
GS With iOS Pentesting

This document provides an overview of iOS pentesting. It discusses requirements like jailbreaking iOS devices. It also covers setting up the environment, extracting and decompiling IPA files, understanding iOS filesystems, intercepting HTTP/HTTPS traffic. Attack surfaces like hardcoded credentials, bypassing biometrics, and vulnerabilities in deep links and webviews are outlined. Resources for further learning about iOS pentesting tools like Frida, Objection and methodologies are also referenced.

Uploaded by Sologgh
Getting Started with iOS Pentesting

Niraj Kharel, Offensive Security Lead, CryptoGen Nepal Pvt. Ltd.
https://nirajkharel.com.np
Topics
● Requirements
● Environment Setup
● Extracting the IPA file
● Decompiling the IPA file
● Understanding iOS filesystems
● Intercepting HTTP Traffic
● Intercepting HTTPS Traffic
● Some Attack Surface
● Resources
Requirements

Research

Jailbreak
• Getting root access on an iOS device.
• Untethered Jailbreak: permanent jailbreak; the device stays jailbroken even after a reboot.
• Tethered Jailbreak: temporary jailbreak; after a reboot the device returns to its normal state.

Workstation
• MacBook (preferably)
• Or, we can use Mobexler (a customized virtual machine) designed for pentesting iOS and Android applications.
Environment Setup

Cydia

• Cydia can be used to install different packages on a jailbroken device.
• Some of the applications which should be installed using Cydia:
  • Frida
  • SSH (OpenSSH)
  • Filza

SSH
• ssh root@<device-ip> The default password is alpine.
• Forgot the root password?
• Use Filza to edit /private/etc/master.passwd. This file contains the password hashes of all iOS users.
• Find the root record and replace it with the following value:
root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh
• This resets the password to alpine.
Extracting the IPA file

The IPA file installed from the App Store is encrypted. We can decrypt it by using Frida.

• Download and install Frida on the PC: pip3 install frida-tools
• Grab the display name or bundle identifier of the application using frida-ps -Uai
• Download the Python script, built on Frida, that dumps the IPA from GitHub (Frida iOS Dump).
• Install its requirements.
• Forward the SSH port with iproxy: iproxy 2222 22
• Run python3 dump.py "Display Name"
• If the script does not start dumping by itself, open the app and keep the script running in the background.
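A quick way to confirm that a dump actually produced a decrypted binary is to read the LC_ENCRYPTION_INFO load command: App Store binaries ship with cryptid = 1, and a successful dump rewrites it to 0. The checker below is an added example written for this page, not part of the original deck or of the Frida iOS Dump project; it parses thin and fat Mach-O headers, locates the main executable inside an .ipa through Info.plist, and builds its own constructed sample binaries for demonstration (no real app is included).

```python
"""Check whether an iOS app binary (or the binaries inside an .ipa) still carry
App Store encryption, by reading LC_ENCRYPTION_INFO(_64) from the Mach-O header.
cryptid == 1 means the __TEXT segment is still encrypted; a good dump leaves 0."""
import io
import plistlib
import struct
import zipfile

MH_MAGIC = 0xFEEDFACE          # 32-bit little-endian Mach-O
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit little-endian Mach-O
FAT_MAGIC = 0xCAFEBABE         # universal (fat) wrapper, big-endian header
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def _thin_cryptids(data, base=0):
    """Return the encryption-info commands found in one thin Mach-O image."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError(f"not a little-endian Mach-O at offset {base:#x}")
    ncmds = struct.unpack_from("<I", data, base + 16)[0]
    found, off = [], base + header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            found.append({"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid})
        off += cmdsize
    return found


def encryption_info(data):
    """Handle fat or thin binaries; one dict per architecture slice that has the command."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat):
            cputype, _sub, offset, _size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            for info in _thin_cryptids(data, offset):
                slices.append(dict(info, cputype=cputype))
        return slices
    cputype = struct.unpack_from("<I", data, 4)[0]
    return [dict(info, cputype=cputype) for info in _thin_cryptids(data)]


def is_decrypted(data):
    """True when no slice still has cryptid set (binaries without the command count as clear)."""
    return all(e["cryptid"] == 0 for e in encryption_info(data))


def inspect_ipa(ipa):
    """Find Payload/<App>.app/Info.plist, read CFBundleExecutable and check that binary.
    `ipa` may be a path or the raw bytes of the archive."""
    src = io.BytesIO(ipa) if isinstance(ipa, bytes) else ipa
    with zipfile.ZipFile(src) as z:
        plist_name = next(n for n in z.namelist()
                          if n.startswith("Payload/") and n.count("/") == 2
                          and n.endswith("/Info.plist"))
        info = plistlib.loads(z.read(plist_name))
        app_dir = plist_name.rsplit("/", 1)[0]
        binary = z.read(f"{app_dir}/{info['CFBundleExecutable']}")
    return info["CFBundleExecutable"], is_decrypted(binary)


# --- constructed sample data (not a real app) for demonstration and testing ---
def build_sample_macho(cryptid):
    """Minimal arm64 Mach-O: header plus a single LC_ENCRYPTION_INFO_64 command."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(cmd), 0, 0)
    return header + cmd


def build_sample_fat(cryptid):
    """Wrap the sample image in a one-slice fat header (slice starts at offset 28)."""
    thin = build_sample_macho(cryptid)
    return (struct.pack(">II", FAT_MAGIC, 1)
            + struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 28, len(thin), 0) + thin)


def build_sample_ipa(cryptid):
    """In-memory .ipa with the sample binary and a minimal Info.plist."""
    info = plistlib.dumps({"CFBundleExecutable": "SampleApp",
                           "CFBundleIdentifier": "com.example.sampleapp"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/SampleApp.app/Info.plist", info)
        z.writestr("Payload/SampleApp.app/SampleApp", build_sample_macho(cryptid))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    name, clear = inspect_ipa(target) if target else inspect_ipa(build_sample_ipa(1))
    print(f"{name}: {'decrypted' if clear else 'still encrypted (cryptid=1)'}")
```

Run it against the dumped .ipa (`python3 check_ipa.py Dumped.ipa`); with no argument it demonstrates on the constructed still-encrypted sample. If it reports "still encrypted", re-run the dump with the app in the foreground, as the slide advises, because Frida can only read the decrypted pages once the loader has mapped them.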
MobSF
Always run MobSF after getting your IPA file.
Decompiling the IPA file
Understanding iOS filesystems

Navigating into the Directories


Intercepting HTTP Traffic

• The iOS device and the interceptor should be on the same LAN.
• In Burp Suite, navigate to the Proxy tab and add a new listener. The IP address should be your computer's and the port can be any free port. Example: 5567
• Open Settings on the iOS device and tap Wi-Fi.
• Tap the (i) symbol next to the connected network.
• Select Manual under HTTP Proxy and enter the IP address and port configured on the Burp proxy listener.
• HTTP traffic should now be intercepted by Burp Suite.
Intercepting HTTPS Traffic

• Using Frida
• Using Objection

Note: The Burp certificate needs to be installed on the device before intercepting HTTPS traffic.
Some Attack Surface
Hardcoded Credentials
• Many developers hard-code credentials in the app binary and in file storage; search for secrets and creds.
• Analyze the binary executable and the plist files for such strings.
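The search the two bullets describe can be automated over an extracted IPA. The scanner below is an added example written for this page (not the deck's or any project's code): plists are parsed and checked key by key, every other file is treated like `strings` output (printable runs of six or more bytes), and each string is matched against a small set of credential patterns. The file contents at the bottom are constructed sample data; the AWS key id used there is Amazon's own documented placeholder, not a live credential.

```python
"""Audit an extracted .ipa (or the archive itself) for hard-coded credentials."""
import plistlib
import re
import zipfile

# Patterns applied to every extracted string and every plist string value.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|auth[_-]?token)\b\s*[=:]\s*\S{6,}"),
    "basic_auth_url": re.compile(r"https?://[^\s/:@]+:[^\s@]+@\S+"),
}
# Plist keys whose mere presence with a non-empty value deserves a look.
SENSITIVE_KEY = re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token|credential)")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(data):
    """Equivalent of `strings -n 6`: printable ASCII runs in a binary blob."""
    return [m.decode("ascii") for m in PRINTABLE_RUN.findall(data)]


def _plist_leaves(node, path=""):
    """Yield (keypath, value) for every string leaf of a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _plist_leaves(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _plist_leaves(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def _match_patterns(filename, where, text):
    hits = []
    for rule, regex in SECRET_PATTERNS.items():
        m = regex.search(text)
        if m:
            hits.append({"file": filename, "rule": rule, "where": where, "match": m.group(0)})
    return hits


def scan_files(files):
    """files: mapping of archive path -> bytes. Returns a list of finding dicts."""
    findings = []
    for name, data in files.items():
        if name.endswith(".plist"):
            try:
                parsed = plistlib.loads(data)
            except Exception:            # not a valid plist: fall through to string scan
                parsed = None
            if parsed is not None:
                for keypath, value in _plist_leaves(parsed):
                    key = keypath.rsplit("/", 1)[-1]
                    if SENSITIVE_KEY.search(key) and value.strip():
                        findings.append({"file": name, "rule": "sensitive_plist_key",
                                         "where": keypath, "match": value})
                    findings.extend(_match_patterns(name, keypath, value))
                continue
        for s in extract_strings(data):
            findings.extend(_match_patterns(name, "string", s))
    return findings


def scan_ipa(path):
    """Scan every file inside an .ipa archive on disk."""
    with zipfile.ZipFile(path) as z:
        return scan_files({i.filename: z.read(i) for i in z.infolist() if not i.is_dir()})


# --- constructed sample data, not taken from any real app ---
SAMPLE_FILES = {
    "Payload/Sample.app/Info.plist": plistlib.dumps({
        "CFBundleExecutable": "Sample",
        "BackendAPIKey": "AKIAIOSFODNN7EXAMPLE",   # AWS's documented placeholder key id
    }),
    "Payload/Sample.app/Config.plist": plistlib.dumps({
        "DebugEndpoint": "https://admin:hunter2@staging.example.invalid/api",
    }),
    # fake Mach-O header bytes followed by two embedded strings
    "Payload/Sample.app/Sample": (b"\xcf\xfa\xed\xfe" + b"\x00" * 28
                                  + b"Hello, World!\x00"
                                  + b"password=Sup3rSecretConstructed\x00"),
}

if __name__ == "__main__":
    import sys
    results = scan_ipa(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['file']} [{f['rule']}] {f['where']}: {f['match']}")
```

Treat the output as leads, not verdicts: a key named `APIToken` may hold a public identifier, and the generic assignment pattern will flag format strings. The patterns are deliberately few; extend `SECRET_PATTERNS` with the token formats of the backends the app actually talks to.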
Some Attack Surface

Bypassing Fingerprint Authentication

• Check whether local authentication mechanisms like Touch ID/Face ID are properly implemented.
Some Attack Surface

DeepLink and WebView


• Do not miss the DeepLink and WebView parts.
If the application has debug mode enabled, you can discover DeepLink hosts and schemes in the log.

• Data Exfiltration
• Cross Site Scripting
• Path Traversal
• CSRF via Deep Link
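Even without debug logging, the deep-link entry points are declared statically and can be enumerated from the app bundle. The helper below is an added example for this page (not the deck's code): it reads the custom URL schemes from CFBundleURLTypes in Info.plist, the universal-link hosts from the `applinks:` entries of the associated-domains entitlement, and the schemes the app declares it may open. The two plists at the bottom are constructed sample data; the hosts and bundle id are placeholders.

```python
"""Enumerate the deep-link surface an iOS app registers, from Info.plist and
its entitlements plist (extract the latter with `codesign -d --entitlements`
or from the dumped binary's embedded.mobileprovision / entitlements)."""
import plistlib

ASSOCIATED_DOMAINS_KEY = "com.apple.developer.associated-domains"


def deep_link_surface(info_plist, entitlements=None):
    """Return custom schemes, universal-link hosts and queried schemes from raw plist bytes."""
    info = plistlib.loads(info_plist)
    ents = plistlib.loads(entitlements) if entitlements else {}

    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        name = url_type.get("CFBundleURLName", "")
        role = url_type.get("CFBundleTypeRole", "")
        for scheme in url_type.get("CFBundleURLSchemes", []):
            schemes.append({"scheme": scheme, "name": name, "role": role})

    applinks = []
    for entry in ents.get(ASSOCIATED_DOMAINS_KEY, []):
        service, _, host = entry.partition(":")
        if service == "applinks":
            applinks.append(host.split("?", 1)[0])   # drop "?mode=developer" style suffixes

    return {
        "custom_schemes": schemes,
        "universal_link_hosts": applinks,
        "queries_schemes": list(info.get("LSApplicationQueriesSchemes", [])),
    }


def format_report(surface):
    """Human-readable summary; each custom scheme is a handler worth reviewing for
    unvalidated parameters (the data-exfiltration, XSS, traversal and CSRF cases above)."""
    lines = ["Custom URL schemes:"]
    lines += [f"  {s['scheme']}://  ({s['name']} {s['role']})".rstrip()
              for s in surface["custom_schemes"]] or ["  (none)"]
    lines.append("Universal link hosts:")
    lines += [f"  https://{h}/" for h in surface["universal_link_hosts"]] or ["  (none)"]
    lines.append("Schemes the app may query:")
    lines += [f"  {q}://" for q in surface["queries_schemes"]] or ["  (none)"]
    return "\n".join(lines)


# --- constructed sample plists, not from a real app ---
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.sampleapp",
    "CFBundleURLTypes": [
        {"CFBundleURLName": "com.example.sampleapp", "CFBundleTypeRole": "Editor",
         "CFBundleURLSchemes": ["sampleapp", "sampleapp-auth"]},
    ],
    "LSApplicationQueriesSchemes": ["comgooglemaps", "twitter"],
})
SAMPLE_ENTITLEMENTS = plistlib.dumps({
    ASSOCIATED_DOMAINS_KEY: ["applinks:links.example.invalid",
                             "applinks:beta.example.invalid?mode=developer",
                             "webcredentials:example.invalid"],
})

if __name__ == "__main__":
    print(format_report(deep_link_surface(SAMPLE_INFO_PLIST, SAMPLE_ENTITLEMENTS)))
```

Feed it the real `Info.plist` and entitlements bytes from the dumped bundle; every scheme and host it lists is an input path that the app's URL-handling code (`application(_:open:options:)`, `scene(_:openURLContexts:)`, or the universal-link continuation handler) must validate before passing anything to a WebView or the file system.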

Data Exfiltration Payload Sample


Some Tools/Applications

Be Familiar with:
• Frida
• Objection
• Cydia
• Filza
• MobSF
• Checkra1n
• Impactor
• Xcode
• PassionFruit
• Burp Suite
• Hopper Disassembler
Resources

• https://book.hacktricks.xyz/mobile-pentesting/ios-pentesting-checklist
• https://mobexler.com/checklist.htm
• https://codeshare.frida.re/
• https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06a-platform-overview
• https://medium.com/@lucideus/understanding-the-ios-file-system-eee3dc87e455
• https://www.cobalt.io/blog/ios-pentesting-101
• https://github.com/sensepost/objection/issues/136#issuecomment-419664574
• https://github.com/nirajkharel/NotJustAChecklist
• https://bhattsameer.github.io/2021/06/23/Intercepting-flutter-iOS-application.html
Happy 9th Anniversary

https://github.com/nirajkharel https://twitter.com/nirajkharel7 https://np.linkedin.com/in/nirajkharel
