iOS Penetration Test Setup

Snoop-it

Add Cydia source: http://repo.nesolabs.de/

Cydia sources http://www.bestcydiasources.com/

Introspy

iOS 9 unsupported
https://github.com/iSECPartners/Introspy-iOS/issues/38

SSL Killswitch 2

https://github.com/nabla-c0d3/ssl-kill-switch2

isrs-iPad:~ root# dpkg -i com.nablac0d3.SSLKillSwitch2_0.10.deb  
Selecting previously deselected package com.nablac0d3.sslkillswitch2.  
(Reading database ... 4846 files and directories currently installed.)
Unpacking com.nablac0d3.sslkillswitch2 (from com.nablac0d3.SSLKillSwitch2_0.10.deb) ...  
Setting up com.nablac0d3.sslkillswitch2 (0.10-2) ...  
isrs-iPad:~ root# killall -HUP SpringBoard  

Apple File Conduit "2"

After installing it, iFunbox can see the contents of the var folder.

Clutch2

Add Cydia source
http://cydia.iphonecake.com

If you get a permission error:

isrs-iPad:~ root# Clutch2  
-sh: /usr/bin/Clutch2: Permission denied
isrs-iPad:~ root# chmod 755 /usr/bin/Clutch  

NIN: the iphonecake repo no longer has Clutch2.
Ref: mwrlabs/needle

$ curl -ksL "http://cydia.iphonecake.com/Clutch2.0.4.deb" -o /var/root/kill.deb
$ dpkg -i /var/root/kill.deb && rm -f /var/root/kill.deb
$ killall -HUP SpringBoard

A Quick Guide to Using Clutch 2.0 to Decrypt iOS Apps | Digital Forensics Tips

PList Edit Pro

➜  A6889CA1-CB53-42D1-A59A-42D2BCBCACFE pledit .com.apple.mobile_container_manager.metadata.plist

class-dump, class-dump-z & class-dump-dyld

class-dump & class-dump-z

From a given executable, class-dump and class-dump-z generate header files with the class interfaces. (class-dump may produce better headers than class-dump-z for recent binaries.) This lets you analyse which methods exist in the executable, which helps you guess which ones to hook to get a given piece of functionality.

Both can be installed on the iPhone.

// Upload the class-dump-z binary to the iPhone (e.g. with Cyberduck), then install it:
ninos-iPhone:~ root# cp class-dump-z /usr/bin/  
ninos-iPhone:~ root# chmod 755 /usr/bin/class-dump-z  

Install class-dump the same way as above.

  • Use class-dump-z xxxx > ./xxxx-classdump.txt to export the target binary's class information into a single text file, which is convenient for searching.
  • Use class-dump-z -H -o xxxx ./SourceCode to write all of the target binary's class information as header files into the given directory, one file per class.

class-dump-dyld

Installation: Cydia. (GitHub)

ninos-iPhone:~/lipo-nino root# otool -Vh your_app  
your_app (architecture armv7):  
Mach header  
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
   MH_MAGIC     ARM         V7  0x00     EXECUTE    48       5112   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
your_app (architecture arm64):  
Mach header  
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64   ARM64        ALL  0x00     EXECUTE    48       5696   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE  
// The app is a fat binary (armv7 + arm64), so thin it to a single architecture first
ninos-iPhone:~/lipo-nino root# lipo your_app -thin armv7 -o your_app_thin  
ninos-iPhone:~/lipo-nino root# classdump-dyld -o classdump/ your_app_thin  
  Dumping /private/var/root/lipo_nino/your_app_thin...(543 classes)  (injected with libclassdumpdyld.dylib)
 80% [========================================          ]  435/543 <ADEumBeaconBuilder>
  Done. Check "output" directory.

NIN: the output seems to say it succeeded, but the folder is empty. Cause unknown.
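The otool/lipo step above depends on tools that are not always installed on a jailbroken device or on the analysis host. The following is an added example, not part of these notes and not code from classdump-dyld or Clutch: a POSIX sh script that reads the Mach-O header with od alone, reports whether the file is a fat (universal) binary that needs thinning, and lists the slices it carries. Constants and offsets follow the public <mach-o/fat.h> and <mach/machine.h> layouts; the fat header it parses is constructed inline (no real code behind it) so the script runs offline, and the function names are my own.

```shell
#!/bin/sh
# Inspect a Mach-O header with od/printf only (added example, not from the notes).

# Dump COUNT bytes at OFFSET of FILE as a lowercase hex string.
hex_at() { od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'; }

# Decimal value of a hex string.
hex2dec() { echo $((0x$1)); }

# Human name for a (cputype, cpusubtype) pair; capability bits in the
# subtype's top byte are masked off before matching.
arch_name() {
  sub=$(printf '%06x' $((0x$2 & 0x00ffffff)))
  case "$1/$sub" in
    0000000c/000006) echo armv6 ;;
    0000000c/000009) echo armv7 ;;
    0000000c/00000b) echo armv7s ;;
    0000000c/*)      echo arm ;;
    0100000c/*)      echo arm64 ;;
    00000007/*)      echo i386 ;;
    01000007/*)      echo x86_64 ;;
    *)               echo "unknown($1/$2)" ;;
  esac
}

# Classify FILE by its magic: fat (big-endian 0xCAFEBABE), a thin 32-/64-bit
# Mach-O (0xFEEDFACE / 0xFEEDFACF in either byte order), or not Mach-O at all.
macho_kind() {
  case "$(hex_at "$1" 0 4)" in
    cafebabe)          echo fat ;;
    feedface|cefaedfe) echo thin32 ;;
    feedfacf|cffaedfe) echo thin64 ;;
    *)                 echo notmacho ;;
  esac
}

# For a fat FILE, print one "arch offset size" line per fat_arch entry.
# The fat header is 8 bytes (magic, nfat_arch); each entry is 20 bytes
# (cputype, cpusubtype, offset, size, align), all big-endian.
fat_slices() {
  n=$(hex2dec "$(hex_at "$1" 4 4)")
  i=0
  while [ "$i" -lt "$n" ]; do
    base=$((8 + i * 20))
    ct=$(hex_at "$1" "$base" 4)
    st=$(hex_at "$1" $((base + 4)) 4)
    off=$(hex2dec "$(hex_at "$1" $((base + 8)) 4)")
    sz=$(hex2dec "$(hex_at "$1" $((base + 12)) 4)")
    echo "$(arch_name "$ct" "$st") $off $sz"
    i=$((i + 1))
  done
}

# Constructed sample: a fat header with an armv7 slice and an arm64 slice,
# mirroring the two-architecture layout otool showed above.
make_sample_fat() {
  # magic 0xCAFEBABE, nfat_arch = 2
  printf '\312\376\272\276\000\000\000\002' > "$1"
  # ARM / ARMV7 (subtype 9), offset 16384, size 4096, align 2^14
  printf '\000\000\000\014\000\000\000\011\000\000\100\000\000\000\020\000\000\000\000\016' >> "$1"
  # ARM64 / ALL (subtype 0), offset 32768, size 8192, align 2^14
  printf '\001\000\000\014\000\000\000\000\000\000\200\000\000\000\040\000\000\000\000\016' >> "$1"
}

# On a real binary: macho_kind your_app; fat_slices your_app
# Walk-through on the constructed sample:
sample=$(mktemp)
make_sample_fat "$sample"
echo "kind: $(macho_kind "$sample")"   # kind: fat
fat_slices "$sample"                   # armv7 16384 4096 / arm64 32768 8192
rm -f "$sample"
```

If macho_kind reports fat, the binary needs the lipo -thin step before classdump-dyld; the offset and size of each slice are what lipo extracts, so the same numbers can be used with dd if lipo is unavailable. A thin32/thin64 result means the file is already a single slice.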