Hacking a Moving Target - SANS

Page 1:

Chris Cuevas, Senior Security Consultant
[email protected]
Office - 904-639-6709

©2012 Secure Ideas LLC | http://www.secureideas.net

Hacking a Moving Target - Mobile Application Penetration

Page 2:

Chris Cuevas

• Security Consultant at Secure Ideas
• Open Source Advocate
  – Contributor to SamuraiWTF and MobiSec
• Co-Author of Sec571: Mobile Device Security
• SANS Mentor
  – SEC504 Incident Handling and Hacker Techniques
• I piss off large corporations from time to time
  – (shmoocon talk)

Page 3:

What I'll be talking about today

• iOS (yep I have one of those devices)
  – Device Overview
  – Attacks
• Android (yep I have one of those devices)
  – Device Overview
  – Attacks
• Blackberry (sorry not my area of expertise)
• Attacking Mobile Applications
• Demo

Page 4:

Mobile Device Overview

• This is more important than some people think
• Understanding the attack surface is key to pulling off a successful attack
• What version of the underlying OS is running will drastically alter what attack options I have to work with

Page 5:

Apple Device Overview

• iPhone
  – 5 generations of iPhone models
  – 4 different storage capacities
  – 5 major versions of iOS operating system
• iPad
  – 3 generations of iPad models
    • WiFi only
    • WiFi plus 3G
    • WiFi plus 4G LTE
  – 3 different storage capacities
  – 3 versions of iOS operating system

Page 6:

iOS Version Overview

• Originally iPhone OS for versions 1 and 2
• iOS version 3 (release of iPad)
  – Find my phone option added in MobileMe
  – HTML 5 support
• iOS version 4
  – Encryption for user data
  – Background location
  – Find My iPhone
• iOS version 5

Page 7:

iOS App Store

• The iOS App Store is the official store
  – Released in July of 2008
  – Part of iOS 2.0.1
• The App Store has over 500,000 apps
  – 18 billion downloads
    • As of October 2011
• Accessible from a number of interfaces
  – iOS
  – iTunes
  – Apple web site
• Apple vets applications before release
  – They can revoke the application

Page 8:

Android Device Overview

• Android runs on a wide variety of devices
  – Chosen by the hardware manufacturer
    • CPU – Qualcomm, Tegra2, Snapdragon, Cortex A9
    • Storage – From 512MB to 32GB
• The bootloader chosen by the carrier affects access
  – Changes the image capabilities

Page 9:

Android Version Overview

• Android 2.2 – Froyo
  – Improved Exchange support
• Android 2.3 – Gingerbread
  – Switched from YAFFS to ext4
• Android 3.0 – Honeycomb
  – Designed for tablets
• Android 4.0 – Ice Cream Sandwich
  – Face Unlock
  – Android Beam (NFC)

Page 10:

Android Markets

• Android has a number of marketplaces for applications
  – Google Market
  – Amazon App Store
  – Vendor and carrier store fronts
• Applications can also be installed from the developer or a web site
• As with the variety of hardware, this variety of app sources causes difficulties
  – Difficulties for the developers and organizations
  – Controlling app sources is a problem
  – Is the app installed the right one?

Page 11:

Mobile Attacks

Let's look at some of the types of attacks we see on mobile devices today

Page 12:

Malicious Applications

• Android
  – Easy to anonymously sign apps to distribute through Android Market
  – Google Bouncer (RootSmart for the bypass)
• iOS
  – More difficult to bypass vetting process, but not impossible
  – RootSmart type bypass could work as well
• http://contagiominidump.blogspot.com/ (collection of mobile malware)

Page 13:

Malicious Web Sites

• Malicious JavaScript
  – BeEF hook
  – Android browser has access to SD card where application data is stored
• HTML5 compliant browsers FTW :-)
  – Web Workers
  – Web Storage
• Firefox and Chrome Extensions

Page 14:

Malicious Networks

• Lines are blurred between internal and external as the network is everywhere
  – Cellular data plans still connect you to the internet
• WiFi hotspots
  – Credential harvesting
  – MiTM attacks
• Home networks
  – Sync organizational device to personal PC

Page 15:

MiTM Attacks

• I have to be physically near the device
• Session hijacking
  – FaceNiff (FireSheep for Android)
• ARP poisoning
  – If I'm the gateway I control the flow of traffic
  – Most apps communicate using http
  – I love BURP
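Added example, not from the slides: the point of the slide is that what most apps send over plain http is readable by anyone who becomes the gateway. The same observation is the basis of a review check. The Python below (written for this page, standard library only) runs a detection pass over a few constructed request records in the shape of an intercepting proxy's history export, and flags credentials or session material sent without TLS. The record layout, host names and parameter lists are assumptions chosen for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (method, URL, request headers, request body),
# shaped like a proxy history export. Not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "http://api.example.test/v1/login",
     {"Content-Type": "application/x-www-form-urlencoded"},
     "user=alice&password=hunter2"),
    ("GET", "http://api.example.test/v1/profile",
     {"Authorization": "Bearer abc123", "Cookie": "session=deadbeef"},
     ""),
    ("POST", "https://api.example.test/v1/login",
     {"Content-Type": "application/x-www-form-urlencoded"},
     "user=alice&password=hunter2"),
    ("GET", "http://cdn.example.test/logo.png", {}, ""),
]

# Assumed parameter/header names worth flagging; extend for the app under review.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pin", "token", "secret"}
SENSITIVE_HEADERS = {"authorization", "cookie", "x-auth-token"}


@dataclass
class Finding:
    url: str
    reason: str


def _sensitive_params(query_or_body):
    """Names of sensitive form/query parameters present in a urlencoded string."""
    names = {k.lower() for k in parse_qs(query_or_body, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def analyze_request(method, url, headers, body):
    """Return Findings for one request. Only cleartext http is flagged: the same
    data over https is not visible to an on-path observer."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return findings
    for name in _sensitive_params(parts.query):
        findings.append(Finding(url, f"credential parameter '{name}' in URL over http"))
    ctype = headers.get("Content-Type", "").lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name in _sensitive_params(body):
            findings.append(Finding(url, f"credential parameter '{name}' in body over http"))
    for h in headers:
        if h.lower() in SENSITIVE_HEADERS:
            findings.append(Finding(url, f"{h} header sent over http"))
    return findings


def analyze_history(records):
    """Run analyze_request over every record and collect the findings."""
    findings = []
    for rec in records:
        findings.extend(analyze_request(*rec))
    return findings


if __name__ == "__main__":
    for f in analyze_history(SAMPLE_REQUESTS):
        print(f"{f.url}: {f.reason}")
```

Running it over the constructed history reports the login form's password and the profile request's Authorization and Cookie headers, and nothing for the https copy of the same login. A real export would carry the full header set, so the check is on scheme plus content, not on the URL alone.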

Page 16:

Mobile Application Discovery

• Mobile application discovery is similar to web applications
  – Most of the same flaws exist
• Slight differences in client-side attacks
  – XSS has different targets for example
• The tools are similar
  – Main focus is intercepting traffic

Page 17:

Testing Techniques

• Testing mobile applications can take many forms
  – Testing the back-end site or service
  – Reverse engineering the application
  – Code analysis of the software
• We will focus on the first two
  – As that is typically what penetration tests include
  – Mobile interfaces are often found during normal tests

Page 18:

Reverse Engineering

• A decompiler does not reconstruct the original source code
  – But it gets us close enough
• There are many obstacles to overcome in reversing mobile applications
  – iOS applications are encrypted using Apple's binary encryption scheme
  – Decrypting this format is not a new technique

Page 19:

Android SDK

• A comprehensive set of development tools
  – Includes a debugger, libraries, and an emulator
• Android applications are written in Java and packaged in .apk format
  – The .apk contains .dex files, which are compiled bytecode files called Dalvik executables
• adb is our friend

Page 20:

adb

• Android Debug Bridge (part of the SDK)
  – Lets you communicate with an emulator instance or connected Android-powered device
• You can push, pull, install, and remove files and apps using adb.

Page 21:

Xcode

• A suite of tools developed by Apple for developing software for OS X and iOS
• The main application is the Xcode IDE
• Apps are written in Objective-C
  – An object-oriented language that adds Smalltalk-style messaging to C
• Mach-O executable format, which allows for "fat binaries" containing code for multiple architectures
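Added example, not from the slides: the two facts a reverser needs before otool is useful are which architecture slices a fat binary carries and whether the slice is still under Apple's binary encryption (the obstacle on the Reverse Engineering slide). Both live in the Mach-O headers, and the Python below (written for this page, standard library only) reads them: it parses the big-endian fat header, then walks each slice's load commands for LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 and reports its cryptid, which is the same field otool -l prints. The sample binary is constructed here and is header-only; the constants are the public Mach-O values.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                           # fat header is big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin Mach-O, little-endian on ARM/x86
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}


def parse_fat(blob):
    """Return [(cputype, offset, size)] for each slice of a fat binary, or a
    single entry covering the whole file if it is a thin Mach-O."""
    magic, = struct.unpack_from(">I", blob, 0)
    if magic == FAT_MAGIC:
        nfat, = struct.unpack_from(">I", blob, 4)
        slices = []
        for i in range(nfat):
            cputype, _sub, off, size, _align = struct.unpack_from(">iiIII", blob, 8 + 20 * i)
            slices.append((cputype, off, size))
        return slices
    magic_le, = struct.unpack_from("<I", blob, 0)
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        cputype, = struct.unpack_from("<i", blob, 4)
        return [(cputype, 0, len(blob))]
    raise ValueError("not a Mach-O or fat binary")


def encryption_state(blob, off=0):
    """Walk the load commands of the slice at `off` and return the cryptid of
    its LC_ENCRYPTION_INFO(_64) command, or None if there is none.
    cryptid 1 means the code is still encrypted; 0 means it has been decrypted."""
    magic, = struct.unpack_from("<I", blob, off)
    if magic == MH_MAGIC:
        hdr_size = 28
    elif magic == MH_MAGIC_64:
        hdr_size = 32
    else:
        raise ValueError("bad Mach-O magic at slice")
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, off + 16)
    pos = off + hdr_size
    end = pos + sizeofcmds
    for _ in range(ncmds):
        if pos + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", blob, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", blob, pos + 8)
            return cryptid
        pos += cmdsize
    return None


def report(blob):
    """[(arch name, cryptid)] for every slice in the file."""
    return [(CPU_NAMES.get(cpu, hex(cpu)), encryption_state(blob, off))
            for cpu, off, _ in parse_fat(blob)]


def build_sample(cryptid):
    """Constructed fat binary with one armv7 slice whose only load command is
    LC_ENCRYPTION_INFO. Header-only: there is no code in it."""
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x2000, cryptid)
    mh = struct.pack("<IiiIIII", MH_MAGIC, 12, 9, 2, 1, len(lc), 0)  # filetype 2 = MH_EXECUTE
    slice_ = mh + lc
    slice_off = 4096
    fat = struct.pack(">II", FAT_MAGIC, 1)
    fat += struct.pack(">iiIII", 12, 9, slice_off, len(slice_), 12)
    return fat.ljust(slice_off, b"\0") + slice_


if __name__ == "__main__":
    print(report(build_sample(1)))
```

On a real .ipa, unzip it and pass the bytes of the executable inside Payload/*.app to report(). A cryptid of 1 on every slice means the __TEXT contents otool -t would show are still ciphertext and the decrypt step the slide mentions is needed first; for a developer, the same check confirms that a store build shipped encrypted.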

Page 22:

otool

• Displays specified parts of object files or libraries
• Options we are interested in:

-t  Display the contents of the (__TEXT,__text) section
-o  Display the contents of the __OBJC segment used by the Objective-C run-time system
-V  Display the disassembled operands symbolically

http://pauldotcom.com/wiki/index.php/Episode226#Guest_Tech_Segment:_Eric_Monti_on_iPhone_Application_Reversing_and_Rootkits

Page 23:

dex2jar

• dex2jar is a tool for converting Android's .dex format to Java's .class format
• dex-tool-0.0.9.8 adds support to deobfuscate a jar
• dex-tool can also be used to modify an .apk
• Requires a decompiler to view the source
  – JD-GUI
  – JAD

Page 24:

Interception Tools

• Interception is one of our main goals
  – Can we get between the application and the server?
• Interception tools do more than intercept
  – They can analyze the traffic
  – They can inject attacks

Page 25:

iSniff

• SSL man-in-the-middle tool
• Works on iOS < 4.3.5 devices vulnerable to CVE-2011-0228
• Written by @hubert3
• Redirect SSL traffic from NAT'd clients to iSniff as follows
  – iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 2000

Page 26:

Burp Suite

• Integrated platform for performing security testing of web applications
• Some of the tools from the suite we will talk about today
  – Burp Intercepting Proxy
  – Burp Intruder (fuzzing of application requests)
  – Burp Repeater (tool for manually modifying and reissuing individual HTTP requests)

Page 27:

Mallory

• Mallory is a transparent proxy
  – Proxies TCP and UDP
• This allows us to intercept traffic
  – Without configuring the device with a proxy
  – Great for older versions of Android

Page 28:

Mallory

• Mallory works with IPTables and the network adaptors
  – Provides an access point for other devices
• It then tunnels the traffic through the Mallory system
  – Allowing us to intercept and modify the traffic

Page 29:

Demo

• Decompile an Android .apk
  – Unzip
  – dex2jar
  – Java decompiler
• Decompile an iOS .ipa
  – Yes I wish it was the beer too ;-)
  – Unzip
  – otool
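Added example, not from the slides: the Android half of the demo starts with "unzip" because an .apk is a zip and the Dalvik bytecode the Android SDK slide describes sits inside it as classes.dex. Before handing that file to dex2jar it is worth reading its header, which carries its own integrity fields (an Adler-32 checksum over everything after the checksum, and a SHA-1 over everything after the signature). The Python below (written for this page, standard library only) builds a constructed header-only DEX with correct checksum and signature, packs it into an in-memory .apk, pulls it back out the way the unzip step would, and verifies the header. File names and the manifest placeholder are assumptions.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def build_sample_dex(version=b"035"):
    """Constructed, header-only DEX: no strings, types or classes. Checksum and
    signature are computed over the same ranges the real format specifies, so
    the parser's integrity checks mean something on it."""
    magic = b"dex\n" + version + b"\0"
    # Fields from file_size onward; every size/offset is zero except the
    # header size and the endian tag.
    tail = struct.pack("<III", DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    tail += b"\0" * (DEX_HEADER_SIZE - 32 - 12)
    signature = hashlib.sha1(tail).digest()                 # covers bytes 32..end
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF  # covers bytes 12..end
    return magic + struct.pack("<I", checksum) + signature + tail


def parse_dex_header(dex):
    """Decode the 0x70-byte DEX header and recompute its integrity fields."""
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n" or dex[7:8] != b"\0":
        raise ValueError("not a DEX file")
    version = dex[4:7].decode("ascii")
    checksum, = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    (file_size, header_size, endian_tag, _link_size, _link_off, _map_off,
     _string_ids_size, _string_ids_off, _type_ids_size, _type_ids_off,
     _proto_ids_size, _proto_ids_off, _field_ids_size, _field_ids_off,
     method_ids_size, _method_ids_off, class_defs_size, _class_defs_off,
     _data_size, _data_off) = struct.unpack_from("<20I", dex, 32)
    return {
        "version": version,
        "file_size": file_size,
        "header_size": header_size,
        "endian_ok": endian_tag == ENDIAN_CONSTANT,
        "checksum_ok": (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(dex[32:]).digest() == signature,
        "class_defs_size": class_defs_size,
        "method_ids_size": method_ids_size,
    }


def build_sample_apk(dex_bytes):
    """Constructed .apk: a zip with a placeholder manifest and one classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder/>")
        z.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


def check_apk(apk_bytes):
    """The demo's unzip step done in memory: read every classes*.dex out of the
    .apk and return its parsed header. The same bytes go to dex2jar next."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                results[name] = parse_dex_header(z.read(name))
    return results


if __name__ == "__main__":
    for name, hdr in check_apk(build_sample_apk(build_sample_dex())).items():
        print(name, hdr)
```

A header whose checksum or signature fails to recompute has been corrupted or edited after it was built, which is worth knowing before spending time in a decompiler. These fields only establish integrity, not origin: the "is the app installed the right one?" question from the Android Markets slide is answered by the package's signing certificate under META-INF, not by anything in the DEX header.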

Page 30:

Thank You

To my family
To SecureIdeas
Special thanks to John H Sawyer for just being awesome
