CDIC 2013 - Mobile Application Pentest Workshop
CDIC 2013 : Cyber Defense Initiative Conference 2013 www.cdicconference.com
Advanced Mobile Penetration Testing
Application Attacks and Defense
27th – 28th February 2013, Centara Grand & Bangkok Convention Centre at Central World, Bangkok
www.cdicconference.com
Mr. Prathan Phongthiproek, Consulting Manager
GIAC GPEN, E|CSA, C|EH, eCPPT, CPTS, CIW Security Analyst, CWNA, CWSP, Security+
Speaker Profile
อ. ประธาน พงศ์ทิพย์ฤกษ์
Mr. Prathan Phongthiproek
GIAC GPEN, E|CSA, C|EH, eCPPT, CPTS, CIW Security Analyst, CWNA, CWSP, Security+
ACIS Professional Center
E-mail: [email protected]
Let’s Talk and Workshop
Introduction
Attack Vectors for Pentest
Pentest iOS App
Pentest Android App
Workshop !!
INTRODUCTION
Past few years…
Just a mobile phone
– Phone calls
– Sending text messages or MMS
– Alarm clock
– Calculator
– Listening to music
EDGE for surfing the internet!!
Now…
3G, 4G and Wi-Fi support on mobile networks
Became more intelligent: smartphones
– Sending email
– Surfing the internet
– Checking in for flights
– Online banking transactions
– Social networks (Facebook, Twitter, Instagram)
Now…
Companies started creating mobile applications to offer services to clients
– Storing and synchronizing data files in the cloud
– Participating in social network sites
– The data that is stored, processed and transferred can often be considered sensitive
ATTACK VECTORS FOR PENTEST
Three Attack Surfaces
– Client Software on Mobile device
– Communications Channel
– Server Side Infrastructure
Client Software
Packages are typically downloaded from the App Store or Google Play, or provided via the company website
Testing requires a rooted or jailbroken device for access to all files and folders on the local file system
Packages can be decompiled, tampered with or reverse engineered
Client Software
Attention points
– Files on the local file system
– Application authentication & authorization
– Error Handling & Session Management
– Business logic
– Decompiling and analyzing
iExplorer for iPhone
Profile.properties and user_info.pref.xml
Plist files
Decompiled
Communications Channel
Channel between the client and the server (HTTPS, EDGE/3G)
Testing with an HTTP proxy (Burp, ZAP) to intercept and alter traffic
If the application does not use HTTP, a transparent TCP/UDP proxy such as Mallory can be used
Communications Channel
Attention points
– Replay attack vulnerabilities
– Secure transfer of sensitive information
– SSLStrip for HTTPS via Wifi
– Setup SSL for Proxy
Sniff traffic
Server-Side Infrastructure
The attack vectors for the web servers behind a mobile application are similar to those used for regular websites
Perform host and service scans on the target system to identify running services
Server-Side Infrastructure
Attention points
– OWASP Top 10 vulnerabilities (SQL Injection, XSS, ...)
– Running services and versions
– Infrastructure vulnerability scanning
Real Case Study: Mobile App Pentest
Client Software
– Found a backend path in Localizable.strings
Server-Side Infrastructure
– Accessed port 8080 (Tomcat)
– Logged in with the default Tomcat username and password
– Uploaded malicious JSP code to the web server (bypassed Symantec AV)
– Accessed a configuration file containing database credentials
– OWNED!! Database server
– Captured the flag!!
Localizable.strings
Logged in with Default Tomcat credentials
Upload Malicious code
Backend Compromised
Database Compromised
PENTEST IOS APPLICATION
Fast Track
iOS Application
Distributed as a “.ipa” file (simply a zip file)
Deployed as “.app” directories (same as Mac OS X)
Objective-C
Data storage
– Plist files
– SQLite
– Binary data files
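A scanner for the local-storage attention point above (plist and SQLite data files, plus Localizable.strings, where the case study earlier in the deck found a backend path), added here as an example and not taken from the workshop: it walks a pulled app container and flags credential-like keys and hard-coded endpoints. The file names, key names and match patterns are constructed assumptions.

```python
import plistlib
import re
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

# Credential-like key names; absolute URLs or server-side script paths ("backend path").
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|apikey|session", re.I)
ENDPOINT = re.compile(r"https?://\S+|/[\w./-]+\.(?:jsp|php|aspx?|do)\b", re.I)

def parse_strings(text):
    """Return (key, value) pairs from Localizable.strings lines: "key" = "value";"""
    return re.findall(r'"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', text)

def scan_pairs(source, pairs):
    """Flag credential-like keys and endpoint-like values in (key, value) pairs."""
    findings = []
    for key, value in pairs:
        if SENSITIVE_KEY.search(str(key)):
            findings.append((source, str(key), "credential-like key"))
        if ENDPOINT.search(str(value)):
            findings.append((source, str(key), "backend endpoint"))
    return findings

def sqlite_columns(path):
    """Return (table.column, "") pairs so schema column names can be checked."""
    with closing(sqlite3.connect(path)) as con:
        tables = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
        return [(f"{t}.{c[1]}", "") for (t,) in tables.fetchall()
                for c in con.execute(f'PRAGMA table_info("{t}")')]

def scan_container(root):
    """Walk a pulled app container; return (file, key, reason) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix == ".plist":
            findings += scan_pairs(path.name, plistlib.loads(path.read_bytes()).items())
        elif path.suffix == ".strings":
            findings += scan_pairs(path.name, parse_strings(path.read_text("utf-8")))
        elif path.suffix in (".sqlite", ".db"):
            findings += scan_pairs(path.name, sqlite_columns(path))
    return findings

def build_sample_container():
    """Constructed sample files standing in for a real app's Documents folder."""
    root = tempfile.mkdtemp()
    Path(root, "user_info.plist").write_bytes(
        plistlib.dumps({"username": "alice", "SessionToken": "abc123"}))
    Path(root, "Localizable.strings").write_text(
        '"login_url" = "https://api.example.test/admin/login.jsp";\n', "utf-8")
    with closing(sqlite3.connect(Path(root, "app.sqlite"))) as con:
        con.execute("CREATE TABLE users (name TEXT, password TEXT)")
        con.commit()
    return root
```

Run `scan_container()` against a directory pulled from the device over SSH (iOS) or `adb pull` (Android); a column named `password` is flagged from the schema alone, so confirm whether its contents are actually plaintext before reporting.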
Fast and Furious Step
Preparing a Device
– Jailbreak
Install Tools on Device
– Cydia (OpenSSH, MobileTerminal, Etc)
Install Tools on Workstation
– SSH Client
– Plist Editor
– SQLite Database Browser
– Wireshark, Burp proxy
Fast and Furious Step
Read application’s data files
Fast and Furious Step
Set up a proxy to intercept and manipulate traffic
PENTEST ANDROID APPLICATION
Fast and Furious
Android Application
Distributed as a “.apk” file (simply a zip file)
Multiuser OS running the Dalvik VM
Android runs .dex files on the Dalvik VM
Data storage
– XML files
– SQLite
Android and Java
Preparation Tools for Pentest
Android SDK Tools
– AVD Manager and SDK Manager
Java 5, 6, or 7
Eclipse for code review purposes
MITM proxy tools such as Burp
Dex2jar, JD-GUI
Setting up the environment
adb install <apk path>
Configuring the proxy
adb shell
Access Database via adb shell
Android Debug Bridge (ADB)
Packaged with the Android Software Development Kit
Essential adb commands:
– adb devices: lists the serial numbers of attached device(s)
– adb kill-server: shuts down the adb daemon
– adb shell: remote terminal on the device
– adb push: copies files from the local workstation to the device
– adb pull: copies files from the device to the local workstation
– adb remount: remounts the system partition on the device as read-write or write, depending on the switch
– adb forward: forwards adb traffic from one port to another
– adb -h: help for adb commands
Source Code Review
Rename the .apk file to .zip
Extract the zip file and locate classes.dex
Use Dex2jar to convert the .dex to a .jar
Use JD-GUI to open the JAR file and review the source code
Decompiled Application
Java Decompiler
Tip!! Prevent Application Reverse Engineering
ProGuard (Free) and DexGuard
– Obfuscator for Android
– Encrypt strings
– Encrypt entire classes
– Add tamper detection
WORKSHOP !!
Thank You
www.cdicconference.com