Friday, December 23, 2016
HOOKING WITH ANDBUG
- Layout for this exercise:
- Connecting Santoku to Nexus 5:
0 - INSECURE BANK
- To illustrate the exercises of this post, the InsecureBank application, written by Dinesh Shetty, will be used.
- InsecureBank is an intentionally vulnerable application used for training on different Android platform attacks.
- In this exercise we'll look at insecure logging and at how to hook the application on the go with the tool AndBug.
- Installing the application from Santoku to Nexus 5, using ADB:
- InsecureBank.apk works in a client/server model: the server runs on Santoku on port 8888 and the client on the mobile device.
- Starting the server on Santoku with the script app.py, located inside the folder AndroLabServer:
- Starting the application at the mobile device:
- Configuring the preferences:
- Serveip is Santoku's IP:
- Listening port for the server is 8080:
1 - INSECURE LOGGING
- Once the application is running, let's detect its PID:
- Logging the application with ADB logcat:
- Entering the default credentials and signing in:
username: dinesh
password: dines@123$
- logcat immediately reports the login attempt:
- Then, performing a transaction of 1 million dollars from Account 1111 to Account 2222:
- Again, the logging debugger logcat immediately reports the transaction:
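As an added example (not part of the original post or of InsecureBank), the following Python script does the defender's side of this section: it parses adb logcat "threadtime" lines, keeps only the target PID and flags messages carrying the kinds of data the exercise shows leaking (credentials, account numbers, amounts). The sample lines, the PID 1234 and the InsecureBank log tag are constructed, not captured output.

```python
import re
from dataclasses import dataclass

# logcat "threadtime" format: MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\d\d-\d\d)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)

# Field patterns that should never appear in an app's log output.
SENSITIVE = {
    "credential": re.compile(r"\b(password|passwd|pwd)\s*[=:]", re.I),
    "username":   re.compile(r"\b(username|user)\s*[=:]", re.I),
    "account":    re.compile(r"\b(from|to)_?acc(ount)?\s*[=:]\s*\d{4,}", re.I),
    "amount":     re.compile(r"\bamount\s*[=:]\s*\d+", re.I),
}

@dataclass
class Finding:
    pid: int
    tag: str
    kinds: list   # which SENSITIVE patterns matched, in dict order
    msg: str

def parse_line(line):
    """Split one logcat line into its fields; None if it is not threadtime format."""
    m = LOGCAT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["tid"] = int(rec["pid"]), int(rec["tid"])
    return rec

def scan_logcat(lines, pid):
    """Return a Finding for every line of the given PID that leaks sensitive fields."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["pid"] != pid:
            continue          # other processes are out of scope for this app
        kinds = [k for k, rx in SENSITIVE.items() if rx.search(rec["msg"])]
        if kinds:
            findings.append(Finding(rec["pid"], rec["tag"], kinds, rec["msg"]))
    return findings

# Constructed sample output modelled on the exercise; not a real capture.
SAMPLE = [
    "12-23 10:15:01.101  1234  1234 D InsecureBank: Login attempt username=dinesh password=dines@123$",
    "12-23 10:15:01.205  1234  1250 I InsecureBank: HTTP 200 from /login",
    "12-23 10:15:33.418  1234  1234 D InsecureBank: dotransfer from_acc=1111 to_acc=2222 amount=1000000",
    "12-23 10:15:33.420   987   987 D Launcher: dotransfer password=shouldnotmatch",
]

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE, 1234):
        print(f.tag, f.kinds, f.msg)
```

In a real assessment the input would be `adb logcat -v threadtime` piped into the script, with the PID taken from the `ps` lookup shown above.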
2 - HOOKING WITH ANDBUG
- Hooking an application is a very useful technique to analyze and understand on the go how applications work.
- AndBug is a wrapper around the Java(TM) Debug Wire Protocol (JDWP), which is the protocol used for communication between a debugger and the Java virtual machine (VM) it debugs, called the target VM.
- AndBug allows analyzing the methods and the arguments passed to them while the application is running, by setting trace and hook points on those methods.
- AndBug can be found here:
https://github.com/swdunlop/AndBug
- Once AndBug is downloaded and installed on the Santoku Linux box:
- Installing it with the setup.py file:
- Looking up the PID of the application insecurebank.apk:
- Running the andbug command against that PID, and loading the classes for the application's package:
- Checking which methods the .RestClient class uses:
- Setting up a hook for the .dotransfer method:
- Performing a transaction with the mobile application:
- When the .dotransfer method is called and its arguments are passed, AndBug remotely displays all the details of the transaction: