AdSense
Friday, December 23, 2016
ANDROID PT / Hooking with AndBug
HOOKING WITH ANDBUG
- Layout for this exercise:
- Layout for this exercise:
- Connecting Santoku to Nexus 5:
0 - INSECURE BANK
- To illustrate the exercises of this post, it will be used the InsecureBank application, written by Dinesh Shetty.
- InsecureBank is an intentionally vulnerable application used to gain training on different Android platform attacks.
- In this exercise we'll see insecure logging and how to hook the application on the go with the tool AndBug.
- Installing the application from Santoku to Nexus 5, using ADB:
- InsecureBank.apk works in a client/server model, so the server runs at Santoku on port 8888 and the client on the mobile device.
- Starting the server on Santoku with the script app.py, located inside the folder AndroLabServer:
- Starting the application at the mobile device:
- Configuring the preferences:
- Serveip is Santoku's IP:
- Listening port for the server is 8080:
1 - INSECURE LOGGING
- Once the applications is running, let's detect its PID:
- Logging the application with ADB logcat:
- Introducing the default credentials and signing in:
username: dinesh
password: dines@123$
- logcat informs immediately about the login trial:
- Then, performing a transaction of 1 million dollar from Account 1111 to Account 2222:
- Again, the logging debugger logcat informs immediately about the trasaction:
2 - HOOKING WITH ANDBUG
- Hooking an application is a very useful technique to analyze and understand on the go how applications work.
- AndBug is a wrapper around the JavaTM Debug Wire Protocol (JDWP), what is the protocol used for communication between a debugger and the Java virtual machine (VM) which it debugs, called the target VM.
- AndBug allows to analyze the methods and the passed arguments while the applications is being run, by setting trace and hookup points on those methods.
- AndBug can be found here:
https://github.com/swdunlop/AndBug
- Once AndBug downloaded and installed on Linux Santoku:
- Installing the setup.py file:
- Looking up for the PID of the application insecurebank.apk:
- Using the command andbug over the PID, and loading the classes for the package of the application:
- Checking what are the methods used by the .RestClient class:
- Setting up a hook for the .dotransfer method:
- Performing a transaction with the mobile application:
- When the .dotransfer method is called and the arguments passed to the application, AndBug displays remotely all the details about the transaction:
Thursday, December 22, 2016
ANDROID PT / Client Side Injection
CLIENT SIDE INJECTION
- Layout for this exercise:
- Connecting Santoku to Nexus 5:
- The goal of this exercise is to inject a crafted SQL query to a database, so that the application yields the contents of the database due to the lack of proper input sanitization.
- Android mobile devices use SQLite as framework for local database storage, so let's install the application sqliteapp.apk into the mobile device:
- Clicking the icon of the application:
- The user is prompted to register:
- Registering a user:
- The valid user logins and his private details are displayed:
- With the purpose of bypassing the authentication proceses, let's disassemble the application with jadx and see how is written the source code:
- Running jadx over the application:
- A new directory is created:
- Going to the manifest to see what is the associated package:
- Moving trough the directory to reach the innermost folder of the package, the Java source code is found:
- Opening the connector to the database, there is a SQL instruction that takes credentials (username and password) from the user_records database:
- Now, taking advantage of the lack of input validation sanitization, let's try an "always true" SQL query.
- This SQL injection is based on the well-known fact that OR function yields TRUE whenever one the operands is 1:
0 OR 0 = 0
0 OR 1 = 1
1 OR 0 = 1
1 OR 1 = 1
- For instance: Joey1'or'1'='1'--
- The command injection is successful, because all the details about the user are displayed:
Wednesday, December 21, 2016
ANDROID PT / Bypassing SSL Pinning
BYPASSING SSL PINNING
- Layout for this exercise:
- Connecting Santoku to Nexux 5:
0 - INTRODUCTION
- SSL Pinning is an extra layer of security used by applications to ensure that the certificate provided by the remote server is the expected one.
- By storing the certificate or public key within the application, it is possible a comparison with the certificate or public key provided by the remote server.
- This technique allows the developers to specify what certificates are considered valid by the applications.
- Without SSL pinning, it would be possible to add one certificate to the custom certificate chain, and later to intercept all SSL traffic.
- SSL pinning prevents this from happening, because the certificate introduced by the user doesn't match the certificate embedded or "pinned" into the application.
1 - METHODS TO BYPASS SSL PINNING
- However, this client-side security measure can be bypassed by manipulating the application.
- Applications can be disassembled by removing or manipulating the certificate pinning, also switching the certificate embedded within the application with another.
- In the same way, there are some tools that automatically disable certificate pinning, like for instance the AndroidSSLTrustKiller, by ISECPartners.
- Denis Andzakovic published a paper on 2014 about the SSL Pinning on Android devices. The document can be found here .
2 - SSLPinningExample.apk
- The previous document provides the application SSLPinningExample.apk, very useful to test the bypassing process of SSL Pinning.
- SSLPinningExample.apk just performs an HTTP request to http://github.com, displaying the result of the request.
- In general circumstances, the HTTP response would be returned from Github.
- However, because SSL Pinning is enabled, in case of presence of a proxy like Burp, it would result in an SSL error.
- Once the test application is downloaded from the previous link, it is installed on the Android device:
3 - TESTING WITH BURP
- Burp proxy is enabled on the Android device:
- The proxy hostname corresponds to Santoku's IP (192.168.1.8), where the Burp suite is installed:
- Clicking the icon of the application:
- The user is prompted to test the application:
- Launching Burp and setting to "on" the interception, however nothing happens. The reason is that the application tries to verify the certificate, but not been recognized as the trusted one, the connection is not established.
4 - ANDROID SSL TRUST KILLER
- For the purpose of bypassing the SSL pinning, let's download to Santoku the application AndroidSSLTrustKiller, by ISECPartners:
https://github.com/iSECPartners/android-ssl-TrustKiller
- Installing AndroidSSLTrustKiller on Nexus 5:
5 - FINAL TEST
- Testing again the application SSLPinningExample.apk:
- Now, the HTTPS request connection to github.com is intercepted:
- Forwarding the request:
- Eventually, the mobile device receives the answer to the HTTPS request:
- The success of this final test is due to the fact that the application Android SSL TrustKiller is disabling the SSL Pinning embedded into SSLPinningExample.apk, what didn't happen at the previous test on point 3.
Subscribe to:
Posts (Atom)