Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018

448 views

Published on

Decrypting iOS app traffic with Wireshark and TLS secrets extracted using Frida

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018

  1. 1. Inspecting iOS App Traffic with JavaScript @AndyDavies https://www.flickr.com/photos/marc-flores/8367323660
  2. 2. WHY?
  3. 3. What’s that app doing when you’re not looking? https://www.flickr.com/photos/clover_1/6664943919
  4. 4. rvictl -s 782ea5ddfa242a6efda29adcc4a5bd7bf1ae4c96 From Xcode’s Command Line Tools UDID of device (From itunes, idevice_id, system_profiler) Network interface that mirrors device traffic
  5. 5. tcpdump -i rvi0 -w capture.pcap Network interface created in previous step Capture traffic to a file
  6. 6. View captured network packets in wireshark
  7. 7. DEMO
  8. 8. https://www.flickr.com/photos/ironypoisoning/24223737671 But of course… iOS App traffic is all encrypted
  9. 9. Can still see some patterns
  10. 10. But… wouldn’t it be great if we could see the contents?
  11. 11. CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836 84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267D DC4B178CBD33EA88 CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C2 0AAEE2593699872 CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F 4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6E B09007FF905635DD0 CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722 3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F 27DCD485B7C1D44D7 CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9 4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF7 66F2D471FDC8A25FF CLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69 962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122 201E4C20210C25CA CLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6 Wireshark can decrypt HTTPS if it has a keylog
  12. 12. CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836 84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267D DC4B178CBD33EA88 CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C2 0AAEE2593699872 CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F 4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6E B09007FF905635DD0 CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722 3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F 27DCD485B7C1D44D7 CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9 4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF7 66F2D471FDC8A25FF CLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69 962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122 201E4C20210C25CA CLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6 Wireshark can decrypt HTTPS if it has a keylog
  13. 13. CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836 84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267D DC4B178CBD33EA88 CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C2 0AAEE2593699872 CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F 4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6E B09007FF905635DD0 CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722 3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F 27DCD485B7C1D44D7 CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9 4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF7 66F2D471FDC8A25FF CLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69 962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122 201E4C20210C25CA CLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6 Wireshark can decrypt HTTPS if it has a keylog 64 byte hex encoded value from TLS Client Hello message
  14. 14. CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836 84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267D DC4B178CBD33EA88 CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C2 0AAEE2593699872 CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F 4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6E B09007FF905635DD0 CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722 3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F 27DCD485B7C1D44D7 CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9 4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF7 66F2D471FDC8A25FF CLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69 962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122 201E4C20210C25CA CLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6 Wireshark can decrypt HTTPS if it has a keylog hex encoded secret
  15. 15. So where can we get the values from?
  16. 16. Chrome & Firefox can dump them out WebPageTest makes it super easy to get them - enable tcpdump in advanced options
  17. 17. But… How do we get them for iOS?
  18. 18. https://www.frida.re/
  19. 19. Inject JavaScript into an App! App JavaScript VM Script Host Injects script Receives Messages
  20. 20. Three methods for adding Frida Use a Jailbroken iPhone Install Frida from Cydia (available for all apps on device) Resign someone else’s app, and inject the FridaGadget (app may need decrypting first) Add the FridaGadget to your own App
  21. 21. What can we do with it?
  22. 22. DEMO
  23. 23. So… back to App traffic…
  24. 24. http://www.delaat.net/rp/2015-2016/p52/report.pdf
  25. 25. https://opensource.apple.com/source/coreTLS/coreTLS-83.20.8/lib/tls1Callouts.c.auto.html /* * The TLS pseudorandom function, defined in RFC2246, section 5. * This takes as its input a secret block, a label, and a seed, and produces * a caller-specified length of pseudorandom data. * * Optimization TBD: make label optional, avoid malloc and two copies if it's * not there, so callers can take advantage of fixed-size seeds. */ // Note: This is exported as SPI. int tls_handshake_internal_prf( tls_handshake_t ctx, const void *vsecret, size_t secretLen, const void *label, // optional, NULL implies that seed contains // the label size_t labelLen, const void *seed, size_t seedLen, void *vout, // mallocd by caller, length >= outLen size_t outLen) { int serr = errSSLInternal; … Master Secret Client & Server Randoms
  26. 26. var hexChar = ["0", "1", "2", "3", "4", "5", "6", "7","8", "9", "A", "B", "C", "D", "E", "F"]; function byteToHex(byte) { return hexChar[(byte >> 4) & 0x0f] + hexChar[byte & 0x0f]; } var f = Module.findExportByName("libsystem_coretls.dylib", "tls_handshake_internal_prf"); Interceptor.attach(f, {onEnter: function (args) { var secretLength = parseInt(args[2], 16); var seedLength = parseInt(args[6], 16); if(secretLength == 48 && (seedLength == 64 || seedLength == 77)) { var secretAddr = new NativePointer(args[1]) var secretBytes = new Uint8Array(Memory.readByteArray(secretAddr, secretLength)); var secret = ""; for(var i = 0; i < secretLength; i++) { secret += byteToHex(secretBytes[i]); } Find function Hook function Extract master secret
  27. 27. var seedLength = parseInt(args[6], 16); var seedAddr = new NativePointer(args[5]); var seedBytes = new Uint8Array(Memory.readByteArray(seedAddr, seedLength)); var clientRandom = ""; var serverRandom = ""; if(seedLength == 64) { for(i = 0; i < 32; i++) { clientRandom += byteToHex(seedBytes[i]); } for( ; i < 64; i++) { serverRandom += byteToHex(seedBytes[i]); } } else if(seedLength == 77) { // key expansion var offset = 13; for(i = offset; i < 32 + offset; i++) { serverRandom += byteToHex(seedBytes[i]); } for( ; i < 64 + offset; i++) { clientRandom += byteToHex(seedBytes[i]); } } Extract client and server randoms
  28. 28. if(clientRandom !== "") { send("CLIENT_RANDOM "+ clientRandom + " " + secret); } } } }); Send it to the host
  29. 29. DEMO
  30. 30. So what did I learn? ★ Just like on the web… sometimes we forget to Compress JSON responses Reuse connections Optimise images And a whole bunch of other things
  31. 31. Areas that need more work ★ TLS Session Resumption ★ Safari ★ iOS 11 ★ Transforming the packet captures into something that’s easy for any developer to understand
  32. 32. Thank You @AndyDavies

×