Hacking iOS with Proxies - dc612

878 views

Published on

From http://dc612.org/index.php/2013/11/02/november-14th-meeting-6pm-elsies/:
Karl Fosaaen will be presenting on Attacking iOS Apps with Proxies at the November 14th DC612. This presentation will cover the basics of attacking iOS applications (and their back ends) using a web proxy to intercept, modify, and repeat HTTP/HTTPS requests. From setting up the proxy to pulling data from the backend systems, this talk will be a great primer for anyone interested in testing iOS applications at the HTTP protocol level. There will be a short primer on setting up the intercepting proxy, followed by three practical examples; showing how to intercept data headed to the phone, how to modify data heading to the application server, and how to pull extra data from application servers to further an attack. All of these examples will focus on native iOS apps (Game Center and Passbook) and/or functionality (Passbook Passes).

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
878
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Hacking iOS with Proxies - dc612

  1. 1. Hacking iOS GameCenter and Passbook with Proxies DC612 November 14, 2013
  2. 2. Who am I? • Karl Fosaaen Senior Security Consultant At NetSPI Twitter: @kfosaaen
  3. 3. Presentation Overview • Intercepting iOS Traffic • Proxies • Why and How • Tools • Certificates • Attack Examples • GameCenter Scores • GameCenter Hashes • Passbook files • Conclusions
  4. 4. Intercepting traffic: Proxies • What are they? ‒ A tool that allows you to intercept, modify, and store HTTP and HTTPs requests • Examples ‒ Burp ‒ ZAP ‒ Fiddler ‒ WebScarab
  5. 5. Intercepting traffic: Why • iOS traffic can be interesting ‒ Most apps use web service calls ‒ Most apps are just pretty web browsers • Traffic tampering ‒ Can you name your own price/score? ‒ Most back ends have the same vulnerabilities as normal web apps (XSS, SQLi, etc.) • Server responses can be interesting ‒ Modify what the server says to trick your app ‒ Intercepting files (ie: Passbook Passes) • Same goes for Android
  6. 6. Intercepting traffic: How • Use an intercepting proxy ‒ Be on the same Wi-Fi network as the iOS device ‒ Set it up to capture your traffic ‒ Store and forward allows for tampering • SSL Interception ‒ Requires a trusted certificate ‒ Some apps don’t trust iOS cert stores • This is a good thing, just a pain for interception • Traffic sniffing ‒ Some apps send requests in the clear ‒ Packet sniffing can be useful
  7. 7. Intercepting traffic: Tools • Burp • iOS simulator • Other Proxies ‒ ZAP ‒ Fiddler ‒ WebScarab
  8. 8. Intercepting Traffic: Certs • Exporting the Burp Root CA
  9. 9. Intercepting Traffic: Certs • Exporting the Burp Root CA
  10. 10. Intercepting Traffic: Certs • Exporting the Burp Root CA • Save the root cert as PortSwiggerCA.crt • Send the cert to yourself via email and add it to your iOS device • Instructions from Portswigger: http://portswigger.net/burp/help/proxy_options_installingCAcert.html#iphone
  11. 11. Intercepting Traffic: Certs • Exporting the Burp Root CA • Certificate installed on iPhone
  12. 12. Intercepting Traffic: Burp • Burp Set Up
  13. 13. Intercepting Traffic: Burp • iOS Proxy Set Up
  14. 14. Intercepting Traffic: Burp • Intercepted iOS traffic • HTTPS request to Google from iPhone
  15. 15. Intercepting Traffic: Burp • A quick warning… ‒ Watch your credentials • • Exchange ActiveSync sends encoded passwords Your login creds for other apps and sites will get stored in your proxy ‒ Mostly watch the data getting stored in your proxy • You never know when you will need to send your Burp session to someone else
  16. 16. Intercepting Traffic: Certs • Identifying pinned apps • Able to intercept normal browser SSL traffic • Can’t get app specific data • Pinning might be in use • The app may also be looking for specific cert parameters • This is not pinning • It’s cert checking
  17. 17. Intercepting Traffic: Certs • Avoiding issues with cert pinned apps • • • • Open the app without the proxy enabled Get to a spot where you request an external resource Switch over to your preferences • Turn on the Proxy Request the resource • • • • Passbook pass Coupons Etc. Or just use the exclusions in Burp
  18. 18. Attack Examples Example Time!
  19. 19. Attack Examples • GameCenter High Scores • GameCenter Email Hashes • Passbook files
  20. 20. Attack Examples: GameCenter GameCenter High Scores
  21. 21. Attack Examples: GameCenter
  22. 22. Attack Examples: GameCenter • Attacking High Scores ‒ GameCenter scores update with HTTPS POST requests ‒ No input validation on “score-value” parameter • Max score of 9,223,372,036,844,775,807
  23. 23. Attack Examples: GameCenter • Attack Process ‒ Set up intercepting proxy ‒ Play a game • Beat the first level or • Trigger a score update ‒ Intercept the score update • Look for “submitScores” page ‒ Replace score value with 9,223,372,036,844,775,807
  24. 24. Attack Examples: GameCenter
  25. 25. Attack Examples: GameCenter
  26. 26. Attack Examples: GameCenter
  27. 27. Attack Examples: GameCenter ‒ Bad News • • This was fixed in iOS 7 There’s a token now =
  28. 28. Attack Examples: GameCenter Capturing GameCenter Email Hashes
  29. 29. Attack Examples: GameCenter • Capturing Email Hashes • Unsalted SHA1 email hashes can be leaked by requesting player information • This can be done for current friends and accounts of “friends of friends” • Why would they allow this?
  30. 30. Attack Examples: GameCenter • Capturing Email Hashes • Step One: Add a bunch of friends • Current recommendations, leaderboards, friends of your friends
  31. 31. Attack Examples: GameCenter • Capturing Email Hashes • Step Two: Get a list of all of their friends • • So “friends of friends” Use Burp for this
  32. 32. Attack Examples: GameCenter • Capturing Email Hashes • Step Three: Friend request all of them
  33. 33. Attack Examples: GameCenter • Capturing Email Hashes • RETURN to Step One multiple times • Step Four: Query for the email hashes for all of your friends and all of their friends too • • This will be done with intruder in Burp Much like step three – Send the request on the next slide to intruder • *Step Five: Write a worm that tries to friend everyone (*Very Optional)
  34. 34. Attack Examples: GameCenter
  35. 35. Attack Examples: GameCenter • Next Steps ‒ So you have some hashes, so what… • You have their handle, first and last names too ‒ What’s your email address? • Common email user names • • • • First.last FirstinitialLast Handle/username NameBirthYear (or other “significant” number) ‒ Who’s your email provider? • Gmail, Yahoo, Hotmail, AOL
  36. 36. Attack Examples: GameCenter • Cracking Email Hashes ‒ PowerShell Script to Guess Email user names • kfosaaen@example.com • k.fosaaen@example.com • karlfosaaen@example.com • karl.fosaaen@example.com • karl.f@example.com • karlf@example.com ‒ Append the top 500 email domains to the end and SHA1 each one
  37. 37. Attack Examples: GameCenter • Cracking Email Hashes ‒ PowerShell Script to SHA1 hash the guessed emails • This was basic, but worked well ‒ Use the email guesses as a dictionary for Hashcat • The rule set can be customized to make cracking easier
  38. 38. Attack Examples: GameCenter • Final Numbers: ‒ 225 friends added* (as of 10/16/13) *Records collection stopped after 45 friends ‒ 1,635 records gathered • 1,534 after Unicode removal • 14,377 available to me currently ‒ 300 email hashes cracked (19.5%) Records Example: SHA1 Email Hash : username : First Name : last Name 591542B50A99EAA8E41136305075F9FF708F1992:bubblefish:Deb:Morgan
  39. 39. Attack Examples: Passbook Passbook
  40. 40. Attack Examples: Passbook • Multiple Apps are now available with Passbook • Mostly used to store loyalty cards, coupons, and boarding passes ‒ Gift cards are now getting adopted • Can actually be pretty convenient to use
  41. 41. Attack Examples: Passbook • Passes are sent as .pkpass files ‒ .pkpass is just a renamed .zip file ‒ Required contents: • manifest.json • pass.json • Signature • • A signature file for integrity Prevents file replacement and a re-zip
  42. 42. Attack Examples: Passbook • Creating your own ‒ Join the Apple Developer Program ($99) ‒ Create a pass.json file to match your info • The teamIdentifier and passTypeIdentifier fields need to match your Apple cert info • Make the pass details what you want • • Boarding pass, coupon, etc. Add images ‒ Use the signpass application (from Apple) to generate the new .pkpass file ‒ Can be done in Windows and Linux
  43. 43. Attack Examples: Passbook • Deployment ‒ Can be done via email or web server
  44. 44. Attack Examples: Passbook • Common Application Issues: • Failure to securely deliver .pkpass files • No HTTPs or certificate pinning • Failure to validate pass information on backend systems • Do you really have $1,000 on that gift card?
  45. 45. Attack Examples: Passbook • Attack overview – Proxy method ‒ Set up your intercepting proxy ‒ Request a Passbook pass from the app • Look for the “Add to Passbook” button ‒ Intercept the request for the pass • Usually to a third party site ‒ Request and save the pass in your browser ‒ Modify your pass ‒ Re-sign and use your new and improved pass
  46. 46. Attack Examples: Passbook • Attack overview – Easier way ‒ Add your pass to Passbook ‒ Send yourself the pass from the Passbook app ‒ Modify your pass ‒ Re-sign and use your new and improved pass =
  47. 47. Attack Examples: Passbook • Delta Boarding Passes ‒ One of many Passbook apps, but it’s the one that I use the most ‒ Main Delta App does not do certificate pinning
  48. 48. Attack Examples: Passbook • Delta Boarding Passes ‒ Request for Passbook pass
  49. 49. Attack Examples: Passbook • Attack overview – Easier way
  50. 50. Attack Examples: Passbook • Attack overview – Easier way
  51. 51. Attack Examples: Passbook • Delta Boarding Passes ‒ Extracted pkpass file ‒ Extracted Sky Priority pkpass file
  52. 52. Attack Examples: Passbook • Delta Boarding Passes ‒ Modify the pass.json file ‒ And include the footer images in the directory
  53. 53. Attack Examples: Passbook • Delta Boarding Passes ‒ Run the Signpass utility and email yourself the pass
  54. 54. Attack Examples: Passbook • Modified and Original Delta Boarding Passes
  55. 55. Conclusions •Fixes • • • Certificate pinning Better input validation Limiting data leakage from apps
  56. 56. Hacking iOS Game Center and Passbook • Questions? • Karl Fosaaen ‒ Senior Security Consultant at NetSPI ‒ Twitter: @kfosaaen

×