Pentesting iOS Apps - Runtime Analysis and Manipulation (Andreas Kurtz)
Apple iOS Apps are primarily developed in Objective-C, an object-oriented extension and strict superset of the C programming language. Objective-C supports the concepts of reflection, also known as introspection. This describes the ability to examine and modify the structure and behavior (specifically the values, meta-data, properties and functions) of an object at runtime.
This talk discusses the background, techniques, problems and solutions of Objective-C runtime analysis and manipulation. It shows how running applications can be extended with additional debugging and runtime tracing capabilities, and how this can be used to modify instance variables and to execute or replace arbitrary object methods of an app.
Moreover, a new framework to assist dynamic analysis and security assessments of iOS Apps will be introduced and demonstrated.
This slide deck briefly covers various tools and techniques used to extract unprotected data from iOS apps. You can extract resource files and database files, and get data at runtime using various methods. In my next slides I will briefly cover the ways to secure your iOS apps.
A workshop about the "dark side" of iOS, Objective-C and Xcode. Discussion about private API, why Apple doesn't want you to use it and how they enforce that. What information can you extract from a compiled binary? Let's take a look at the possibilities of reverse engineering including demos and showcases.
SANS @Night Talk: SQL Injection Exploited (Micah Hoffman)
This presentation was given at the SANS Rocky Mountain Conference in Denver, CO, June 2014. The presentation had a rather large portion that was demo. That is not captured here. Sorry.
IDA Vulnerabilities and Bug Bounty by Masaaki Chida (CODE BLUE)
IDA Pro is an advanced disassembler and is often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behaviour in detail; if it has a vulnerability and a user is attacked, this can have an impact not only in a social sense but also on legal proceedings. In this presentation I will discuss the vulnerabilities found, attacks leveraging those vulnerabilities, Hex-Rays's remediation process and the dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
This talk gives an overview of the Android operating system and its app ecosystem from the security point of view of a penetration tester.
So let's dive into topics like pentest environment setup, tools of the trade, app analysis and some security hints for Android developers.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down, or worse. But with the rise of CD pipelines and new DevSecOps tooling, there is an opportunity to reverse this trend and move security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
Advanced Eclipse Workshop (held at IPC2010 -spring edition-) (Bastian Feder)
As PHP evolves, so does the way it is programmed. The days when PHP was used only by hobby programmers are over. But as the demands on projects grow, so do the demands on development. A powerful IDE such as Eclipse PDT, Zend Studio or NetBeans is quickly reached for. But what does demanding development with such an IDE look like? Using the Eclipse PDT IDE as an example, this workshop will demonstrate what such development can look like. In detail, you will be shown how to maintain and develop your code together with several people using SVN and Subversive, and how to adapt the development environment to your needs, for example to trigger your own build processes with phing. So that you can gain your own experience directly, we strongly recommend bringing your laptop. To avoid time-consuming installations, an Ubuntu Live CD will be provided. Participants with an existing Linux installation and the appropriate rights can set up their system for daily use directly during the workshop.
Akash Mahajan, Appsecco
Ansible offers a flexible approach to building a SecOps pipeline. System hardening can become just another software project. Using it we can do secure application deployment, configuration management and continuous monitoring. Security can be codified and attack surfaces reduced by using Ansible.
Who is this talk for?
This talk and demo are relevant and useful for any practitioner of DevSecOps.
- It introduces the concepts of declarative security
- Showcases one of the tools (Ansible) to embrace DevSecOps in a friction-free, no-expense-required manner
- Implements security architecture principles using a structured language (YAML) as part of a framework (playbooks), which is 'Infrastructure as Code'
- Gives a clear roadmap on how to find the best practices for security hardening
- Covers how continuous monitoring can be applied for security
Technical Requirements
While 30 minutes is too short to let attendees do hands-on work, the following will be required:
- A modern Linux distribution with Python and Ansible installed
- Basic idea of running commands on the Linux command line
### Delivered at grrcon.com ###
One of the primary data sources we use on the Splunk Security Research Team is attack data collected from various corners of the globe. We often obtain this data in the wild using honeypots, with the goal of uncovering new or unusual attack techniques and other malicious activities for research purposes. The nirvana state is a honeypot tailored to mimic the kind of attack/attacker you are hoping to study. To do this effectively, the honeypot must very closely resemble a legitimate system. As a principal security researcher at Splunk, co-founder of Zenedge (now part of Oracle), and Security Architect at Akamai, I have spent many years protecting organizations from targeted as well as internet-wide attacks, and honeypots have been an extremely useful tool (at times better than threat intel) for capturing and studying active malicious actors.
In this talk, I aim to provide an introduction to honeypots and explain some of the experiences and lessons learned we have had running Cowrie, a medium-interaction SSH honeypot based on Kippo: how we modified Cowrie to make it more realistic and mimic the systems and attacks we are trying to capture, as well as our approach for the next generation of honeypots we plan to use in our research work. The audience in this talk will learn how to deploy and use the Cowrie honeypot as a defense mechanism in their organization. We will also share techniques on how to modify Cowrie in order to masquerade as different systems and vulnerabilities, mimicking the asset(s) being defended. Finally, we will share example data produced by the honeypot and analytic techniques that can be used as feedback to improve the deployed honeypot. We will close the talk by sharing thoughts on how we are evolving our approach for capturing attack data using honeypots, and why.
This was a workshop I conducted at Black Hat Europe '12. The workshop explains how to program a USB HID, a Teensy++ in this case, for use in offensive security.
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind... (Concentrated Technology)
Whether you’ve attended Greg’s earlier sessions or not, you probably recognize the value in automating application installs. The trick is in getting those installs to do their work silently, without prompting for questions. The hard part, indeed the art, is in that packaging of software. Microsoft MVP Greg Shields has been packaging and deploying software for nearly a decade. In this do-not-miss session, he’ll share his secret tricks in getting the job done. And tricks they are! Whether you’re deploying software through Group Policy, System Center Configuration Manager, a Windows deployment solution, or any of the third party options out there, this session contains the knowledge you’ll need for them all. Don’t miss this one. What you learn might just be the most powerful thing you discover all week at TechMentor.
2. About me
Security Consultant @ INTEGRITY S.A. - www.integrity.pt
Penetration testing:
Web Apps
Mobile Apps
Infrastructure / Wireless
BSc in Information Systems and Computer Engineering
OSCP, CISSP Associate, ISO27001LA, CCNA
8. Environment Setup
Tools of the trade (just to name a few):
*nix tools: tcpdump, ps, file, vim, wget, tar, …
otool, plutil, sqlite3, gdb, installipa, class-dump-z, cycript, ldid, keychain_dumper, dumpdecrypted, …
iRET, Snoop-It, Introspy, iNalyzer, …
9. Environment Setup
Tips and Tricks #1:
Use TCP over USB with usbmux
One such client is libusbmuxd from libimobiledevice, which comes with a Python-based implementation
python tcprelay.py -t 22:2222 8080:8080
ssh root@localhost -p 2222
It's a more stable connection
No need to have a Wi-Fi connection at all
13. Binary protections
The bundle of an iOS app is a zip file with the "ipa" extension
Checks:
Is the binary compiled with the PIE flag (Position Independent Executable, aka ASLR)?
Is the binary compiled with stack smashing protection?
What about ARC (Automatic Reference Counting)?
Is the binary encrypted?
otool can be used to obtain the answers for the above questions.
iRET is a tool that uses otool and presents the info in a web page.
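The four checks on this slide can also be answered without otool by reading the Mach-O header and load commands directly. The following is an added example, not code from the talk or from iRET; the constants are those of Apple's <mach-o/loader.h>, the canary and ARC checks are a string-table heuristic (the same idea as grepping `otool -Iv` output), it assumes a thin little-endian image (run `lipo -thin` on a fat binary first), and the embedded sample binary is constructed, not a real app.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_PIE = 0x200000                                  # mach_header.flags bit: ASLR-capable executable
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def check_protections(data: bytes) -> dict:
    """Answer the four questions on slide 13 for one thin (single-arch) Mach-O image."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian thin Mach-O image (fat binary? run lipo -thin first)")
    # header layout: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    _, _, _, ncmds, _, flags = struct.unpack_from("<6I", data, 4)
    off = 32 if magic == MH_MAGIC_64 else 28       # load commands start right after the header
    cryptid = None                                  # stays None if there is no LC_ENCRYPTION_INFO
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # payload: cryptoff, cryptsize, cryptid (+ pad in the 64-bit form); cryptid != 0 = still encrypted
            cryptid = struct.unpack_from("<III", data, off + 8)[2]
        off += cmdsize
    return {
        "pie": bool(flags & MH_PIE),
        # Heuristic: an imported ___stack_chk_fail or _objc_release symbol leaves its
        # name in the binary's string table, which is what `otool -Iv | grep` finds.
        "stack_canary": b"___stack_chk_fail" in data,
        "arc": b"_objc_release" in data,
        "encrypted": bool(cryptid),
    }


def sample_binary() -> bytes:
    """Constructed minimal arm64 image: PIE set, cryptid=1, canary and ARC symbols present."""
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, 1, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(enc), MH_PIE, 0)
    return hdr + enc + b"\x00___stack_chk_fail\x00_objc_release\x00"


if __name__ == "__main__":
    import sys
    # usage: python check_protections.py <app binary from the unzipped ipa>; no argument = sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_binary()
    for name, ok in check_protections(data).items():
        print(f"{name:13s}: {'yes' if ok else 'no'}")
```

A binary pulled from the App Store normally reports encrypted = yes; after the decryption step on slide 15 the same check on the dumped image should report no.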
15. Inspecting the binary
When the binary is encrypted, it is decrypted in memory upon execution.
How can I do that?
By using gdb to dump the memory after decryption
dumpdecrypted
Clutch
(put your decryption tool/script here)
16. Inspecting the binary
What can I do after decryption?
Use class-dump-z to extract the __OBJC segment, which provides information about the internal classes, methods, method arguments and variables used in the app
Use your favourite disassembler, run strings and have fun :)
22. Core Data Services
Where?
<app dir>/Documents/
How?
Data is currently stored as a sqlite file.
Tables are normally prefixed with a "Z"
Z_METADATA
Z_PRIMARYKEY
Z_…
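As an added example that is not part of the original slides, the following Python walks a Core Data store the way this slide describes: Z_PRIMARYKEY lists the entities, Z_METADATA and Z_PRIMARYKEY are bookkeeping, and each Z<ENTITY> table holds the attribute columns next to the Z_PK/Z_ENT/Z_OPT housekeeping columns. The store it inspects is constructed in memory with made-up entity and column names.

```python
import sqlite3

HOUSEKEEPING = ("Z_PK", "Z_ENT", "Z_OPT")   # per-row bookkeeping columns Core Data adds


def inspect_core_data_store(con: sqlite3.Connection) -> dict:
    """Return the entity names from Z_PRIMARYKEY and every attribute value stored
    in the Z<ENTITY> tables, so plaintext secrets can be spotted quickly."""
    con.row_factory = sqlite3.Row
    tables = [r["name"] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name LIKE 'Z%'")]
    # Z_PRIMARYKEY names the entities, so there is no need to guess table names
    entities = [r["Z_NAME"] for r in con.execute("SELECT Z_NAME FROM Z_PRIMARYKEY")] \
        if "Z_PRIMARYKEY" in tables else []
    dump = {}
    for table in tables:
        if table.startswith("Z_"):          # Z_METADATA, Z_PRIMARYKEY: schema bookkeeping only
            continue
        rows = con.execute(f'SELECT * FROM "{table}"').fetchall()
        dump[table] = [{k: r[k] for k in r.keys() if k not in HOUSEKEEPING} for r in rows]
    return {"entities": entities, "tables": dump}


def sample_store() -> sqlite3.Connection:
    """Constructed in-memory store imitating Core Data's schema; the entity,
    columns and the plaintext password are made up for this example."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB);
        CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER);
        CREATE TABLE ZACCOUNT (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
                               ZUSERNAME VARCHAR, ZPASSWORD VARCHAR);
        INSERT INTO Z_METADATA VALUES (1, 'constructed-uuid', NULL);
        INSERT INTO Z_PRIMARYKEY VALUES (1, 'Account', 0, 1);
        INSERT INTO ZACCOUNT VALUES (1, 1, 1, 'alice', 'hunter2');
    """)
    return con


if __name__ == "__main__":
    import sys
    # usage: python inspect_store.py <app dir>/Documents/<Model>.sqlite; no argument = sample
    con = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else sample_store()
    for table, rows in inspect_core_data_store(con)["tables"].items():
        for row in rows:
            print(table, dict(row))
```

Anything the dump prints is readable by whoever gets hold of the device backup or a jailbroken filesystem, which is the finding this slide is driving at.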
27. Background screenshot
What?
Every time an app is put in the background a screenshot is taken. This screenshot is used by iOS when the app returns to the foreground
Where?
<app dir>/Library/Caches/Snapshots/<app id>/Main/
32. Introspy
Tracer:
Used to hook and log security-sensitive iOS APIs called by applications running on the device
The calls can also be sent to the Console for real-time analysis
Analyzer:
A tool to turn a database generated by Introspy into an HTML report
34. Filesystem
While executing, an application interacts with the filesystem, and files are created, deleted, read, moved, etc.
Introspy, Snoop-It and fileMon are some of the applications that allow for file system monitoring in real time
35. Keychain
While executing, an application interacts with the keychain, and items are created, deleted, read, updated, etc.
Introspy and Snoop-It are some of the applications that allow for keychain monitoring in real time
36. Methods, variables …
Using Cycript one can interact with the Objective-C runtime environment and call methods, change method implementations, change variable values, etc.
Snoop-It implements part of Cycript's functionality, and it's simpler to use
38. Network
There are 2 types of apps, from the network perspective:
Those that respect the HTTP proxy configuration for network interactions;
Tools: A proxy like Burp Suite or ZAP.
and those that don't!
Tools: A proxy like Mallory.
41. Tips and Tricks #2:
Instead of exposing your proxy on the network, use SSH remote port forwarding
ssh root@localhost -p 2222 -R 8080:localhost:8080
Configure the HTTP proxy on the device to point to localhost:8080
43. Network
What to look for:
Does the app use SSL?
Does the app accept any certificate?
Remove any root CA installed on the phone
What about certificate pinning?
Install the Burp root CA before testing
46. Pinning
If an application uses pinning, what can you do?
You can use a tool that patches low-level SSL functions to bypass any certificate validation based on iOS APIs
48. Backend
Infrastructure and web app backend tests apply to this component:
Data validation flaws
Business logic flaws
Authentication flaws
Authorisation flaws
…