ME!
Employer! - SYNACK.com
“leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints”
Our privacy. Our money. Our freedoms.
Wouldn’t want to lose any of those things!
Pangu TaiG
For those that don’t know Aarch64
IdaRef documentation plugin:
https://github.com/nologic/idaref
In-process
External
Objc_Trace: Call Sequence
Hook Steps
1. Allocate a page - a jump page
2. Set objc_msgSend readable and writable
3. Copy preamble bytes from objc_msgSend
4. Check for branch instructions in preamble
5. Modify objc_msgSend preamble
6. Set jump page to readable and executable
7. Set objc_msgSend readable and executable
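Step 4 decides whether the copied preamble can run from the jump page at all: any AArch64 instruction that encodes a PC-relative target (B, BL, B.cond, CBZ/CBNZ, TBZ/TBNZ, ADR, ADRP, LDR literal) computes the wrong address once it executes from the jump page instead of its original location. The check below is an added example written for this page, not objc_trace's own code; it is portable C that scans a copied preamble and reports the first instruction that cannot be moved unchanged. The two sample preambles are constructed for the demo and are not bytes from any real libobjc.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classify a 32-bit AArch64 instruction that cannot be copied to another
 * address unchanged because it encodes a PC-relative target. Returns the
 * mnemonic class, or NULL when the instruction is position-independent.
 * Masks follow the ARMv8-A encoding tables (branch, compare/test-and-branch,
 * PC-relative addressing and load-literal groups). */
const char *classify_insn(uint32_t insn) {
    if ((insn & 0xFC000000u) == 0x14000000u) return "B";             /* unconditional branch */
    if ((insn & 0xFC000000u) == 0x94000000u) return "BL";            /* branch with link */
    if ((insn & 0xFF000010u) == 0x54000000u) return "B.cond";        /* conditional branch */
    if ((insn & 0x7E000000u) == 0x34000000u) return "CBZ/CBNZ";      /* compare and branch */
    if ((insn & 0x7E000000u) == 0x36000000u) return "TBZ/TBNZ";      /* test bit and branch */
    if ((insn & 0x9F000000u) == 0x10000000u) return "ADR";           /* PC-relative address */
    if ((insn & 0x9F000000u) == 0x90000000u) return "ADRP";          /* PC-relative page */
    if ((insn & 0x3B000000u) == 0x18000000u) return "LDR (literal)"; /* PC-relative load */
    return NULL;
}

/* Instructions are stored little-endian; assemble one without relying on
 * the host's alignment rules or byte order. */
static uint32_t load_insn(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan `len` bytes of preamble copied to the jump page. Returns 1 when every
 * instruction may execute from its new address as-is; returns 0 and stores
 * the index of the first offending instruction otherwise. A length that is
 * not a multiple of 4 is rejected too: the patch would split an instruction. */
int preamble_is_relocatable(const uint8_t *code, size_t len, size_t *bad_index) {
    if (len % 4 != 0) {
        if (bad_index) *bad_index = len / 4;
        return 0;
    }
    for (size_t i = 0; i < len / 4; i++) {
        if (classify_insn(load_insn(code + 4 * i)) != NULL) {
            if (bad_index) *bad_index = i;
            return 0;
        }
    }
    return 1;
}

/* Constructed sample preambles for the demo; not bytes from any real libobjc. */
/* cmp x0, #0 ; ldr x13, [x0] ; nop ; mov x16, x0  -- all position-independent */
static const uint8_t SAFE_PREAMBLE[] = {
    0x1F, 0x00, 0x00, 0xF1,
    0x0D, 0x00, 0x40, 0xF9,
    0x1F, 0x20, 0x03, 0xD5,
    0xF0, 0x03, 0x00, 0xAA,
};
/* cmp x0, #0 ; b.le #+0x40 ; ldr x13, [x0] ; nop  -- the b.le is PC-relative */
static const uint8_t UNSAFE_PREAMBLE[] = {
    0x1F, 0x00, 0x00, 0xF1,
    0x0D, 0x02, 0x00, 0x54,
    0x0D, 0x00, 0x40, 0xF9,
    0x1F, 0x20, 0x03, 0xD5,
};

int main(void) {
    size_t bad = 0;
    printf("safe preamble relocatable: %d\n",
           preamble_is_relocatable(SAFE_PREAMBLE, sizeof SAFE_PREAMBLE, &bad));
    if (!preamble_is_relocatable(UNSAFE_PREAMBLE, sizeof UNSAFE_PREAMBLE, &bad))
        printf("unsafe preamble: instruction %zu is %s; it cannot be copied verbatim\n",
               bad, classify_insn(load_insn(UNSAFE_PREAMBLE + 4 * bad)));
    return 0;
}
```

An instruction flagged this way has to be rewritten for its new address or the patch has to be shortened so it is not copied; a trampoline that copies it verbatim silently branches to the wrong code. Register-indirect control flow (BR, RET) is not flagged, since it does not depend on the instruction's own address.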
#include <objc/runtime.h>
#include <mach-o/loader.h>
#include <stdint.h>

// cache_getImp is not exported by libobjc; objc_trace reaches it at a fixed offset from the library base.
typedef IMP (*p_cache_getImp)(Class cls, SEL sel);
static p_cache_getImp c_cache_getImp;
const struct mach_header* libobjc_dylib_base(void);

// Find the cache check function cache_getImp (the offset is specific to the libobjc build used in the talk).
static void resolve_cache_getImp(void) {
    const struct mach_header* libobjc_base = libobjc_dylib_base();
    c_cache_getImp = (p_cache_getImp)((uint8_t*)libobjc_base + 97792 + 0x4000);
}

// Only record unseen method calls: a method-cache hit means this selector was already dispatched on this class.
void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
    Class cls = object_getClass(self);
    IMP cacheImp = NULL;
    if(cls != NULL && op != NULL)
        cacheImp = c_cache_getImp(cls, op);
    if(!cacheImp) {
        // not in cache, never been called, record the call.
        …
    }
}
Machshark
{'_payload': {'_payload': {'_msg': '\x00\x00\x08\x00\x00\x00subsystem\x00\x00\x00\x00@\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00ha',
                           'type': 2048},
              'magic': '!CPX',
              'version': 5},
 'msgh_bits': 1250579,
 'msgh_id': 268435456,
 'msgh_local_port': '0x30b',
 'msgh_remote_port': '0x10b',
 'msgh_reserved': 2819,
 'msgh_size': 256}
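The dump above is one captured message as Machshark prints it: a mach_msg_header_t (msgh_bits through msgh_id) followed by an XPC-framed body whose magic is '!CPX' and whose version is 5. As an added example, not Machshark's own code, the C below decodes such a capture from raw bytes: it splits msgh_bits into the remote, local and voucher port-right dispositions, recognises the XPC framing in a simple message, and never reads past what was actually captured when msgh_size claims more. The sample buffer is constructed from the header values in the dump with placeholder body bytes, and the assumption that the '!CPX' framing sits directly after the header holds only for non-complex messages (complex ones carry descriptors first).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Port-right codes carried in msgh_bits (values from <mach/message.h>). */
#define MACH_MSG_TYPE_MOVE_RECEIVE   16u
#define MACH_MSG_TYPE_MOVE_SEND      17u
#define MACH_MSG_TYPE_MOVE_SEND_ONCE 18u
#define MACH_MSG_TYPE_COPY_SEND      19u
#define MACH_MSG_TYPE_MAKE_SEND      20u
#define MACH_MSG_TYPE_MAKE_SEND_ONCE 21u
#define MACH_MSGH_BITS_COMPLEX       0x80000000u
#define MACH_MSG_HEADER_LEN          24u  /* sizeof(mach_msg_header_t) */
#define SAMPLE_LEN                   40u  /* bytes in the constructed capture */

typedef struct {
    uint32_t msgh_bits, msgh_size, msgh_remote_port, msgh_local_port, msgh_reserved, msgh_id;
    unsigned remote_type, local_type, voucher_type; /* port-right disposition per field */
    int complex;      /* descriptors (OOL memory, ports) follow the header */
    int truncated;    /* msgh_size claims more bytes than were captured */
    int is_xpc;       /* body opens with the "!CPX" framing seen in the dump */
    uint32_t xpc_version;
} mach_msg_view;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

const char *right_name(unsigned t) {
    switch (t) {
    case MACH_MSG_TYPE_MOVE_RECEIVE:   return "MOVE_RECEIVE";
    case MACH_MSG_TYPE_MOVE_SEND:      return "MOVE_SEND";
    case MACH_MSG_TYPE_MOVE_SEND_ONCE: return "MOVE_SEND_ONCE";
    case MACH_MSG_TYPE_COPY_SEND:      return "COPY_SEND";
    case MACH_MSG_TYPE_MAKE_SEND:      return "MAKE_SEND";
    case MACH_MSG_TYPE_MAKE_SEND_ONCE: return "MAKE_SEND_ONCE";
    default:                           return t == 0 ? "none" : "unknown";
    }
}

/* Decode a captured message. Returns 0 on success, -1 when the buffer is
 * shorter than a header or the header claims an impossible size. */
int parse_mach_msg(const uint8_t *buf, size_t len, mach_msg_view *v) {
    if (buf == NULL || v == NULL || len < MACH_MSG_HEADER_LEN) return -1;
    memset(v, 0, sizeof *v);
    v->msgh_bits        = rd32(buf + 0);
    v->msgh_size        = rd32(buf + 4);
    v->msgh_remote_port = rd32(buf + 8);
    v->msgh_local_port  = rd32(buf + 12);
    v->msgh_reserved    = rd32(buf + 16);  /* msgh_voucher_port in current headers */
    v->msgh_id          = rd32(buf + 20);
    if (v->msgh_size < MACH_MSG_HEADER_LEN) return -1;
    v->truncated    = v->msgh_size > len;
    v->remote_type  = v->msgh_bits & 0x1fu;
    v->local_type   = (v->msgh_bits >> 8) & 0x1fu;
    v->voucher_type = (v->msgh_bits >> 16) & 0x1fu;
    v->complex      = (v->msgh_bits & MACH_MSGH_BITS_COMPLEX) != 0;
    size_t avail = v->truncated ? len : v->msgh_size;  /* only bytes we really have */
    /* In a simple (non-complex) message the body starts right after the header. */
    if (!v->complex && avail >= MACH_MSG_HEADER_LEN + 8 &&
        memcmp(buf + MACH_MSG_HEADER_LEN, "!CPX", 4) == 0) {
        v->is_xpc = 1;
        v->xpc_version = rd32(buf + MACH_MSG_HEADER_LEN + 4);
    }
    return 0;
}

/* Constructed capture: header fields taken from the Machshark dump above, then
 * the "!CPX" magic, version 5 and eight placeholder body bytes. `claimed_size`
 * is written into msgh_size so a truncated capture can be simulated (the dump's
 * real msgh_size was 256). Returns the number of bytes written. */
size_t build_sample(uint8_t out[SAMPLE_LEN], uint32_t claimed_size) {
    static const uint8_t tmpl[SAMPLE_LEN] = {
        0x13, 0x15, 0x13, 0x00,   /* msgh_bits = 1250579 */
        0x00, 0x00, 0x00, 0x00,   /* msgh_size, patched below */
        0x0b, 0x01, 0x00, 0x00,   /* msgh_remote_port = 0x10b */
        0x0b, 0x03, 0x00, 0x00,   /* msgh_local_port = 0x30b */
        0x03, 0x0b, 0x00, 0x00,   /* msgh_reserved = 2819 */
        0x00, 0x00, 0x00, 0x10,   /* msgh_id = 268435456 */
        '!', 'C', 'P', 'X',       /* XPC magic */
        0x05, 0x00, 0x00, 0x00,   /* XPC version 5 */
        0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, /* placeholder body */
    };
    memcpy(out, tmpl, SAMPLE_LEN);
    out[4] = (uint8_t)claimed_size;         out[5] = (uint8_t)(claimed_size >> 8);
    out[6] = (uint8_t)(claimed_size >> 16); out[7] = (uint8_t)(claimed_size >> 24);
    return SAMPLE_LEN;
}

int main(void) {
    uint8_t buf[SAMPLE_LEN];
    mach_msg_view v;
    build_sample(buf, SAMPLE_LEN);
    if (parse_mach_msg(buf, SAMPLE_LEN, &v) == 0)
        printf("id=0x%x remote=%s local=%s xpc=%d v%u truncated=%d\n", v.msgh_id,
               right_name(v.remote_type), right_name(v.local_type), v.is_xpc, v.xpc_version, v.truncated);
    return 0;
}
```

The msgh_bits value from the dump (1250579 = 0x131513) decodes to COPY_SEND for the remote port, MAKE_SEND_ONCE for the local (reply) port and COPY_SEND for the voucher, which is the usual shape of a request that expects a reply. Trusting msgh_size over the captured length is the classic parser mistake when replaying or mutating captured messages, hence the explicit truncation flag.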
“A little engine for driving the UI while doing blackbox testing of an iOS App”
- CHAOTICMARCH
● Simulate the user
● Read and understand the UI
cy# UIApp.keyWindow
<UIWindow; frame = (0 0; 320 568); gestureRecognizers = <NSArray>;>
| <TiRootViewNeue; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer>>
...
<TiUITableViewCell; baseClass = UITableViewCell; text = 'Log On';
| <TiGradientLayer;> (layer)
| <UITableViewCellContentView; frame = (0 0; 256 43.5); layer = <CALayer>>
| | <UITableViewLabel; frame = (74 0; 167 43.5); text = 'Log On'>
| | <UIImageView; frame = (15 0; 44 43.5); layer = <CALayer>>
| <_UITableViewCellSeparatorView; frame = (74 43.5; 182 0.5); layer = <CALayer>>
● Lua Scriptable Logic
● Standard functions for touching the device
● Options for record/replay
● Finding UI Components
● Regulating speed of execution
● Support for multiple targets
● Mechanisms for generic logic
● Lightweight injected module
Source
-- remember which buttons were already clicked so the walk does not keep picking the same one
local clickedButtons = {}
while true do
    local button = getButton(clickedButtons)
    -- put some info in.
    fill_all_fields()
    click_button(button)
    if(button["text"] ~= nil) then
        clickedButtons[button["text"]] = 1
    end
    usleep(2 * 1000000)
end
MITM Proxy (diagram components: Request, Fuzz, Parse, Mutator)
1 - Make a post
2 - Get exploited binary/XSS with phish
3 - Steal creds or tokens
4 - Put up a draft
5 - Request messages
6 - respond with attack content
(diagram actors: Attacker, User)
We focus on this
while true do
    local inputs = findOfTypes("UITextField", "")
    for index, inputField in pairs(inputs) do
        click_button(inputField)
        inputText("SomeInput!!")
    end
    -- touch login
    touchDown(3, 138, 619);
    usleep(83148.83);
    touchUp(3, 141, 615);
    check_alert()
end
Source
• Apps are important!
• Automation of the UI
• Collection of coverage information
• Fuzzing of response messages
Blog: debugtrap.com
Twitter: @hexlogic
Source:
CHAOTICMARCH: https://github.com/synack/chaoticmarch
Machshark: https://github.com/nologic/machshark
Objc_trace: https://github.com/nologic/objc_trace
Images: http://iconmonstr.com/

ZeroNights: Automating iOS blackbox security scanning

  • 2. ME! Employer: SYNACK.com, which “leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints”
  • 3. Our privacy. Our money. Our freedoms. Wouldn’t want to lose any of those things!
  • 5. For those that don’t know AArch64: IdaRef documentation plugin: https://github.com/nologic/idaref
  • 8. Objc_Trace: call sequence and hook steps
    1. Allocate a page - a jump page
    2. Set objc_msgSend readable and writable
    3. Copy preamble bytes from objc_msgSend
    4. Check for branch instructions in the preamble (a PC-relative instruction copied to the jump page would resolve against the wrong address, so it cannot be moved verbatim)
    5. Modify objc_msgSend preamble
    6. Set jump page to readable and executable
    7. Set objc_msgSend readable and executable
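Step 4 in isolation, as an added example rather than objc_trace's own code: a scanner that classifies each AArch64 instruction word of a copied preamble and reports the first one that cannot be relocated verbatim to the jump page, either because it encodes a PC-relative target (B/BL, B.cond, CBZ/CBNZ, TBZ/TBNZ, ADR/ADRP, LDR literal) or because it transfers control out of the preamble (BR/BLR/RET). The two sample preambles are constructed for the demonstration and are not the real objc_msgSend bytes; the mask/value pairs are the fixed bits from the ARMv8-A encoding tables.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What a copied instruction word means for a trampoline hook. Anything that
 * encodes a PC-relative target must be rewritten, not copied, because it would
 * resolve relative to the jump page instead of objc_msgSend. */
enum a64_kind {
    A64_PLAIN = 0,    /* position-independent: safe to copy verbatim */
    A64_B_BL,         /* B / BL         (imm26) */
    A64_B_COND,       /* B.cond         (imm19) */
    A64_CBZ_CBNZ,     /* CBZ / CBNZ     (imm19) */
    A64_TBZ_TBNZ,     /* TBZ / TBNZ     (imm14) */
    A64_BR_BLR_RET,   /* BR / BLR / RET (register target; control leaves the preamble) */
    A64_ADR_ADRP,     /* ADR / ADRP     (PC-relative address) */
    A64_LDR_LITERAL   /* LDR (literal)  (PC-relative load) */
};

static const char *a64_kind_name(enum a64_kind k) {
    static const char *names[] = { "plain", "B/BL", "B.cond", "CBZ/CBNZ",
                                   "TBZ/TBNZ", "BR/BLR/RET", "ADR/ADRP", "LDR literal" };
    return names[k];
}

/* Fixed-bit patterns (mask, value) from the ARMv8-A encoding tables. */
enum a64_kind a64_classify(uint32_t insn) {
    if ((insn & 0x7C000000u) == 0x14000000u) return A64_B_BL;        /* x00101 imm26 */
    if ((insn & 0xFF000010u) == 0x54000000u) return A64_B_COND;      /* 01010100 imm19 0 cond */
    if ((insn & 0x7E000000u) == 0x34000000u) return A64_CBZ_CBNZ;    /* sf 011010 op imm19 Rt */
    if ((insn & 0x7E000000u) == 0x36000000u) return A64_TBZ_TBNZ;    /* b5 011011 op b40 imm14 Rt */
    if ((insn & 0xFE000000u) == 0xD6000000u) return A64_BR_BLR_RET;  /* 1101011 ... Rn 00000 */
    if ((insn & 0x1F000000u) == 0x10000000u) return A64_ADR_ADRP;    /* op immlo 10000 immhi Rd */
    if ((insn & 0x3B000000u) == 0x18000000u) return A64_LDR_LITERAL; /* opc 011 V 00 imm19 Rt */
    return A64_PLAIN;
}

/* Scan the `count` words that will be moved to the jump page. Returns the index
 * of the first word that cannot be relocated verbatim (its kind in *kind_out),
 * or -1 when the whole preamble is safe to copy. */
int preamble_first_unsafe(const uint32_t *preamble, size_t count, enum a64_kind *kind_out) {
    for (size_t i = 0; i < count; i++) {
        enum a64_kind k = a64_classify(preamble[i]);
        if (k != A64_PLAIN) {
            if (kind_out) *kind_out = k;
            return (int)i;
        }
    }
    if (kind_out) *kind_out = A64_PLAIN;
    return -1;
}

/* Constructed sample preambles (hypothetical; not the real objc_msgSend bytes). */
static const uint32_t sample_safe[4] = {
    0xF100001Fu, /* cmp x0, #0    */
    0xAA0203E1u, /* mov x1, x2    */
    0xF940000Du, /* ldr x13, [x0] */
    0xD503201Fu, /* nop           */
};
static const uint32_t sample_unsafe[4] = {
    0xF100001Fu, /* cmp x0, #0                 */
    0x5400020Du, /* b.le #+0x40  (PC-relative) */
    0xF940000Du, /* ldr x13, [x0]              */
    0xD503201Fu, /* nop                        */
};

int main(void) {
    enum a64_kind k;
    int idx = preamble_first_unsafe(sample_safe, 4, &k);
    printf("safe preamble:   first unsafe index = %d\n", idx);
    idx = preamble_first_unsafe(sample_unsafe, 4, &k);
    printf("unsafe preamble: first unsafe index = %d (%s)\n", idx, a64_kind_name(k));
    for (size_t i = 0; i < 4; i++)
        printf("  %08x -> %s\n", sample_unsafe[i], a64_kind_name(a64_classify(sample_unsafe[i])));
    return 0;
}
```

When the scan reports an index, the hook either has to rewrite that instruction (recompute the branch target for the jump page) or, as objc_trace's step list implies, refuse to hook a preamble it cannot move safely.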
  • 9. Only record unseen method calls; find the cache check function cache_getImp
    // Runs before every objc_msgSend. A selector whose IMP is already in the
    // class's method cache has been dispatched before, so only cache misses are
    // recorded. (The runtime discards cache contents when it resizes or flushes
    // a cache, so a miss means "not seen recently" rather than strictly "never called".)
    void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
        Class cls = object_getClass(self);
        IMP cacheImp = NULL;
        if(cls != NULL && op != NULL)
            cacheImp = c_cache_getImp(cls, op);
        if(!cacheImp) {
            // not in cache, never been called, record the call.
            …
        }
        …
    }

    // cache_getImp is not exported by libobjc, so it is located by a hard-coded
    // offset from the library's load address. The offset is specific to the
    // libobjc build it was measured on and must be redone for another version.
    const struct mach_header* libobjc_base = libobjc_dylib_base();
    c_cache_getImp = (p_cache_getImp)(((uint8_t*)libobjc_base) + 97792 + 0x4000);
  • 11. Machshark: a captured mach message, decoded
    { '_payload': { '_payload': { '_msg': '\x00\x00\x08\x00\x00\x00subsystem\x00\x00\x00\x00@\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00ha',
                                  'type': 2048 },
                    'magic': '!CPX',
                    'version': 5 },
      'msgh_bits': 1250579,
      'msgh_id': 268435456,
      'msgh_local_port': '0x30b',
      'msgh_remote_port': '0x10b',
      'msgh_reserved': 2819,
      'msgh_size': 256 }
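The header fields in the dump above can be decoded from raw bytes as follows. This is an added example, not Machshark's code: it mirrors mach_msg_header_t (the field Machshark prints as msgh_reserved is msgh_voucher_port in current SDKs), splits msgh_bits into the remote, local and voucher port dispositions with the masks from mach/message.h, and then looks for the XPC wire-format marker ("!CPX", i.e. 0x58504321 little-endian, followed by version 5) that Machshark reported as the payload. The 256-byte sample message is constructed from the values in the dump rather than a real capture; little-endian host order and the payload offset of 24 are assumptions of the sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Portable mirror of mach_msg_header_t (24 bytes). */
struct mach_msg_hdr {
    uint32_t msgh_bits;
    uint32_t msgh_size;
    uint32_t msgh_remote_port;
    uint32_t msgh_local_port;
    uint32_t msgh_voucher_port;   /* msgh_reserved in older SDKs */
    int32_t  msgh_id;
};

/* Port dispositions (mach_msg_type_name_t) and msgh_bits layout, mach/message.h */
#define MACH_MSG_TYPE_MOVE_RECEIVE   16
#define MACH_MSG_TYPE_MOVE_SEND      17
#define MACH_MSG_TYPE_MOVE_SEND_ONCE 18
#define MACH_MSG_TYPE_COPY_SEND      19
#define MACH_MSG_TYPE_MAKE_SEND      20
#define MACH_MSG_TYPE_MAKE_SEND_ONCE 21
#define MACH_MSGH_BITS_COMPLEX       0x80000000u
#define MACH_MSGH_BITS_REMOTE(b)  ((b) & 0x1fu)
#define MACH_MSGH_BITS_LOCAL(b)   (((b) >> 8) & 0x1fu)
#define MACH_MSGH_BITS_VOUCHER(b) (((b) >> 16) & 0x1fu)

static uint32_t get_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_u32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

const char *disposition_name(uint32_t d) {
    switch (d) {
    case 0:                            return "NONE";
    case MACH_MSG_TYPE_MOVE_RECEIVE:   return "MOVE_RECEIVE";
    case MACH_MSG_TYPE_MOVE_SEND:      return "MOVE_SEND";
    case MACH_MSG_TYPE_MOVE_SEND_ONCE: return "MOVE_SEND_ONCE";
    case MACH_MSG_TYPE_COPY_SEND:      return "COPY_SEND";
    case MACH_MSG_TYPE_MAKE_SEND:      return "MAKE_SEND";
    case MACH_MSG_TYPE_MAKE_SEND_ONCE: return "MAKE_SEND_ONCE";
    default:                           return "UNKNOWN";
    }
}

/* Decode a header from a raw capture. Returns 0 on success, -1 if the buffer is
 * too short or msgh_size does not fit the captured length. */
int parse_mach_header(const uint8_t *buf, size_t len, struct mach_msg_hdr *h) {
    if (len < sizeof(struct mach_msg_hdr)) return -1;
    h->msgh_bits         = get_u32le(buf + 0);
    h->msgh_size         = get_u32le(buf + 4);
    h->msgh_remote_port  = get_u32le(buf + 8);
    h->msgh_local_port   = get_u32le(buf + 12);
    h->msgh_voucher_port = get_u32le(buf + 16);
    h->msgh_id           = (int32_t)get_u32le(buf + 20);
    if (h->msgh_size < sizeof(struct mach_msg_hdr) || h->msgh_size > len) return -1;
    return 0;
}

/* Locate the XPC wire-format marker after the header; returns its offset and
 * stores the version word that follows it, or -1 if there is no XPC payload.
 * Scanning on 4-byte boundaries (instead of a fixed offset) is an assumption of
 * this example: in complex messages a descriptor body precedes the payload. */
int find_xpc_payload(const uint8_t *buf, size_t len, uint32_t *version) {
    static const uint8_t magic[4] = { '!', 'C', 'P', 'X' }; /* 0x58504321, little-endian */
    for (size_t off = sizeof(struct mach_msg_hdr); off + 8 <= len; off += 4) {
        if (memcmp(buf + off, magic, 4) == 0) {
            if (version) *version = get_u32le(buf + off + 4);
            return (int)off;
        }
    }
    return -1;
}

/* Constructed sample (not a real capture) using the field values from the dump. */
size_t build_sample_message(uint8_t *out, size_t cap) {
    const size_t size = 256;
    if (cap < size) return 0;
    memset(out, 0, size);
    put_u32le(out + 0,  1250579u);    /* msgh_bits = 0x00131513 */
    put_u32le(out + 4,  (uint32_t)size);
    put_u32le(out + 8,  0x10bu);      /* msgh_remote_port */
    put_u32le(out + 12, 0x30bu);      /* msgh_local_port */
    put_u32le(out + 16, 2819u);       /* msgh_reserved / voucher port */
    put_u32le(out + 20, 268435456u);  /* msgh_id = 0x10000000 */
    memcpy(out + 24, "!CPX", 4);      /* XPC marker; offset 24 is an assumption */
    put_u32le(out + 28, 5u);          /* XPC wire-format version */
    return size;
}

int main(void) {
    uint8_t buf[256];
    size_t n = build_sample_message(buf, sizeof buf);
    struct mach_msg_hdr h;
    uint32_t ver = 0;
    if (parse_mach_header(buf, n, &h) != 0) return 1;
    printf("bits=0x%08x remote=%s local=%s voucher=%s%s\n", h.msgh_bits,
           disposition_name(MACH_MSGH_BITS_REMOTE(h.msgh_bits)),
           disposition_name(MACH_MSGH_BITS_LOCAL(h.msgh_bits)),
           disposition_name(MACH_MSGH_BITS_VOUCHER(h.msgh_bits)),
           (h.msgh_bits & MACH_MSGH_BITS_COMPLEX) ? " (complex)" : "");
    printf("remote=0x%x local=0x%x voucher=0x%x id=0x%x xpc@%d version=%u\n",
           h.msgh_remote_port, h.msgh_local_port, h.msgh_voucher_port,
           (unsigned)h.msgh_id, find_xpc_payload(buf, n, &ver), ver);
    return 0;
}
```

For the dump's msgh_bits of 1250579 (0x00131513) this yields a COPY_SEND remote port, a MAKE_SEND_ONCE local (reply) port and a COPY_SEND voucher port, which is what a request expecting a one-shot reply looks like on the wire.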
  • 14. “A little engine for driving the UI while doing blackbox testing of an iOS App” - CHAOTICMARCH
  • 16. ● Simulate the user ● Read and understand the UI
  • 17. cy# UIApp.keyWindow
    <UIWindow; frame = (0 0; 320 568); gestureRecognizers = <NSArray>;>
      | <TiRootViewNeue; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer>>
      ...
      <TiUITableViewCell; baseClass = UITableViewCell; text = 'Log On';
        | <TiGradientLayer;> (layer)
        | <UITableViewCellContentView; frame = (0 0; 256 43.5); layer = <CALayer>>
        |   | <UITableViewLabel; frame = (74 0; 167 43.5); text = 'Log On'>
        |   | <UIImageView; frame = (15 0; 44 43.5); layer = <CALayer>>
        | <_UITableViewCellSeparatorView; frame = (74 43.5; 182 0.5); layer = <CALayer>>
  • 18. CHAOTICMARCH features
    ● Lua scriptable logic
    ● Standard functions for touching the device
    ● Options for record/replay
    ● Finding UI components
    ● Regulating speed of execution
    ● Support for multiple targets
    ● Mechanisms for generic logic
    ● Lightweight injected module
  • 20. A generic crawl: keep pressing buttons that have not been pressed yet
    -- buttons already visited, keyed by their label
    local clickedButtons = {}
    while true do
      -- pick a button that is not in clickedButtons yet
      local button = getButton(clickedButtons)
      -- put some info in.
      fill_all_fields()
      click_button(button)
      if(button["text"] ~= nil) then
        clickedButtons[button["text"]] = 1
      end
      -- give the UI two seconds to settle before the next round
      usleep(2 * 1000000)
    end
  • 23. Attack flow (Attacker vs. User)
    1 - Make a post
    2 - Get exploited binary/XSS with phish
    3 - Steal creds or tokens
    4 - Put up a draft
    5 - Request messages
    6 - Respond with attack content
    We focus on this: the responses the app receives when it requests messages (steps 5 and 6).
  • 25. Targeted script: fill every text field, press login, check the result
    while true do
      -- every UITextField currently on screen
      local inputs = findOfTypes("UITextField", "")
      for index, inputField in pairs(inputs) do
        click_button(inputField)
        inputText("SomeInput!!")
      end
      -- touch login (recorded coordinates and timing)
      touchDown(3, 138, 619);
      usleep(83148.83);
      touchUp(3, 141, 615);
      check_alert()
    end
  • 27. Summary
    ● Apps are important!
    ● Automation of the UI
    ● Collection of coverage information
    ● Fuzzing of response messages
  • 28. Blog: debugtrap.com, Twitter: @hexlogic
    Source:
      CHAOTICMARCH: https://github.com/synack/chaoticmarch
      Machshark: https://github.com/nologic/machshark
      Objc_trace: https://github.com/nologic/objc_trace
    Images: http://iconmonstr.com/