Prathan Phongthiproek
KPMG Thailand
The Hookshot: Runtime Exploitation
@zeq3ul
• Just a guy who has been passionate about (offensive) security for 10+ years
• Dota2 SEA MMR ~ 3k+
• Rainbow Six Siege LVL ~ 100+
“Keep farming (Self-study)
and
Challenge the Roshan (Get certificate)”
tanprathan
pprathan
prathan
TL;DR
• Motivation
• Dynamic binary instrumentation
• FRIDA
• DBI without rooting / jailbreaking
• Unleash the power of Frida
• Case study for runtime exploitation
• Countermeasure
• References
Motivation
• Root / Jailbreak Detection
• SSL Pinning Implementation
• End-to-end encryption on top of TLS
• Cellular network (4G) restriction
Dynamic binary instrumentation
• A method of analyzing the behavior of a binary application at
runtime through the injection of instrumentation code.
• DBI can:
• Access process memory
• Overwrite functions while the application is running
• Call functions from imported classes
• Find object instances on the heap and use them
• Hook, trace and intercept functions etc.
FRIDA
• Dynamic code instrumentation toolkit that lets you hook into running
applications and inject your own JavaScript, with complete access to the
process's memory and functions.
• With Frida, we get the power to:
• Bypass Root / Jailbreak Detection
• Bypass SSL Pinning
• Modify the encrypted traffic over TLS
• Pwn the application without using proxy
• Bypass local authentication
• Subvert business logic
• Increase game gems without purchasing
FRIDA
Client / Server architecture
https://www.frida.re/docs/installation/
Tip!! How to root/jailbreak device
• Android
• https://www.xda-developers.com/root/
• iOS
• https://canijailbreak.com
Jailbreak Type | Processor | iOS Version | Duration
Untethered jailbreak | 32 bit | 7.0.0-7.1.2 | September 18, 2013 - September 16, 2014
Untethered jailbreak | 32 bit | 8.0-8.4 | September 17, 2014 - August 12, 2015
Untethered jailbreak | 64 bit | 9.0-9.1 | September 16, 2015 - December 7, 2015
Semi-untethered jailbreak | 32 bit | 8.4.1 | August 13, 2015 - September 15, 2015
Semi-untethered jailbreak | 32 bit | 9.1-9.3.5 | October 21, 2015 - September 12, 2016
Semi-untethered jailbreak | 64 bit | 9.2-9.3.3 | December 8, 2015 - August 3, 2016
Unstable (doesn't work on i7) | 64 bit | 10.0-10.2 | September 13, 2016 - January 22, 2017
FRIDA
Bypass local authentication on Android
https://vimeo.com/235930373
FRIDA
Bypass Jailbreak Detection on iOS
https://vimeo.com/236043814
DBI without rooting / jailbreaking
Library Injection
• Re-route application control during library initialization
• Enables runtime analysis without rooting or jailbreaking the device
• Bypasses root/jailbreak detection
Library Injection on Android app
• Disassemble the app using apktool
• Insert the Frida native library ("frida-gadget") into the APK's /lib folder
• Inject a System.loadLibrary("frida-gadget") call into the bytecode of the app
(main application activity)
• Add the Internet permission to the manifest, so that the Frida gadget can open a
socket
• Repackage the app, re-sign the updated APK with your own keys and zipalign it
Library Injection on Android app
• An automated script for unpacking, patching (inserting the Frida library into
the binary), re-packaging, re-signing and deploying apps on a non-rooted device.
• https://github.com/dpnishant/appmon/tree/master/apk_builder
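The patching steps above leave traces an app-store or incident-response triage can look for: the gadget .so under lib/, the "frida-gadget" string that the injected System.loadLibrary call puts in the dex string table, and a signature that is no longer the publisher's. The following is an added example written for this page, not code from the deck or from apk_builder; the APK it scans is constructed in memory with placeholder contents, and the signer check is a simplification that only hashes v1 META-INF signature files.

```python
"""Triage an APK for the traces that the frida-gadget repackaging steps leave
behind. Added example for this deck, not part of any tool it links; the APK
is constructed in memory with zipfile rather than taken from a real app."""
import hashlib
import io
import zipfile

# Names used by the procedure in the deck: System.loadLibrary("frida-gadget")
# resolves to lib/<abi>/libfrida-gadget.so, and the argument string is stored
# verbatim in the dex string table.
GADGET_LIB_NAMES = {"libfrida-gadget.so"}
GADGET_STRING = b"frida-gadget"
INTERNET_PERM = "android.permission.INTERNET"


def gadget_indicators(apk_bytes):
    """Return the repackaging traces found in an APK as a dict with keys
    gadget_libs (paths under lib/), dex_hits (dex files naming the gadget)
    and internet_permission (bool)."""
    found = {"gadget_libs": [], "dex_hits": [], "internet_permission": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            base = name.rsplit("/", 1)[-1]
            if name.startswith("lib/") and base in GADGET_LIB_NAMES:
                found["gadget_libs"].append(name)
            elif name.startswith("classes") and name.endswith(".dex"):
                # A substring scan of the dex is enough for triage.
                if GADGET_STRING in apk.read(name):
                    found["dex_hits"].append(name)
            elif name == "AndroidManifest.xml":
                # Binary AXML stores its string pool as UTF-16LE or UTF-8
                # depending on a flag, so check both. Most apps already request
                # INTERNET, so this is a weak signal on its own.
                data = apk.read(name)
                if INTERNET_PERM.encode() in data or INTERNET_PERM.encode("utf-16-le") in data:
                    found["internet_permission"] = True
    return found


def signer_fingerprint(apk_bytes):
    """SHA-256 over the v1 signature block files (META-INF/*.RSA|DSA|EC).
    Re-signing with the tester's own key changes these, so the hash no longer
    matches the publisher's. Simplification: v2/v3 APK Signing Blocks, which
    live outside the zip entries, are not inspected here."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in sorted(apk.namelist()):
            if name.startswith("META-INF/") and name.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC"):
                h.update(apk.read(name))
    return h.hexdigest()


def is_repackaged(apk_bytes, publisher_fingerprint):
    """True if the gadget was injected or the APK is signed by another key."""
    ind = gadget_indicators(apk_bytes)
    if ind["gadget_libs"] or ind["dex_hits"]:
        return True
    return signer_fingerprint(apk_bytes) != publisher_fingerprint


def build_sample_apk(inject_gadget):
    """Constructed stand-in for a release APK (clean) or the same APK after the
    deck's patching steps; entry contents are placeholders, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + INTERNET_PERM.encode("utf-16-le"))
        dex = b"dex\n035\x00Lcom/example/MainActivity;\x00"
        if inject_gadget:
            dex += GADGET_STRING + b"\x00"
        apk.writestr("classes.dex", dex)
        apk.writestr("lib/arm64-v8a/libapp.so", b"\x7fELF-placeholder")
        if inject_gadget:
            apk.writestr("lib/arm64-v8a/libfrida-gadget.so", b"\x7fELF-placeholder")
        apk.writestr("META-INF/CERT.RSA", b"tester-key" if inject_gadget else b"publisher-key")
    return buf.getvalue()


if __name__ == "__main__":
    publisher = signer_fingerprint(build_sample_apk(False))
    patched = build_sample_apk(True)
    print(gadget_indicators(patched), is_repackaged(patched, publisher))
```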
Dynamic Library (DYLIB) Injection on iOS app
Mach-O File Structure
Dynamic Library (DYLIB) Injection on iOS app
• Create a developer profile, provisioning profile and certificate
• Insert the Frida library (FridaGadget.dylib) into the application container and
insert a load command for it in the load-commands section of the binary
• Increment the load-command counter in the header and increase the header's
load-commands size field accordingly
• Re-package the application, replacing the provisioning profile, and re-sign both
the main executable and FridaGadget.dylib with the certificate listed in the
profile
• Deploy the whole application container and run the application on the device in
debug mode
Dynamic Library (DYLIB) Injection on iOS app
• An automated script for unpacking, patching (inserting the load command into
the binary), re-signing and deploying apps on a non-jailbroken device.
• https://github.com/tanprathan/Fridpa
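The iOS steps above rely on two Mach-O header fields: the load-command count (ncmds) and the total size of the load commands (sizeofcmds), which an injected LC_LOAD_DYLIB must bump for dyld to see it. The walker below, an added example for this page and not code from the deck or from Fridpa, parses those commands from a 64-bit Mach-O image, checks that both header fields agree with what is on disk, and diffs the linked dylibs against a known-good list from a clean build. The sample images are constructed in memory; the app framework name and the gadget load path are assumptions.

```python
"""Walk the load commands of a 64-bit Mach-O image and report dylibs that a
clean build does not link. Added example for this deck; the sample images
are constructed in memory, not taken from a real app."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}

# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds,
# flags, reserved (all little-endian uint32 on arm64).
HEADER_FMT = "<8I"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 32 bytes
DYLIB_FIXED = 24  # cmd, cmdsize, name offset, timestamp, current_version, compat_version
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2


def dylib_command(path, cmd=LC_LOAD_DYLIB):
    """Lay out one dylib load command as the linker does: 24-byte fixed part,
    then the NUL-terminated path, padded so cmdsize is a multiple of 8."""
    name = path.encode() + b"\0"
    cmdsize = DYLIB_FIXED + len(name)
    cmdsize += (-cmdsize) % 8
    fixed = struct.pack("<6I", cmd, cmdsize, DYLIB_FIXED, 2, 0x10000, 0x10000)
    return fixed + name.ljust(cmdsize - DYLIB_FIXED, b"\0")


def build_macho(dylib_paths):
    """Constructed sample: a header plus one LC_LOAD_DYLIB per path, with
    ncmds and sizeofcmds filled in consistently (the two header fields the
    deck's injection steps must bump)."""
    cmds = b"".join(dylib_command(p) for p in dylib_paths)
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, CPU_TYPE_ARM64, 0,
                         MH_EXECUTE, len(dylib_paths), len(cmds), 0, 0)
    return header + cmds


def linked_dylibs(image):
    """Return the paths named by LC_LOAD_DYLIB-family commands, verifying that
    ncmds and sizeofcmds agree with the commands actually present."""
    if len(image) < HEADER_SIZE:
        raise ValueError("too short for a Mach-O header")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, image)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit not handled)")
    end = HEADER_SIZE + sizeofcmds
    if end > len(image):
        raise ValueError("sizeofcmds runs past the end of the image")
    paths, off, walked = [], HEADER_SIZE, 0
    while off < end:
        cmd, cmdsize = struct.unpack_from("<2I", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"corrupt load command at offset {off}")
        if cmd in DYLIB_CMDS:
            name_off = struct.unpack_from("<I", image, off + 8)[0]
            raw = image[off + name_off:off + cmdsize]
            paths.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
        walked += 1
    if walked != ncmds:
        raise ValueError(f"header claims {ncmds} load commands but {walked} fit in sizeofcmds")
    return paths


def added_dylibs(image, baseline):
    """Dylibs linked by the image but absent from a known-good build's list."""
    known = set(baseline)
    return [p for p in linked_dylibs(image) if p not in known]


# Constructed baseline: what a clean build of a hypothetical app links.
CLEAN_DYLIBS = [
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/Foundation.framework/Foundation",
    "@rpath/MyAppKit.framework/MyAppKit",
]
# Load path an injection tool would typically add (assumed, not from the deck).
GADGET = "@executable_path/FridaGadget.dylib"

if __name__ == "__main__":
    patched = build_macho(CLEAN_DYLIBS + [GADGET])
    print("added load commands:", added_dylibs(patched, CLEAN_DYLIBS))
```

A real app binary is usually a fat (multi-architecture) file; slice out the arm64 image first, since this walker deliberately handles only a single 64-bit image.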
Unleash the power of Frida
https://codeshare.frida.re
Unleash the power of Frida
• Objection uses Frida to inject objects into an application's runtime and
executes them within that application's security context to perform various
tasks.
https://github.com/sensepost/objection
• AppMon is an automated framework for monitoring and tampering with system
API calls of native macOS, iOS and Android apps.
https://github.com/dpnishant/appmon
Unleash the power of Frida
Using FRIDA without Jailbreaking
https://vimeo.com/236055614
Case study for runtime exploitation
• Mobile banking application (Android, iOS) that:
• Had source code review conducted with commercial tools
• Was able to detect root/jailbreak
• Implemented SSL pinning
• Implemented end-to-end encryption
tsprotector
TrustKiller
Case study for runtime exploitation
• Decrypted the app and performed reverse engineering
• Analyzed the app's classes and methods
• Found some interesting class names and methods
• Created a script to intercept the class and method
• Customized the script to manipulate the argument
• Bypassed the business logic in the app because it was not validated at the server side
NOOB SPOTTED !!
Case study for runtime exploitation
Countermeasures
Defense in depth and fix root causes
MSTG and MASVS (OWASP Mobile Security Testing Guide and Mobile Application Security Verification Standard)
References
• http://www.ninoishere.com/frida-learn-by-example/
• https://www.slideshare.net/andreaskurtz/pentesting-i-os-apps-deepsec-2012-andreas-kurtz-15423426
• https://www.notsosecure.com/pentesting-android-apps-using-frida/
• http://blog.attify.com/2017/05/06/bypass-jailbreak-detection-frida-ios-applications/
• https://github.com/interference-security/frida-scripts/blob/master/iOS/frida_python_script.py
• https://koz.io/using-frida-on-android-without-root/
• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/october/ios-instrumentation-without-jailbreak/
• https://www.vantagepoint.sg/blog/85-patching-and-re-signing-ios-apps
