Friday, November 18, 2016

jtool - an alternative to otool

jtool can run on Linux. Some IPA scanning tools are built to run on Linux, where a Mac environment is not available; in such cases tools such as otool and class-dump-z will not work, so jtool can be an alternative to otool. For more information on jtool please refer to . It lists various commands which have the same output as otool or an equivalent. Several commands are mentioned at that link.

But for our customized requirements and basic checks I have listed the ones below after running them on many binaries. The outputs are similar or equivalent to otool and class-dump-z:

· PIE flag (ASLR):
jtool -d -v -arch | grep stack

· Automatic Reference Counting (ARC) protection:
jtool -d -v -arch | grep _objc_release

· Jailbreak-detection check:
jtool -d -v -arch | grep jail

· Dyldinfo-compatible options:
jtool -function_starts -v -arch -d objc arm64 --- prints the classes and interfaces with start addresses, not as compact and clean as class-dump-z output

· Signature:
jtool --sig -arch arm64 --- provides info about flags, version, identifier, CDHash and CA information

· Entitlements:
jtool --ent -arch arm64

· Dumping the binary:
jtool -d

Tuesday, October 18, 2016

SQLi and Blind SQLi in search field

This continues from my earlier posts on SQLi in search fields:

I recently found an SQLi which was both in nature: a generic SQLi and a blind SQLi. As I have already said, search boxes are always an unusual suspect, and we tend to overlook them.

But the field was not vulnerable to simple queries like ' or ''='; I would have missed it if I had not tried something similar: ' or ''='' or ''='. I fired up Burp Intruder and got a couple more payloads which worked. I am still not able to understand the difference between these two queries, or why they yield different results.

Anyway, the SQLi got exploited and the app displayed all the records from the table.

Now the turn of blind SQLi:
The same field was also vulnerable to blind SQLi. This became more important as automated tools such as sqlmap failed, due to errors or the app being unstable, so it was purely manual effort to extract some information about the DB.

The following query greatly helped:
param= ' or ascii(substring('sqlquery',1,1))>/=ASCII value of characters or ''='

A true result for the query returns the page with some records. Here sqlquery can be replaced with any query which provides information about the DB. For example,
ascii(substring((Select USER from DUAL),1,1))>47 ; 47 is the ASCII code of '/', and the digits and letters come after it.

So, asking one query at a time based on true/false conditions, we were able to extract the DB username, the current DB name, the hostname etc. Since this was a manual and slow effort, a few proofs like these were enough to show that blind SQLi is possible.
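As an added example (not code from the original post), the following Python shows why a search field like the one above breaks: the search term is concatenated into the SQL text, so the ' or ''=' payload turns the WHERE clause into a tautology and every row comes back, while the parameterised version treats the same input as plain data. It also runs a simple check over request lines for the two probe shapes used in the post (the tautology tail and the ascii(substring(...)) blind probe). The products table and the log lines are constructed for the example.

```python
# Added example, not from the original post: a search endpoint built by string
# concatenation next to its parameterised fix, plus a log check for the probe
# patterns the post used. Table, rows and log lines are constructed.
import re
import sqlite3


def make_db():
    """In-memory product table standing in for the application's search target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("apple",), ("banana",), ("cherry",)])
    return conn


def search_vulnerable(conn, term):
    """The bug: the search term is pasted into the SQL text, so a quote breaks out."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, term):
    """Bound parameter: the term is data, never SQL, whatever characters it holds."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM products WHERE name = ?", (term,))]


# Patterns from the post: the tautology tail and the boolean-blind ascii/substring probe
PROBE_RE = re.compile(
    r"'\s*or\s*''\s*=\s*'"            # ' or ''='  (also matches the doubled variant)
    r"|ascii\s*\(\s*substring\s*\(",  # ascii(substring(...,1,1))>N
    re.IGNORECASE,
)


def flag_requests(log_lines):
    """Return the request lines whose query string carries one of the probe patterns."""
    return [line for line in log_lines if PROBE_RE.search(line)]


# Constructed, already URL-decoded request lines
SAMPLE_LOG = [
    "GET /search?q=apple",
    "GET /search?q=' or ''='",
    "GET /search?q=' or ascii(substring((select user from dual),1,1))>47 or ''='",
]

if __name__ == "__main__":
    db = make_db()
    payload = "' or ''='"
    print("vulnerable:", search_vulnerable(db, payload))   # every row comes back
    print("fixed:     ", search_fixed(db, payload))        # no product is literally named that
    for hit in flag_requests(SAMPLE_LOG):
        print("flagged:", hit)
```

The doubled payload ' or ''='' or ''=' from the post produces the same full result set here, because both rewrite the clause to `name = '' or ''='' ...`; whatever made the first form fail on the real application was specific to that backend, not to the SQL itself.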

Friday, September 16, 2016

Resizing VM space on macOS

Run the following commands:

First go to the path of your VDI:

/var/root/VirtualBox VMs/Linux/Linux.vdi

and then run this command:
VBoxManage modifyhd Linux.vdi --resize

Once the command completes, you are done.

Sometimes you need superuser privileges to enter the directories above. Just type sudo -s; it presents a bash shell from which you should be able to enter the VM directory and then follow the commands above. Should be easy.

Sunday, August 21, 2016

Combining power of Fiddler with Burp

Both are pretty powerful tools when it comes to intercepting and modifying HTTP communications, but they become an even more powerful combination when tied together; they complement each other. In a recent pentest I came across such a situation, where Burp was not able to intercept a specific kind of traffic and Fiddler came to the rescue.

The application was designed to upload videos. The initial communication was straightforward: logging into the application, filling in the video details etc. All of this was easily captured by Burp, except the point where you hit Upload Video and it connects to a different server; surprisingly this was not captured by Burp, not sure why, even after repeated attempts. So I fired up Fiddler to see whether it could see this request. But it's always easier to play with requests in Burp because of its various functionalities like Intruder, Repeater etc., so it was necessary to capture this request in Burp.

So the following steps can be performed:

1. First start Fiddler and let it run on its default port (8888).

2. In the outgoing stream settings inside Fiddler, provide the following settings: https://; http://
3. Start Burp and specify the same port under the proxy settings:

Now run both in parallel: Fiddler will feed all requests to Burp, which will now capture the requests it could not capture earlier.

Once the request is captured, perform your needed activity in Burp: Scanner, Intruder, Repeater etc.!

Friday, July 1, 2016

Stripping the iOS binary of unneeded symbols

Sometimes the iOS binary contains a symbol table which provides information about the symbols linked to specific functions in the binary. The presence of a symbol table makes run-time analysis of the binary easy for attackers using gdb, cycript and similar tools, so it is recommended to strip the symbols from the binary.

The following command shows the symbols linked to the function:
# nm
0001556ad t _mySecretFuncion

An easy way to strip them is to use the strip command; alternatively, strip the symbol table of C/C++ function information by going into Xcode and setting the Deployment Postprocessing and Strip Linked Product flags to YES.
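As an added example (not code from the original posts, and not part of jtool or nm), the following Python reads a thin 64-bit Mach-O and reproduces the static checks discussed in the jtool post above and in this one: the PIE header flag, whether _objc_release and ___stack_chk_fail appear as imports (the ARC and stack-canary greps), a raw search for "jail", and whether any local symbols survived stripping (what nm prints as a lower-case t). The binary it builds when run without an argument is constructed (a bare header, one LC_SYMTAB load command and a handful of nlist entries); fat/universal files and 32-bit slices are not handled.

```python
# Added example, not code from the original posts: a small Mach-O reader that
# reproduces the static checks discussed above (PIE flag, ARC / stack-canary
# imports, jailbreak string hint, and whether local symbols survived stripping).
import struct

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O magic (little-endian on disk)
MH_EXECUTE = 2                    # filetype: main executable
MH_PIE = 0x00200000               # header flag set when the image is ASLR-capable
LC_SYMTAB = 0x2                   # load command locating the symbol and string tables
N_TYPE, N_EXT, N_SECT, N_UNDF = 0x0E, 0x01, 0x0E, 0x00   # nlist n_type bits
CPU_NAMES = {0x0100000C: "arm64", 0x01000007: "x86_64"}


def read_symbols(blob: bytes):
    """Yield (name, n_type) for every nlist_64 entry referenced by LC_SYMTAB."""
    _magic, _cpu, _sub, _ftype, ncmds, _size, _flags, _res = struct.unpack("<8I", blob[:32])
    off = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", blob[off:off + 8])
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack("<IIII", blob[off + 8:off + 24])
            strtab = blob[stroff:stroff + strsize]
            for i in range(nsyms):
                start = symoff + 16 * i
                n_strx, n_type, _sect, _desc, _value = struct.unpack("<IBBHQ", blob[start:start + 16])
                name = strtab[n_strx:strtab.index(b"\0", n_strx)].decode(errors="replace")
                yield name, n_type
        off += cmdsize


def audit(blob: bytes) -> dict:
    """Run the checks on one thin 64-bit Mach-O image and return them as a dict."""
    magic, cputype, _sub, _ftype, _ncmds, _size, flags, _res = struct.unpack("<8I", blob[:32])
    if magic != MH_MAGIC_64:
        raise ValueError("expected a thin 64-bit Mach-O, magic=%#x" % magic)
    syms = list(read_symbols(blob))
    names = {name for name, _ in syms}
    # defined in a section and not exported: what nm prints as lower-case 't' / 'd'
    local_defined = [n for n, t in syms if (t & N_TYPE) == N_SECT and not (t & N_EXT)]
    return {
        "arch": CPU_NAMES.get(cputype, hex(cputype)),
        "pie": bool(flags & MH_PIE),
        "arc": "_objc_release" in names,            # jtool ... | grep _objc_release
        "stack_canary": "___stack_chk_fail" in names,
        "jailbreak_hint": b"jail" in blob.lower(),  # jtool ... | grep jail
        "local_symbols": local_defined,
        "stripped": not local_defined,
    }


def build_sample(pie: bool = True, stripped: bool = False, arc: bool = True) -> bytes:
    """Constructed input: header + one LC_SYMTAB + nlist_64 table + string table."""
    entries = [("___stack_chk_fail", N_UNDF | N_EXT)]       # imported; strip keeps these
    if arc:
        entries.append(("_objc_release", N_UNDF | N_EXT))
    if not stripped:
        entries.append(("_mySecretFunction", N_SECT))       # local 't' symbol strip removes
    strtab, nlist = b"\0", b""
    for name, n_type in entries:
        n_sect = 1 if n_type & N_TYPE else 0
        nlist += struct.pack("<IBBHQ", len(strtab), n_type, n_sect, 0, 0)
        strtab += name.encode() + b"\0"
    symoff = 32 + 24                        # header + the single load command
    stroff = symoff + len(nlist)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, MH_EXECUTE, 1, 24,
                         MH_PIE if pie else 0, 0)
    symtab = struct.pack("<IIIIII", LC_SYMTAB, 24, symoff, len(entries), stroff, len(strtab))
    return header + symtab + nlist + strtab


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in audit(data).items():
        print(f"{key:15} {value}")
```

Run it against a thin arm64 executable to get the same yes/no answers the grep pipelines above give; on a constructed sample with stripped=True only the imported symbols remain, which is exactly what a stripped release build looks like under nm.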

Thursday, June 9, 2016

When sqlite3 is unavailable

Sometimes we come across cases where sqlite3 is not available on the Android device, and we are stuck pushing and pulling sqlite3 between the emulator or our client machine and the Android device.
I saw a lot of articles on using adb to pull and push the sqlite3 binary. None of them worked for me, for various reasons.
I tried the following, which was effective:

1. Install an SFTP server app on your Android device. Configure and run it.
2. Install an SFTP client on your client machine; I used Cyberduck on my Mac.
3. The twist was that even though I was able to connect to the Android device's files and folders, I was not able to read the data folder where the SQLite database resides, along with some other folders. Possibly you need to install an SFTP server with root privileges; maybe that was the reason.
4. So in this case I did an SSH to my Android device (use an SSH server on the Android device and run it).
5. Run cat /data/data/package_name/.../example.db > /sdcard/example.db
6. Now access the db file using Cyberduck on your client machine (Mac).
7. Open the db file using any SQLite browser on the Mac.

That's it.
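One thing the cat-to-/sdcard step in this procedure does not cover: a modern Android app database usually runs in WAL mode, so recent writes live in example.db-wal next to the main file and a copy of example.db alone silently lacks them. The following Python is an added example (not from the original post) that copies the database together with its -wal, -shm and -journal sidecars and then proves the copy opens cleanly and contains the rows; paths are placeholders, and the source database it builds when run directly is constructed in a temporary directory.

```python
# Added example, not from the original post: pull a SQLite database out of an
# app data directory together with its sidecar files, then prove the copy is
# usable. Paths are placeholders; the source database is constructed on the fly.
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Uncheckpointed writes sit in <db>-wal, its index in <db>-shm, and a
# rollback-journal database may leave <db>-journal behind.
SIDECARS = ("-wal", "-shm", "-journal")


def copy_sqlite_db(src, dest_dir):
    """Copy `src` plus every sidecar that exists into `dest_dir`; return the names copied."""
    src, dest_dir = Path(src), Path(dest_dir)
    if not src.is_file():
        raise FileNotFoundError(src)
    dest_dir.mkdir(parents=True, exist_ok=True)
    copied = []
    for path in [src] + [src.with_name(src.name + suffix) for suffix in SIDECARS]:
        if path.is_file():
            shutil.copy2(path, dest_dir / path.name)
            copied.append(path.name)
    return copied


def verify_copy(db_path):
    """Open the copy and run SQLite's own consistency check; returns 'ok' when sound."""
    conn = sqlite3.connect(str(db_path))
    try:
        return conn.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        conn.close()


def count_notes(db_path):
    """Row count of the constructed `notes` table in the copied database."""
    conn = sqlite3.connect(str(db_path))
    try:
        return conn.execute("SELECT count(*) FROM notes").fetchone()[0]
    finally:
        conn.close()


def make_wal_db(path):
    """Constructed source: a WAL-mode database whose only row is still in the -wal file."""
    conn = sqlite3.connect(str(path))
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("CREATE TABLE notes (body TEXT)")
    conn.execute("INSERT INTO notes VALUES ('still in the write-ahead log')")
    conn.commit()
    return conn   # kept open so no checkpoint runs and the row stays in the WAL


def demo():
    """Build the source, copy it with sidecars, and report what the copy contains."""
    work = Path(tempfile.mkdtemp())
    src = work / "example.db"
    holder = make_wal_db(src)
    copied = copy_sqlite_db(src, work / "pulled")
    result = {
        "copied": copied,
        "integrity": verify_copy(work / "pulled" / "example.db"),
        "rows": count_notes(work / "pulled" / "example.db"),
    }
    holder.close()
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    # On a device the call would be e.g. (placeholder package name):
    # copy_sqlite_db("/data/data/com.example.app/databases/example.db", "/sdcard/dbdump")
    print(demo())
```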

Wednesday, June 8, 2016

Warning: Remote Host Identification Has Changed error and solution

Ok, let me admit, I got trapped by this issue again. This time the old remedy of running ssh-keygen -R did not work. Phew!

I did this:
went to cd /Users/nilesh/.ssh/ on my client machine and removed the following files:

known_hosts and known_hosts.old

Ran the ssh command once again; it asked for the new RSA key, accept it and the machine would be added into the list of new hosts.

And you are done. Now ssh connects properly.
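Deleting known_hosts discards every stored host key, not just the one that changed, and the warning exists precisely so that a changed key gets a second look before it is accepted. The following Python is an added example (not from the original post) of the per-host handling: list the fingerprint of the key stored for a host (in the SHA256 form ssh-keygen -lf prints, so it can be compared with one the server's owner provides), drop only that host's lines (the effect ssh-keygen -R is meant to have), and flag a mismatch between the stored and freshly presented key. It also matches hashed entries written when HashKnownHosts is on. The hostnames, key bytes and salt are constructed.

```python
# Added example, not code from the original post: inspect and prune a
# known_hosts file per host instead of deleting the whole file, and compare
# the stored key's fingerprint with one obtained out of band.
# Hostnames, key bytes and salt below are constructed for the example.
import base64
import hashlib
import hmac


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_host(host: str, salt: bytes) -> str:
    """Build the |1|salt|hmac host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """True if the first column of a known_hosts line covers `host` (plain or hashed)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in field.split(",")


def _entries(text: str):
    """Yield (host_field, keytype, key_b64) for each real key line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            yield parts[0], parts[1], parts[2]


def entries_for(text: str, host: str):
    """Return [(keytype, fingerprint)] for every key stored for `host`."""
    return [(kt, fingerprint(k)) for field, kt, k in _entries(text) if host_matches(field, host)]


def prune_host(text: str, host: str) -> str:
    """Drop only `host`'s lines (what ssh-keygen -R does) and keep every other entry."""
    kept = []
    for line in text.splitlines():
        parts = line.split()
        is_key_line = len(parts) >= 3 and not parts[0].startswith("#")
        if is_key_line and host_matches(parts[0], host):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def key_changed(text: str, host: str, fresh_fingerprint: str) -> bool:
    """True when keys are stored for `host` and none of them match the fresh fingerprint."""
    stored = [fp for _, fp in entries_for(text, host)]
    return bool(stored) and fresh_fingerprint not in stored


# Constructed sample: a well-formed ed25519 blob with made-up key bytes
FAKE_KEY_B64 = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample, not a real server\n"
    "example.test,10.0.0.5 ssh-ed25519 " + FAKE_KEY_B64 + "\n"
    + hash_host("other.test", b"constructed-salt-") + " ssh-ed25519 " + FAKE_KEY_B64 + "\n"
)

if __name__ == "__main__":
    print("stored for example.test:", entries_for(SAMPLE_KNOWN_HOSTS, "example.test"))
    print("stored for other.test:  ", entries_for(SAMPLE_KNOWN_HOSTS, "other.test"))
    print(prune_host(SAMPLE_KNOWN_HOSTS, "example.test"))
```

The workflow this supports: when the warning appears, compare the fingerprint entries_for reports with the one the server administrator gives you; if they differ and the server really was rebuilt, prune_host removes just that entry and the next connection stores the new key, while every other host's key stays pinned.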