Posts

Showing posts from 2016

Installing Burp cert in Android

I have seen many a times, even though there's already a Burp cert is installed on the Android device, the browser throws an error and Burp does not capture the request. This issue is mostly prevalent with Kitkat 4. As browser errors can be bypassed by clicking Proceed, but Banking apps keep throwing 'SSL Error' messages. Not sure what happens, but below works for me in such cases:

1. Download the Burp certificate. It'll be downloaded as 'cert.der'

2. Go to download folder, rename it as 'cert.cer' . Recommend to have a file explorer app which makes renaming easy.

3. Copy it to /storage/sdcard0 folder.

4. Go to Settings-> Security-> Trusted Credentials-> User. Remove the old Portswigger (Burp) certificates.

5. Go to Settings-> Security-> Install from device storage. Tap it and it installs your new certificate automatically. Now you are done. You'll notice all well now, the app communications being intercepted by Burp.

Maybe due to some…

jtool - an alternative to otool

jtool comes with a capability of running on Linux environment. Some ipa scanning tools are created to run on Linux environment where mac environment is not available. In such cases tools such as otool and class-dump-z will not work. So jtool can be an alternative to otool. For more information on jtool please refer to http://www.newosxbook.com/tools/jtool.html . It lists down various commands which have same output as otool or a equivalent. There are several commands mentioned in link.

But for our customized requirements and basis checks I have listed down the below ones after running on many binaries. The outputs are similar or equivalent to otool and class-dump-z:

Commands for checking PIE flag (ASLR) in jTool jtool -d -v -arch | grep stack
·Automatic Reference Counting (ARC) protection: jtool -d -v -arch | grep _objc_release
·To check if the device is jailbroken: jtool -d -v -arch | grep jail
·Dyldinfo compatible options: jtool -function_starts  -v -arch -d objc arm64 --- prin…

SQLi and Blind SQLi in search field

This continues from my earlier posts on SQLi in search fields:
http://nileshkumar83.blogspot.sg/2012/10/sql-injection-in-search-field.html

I recently found one sqli which was both in nature- generic sqli and blind sqli. As I have already said, search boxes are always an unusual suspect and we tend to generally overlook them.

But the field was not vulnerable to simple queries like ' or ''=', would have missed it if would not have tried similar to ' or ''='' or ''='. I fired Burp intruder and got a couple of more payloads which worked. Still I am not able to understand the difference between these two queries, why they yield different results.

Anyways, the sqli got exploited and the app displayed all the records from the table.

Now turn for blind sqli:
The same field was also vulnerable to blind sqli. This became more important as the automated tools such as SQLmap, failed due to some errors or the apps being unstable. So it is purely man…

Resizing VM space on MacOs

Run the following commands:

First go the path of your vdi:


/var/root/VirtualBox VMs/Linux/Linux.vdi
and then run this command: VBoxManage modifyhd Linux.vdi --resize
Output will be similar to this: 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100% and you are done.
Sometimes you require superuser privileges to go into above directories. Just type suod -s, it'll present a bash shell, using which you should be able to enter the VM directory and then follow the above commands. Should be easy.

Combining power of Fiddler with Burp

Both are pretty powerful tools when it comes to intercept and modify http communications. But at some point of time, they become even more powerful combo if tied with each other. They complement each other. In a recent pentest I came across a similar situation where in Burp was not able to intercept a specific kind of traffic and Fiddler came to rescue.

The application was designed to upload video. The initial communication was straight forward, I mean logging into application, filling up the video details etc. And all these were easily captured by Burp except the point where you hit the Upload Video and it connects to a different server and surprisingly it was not captured by Burp, not sure why, even after repeated attempts. So, I fired Fiddler to see if the it sees this request. But it's a;ways to play with requests using Burp due to it's various functionalities like, Intruder, Repeaters etc. But it was necessary to capture this request in Burp.

So the below steps can be pe…

Stripping the iOS binary of unneeded symbols

Image
Sometimes the iOS binary contains the symbol table which provides information about symbols linking a specific function in the binary. Presence of symbol tables make run time analysis of the binary easy for the attackers using gdb, cycript tools etc. So, it's recommended to strip the symbols off the binary.

The following commands shows the symbols linked to the funcion:
 # nm
0001556ad t _mySecretFuncion

An easy way to strip them is to use Strip command or strip the symbol table of C/C++ function information is by going into Xcode and changing around the Deployment Postprocessingand Strip Linked Product flags to YES.




















When sqlite3 is unavailable

Sometime we come across cases, where sqlite3 is not available on the android device and we are stuck with pull and push of sqlite3 from emulator or our client machine to the android device.
I saw a lot of articles around using adb to pull and push the sqlite3 binray. Nothing worked for me due to some reasons.
I tried to the following effective way:

1. Install SFTPserver app on your android device. Configure and run it.
2. Install some SFTP client at your client machine, I used Cyberduck at my Mac.
3. The twist was, even I was able to connect to the android device files and folders, was not able to read the Data folder where the SQLite database resides., including other folders. Then either you should install a SFTP server with root privileges, maybe that was the reason behind above.
4. So, in this case, I did an ssh to my android device, (use ssh server on the android device and run it).
5. Run the cat /data/data/package_name/.../example.db > /sdcard/example.db
6. Now access the d…

Warning: Remote Host Identification Has Changed error and solution

Ok, let me admit, I trapped in this issue again. This time the old remedy of running ssh-keygen -R did not work. Phew!

I did this :
went to cd /Users/nilesh/.ssh/ at my client machine and removed the following files:

known_hostsand known_hosts.old

Ran the ssh command once again, it asked for new RSA keys, accept it and the client machine would be added into list of new hosts.
And you are done. Now ssh connects properly.

Nice read about hacking with SWIFT

https://www.theguardian.com/technology/2016/apr/26/international-bank-transfer-system-hacked-swift-group-admits

Provision file installation error- ios security testing-0xe800801a

Image
Sometimes we get provision file along with the original ipa file for installation and security testing of ios apps. Earlier during old versions of ios such as 4  or5 we used to have a tool called iphone configuration utility tool which was used to provision the file. Now Apple has deprecated the utility so we have to install both using itunes.
Recently I faced repeated errors while trying to install provision file. Very similar to this:



This happens when you get the provision file through emails, which gets corrupted due the mail server issues, which throws the above error when trying to install. So the solution is it to ask the project team to send it again in zipped format- this solved my error.



When you face error while installing Drozer

Finally after doing  a lot of research while getting while getting the following error while installing Drozer on OSx/ linux:

"The following error occurred while trying to add or remove files in the installation directory:
    [Errno 13] Permission denied: '/Library/Python/2.7/site-packages/test-easy-install-3959.pth'
The installation directory you specified (via --install-dir, --prefix, or the distutils default setting) was:
    /Library/Python/2.7/site-packages/
Perhaps your account does not have write access to this directory?  If the installation directory is a system-owned directory, you may need to sign in as the administrator or "root" account.  If you do not have administrative access to this machine, you may wish to choose a different installation directory, preferably one that is listed in your PYTHONPATH environment
variable................"
This happens due to the fact that you don't have root permissions or write privileges. So, to enable root privileg…

Solving sshDroid warning

During one of the recent android pentest, I was required to install sshDroid, a very popular ssh server meant for Android device. For few hours it worked fine until the next day, I encountered the following nasty error: "Warning: Remote Host Identification Has Changed!......"

I know I had messed up it somehow so getting that message. So I found a way to do away with this:
Run the following command from your client terminal:
ssh-keygen -R

Once that is done, do an ssh again to the remote host:

ssh username@remotehost port (optional)

And we are done. Happy hacking!


Threatpost cert error

Image