[In this third installation of tips originally included in the Ultimate SANS Pen Test Poster, we'll turn to Josh Wright's tips for mobile device penetration testing. Josh shares some really useful insights here, as well as recommendations for tools (software and hardware) and resources for keeping current. Nice stuff!
Click these links for the first two articles in this series:
-Ed.]
Methodology Tips
- Recon - Identify the types of mobile devices used in the target environment, and the applications used. Consider using social networking data ("Posted with Tweetie for iOS"), e-mail headers ("X-Mailer: iPhone Mail (10B143)") or Satori fingerprints for insider or public network/hotspot attacks.
- Scanning - For local mobile device attacks, identify the wireless networks sought by the mobile device by inspecting network probes. Commonly weak network names such as "attwifi" and "linksys" are easy targets to impersonate and lure a victim into a hostile network.
- Exploitation - Use man-in-the-middle attacks to intercept and inspect network protocols. Use traffic insertion attacks to deliver client-side exploits to vulnerable devices, or manipulate captured traffic to exploit supporting back-end mobile application servers. If you have physical possession of a device, bypass device passcode use by physically connecting the device to an attack workstation to root or jailbreak the device, exposing the filesystem data.
- Post-Exploitation - Inspect commonly sensitive data areas on mobile devices for information such as the Notes, SMS, and browser history databases. Look for stored passwords in third-party applications, and for opportunities to extract saved passwords from keychain storage. If it is within scope, consider adding a backdoor to the mobile device and returning to the end-user, giving you remote access to trusted networks.
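As an added illustration (not part of Josh's original tips), the script below turns the passive fingerprints named in the Recon and Scanning tips into an inventory: it pulls iOS Mail build strings out of `X-Mailer` headers, picks up "Posted with ... for iOS/Android" footers, groups senders by build so stale builds stand out, and flags devices whose probe requests name commonly impersonated networks such as "attwifi" and "linksys". All headers, posts and probe requests are constructed samples, and the client name "SomeClient" is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample artefacts; none were captured from a real environment.
SAMPLE_MAIL_HEADERS = [
    "From: alice@example.org\r\nX-Mailer: iPhone Mail (10B143)\r\nSubject: hi\r\n",
    "From: bob@example.org\r\nX-Mailer: iPad Mail (10B143)\r\n",
    "From: carol@example.org\r\nX-Mailer: Microsoft Outlook 14.0\r\n",
    "From: dave@example.org\r\nSubject: no client header at all\r\n",
]
SAMPLE_SOCIAL_POSTS = [
    ("alice", "Great talk today! Posted with Tweetie for iOS"),
    ("erin", "New phone. Posted with SomeClient for Android"),  # placeholder client
    ("frank", "Lunch at the office."),
]
SAMPLE_PROBES = [  # (client MAC, probed SSID); locally administered MACs
    ("02:00:00:00:00:01", "attwifi"), ("02:00:00:00:00:01", "CorpWiFi"),
    ("02:00:00:00:00:02", "linksys"), ("02:00:00:00:00:03", "HomeNet-5G"),
]
WEAK_SSIDS = {"attwifi", "linksys"}  # names the tips call out as easy to impersonate

MAIL_RE = re.compile(r"^X-Mailer:\s*(iPhone|iPad|iPod) Mail \(([0-9A-Z]+)\)", re.M)
FROM_RE = re.compile(r"^From:\s*(\S+)", re.M)
POST_RE = re.compile(r"Posted with (.+?) for (iOS|Android)")

def fingerprint_mail(raw_headers):
    """Return {sender: (device, build)} for messages whose X-Mailer reveals the
    built-in iOS Mail client; desktop clients and header-less mail are ignored."""
    found = {}
    for hdr in raw_headers:
        sender, m = FROM_RE.search(hdr), MAIL_RE.search(hdr)
        if sender and m:
            found[sender.group(1)] = (m.group(1), m.group(2))
    return found

def fingerprint_posts(posts):
    """Return {author: (client, platform)} from 'Posted with X for Y' footers."""
    out = {}
    for author, text in posts:
        m = POST_RE.search(text)
        if m:
            out[author] = (m.group(1), m.group(2))
    return out

def builds_in_use(mail_fp):
    """Group senders by iOS build so a defender can spot out-of-date devices."""
    by_build = defaultdict(list)
    for sender, (_device, build) in mail_fp.items():
        by_build[build].append(sender)
    return dict(by_build)

def lure_exposed(probes, weak=WEAK_SSIDS):
    """Return {mac: [ssids]} for devices probing for commonly impersonated names."""
    exposed = defaultdict(set)
    for mac, ssid in probes:
        if ssid.lower() in weak:
            exposed[mac].add(ssid)
    return {mac: sorted(s) for mac, s in exposed.items()}
```

Running the four functions over the samples yields two iOS Mail senders on build 10B143, one iOS and one Android social client, and two devices probing for lure-prone network names.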
Must-Have Tools: Software
- Android Emulator and SDK Tools - The Android Emulator is almost as good as having real Android hardware since it can be used to run and assess Android applications. Pen testers can install the Android Emulator and the associated SDK tools for use in evaluating Android applications, and for attacking "stolen" Android devices. By Google http://developer.android.com/sdk
- Plist Editor for Windows - The Plist Editor for Windows makes it easy to view and search binary or ASCII preference list files from compromised Apple iOS devices. Pen testers can use the Plist Editor for Windows to extract data from iOS built-in or third-party applications and harvest credentials or other sensitive data from numerous weak applications. By VOWSoft, Ltd. http://www.icopybot.com/plist-editor.htm
- SQLiteSpy - SQLiteSpy reads, searches, and converts SQLite database files used on iOS and Android devices. Pen testers can inspect the compromised contact, GPS history, browser history, SMS messages and more with SQLiteSpy. By Ralf Junker http://www.yunqa.de/delphi/doku.php/products/sqlitespy/index
- Elcomsoft Phone Password Breaker* - EPPB is used to brute-force passwords on Apple iTunes backups, BlackBerry backups, and to bypass BlackBerry lock screen passcodes. Pen testers can use EPPB to decrypt and extract Apple and BlackBerry backup data from compromised hosts, and to bypass the passcode selection on BlackBerry devices. By Elcomsoft http://www.elcomsoft.com/eppb.html
- iPhone Data Protection Tools - The iDPT suite creates an alternate iOS boot environment, allowing pen testers to brute-force PIN-based passcodes on older iPhone, iPod Touch and iPad devices. By Jonathan Zdziarski and a community of contributing developers http://code.google.com/p/iphone-dataprotection
- Redsn0w - Redsn0w is an all-purpose iOS jailbreaking tool for iOS 5 devices. If device theft is in the scope of the mobile device pen test, the pen tester can jailbreak and access confidential data on stolen devices using Redsn0w. By iPhone Dev Team http://www.redsn0w.us
- Satori - Satori is a multi-faceted passive operating system fingerprinting tool, combining results from over 25 different protocols for precise results. Pen testers can use Satori to monitor LAN or WLAN traffic and identify the mobile devices that are present to target. By Eric Kollmann http://chatteronthewire.org
- Burp Suite* - Burp Suite is commonly used for web application assessments, but it also makes a powerful HTTP/S network manipulation tool when combined with a man-in-the-middle attack. Pen testers can use Burp Suite to exploit HTTP-based mobile applications with server-side and client-side injection attacks. By PortSwigger, Ltd. http://portswigger.net/burp
- Ettercap - Ettercap is a powerful man-in-the-middle tool, adding powerful network traffic manipulation and plugin functionality to exploit downstream devices. Pen testers can use Ettercap to capture plaintext passwords, intercept SSL traffic, and manipulate DNS name resolution on mobile devices. By Alberto Ornaghi, Marco Valleri, Emilio Escobar, and Eric Milam http://ettercap.github.com/ettercap
- Mercury Framework - The Mercury Framework is an Android security testing platform using a client/server architecture with plugin support for dynamic exploit delivery. Pen testers can use Mercury to evaluate the threat of malware on an Android platform, developing or leveraging available exploits to take advantage of Android platform vulnerabilities. By Daniel Bradberry https://github.com/mwrlabs/mercury
- iPhone Configuration Utility - The iPCU tool from Apple provides a set of iOS device management features for small organizations, creating XML profiles that can be installed on iOS devices to specify wireless networks, platform settings, certificate trust, and more. Pen testers can use iPCU to create malicious profiles, adding the attacker as a new trusted root CA as part of a phishing assessment. By Apple Corporation http://www.apple.com/support/iphone/enterprise
Must-Have Tools: Hardware
- Google Nexus* - The Google Nexus is the perfect hardware for experimenting with Android attacks with WiFi, Bluetooth, and NFC wireless capabilities. As a "Google Experience" device, the Nexus also receives software updates to stay current with new Android OS features. By Google http://www.google.com/nexus
- iPad Mini* - A lower-cost alternative to an iPad or an unsubsidized iPhone, the iPad Mini runs all iOS applications. After jailbreaking the iPad Mini, pen testers can install and target vulnerable applications, or test the impact of attacks before delivering them to the production target environment. By Apple Corporation http://www.apple.com/ipad-mini
* These tools are available on a commercial (cost) basis.
Great Resources for Staying Current
- MacRumors - http://www.macrumors.com
- BGR Mobile Report - http://bgr.com/mobile
- XDA Developers Blog - http://www.xda-developers.com
- Josh's Mobile RSS Feed - http://www.willhackforsushi.com/subscriptions.xml
- Twitter Search Terms - ios security | android security
- Twitter Accounts - @pod2g | @lookout | @pof | @pentesttips | @joswr1ght
Associated SANS Courses
SEC575: Mobile Device Security and Ethical Hacking www.sans.org/sec575
-Josh Wright
Counter Hack