Android Mobile Pentest 101
© tsug0d, September 2018
Lecture 8 – Tools time
Goal: Speed up our pentest process
Why?
- Assume that we are total noobs and the app is just too hard for us: we cannot reverse it, cannot patch it, cannot hook it,
etc... So, give up?
- Don't worry, maybe a tool will help you. I always use tools first; if that fails, the manual phase comes next :)
- I will introduce tools aimed at bypassing root detection, emulator detection and SSL pinning
Root Detection Bypass
- To bypass root detection, we are going to use RootCloak
- It is a module for Xposed Framework
- It uses a variety of methods to completely hide root from the app
- This includes hiding the su binary, superuser/supersu apks, processes run by root, adb, and more.
Root Detection Bypass -> Install
- Since it is a module for Xposed Framework, we have to install Xposed first
- Install via MobSF script:
https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/master/scripts/mobsfy.py
- Type command:
python3 mobsfy.py -i 192.168.56.101:5555 -t 1
The IP is the address of our virtual phone; the -t option is 1 for a virtual device and 2 for a physical device
- It fails because we are dealing with Genymotion, so we have to use Genymotion's adb: replace this adb with the Genymotion
adb and we are all done
Root Detection Bypass -> Install
- Run it again and Xposed appears on our phone, but it is still not installed; we have to click the install option
Root Detection Bypass -> Install
- Now go to the Modules tab and tick RootCloak
- Then reboot the phone
Root Detection Bypass -> Install
- RootCloak appears :)
Root Detection Bypass -> Using
- To use it, click on the app icon; it looks like this:
- Choose Add/Remove Apps
Root Detection Bypass -> Using
- Click on the plus symbol
Root Detection Bypass -> Using
- Add your app to hide root from it, and you are all set
Emulator Detection Bypass
- Same as the root bypass: we select Android Blue Pill in Xposed
- Reboot the phone, done (just an introduction; I always fail when using it :))
SSL Pinning Bypass -> JustTrustMe
- In this section I'll introduce two tools I always use; the first is JustTrustMe from the Xposed modules
- Tick it, reboot, done
- Since it is too old, I prefer the second one!
SSL Pinning Bypass -> Objection
- Remember the last slide of lecture 6? We are going to use Objection, a runtime mobile exploration toolkit
powered by Frida, to bypass SSL pinning
- Objection was built with the aim of helping assess mobile applications and their security posture without the
need for a jailbroken or rooted mobile device.
Note: This is not some form of jailbreak / root bypass. By using objection, you are still limited by all of the
restrictions imposed by the applicable sandbox you are facing.
SSL Pinning Bypass -> Objection
- To install, simply type the command:
pip3 install objection
- Test that it is installed:
SSL Pinning Bypass -> Objection
- To use Objection, you need two things:
1. Objection installed
2. A patched APK installed on your Android device, with the device connected and authorized to your
computer via USB
- We already have the first, so we create a patched APK; type the command:
objection patchapk --source InsecureBankv2.apk
(More about this: https://github.com/sensepost/objection/wiki/Patching-Android-Applications)
- Result:
SSL Pinning Bypass -> Objection
- We install the patched APK on the phone:
- Run the app on the phone, then type this command to explore it:
objection --gadget "com.android.InsecureBankv2" explore
SSL Pinning Bypass -> Objection
- With Objection we can easily collect app information; for example, the env command prints the locations
of the application's Files, Caches and other directories:
SSL Pinning Bypass -> Objection
- Or list all of the Activities that the application has:
- Using the output from the activities list, invoking arbitrary activities is as simple as:
SSL Pinning Bypass -> Objection
- Sorry, back to our topic. To bypass SSL pinning using Objection, simply type this command (although this app
has no pinning, it is just an example :)):
android sslpinning disable
- We are all done! Objection has many cool features; feel free to explore them
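The Objection workflow above (patch, install, launch, disable pinning) as one script, added here as an example and not part of the lecture or of Objection itself. It assumes adb and objection are on PATH (set ADB to Genymotion's adb when needed), that objection names the patched file `<name>.objection.apk`, and that `explore --startup-command` is available; it refuses to run when adb does not report the device as authorized.

```shell
#!/usr/bin/env bash
# Added helper: run the lecture's Objection flow only after checking that adb
# really sees an authorized device (the page's "connected and authorized" step).
set -u

# Override with the Genymotion adb when adb from the SDK does not see the VM.
ADB="${ADB:-adb}"

# Print the state adb reports for a serial ("device", "unauthorized",
# "offline") or "missing". Reads `adb devices` output from stdin so it can be
# exercised on constructed input without a phone attached.
device_state() {
    local serial="$1" line
    while IFS= read -r line; do
        case "$line" in
            "$serial"*) printf '%s\n' "${line##*[[:space:]]}"; return 0 ;;
        esac
    done
    printf 'missing\n'
}

# Name objection gives the patched APK (assumption: <source>.objection.apk).
patched_name() { printf '%s.objection.apk\n' "${1%.apk}"; }

# Patch, install, launch and attach with pinning disabled for one app.
bypass_pinning() {
    local apk="$1" pkg="$2" serial="$3" state
    state="$("$ADB" devices | device_state "$serial")"
    if [ "$state" != "device" ]; then
        echo "adb sees $serial as '$state'; authorize it (or use Genymotion's adb) first" >&2
        return 1
    fi
    objection patchapk --source "$apk" || return 1
    "$ADB" -s "$serial" install -r "$(patched_name "$apk")" || return 1
    # The gadget only attaches to a running app, so launch it before exploring.
    "$ADB" -s "$serial" shell monkey -p "$pkg" -c android.intent.category.LAUNCHER 1 >/dev/null
    objection --gadget "$pkg" explore --startup-command "android sslpinning disable"
}

# Example invocation with the lecture's values; the serial is the Genymotion VM.
# bypass_pinning InsecureBankv2.apk com.android.InsecureBankv2 192.168.56.101:5555
```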