APP penetration—MobSF security assessment, frida, r0capture packet capture

1. Introduction

  The previous articles introduced how to capture packets from APP applications and mini programs. This time we mainly discuss how to collect detailed information and non-HTTP/S traffic more comprehensively, and how to use automated tools to scan APK files for associated threats.

  APP and Mini Program—Information Collection

2. Supplementary notes on AppInfoScanner

  In the previous article we only showed how to use the AppInfoScanner project without introducing it in more detail. It is an information collection and scanning tool for mobile terminals (Android, iOS, WEB, H5, static websites) that helps penetration testers, attack team members and red team members quickly collect key asset information from mobile terminals or static WEB sites and output basic information such as Title, Domain, CDN, fingerprint and status information.

  However, in practice the information collected this way is still relatively limited, so Fiddler has to be used alongside it to collect the information in the APK more fully.

  This is because the AppInfoScanner project only extracts the URL addresses present in the APK: if a URL is found it is collected, and any other URL information is not.

  Fiddler collects during communication, so compared with AppInfoScanner it may gather more of the information that is actually accessed while the app runs. However, Fiddler only gets complete coverage if every function is exercised one by one, and functions that are only available to members or that require special authorization will not be collected at all. Combining the two is therefore the best approach. Of course, neither Fiddler nor AppInfoScanner is mandatory: if you have a better project, by all means use it; if not, these two are good enough.

3. MobSF security assessment

  Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile application binaries (APK, XAPK, IPA & APPX) along with compressed source code and provides a REST API for seamless integration with CI/CD or DevSecOps pipelines. Dynamic Analyzer helps you perform runtime security assessments and interactive instrumented testing.

3.1. Download MobSF

  It is best to install on Linux. Installing on Windows or Mac is more troublesome, whereas on Linux you only need Docker to get a one-click installation.

  Download MobSF

  MobSF official manual

3.2. Install Docker

  I installed CentOS 7.6 in a virtual machine with the Linux 3.10 kernel. Docker officially requires at least kernel 3.8 and recommends 3.10 or above (Ubuntu needs kernel 3.8 or above; the RHEL/CentOS kernel has been patched, so CentOS 6.5 also works, which you can try).

  Requires root privileges to install.

3.2.1. Check the Linux kernel version

uname -r


3.2.2. Update yum package

  The yum packages need to be updated to the latest here. I am using a cloud server; when I ran the update there was nothing to update, and it was rather slow, so in the end it was not updated.

yum update


3.2.3. Installing the Docker package

  It seems these were already installed here; I don't know what installed them earlier.

yum install -y yum-utils device-mapper-persistent-data lvm2


3.2.4. Set yum source

yum-config-manager --add-repo http://download.docker.com/linux/centos/docker-ce.repo ## central repository


3.2.5. View Docker version

  Here we can list all Docker versions in the repositories and choose a specific version to install.

yum list docker-ce --showduplicates | sort -r


3.2.6. Install Docker

  The version number is the one in the second column of the output; for example, I chose 18.09 here.

yum install docker-ce-<version number>


3.2.7. Setting up Docker

  Setting up Docker here mainly means starting the service, enabling it at boot, and checking the version. If the version can be displayed, the installation succeeded.

systemctl start docker
systemctl enable docker
docker version


3.2.8. Other Docker commands

  Here are some commonly used Docker commands.

docker ps                   ## list running containers
docker ps -a                ## list the status of all containers
docker start/stop id/name   ## start/stop a container
docker exec -ti id          ## open a pseudo-terminal into a container interactively (the container keeps running after you leave with exit)
docker images               ## list local images
docker rm id/name           ## delete a container
docker rmi id/name          ## delete an image

3.3. Install MobSF

  On Linux the installation is very convenient: there is not much to do, just one command.

3.3.1. One-click installation

  Installing MobSF here may be a little slow.

docker pull opensecurity/mobile-security-framework-mobsf


3.3.2. Start MobSF

  Start MobSF here. If you are using a cloud server, you need to open port 8000 in the security group. The port can of course be changed.

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest


3.3.3. Open MobSF

  Here you can open MobSF in a browser by visiting http://<IP address>:<port>


3.4. Use of MobSF

  Simply put, upload the APK to MobSF. If you don't have the APK file, you can use a resource extractor to extract the APK of the APP; how to extract it was introduced in the previous article, so it is not repeated here. Here I still use the same APP to operate.

3.4.1. Upload APK file

  Click Upload in the middle of the page, upload the file, and that's it. Then wait for the result, which may take a while; most likely the analysis time depends on the size of the APK, whether it is packed, and its content.


3.4.2. View APK analysis results

  After a while the analysis results appear. They are all in English; you can use the browser to translate them into Chinese, which makes them easy to understand. I will not go through the individual items here, just look at the overall picture!

  How to use it in detail you can study yourself; here I only introduce how to get it running.


4. Frida packet capture

  Frida is an easy-to-use cross-platform hook tool that can hook everything from the Java layer down to the Native layer. It is a dynamic instrumentation tool that inserts code into the app's native memory space to monitor and modify behavior dynamically. It supports all the native platforms: Windows, Mac, Linux, Android and iOS.

  Most apps are black boxes for us. Reverse engineering and dynamic debugging of apps, or automated analysis, require continuous dynamic debugging. Frida uses Python to inject JavaScript scripts, and those JS scripts operate on the Java code on the device.

  If you need a persistent hook, you still need a framework such as Xposed, but Frida's dynamism and flexibility are a great help for reverse engineering and automated reversing.

4.1. Introduction to frida

  Frida is divided into a client and a server.

  Client: PC (controlling end)

  Server: mobile device (controlled end)

  The client-side code, written in Python, connects to the remote device, submits the JS code to be injected to the server, and receives the messages sent back by the server.

  The server injects the JS code into the target process, manipulates memory data, and sends messages to the client.

4.2. PC configuration

  First install Python, then install the frida library and the frida-tools.

4.2.1. Install Python

  I already installed Python during the earlier privilege-escalation articles, and anyone who has got as far as APP penetration should already have Python installed!


4.2.2. Install frida and frida-tools

  You may need to wait patiently here; the installation is very slow, although strangely, after quitting and retrying several times the reinstallation is fast. After installation, check the version to determine which server version to use. Mine is 16.0.7, so I need to download frida-server 16.0.7.

pip install frida         ## install frida
pip install frida-tools   ## install frida-tools
frida --version           ## check the version


4.3. Simulator configuration

4.3.1. Check the emulator architecture (bitness)

  The downloaded server build is specific to the architecture (32/64-bit), so you need to check the architecture of the emulator.

  First of all, open the emulator; if it is not running you cannot get into its shell. Since I have not set the environment variable, I open cmd in the bin directory of the Yeshen (Nox) emulator's installation folder and enter the command to check the architecture, which tells us which server build to download.

adb shell                   ## enter the emulator shell
getprop ro.product.cpu.abi  ## check the CPU ABI (bitness)


4.3.2. Download Frida-server

  Above we found that our client version is 16.0.7 and the emulator is 64-bit, so with this information we can download the corresponding server. Note that the frida-server version must match the Frida version of the client.

  Frida-server

  Note that the prefix needs to be android; choose arm/arm64 for a physical phone and x86/x86_64 for the emulator.

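
The version-and-architecture choice from 4.3.1 and 4.3.2 and the push/chmod/run/forward steps that follow, put together as an added example (not code from the original post or the Frida project). It assumes adb and frida are on PATH, the emulator is rooted so adb shell can run the binary, and the downloaded .xz asset has already been unpacked to LOCAL_BINARY.

```python
"""Pick the frida-server build that matches the PC's Frida client and the
emulator's CPU ABI, then deploy it the way the post does by hand.
Added example; assumes adb/frida on PATH, a rooted emulator, and an
already unpacked server binary at LOCAL_BINARY."""
import re
import subprocess

LOCAL_BINARY = "./frida-server"              # assumed path of the unpacked binary
REMOTE_BINARY = "/data/local/tmp/frida-server"

# Android ABI (getprop ro.product.cpu.abi) -> arch used in the release asset name
ABI_TO_FRIDA_ARCH = {
    "x86": "x86", "x86_64": "x86_64",            # emulators
    "armeabi-v7a": "arm", "arm64-v8a": "arm64",  # physical phones
}

def frida_server_asset(client_version: str, abi: str) -> str:
    """Asset name to fetch from github.com/frida/frida/releases for this PC/device."""
    version = client_version.strip()
    if not re.fullmatch(r"\d+\.\d+\.\d+", version):
        raise ValueError(f"unexpected 'frida --version' output: {client_version!r}")
    arch = ABI_TO_FRIDA_ARCH.get(abi.strip())
    if arch is None:
        raise ValueError(f"unsupported ABI: {abi!r}")
    return f"frida-server-{version}-android-{arch}.xz"

def versions_match(client_version: str, server_version: str) -> bool:
    """frida-ps -U only works when client and frida-server share one version."""
    return client_version.strip() == server_version.strip()

def sh(*cmd: str) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def deploy() -> subprocess.Popen:
    """Automates 4.3.1 to 4.3.6: check ABI, push, chmod, run, forward, verify."""
    client = sh("frida", "--version")
    abi = sh("adb", "shell", "getprop", "ro.product.cpu.abi")
    print("expected asset:", frida_server_asset(client, abi))
    sh("adb", "push", LOCAL_BINARY, REMOTE_BINARY)
    sh("adb", "shell", "chmod", "755", REMOTE_BINARY)  # execute bit is enough
    if not versions_match(client, sh("adb", "shell", REMOTE_BINARY, "--version")):
        raise SystemExit("frida-server version differs from the frida client")
    # Start the server without blocking this script (the post leaves it "stuck")
    server = subprocess.Popen(["adb", "shell", REMOTE_BINARY])
    sh("adb", "forward", "tcp:27042", "tcp:27042")  # needed for frida-ps -R
    print(sh("frida-ps", "-U"))                       # process list from the emulator
    return server
```

Run `deploy()` from a Python shell once the emulator is up; the returned Popen handle is the running frida-server, so terminating it stops the server.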

4.3.3. Upload simulator

  Here you need to upload the server to the emulator. You must exit the adb shell first; the upload cannot be done from inside the emulator's shell.

adb push <file path> /data/local/tmp


4.3.4. Granting Permissions

  Here, as on Linux, you need to grant execute permission.

adb shell
cd /data/local/tmp
chmod 777 frida-server


4.3.5. Running frida-server

  When you run it, the shell appears to hang; that is the sign it is running.

./frida-server ## run


  If you are not sure, open another cmd window and check whether it is running.

ps | grep frida-server


4.3.6. Determine the connection status

  Here you need to check the running status; the information displayed is the process list from the emulator.

frida-ps -U


  Here you also need to run a second command; both need to succeed.

frida-ps -R


  As can be seen, this one does not succeed, so port forwarding is required.

adb forward tcp:27042 tcp:27042


  Check the status again and you can see it now succeeds. Keep all the cmd windows open and do not close them, so you don't have to redo the setup for later debugging.


4.4. Summary

  At this point all the Frida setup is done. Note that in the above steps, especially after port forwarding, things may get stuck; in that case it is recommended to repeat the steps and re-run the server and the port forwarding tests.

5. Android application-layer universal packet capture script (r0capture)

  Usually, if the APP traffic does not use HTTP/S, Fiddler and Burp cannot capture it, so here we use Frida together with the following script to capture the packets we could not capture otherwise.

  Here you need to download a script; you can read its full introduction yourself, here is just a brief summary.

  • Android platform only; tested and working on Android 7, 8, 9, 10, 11 and 12;
  • Ignores all certificate verification or pinning; no certificate needs to be considered;
  • Covers all application-layer protocols in the TCP/IP four-layer model;
  • Covered protocols include Http, WebSocket, Ftp, Xmpp, Imap, Smtp, Protobuf, etc., and their SSL versions;
  • Covers all application-layer frameworks, including HttpUrlConnection, Okhttp1/3/4, Retrofit/Volley, etc.;
  • Ignores hardening: whether it is a whole-package shell, a second-generation shell or VMP, the hardening does not matter;

  Android application-layer universal packet capture script

5.1. Before the test

  It should be noted that I found that while the emulator is running frida-server it cannot be operated, and as soon as frida-server is suspended it can be operated again immediately. I haven't quite figured out why; my setup here is the Yeshen (Nox) emulator with Android 7.0.

  This may be due to my own environment; I am not sure whether others will run into the same situation.

  I have worked out a process; in simple terms:

  First run frida-server according to the above process and test whether both frida-ps -U and frida-ps -R return the information normally.

  Then, once the information can be obtained, if the emulator cannot be operated, pause frida-server and test whether the emulator returns to normal. If it does not, keep pausing frida-server and test again.

  When the emulator returns to normal, use r0capture.py to capture packets.

5.2. How to get the package name

  The package name may be needed later, so here is how to obtain the package name of an APP in the emulator. You need the MT manager, which was also mentioned in the previous chapter, so no more detail on it here; just how to use it.

  MT manager

5.2.1. Select the installation package to extract

  Here select the installation package to extract.


5.2.2. View package name

  Here you can see what the package name is.


5.3. How to use the Attach mode

  As stated in the official notes, the old version of Frida uses the package name and the new version uses the APP name. The APP name must be the name displayed by frida-ps -U after you tap the app.

5.3.1. Attach mode operation

  Here I use Attach mode, which only captures while an interface is being accessed; simply put, it captures the traffic of interest.

  If you run it directly, an error is reported: you need to press Enter in cmd immediately after starting the Tantan APP, so enter the command in advance.

python r0capture.py -U 探探 -v -p tantan.pcap


5.3.2. Attach mode results

  The result is a pcap file, i.e. a Wireshark capture. Open it and you can see which addresses are accessed and related information; from here you can analyze these IPs and the payload data.


5.4. How to use Spawn mode

  The official introduction says this mode uses the package name, but it is not saved as a packet capture; instead the output is exported to a txt file, which is very messy, so the official recommendation is also to use Attach mode.

5.4.1. Spawn mode operation

  After entering the command, it automatically launches the APP corresponding to the package name.

python r0capture.py -U -f <package name>


5.4.2. Spawn mode results

  A txt file is automatically generated in the folder, and all the output is placed in it.


5.5. Summary

  It seems this can be linked with Fiddler and Burp; I have not studied it yet. Look forward to the next chapter, which should cover this.


Origin blog.csdn.net/weixin_44268918/article/details/130294195