Hacking iOS GameCenter and Passbook with Proxies
OWASP Boston

November 6, 2013
Who am I?

• Karl Fosaaen
‒ Senior Security Consultant at NetSPI
‒ Twitter: @kfosaaen
Presentation Overview
• Intercepting iOS Traffic
• Why and How
• Tools
• Certificates
• Identifying Pinning
• Attack Examples
• GameCenter Scores
• GameCenter Hashes
• Passbook files
• Conclusions
Intercepting traffic: Why
• iOS traffic can be interesting
‒ Most apps use web service calls
‒ Most apps are web browsers

• Traffic tampering
‒ Can you name your own price?
‒ Submit a higher score?

• Server responses can be interesting
‒ Modify what the server says to trick your app
‒ Intercepting files (i.e. Passbook passes)

• Same goes for Android
Intercepting traffic: How
• Use an intercepting proxy
‒ Set it up to capture your traffic
‒ Store and forward allows for tampering

• SSL Interception
‒ Requires a trusted certificate
‒ Some apps don’t trust iOS cert stores
• This is a good thing, just a pain for interception

• Traffic sniffing
‒ Some apps send requests in the clear
‒ Packet sniffing can be useful
Intercepting traffic: Tools
• Burp
• iOS simulator
• Other Proxies
‒ ZAP
‒ Fiddler
‒ WebScarab
Intercepting Traffic: Certs
• Exporting the Burp Root CA
Intercepting Traffic: Certs
• Exporting the Burp Root CA
• Save the root cert as
PortSwiggerCA.crt
• Send the cert to yourself via email
and add it to your iOS device
• Instructions from Portswigger:
http://portswigger.net/burp/help/proxy_options_installingCAcert.html#iphone
Intercepting Traffic: Certs
• Exporting the Burp Root CA
• Certificate installed on iPhone
Intercepting Traffic: Burp
• Burp Set Up
Intercepting Traffic: Burp
• iOS Proxy Set Up
Intercepting Traffic: Burp
• Intercepted iOS traffic
• HTTPS request to Google from iPhone
Intercepting Traffic: Burp
• A quick warning…
‒ Watch your credentials
• Exchange ActiveSync sends encoded passwords
• Your login creds for other apps and sites will get stored in your proxy
‒ Mostly watch the data getting stored in your proxy
• You never know when you will need to send your Burp session to someone else
Intercepting Traffic: Certs
• Identifying pinned apps
‒ Able to intercept normal browser SSL traffic
‒ Can’t get app specific data
‒ Pinning might be in use
• The app may also be looking for specific cert parameters
‒ This is not pinning; it’s cert checking
Intercepting Traffic: Certs
• Avoiding issues with cert pinned apps
‒ Open the app without the proxy enabled
‒ Get to a spot where you request an external resource
‒ Switch over to your preferences
• Turn on the Proxy
‒ Request the resource
• Passbook pass
• Coupon
‒ Or just use the exclusions in Burp
Attack Examples

Example Time!
Attack Examples

• GameCenter High Scores
• GameCenter Email Hashes
• Passbook files
Attack Examples: GameCenter
• Attacking High Scores
‒ GameCenter scores update with HTTPS POST requests
‒ No input validation on “score-value” parameter
• Max score of 9,223,372,036,844,775,807
Attack Examples: GameCenter
• Attack Process
‒ Set up intercepting proxy
‒ Play a game
• Beat the first level, or
• Trigger a score update
‒ Intercept the score update
• Look for “submitScores” page
‒ Replace score value with 9,223,372,036,844,775,807
Attack Examples: GameCenter
‒ Bad News
• This was fixed in iOS 7
• There’s a token now
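As an added example (not from the deck, and not GameCenter's real protocol), the two server-side checks that close the gap described on these slides: a submission token bound to the player and leaderboard, and a bounded, well-formed score-value. The field names, the token layout and the per-leaderboard ceilings are assumptions for the demo.

```python
import hashlib
import hmac
import re
import time

# Constructed demo secret; in production this is a rotated, server-held key.
SERVER_SECRET = b"constructed-demo-secret"

# Hypothetical ceilings derived from what the game logic can actually award,
# so a value anywhere near the 64-bit integer limit is rejected outright.
LEADERBOARD_MAX = {"level1": 50_000, "endless": 2_000_000}

# ASCII digits only: no sign, no decimal point, no exponent, no Unicode digits.
SCORE_RE = re.compile(r"[0-9]{1,19}")


def _mac(player_id, leaderboard, issued_at):
    payload = f"{player_id}|{leaderboard}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(player_id, leaderboard, issued_at=None):
    """Token handed to the client when a level starts; binds one player,
    one leaderboard and an issue time under a server-side HMAC."""
    issued_at = int(time.time() if issued_at is None else issued_at)
    return f"{player_id}|{leaderboard}|{issued_at}|{_mac(player_id, leaderboard, issued_at)}"


def validate_submission(form, now=None, max_age=3600):
    """Check a submitScores-style POST body (dict of form fields).

    Returns (accepted, reason). Every check runs on the server, so a proxy
    that rewrites score-value in transit cannot get a forged value accepted.
    """
    now = int(time.time() if now is None else now)
    try:
        player_id, leaderboard, issued_at, mac = form["token"].split("|")
        issued_at = int(issued_at)
    except (KeyError, ValueError):
        return False, "malformed token"
    if not hmac.compare_digest(mac, _mac(player_id, leaderboard, issued_at)):
        return False, "bad token signature"
    if not 0 <= now - issued_at <= max_age:
        return False, "token expired or not yet valid"
    if form.get("player-id") != player_id or form.get("leaderboard-id") != leaderboard:
        return False, "token does not match submission"
    raw = form.get("score-value", "")
    if not SCORE_RE.fullmatch(raw):
        return False, "score-value is not a plain non-negative integer"
    if leaderboard not in LEADERBOARD_MAX:
        return False, "unknown leaderboard"
    if int(raw) > LEADERBOARD_MAX[leaderboard]:
        return False, "score exceeds what this leaderboard can produce"
    return True, "ok"


if __name__ == "__main__":
    token = issue_token("player42", "level1", issued_at=1000)
    honest = {"token": token, "player-id": "player42",
              "leaderboard-id": "level1", "score-value": "1200"}
    forged = dict(honest, **{"score-value": "9223372036844775807"})
    print(validate_submission(honest, now=1010))  # (True, 'ok')
    print(validate_submission(forged, now=1010))  # (False, 'score exceeds what this leaderboard can produce')
```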
Attack Examples: GameCenter
Capturing GameCenter Email Hashes
Attack Examples: GameCenter
• Capturing Email Hashes
• SHA1 email hashes can be leaked by requesting player information
• This can be done for current friends and accounts of “friends of friends”
• What can we do with these?
• Why would anyone want those?
Attack Examples: GameCenter
• Next Steps
‒ So you have some hashes, so what…
• You have their handle, first and last names too
‒ What’s your email address?
• Common email user names
‒ First.last
‒ FirstinitialLast
‒ Handle/username
‒ NameBirthYear (or other “significant” number)
‒ Who’s your email provider?
• Gmail, yahoo, hotmail, AOL
Attack Examples: GameCenter
• Capturing Email Hashes
• Step One: Add a bunch of friends
‒ Current recommendations, leaderboards, friends of your friends
Attack Examples: GameCenter
• Capturing Email Hashes
• Step Two: Get a list of all of their friends
‒ So “friends of friends”
‒ Use Burp for this
Attack Examples: GameCenter
• Capturing Email Hashes
• Step Three: Friend request all of them
Attack Examples: GameCenter
• Capturing Email Hashes
• RETURN to Step One multiple times
• Step Four: Query for the email hashes for all of your friends and all of their friends too
‒ This will be done with Intruder in Burp
‒ Much like step three – send the request on the next slide to Intruder
Attack Examples: GameCenter
• Cracking Email Hashes
‒ PowerShell Script to Guess Email user names
• kfosaaen@example.com
• k.fosaaen@example.com
• karlfosaaen@example.com
• karl.fosaaen@example.com
• karl.f@example.com
• karlf@example.com
‒ Append the top 500 email domains to the end and SHA1 the whole thing
Attack Examples: GameCenter
• Cracking Email Hashes
‒ PowerShell Script to SHA1 hash the guessed emails
• This was basic, but worked well
‒ Use the email guesses as a dictionary for Hashcat
• The rule set can be customized to make cracking easier
Attack Examples: GameCenter
• Final Numbers:
‒ 225 friends added* (as of 10/16/13)
  *Records collection stopped after 45 friends
‒ 1,635 records gathered
• 1,534 after Unicode removal
• 14,377 available to me currently
‒ 300 email hashes cracked (19.5%)
Records Example:
SHA1 Email Hash : username : First Name : Last Name
591542B50A99EAA8E41136305075F9FF708F1992:bubblefish:Deb:Morgan
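An added example (not the deck's PowerShell script) of why the leaked hash is not a secret and what the storage side can do about it: the username patterns from the slides plus a domain list recover a constructed record in a few thousand SHA1 calls, whereas a keyed digest held server-side cannot be tested offline. The record, address and domain list are constructed; the primary fix remains the one in the conclusions, not exposing the hash to other players at all.

```python
import hashlib
import hmac
import itertools

# Stand-in for the "top 500 email domains" list; all reserved example domains.
DOMAINS = ["example.com", "example.org", "example.net"]

# Constructed record in the deck's "SHA1 : username : First : Last" layout.
# The address is made up and its hash is computed right here.
SAMPLE_EMAIL = "jane.doe@example.com"
SAMPLE_RECORD = hashlib.sha1(SAMPLE_EMAIL.encode()).hexdigest().upper() + ":jdoe:Jane:Doe"


def local_part_guesses(username, first, last):
    """The local-part patterns listed on the slides (first.last,
    first-initial+last, the handle) and a few close variants."""
    guesses = {username.lower()}
    if first and last:
        f, l = first.lower(), last.lower()
        guesses |= {f"{f}.{l}", f"{f}{l}", f"{f[0]}{l}", f"{f[0]}.{l}",
                    f"{f}.{l[0]}", f"{f}{l[0]}"}
    return guesses


def recover_email(record, domains=DOMAINS):
    """Return the address whose unsalted SHA1 matches the record, or None.

    About 7 patterns x 500 domains is only a few thousand hashes per record,
    which is why an unsalted hash of a low-entropy identifier hides nothing.
    """
    digest, username, first, last = record.split(":")
    digest = digest.lower()
    candidates = itertools.product(local_part_guesses(username, first, last), domains)
    for local, domain in candidates:
        candidate = f"{local}@{domain}"
        if hashlib.sha1(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def keyed_email_digest(email, service_key):
    """Storage-side mitigation: HMAC the normalised address under a secret the
    service never sends to clients. The service can still compare two
    addresses, but a leaked digest cannot be checked against guesses offline,
    and digests from two services with different keys cannot be correlated."""
    normalised = email.strip().lower().encode()
    return hmac.new(service_key, normalised, hashlib.sha256).hexdigest()
```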
Attack Examples: Passbook

Passbook
Attack Examples: Passbook
• Multiple Apps are now available with Passbook
• Mostly used to store loyalty cards, coupons, and boarding passes
‒ Gift cards are now getting adopted
• Can actually be pretty convenient to use
Attack Examples: Passbook
• Common Application Issues:
‒ Failure to securely deliver .pkpass files
• No HTTPS or certificate pinning
‒ Failure to validate pass information on backend systems
• Do you really have $1,000 on that gift card?
Attack Examples: Passbook
• Passes are sent as .pkpass files
‒ .pkpass is just a renamed .zip file
‒ Required contents:
• manifest.json
• pass.json
• Signature
‒ A signature file for integrity
‒ Prevents file replacement and a re-zip
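An added example (not Apple's code or the deck's) of the integrity layer described on this slide: a constructed .pkpass is assembled with a manifest.json of per-file SHA1 hashes, and a verifier checks every file against it, so editing pass.json and re-zipping without touching the manifest is detected. The signature over manifest.json is left as a placeholder; verifying it needs Apple's certificate chain, and it is what stops an attacker from simply recomputing the manifest. The identifiers and balance in pass.json are placeholders.

```python
import hashlib
import io
import json
import zipfile

# Constructed pass with placeholder identifiers; a real pass carries the
# passTypeIdentifier and teamIdentifier bound to the signing certificate.
PASS_JSON = json.dumps({
    "formatVersion": 1,
    "passTypeIdentifier": "pass.example.placeholder",
    "teamIdentifier": "PLACEHOLDER",
    "serialNumber": "0001",
    "storeCard": {"primaryFields": [{"key": "balance", "label": "Balance", "value": "$10.00"}]},
}).encode()


def build_pkpass(files):
    """Lay the files out the way a .pkpass is: manifest.json maps each file
    name to the SHA1 of its bytes, and 'signature' is a PKCS#7 detached
    signature over manifest.json (a placeholder here; producing the real one
    is the signpass-plus-Apple-cert step on the later slides)."""
    manifest = {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("signature", b"placeholder: PKCS#7 signature over manifest.json")
    return buf.getvalue()


def check_manifest(pkpass_bytes):
    """Integrity check to run before trusting anything inside the pass.
    Returns a list of problems; an empty list means the manifest and the
    contents agree. Signature verification is not performed here."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(pkpass_bytes)) as zf:
        names = set(zf.namelist())
        for required in ("manifest.json", "pass.json", "signature"):
            if required not in names:
                problems.append(f"missing {required}")
        if "manifest.json" not in names:
            return problems
        manifest = json.loads(zf.read("manifest.json"))
        for name in sorted(names - {"manifest.json", "signature"}):
            if name not in manifest:
                problems.append(f"{name} not listed in manifest")
            elif hashlib.sha1(zf.read(name)).hexdigest() != manifest[name]:
                problems.append(f"{name} hash mismatch")
        for name in sorted(manifest):
            if name not in names:
                problems.append(f"{name} listed in manifest but absent")
    return problems


def edit_pass_json(pkpass_bytes, new_pass_json):
    """Model the 'modify pass.json and re-zip' step with the manifest left alone."""
    with zipfile.ZipFile(io.BytesIO(pkpass_bytes)) as src:
        entries = {name: src.read(name) for name in src.namelist()}
    entries["pass.json"] = new_pass_json
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return out.getvalue()


# Constructed sample inputs: a clean pass and one whose balance was edited.
SAMPLE_PKPASS = build_pkpass({"pass.json": PASS_JSON, "icon.png": b"constructed, not a real PNG"})
TAMPERED_PKPASS = edit_pass_json(SAMPLE_PKPASS, PASS_JSON.replace(b"$10.00", b"$1,000.00"))
```

Even a pass that passes both the manifest and signature checks only proves who signed it, not that the balance is real: the backend should look the serialNumber up in its own records rather than read the value from pass.json, which is the "validate pass information on backend systems" point from the previous slide.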
Attack Examples: Passbook
• Creating your own
‒ Join the Apple Developer Program ($99)
‒ Create the pass.json to match your needs
• The teamIdentifier and passTypeIdentifier fields need to be modified to match your Apple cert
• Modify the pass details that you want to
‒ Use the signpass application (from Apple) to generate the new .pkpass file
‒ Can be done in Windows and Linux
• Apple Developer cert is still needed
Attack Examples: Passbook
• Deployment
‒ Can be done via email or web server
Attack Examples: Passbook
• Attack overview – Proxy method
‒ Set up your intercepting proxy
‒ Request a Passbook pass from the app
• Look for the “Add to Passbook” button
‒ Intercept the request for the pass
• Usually to a third party site
‒ Request and save the pass in your browser
‒ Modify your pass
‒ Re-sign and use your new and improved pass
Attack Examples: Passbook
• Delta Boarding Passes
‒ One of many Passbook apps, but it’s the one that I use the most
‒ Main Delta App does not do certificate pinning
Attack Examples: Passbook
• Delta Boarding Passes
‒ Request for Passbook pass
Attack Examples: Passbook
• Attack overview – Easier way
‒ Add your pass to Passbook
‒ Send yourself the pass from the Passbook app
‒ Modify your pass
‒ Re-sign and use your new and improved pass

Attack Examples: Passbook
• Delta Boarding Passes
‒ Extracted pkpass file

‒ Extracted Sky Priority pkpass file
Attack Examples: Passbook
• Delta Boarding Passes
‒ Modify the pass.json file
‒ And include the footer images in the directory
Attack Examples: Passbook
• Delta Boarding Passes
‒ Run the Signpass utility and email yourself the pass
Attack Examples: Passbook
• Original/Modified Delta Boarding Pass
Conclusions
• Fixes
‒ Certificate pinning
‒ Better input validation
‒ Limiting data leakage from apps
Hacking iOS Game Center and Passbook
• Questions?
• Karl Fosaaen
‒ Senior Security Consultant at NetSPI
‒ Twitter: @kfosaaen
