Date posted: 22-Nov-2014
Category: Technology
Uploaded by: avinash-sinha
Android Penetration Testing-Goat Droid-Null Bangalore
Avinash Sinha-Null Humla Session-Notes Page 1
Hi Everyone,
I attended the Android Penetration Testing session organized by Null Bangalore. It was an AWESOME session by Ashish and everyone enjoyed it. This is the first time the Humla session was organized at Flipkart, and it was a beautiful venue. As I was sure that I might forget it later, I documented the entire session so that it will help me to revise it later as well. I have tried to make it as comprehensive as possible, giving you precise step-by-step instructions. It also covers most of the errors and solutions we all faced during the session. This will help all of us to revise whatever we were taught in the Humla session. It covers everything except the challenges. I am sure once you go through this document it will help you, and others as well who were not able to attend.
Cheers!!!
Install the AppUse VM.
Open the Android SDK Manager:
root@dev-virtual-machine:~/Desktop/AppUse# android
Go to Tools > Manage AVDs and click New.
The emulator is rooted. Your own device would need to be rooted for this.
root@dev-virtual-machine:~/Desktop/AppUse/.Android/android-sdk-linux_86/tools# emulator -avd Null
Before that, let's view which tools are available within AppUse.
For those more comfortable with the file explorer: go to the AppUse folder on the desktop and press Ctrl+H to view hidden files.
To open and configure Burp, right-click the jar and choose to open it with Java.
Configure it as shown below.
Remember to tick the selected line for the proxy listener configuration to be active.
-scale sets the emulator window size.
-cpu-delay 0 sets the CPU delay to zero, i.e. there should be no delay.
root@dev-virtual-machine:~/Desktop/AppUse/.Android/android-sdk-linux_86/tools# emulator -avd Null -scale 0.7 -cpu-delay 0 -http-proxy http://127.0.0.1:8080
A few may face errors such as the emulator not opening or hanging; in that case you need to kill the process and repeat the above command. This usually happens if you have low RAM or the scale value is set to a large number.
Error 1: if the emulator hangs, follow the commands below
ps aux | grep emulator
kill -9 <pid> (if any AVD is still open)
Error 2: if there is a "no DNS found" error
Configure your VM network setting to Bridged mode.
To capture HTTPS traffic, do the following:
Open Mozilla Firefox, go to the Edit menu and choose Preferences.
Select PortSwigger CA and press Export. Save it on your Desktop.
Rename the certificate to PortSwiggerCA.crt
adb (Android Debug Bridge), ref: http://developer.android.com/tools/help/adb.html
To check the attached devices use the command below:
root@dev-virtual-machine:~/Desktop/AppUse/Pentest# adb devices
List of devices attached
emulator-5554 device
Let's push the certificate to the sdcard.
After pushing the certificate onto the sdcard,
go to the device: Menu > Settings > Security.
Choose the Install from SD card option.
Give any PIN here (I used 1111).
PortSwigger CA installed.
We are storing the certificate in an external location: the certificate is to be placed on the sdcard. Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or a connected Android-powered device. Install the certificate from the SD card.
Copy all APKs provided during the Null session and place them in the AppUse VM in any folder of your choice.
GoatDroid vulnerable apps:
1. FourGoats
2. Herd Financial
Install the FourGoats APK:
root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# adb install OWASP\ GoatDroid-\ FourGoats\ Android\ App.apk
FourGoats is installed and a new icon can be seen in your emulator.
Tip: after you type the path up to the APK file location, press TAB to complete the file name and then Enter.
Now do the same to install the other APK file. After installation we see a success message; we can also confirm it by looking at the device emulator.
root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/HerdFinancial/android_app# adb install OWASP\ GoatDroid-\ Herd\ Financial\ Android\ App.apk
Open the selected file below (right-click and run it with Java). You will be able to see the DB info (server side).
Then start the web service for Herd Financial.
Go to the emulator and open the Herd Financial app.
We now have the server set up.
Click on Menu, then click on Destination Info.
Give the default port 9888 and click Save.
After you have logged into the application, the testing is the same as normal web application security testing (the requests pass through the Burp proxy).
Press Check Balance.
Alter the account ID to /9876543210
To start the testing you need to know another user's account number:
Tools > Utilities > Database Browser
Test 2: fund transfer
Alter the account numbers.
GoatDroid testing: FourGoats
Do the same IP settings by pressing Menu > Destination Info.
Let's see the files created by the app. Go to the terminal and use the command below:
adb shell
Every APK creates some files inside the device's application data directory.
root@android:/ # cd /data/data
root@android:/data/data # ls
We can observe that after APK installation the directories below were created:
org.owasp.goatdroid.fourgoats org.owasp.goatdroid.herdfinancial
(The location /data/data is where the data of all installed applications is stored.)
root@android:/data/data # cd org.owasp.goatdroid.fourgoats
root@android:/data/data/org.owasp.goatdroid.fourgoats #
We can view the file permissions on each file as well.
Refer to the link below if you do not understand the file permissions format:
http://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions
Let's see what is stored in the files by FourGoats.
credentials.xml has read permission for all users. Open it with the terminal command:
cat credentials.xml
A hardcoded username and password can be seen.
root@android:/data/data/org.owasp.goatdroid.fourgoats/shared_prefs # exit
Now we decompile the APK file for code review.
A Java out-of-memory error may occur; if not, you will end up with the source code files.
Refer to the links below; they are helpful for tool downloads if any are required.
http://droiddudes.com/howto-extract-apk-into-readable-java-source-code-and-xml-files/
In this session the jar below was provided to me directly, as I ran out of memory, to save time :P
The highlighted line in the picture below contains '1' as the mode set.
Reference link for understanding the vulnerability:
http://developer.android.com/reference/android/content/Context.html#getSharedPreferences%28java.lang.String,%20int%29
Mode values: 0 = private mode, 1 = world readable, 2 = world writable, 4 = multiple process. The mode passed to getSharedPreferences() defines the permissions the file is created with, i.e. which other applications can access it.
Second flaw: hardcoded password.
root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# adb shell
root@android:/ # cd data/data
root@android:/data/data #
We will use sqlite to read the contents of the files stored by FourGoats and Herd Financial in the data/data folder.
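As an added example (my own script, not part of the session notes), the following Python decodes the mode value passed to getSharedPreferences() and scans an `ls -l` listing of a shared_prefs directory for files whose "other" permission bits make them readable or writable by every other app; the listing and file names are constructed for illustration.

```python
import re

# Mode bits accepted by Context.getSharedPreferences(), as listed in the notes.
MODE_PRIVATE, MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE, MODE_MULTI_PROCESS = 0, 1, 2, 4

def decode_mode(mode):
    """Return (flag names, insecure?) for a mode int; insecure means other apps can read or write."""
    names = []
    if mode & MODE_WORLD_READABLE:
        names.append("MODE_WORLD_READABLE")
    if mode & MODE_WORLD_WRITEABLE:
        names.append("MODE_WORLD_WRITEABLE")
    if mode & MODE_MULTI_PROCESS:
        names.append("MODE_MULTI_PROCESS")
    if not names:
        names.append("MODE_PRIVATE")
    return names, bool(mode & (MODE_WORLD_READABLE | MODE_WORLD_WRITEABLE))

# Constructed `ls -l` output in the format the old emulator's toolbox ls prints
# (mode, owner, group, size, date, time, name). The files are made up.
SAMPLE_LS = """\
-rw-rw-r-- u0_a52   u0_a52        312 2014-11-22 10:01 credentials.xml
-rw-rw---- u0_a52   u0_a52        188 2014-11-22 10:01 profile.xml
-rw-rw-rw- u0_a52   u0_a52         90 2014-11-22 10:02 session.xml
"""

MODE_STRING = re.compile(r"^[-dl][rwx-]{9}$")

def world_accessible(ls_output):
    """Return (file name, 'readable' | 'writable') for each file exposed to other uids."""
    hits = []
    for line in ls_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not MODE_STRING.match(parts[0]):
            continue                      # skip totals, blank lines, anything unexpected
        perms, name = parts[0], parts[-1]
        other = perms[7:10]               # last rwx triplet: every other uid, i.e. every other app
        if "w" in other:
            hits.append((name, "writable"))
        elif "r" in other:
            hits.append((name, "readable"))
    return hits

if __name__ == "__main__":
    print(decode_mode(1))                 # the value seen in the decompiled FourGoats code
    for name, how in world_accessible(SAMPLE_LS):
        print("%s is world %s" % (name, how))
```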
root@android:/data/data/org.owasp.goatdroid.fourgoats/databases # sqlite3 userinfo.db
Error? Why? Because you need to end your SQL statement with a semicolon.
sqlite> .tables
(.tables lists the tables inside the database)
android_metadata info
sqlite> select * from info;
1|881b71832d7fc841f498f54bf698e0344a557ec42e562981b88f81136175d688dc66b9d4d9fddcec652c852a977d789799d7f0745d9f95fe8a625d9942b29c09|goatdroid|true|true|false
Now let's go for the other app, which is supposed to be a financial application (Herd Financial).
Error: the file contents are encrypted.
Need not worry, we have a decrypting method.
Let's decompile the app first and see if we have any clues.
this.db = localUserInfoOpenHelper.getWritableDatabase("hammer");
"hammer" is the key.
From the picture above we can see the key is stored in the code, which is a bad practice.
Now we install an app which will help us decipher the encrypted DB, as we have the key from the code.
SQLCipher Decrypt installed. Move the DB to the sdcard, as the sdcard is world readable:
root@android:/ # cp data/data/org.owasp.goatdroid.herdfinancial//databases/userinfo.db /mnt/sdcard
(cp <from> <to>: copy the file from one location to another)
Open SQLCipher Decrypt, fill in the details as above and press OK.
In the device, press Parameter:
1 is the location of the moved file,
2 is the location and name to copy the decrypted DB to,
3 is the key.
Let's press Decrypt and open the result using sqlite:
root@android:/mnt/sdcard # sqlite3 decryptbank.db
Got the details.
Each application has a manifest file. Tool name: apktool.
apktool d <apk file>
root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# apktool d "OWASP GoatDroid- FourGoats Android App.apk"
Three things to check in the manifest file:
exported components, permissions and debugging.
Ref link: http://developer.android.com/guide/topics/security/permissions.html#manifest
The permissions tell us which capabilities the app is allowed to use.
Ref link: https://developer.android.com/guide/topics/manifest/manifest-intro.html#perms
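As an added example (my own script, not from the session), a small Python check for the three manifest points above, run over a constructed AndroidManifest.xml as apktool d would decode it; the package and component names are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decoded manifest; names are illustrative, not GoatDroid's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:label="Bank">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".TransferActivity" android:exported="true"
        android:permission="com.example.bank.TRANSFER"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

COMPONENTS = ("activity", "service", "receiver", "provider")

def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def audit_manifest(xml_text):
    """Report the debuggable flag, requested permissions, and exported components
    that any other app can reach because no android:permission guards them."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = {
        "debuggable": attr(app, "debuggable") == "true",
        "permissions": [attr(p, "name") for p in root.findall("uses-permission")],
        "exported_unprotected": [],
    }
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        exported = attr(comp, "exported")
        # Default for older targets: a component with an intent-filter is exported
        # unless android:exported="false" is written explicitly.
        if exported is None:
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported == "true" and attr(comp, "permission") is None:
            findings["exported_unprotected"].append(attr(comp, "name"))
    return findings

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```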
Other sample applications:
Genymotion, Android Tamer
Hope you all enjoyed reading this article.