
My Null Android Penetration Session

Android Penetration Testing-Goat Droid-Null Bangalore

Avinash Sinha-Null Humla Session-Notes Page 1

Hi Everyone,

I attended the Android Penetration Testing session organized by Null Bangalore. It was an AWESOME session by Ashish and everyone enjoyed it. This is the first time the Humla session was organized at Flipkart and it was a beautiful venue. As I was sure that I might forget it later, I documented the entire session so that it will help me to revise it later as well. I have tried to make it as comprehensive as possible, giving precise step-by-step instructions. It also covers most of the errors and solutions we all faced during the session. This will help all of us revise whatever we were taught in the Humla Session. It covers everything except the challenges. I am sure that once you go through this document it will help you and others as well who were not able to attend.

Cheers !!!


Install the AppUse VM

Open Android SDK Manager

root@dev-virtual-machine:~/Desktop/AppUse# android

Go to Tools > Manage AVDs and click New.


The emulator is rooted.

Your own device would need to be rooted for this.

root@dev-virtual-machine:~/Desktop/AppUse/.Android/android-sdk-linux_86/tools# emulator -avd Null

Before that, let's view which tools are available within AppUse.


For those comfortable with the file explorer: go to the AppUse folder on the desktop and press Ctrl+H to view hidden files.


To open and configure Burp, right click the jar and choose Open with Java.

Configure it as seen below.


Remember to tick the selected line for the configuration to be active.

-scale sets the window size (0.7 here).

-cpu-delay 0 sets the CPU delay to zero, i.e. there should not be any delay.

root@dev-virtual-machine:~/Desktop/AppUse/.Android/android-sdk-linux_86/tools# emulator -avd Null -scale 0.7 -cpu-delay 0 -http-proxy http://127.0.0.1:8080

A few of you may face errors such as the emulator not opening or hanging; in that case you need to kill the process and repeat the above command. This usually happens if you have low RAM or the scale value is set to a large number.

Error 1: If the emulator hangs, run the commands below

ps aux | grep emulator

kill -9 <pid> for any AVD that is still open

Error 2: If you get a "no DNS found" error

Configure your VM network setting to Bridged mode


To capture HTTPS traffic, do the following:

Open Firefox, Edit > Preferences


Select the PortSwigger CA and press Export. Save it on your Desktop.


Rename the certificate to

PortSwiggerCA.crt

ADB (Android Debug Bridge) - Ref: http://developer.android.com/tools/help/adb.html

To check the attached devices use the below command:

root@dev-virtual-machine:~/Desktop/AppUse/Pentest# adb devices

List of devices attached

emulator-5554 device

Let's push the certificate to the sdcard.


After pushing the certificate to the sdcard, go to Device > Menu > Settings > Security.


Install from SD Card option


Give any PIN here; I used 1111.

PortSwigger certificate installed.

We are storing the certificate in an external location: the certificate is placed on the sdcard and installed from there. Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or a connected Android-powered device.

Copy all the APKs provided during the null session and place them in the AppUse VM in any folder of your choice.


GoatDroid vulnerable apps:

1. FourGoats
2. Herd Financial


Install the APK of FourGoats

root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# adb install OWASP\ GoatDroid-\ FourGoats\ Android\ App.apk

FourGoats is installed and a new icon can be seen in your emulator.

After you reach the APK file location, press TAB to complete the file name and press Enter.


Now do the same process for installing the other APK file as well. After installation we see a success message. We can also confirm it by looking at the device emulator.

root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/HerdFinancial/android_app# adb install OWASP\ GoatDroid-\ Herd\ Financial\ Android\ App.apk


Open the selected file below (right click and run with Java). You will be able to see the DB info (server side).

Then start the web service for Herd Financial.


Go to the emulator and press the Herd Financial app.

We have the server set up.

Click on Menu, then click on Destination Info.


Give the default port 9888 and click Save.


After you have logged into the application, the testing is just the same as normal web application security testing.

Press Check Balance.

Alter the account id to /9876543210


To start the testing you are required to know another user's account number:

Tools > Utilities > Database Browser

Testing 2: fund transfer


Alter the account numbers.

GoatDroid testing - FourGoats


Do the same IP settings by pressing Menu > Destination Info.

Let's see the files created by the app. Go to the terminal and use the below command:

adb shell

Every APK will create some files inside the device.


root@android:/ # cd /data/data

root@android:/data/data # ls

We can observe that after APK installation the below directories were created:

org.owasp.goatdroid.fourgoats org.owasp.goatdroid.herdfinancial

(The location /data/data is used for all applications; each app's data is stored inside this folder.)

root@android:/data/data # cd org.owasp.goatdroid.fourgoats

root@android:/data/data/org.owasp.goatdroid.fourgoats #

We can view the file permissions on each file as well (ls -l).

Refer to the below link if you do not understand the file permissions format.

(http://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions)


Let's see what is stored in the files by FourGoats.

The file has read permission for all users. Open the credentials.xml file with the terminal command:

cat credentials.xml

Hardcoded username and password can be seen.


root@android:/data/data/org.owasp.goatdroid.fourgoats/shared_prefs # exit


Now we decompile the APK file for code review.

A Java out-of-memory error may occur. If not, you will end up with the code files.

Refer to the below links, helpful for tool downloads if any are required.


http://droiddudes.com/howto-extract-apk-into-readable-java-source-code-and-xml-files/

In this session the below jar was directly provided to me as I ran out of memory, to save time :P


The highlighted line in the below pic contains '1' as the mode set (the second argument of getSharedPreferences).

Ref link for understanding the vulnerability:

http://developer.android.com/reference/android/content/Context.html#getSharedPreferences%28java.lang.String,%20int%29


The mode values are:

0 - MODE_PRIVATE (private mode)
1 - MODE_WORLD_READABLE (world readable)
2 - MODE_WORLD_WRITEABLE (world writable)
4 - MODE_MULTI_PROCESS (multiple process)

These define which applications are permitted to use the file.
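As an added example (not from the session notes), the following Python script applies the "read permission to all users" check from above to the output of adb shell ls -l over a shared_prefs directory, and maps the "others" permission bits back to the mode constants just listed. The ls output, the owner name, the sizes and the file names other than credentials.xml are constructed for the example.

```python
import re

# Constructed sample of what `adb shell ls -l /data/data/<pkg>/shared_prefs`
# printed on the emulator; owners, sizes, dates and two file names are made up.
SAMPLE_LS = """\
-rw-rw-rw- app_58   app_58        278 2014-03-01 10:15 credentials.xml
-rw-rw---- app_58   app_58        141 2014-03-01 10:15 destination_info.xml
-rw-rw-r-- app_58   app_58         96 2014-03-01 10:16 profile.xml
"""

# Android Context mode constants (the values listed in the notes)
MODE_PRIVATE = 0
MODE_WORLD_READABLE = 1
MODE_WORLD_WRITEABLE = 2

LS_LINE = re.compile(r"^([-dlrwxsStT]{10})\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+ \S+)\s+(.+)$")

def parse_ls_line(line):
    """Return (perm_string, owner, name), or None for a non-matching line."""
    m = LS_LINE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(6)

def other_bits(perm):
    """Map the 'others' triplet of an ls permission string to the mode flags the
    app must have passed to getSharedPreferences for the file to end up this way."""
    others = perm[7:10]
    mode = MODE_PRIVATE
    if others[0] == "r":
        mode |= MODE_WORLD_READABLE
    if others[1] == "w":
        mode |= MODE_WORLD_WRITEABLE
    return mode

def audit_shared_prefs(ls_output):
    """Return {filename: mode} for every file other apps can read or write."""
    findings = {}
    for line in ls_output.splitlines():
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        perm, _owner, name = parsed
        if perm[0] == "d":
            continue
        mode = other_bits(perm)
        if mode != MODE_PRIVATE:
            findings[name] = mode
    return findings
```

Running audit_shared_prefs(SAMPLE_LS) flags credentials.xml with mode 3 (world readable and writable) and profile.xml with mode 1; a file created with MODE_PRIVATE is never reported.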

Second flaw: hardcoded password

root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# adb shell

root@android:/ # cd data/data

root@android:/data/data #

We will use sqlite3 to read the contents of the database files stored by FourGoats and Herd Financial in the /data/data folder.


root@android:/data/data/org.owasp.goatdroid.fourgoats/databases # sqlite3 userinfo.db

Error: this happens because you need to end your SQL statement with a semicolon.

sqlite> .tables


(.tables lists the tables inside the database)

android_metadata info

sqlite> select * from info;

1|881b71832d7fc841f498f54bf698e0344a557ec42e562981b88f81136175d688dc66b9d4d9fddcec652c852a977d789799d7f0745d9f95fe8a625d9942b29c09|goatdroid|true|true|false

Now let's go for another app which is supposed to be a financial application (Herd Financial).

Error: the file contents are encrypted.

No need to worry; we have a decryption method.

Let's decompile the app first and see if we have any clues.


this.db = localUserInfoOpenHelper.getWritableDatabase("hammer");

"hammer" is the key.

From the above pic we can see that the key is stored in the code, which is a bad practice.

Now we install an app which will help us decipher the encrypted DB, as we have the key from the code.


SQLCipher Decrypt installed. Move the DB to the sdcard, as the sdcard is world readable.

root@android:/ # cp data/data/org.owasp.goatdroid.herdfinancial/databases/userinfo.db /mnt/sdcard

(cp <from location> <to location>)


Open SQLCipher Decrypt, fill in the details as above and press OK.

In the device press Parameters:

1 is the location of the moved file

2 is the location and name to copy the decrypted file to

3 is the key.

Let's press Decrypt and open the result using sqlite3.


root@android:/mnt/sdcard # sqlite3 decryptbank.db

We got the details.


Each application has a manifest file. The tool used to extract it is apktool:

apktool d <apk file>

root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# apktool d "OWASP GoatDroid- FourGoats Android App.apk"

Three things to check in the manifest file:

Exported components, permissions and debugging (android:debuggable)

Ref link: http://developer.android.com/guide/topics/security/permissions.html#manifest

The permissions tell us which capabilities the app is allowed to use.

Ref link: https://developer.android.com/guide/topics/manifest/manifest-intro.html#perms
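An added example, not from the notes or the GoatDroid project: a Python script that runs the three manifest checks above (exported components, permissions, debuggable) over an AndroidManifest.xml in the form apktool d writes out. The package, component and permission names are constructed; the exported rule implemented is the platform behaviour of that era (before API 31), where a component without an explicit android:exported is exported exactly when it declares an intent-filter.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Constructed sample in the shape apktool d writes to AndroidManifest.xml.
# Package, component and permission names are illustrative, not from FourGoats.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notesdemo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

def attr(elem, name):
    # Read an attribute from the android: namespace
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(component):
    """Pre-API-31 rule: an explicit android:exported wins; otherwise the
    component is reachable by other apps exactly when it has an intent-filter."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return the three things the notes say to check in a manifest."""
    root = ET.fromstring(xml_text.strip())
    app = root.find("application")
    report = {
        "debuggable": attr(app, "debuggable") == "true",
        "permissions": [attr(p, "name") for p in root.findall("uses-permission")],
        "exported": [],
    }
    for tag in ("activity", "service", "receiver"):
        for comp in app.iter(tag):
            if is_exported(comp):
                report["exported"].append((tag, attr(comp, "name")))
    return report
```

On the sample manifest, audit_manifest reports debuggable=True, the two uses-permission entries, and two exported activities (MainActivity implicitly via its intent-filter, AdminActivity explicitly), while SyncService stays out of the list.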

Other sample applications:

Genymotion, Android Tamer

Hope you all enjoyed reading this article.