checkerios6.1.3越狱

ios6.1.3越狱  时间:2021-05-24  阅读:()
Copyright2015KRvWAssociates,LLCKenvanWyk,ken@krvw.
com,@KRvWPenTestingiOSAppsFIRST2015KenvanWyk,@KRvWBerlin,Germany14-19June2015Copyright2015KRvWAssociates,LLCTopicswe'llcoverWe'llfocusonhowtobreaktypicaliOSapps–iOStopics–ApplicationtopicsSimpleanalysis–Surfaceofapp–Staticanalysis–DynamicanalysisDeeperanalysis–Exploreappbinary–Run-timeexplorationandexploitation3Copyright2015KRvWAssociates,LLCToolsMosttoolswe'lluseareeitheropensourceorinexpensive–iExplorerforexploringfilesystemonaniOSdevice–iOSdeviceandaUSBcablePreferablyjailbrokenCydiaCycript4Copyright2015KRvWAssociates,LLCClearupsomemisconceptionsApple'siOShasbeenahugesuccessforApple–TogetherwithAndroid,theyhavere-definedmobiletelephonyApplehasmadegreatadvancesinsecurity–Theyarestillfarfromreallygood–Notevensureifthey'reprettygoodSoftwaredevelopersstillmakesillymistakes5Copyright2015KRvWAssociates,LLCSystemHardeningFeaturesAttacksurfacereductionStrippeddownOS–No/bin/shPrivilegeseparationCodesigningDataexecutionprevention(DEP)–Vitalforreturnorientedprogramming–NoarchitecturalseparationofdataandcodesegmentsAddressspacelayoutrandomization(ASLR)6Copyright2015KRvWAssociates,LLCApplicationsandboxingBypolicy,appsareonlypermittedtoaccessresourcesintheirsandbox–Inter-appcommsarebyestablishedAPIsonlyURLs,keychains(limited)–Filei/oin~/DocumentsonlyTheserulesdon'talwaysapplytoApple'sownapps7Copyright2015KRvWAssociates,LLCHardwareencryptionEachiOSdevice(asof3GS)hashardwarecryptomodule–UniqueAES-256keyforeveryiOSdevice–SensitivedatahardwareencryptedSoundsbrilliant,right–Well.
.
.
8Copyright2015KRvWAssociates,LLCiOScryptokeysGIDkey-GroupIDkeyUIDkey-UniqueperdevDkey-DefaultfilekeyEMF!
-EncryptsentirefilesystemandHFSjournalClasskeys-Oneperprotectionclass–SomederivedfromUID+Passcode9Copyright2015KRvWAssociates,LLCiOSNAND(SSD)mappingBlock0-LowlevelbootloaderBlock1-Effaceablestorage–Lockerforcryptokeys,includingDkeyandEMF!
Blocks2-7-NVRAMparametersBlocks8-15-FirmwareBlocks8-(N-15)-FilesystemBlocks(N-15)-N-Last15blocksreservedbyApple10Copyright2015KRvWAssociates,LLCBuilt-infileprotectionclassesiOS(since4)supportsfileprotectionclasses–NSFileProtectionComplete–NSFileProtectionCompleteUnlessOpen–NSFileProtectionCompleteUntilFirstUserAuthentication–NSFileProtectionNoneAllbutNonearederived11Copyright2015KRvWAssociates,LLCBuilt-infileprotectionlimitationsPros–Easytouse,withkeymanagementdonebyiOS–Powerfulfunctionality–Alwaysavailable–ZeroperformancehitCons–ForComplete,cryptokeyingincludesUDID+Passcode4digitPINproblem12Copyright2015KRvWAssociates,LLCKeychainsKeychainAPIprovidedforstorageofsmallamountsofsensitivedata–Logincredentials,passwords,etc.
–CreditcarddataoftenfoundhereStoredinaSQLitedatabase–EncryptedusinghardwareAESwithderivedkey13Copyright2015KRvWAssociates,LLCJailbreaksApple'sprotectionarchitectureisbasedonamassivedigitalsignaturehierarchy–Startingfrombootloader–ThroughapploaderJailbreaksoftwarebreaksthathierarchy–Currentbreaksupto8.
1.
2DFUmodeallowsUSBvectorforbootloader–OlderiPhonesmostly,but…14Copyright2015KRvWAssociates,LLCKeyboarddataAll"keystrokes"arestored–Usedforauto-correctfeature–NicespellcheckerKeydatacanbeharvestedusingforensicsprocedures–Passwords,creditcards.
.
.
–Needleinhaystack15Copyright2015KRvWAssociates,LLCScreensnapshotsDevicesroutinelygrabscreensnapshotsandstoreinJPG–Usedforminimizingappanimation–ItlooksprettyWHAT!
–It'saproblem–Requireslocalaccesstodevice,butstill.
.
.
16Copyright2015KRvWAssociates,LLCLet'sconsiderthebasicsWe'llcoverthese(fromthemobiletop10)–ProtectingsecretsAtrestIntransit–Input/outputvalidation–Authentication–Sessionmanagement–Accesscontrol–Privacyconcerns17Copyright2015KRvWAssociates,LLCExamplesAirlineapp–StoresfrequentflyerdatainplaintextXMLfileHealthcareapp–StorespatientdatainplistfileButit'sbase64encodedforyourprotection…Bankingapp–FrameworkcacherevealedsensitiveaccountdataConsumerticketapp–AcceptedSSLfromselfsignedkey–Exposedcreditcarddata18Copyright2015KRvWAssociates,LLCSQLliteexampleLet'slookatadatabaseappthatstoressensitivedataintoaSQLitedb–We'llrecoverittriviallybylookingattheunencrypteddatabasefile19Copyright2015KRvWAssociates,LLCProtectingsecretsatrestEncryptionistheanswer,butit'snotquitesosimple–Wheredidyouputthatkey–Surelyyoudidn'thardcodeitintoyourapp–Surelyyou'renotcountingontheusertogenerateandrememberastrongkeyKeymanagementisanon-triviallysolvedproblem20Copyright2015KRvWAssociates,LLCStaticanalysisofanappExplorefolders–.
/Documents–.
/Library/Caches/*–.
/Library/Cookies–.
/Library/PreferencesAppbundle–Hexdumpofbinary–plistfilesWhatelse21Copyright2015KRvWAssociates,LLCToolstouseMactools–Finder–iExplorer–hexdump–strings–otool–otx(otx.
osxninja.
com)–class-dump(iphone.
freecoder.
org/classdump_en.
html)–Emacs(editor)Xcodeadditionaltools–Clang(buildandanalyze)Findsmemoryleaksandothers22Copyright2015KRvWAssociates,LLCExercise-coffeeshopattackThisoneistrivial,butlet'stakealookInthisiGoatexercise,theuser'scredentialsaresentplaintext–SimplewebserverrunningonMacresponds–IfthiswereonapublicWiFi,anetworksnifferwouldbepainlesstolaunch23Copyright2015KRvWAssociates,LLCMostcommonSSLmistakeWe'veallheardofCAsbeingattacked–That'sallimportant,but.
.
.
–(Certificatepinningcanhelp.
)FailingtoproperlyverifyCAsignaturechain–BiggestSSLproblembyfar–Studyshowed1/3ofAndroidappsfelltothis24Copyright2015KRvWAssociates,LLCTestingforSSLproblemsGoalistoensureclientperformsstrongcertificateverificationMITMonthenetsetup–Appproxyonlaptop(e.
g.
,Burpsuite)–GenerateSSLcertsignedbyyourownCA–PutyourCAcertontestiOSdeviceRemembertoremovefakeCAbeforeleavinglabenvironment!
25Copyright2015KRvWAssociates,LLCButthat'snotenough26Copyright2015KRvWAssociates,LLCObjCRun-timeisflawedUnlikeinC,"functions"arenotcalled–Messagesarepassed–ObjectsdynamicallyallocatedWithinprocessspace,dynamictamperingalsopossible–Messagetraffic–Objects27Copyright2015KRvWAssociates,LLCReverseengineeringAttackerwantstolearnhowyourappworks–DeepinternaldetailsAttackerwantstoattempttotrickyourappintomisbehaving–TamperwithruntimeHowJailbrokendeviceandsomefreetools–Andalotoftime28Copyright2015KRvWAssociates,LLCPrerequisitetoolsandenvMacwithOSXandXcodeJailbrokendevice–evasi0nworksgreatCydiaandfriends–Cydiainstalledwithevasi0n–ShellaccessOpenSSH-installwithCydia–Debuggergdb-installwithCydiaBareminimumessentials29Copyright2015KRvWAssociates,LLCAnalysistechniquesStaticanalysis–Observeattributesoftheexecutable,appfiles–Yes,encrypted(appstore)appstooDynamicanalysis–RuntheappandlearnhowitworksTampering–Tricktherun-timeenv30Copyright2015KRvWAssociates,LLCStaticanalysisAnybinarycanbeexamined–Usuallyrevealamaptoclasses,objects,text,symbols,etc.
Commontools–otool–class-dump-z–nmExamples–Linkedlibs,methodsotool-Lappnameotool-lappname–Listofclassesclass-dump-zappname–Symboltablenmappname31Copyright2015KRvWAssociates,LLCIt'sCunderneaththehoodBeneaththatniceOOPObjClayerliesaCfoundation–PrettymucheverythinginObjCcanbedoneinCPrimitivesfordoingalltheOOstuffobjc_msgSend(),objc_getClass()areprimeexamplesThismatterstouswhenanalyzingstaticallyordynamically32Copyright2015KRvWAssociates,LLCEncryptedbinariestooBasicprocess–Useapploadertodecrypt–Calculatememoryoffsets–StoreprocesstodiskddisyourfriendWillalsoneedplutilandgdbHOWTOavailable–http://www.
mandalorian.
com/2013/05/decrypting-ios-binaries/33Copyright2015KRvWAssociates,LLCLet'stakealook34Copyright2015KRvWAssociates,LLCDynamicanalysisWhatcanwelearnfromobservingitrunning–Alot–Allthosemessages–Memorycontents–CPUregistersYoudon'thaveanythingtohide,right35Copyright2015KRvWAssociates,LLCAttackingarunningappManintheapp(MITA)–Themostdangerousformofon-hostdynamicattack–InternalaccesstoeverythingThatObjCrun-timemessagingarchitectureisgoingtohauntus36Copyright2015KRvWAssociates,LLCAfewmoretoolsForthese,you'llwant–gdb–Cycript(seeslide)–Networkproxy(e.
g.
,Burpsuite)–SSLstrip(optional)37Copyright2015KRvWAssociates,LLCMessageeavesdroppingUsegdbtobuildasimplebuteffectivemessageeavesdropper–Examplegdb-q-pPIDbreakobj_msgSendcommandsx/a$r0x/s$r1c38Copyright2015KRvWAssociates,LLCCycript"CycriptallowsdeveloperstoexploreandmodifyrunningapplicationsoneitheriOSorMacOSXusingahybridofObjective-C++andJavaScriptsyntaxthroughaninteractiveconsolethatfeaturessyntaxhighlightingandtabcompletion"—Fromhttp://www.
cycript.
orgItisanamazingutilityfordynamicallyprobingarunningapp39Copyright2015KRvWAssociates,LLCFunwithCycriptBasics#cycriptcy#varmyString=[[NSStringalloc]cy>initWithString:@"Helloworld"];"Helloworld"cy#[myStringlength];11CombinationofJavaScriptandObjCsyntaxgivesamazingcapabilities40Copyright2015KRvWAssociates,LLCCycript(2)Safariexample#cycript-pPIDcy#varapp=[UIApplicationsharedApplication];""cy#[appopenURL:[NSURLURLWithString:cy>@"http://www.
first.
org"]];1cy#app.
networkActivityIndicatorVisible=YES41Copyright2015KRvWAssociates,LLCCycriptingforfunandprofitBreakclient-sidelogic–AlterPINs,booleans,semaphores–ReplacemethodsProberunningappdata–Canbeverbose,butyougeteverythinginanobjectcy#functionappls(a){varx={};for(iin*a){try{x[i]=(*a)[i];}catch(e){}}returnx;}cy#appls(object);42Copyright2015KRvWAssociates,LLCClient-sidelogicYoudidn'tthinkyoucouldtrustclient-sidelogic,didyou43Copyright2015KRvWAssociates,LLCTamperingNowlet'sgobeyondmereobservationReplaceexistingmethods–Changeaddressingdb–DynamiclinkerattackPutyourlibraryinDYLD_INSERT_LIBRARIESAutomatedynamiclinking–MobileSubstrate44Copyright2015KRvWAssociates,LLCNothingiswhatitappearsNowwecanchangetheentireuniverseyourapprunsin(Ifthisdoesn'tseembad,gowatchTheMatrix)45Copyright2015KRvWAssociates,LLCCopyright2013KRvWAssociates,LLCResourcesHackingandSecuringiOSApplications,JonathanZdziarski,O'Reilly,2012Evasi0n,popularjailbreakingtool,http://www.
evad3rs.
com/46Copyright2015KRvWAssociates,LLCHardeningUseractionsandclientconfigurationsArchitecturalconsiderationsHardeningtipsButremember,nothingisperfect.
47Copyright2015KRvWAssociates,LLCUseractionsandconfigurationsStrongpasscodeshelpMDMscanmanageconfigurationsofentirefleets48Copyright2015KRvWAssociates,LLCArchitecturalconsiderationsDesignchoicesmakeahugedifference–ClientcannotbetrustedSensitivedataSensitivefunctionsSecuritycontrols–ClientshouldprovidepresentationlayerMinimalfunctionalityProcessingshouldbeserver49Copyright2015KRvWAssociates,LLCHardeningtipsNon-obviousnames–ObfuscatefunctionalpurposeDisabledebugging#defineDENY_DEBUG31ptrace(DENY_DEBUG,0,0,0);Complicatedisassembly–Compileroptimizer–Stripsymbols50Copyright2015KRvWAssociates,LLCHardeningtips(2)Sensitivecode–Onserver,but…–WriteinCorASM–Compile+linkin-line–ExpandloopsmanuallyForceyourattackertosinglestepthroughDon'tgiveawayanything51Copyright2015KRvWAssociates,LLCHardening(3)Datastorage–EncryptDataProtectionAPIforconsumergradeKeysonserver–CommonCryptoLibSecurefilewipingSQLitedatawiping–Updatebeforedelete52Copyright2015KRvWAssociates,LLCTamperdetectionHowdoweknow–Run-timeintegritychecksMemoryoffsetsofsensitiveobjects–SandboxintegrityAttempttoforkSizeandchecksumof/etc/fstabSymboliclinksin/ApplicationsCommonjailbreakfilesandapps–/Applications/Cydia.
app–HoneypotsinappThereain'tahorsethatcan'tberodeoramanthatcan'tbethrowed.
53Copyright2015KRvWAssociates,LLCTamperresponseWhattodo–Remotewipe–Phonehome–Logeverything–Wipeuserdata,keys–Disablenetworkaccess–Etcetera54Copyright2015KRvWAssociates,LLCCopyright2014KRvWAssociates,LLCCopyright2015KRvWAssociates,LLCKennethR.
vanWykKRvWAssociates,LLCKen@KRvW.
comhttp://www.
KRvW.
com@KRvW55

TTcloud(月$70)E3-1270V3 8GB内存 10Mbps带宽 ,日本独立服务器

关于TTCLOUD服务商在今年初的时候有介绍过一次,而且对于他们家的美国圣何塞服务器有过简单的测评,这个服务商主要是提供独立服务器业务的。目前托管硬件已经达到5000台服务器或节点,主要经营圣何塞,洛杉矶以及日本东京三个地区的数据中心业务。这次看到商家有推出了新上架的日本独立服务器促销活动,价格 $70/月起,季付送10Mbps带宽。也可以跟进客户的需求进行各种DIY定制。内存CPU硬盘流量带宽价...

DiyVM:香港VPS五折月付50元起,2核/2G内存/50G硬盘/2M带宽/CN2线路

diyvm怎么样?diyvm这是一家低调国人VPS主机商,成立于2009年,提供的产品包括VPS主机和独立服务器租用等,数据中心包括香港沙田、美国洛杉矶、日本大阪等,VPS主机基于XEN架构,均为国内直连线路,主机支持异地备份与自定义镜像,可提供内网IP。最近,DiyVM商家对香港机房VPS提供5折优惠码,最低2GB内存起优惠后仅需50元/月。点击进入:diyvm官方网站地址DiyVM香港机房CN...

LOCVPS(29.6元/月)KVM架构 香港/美国机房全场8折

LOCVPS商家我们还是比较熟悉的老牌的国内服务商,包括他们还有其他的产品品牌。这不看到商家的信息,有新增KVM架构轻量/迷你套餐,提供的机房包括香港云地和美国洛杉矶,适用全场8折优惠,月付29.6元起。LOCVPS是一家成立于2011年的稳定老牌国人商家,主要从事XEN、KVM架构的国外VPS销售,主推洛杉矶MC、洛杉矶C3、香港邦联、香港沙田电信、香港大埔、日本东京、日本大阪、新加坡等数据中心...

ios6.1.3越狱为你推荐
eacceleratorCentOS5.2下安装eAccelerator,怎么都装不上ipad连不上wifiiPad 连不上Wifi,显示无互联网连接iphone连不上wifi苹果8p连接不了WiFix-routerx-arcsinx的等价无穷小是什么?win7如何关闭445端口如何彻底永久取消win7粘滞键功能迅雷快鸟迅雷快鸟是做什么用的,,,css3按钮HTML中,怎么表示一个图片按钮googleadsensegoogle adsense 和google adwords有什么区别?适合什么样的人群?google搜图google搜索的网址是什么?ipad无法加入网络为什么我的ipad加入网络没法用
已备案域名注册 域名主机空间 个人注册域名 河北服务器租用 网页空间租用 二级域名申请 新网域名解析 备案域名出售 lamp godaddy主机 秒解服务器 BWH shopex空间 parseerror 魔兽世界台湾服务器 panel1 浙江独立 域名转向 北京双线 新家坡 更多