<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Posts - Anand Tiwari</title>
  <subtitle>Sharing what I&#39;ve learned.</subtitle>
  <link href="https://anandtiwari.com/feed.xml" rel="self"/>
  <link href="https://anandtiwari.com/"/>
  <updated>2017-04-25T00:00:00Z</updated>
  <id>anandtiwari.com/posts</id>
  <author>
    <name>Anand Tiwari</name>
    <email>anandtiwarics@gmail.com</email>
  </author>
  
  <entry>
    <title>Hack Android Application Through Exposed Components</title>
    
      <link href="https://anandtiwari.com/posts/2017/04/Hack-Android-Application-Through-Exposed-Components/"/>
    
    <updated>2017-04-25T00:00:00Z</updated>
    <id>https://anandtiwari.com/posts/2017/04/Hack-Android-Application-Through-Exposed-Components/</id>
    <content type="html">&lt;p&gt;In this blog, we&#39;ll walk through how exposed components can be used to attack an Android application.&lt;/p&gt;
&lt;p&gt;The first question that comes to mind is: what is a component? A component is an entry point through which the system or a user can interact with an app, and some components depend on others.&lt;/p&gt;
&lt;p&gt;There are four different types of app components:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Activity&lt;/strong&gt; : An activity is the first thing that allows users to interact with an app. It represents a single screen with a user interface. For example, in a password-storing app the first activity is the login page and the second activity shows the list of passwords already saved in the application. A different app can start any one of these activities if the app allows it. For example, a camera app can start the activity in the email app that composes new mail, to let the user share a picture.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Service&lt;/strong&gt; : A service is a general-purpose entry point for keeping an app running in the background for all kinds of reasons. It is a component that runs in the background to perform long-running operations or to do work for remote processes. A music player is an example.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Broadcast receivers&lt;/strong&gt; : Broadcast receivers simply respond to broadcast messages from other applications or from the system. For example, an application can initiate a broadcast to let other applications know that some data has been downloaded to the device and is available for them to use; the broadcast receiver is the component that receives this message and initiates the appropriate action. Many broadcasts originate from the system, for example a broadcast announcing that the screen has turned off, the battery is low, or a picture was captured.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Content Providers&lt;/strong&gt;: Simply put, content providers are used to share data between applications. Through a content provider, other apps can query or modify the data if the content provider allows it. For example, the Android system provides a content provider that manages the user&#39;s contact information. Any app with the proper permissions can query that content provider, such as ContactsContract.Data, to read and write information about a particular person.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Intents&lt;/strong&gt;: Intent is used to invoke components. It is mainly used to:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Start the service&lt;/li&gt;
&lt;li&gt;Launch an activity&lt;/li&gt;
&lt;li&gt;Display a web page&lt;/li&gt;
&lt;li&gt;Display a list of contacts&lt;/li&gt;
&lt;li&gt;Broadcast a message&lt;/li&gt;
&lt;li&gt;Dial a phone number, etc.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Test Application:&lt;/h2&gt;
&lt;p&gt;I&#39;m using the Sieve vulnerable app for the demonstration of the vulnerabilities. Sieve is a ‘Password Manager’ app showcasing some common Android vulnerabilities, created by MWR Labs.&lt;/p&gt;
&lt;h2&gt;Viewing Manifests&lt;/h2&gt;
&lt;p&gt;We&#39;ll get the manifest file using apktool:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/1.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/2.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now you can analyze the manifest file, list all activities to check what data is exposed through them, and explore the application&#39;s functionality. Sometimes an activity can be called without providing credentials, which exposes the user&#39;s sensitive data.&lt;/p&gt;
&lt;h2&gt;Activity Manager (am)&lt;/h2&gt;
&lt;p&gt;Within an adb shell, you can issue commands with the activity manager (am) tool to perform various system actions, such as start an activity, force-stop a process, broadcast an intent, modify the device screen properties, and more.&lt;/p&gt;
&lt;pre class=&quot;language-bash&quot;&gt;&lt;code class=&quot;language-bash&quot;&gt;$ adb shell am start -n &amp;lt;package_name&amp;gt;/&amp;lt;activity_name&amp;gt;&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;Let&#39;s call the .PWList activity and check the list of passwords saved in the application.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/3.png&quot; width=&quot;600&quot; height=&quot;50&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/4.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;We can use Drozer, a semi-automated framework developed by MWR InfoSecurity, which helps us enumerate the exposed components of an application and perform attacks on the application.&lt;/p&gt;
&lt;p&gt;Drozer uses an agent (APK) which is installed on the device and provides a shell for executing commands. First, download the drozer agent from the MWR Labs website and install it on the device/emulator under test. After installing the agent, launch the app and turn on the agent.&lt;/p&gt;
&lt;p&gt;After that, set up a port-forward so that your PC can connect to a TCP socket opened by the Agent inside the emulator, or on the device:&lt;/p&gt;
&lt;pre class=&quot;language-bash&quot;&gt;&lt;code class=&quot;language-bash&quot;&gt;$ adb forward tcp:31415 tcp:31415&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;And then launch the drozer console.&lt;/p&gt;
&lt;pre class=&quot;language-bash&quot;&gt;&lt;code class=&quot;language-bash&quot;&gt;$ drozer console connect&lt;/code&gt;&lt;/pre&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/5.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Let&#39;s search for the target application&#39;s package name using a drozer command.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/6.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Check the application&#39;s attack surface.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/7.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;As we can see, 3 activities, 2 content providers and 2 services are exported. Next, we can analyze each exported attack surface.&lt;/p&gt;
&lt;p&gt;Let&#39;s start with the activities:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/8.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Three activities are listed. Let&#39;s check for hidden activities.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/9.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;In the picture we can see some hidden activities listed which may expose sensitive user information.&lt;/p&gt;
&lt;p&gt;Executing the following command launches an activity.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/10.png&quot; /&gt;
&lt;/p&gt;
&lt;h2&gt;Exploiting Insecure Content Providers&lt;/h2&gt;
&lt;p&gt;A common root cause of content provider problems is the fact that they are not explicitly
marked as exported=&amp;quot;false&amp;quot; in their manifest declarations because the assumption is
that they follow the same default export behavior as other components.&lt;/p&gt;
&lt;p&gt;Let&#39;s explore the content providers in the Sieve application and try to understand the vulnerabilities.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/11.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;This reveals that two content providers don’t require any permissions for users who want
to read from or write to them. However, the DBContentProvider requires that users have
permissions to read from or write to the /Keys path.&lt;/p&gt;
&lt;p&gt;Let&#39;s check the content URIs.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/12.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Listing the URIs using Drozer:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/13.png&quot; width=&quot;610&quot; height=&quot;450&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;The newly discovered path is /Passwords. This does not have any permissions protecting it, and querying this URI leads to the disclosure of all the accounts stored in this password manager. Here is the command for querying this content URI:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/14.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;The content provider leaked all the stored passwords, but the developer of the application was clever and encrypted or obfuscated the password field.&lt;/p&gt;
&lt;p&gt;Let&#39;s scan for SQL injection and try to figure out whether we can extract information from the content providers.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/15.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;It looks like there is an injection in the projection. We can confirm the SQL injection by supplying a single quote in the projection, which breaks the structure of the query that SQLite receives and causes an error.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/16.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;You can now use this injection point to find all the tables available in the same SQLite database by using a projection of &lt;code&gt;* from sqlite_master where type=&#39;table&#39;--&lt;/code&gt;.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/17.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Let&#39;s extract the data from the Key table.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/android-app/18.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Great... here we got the login password and PIN of the application. This is a complete compromise of the master password and PIN the password manager uses to protect the data.&lt;/p&gt;
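&lt;p&gt;The projection injection above, re-created in Python with the sqlite3 module as an added example (this is not Sieve&#39;s code or drozer&#39;s): &lt;code&gt;query_vulnerable()&lt;/code&gt; pastes the caller&#39;s projection into the SELECT the way an unchecked content provider does, and &lt;code&gt;query_hardened()&lt;/code&gt; rejects any projected name that is not a known column, which is what &lt;code&gt;SQLiteQueryBuilder.setProjectionMap()&lt;/code&gt; together with &lt;code&gt;setStrict(true)&lt;/code&gt; gives you on Android. The Passwords and Key tables and their rows are constructed for the example.&lt;/p&gt;

```python
import sqlite3


# Constructed fixture: a tiny SQLite database standing in for the provider's
# backing store. Table and column names are made up for this example.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT,
                                username TEXT, password BLOB);
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Passwords VALUES (1, 'mail', 'alice', X'DEADBEEF');
        INSERT INTO Key VALUES ('master-secret', '1234');
    """)
    return db


def query_vulnerable(db, projection):
    """Mirrors a provider that builds 'SELECT projection FROM table' from the
    caller's strings unchecked: anything after the first column name is SQL."""
    sql = "SELECT " + ", ".join(projection) + " FROM Passwords"
    return db.execute(sql).fetchall()


ALLOWED_COLUMNS = ("_id", "service", "username", "password")


class ProjectionError(ValueError):
    """Raised when a caller asks for something that is not a known column."""


def query_hardened(db, projection):
    """Same query, but each projected name must match a column exactly, so the
    projection can only select columns, never append clauses or comments."""
    bad = [col for col in projection if col not in ALLOWED_COLUMNS]
    if bad:
        raise ProjectionError("unknown column(s): %r" % bad)
    sql = "SELECT " + ", ".join(projection) + " FROM Passwords"
    return db.execute(sql).fetchall()


def demo():
    """Run the post's projection payloads against both versions."""
    db = build_db()
    listing = "* from sqlite_master where type='table'--"   # payload from the post
    results = {
        # sqlite_master row layout: type, name, tbl_name, rootpage, sql
        "tables_leaked": sorted(row[1] for row in query_vulnerable(db, [listing])),
        "key_leaked": query_vulnerable(db, ["* from Key--"]),
    }
    try:
        query_hardened(db, [listing])
        results["hardened_blocked"] = False
    except ProjectionError:
        results["hardened_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```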
&lt;h2&gt;Conclusion:&lt;/h2&gt;
&lt;p&gt;In this article we walked through the Android application components and techniques to exploit them. We also learned how to use the Drozer framework to perform a security assessment of an Android application.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>CTF Mr-Robot 1 Challenge</title>
    
      <link href="https://anandtiwari.com/posts/2016/08/CTF-Mr-Robot-1-Challenge/"/>
    
    <updated>2016-08-04T00:00:00Z</updated>
    <id>https://anandtiwari.com/posts/2016/08/CTF-Mr-Robot-1-Challenge/</id>
    <content type="html">&lt;p&gt;If you are looking to start real pentesting and want to hack a box or do real-time pentesting, I would suggest starting with CTFs.&lt;/p&gt;
&lt;p&gt;Mr-Robot CTF: let’s take this challenge and crack this CTF. You can get the VM from VulnHub.&lt;/p&gt;
&lt;p&gt;If you want to pentest any target, you should start with the following steps:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Reconnaissance&lt;/li&gt;
&lt;li&gt;Scanning&lt;/li&gt;
&lt;li&gt;Exploitation&lt;/li&gt;
&lt;li&gt;Gaining Access&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Let’s start with the Reconnaissance and Scanning phases on the target and gather information to use in the later steps.&lt;/p&gt;
&lt;p&gt;Here the target IP is “192.168.56.103”. Let’s run an Nmap scan to find the open ports on the target IP.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/1.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;From the Nmap result we found that two ports are open, 80 and 443, and that Apache is running on them.&lt;/p&gt;
&lt;p&gt;Let’s browse this on port 80.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/2.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Whenever I do testing, I always start by scanning the target with Nikto to get some information. It is also important, for a web application, to spider the host. Let’s do both.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/3.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/4.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Here are the interesting things we found after the scans.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Robots.txt is a text (not HTML) file you put on your site to tell search robots which pages you would like them not to visit. Robots.txt is by no means mandatory for search engines, but generally search engines obey what they are asked not to do.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/wp-login/&lt;/code&gt; : WordPress admin path found.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Let’s check the robots.txt file and explore the paths it reveals.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/5.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Wow!! We found the first flag, key-1.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/6.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Let’s check the second path.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/7.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;It seems to contain a huge word list.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/8.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now let’s check the other finding from the scan, the wp-login page.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/9.png&quot; width=&quot;610&quot; height=&quot;450&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;The first thing that popped into my mind was that we should brute force the login page to get the username and password.&lt;/p&gt;
&lt;p&gt;We previously found a huge word list while exploring the robots.txt file.&lt;/p&gt;
&lt;p&gt;Before moving to the next step we should remove the duplicate values from fsocity.dic.&lt;/p&gt;
&lt;pre class=&quot;language-bash&quot;&gt;&lt;code class=&quot;language-bash&quot;&gt;root@kali:~# sort fsocity.dic | uniq &amp;gt; sorted.dic&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;Now we have the sorted.dic file with the duplicate values removed.&lt;/p&gt;
&lt;p&gt;Let’s move to the next step and figure out the username by brute force using Burp Intruder.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/10.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/11.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Here we found three correct usernames: ELLIOT, elliot, Elliot.&lt;/p&gt;
&lt;p&gt;Now it’s time to get the password using the same method with Burp Intruder.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/12.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Here we go… and found the password: ER28-0652.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/13.png&quot; /&gt;
&lt;/p&gt;
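&lt;p&gt;As an added defender-side counterpart to the Intruder runs above (example code, not from the original post), the Python below flags a wp-login brute force in Apache combined logs: a burst of POSTs to /wp-login.php from one address inside a short window, with a 302 arriving once the burst is under way, since WordPress answers a failed login with 200 and a successful one with a redirect. The log lines are constructed, and the source addresses, threshold and window are assumptions.&lt;/p&gt;

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
WP_LOGIN = "/wp-login.php"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3), m.group(4), int(m.group(5))


def detect_bruteforce(lines, threshold=20, window_seconds=60):
    """Flag sources that POST to wp-login.php at least `threshold` times within
    `window_seconds`. WordPress answers a failed login with 200 (the form again)
    and a successful one with a 302 redirect, so a 302 once the burst is under
    way means a guess worked. Returns {ip: {"attempts": n, "succeeded": bool}}."""
    recent = defaultdict(list)   # ip -> timestamps of POSTs still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path.split("?")[0] != WP_LOGIN:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.pop(0)
        if len(window) >= threshold:
            alert = alerts.setdefault(ip, {"attempts": 0, "succeeded": False})
            alert["attempts"] = max(alert["attempts"], len(window))
            if status == 302:
                alert["succeeded"] = True
    return alerts


def constructed_log():
    """Constructed sample: 25 guesses one second apart from one host, the last
    of which succeeds, plus one ordinary login from another host."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime(2016, 8, 4, 10, 0, 0, tzinfo=timezone.utc)
    line = '%s - - [%s] "%s %s HTTP/1.1" %d 3800 "-" "Mozilla/5.0"'
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        status = 302 if i == 24 else 200
        lines.append(line % ("192.168.56.1", ts, "POST", WP_LOGIN, status))
    ts = base.strftime(fmt)
    lines.append(line % ("192.168.56.50", ts, "GET", WP_LOGIN, 200))
    lines.append(line % ("192.168.56.50", ts, "POST", WP_LOGIN, 302))
    return lines


if __name__ == "__main__":
    for ip, info in detect_bruteforce(constructed_log()).items():
        print(ip, info)
```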
&lt;p&gt;Now it’s time to get root access on the machine.&lt;/p&gt;
&lt;p&gt;We can upload a PHP shell into WordPress and get a reverse shell from it.&lt;/p&gt;
&lt;p&gt;I was previously aware of the pentestmonkey php-reverse-shell, http://pentestmonkey.net/tools/web-shells/php-reverse-shell; let’s download it and upload it in the .php page.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/14.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/15.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Boom!!! We got a shell as daemon. Now let&#39;s find the flags inside the box.&lt;/p&gt;
&lt;p&gt;After checking some file systems and folders, I found that the home &amp;gt; robot folder contains two files: key-2-of-3.txt and password.raw-md5.&lt;/p&gt;
&lt;p&gt;The second flag is in the key-2-of-3.txt file.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/16.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Oh!! Wait… we don’t have access to this file.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/17.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Let’s check the second file password.raw-md5.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/18.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;This looks like the password of the user robot as an MD5 hash. We need to crack this password, and we can use the John the Ripper tool for that.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/19.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Congrats!! We got the robot user&#39;s password. Next is to log in as the robot user.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/20.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;When I tried su robot here, I got an error. Let’s get a terminal by using python.&lt;/p&gt;
&lt;pre class=&quot;language-bash&quot;&gt;&lt;code class=&quot;language-bash&quot;&gt;python -c &#39;import pty; pty.spawn(&amp;quot;/bin/sh&amp;quot;)&#39;&lt;/code&gt;&lt;/pre&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/21.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/22.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Here we got the second flag, key-2-of-3.txt:&lt;/p&gt;
&lt;p&gt;822c73956184f694993bede3eb39f959&lt;/p&gt;
&lt;p&gt;The next thing in my mind was to go into the root folder and check what data is stored there.&lt;/p&gt;
&lt;p&gt;But wait, we don’t have permission. We need to get root privileges.&lt;/p&gt;
&lt;p&gt;No luck finding any clue after checking all the file systems and folders. Now it’s time to check which applications are installed and under which privilege.&lt;/p&gt;
&lt;p&gt;After checking all the files and folders, I finally found that nmap is installed with root privileges, which will be useful to get root.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/23.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;After googling and reading many articles, I learned that &lt;code&gt;--interactive&lt;/code&gt; helps us escalate privileges.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/24.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/robot-ctf/25.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;And finally we catch the third flag in key-3-of-3.txt.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Windows Mobile Application Security Testing - Part 6</title>
    
      <link href="https://anandtiwari.com/posts/2016/03/Windows-Mobile-Application-Security-Testing-Part-6/"/>
    
    <updated>2016-03-02T00:00:00Z</updated>
    <id>https://anandtiwari.com/posts/2016/03/Windows-Mobile-Application-Security-Testing-Part-6/</id>
    <content type="html">&lt;p&gt;In this article we will learn how to analyse the local storage of the device and look into a way to do static analysis by reverse engineering. If you have not yet rooted your device, please read my previous article where I have written up the process to root the device.&lt;/p&gt;
&lt;h2&gt;Exploring application binaries, .NET assemblies, and other assets&lt;/h2&gt;
&lt;p&gt;On the device, installed applications have two main directories: one where the application binaries, .NET assemblies and assets are stored, and another, the app’s local storage directory, where the app can store its local data.&lt;/p&gt;
&lt;p&gt;All installed apps have their own installation directory, located at &lt;code&gt;D:\Computer\Windows Phone\Phone\Data\PROGRAMS\{GUID}\Install\.&lt;/code&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/1.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Each app also has its own local storage directory, which runs in its own filesystem sandbox. The local storage directory for an app is located at &lt;code&gt;D:\Computer\Windows Phone\Phone\Data\Users\DefApps\APPDATA\{GUID}&lt;/code&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/2.png&quot; /&gt;
&lt;/p&gt;
&lt;h2&gt;Application Manifest file&lt;/h2&gt;
&lt;p&gt;Let&#39;s start with the manifest file of the application, which gives us information about the application and its structure and helps us understand the application.&lt;/p&gt;
&lt;p&gt;In Windows Phone 8 the manifest file is named WMAppManifest.xml in XAP files, and in Windows 8.x applications the manifest is named Package.appxmanifest in APPX packages.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/3.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;The manifest file supports multiple XML elements, some of which are interesting from a security point of view:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Capabilities (&lt;code&gt;&amp;lt;Capabilities&amp;gt;&lt;/code&gt;) - Defines the capabilities required by the application.&lt;/li&gt;
&lt;li&gt;File Type Association (&lt;code&gt;&amp;lt;FileTypeAssociation&amp;gt;&lt;/code&gt;) - Defines the file extensions that are associated with the application.&lt;/li&gt;
&lt;li&gt;Protocol (&lt;code&gt;&amp;lt;Protocol&amp;gt;&lt;/code&gt;) - Defines URL schemes that the app wishes to register for.&lt;/li&gt;
&lt;li&gt;Activatable Class (&lt;code&gt;&amp;lt;ActivatableClass&amp;gt;&lt;/code&gt;) - Defines classes that are used by the app that are external to it.&lt;/li&gt;
&lt;li&gt;Interface (&lt;code&gt;&amp;lt;Interface&amp;gt;&lt;/code&gt;) - Specifies interfaces that the app implements that are external to it.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Check the capabilities:&lt;/p&gt;
&lt;pre class=&quot;language-xml&quot;&gt;&lt;code class=&quot;language-xml&quot;&gt;&amp;lt;Capabilities&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_IDENTITY_DEVICE&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_IDENTITY_USER&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_LOCATION&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_MICROPHONE&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_NETWORKING&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_PHONEDIALER&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_PUSH_NOTIFICATION&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_SENSORS&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_WEBBROWSERCOMPONENT&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_ISV_CAMERA&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_CONTACTS&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_APPOINTMENTS&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_MEDIALIB_AUDIO&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_MEDIALIB_PHOTO&quot; /&amp;gt;
  &amp;lt;Capability Name=&quot;ID_CAP_MEDIALIB_PLAYBACK&quot; /&amp;gt;
&amp;lt;/Capabilities&amp;gt;&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;The application declares capabilities including Location, Microphone, Networking, Phone Dialer, Contacts and Media Library Photo. Each of these gives the app access to user data, so each marks a place where sensitive information may be collected or cached.&lt;/p&gt;
&lt;h2&gt;Analysis of Local Storage&lt;/h2&gt;
&lt;p&gt;An application needs local storage to save or cache files and folders for later use. Let us analyse the local storage of the application on the device.&lt;/p&gt;
&lt;p&gt;Application data — &lt;code&gt;C:\Data\Users\DefApps\APPDATA\{GUID}\...&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Install directory — &lt;code&gt;C:\Data\Programs\{GUID}\Install\...&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Here are some of the folders worth inspecting in the local storage.&lt;/p&gt;
&lt;p&gt;Framework Temp - Temporary data written by the framework.&lt;/p&gt;
&lt;p&gt;INetCache - WebView cache files.&lt;/p&gt;
&lt;p&gt;INetCookies - Web cookie data.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/4.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;INetHistory - History of the web pages visited.&lt;/p&gt;
&lt;p&gt;Local - The folder where most applications store their sensitive data; this is the isolated storage of the application.&lt;/p&gt;
&lt;p&gt;LocalLow - Written by code running at low integrity. Low-integrity code can only write to a small number of locations on disk, and LocalLow (FOLDERID_LocalAppDataLow) is one of them.&lt;/p&gt;
&lt;p&gt;PlatformData - A directory the system creates at the top level of the app&#39;s isolated storage.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/5.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Let&#39;s move into the local storage:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;D:\Data\Users\DefApps\APPDATA\{513D7B13-D7A9-4B59-ACB0-B4629E4A7EEE}\Local&lt;/code&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/6.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Above is the listing of the local storage. &lt;code&gt;__ApplicationSettings&lt;/code&gt; and &lt;code&gt;userdata.sdf&lt;/code&gt; look like the files most likely to hold sensitive data. Let&#39;s open the &lt;code&gt;__ApplicationSettings&lt;/code&gt; file first.&lt;/p&gt;
&lt;p&gt;The application&#39;s login username and password are stored in plain text in &lt;code&gt;__ApplicationSettings&lt;/code&gt;.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/7.png&quot; width=&quot;510&quot; height=&quot;420&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now check the userdata database file, where the rest of the data is stored.&lt;/p&gt;
&lt;p&gt;&lt;code&gt;userdata.sdf&lt;/code&gt; is a SQL Server Compact database, so to open it we need an SDF viewer such as CompactView.&lt;/p&gt;
&lt;p&gt;You can download &lt;a href=&quot;https://sourceforge.net/p/compactview/home/Home/&quot;&gt;CompactView_1.4.12.0&lt;/a&gt; and install it on your system.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/8.png&quot; width=&quot;600&quot; height=&quot;450&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Here we have the database in which the application stores its records, but the values have been encoded into numeric form rather than stored in plain text. To learn how they are encoded we have to reverse engineer the application and read the encoding routine in its code.&lt;/p&gt;
&lt;h2&gt;Reverse Engineering on the Application&lt;/h2&gt;
&lt;p&gt;To analyse the application binaries we first extract them, together with the .NET assemblies, from the device where the application is installed. Move into the install directory &lt;code&gt;C:\Data\Programs\{GUID}\Install\..&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;D:\Data\PROGRAMS\{513D7B13-D7A9-4B59-ACB0-B4629E4A7EEE}\Install&lt;/code&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/8.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;After extracting the binaries from the device we decompile them and review the recovered source manually; this is where a source code review is needed.&lt;/p&gt;
&lt;p&gt;Most of the .dll files belong to GoogleAds and GoogleAnalytics. The one we need to decompile is the application&#39;s own assembly, which appears to be PhoneApp5.dll. We decompile it with ILSpy, which turns .NET assemblies back into C#.&lt;/p&gt;
&lt;p&gt;Load PhoneApp5.dll into ILSpy and decompile the assembly.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/9.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/10.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;As the pictures above show, every class has been decompiled and we can read the C# code. Now let&#39;s review the code and look for security issues.&lt;/p&gt;
&lt;p&gt;We start by looking at the .NET libraries, namespaces and classes. The first class, AboutUs, by its name holds information about the application.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/11.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;The code embeds the developer&#39;s name and e-mail address, which could be used in further attacks. Most applications leak some information about their developers this way. Let&#39;s move on to the other classes.&lt;/p&gt;
&lt;p&gt;The &lt;code&gt;using&lt;/code&gt; directives at the top of each class tell you which .NET libraries it depends on, which is a quick way to find where the security-relevant work happens.&lt;/p&gt;
&lt;p&gt;At the top of the Action class we find this list of libraries:&lt;/p&gt;
&lt;pre class=&quot;language-java&quot;&gt;&lt;code class=&quot;language-java&quot;&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;GoogleAds&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;GoogleAnalytics&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;Microsoft&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Phone&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Controls&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;System&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;System&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;ComponentModel&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;System&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Diagnostics&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;System&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;IO&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;IsolatedStorage&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;token comment&quot;&gt;//&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token 
class-name&quot;&gt;System&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Windows&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;System&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Windows&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Controls&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;System&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Windows&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Input&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;The Action class uses &lt;code&gt;System.IO.IsolatedStorage&lt;/code&gt;, which means it stores data in isolated storage.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/12.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;The snippet shows the username and password being written into &lt;code&gt;IsolatedStorageSettings.ApplicationSettings&lt;/code&gt; without any encryption. That collection is persisted as the &lt;code&gt;__ApplicationSettings&lt;/code&gt; file, which is exactly what we read during the local storage analysis.&lt;/p&gt;
&lt;p&gt;Let&#39;s move on to the other classes to look for the local database.&lt;/p&gt;
&lt;pre class=&quot;language-java&quot;&gt;&lt;code class=&quot;language-java&quot;&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;GoogleAnalytics&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;Microsoft&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Phone&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Controls&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;PhoneApp5&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;MyClasses&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;System&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;System&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Diagnostics&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;System&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Linq&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;token comment&quot;&gt;//&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;System&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Windows&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token 
class-name&quot;&gt;System&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Windows&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Controls&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;using &lt;span class=&quot;token class-name&quot;&gt;System&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Windows&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;Navigation&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;This list includes the &lt;code&gt;System.Linq&lt;/code&gt; namespace, which provides the classes and interfaces for Language-Integrated Query (LINQ); it is the first hint that the app may query a local database through LINQ to SQL.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/13.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;In this picture the public class &lt;code&gt;UserDataContext&lt;/code&gt; establishes the database connection and creates the &lt;code&gt;userdata.sdf&lt;/code&gt; file in which all the data is stored.&lt;/p&gt;
&lt;p&gt;All bank records are stored and updated through &lt;code&gt;UserDataContext&lt;/code&gt;, and before any value is written to the database it is passed through a function named Scramble.&lt;/p&gt;
&lt;p&gt;During the local storage analysis we opened &lt;code&gt;userdata.sdf&lt;/code&gt; in CompactView and saw that the stored values were numeric rather than plain text. Scramble is the routine that produces those values: it is an obfuscation written in application code, not encryption under a key the attacker lacks.&lt;/p&gt;
&lt;p&gt;Let&#39;s look closely and figure out how the data is decoded.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-6/14.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;We find the matching UnScramble function, which decodes the stored values whenever the application displays them to the user. Since the routine is right there in the decompiled code, we can reuse it to decode every record in the database.&lt;/p&gt;
&lt;p&gt;For this particular application we did not even need it: the username and password sit in plain text in the &lt;code&gt;__ApplicationSettings&lt;/code&gt; file, and they unlock the application and show all the user&#39;s data. The point of this section is to show the approach to source code review through reverse engineering.&lt;/p&gt;
&lt;h2&gt;Storing Data Securely in Windows Phone&lt;/h2&gt;
&lt;p&gt;If you are a developer and save data in the device&#39;s local storage, be aware that saving confidential data as-is in a phone&#39;s isolated storage is not secure: on a rooted device, as shown in Part 5, the whole tree is readable. Encrypting the data and then keeping the decryption key on the same device does not add real security either; the protection is then only as good as how well the key is hidden, and as we saw above, a decompiler finds a hard-coded key quickly.&lt;/p&gt;
&lt;p&gt;Microsoft provides the Data Protection API (DPAPI) to encrypt and decrypt data kept in isolated storage. DPAPI removes the need to generate and store a cryptographic key yourself: the key is derived from user and device credentials. The &lt;code&gt;ProtectedData&lt;/code&gt; class exposes DPAPI through its &lt;code&gt;Protect&lt;/code&gt; and &lt;code&gt;Unprotect&lt;/code&gt; methods; &lt;code&gt;Protect&lt;/code&gt; encrypts a byte array and &lt;code&gt;Unprotect&lt;/code&gt; decrypts it. According to Microsoft&#39;s documentation, on a Windows Phone device every app gets its own key, created the first time the app runs, and calls to &lt;code&gt;Protect&lt;/code&gt; and &lt;code&gt;Unprotect&lt;/code&gt; use that key implicitly so the data stays private to the app.&lt;/p&gt;
&lt;p&gt;&lt;code&gt;Protect&lt;/code&gt; and &lt;code&gt;Unprotect&lt;/code&gt; take a second parameter, &lt;code&gt;optionalEntropy&lt;/code&gt;, and you should use it. Do not rely on the per-app isolation alone: in practice all data protected by DPAPI on Windows Phone is encrypted using the same key, so an attacker with access to the device, or a malicious app that can reach the protected blob, recovers the plaintext simply by calling &lt;code&gt;ProtectedData.Unprotect()&lt;/code&gt; if the target app did not supply &lt;code&gt;optionalEntropy&lt;/code&gt;. Hard-coding the entropy, or storing it on the device, only recreates the hidden-key problem: anyone with full access to the device reads it out and decrypts everything. Base the entropy instead on a secret only the user knows, for example by deriving it with PBKDF2 (&lt;code&gt;Rfc2898DeriveBytes&lt;/code&gt; in .NET) from a passphrase the user enters when the app starts, and never persist that passphrase.&lt;/p&gt;
&lt;h2&gt;Windows Phone local database encryption&lt;/h2&gt;
&lt;p&gt;If you want to encrypt your database you can simply use the Password property in your database’s connection string:&lt;/p&gt;
&lt;pre class=&quot;language-java&quot;&gt;&lt;code class=&quot;language-java&quot;&gt;&lt;div class=&quot;highlight-line&quot;&gt;&lt;span class=&quot;token comment&quot;&gt;// Create the data context.&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;&lt;span class=&quot;token class-name&quot;&gt;MyDataContext&lt;/span&gt; db &lt;span class=&quot;token operator&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;token keyword&quot;&gt;new&lt;/span&gt; &lt;span class=&quot;token class-name&quot;&gt;MyDataContext&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;token string&quot;&gt;&quot;Data Source=&#39;isostore:/mydb.sdf&#39;;Password=&#39;securepassword&#39;;&quot;&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;&lt;span class=&quot;token comment&quot;&gt;// Create an encrypted database after confirming that it does not exist.&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;&lt;span class=&quot;token keyword&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;token punctuation&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;token operator&quot;&gt;!&lt;/span&gt;&lt;span class=&quot;token class-name&quot;&gt;&lt;span class=&quot;token namespace&quot;&gt;db&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;&lt;/span&gt;DatabaseExists&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;token class-name&quot;&gt;&lt;span class=&quot;token namespace&quot;&gt;db&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;&lt;/span&gt;CreateDatabase&lt;/span&gt;&lt;span class=&quot;token 
punctuation&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;But hard-coding the password, or any other credential, is not a good idea: as we saw above, reverse engineering the application with a decompiler recovers the secret in minutes.&lt;/p&gt;
&lt;p&gt;If you need stronger guarantees than SQL Server Compact offers, an alternative is a SQLite-based database with the SQLite Encryption Extension (SEE) or SQLCipher. The key management problem is the same, so the key should still be derived from a user secret rather than stored on the device.&lt;/p&gt;
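&lt;p&gt;The following C# is an added example, not code from the original post or from the analysed app. It ties the two recommendations above together: the DPAPI &lt;code&gt;optionalEntropy&lt;/code&gt; and the local database password are both derived with PBKDF2 from a passphrase the user enters at launch, so a decompiler or a rooted device yields nothing but a random salt. Assumed: a Windows Phone 8 Silverlight project, the illustrative file name &lt;code&gt;kdf.salt&lt;/code&gt;, a setting key chosen by the caller, and the &lt;code&gt;isostore:/mydb.sdf&lt;/code&gt; path from the snippet above; a real app would pass the result of &lt;code&gt;BuildConnectionString()&lt;/code&gt; to its own &lt;code&gt;DataContext&lt;/code&gt; subclass, as &lt;code&gt;MyDataContext&lt;/code&gt; is constructed above.&lt;/p&gt;

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original post or from the analysed app.
// Assumes a Windows Phone 8 (Silverlight) app whose user types a passphrase at
// every launch. The passphrase is never written to storage; only a random,
// non-secret salt is. File and key names are illustrative.
public static class UserBoundSecrets
{
    private const string SaltFile = "kdf.salt";   // hypothetical file name
    private const int SaltBytes = 16;
    private const int Pbkdf2Iterations = 10000;   // tune to the device
    private const int EntropyBytes = 32;          // DPAPI optionalEntropy length
    private const int DbKeyBytes = 20;            // 40 hex chars: SQL CE password limit

    // The salt only makes the derived material unique per installation and is
    // safe to store in the clear. Created once, reused afterwards.
    private static byte[] LoadOrCreateSalt()
    {
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            byte[] salt = new byte[SaltBytes];
            if (store.FileExists(SaltFile))
            {
                using (Stream s = store.OpenFile(SaltFile, FileMode.Open, FileAccess.Read))
                {
                    int read = 0;
                    while (read != salt.Length)
                    {
                        int n = s.Read(salt, read, salt.Length - read);
                        if (n == 0) throw new IOException("salt file is truncated");
                        read += n;
                    }
                }
                return salt;
            }
            new RNGCryptoServiceProvider().GetBytes(salt);
            using (Stream s = store.OpenFile(SaltFile, FileMode.CreateNew, FileAccess.Write))
                s.Write(salt, 0, salt.Length);
            return salt;
        }
    }

    // PBKDF2(passphrase, salt) stretched into one byte stream and split into the
    // DPAPI entropy and the local database key. Neither value is persisted.
    private static void DeriveKeys(string passphrase, out byte[] entropy, out byte[] dbKey)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(passphrase, LoadOrCreateSalt(), Pbkdf2Iterations);
        byte[] material = kdf.GetBytes(EntropyBytes + DbKeyBytes);
        entropy = new byte[EntropyBytes];
        dbKey = new byte[DbKeyBytes];
        Buffer.BlockCopy(material, 0, entropy, 0, EntropyBytes);
        Buffer.BlockCopy(material, EntropyBytes, dbKey, 0, DbKeyBytes);
    }

    // Replaces writing the credential into __ApplicationSettings in the clear:
    // only the DPAPI blob is stored, and Unprotect() alone cannot open it.
    public static void SaveProtected(string settingKey, string plaintext, string passphrase)
    {
        byte[] entropy, dbKey;
        DeriveKeys(passphrase, out entropy, out dbKey);
        byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), entropy);
        IsolatedStorageSettings.ApplicationSettings[settingKey] = blob;
        IsolatedStorageSettings.ApplicationSettings.Save();
    }

    // Returns null for a missing key, a wrong passphrase or a tampered blob.
    public static string LoadProtected(string settingKey, string passphrase)
    {
        byte[] blob;
        if (!IsolatedStorageSettings.ApplicationSettings.TryGetValue(settingKey, out blob))
            return null;
        byte[] entropy, dbKey;
        DeriveKeys(passphrase, out entropy, out dbKey);
        try
        {
            byte[] plain = ProtectedData.Unprotect(blob, entropy);
            return Encoding.UTF8.GetString(plain, 0, plain.Length);
        }
        catch (CryptographicException)
        {
            return null;
        }
    }

    // Replaces Password='securepassword' in the data context connection string:
    // the SQL CE password is derived at runtime and never appears in the binary.
    public static string BuildConnectionString(string passphrase)
    {
        byte[] entropy, dbKey;
        DeriveKeys(passphrase, out entropy, out dbKey);
        string password = BitConverter.ToString(dbKey).Replace("-", "");
        return "Data Source='isostore:/mydb.sdf';Password='" + password + "';";
    }
}
```

&lt;p&gt;In this design the login password that the analysed app kept in clear text is never stored at all: the user&#39;s entry is verified by whether &lt;code&gt;LoadProtected()&lt;/code&gt; returns a value. &lt;code&gt;DbKeyBytes&lt;/code&gt; is 20 because SQL Server Compact limits the password to 40 characters and the key is rendered as hex. Neither PBKDF2 nor DPAPI helps against an attacker who can hook the running app, and a weak passphrase remains brute-forceable offline against the salt and blob; the iteration count is the only dial for that.&lt;/p&gt;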
&lt;h2&gt;Conclusion:&lt;/h2&gt;
&lt;p&gt;In this article we analysed the local storage and the database of an application on the device, learned a more secure way to store data on the device, and walked through a source code review by reverse engineering the application.&lt;/p&gt;
&lt;p&gt;If you want to learn more about Windows mobile application security I recommend reading
&amp;quot;&lt;a href=&quot;http://www.amazon.com/The-Mobile-Application-Hackers-Handbook/dp/1118958500&quot;&gt;The Mobile Application Hacker&#39;s Handbook&lt;/a&gt;&amp;quot;.&lt;/p&gt;
&lt;h2&gt;Reference:&lt;/h2&gt;
&lt;p&gt;&lt;a href=&quot;https://msdn.microsoft.com/en-us/library/windows/apps/hh487164(v=vs.105).aspx&quot;&gt;https://msdn.microsoft.com/en-us/library/windows/apps/hh487164(v=vs.105).aspx&lt;/a&gt;
&lt;a href=&quot;https://msdn.microsoft.com/en-us/library/windows/apps/hh202861(v=vs.105).aspx&quot;&gt;https://msdn.microsoft.com/en-us/library/windows/apps/hh202861(v=vs.105).aspx&lt;/a&gt;
&lt;a href=&quot;https://msdn.microsoft.com/en-us/library/windows/apps/hh133478(v=vs.105).aspx&quot;&gt;https://msdn.microsoft.com/en-us/library/windows/apps/hh133478(v=vs.105).aspx&lt;/a&gt;
&lt;a href=&quot;https://msdn.microsoft.com/en-us/library/windows/apps/system.security.cryptography.protecteddata(v=vs.105).aspx&quot;&gt;https://msdn.microsoft.com/en-us/library/windows/apps/system.security.cryptography.protecteddata(v=vs.105).aspx&lt;/a&gt;&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Windows Mobile Application Security Testing - Part 5</title>
    
      <link href="https://anandtiwari.com/posts/2016/02/Windows-Mobile-Application-Security-Testing-Part-5/"/>
    
    <updated>2016-02-29T00:00:00Z</updated>
    <id>https://anandtiwari.com/posts/2016/02/Windows-Mobile-Application-Security-Testing-Part-5/</id>
    <content type="html">&lt;p&gt;In this article we are going to learn how to root a WP8 Nokia Lumia device and inspect its internal storage. I am using a Nokia Lumia 720 for the demo; the Lumia 520, 521, 525, 620, 625, 820, 920, 925, 928, 1020 and 1320 are also supported.&lt;/p&gt;
&lt;p&gt;XDA developer &lt;a href=&quot;http://forum.xda-developers.com/member.php?u=3254428&quot;&gt;Heathcliff74&lt;/a&gt; has given us a powerful tool, &lt;a href=&quot;http://www.wpinternals.net/index.php/downloads&quot;&gt;Windows Phone Internals&lt;/a&gt;, which unlocks the bootloader of selected Lumia Windows Phone models. Once the bootloader is unlocked you can enable Root Access on the phone or create and flash custom ROMs.&lt;/p&gt;
&lt;h2&gt;Supported OS versions&lt;/h2&gt;
&lt;p&gt;Root Access can be enabled on the following OS versions. To enable Root Access, the bootloader must be unlocked first.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;8.10.12393.890&lt;/li&gt;
&lt;li&gt;8.10.12397.895&lt;/li&gt;
&lt;li&gt;8.10.14219.341&lt;/li&gt;
&lt;li&gt;8.10.14226.359&lt;/li&gt;
&lt;li&gt;8.10.14234.375&lt;/li&gt;
&lt;li&gt;8.10.15116.125&lt;/li&gt;
&lt;li&gt;8.10.15148.160&lt;/li&gt;
&lt;li&gt;10.0.10512.1000&lt;/li&gt;
&lt;li&gt;10.0.10536.1004&lt;/li&gt;
&lt;li&gt;10.0.10549.4&lt;/li&gt;
&lt;li&gt;10.0.10581.0&lt;/li&gt;
&lt;li&gt;10.0.10586.11&lt;/li&gt;
&lt;li&gt;10.0.10586.36&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;To root your device, follow the instructions carefully. Download &lt;a href=&quot;http://www.wpinternals.net/index.php/downloads&quot;&gt;Windows Phone Internals&lt;/a&gt;; the instructions are in the tool itself.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/1.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;I followed the instructions for my Lumia 720; they may differ for your device, so please follow the instructions for yours accordingly.
Before rooting the device we need to unlock its bootloader.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/2.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now connect your device over USB and unlock its screen, then wait for detection.
To unlock the bootloader, the tool asks you to switch the phone to flash mode. Click “OK”.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/3.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now we need the FFU image file, which is a fresh ROM image of your device. It is important to get exactly the FFU that matches your device. To get it, use the &lt;a href=&quot;http://go.microsoft.com/fwlink/?LinkID=525569&quot;&gt;Windows Device Recovery Tool&lt;/a&gt;, which downloads the FFU file for your device. (You need to switch the device back to normal mode first: press and hold the Volume Down and Power buttons together until you feel a vibration, about 10-15 seconds. The phone then restarts automatically.)&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/4.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Connect your device and open the Windows Device Recovery Tool; the device is detected after a few seconds.&lt;/p&gt;
&lt;p&gt;If you get an error while downloading the ROM image for your device, I recommend restarting both your computer and the device and trying again.&lt;/p&gt;
&lt;p&gt;After the ROM image has downloaded, the .ffu file is located at&lt;/p&gt;
&lt;p&gt;&lt;code&gt;C:\ProgramData\Microsoft\Packages\Products\RM-885&lt;/code&gt; on your system.&lt;/p&gt;
&lt;p&gt;Now switch back to Unlock Bootloader in Windows Phone Internals.&lt;/p&gt;
&lt;p&gt;Select your .ffu file (the fresh ROM image), located at&lt;/p&gt;
&lt;p&gt;&lt;code&gt;C:\ProgramData\Microsoft\Packages\Products\RM-885&lt;/code&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/5.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;You should also select a folder containing the Lumia Emergency Flash Loaders. The tool tries to pick the loader suitable for your phone.&lt;/p&gt;
&lt;p&gt;Select &lt;code&gt;C:\ProgramData\Microsoft\Packages\Products\RM-885&lt;/code&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/6.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;It is very important to use an Engineering SBL3, and to be careful about which sbl3 file you use for your device. Make sure the sbl3 file is meant for your device; with the wrong sbl3 file your device will not work afterwards.
You can download sbl3 files from the xda-developers site for the 520, 620, 625, 810, 820, 822, 920, 925 and 1020.
For my Lumia 720 I did not find an sbl3 file, but when I researched on the internet someone had posted that the Lumia 520 sbl3 file works for the Lumia 720. So please do this at your own risk.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/7.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now click Continue.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/7.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;After the device boots, its bootloader is unlocked. Now go to “Enable Root Access” and click Unlock Phone. The device switches into flash mode and then into Mass Storage mode, and a drive named “MainOS” appears on your system: this is the device&#39;s internal storage.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/8.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/9.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/10.png&quot; /&gt;
&lt;/p&gt;
&lt;h2&gt;Root Tool&lt;/h2&gt;
&lt;p&gt;Root Tool lets you edit the device registry and gives you full access to the device file system, so you can reach all internal files just by connecting the phone to your system.&lt;/p&gt;
&lt;p&gt;Windows Phone Internals gave you Mass Storage mode by flashing the phone; Root Tool makes file access easier.
&lt;a href=&quot;https://mega.nz/#F!8IJ1BICS!9gy7cFsNQQPmCSb8kF4V_A&quot;&gt;Download Root Tool&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Extract the archive and deploy the .XAP file to the device.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/11.png&quot; width=&quot;300&quot; height=&quot;450&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Be careful while using this tool: a wrong file path or setting may break your device.&lt;/p&gt;
&lt;p&gt;Now select “Lumia Registry Edit”&lt;/p&gt;
&lt;p&gt;Go to options &amp;gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/12.png&quot; width=&quot;210&quot; height=&quot;160&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now click on Templates&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/13.png&quot; width=&quot;210&quot; height=&quot;350&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Select both Interop/Capability Unlock and Full FS Access with MTP, then apply the settings.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/14.png&quot; width=&quot;210&quot; height=&quot;350&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now you can view and edit the device&#39;s internal storage without switching into flash mode.&lt;/p&gt;
&lt;h2&gt;WP8 Native Access Webserver&lt;/h2&gt;
&lt;p&gt;There is another convenient way to access the device file system: WP8 Native Access Webserver. You install the client WP8 Native Access .XAP on the device, and it serves the file system over a port you choose, so you can browse it from your computer. The download is listed in the references below.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/15.png&quot; width=&quot;210&quot; height=&quot;350&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-5/16.png&quot; /&gt;
&lt;/p&gt;
&lt;h2&gt;Conclusion:&lt;/h2&gt;
&lt;p&gt;In this article we learned how to root the device and inspect its internal storage. In the next article we will look at the attack vectors of WP8 applications and their vulnerabilities.&lt;/p&gt;
&lt;p&gt;Reference:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.wpinternals.net/&quot;&gt;http://www.wpinternals.net/&lt;/a&gt;
&lt;a href=&quot;http://forum.xda-developers.com/&quot;&gt;http://forum.xda-developers.com/&lt;/a&gt;
&lt;a href=&quot;https://wp8webserver.codeplex.com/&quot;&gt;https://wp8webserver.codeplex.com/&lt;/a&gt;&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Windows Mobile Application Security Testing - Part 4</title>
    
      <link href="https://anandtiwari.com/posts/2016/02/Windows-Mobile-Application-Security-Testing-Part-4/"/>
    
    <updated>2016-02-24T00:00:00Z</updated>
    <id>https://anandtiwari.com/posts/2016/02/Windows-Mobile-Application-Security-Testing-Part-4/</id>
    <content type="html">&lt;p&gt;Before I start this part of the series I want to thank all of you who have appreciated it. I’m very excited to continue writing on WP8 application security testing.&lt;/p&gt;
&lt;p&gt;In the previous article we learned how to set up a proxy with the device and perform dynamic analysis of WP8 applications. In this article we are going to analyse isolated storage, the local file system of an app, using Windows Phone Power Tool.&lt;/p&gt;
&lt;p&gt;If you have not rooted your device but want to analyse an application&#39;s local storage dynamically, this article shows how. On a developer-unlocked device you can inspect the local or isolated storage of developer-signed apps only. If you have not unlocked your device yet, I recommend following my Part 1 article.&lt;/p&gt;
&lt;p&gt;Next we need a developer-signed application for the demo. In my previous article I mentioned a developer-signed YouTube app found on the XDA forum. You can also download this application for learning purposes from there.&lt;/p&gt;
&lt;h2&gt;Isolated storage&lt;/h2&gt;
&lt;p&gt;Isolated storage is used to store an application&#39;s local data on a Windows Phone. It is &amp;quot;isolated&amp;quot; because other applications cannot access this data.&lt;/p&gt;
&lt;p&gt;All I/O operations are restricted to isolated storage and have no direct access to the underlying OS file system, which provides security and prevents unauthorised access and data corruption by other apps. If you want to share data between two applications, you need some kind of cloud-based service that shares the data for you.&lt;/p&gt;
&lt;p&gt;Microsoft provides developers two ways to store data locally. The first is a collection of name/value pairs called IsolatedStorageSettings; the other is the creation of actual files and folders through IsolatedStorageFile. We will look at both later while doing static analysis or reverse engineering.&lt;/p&gt;
&lt;h2&gt;Windows Phone power Tool&lt;/h2&gt;
&lt;p&gt;As I wrote in my previous article, Windows Phone Power Tool is a powerful tool for deploying WP8 applications (developer-signed apps only) and analysing isolated storage on the device. We will use it to analyse the data the application stores on the device at runtime. If you want to install Windows Phone Power Tool, please read my previous blog post.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/1.png&quot; width=&quot;610&quot; height=&quot;350&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Let&#39;s deploy the YouTube application to the device using WP Power Tool.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/2.png&quot; width=&quot;590&quot; height=&quot;300&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;You can see the information about the application under Dev Apps.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/3.png&quot; width=&quot;750&quot; height=&quot;400&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now we’ll inspect the isolated storage. As you can see, there is no data at this time.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/4.png&quot; width=&quot;750&quot; height=&quot;400&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Let&#39;s use the application by exploring its functionality and saving some data. You can also log in to the application with a Google account.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/5.png&quot; width=&quot;350&quot; height=&quot;600&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;After using the application, refresh the app in WP Power Tool by right-clicking the application. Now you can see there is a bunch of data available for inspection.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/6.png&quot; width=&quot;750&quot; height=&quot;500&quot; /&gt;
&lt;/p&gt;
&lt;h2&gt;Isolated Storage Explorer&lt;/h2&gt;
&lt;p&gt;This is one more tool that helps you explore or modify the data the application stores on the device (isolated storage). You can download and install it from here.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/7.png&quot; width=&quot;650&quot; height=&quot;500&quot; /&gt;
&lt;/p&gt;
&lt;h2&gt;Isolated Storage Explorer (ISETool.exe)&lt;/h2&gt;
&lt;p&gt;Isolated Storage Explorer (ISETool.exe) is a command-line tool installed with the Windows Phone SDK. ISETool lets you list the contents of an app&#39;s isolated storage and copy files to and from the application&#39;s directories (download a snapshot, or replace files by restoring one).&lt;/p&gt;
&lt;p&gt;You can find the tool at the following path:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\IsolatedStorageExplor&lt;/code&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/8.png&quot; width=&quot;650&quot; height=&quot;500&quot; /&gt;
&lt;/p&gt;
&lt;pre class=&quot;language-bash&quot;&gt;&lt;code class=&quot;language-bash&quot;&gt;ISETool.exe &amp;lt;cmd[:param]&gt; &amp;lt;target-device[:param]&gt; &amp;lt;product-id&gt; [&amp;lt;desktop-path&gt;]

&amp;lt;cmd[:param]&gt; - Specifies the command to be executed (one of the following)
    ts -(takesnapshot) to download the contents of isolated store from &amp;lt;target-device&gt; to desktop
    rs -(restoresnapshot) to upload the contents of isolated store from desktop to &amp;lt;target-device&gt;
    dir - lists the contents of the device folder.
    EnumerateDevices  - lists the valid device targets along with their device indices.

&amp;lt;target-device[:param]&gt; - Specifies the target device (one of the following)
    xd - default emulator
    de - Windows Phone device connected to the desktop
    deviceindex:n - device listed at index n. To get the list of devices use the following command
                    &quot;ISETool EnumerateDevices&quot;

&amp;lt;product-id&gt; - Specifies the GUID of the product. This is located in
                 WMAppManifest.xml file of the project

&amp;lt;desktop-path&gt; - desktop path for download and upload
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;To get the list of devices use the following command:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;ISETool EnumerateDevices&lt;/code&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/9.png&quot; width=&quot;550&quot; height=&quot;200&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;To get the application&#39;s Product ID (the GUID of the product), look in WMAppManifest.xml. To get at the manifest file, change the application&#39;s extension from .xap to .zip and extract the archive. (This works only for developer-signed applications.)&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/10.png&quot; width=&quot;550&quot; height=&quot;200&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now list the application&#39;s contents in the device folder:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\IsolatedStorageExplorerTool\ISETool.exe dir de dcbb1ac6-a89a-df11-a490-00237de2db9e&lt;/code&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/11.png&quot; width=&quot;550&quot; height=&quot;300&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now download the contents of the isolated store from the device to the desktop:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\IsolatedStorageExplorerTool

λ ISETool.exe ts de dcbb1ac6-a89a-df11-a490-00237de2db9e G:\test\
&lt;/code&gt;&lt;/pre&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/12.png&quot; width=&quot;550&quot; height=&quot;100&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-4/13.png&quot; width=&quot;350&quot; height=&quot;300&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now you can inspect all the files and folders manually. Later we will learn more about the individual files and their functionality.&lt;/p&gt;
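&lt;p&gt;Once the snapshot is on the desktop, the first pass is usually a search for data the app should never have written to isolated storage in plaintext. The script below is an added example and not code from the post: it walks a snapshot folder and reports every file containing a password-style assignment, a bearer token or an e-mail address. The snapshot it scans is constructed in a temporary directory; the file names, including &lt;code&gt;__ApplicationSettings&lt;/code&gt; as the place where WP8 persists IsolatedStorageSettings, are assumptions made for the demo.&lt;/p&gt;

```python
"""Added example, not the post's own code: walk an ISETool snapshot folder and
flag data an app should not be keeping in plaintext isolated storage.  The
snapshot is constructed in a temporary directory so the script runs offline;
the file names mimic what a real snapshot can contain but are assumptions."""
import os
import re
import shutil
import tempfile

# What a tester typically greps a storage snapshot for.  Bytes patterns so
# binary files (images, databases) can be scanned as well as text.
PATTERNS = {
    "password": re.compile(rb"password\s*[=:]\s*\S+", re.IGNORECASE),
    "bearer_token": re.compile(rb"Bearer\s+[A-Za-z0-9._-]{16,}"),
    "email": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

# Constructed snapshot contents.  __ApplicationSettings is assumed to be where
# WP8 persists IsolatedStorageSettings; the other two are made-up app files.
DEMO_FILES = {
    "__ApplicationSettings": b"password=hunter2\nlastUser=someone@example.com\n",
    "Cache/session.json": b'{"auth": "Bearer abcdefghijklmnopqrstuvwxyz0123"}',
    "Shared/ShellContent/tile.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
}


def scan_snapshot(root):
    """Return (relative path, finding label, matched bytes) for every hit,
    sorted so the report is stable across runs."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for label, pattern in PATTERNS.items():
                for match in pattern.finditer(data):
                    # Keep only a prefix of the match so the report itself does
                    # not become a second copy of the secret.
                    findings.append((rel, label, match.group(0)[:40]))
    return sorted(findings)


def build_demo_snapshot():
    """Write DEMO_FILES into a fresh temporary folder and return its path."""
    root = tempfile.mkdtemp(prefix="isetool-snapshot-")
    for rel, data in DEMO_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def run_demo():
    """Build the constructed snapshot, scan it and clean up."""
    root = build_demo_snapshot()
    try:
        return scan_snapshot(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, label, sample in run_demo():
        print("%-30s %-13s %r" % (rel, label, sample))
```

&lt;p&gt;Point &lt;code&gt;scan_snapshot&lt;/code&gt; at the folder ISETool wrote with &lt;code&gt;ts&lt;/code&gt; and extend &lt;code&gt;PATTERNS&lt;/code&gt; with whatever the app under test is known to handle (session identifiers, account numbers). Anything it reports is a candidate finding for unencrypted sensitive storage, to be confirmed by reading the file.&lt;/p&gt;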
&lt;h2&gt;Conclusion :&lt;/h2&gt;
&lt;p&gt;In this article we learned about isolated storage and the tools and techniques for inspecting isolated files and folders. You can analyse the application&#39;s data and see how, and which, data it stores in isolated storage. Later we will learn more about the files and their functionality in terms of security.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Windows Mobile Application Security Testing - Part 3</title>
    
      <link href="https://anandtiwari.com/posts/2016/02/Windows-Mobile-Application-Security-Testing-Part-3/"/>
    
    <updated>2016-02-22T00:00:00Z</updated>
    <id>https://anandtiwari.com/posts/2016/02/Windows-Mobile-Application-Security-Testing-Part-3/</id>
    <content type="html">&lt;p&gt;In this blog post will going to learn how will perform Dynamic analysis on Windows phone 8 Mobile applications. Previous article we learned WP8 applications and sideloading developer signed apps.&lt;/p&gt;
&lt;h2&gt;Dynamic Analysis&lt;/h2&gt;
&lt;p&gt;Dynamic analysis is a way to audit a mobile application&#39;s communication. An application can give away data in two ways: by communicating with a server, and by storing data to and loading it from device storage. We will look at how to intercept requests using a proxy tool and how to analyse the isolated storage data on the device. We analyse the traffic between device and server by intercepting and modifying parameters; for application storage we simply observe the data that the application has saved.&lt;/p&gt;
&lt;h2&gt;OWASP Zed Attack Proxy (ZAP)&lt;/h2&gt;
&lt;p&gt;Most of you are familiar with ZAP and use it while doing application penetration testing. ZAP is a powerful proxy tool for intercepting traffic between client and server. It is an open-source tool. You can download it from here.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-3/zap.png&quot; /&gt;
&lt;/p&gt;
&lt;h2&gt;Intercept HTTP and HTTPS Traffic&lt;/h2&gt;
&lt;p&gt;In order to set up ZAP and intercept requests you have to install ZAP properly. It is important to connect your system and your device to the same Wi-Fi network.&lt;/p&gt;
&lt;p&gt;Check your system&#39;s IP address; if your system is connected over Wi-Fi, connect your device to the same Wi-Fi network.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-3/sysem%20ip%20addres.png&quot; width=&quot;450&quot; height=&quot;100&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now put your interface IP address into the ZAP proxy settings. Go to Tools &amp;gt; Options (Ctrl+Alt+O) &amp;gt; Local proxy.&lt;/p&gt;
&lt;p&gt;Address is your system&#39;s interface IP address (in my case 192.168.198.1).&lt;/p&gt;
&lt;p&gt;For the port you can use 8080.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-3/local%20proxy.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now open your device and go to Settings &amp;gt; WiFi &amp;gt; select your connected Wi-Fi network.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-3/wifi.png&quot; width=&quot;350&quot; height=&quot;400&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Turn on Proxy, enter your system&#39;s interface IP (i.e. 192.168.198.1) as Server/URL and 8080 as the port, and save the setting.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-3/prxymobile.png&quot; width=&quot;250&quot; height=&quot;400&quot; /&gt;
&lt;/p&gt;
&lt;h2&gt;Installing Certificate&lt;/h2&gt;
&lt;p&gt;It is very important to install the ZAP certificate on your device to intercept HTTPS-enabled applications. Without the certificate you can’t intercept HTTPS requests and responses. To install the certificate, first export it from ZAP and then install it by sending it to the device by e-mail. You can also install the certificate from an SD card, but that may not work properly.&lt;/p&gt;
&lt;p&gt;Export the certificate from ZAP. Go to Tools &amp;gt; Options (Ctrl+Alt+O) &amp;gt; Dynamic SSL Certificates. Now save the certificate.&lt;/p&gt;
&lt;p&gt;Fig 6. ZAP SSL Certificate&lt;/p&gt;
&lt;p&gt;Now send the saved certificate to yourself using any e-mail account. On the device, download the certificate from the attached file. Make sure the certificate&#39;s extension is .cer.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-3/certificateexport.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;And then install the certificate.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-3/mail%20cert.png&quot; width=&quot;350&quot; height=&quot;500&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;On Windows Phone you can only install one certificate at a time. Also, WP8 does not provide a way to delete it later on.&lt;/p&gt;
&lt;p&gt;After installing the ZAP certificate you will be able to intercept HTTPS-enabled applications on your device.&lt;/p&gt;
&lt;p&gt;Most people are comfortable with Burp proxy. You can set up Burp and its certificate in a similar way.&lt;/p&gt;
&lt;p&gt;But many times the Burp certificate does not work properly; in that case you can use ZAP&#39;s outgoing proxy to divert all HTTP/HTTPS requests and responses through Burp.&lt;/p&gt;
&lt;p&gt;Go to Tools &amp;gt; Options (Ctrl+Alt+O) &amp;gt; Connection and use the proxy chain.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-3/proxychain.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Provide the Burp proxy interface as the address/domain and port.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-3/burpporxy.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-3/inercept.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now you can intercept any application on the device in order to do dynamic analysis.&lt;/p&gt;
&lt;h2&gt;Conclusion :&lt;/h2&gt;
&lt;p&gt;In this article we learned how to set up a proxy with Windows Phone and intercept HTTPS requests and responses in order to perform dynamic analysis on applications. In the next article we will learn how to analyse isolated storage (the Windows Phone internal file system) using Windows Phone Power Tool.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Windows Mobile Application Security Testing - Part 2</title>
    
      <link href="https://anandtiwari.com/posts/2016/02/Windows-Mobile-Application-Security-Testing-Part-2/"/>
    
    <updated>2016-02-22T00:00:00Z</updated>
    <id>https://anandtiwari.com/posts/2016/02/Windows-Mobile-Application-Security-Testing-Part-2/</id>
    <content type="html">&lt;p&gt;Previous article we learned about the windows phone 8 security basics and their features. In this article we’ll going to learn about windows phone 8 applications and sideloading developer signed app in device.&lt;/p&gt;
&lt;h2&gt;About XAP Files&lt;/h2&gt;
&lt;p&gt;XAP is the file format used to distribute and install application software and middleware onto Microsoft&#39;s Windows Phone 7/8 operating system, and is the file format for Silverlight applications. Beginning with Windows Phone 8.1, XAP will be replaced by APPX as the file format used to install apps on the Windows Phone platform, a move which was done by Microsoft in order to unify the app development platforms for Windows Store apps and Windows Phone apps.&lt;/p&gt;
&lt;p&gt;XAP files are ZIP file formatted packages. The MIME type associated with XAP files is application/x-silverlight-app.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-2/Unziped.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;If you download an app from the Store and want to unzip it, you can’t. That&#39;s because Microsoft signs every Store app and protects it with DRM encryption. However, if the app is developer-signed, you can easily unzip the XAP file.&lt;/p&gt;
&lt;h2&gt;Encrypted and Unencrypted XAP file&lt;/h2&gt;
&lt;p&gt;The difference between a XAP file from the app store and an unencrypted XAP can be seen by opening the XAP file&#39;s headers in a text editor. A limitation of encrypted XAP files downloaded from the app store is that they cannot run in emulators. When conducting penetration tests of a Windows Phone application using emulators, it is required to obtain the XAP files of the application compiled by the developer, not from the Windows Store.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-2/Encrypted%20XAP.jpg&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-2/Unencrypted%20XAP.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;After some Google searching I found an unencrypted YouTube XAP file on the &lt;a href=&quot;http://forum.xda-developers.com/showthread.php?t=2525841&quot;&gt;xda-developers&lt;/a&gt; forum, which helps us understand encrypted and unencrypted applications and the difference between them.&lt;/p&gt;
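&lt;p&gt;Because a developer-signed XAP is a plain ZIP, the manifest inside it can be read by any ZIP library, which is also how part 4 of this series obtains the Product ID that ISETool takes on its command line. The following script is an added example, not code from the post: it opens a XAP as a ZIP, reads WMAppManifest.xml, extracts the ProductID GUID from the App element and composes the ISETool command line from it; a Store XAP, being DRM-protected, fails the ZIP check and is reported as unreadable. The manifest layout it builds (a Deployment root with an App element carrying ProductID and a Capabilities list) and both XAP blobs are constructed for the demo, and the GUID is the one the part 4 post passes to ISETool.&lt;/p&gt;

```python
"""Added example, not the post's own code: open a developer-signed XAP as the
ZIP archive it is, pull WMAppManifest.xml out of it, read the ProductID that
ISETool needs and compose the ISETool command line from it.  A Store XAP is
DRM-protected and not a readable ZIP, so the same code reports it as such.
The manifest layout and both XAP blobs are constructed for the demo."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

DEPLOY_NS = "http://schemas.microsoft.com/windowsphone/2012/deployment"
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# The ProductID the post passes to ISETool for the YouTube app.
DEMO_PRODUCT_ID = "dcbb1ac6-a89a-df11-a490-00237de2db9e"


def build_demo_manifest(product_id, capabilities):
    """Constructed WMAppManifest.xml (assumption: a Deployment root whose App
    element carries ProductID in braces and holds the Capabilities list)."""
    root = ET.Element("{%s}Deployment" % DEPLOY_NS, AppPlatformVersion="8.0")
    app = ET.SubElement(root, "App", ProductID="{%s}" % product_id,
                        Title="DemoApp", RuntimeType="Silverlight", Version="1.0.0.0")
    caps = ET.SubElement(app, "Capabilities")
    for name in capabilities:
        ET.SubElement(caps, "Capability", Name=name)
    return ET.tostring(root, encoding="utf-8")


def build_demo_xap(manifest_bytes):
    """Constructed developer-signed XAP: a plain ZIP holding the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WMAppManifest.xml", manifest_bytes)
        zf.writestr("DemoApp.dll", b"MZ" + b"\x00" * 62)  # placeholder assembly
    return buf.getvalue()


def build_demo_store_xap():
    """Constructed stand-in for a Store XAP: DRM-wrapped bytes, not a ZIP."""
    return b"DRM\x00" + b"\xff" * 64


def read_manifest(xap_bytes):
    """Return WMAppManifest.xml from the XAP, or None when the file is not a
    readable ZIP (the encrypted Store case) or carries no manifest."""
    try:
        with zipfile.ZipFile(io.BytesIO(xap_bytes)) as zf:
            return zf.read("WMAppManifest.xml")
    except (zipfile.BadZipFile, KeyError):
        return None


def read_product_id(manifest_bytes):
    """Pull the ProductID GUID out of the App element, braces stripped, and
    refuse anything that is not a well-formed GUID."""
    root = ET.fromstring(manifest_bytes)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "App":
            guid = el.get("ProductID", "").strip("{}").lower()
            if not GUID_RE.match(guid):
                raise ValueError("ProductID is not a GUID: %r" % guid)
            return guid
    raise ValueError("no App element in manifest")


def isetool_args(cmd, product_id, target="de", desktop_path=None):
    """Compose the ISETool.exe command line the post uses (ts, rs or dir
    against target 'de', the connected device, or 'xd', the emulator)."""
    if cmd not in ("ts", "rs", "dir"):
        raise ValueError("unsupported ISETool command: " + cmd)
    args = ["ISETool.exe", cmd, target, product_id]
    if cmd in ("ts", "rs"):
        if desktop_path is None:
            raise ValueError(cmd + " needs a desktop path")
        args.append(desktop_path)
    return args


if __name__ == "__main__":
    xap = build_demo_xap(build_demo_manifest(DEMO_PRODUCT_ID, ["ID_CAP_NETWORKING"]))
    manifest = read_manifest(xap)
    print(" ".join(isetool_args("ts", read_product_id(manifest), desktop_path="G:\\test\\")))
    print("store xap readable:", read_manifest(build_demo_store_xap()) is not None)
```

&lt;p&gt;On a real assessment, pass the bytes of the client&#39;s XAP to &lt;code&gt;read_manifest&lt;/code&gt;; a &lt;code&gt;None&lt;/code&gt; result tells you the package came from the Store and will not be usable for isolated storage inspection or emulator work, which is exactly the limitation described above.&lt;/p&gt;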
&lt;h2&gt;Sideloading developer signed app&lt;/h2&gt;
&lt;p&gt;If you want to perform security testing on your client&#39;s applications on un-rooted devices, you have to ask them for their developer-signed app; by sideloading that app you can perform dynamic as well as static analysis.&lt;/p&gt;
&lt;p&gt;If you downloaded or installed the app from the Store, you will only be able to perform dynamic analysis on it. To analyse the internal file system (isolated storage only) you need the developer-signed app. In a later blog post we will learn how to inspect isolated storage.&lt;/p&gt;
&lt;p&gt;You can sideload your developer-signed app using the Application Deployment app, which is installed on your system along with the SDK.&lt;/p&gt;
&lt;p&gt;Search your system for “Application Deployment” and open the application. If you cannot find the app, use the path C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\XAP Deployment, where you can run XapDeploy.exe.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-2/application%20deployement.png&quot; width=&quot;550&quot; height=&quot;500&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;You can sideload any developer-signed app onto your device using this application.&lt;/p&gt;
&lt;h2&gt;Windows Power Tool&lt;/h2&gt;
&lt;p&gt;Windows Power Tool is very useful while pentesting WP8 applications. It was developed for developers to deploy applications, test apps, check isolated storage and perform other useful functions. You can download this application from CodePlex.&lt;/p&gt;
&lt;p&gt;However, many times I have faced the error below while installing Windows Power Tool; you may face the same issue.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-2/windows%20powertool%20error.png&quot; width=&quot;380&quot; height=&quot;200&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;So it&#39;s better to install the offline file, which you can find on the &lt;a href=&quot;http://forum.xda-developers.com/showthread.php?t=2668378&quot;&gt;XDA Developer forum&lt;/a&gt;. Download the WPPowerToolsStandaloneAmir.zip file and extract it.&lt;/p&gt;
&lt;p&gt;Now run the WindowsPhonePowerTools.exe file.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-2/wp%20powertool.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;In order to connect your device to Windows Power Tool you have to unlock your screen and then click Connect.&lt;/p&gt;
&lt;p&gt;After you have successfully connected to Windows Power Tool you can install your developer-signed XAP files and perform other useful tasks for analysing the application.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-2/wpowertool.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;https://forum.xda-developers.com/windows-phone-8/development/tutorial-deploy-xaps-easily-wpv-xap-t3263968&quot;&gt;Deploy XAPs easily with WPV Xap Deployer&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;Project My Screen App&lt;/h2&gt;
&lt;p&gt;Microsoft has developed an application that lets users project the phone screen to an external display: connect the phone to the system with a USB cable and the phone display is projected onto the system.&lt;/p&gt;
&lt;p&gt;This app is useful for us while pentesting Windows mobile applications, as it gets the phone display onto our system.&lt;/p&gt;
&lt;p&gt;You can download the application from the Microsoft site: Project My Screen App.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-1/sdk%20installation.png&quot; /&gt;
&lt;/p&gt;
&lt;h2&gt;Conclusion :&lt;/h2&gt;
&lt;p&gt;In this article we gained an understanding of how WP8 applications are packaged and distributed. We also now know how to sideload a developer-signed app onto the device. In the next article we will learn how to do dynamic analysis on a WP8 application using the device.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Windows Mobile Application Security Testing - Part 1</title>
    
      <link href="https://anandtiwari.com/posts/2016/02/Windows-Mobile-Application-Security-Testing-Part-1/"/>
    
    <updated>2016-02-21T00:00:00Z</updated>
    <id>https://anandtiwari.com/posts/2016/02/Windows-Mobile-Application-Security-Testing-Part-1/</id>
    <content type="html">&lt;p&gt;In this article series we will learn about the tool and technique required to perform WP application security assessment. Also we’ll create Window mobile application testing environment to perform security assessment on WP applications.&lt;/p&gt;
&lt;h2&gt;Introduction: Windows phone&lt;/h2&gt;
&lt;p&gt;Windows Phone is a proprietary smartphone operating system developed by Microsoft. It is the successor to Windows Mobile, although it is incompatible with the earlier platform. With Windows Phone, Microsoft created a new user interface, featuring a design language named &amp;quot;Modern&amp;quot; (which was formerly known as &amp;quot;Metro&amp;quot;). Unlike its predecessor, it is primarily aimed at the consumer market rather than the enterprise market. It was first launched in October 2010 with &lt;a href=&quot;http://en.wikipedia.org/wiki/Windows_Phone_7&quot;&gt;Windows Phone 7&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Windows Phone 8&lt;/h2&gt;
&lt;p&gt;WP8 runs on the &lt;a href=&quot;http://en.wikipedia.org/wiki/ARM_architecture&quot;&gt;ARM hardware architecture&lt;/a&gt;, similar to iOS, Android, and BlackBerry. WP8 migrated to the Windows NT kernel instead of the Windows CE kernel which WP7 used. WP8 also uses the Windows Phone Runtime application architecture, not identical to WinRT, to give developers convergence between Windows 8 and WP8. Applications for WP8 may be coded in .NET (C# or VB.NET) and C++ but not JavaScript.&lt;/p&gt;
&lt;p&gt;Being based on the Windows NT kernel gives WP8 multiple benefits from an end-user security perspective. These security controls do not help a tester, but they do make the device more secure and attractive to enterprise users and decision makers.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;128-bit BitLocker for full disk encryption&lt;/li&gt;
&lt;li&gt;NTFS file system&lt;/li&gt;
&lt;li&gt;Sandboxed apps – no access to other apps&lt;/li&gt;
&lt;li&gt;SafeBoot: Secure Boot with Unified Extensible Firmware Interface (UEFI)&lt;/li&gt;
&lt;li&gt;This makes it difficult for software without a correct digital signature to be loaded on your Windows Phone, something jailbreakers need to bypass. More on jailbreaking later.&lt;/li&gt;
&lt;li&gt;TPM 2.0 standard, requires unique keys to be burned into the chip during production&lt;/li&gt;
&lt;li&gt;All Windows Phone 8 binaries must have legit digital signatures from Microsoft to run&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;New Security Features in Windows Phone 8.1&lt;/h2&gt;
&lt;p&gt;Microsoft added some security features in WP 8.1 to protect users. A Windows Phone 8.1 device is malware-resistant because it uses the same technologies as the Windows 8.1 desktop operating system. It secures the boot process, specifically through UEFI and its Secure Boot component. UEFI Secure Boot verifies that the boot loader is trusted, and then Trusted Boot protects the rest of the startup process by verifying that all Windows boot components have integrity and can be trusted. If malware has modified any file, Trusted Boot prevents that file from launching. Unsigned apps that are not from the Windows Store are unable to run on Windows Phone.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Secured enrollment with MDM systems&lt;/li&gt;
&lt;li&gt;Security policy management&lt;/li&gt;
&lt;li&gt;Lock down the phone to a specified set of applications and settings (Assigned Access)&lt;/li&gt;
&lt;li&gt;Automatically initiate VPN connections (auto-triggered VPN)&lt;/li&gt;
&lt;li&gt;Remote Assistance&lt;/li&gt;
&lt;li&gt;Remote business data removal&lt;/li&gt;
&lt;li&gt;Encryption of apps and confidential organizational data on removable storage&lt;/li&gt;
&lt;li&gt;Support for Secure and Multipurpose Internet Mail Extensions&lt;/li&gt;
&lt;li&gt;Support for enterprise Wi-Fi connectivity&lt;/li&gt;
&lt;li&gt;Support for virtual smart cards&lt;/li&gt;
&lt;li&gt;Support for new virtual private network (VPN) tunnel types.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Digital Right Management (DRM)&lt;/h2&gt;
&lt;p&gt;Microsoft signs all apps in order for them to run on a locked (non-developer-unlocked) device; this is similar to Apple requiring that code be a signed binary for it to run on a non-jailbroken iOS device.&lt;/p&gt;
&lt;p&gt;On Windows Phone 8 all apps are obtained via the Windows Phone Store. All applications submitted to the Store are subject to a Microsoft-defined submission process before being accepted and code-signed with a certificate issued by the aptly named certification authority, Microsoft Marketplace CA. Signed apps are then made available for purchase or free download to the general public who own Windows Phone 8 devices. In addition to being code-signed, applications from the Store are protected using the FairPlay DRM technology. Tampering with the XAP or APPX files being installed results in the installation being halted.&lt;/p&gt;
&lt;p&gt;All applications have to be Microsoft signed to run on WP8 or 8.1 devices. When developer mode is unlocked on a device, applications can be sideloaded, but in the context of Store applications running on the device of a standard consumer, all apps must be signed. We will learn about sideloading later.&lt;/p&gt;
&lt;h2&gt;Application Sandboxing&lt;/h2&gt;
&lt;p&gt;Windows Phone 8.x has a closed architecture, and applications are sandboxed to control their access to system resources and prevent them from accessing other applications&#39; data. On Windows Phone 8.x all third-party applications from the Store run in AppContainers.&lt;/p&gt;
&lt;h2&gt;AppContainer&lt;/h2&gt;
&lt;p&gt;AppContainer provides a high-level process-isolation mechanism that enforces security permission checks on operating system resources such as files, the registry and other resources. On Windows Phone 8.x every application runs inside an AppContainer and can only access its own private file sandbox. If an application tries to read or write outside of it, including other applications&#39; data, the access fails.&lt;/p&gt;
&lt;h2&gt;Capabilities&lt;/h2&gt;
&lt;p&gt;Capabilities define an application&#39;s ability to access OS services such as the camera or networking; that access is controlled by the capabilities the app declares. Capabilities are also used to provision the security of the least privilege chamber (LPC) and reduce the attack surface by only provisioning ACLs for what the application requires. Applications should only be assigned the capabilities they require to perform their functionality, and any unused capabilities should be removed.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;ID_CAP_NETWORKING&lt;/code&gt;—Outbound and inbound network access&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ID_CAP_PHONEDIALER&lt;/code&gt;—Access to the dialer functionality&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ID_CAP_MICROPHONE&lt;/code&gt;—Access to the microphone API&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ID_CAP_LOCATION&lt;/code&gt;—Access to geolocation data&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ID_CAP_ISV_CAMERA&lt;/code&gt;—Access to the device’s built-in camera&lt;/li&gt;
&lt;/ul&gt;
&lt;pre class=&quot;language-xml&quot;&gt;&lt;code class=&quot;language-xml&quot;&gt;&amp;lt;Capabilities&gt;
      &amp;lt;Capability Name=&quot;ID_CAP_NETWORKING&quot; /&gt;
      &amp;lt;Capability Name=&quot;ID_CAP_WEBBROWSERCOMPONENT&quot; /&gt;
      &amp;lt;Capability Name=&quot;ID_CAP_CONTACTS&quot; /&gt;
      &amp;lt;Capability Name=&quot;ID_CAP_PHONEDIALER&quot; /&gt;
&amp;lt;/Capabilities&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;Capability elements are entries in the app manifest that declare the special software capabilities the app needs. The list is shown to the user when the app is installed, and it is also the first thing to read in a security review: every declared capability is both attack surface for the app and a privacy question for the user, so any capability the app does not demonstrably need should be challenged.&lt;/p&gt;
&lt;p&gt;The full list of capabilities and what each one grants is documented on the &lt;a href=&quot;https://msdn.microsoft.com/en-in/library/windows/apps/jj206936(v=vs.105).aspx#BKMK_Softwarecapabilities&quot;&gt;Microsoft site&lt;/a&gt;.&lt;/p&gt;
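&lt;p&gt;As an added example that is not from the original post, the following Python script does the first check of an assessment for you: it parses the Capabilities block of a WMAppManifest.xml (here a constructed sample mirroring the block above, wrapped in the WP8 deployment namespace as I recall it; matching is on local element names, so the script does not depend on that URI) and splits the declared capabilities into the ones worth challenging and the rest. The SENSITIVE table and its one-line descriptions are my own review shorthand, not Microsoft’s classification.&lt;/p&gt;

```python
import xml.etree.ElementTree as ET

# WP8 deployment namespace as I recall it; matching below is by local name anyway.
WP8_NS = "http://schemas.microsoft.com/windowsphone/2012/deployment"

# Review shorthand for capabilities a pentester should always question.
# Descriptions are my own paraphrase, not the official documentation text.
SENSITIVE = {
    "ID_CAP_CONTACTS": "read the user's contacts",
    "ID_CAP_PHONEDIALER": "place phone calls",
    "ID_CAP_LOCATION": "read the device location",
    "ID_CAP_ISV_CAMERA": "use the built-in camera",
    "ID_CAP_MICROPHONE": "record audio",
    "ID_CAP_WEBBROWSERCOMPONENT": "host a web browser control inside the app",
}


def build_sample_manifest():
    """Constructed WMAppManifest.xml fragment mirroring the post's Capabilities block."""
    deployment = ET.Element("{%s}Deployment" % WP8_NS, AppPlatformVersion="8.0")
    app = ET.SubElement(deployment, "{%s}App" % WP8_NS, Title="SampleApp")
    caps = ET.SubElement(app, "{%s}Capabilities" % WP8_NS)
    for name in ("ID_CAP_NETWORKING", "ID_CAP_WEBBROWSERCOMPONENT",
                 "ID_CAP_CONTACTS", "ID_CAP_PHONEDIALER"):
        ET.SubElement(caps, "{%s}Capability" % WP8_NS, Name=name)
    return ET.tostring(deployment, encoding="utf-8")


def declared_capabilities(manifest_bytes):
    """Return the Name attribute of every Capability element, in manifest order.
    The namespace is ignored so the function works on namespaced and bare manifests."""
    names = []
    for elem in ET.fromstring(manifest_bytes).iter():
        if isinstance(elem.tag, str) and elem.tag.rpartition("}")[2] == "Capability":
            name = elem.get("Name")
            if name:
                names.append(name)
    return names


def review_capabilities(manifest_bytes):
    """Split declared capabilities into (flagged: name to reason, unflagged: list)."""
    names = declared_capabilities(manifest_bytes)
    flagged = {name: SENSITIVE[name] for name in names if name in SENSITIVE}
    unflagged = [name for name in names if name not in SENSITIVE]
    return flagged, unflagged


if __name__ == "__main__":
    flagged, unflagged = review_capabilities(build_sample_manifest())
    for name, reason in flagged.items():
        print("CHECK %s: app can %s" % (name, reason))
    print("other capabilities:", ", ".join(unflagged))
```

&lt;p&gt;Run it against the manifest extracted from the XAP under test rather than the sample; a flagged capability is not a finding by itself, but each one needs a feature in the app that justifies it.&lt;/p&gt;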
&lt;p&gt;Prerequisites&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Windows 8 OS&lt;/li&gt;
&lt;li&gt;Physical Device or Emulator&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://download.microsoft.com/download/9/3/8/938A5074-461F-4E3D-89F4-5CE2F42C1E36/wpsdkv80_enu1.iso&quot;&gt;Windows Phone SDK 8.0&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Setup Environment for Windows Mobile Applications testing&lt;/h2&gt;
&lt;h3&gt;Windows 8 OS&lt;/h3&gt;
&lt;p&gt;The test environment needs Windows 8 because the Windows Phone 8 SDK, and in particular its emulator, is supported only on Windows 8.&lt;/p&gt;
&lt;p&gt;The emulator runs as a Hyper-V virtual machine, so the lab machine must also meet the following requirements.&lt;/p&gt;
&lt;p&gt;System requirements:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;BIOS support for hardware-assisted virtualization.&lt;/li&gt;
&lt;li&gt;BIOS support for Second Level Address Translation (SLAT).&lt;/li&gt;
&lt;li&gt;BIOS support for hardware-based Data Execution Prevention (DEP).&lt;/li&gt;
&lt;li&gt;4 GB or more of RAM.&lt;/li&gt;
&lt;li&gt;64-bit version of Windows 8 Pro edition or higher.&lt;/li&gt;
&lt;li&gt;In Windows, Hyper-V must be enabled and running.&lt;/li&gt;
&lt;li&gt;You must be a member of the local Hyper-V Administrators group.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Network requirements:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;DHCP.&lt;/li&gt;
&lt;li&gt;Automatically configured DNS and gateway settings.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Windows Phone SDK tool&lt;/h2&gt;
&lt;p&gt;The Windows Phone SDK is the core toolset for both development and security assessment of Windows Phone 8.x apps. Two of its components matter most for us: Visual Studio, for reviewing and debugging code, and the emulator, for running apps from source.&lt;/p&gt;
&lt;p&gt;Visual Studio is Microsoft’s official integrated development environment and is used for developing WP applications.&lt;/p&gt;
&lt;p&gt;In a security assessment you can use Visual Studio for:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Manually reviewing source code&lt;/li&gt;
&lt;li&gt;Running a project from source on the emulator or on a device&lt;/li&gt;
&lt;li&gt;Debugging the app at source level&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Windows SDK installation&lt;/h2&gt;
&lt;p&gt;Download and install the Windows Phone SDK 8.0 on your system. The WP 8 SDK provides the tools you use to develop and deploy applications to a device, and it is also useful for further analysis.&lt;/p&gt;
&lt;p&gt;The SDK is distributed as an &lt;a href=&quot;http://download.microsoft.com/download/9/3/8/938A5074-461F-4E3D-89F4-5CE2F42C1E36/wpsdkv80_enu1.iso&quot;&gt;.iso&lt;/a&gt; image; either burn it to a blank DVD or mount it as a virtual DVD drive with a tool such as &lt;a href=&quot;http://filehippo.com/download_daemon_tools/&quot;&gt;DAEMON Tools Lite&lt;/a&gt;.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-1/sdk%20installation.png&quot; /&gt;
&lt;/p&gt;
&lt;h2&gt;Windows Phone developer-unlocked device (non-jailbroken device)&lt;/h2&gt;
&lt;p&gt;Microsoft lets developers sideload apps onto a device for debugging and testing. You unlock a device by registering it with the Windows Phone Developer Registration tool, after which you can sideload your own developer-signed apps for testing. The only limitation of a developer-unlocked device is that you can install a maximum of 3 developer-signed apps.&lt;/p&gt;
&lt;p&gt;For WP application security analysis a developer-unlocked device is enough: we sideload a developer-signed build of the app under test and analyse it there, with no jailbreak required.&lt;/p&gt;
&lt;p&gt;To unlock the device you must first install the SDK; the developer phone registration tool that ships with it does the rest.&lt;/p&gt;
&lt;p&gt;Registering your phone:&lt;/p&gt;
&lt;p&gt;To register a phone, use the Windows Phone Developer Registration tool. This is a stand-alone tool that’s installed as part of the Windows Phone SDK.&lt;/p&gt;
&lt;p&gt;Turn on your phone and unlock the phone screen.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-1/WP%20screen.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Make sure the date and time on the phone are correct.&lt;/p&gt;
&lt;p&gt;Connect the phone to the PC with a USB cable.&lt;/p&gt;
&lt;p&gt;On the PC, search for the app “Windows Phone Developer Registration” on the Start screen.&lt;/p&gt;
&lt;p&gt;If you cannot find it, the registration tool is at this path: &lt;code&gt;C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\Phone Registration\PhoneReg.exe&lt;/code&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-1/Regpath%20app.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Run &lt;code&gt;PhoneReg.exe&lt;/code&gt;.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-1/wp%20registration.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Make sure the phone screen is unlocked.&lt;/p&gt;
&lt;p&gt;Now click on Register and sign in with any Hotmail or Microsoft account. (If you do not have a Microsoft account, I recommend registering one at Hotmail.)&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-1/wp%20registration2.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Congratulations! You have successfully registered and unlocked your device.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/windows-1/wp%20registration3.png&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;You can now sideload apps (developer-signed apps only) onto your device.&lt;/p&gt;
&lt;h2&gt;Conclusion:&lt;/h2&gt;
&lt;p&gt;In this article we covered the basics of Windows Phone application security and set up the test environment. In the next article we will look at the application package files, how to sideload an app, and which tools are needed to deploy developer-signed applications.&lt;/p&gt;
&lt;h2&gt;Reference:&lt;/h2&gt;
&lt;p&gt;&lt;a href=&quot;https://labs.mwrinfosecurity.com/system/assets/651/original/mwri_wp8_appsec-whitepaper-syscan_2014-03-30.pdf&quot;&gt;https://labs.mwrinfosecurity.com/system/assets/651/original/mwri_wp8_appsec-whitepaper-syscan_2014-03-30.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;https://msdn.microsoft.com/library/windows/apps/jj206936(v=vs.105).aspx&quot;&gt;https://msdn.microsoft.com/library/windows/apps/jj206936(v=vs.105).aspx&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;https://dev.windows.com/en-us/downloads/sdk-archive&quot;&gt;https://dev.windows.com/en-us/downloads/sdk-archive&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;https://msdn.microsoft.com/en-in/library/windows/apps/jj206936(v=vs.105).aspx#BKMK_Softwarecapabilities&quot;&gt;https://msdn.microsoft.com/en-in/library/windows/apps/jj206936(v=vs.105).aspx#BKMK_Softwarecapabilities&lt;/a&gt;&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>PayPal Stored XSS using XML file upload</title>
    
      <link href="https://anandtiwari.com/posts/2015/11/PayPal-Stored-XSS-sing-XML-file-upload/"/>
    
    <updated>2015-11-03T00:00:00Z</updated>
    <id>https://anandtiwari.com/posts/2015/11/PayPal-Stored-XSS-sing-XML-file-upload/</id>
    <content type="html">&lt;p&gt;Hey Guys,&lt;/p&gt;
&lt;p&gt;Today I’m going to share one of my interesting Stored XSS findings on the PayPal site, using XML file upload.&lt;/p&gt;
&lt;p&gt;PayPal allows users to create an invoice and send it to other users, and also allows attaching a file to the invoice. So I started trying to upload files with different extensions and found that PayPal allows users to upload XML-formatted files.&lt;/p&gt;
&lt;p&gt;So next I tried for an XXE vulnerability, but had no luck, which made me happy. I applied a couple more test cases but did not find anything interesting that would make this vulnerable.&lt;/p&gt;
&lt;p&gt;Then I noticed that if we upload an XML file containing a script tag, it works perfectly.&lt;/p&gt;
&lt;pre class=&quot;language-xml&quot;&gt;&lt;code class=&quot;language-xml&quot;&gt;&lt;div class=&quot;highlight-line&quot;&gt;&lt;span class=&quot;token prolog&quot;&gt;&amp;lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;&lt;span class=&quot;token tag&quot;&gt;&lt;span class=&quot;token tag&quot;&gt;&lt;span class=&quot;token punctuation&quot;&gt;&amp;lt;&lt;/span&gt;Query&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;   &lt;span class=&quot;token tag&quot;&gt;&lt;span class=&quot;token tag&quot;&gt;&lt;span class=&quot;token punctuation&quot;&gt;&amp;lt;&lt;/span&gt;SearchTerm&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;      &lt;span class=&quot;token tag&quot;&gt;&lt;span class=&quot;token tag&quot;&gt;&lt;span class=&quot;token punctuation&quot;&gt;&amp;lt;&lt;/span&gt;script&lt;/span&gt; &lt;span class=&quot;token attr-name&quot;&gt;xmlns&lt;/span&gt;&lt;span class=&quot;token attr-value&quot;&gt;&lt;span class=&quot;token punctuation attr-equals&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;&quot;&lt;/span&gt;http://www.w3.org/1999/xhtml&lt;span class=&quot;token punctuation&quot;&gt;&quot;&lt;/span&gt;&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;          alert(document.cookie);&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;      &lt;span class=&quot;token tag&quot;&gt;&lt;span class=&quot;token tag&quot;&gt;&lt;span class=&quot;token punctuation&quot;&gt;&amp;lt;/&lt;/span&gt;script&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;   &lt;span 
class=&quot;token tag&quot;&gt;&lt;span class=&quot;token tag&quot;&gt;&lt;span class=&quot;token punctuation&quot;&gt;&amp;lt;/&lt;/span&gt;SearchTerm&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;&lt;span class=&quot;token tag&quot;&gt;&lt;span class=&quot;token tag&quot;&gt;&lt;span class=&quot;token punctuation&quot;&gt;&amp;lt;/&lt;/span&gt;Query&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;Now the next step: exploit it!&lt;/p&gt;
&lt;p&gt;Exploiting the bug is very easy. Create an invoice with the XML file attached and send it to the victim. When the victim opens the attached XML file, the script runs in his/her browser, executing as if it were part of the site that served the file; that is what makes this a stored XSS rather than a harmless attachment.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;iframe width=&quot;560&quot; height=&quot;315&quot; src=&quot;https://www.youtube.com/embed/4mWKE89ExNM&quot; frameborder=&quot;0&quot; allow=&quot;accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture&quot; allowfullscreen=&quot;&quot;&gt;&lt;/iframe&gt;
&lt;/p&gt;
&lt;p&gt;I reported it to the PayPal security team and the bug was valid. After the fix, the PayPal team rewarded me with a bounty under the PayPal Bug Bounty program.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/paypal/paypal.png&quot; width=&quot;380&quot; height=&quot;250&quot; /&gt;
&lt;/p&gt;
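&lt;p&gt;Why the payload works: a browser asked to render an XML document inline treats elements in the XHTML (or SVG) namespace as live HTML, so a script element wrapped in an innocent-looking root still executes. As an added example that is not from the original post or from PayPal, the Python below shows both halves of the fix on the serving side: a scanner that flags XHTML/SVG-namespaced elements and on* handler attributes in an upload (run against a constructed sample mirroring the payload above), and the response headers that make the browser save the file instead of rendering it. Element and function names are my own.&lt;/p&gt;

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
SVG_NS = "http://www.w3.org/2000/svg"
RENDERED_NAMESPACES = {XHTML_NS, SVG_NS}


def find_active_content(xml_bytes):
    """List what a browser would treat as live markup if it rendered this XML inline:
    elements in the XHTML or SVG namespace, plus on* event-handler attributes.
    Returns a list of (kind, name) tuples; an empty list means nothing was found."""
    findings = []
    for elem in ET.fromstring(xml_bytes).iter():
        if not isinstance(elem.tag, str):
            continue                     # comments / PIs, if a parser keeps them
        namespace, _, local_name = elem.tag.rpartition("}")
        namespace = namespace.lstrip("{")
        if namespace in RENDERED_NAMESPACES:
            findings.append((namespace, local_name))
        for attr_name in elem.attrib:
            if attr_name.lower().startswith("on"):
                findings.append(("attribute", attr_name))
    return findings


def build_payload():
    """Constructed sample mirroring the post's file: a harmless-looking root element
    with an XHTML-namespaced script element inside it."""
    query = ET.Element("Query")
    term = ET.SubElement(query, "SearchTerm")
    script = ET.SubElement(term, "{%s}script" % XHTML_NS)
    script.text = "alert(document.cookie);"
    return ET.tostring(query, encoding="utf-8")


def build_benign():
    """Constructed sample of what an invoice attachment should look like."""
    query = ET.Element("Query")
    ET.SubElement(query, "SearchTerm").text = "invoice 1234"
    return ET.tostring(query, encoding="utf-8")


def download_headers(filename, content_type="application/octet-stream"):
    """Headers that stop the browser rendering the upload at all: attachment
    disposition, a non-renderable type, and nosniff so the type is not guessed.
    Serving uploads from a separate, cookie-less origin is the stronger companion fix."""
    safe_name = "".join(ch for ch in filename if ch.isalnum() or ch in "._-") or "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
    }


def handle_upload(xml_bytes, filename):
    """Upload policy: reject files carrying active content, and even for clean
    files only ever serve them back as a download (the scan is defence in depth)."""
    findings = find_active_content(xml_bytes)
    if findings:
        return {"accepted": False, "reason": findings, "headers": None}
    return {"accepted": True, "reason": [], "headers": download_headers(filename)}


if __name__ == "__main__":
    print(handle_upload(build_payload(), "invoice.xml"))
    print(handle_upload(build_benign(), "invoice.xml"))
```

&lt;p&gt;The scanner alone is not enough: an attacker who finds a namespace or element it misses still gets code execution if the file is rendered inline on the main origin. The headers (or a separate origin) are what actually remove the XSS; the scan just keeps obviously hostile files out of the store.&lt;/p&gt;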
</content>
  </entry>
  
  <entry>
    <title>Bypass Google Drive iOS App Passcode using runtime Analysis</title>
    
      <link href="https://anandtiwari.com/posts/2015/01/Bypass-Google-Drive-iOS-App-Passcode-using-runtime-Analysis/"/>
    
    <updated>2015-01-06T00:00:00Z</updated>
    <id>https://anandtiwari.com/posts/2015/01/Bypass-Google-Drive-iOS-App-Passcode-using-runtime-Analysis/</id>
    <content type="html">&lt;p&gt;Recently I was working on runtime analysis of iOS applications and found that there is way to bypass passcode by hooking into the application runtime, access &amp;amp; modify the instance variables, invoke the instance methods and override the existing methods.&lt;/p&gt;
&lt;p&gt;So i started looking for bugs in google iOS applications soon I found that google drive uses a security passcode. once the passcode is set, whenever the app is launched it prompts for the passcode. So this passcode lock can be bypassed by manipulating the iOS runtime with &lt;a href=&quot;http://www.cycript.org/&quot;&gt;cycript&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Before moving into runtime, I have quickly decrypted the app using &lt;code&gt;clutch&lt;/code&gt; and obtained the class information using &lt;code&gt;class-dump&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;So now connected to the iPhone over SSH and Launch the Google Drive app and set passcode into Google Drive and also set as Always lock.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/bypass-google-drive/IMG_0126.png&quot; width=&quot;280&quot; height=&quot;500&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;I attached &lt;code&gt;cycript&lt;/code&gt; to the Drive process and obtained the view controller instance.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/bypass-google-drive/1.png&quot; width=&quot;700&quot; height=&quot;300&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;The app should be sitting at the lock screen, so the next step is to find out which view controller is current at that moment, as this is the one we will want to manipulate.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/bypass-google-drive/2.png&quot; width=&quot;500&quot; height=&quot;650&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;From the last line we now know the name of the lock screen view controller: &lt;code&gt;GDAPasscodeVC&lt;/code&gt;. This is the one we will want to look into.&lt;/p&gt;
&lt;p&gt;I looked at the class dump of the &lt;code&gt;GDAPasscodeVC&lt;/code&gt; interface for interesting methods/variables and noticed an interesting method, &lt;code&gt;userWasAuthenticated&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;I created a variable named &lt;code&gt;testing&lt;/code&gt; pointing to the current &lt;code&gt;ViewController&lt;/code&gt;. This is just to make things easier later on. You can alternatively just type the following to get the current &lt;code&gt;ViewController&lt;/code&gt; and call the method on it.&lt;/p&gt;
&lt;pre class=&quot;language-java&quot;&gt;&lt;code class=&quot;language-java&quot;&gt;&lt;div class=&quot;highlight-line&quot;&gt;&lt;span class=&quot;token class-name&quot;&gt;Cy&lt;/span&gt;#testing&lt;span class=&quot;token operator&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;token class-name&quot;&gt;UIApp&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;keyWindow&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;rootViewController&lt;span class=&quot;token punctuation&quot;&gt;.&lt;/span&gt;visibleViewController&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;&lt;span class=&quot;token class-name&quot;&gt;Cy&lt;/span&gt;#&lt;span class=&quot;token punctuation&quot;&gt;[&lt;/span&gt;testing userWasAuthenticated&lt;span class=&quot;token punctuation&quot;&gt;]&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/pre&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/bypass-google-drive/5.png&quot; width=&quot;600&quot; height=&quot;350&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Invoking the &lt;code&gt;userWasAuthenticated&lt;/code&gt; method directly from the &lt;code&gt;cycript&lt;/code&gt; prompt logged me into the app, without the passcode ever being entered.&lt;/p&gt;
&lt;p&gt;This is one thing we can do with runtime analysis. Typically we can manipulate the runtime to break logic checks, escalate privileges or steal information from memory.&lt;/p&gt;
&lt;p&gt;Video Demonstration :&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;iframe width=&quot;660&quot; height=&quot;415&quot; src=&quot;https://www.youtube.com/embed/vhs2EZxOyGk&quot; frameborder=&quot;0&quot; allow=&quot;accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture&quot; allowfullscreen=&quot;&quot;&gt;&lt;/iframe&gt;
&lt;/p&gt;
&lt;h2&gt;Remediation :&lt;/h2&gt;
&lt;p&gt;We could add an extra parameter to the method, or otherwise obscure it, which might make it harder to invoke from cycript, but that is not a full mitigation against bypassing the passcode. The reason is that it is practically impossible to protect an application against an attacker who can run code inside the application’s own process (which is exactly what we are doing by attaching to it): any check that lives in the client can be flipped, and any method can still be found and called.&lt;/p&gt;
&lt;p&gt;The best way to prevent this type of attack is server-side validation: the server should only hand out the protected data once it has itself verified the passcode, so that a client-side flag set by a hooked method gains the attacker nothing.&lt;/p&gt;
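&lt;p&gt;To make the remediation concrete, here is an added example (my own model, not Google Drive’s code or API) of what “server-side validation” means for a passcode lock. The app keeps a local flag that a hooked &lt;code&gt;userWasAuthenticated&lt;/code&gt; call can flip, but the data endpoint consults only the server’s own unlock window, which is opened solely by a passcode verified on the server with a slow salted hash, a constant-time compare, an attempt limit and an expiry. Class names, the PBKDF2 parameters and the sample file list are assumptions for illustration.&lt;/p&gt;

```python
import hashlib
import hmac
import operator
import os
import time

PBKDF2_ROUNDS = 100_000        # illustrative cost; tune for the server
MAX_FAILED_ATTEMPTS = 5        # online guessing limit per session
UNLOCK_TTL_SECONDS = 300       # how long one verified passcode keeps the session open


def derive_passcode_hash(passcode, salt):
    """Slow salted hash so a leaked database does not hand out passcodes."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, PBKDF2_ROUNDS)


class ServerSession:
    """Server-side state for one signed-in client. The lock lives here, not in the app."""

    def __init__(self, passcode):
        self.salt = os.urandom(16)
        self.passcode_hash = derive_passcode_hash(passcode, self.salt)
        self.unlocked_until = 0.0      # epoch seconds; 0 means locked
        self.failed_attempts = 0


def unlock(session, passcode, now=None):
    """Verify the passcode on the server; on success open a time-limited unlock window."""
    now = time.time() if now is None else now
    if operator.ge(session.failed_attempts, MAX_FAILED_ATTEMPTS):
        return False                   # locked out; the recovery flow is not modelled here
    candidate = derive_passcode_hash(passcode, session.salt)
    if not hmac.compare_digest(candidate, session.passcode_hash):
        session.failed_attempts += 1
        return False
    session.failed_attempts = 0
    session.unlocked_until = now + UNLOCK_TTL_SECONDS
    return True


def is_unlocked(session, now=None):
    now = time.time() if now is None else now
    return operator.lt(now, session.unlocked_until)


def fetch_files(session, now=None):
    """Data endpoint: it consults only the server's own unlock state."""
    if not is_unlocked(session, now):
        return {"status": 403, "files": []}
    return {"status": 200, "files": ["report.pdf", "notes.txt"]}   # constructed sample data


class AppClient:
    """Mirrors the app side: a local flag that runtime hooking can flip, and a server
    session the app has to go through for anything that matters."""

    def __init__(self, server_session):
        self.server = server_session
        self.local_unlocked = False

    def userWasAuthenticated(self):
        """The method the post invokes from cycript. Here it only changes UI state."""
        self.local_unlocked = True

    def list_files(self, now=None):
        if not self.local_unlocked:
            return {"status": 0, "files": []}   # UI still on the lock screen
        return fetch_files(self.server, now)


if __name__ == "__main__":
    session = ServerSession("1234")
    app = AppClient(session)
    app.userWasAuthenticated()                 # the cycript bypass
    print("after hook:", app.list_files())      # 403: server still locked
    unlock(session, "1234")
    print("after real unlock:", app.list_files())
```

&lt;p&gt;The hook still dismisses the lock screen, because the client UI is the attacker’s to control; what it no longer does is produce any data. That is the property to test for: after forcing the success path in the client, does the server still refuse?&lt;/p&gt;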
</content>
  </entry>
  
  <entry>
    <title>Password Reset Vulnerability</title>
    
      <link href="https://anandtiwari.com/posts/2014/05/Password-Reset-Vulnerability/"/>
    
    <updated>2014-05-31T00:00:00Z</updated>
    <id>https://anandtiwari.com/posts/2014/05/Password-Reset-Vulnerability/</id>
    <content type="html">&lt;p&gt;Hi guys !&lt;/p&gt;
&lt;p&gt;Today I am going to share one of my findings, a password reset vulnerability which I found recently.&lt;/p&gt;
&lt;p&gt;While testing, I mostly start with the login and password reset functionality. These two are critical in any application: bypassing the login lets you take over an account outright, and a flawed password reset can compromise an account just as completely. Both deserve close attention in any pentest.&lt;/p&gt;
&lt;p&gt;Most sites I have tested implement login and password reset properly, but sometimes poor logic or a small flow error makes them vulnerable. So always analyse the login and password reset flow and think about how its logic could be abused. Sometimes the exploitation is hard; other times it is surprisingly easy.&lt;/p&gt;
&lt;p&gt;So let’s start with the password reset vulnerability I found while performing a pentest. I started looking into an application which appeared nice (because it was a dating site :) ). I explored all the functionality and understood the application workflow, which helped me in finding vulnerabilities. Then I focused on the login mechanism. I tried some test cases for authentication bypass but FAILED :(&lt;/p&gt;
&lt;p&gt;Now what ?&lt;/p&gt;
&lt;p&gt;I asked myself: do I need to start testing for common flaws like SQLi, XSS, CSRF? No. I thought of giving them a try after some time.&lt;/p&gt;
&lt;p&gt;Moving on to the password reset page, I started analysing it. When I visited the password reset page it asked me to enter an email or user id, which is quite common on such a page. I entered my email id and got the password reset token in my mail. (I already had an account on that site for testing.)&lt;/p&gt;
&lt;p&gt;After that I used that token link and reset my password; everything worked fine and the password was successfully changed.&lt;/p&gt;
&lt;p&gt;Then I started analysing the password reset token link I got by clicking on the link provided in the mail. It looked like the one shown below.&lt;/p&gt;
&lt;pre class=&quot;language-bash&quot;&gt;&lt;code class=&quot;language-bash&quot;&gt;&lt;div class=&quot;highlight-line&quot;&gt;https://site.com/token&lt;span class=&quot;token operator&quot;&gt;=&lt;/span&gt;7c8bab06c29d8264e391d317744b17e0&lt;span class=&quot;token operator&quot;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&quot;token assign-left variable&quot;&gt;lang&lt;/span&gt;&lt;span class=&quot;token operator&quot;&gt;=&lt;/span&gt;US&lt;/div&gt;&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;I realised that the token parameter value looked like an MD5 hash. I started trying to decrypt it but was unable to.&lt;/p&gt;
&lt;p&gt;I collected more tokens and analysed them but did not get anything interesting.&lt;/p&gt;
&lt;p&gt;While analysing, I suddenly found that two types of token links were being used: one when they send the token by mail (as mentioned above), and another when I was using the token, as shown below.&lt;/p&gt;
&lt;pre class=&quot;language-bash&quot;&gt;&lt;code class=&quot;language-bash&quot;&gt;&lt;div class=&quot;highlight-line&quot;&gt;https://site.com/qw_email/link/ac&lt;span class=&quot;token operator&quot;&gt;=&lt;/span&gt;VG5wTk1FNVVXVE5OVkd0M1RtcFJlZz09&lt;span class=&quot;token operator&quot;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&quot;token assign-left variable&quot;&gt;req&lt;/span&gt;&lt;span class=&quot;token operator&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;token number&quot;&gt;21&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;So now I had two token links&lt;/p&gt;
&lt;pre class=&quot;language-bash&quot;&gt;&lt;code class=&quot;language-bash&quot;&gt;&lt;div class=&quot;highlight-line&quot;&gt;first &lt;span class=&quot;token builtin class-name&quot;&gt;:&lt;/span&gt; https://site.com/qw_email/link/ac&lt;span class=&quot;token operator&quot;&gt;=&lt;/span&gt;VG5wTk1FNVVXVE5OVkd0M1RtcFJlZz09&lt;span class=&quot;token operator&quot;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&quot;token assign-left variable&quot;&gt;req&lt;/span&gt;&lt;span class=&quot;token operator&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;token number&quot;&gt;21&lt;/span&gt; &lt;span class=&quot;token punctuation&quot;&gt;(&lt;/span&gt;what i got &lt;span class=&quot;token keyword&quot;&gt;in&lt;/span&gt; my mail &lt;span class=&quot;token punctuation&quot;&gt;)&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;highlight-line&quot;&gt;second &lt;span class=&quot;token builtin class-name&quot;&gt;:&lt;/span&gt; https://site.com/token&lt;span class=&quot;token operator&quot;&gt;=&lt;/span&gt;7c8bab06c29d8264e391d317744b17e0&lt;span class=&quot;token operator&quot;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&quot;token assign-left variable&quot;&gt;lang&lt;/span&gt;&lt;span class=&quot;token operator&quot;&gt;=&lt;/span&gt;en &lt;span class=&quot;token punctuation&quot;&gt;(&lt;/span&gt;what i got after clicking the above &lt;span class=&quot;token function&quot;&gt;link&lt;/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;)&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;The second token was impossible to decrypt!&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/MSpE99u.gif&quot; width=&quot;400&quot; height=&quot;300&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now looking into the first token, the one in my mail: I found that it did not look hashed. It was something else.&lt;/p&gt;
&lt;p&gt;So I tried to decode it with different decoding techniques but did not get anything interesting. But after some time I decoded it with base64 repeatedly, and after a few attempts finally found a numeric value. :)&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/decoded.png&quot; width=&quot;800&quot; height=&quot;500&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;Now it was time to understand that numeric value.&lt;/p&gt;
&lt;p&gt;Earlier, while trying to understand the application workflow, I had found that the user id value they use is numeric, so I immediately opened my profile and compared that numeric value, and yeah! It was the same.&lt;/p&gt;
&lt;p&gt;So I found that the &lt;code&gt;ac&lt;/code&gt; parameter holds the user id value, base64-encoded three times.&lt;/p&gt;
&lt;p&gt;From my analysis, what I got was: when the user clicks on &amp;quot;Reset your password now&amp;quot;, the first token is sent to the email id; it contains the &lt;code&gt;ac&lt;/code&gt; parameter value (the encoded form of the user id) and a &lt;code&gt;req&lt;/code&gt; parameter. Clicking on that link requests the second token from the server side, which validates the user id contained in the first token and returns the reset password form.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/floww.png&quot; width=&quot;600&quot; height=&quot;400&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;I needed to cross-check it with another user account. So I created another account, noted down its user id value, then encoded it three times using base64.&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;Victim UserId = 562199544561
Encoded = VGxSWmVVMVVhelZPVkZFd1RsUlplQT09
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;Then I crafted a password reset link, which looks as follows:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;https://site.com/qw_email/link/ac=VGxSWmVVMVVhelZPVkZFd1RsUlplQT09&amp;amp;req=55
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;By using this link I was able to reset the password of the other user account. So the attack is: enumerate a user id (which was possible in that application), request a password reset for my own account, and in the reset link I receive replace the &lt;code&gt;ac&lt;/code&gt; parameter value with the thrice base64-encoded user id of the victim. Clicking the modified link gives me the password reset form for the victim account and lets me take it over.&lt;/p&gt;
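&lt;p&gt;As an added example (my own code, not the site’s), the Python below automates both sides of what the post walks through. &lt;code&gt;peel_base64&lt;/code&gt; is the general form of the “decode it again” step: it keeps stripping base64 layers while the result is still printable text, so it recovers the user id from the mail token above and reports how many layers it removed. &lt;code&gt;forge_reset_link&lt;/code&gt; rebuilds the first-stage link for any user id, reproducing the crafted link above. &lt;code&gt;ResetTokenStore&lt;/code&gt; then shows what the site should have sent instead: a random token the server binds to the user, expires and accepts only once, stored only as a hash. The link base is taken from the post; the store’s TTL and names are assumptions.&lt;/p&gt;

```python
import base64
import binascii
import hashlib
import operator
import secrets
import time
from urllib.parse import urlencode

RESET_LINK_BASE = "https://site.com/qw_email/link/"   # link format shown in the post


def peel_base64(value, max_layers=8):
    """Strip nested base64 layers while each result is still printable ASCII.
    Returns (innermost_text, layers_removed). Anything that is not valid base64,
    or that decodes to binary, ends the loop, so plain text comes back unchanged."""
    current, layers = value, 0
    while layers != max_layers:
        try:
            text = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        if not text or not text.isprintable():
            break
        current, layers = text, layers + 1
    return current, layers


def wrap_base64(text, layers=3):
    """The site's 'encoding': base64 applied `layers` times. Reversible, so not a secret."""
    data = text.encode("ascii")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


def forge_reset_link(victim_user_id, req):
    """Rebuild the first-stage link for an arbitrary user id, as the attacker does."""
    query = urlencode({"ac": wrap_base64(str(victim_user_id)), "req": req}, safe="=")
    return RESET_LINK_BASE + query


class ResetTokenStore:
    """How the link should be built instead: an unguessable token the server binds
    to the user, expires, and accepts once. Only its hash is stored, so reading the
    database does not yield live tokens."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._tokens = {}   # maps sha256(token) to (user_id, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._tokens[self._key(token)] = (user_id, now + self.ttl)
        return RESET_LINK_BASE + urlencode({"token": token})

    def consume(self, token, now=None):
        """Return the user id the token was issued for, or None. The record is
        removed on first use, valid or not, so a token can never be replayed."""
        now = time.time() if now is None else now
        record = self._tokens.pop(self._key(token), None)
        if record is None:
            return None
        user_id, expires_at = record
        if operator.ge(now, expires_at):
            return None
        return user_id


if __name__ == "__main__":
    print(peel_base64("VG5wTk1FNVVXVE5OVkd0M1RtcFJlZz09"))
    print(forge_reset_link(562199544561, 55))
    store = ResetTokenStore()
    link = store.issue(562199544561)
    print(link, store.consume(link.split("token=", 1)[1]))
```

&lt;p&gt;The contrast is the point: in the forged link the only thing the server checks is a user id that anyone can enumerate and encode, whereas with the token store the attacker would have to guess 256 random bits within the TTL, and a guess cannot be confirmed offline because only the hash is stored.&lt;/p&gt;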
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://anandtiwari.com/assets/images/success-1.jpg&quot; width=&quot;450&quot; height=&quot;300&quot; /&gt;
&lt;/p&gt;
&lt;p&gt;This is just an interesting logical flaw that allowed me to compromise a victim’s account using the password reset functionality. I will share other interesting scenarios I met while pentesting soon.&lt;/p&gt;
</content>
  </entry>
</feed>
