Environment Setup

Android Setup

Root

https://www.youtube.com/watch?v=TJBMmuMp9ZM

  1. Enable Developer options on the phone: Settings > About phone > tap "Build number" 7 times.

  2. Enable USB debugging: Settings > System > Developer options > USB debugging.

  3. Then, from the PC, unlock the bootloader and flash a known build with the Android Flash Tool (https://flash.android.com/): select the device and the latest release, and note the build ID so the matching factory image (and its boot.img) can be found later.

  4. Uncheck the following options:

  • Lock Bootloader

  • Skip Secondary

  • Force Debuggable

  5. Check the following options:

  • Wipe Device

  • Force Flash all partitions

  • Disable Verity

  • Disable Verification

  6. Install the build and confirm.

  7. Download and install the Magisk apk (https://github.com/topjohnwu/Magisk/releases).

  8. Extract boot.img from the factory image of the build you just flashed and copy it to the phone's Downloads folder. On devices that have an init_boot partition (Pixel 7 and later), extract and patch init_boot.img instead.

  9. Open Magisk > Install > Select and Patch a File and pick the image; Magisk writes magisk_patched-<whatever>.img to Downloads.

  10. Move the patched image to the PC and, from the PC, reboot the phone into the bootloader: adb reboot bootloader

  11. Once in the bootloader, flash it with fastboot (use init_boot instead of boot if you patched init_boot.img): fastboot flash boot magisk_patched-<whatever>.img
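The PC side of the last two steps, as an added example (not part of Magisk or the Android Flash Tool): it refuses to flash unless exactly one magisk_patched-*.img is present, checks the file really is an Android boot image, and picks boot or init_boot from what the bootloader reports. It assumes adb and fastboot are on PATH, one device is attached, and the patched image has already been pulled into the directory given as argument.

```shell
#!/usr/bin/env bash
# flash_magisk.sh - find the image Magisk patched, sanity-check it, choose the
# right partition and flash it. Usage: ./flash_magisk.sh ~/Downloads
set -eu

# Locate the image Magisk wrote (magisk_patched-<random>.img) in a directory.
# Refuses to guess when zero or several candidates exist, so a stale image
# from an earlier attempt can never be flashed by accident.
find_patched_image() {   # $1 = directory holding the pulled image
  dir=$1
  set -- "$dir"/magisk_patched-*.img
  [ -e "$1" ] || { echo "no magisk_patched-*.img in $dir" >&2; return 1; }
  [ $# -eq 1 ] || { echo "several patched images in $dir; delete the stale ones" >&2; return 1; }
  echo "$1"
}

# Android boot and init_boot images start with the 8-byte magic "ANDROID!".
# A half-finished download or a renamed zip fails here instead of at the bootloader.
is_boot_image() {        # $1 = image path
  [ "$(head -c 8 "$1")" = "ANDROID!" ]
}

# Choose the partition from `fastboot getvar all` output: devices that expose
# an init_boot partition (Pixel 7 and later) take the Magisk image there, the
# rest on boot. Flashing boot on an init_boot device does not root the phone.
pick_partition() {       # $1 = text of `fastboot getvar all`
  if printf '%s\n' "$1" | grep -q 'partition-type:init_boot'; then
    echo init_boot
  else
    echo boot
  fi
}

flash_magisk() {         # $1 = directory containing magisk_patched-*.img
  img=$(find_patched_image "$1")
  is_boot_image "$img" || { echo "$img is not an Android boot image" >&2; return 1; }
  adb reboot bootloader
  sleep 5                            # let the bootloader enumerate over USB
  vars=$(fastboot getvar all 2>&1)   # fastboot prints getvar output on stderr
  part=$(pick_partition "$vars")
  echo "flashing $img to $part"
  fastboot flash "$part" "$img"
  fastboot reboot
}

if [ "$#" -gt 0 ]; then
  flash_magisk "$1"
fi
```

If Magisk shows "Installed: N/A" after the reboot, the usual cause is the wrong partition (boot instead of init_boot) or an image patched from a different build than the one flashed.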

Burp Certificate

To install the Burp CA as a system certificate on Android 7 to 13, use the MagiskTrustUserCerts module:

https://github.com/NVISOsecurity/MagiskTrustUserCerts/releases

Move the .zip file to the Downloads folder on the phone, open Magisk > Modules > Install from storage > select the .zip file.

On Android 14 the system store moved into the Conscrypt APEX, so use the ConscryptTrustUserCerts module instead:

https://github.com/nccgroup/ConscryptTrustUserCerts

Move the .zip file to the Downloads folder on the phone, open Magisk > Modules > Install from storage > select the .zip file.

Both modules copy whatever is in the user CA store into the system store at boot, so the Burp CA only has to be installed as a user certificate. Export it from Burp (Proxy > Proxy settings > Import / export CA certificate, DER format) or download it from http://burp while browsing through the proxy, then get the file onto the phone (adb push, or for example through the Gmail app).

Once the certificate is on the phone, install it as a user CA (Settings > Security > Encryption & credentials > Install a certificate > CA certificate) and reboot; after the reboot the module has added it to the system certificates, which is what apps without pinning trust.
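An added example (not part of Burp or of either module) that prepares the Burp CA for the phone and, after the reboot, checks that it really landed in the system store. It assumes adb and openssl on the VM, one rooted device, and that the Settings path for user CAs is the stock Android one named above; the hash values in the comments are illustrative.

```shell
#!/usr/bin/env bash
# burp_ca.sh - convert Burp's DER export, push it, and verify system trust.
# Usage: ./burp_ca.sh cacert.der
set -eu

# Burp exports its CA as DER. Android's installer and both modules accept PEM,
# and PEM is what openssl needs for the hash below.
der_to_pem() {           # $1 = cacert.der  $2 = output .pem
  openssl x509 -inform DER -in "$1" -out "$2"
}

# Android names trusted CAs <subject_hash_old>.<n> (e.g. 9a5ba575.0); the hash
# is how the Burp CA is recognised in a directory listing.
ca_hash() {              # $1 = .pem
  openssl x509 -in "$1" -noout -subject_hash_old
}

# Where the system store lives: /system/etc/security/cacerts up to Android 13
# (SDK 33), the Conscrypt APEX from Android 14 (SDK 34). Looking in the old
# directory on 14 is the usual reason the certificate "is not there".
system_ca_dir() {        # $1 = value of ro.build.version.sdk
  if [ "$1" -ge 34 ]; then
    echo /apex/com.android.conscrypt/cacerts
  else
    echo /system/etc/security/cacerts
  fi
}

# True when a store listing contains <hash>.<n> for our hash.
store_has_hash() {       # $1 = hash  $2 = output of `ls <store dir>`
  printf '%s\n' "$2" | tr -d '\r' | grep -q "^$1\.[0-9][0-9]*\$"
}

verify_system_trust() {  # $1 = hash
  sdk=$(adb shell getprop ro.build.version.sdk | tr -d '\r')
  dir=$(system_ca_dir "$sdk")
  if store_has_hash "$1" "$(adb shell ls "$dir")"; then
    echo "Burp CA $1 is in $dir"
  else
    echo "Burp CA $1 is NOT in $dir: install the user cert, check the module is enabled, reboot" >&2
    return 1
  fi
}

main() {                 # $1 = cacert.der exported from Burp
  der_to_pem "$1" burp-ca.pem
  hash=$(ca_hash burp-ca.pem)
  adb push burp-ca.pem /sdcard/Download/burp-ca.pem
  echo "Install it: Settings > Security > Encryption & credentials > Install a certificate > CA certificate, then reboot."
  read -r -p "Press Enter once the phone is back up... " _
  verify_system_trust "$hash"
}

if [ "$#" -gt 0 ]; then
  main "$1"
fi
```

A certificate that only shows up under the user store still works for browsers, but apps targeting API 24+ ignore user CAs by default, which is why the system-store check is the one that matters.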

SSH

To connect to the phone over SSH, install the Magisk ssh module:

https://github.com/Magisk-Modules-Repo/ssh

Move the .zip file to the Downloads folder on the phone, open Magisk > Modules > Install from storage > select the .zip file.

Then generate an SSH key pair (ssh-keygen, puttygen or similar), copy the public key in OpenSSH format and append it to the authorized_keys files on the phone with the following commands:

adb shell

su

echo "<public key>" >> /data/ssh/root/.ssh/authorized_keys

echo "<public key>" >> /data/ssh/shell/.ssh/authorized_keys

! Use >> (append), not > (overwrite), or you will wipe any keys already authorized.
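The same key installation scripted, as an added example (not part of the ssh module): it rejects anything that is not an OpenSSH public-key line (the common mistake with puttygen is exporting the .ppk or the private half), appends idempotently, and sets the permissions sshd insists on. It assumes adb, a rooted phone, and the module paths shown above; the key material in the test is constructed.

```shell
#!/usr/bin/env bash
# ssh_authorize.sh - add a public key to /data/ssh/<user>/.ssh/authorized_keys
# for both the root and shell users. Usage: ./ssh_authorize.sh ~/.ssh/id_ed25519.pub
set -eu

# Accept only a single OpenSSH public-key line. From puttygen use the text in
# "Public key for pasting into OpenSSH authorized_keys file", never the .ppk.
valid_pubkey() {         # $1 = key line
  case $1 in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *|sk-ssh-ed25519@openssh.com\ *)
      case $1 in *$'\n'*) return 1 ;; esac   # reject multi-line pastes
      return 0 ;;
  esac
  return 1
}

# Idempotent append: `>>` never drops existing keys, but repeated runs would
# duplicate ours, so grep for the exact line first.
append_key() {           # $1 = local authorized_keys  $2 = key line
  touch "$1"
  grep -qxF "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Pull the current file, merge locally, push back via /data/local/tmp (adb push
# cannot write under /data/ssh), then tighten permissions: sshd rejects
# group- or world-writable key files and directories.
authorize_on_device() {  # $1 = user (root or shell)  $2 = key line
  valid_pubkey "$2" || { echo "refusing: not an OpenSSH public key line" >&2; return 1; }
  remote=/data/ssh/$1/.ssh/authorized_keys
  local_copy=$(mktemp)
  adb shell "su -c 'cat $remote 2>/dev/null'" | tr -d '\r' > "$local_copy" || true
  append_key "$local_copy" "$2"
  adb push "$local_copy" /data/local/tmp/authorized_keys.new >/dev/null
  adb shell "su -c 'mkdir -p /data/ssh/$1/.ssh && cp /data/local/tmp/authorized_keys.new $remote && chmod 700 /data/ssh/$1/.ssh && chmod 600 $remote && rm /data/local/tmp/authorized_keys.new'"
  rm -f "$local_copy"
}

if [ "$#" -gt 0 ]; then
  key=$(cat "$1")
  for user in root shell; do
    authorize_on_device "$user" "$key"
  done
fi
```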

MagiskHidePropsConf

To defeat root detection based on system properties: the module changes the device fingerprint and sensitive props such as ro.debuggable, ro.secure and ro.boot.verifiedbootstate so that apps reading them see a stock, locked device.

https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf

Move the .zip file to the Downloads folder on the phone, open Magisk > Modules > Install from storage > select the .zip file. After the reboot, configure it from a root shell with the props command.
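To see what the module is actually changing, this added example (not part of MagiskHidePropsConf) lists the classic root-revealing properties from getprop output; run it before and after configuring the module. It assumes adb; the getprop output in the test is constructed.

```shell
#!/usr/bin/env bash
# root_props.sh - show the system properties a root checker reads.
# Usage: ./root_props.sh --device
set -eu

# Each pattern is a property/value pair that gives away a rooted or unlocked
# device: debuggable/insecure builds, an unlocked bootloader (verifiedbootstate
# orange, flash.locked 0), userdebug/eng builds and test-keys.
root_indicators() {      # $1 = output of `adb shell getprop`
  printf '%s\n' "$1" | tr -d '\r' | while IFS= read -r line; do
    case $line in
      '[ro.debuggable]: [1]'|'[ro.secure]: [0]'|'[ro.adb.secure]: [0]'|'[ro.boot.verifiedbootstate]: [orange]'|'[ro.boot.flash.locked]: [0]'|'[ro.boot.vbmeta.device_state]: [unlocked]'|'[ro.build.type]: [userdebug]'|'[ro.build.type]: [eng]'|'[ro.build.tags]: [test-keys]')
        echo "$line" ;;
    esac
  done
}

# Number of leaking props; 0 means the prop-based checks would pass.
count_indicators() {     # $1 = getprop output
  root_indicators "$1" | grep -c . || true
}

if [ "${1:-}" = --device ]; then
  props=$(adb shell getprop)
  root_indicators "$props"
  echo "$(count_indicators "$props") root indicator(s) exposed"
fi
```

Props are only one channel: the su binary, Magisk's own files and hardware-backed attestation (Play Integrity) are checked separately, and spoofed props do nothing against the last one.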

Frida

Run-time instrumentation of mobile applications. The magisk-frida module starts frida-server at boot:

https://github.com/ViRb3/magisk-frida

Move the .zip file to the Downloads folder on the phone, open Magisk > Modules > Install from storage > select the .zip file.

Always use the same Frida version on the phone as the frida-tools installed in the VM.

Reboot after installation and check with frida-ps -U.
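An added example (not part of Frida or magisk-frida) that checks the version requirement instead of discovering it from a failing frida-ps. It assumes adb and frida-tools on the VM and that the module is installed under /data/adb/modules/magiskfrida (the module id is an assumption; confirm with ls /data/adb/modules). The module.prop contents in the test are constructed.

```shell
#!/usr/bin/env bash
# frida_versions.sh - compare the VM's frida with the module's frida-server.
# Usage: ./frida_versions.sh --check
set -eu

# Magisk modules describe themselves in module.prop; magisk-frida's version
# field is the frida version followed by a module revision, e.g. 16.1.4-1.
module_frida_version() { # $1 = module.prop contents
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^version=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# `frida --version` prints the frida core version the tools were built against.
host_frida_version() {
  frida --version | tr -d '\r' | sed -n 's/^\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Versions must be identical; a mismatch shows up as frida-ps -U failing with
# an "unable to communicate with remote frida-server" error.
versions_match() {       # $1 = host version  $2 = device version
  [ -n "$1" ] && [ "$1" = "$2" ]
}

check_device() {
  prop=$(adb shell 'su -c cat /data/adb/modules/magiskfrida/module.prop')
  dev=$(module_frida_version "$prop")
  host=$(host_frida_version)
  if versions_match "$host" "$dev"; then
    echo "frida $host on both sides"
    frida-ps -U >/dev/null && echo "frida-ps -U works"
  else
    echo "mismatch: VM has frida ${host:-?}, module ships ${dev:-?}" >&2
    echo "fix with: pip install \"frida==$dev\"  (or install the magisk-frida release for $host)" >&2
    return 1
  fi
}

if [ "${1:-}" = --check ]; then
  check_device
fi
```

Note that the frida python package carries the core version while frida-tools has its own numbering, so pin frida, not frida-tools, when matching the phone.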

ZygiskFrida

Run-time instrumentation in stealth mode: instead of a listening frida-server, it injects the Frida gadget into the target process from Zygisk, which is harder for anti-instrumentation checks to spot.

https://github.com/lico-n/ZygiskFrida

Move the .zip file to the Downloads folder on the phone, open Magisk > Modules > Install from storage > select the .zip file.

For the pentest, create a configuration file pointing at the app to be audited:

adb shell 'su -c cp /data/local/tmp/re.zyg.fri/config.json.example /data/local/tmp/re.zyg.fri/config.json'

adb shell 'su -c sed -i s/com.example.package/your.target.application/ /data/local/tmp/re.zyg.fri/config.json'

To build a config for the different scenarios, see:

https://github.com/lico-n/ZygiskFrida/blob/main/docs/simple_config.md

https://github.com/lico-n/ZygiskFrida/blob/main/docs/advanced_config.md

RootChecker

To check whether an app can tell the phone is rooted (i.e. whether the hiding modules above are working).

https://play.google.com/store/apps/details?id=com.joeykrim.rootcheck&hl=es&gl=US

ProxyDroid

Forces apps through a proxy with iptables (needs root), so it also catches apps that ignore the Wi-Fi proxy setting.

https://play.google.com/store/apps/details?id=org.proxydroid&hl=es&gl=US

Configure the Burp IP and port.

OpenVPN

VPN client, useful to build a transparent proxy: all the phone's traffic is tunnelled to the VM, where it is redirected into Burp.

https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=es&gl=US

Import here the client profile (.ovpn) generated on the VM.

Vysor

For screen mirroring.

https://play.google.com/store/apps/details?id=com.koushikdutta.vysor&hl=es&gl=US

Install the app on the phone and then the desktop client on the PC.

iOS Setup

Jailbreak

  1. Download palera1n (recommended) or a similar tool. palera1n covers checkm8 devices (A8 to A11) on iOS 15 and later:

https://github.com/palera1n/palera1n https://github.com/palera1n/palen1x https://onejailbreak.com/blog/winra1n-jailbreak/

  2. Run the exploit with the 'Create FakeFS' option checked (rootful mode) and wait 5 to 10 minutes.

  3. Run the exploit again with the default options.

  4. Open the palera1n loader app on the phone; it installs Sileo and lets you set the password of the mobile user.

  5. Log in over SSH as mobile with that password.

  6. Run sudo passwd root, accept the sudo lecture, then set the root password.

OpenSSH

To reach the phone over SSH, open the 'Sileo' app and install OpenSSH, then connect from the PC with the credentials set above (ssh mobile@<phone-ip>, or over USB with iproxy 2222 22 followed by ssh -p 2222 mobile@localhost).

Shadow

To bypass anti-jailbreak checks.

Open the 'Sileo' app and add the following repo: https://ios.jjolano.me/

Then install Shadow (not the Legacy variant).

Now, in Settings > Shadow, select the desired options per app.

SSL Kill Switch 3

To bypass certificate pinning without any instrumentation tool. It hooks the system TLS APIs, so apps that ship their own TLS stack or pinning logic still need Frida.

Open the 'Sileo' app and add the following repo: https://repo.misty.moe/apt

Then install SSL Kill Switch 3.

Now, in Settings > SSL Kill Switch, enable or disable the options per app depending on the scenario.

Appinst

To install apps when the client provides the .ipa file.

Open the 'Sileo' app and add the following repo: https://cydia.akemi.ai/

Then install Appinst.

Now connect over SSH and install the app with appinst <app-name>.ipa

Extract_ipa.sh

To repackage an installed app into an .ipa file for static analysis.

Download https://gist.github.com/joanbono/fd23d54aa6871d2b60f74a570dd17957 and copy it over SSH to /var/root on the iPhone (root's home directory).

chmod a+x extract-ipa.sh

./extract-ipa.sh /private/var/containers/Bundle/Application/<UUID>

The directory name is the install UUID, not the bundle id; find it with ls on that path or by grepping for the app name.
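What such a script does, written out as an added example (not the gist's code): locate the single .app in the container and zip it under Payload/, which is all an .ipa is. It assumes zip is available (install it from Sileo, or run the script on the VM against a container copied over with scp); the container in the test is constructed.

```shell
#!/usr/bin/env bash
# make_ipa.sh - build <Name>.ipa from an application container.
# Usage: ./make_ipa.sh /private/var/containers/Bundle/Application/<UUID>
set -eu

# /private/var/containers/Bundle/Application/<UUID>/ holds exactly one <Name>.app.
# The UUID is assigned per install and unrelated to the bundle id, so the
# bundle has to be found rather than derived from the app's identifier.
find_app_bundle() {      # $1 = container directory
  set -- "$1"/*.app
  [ -d "$1" ] || { echo "no .app bundle in container" >&2; return 1; }
  echo "$1"
}

# An .ipa is a zip with the bundle under Payload/. Symlinks are stored as
# symlinks (-y) because frameworks contain them; copying their targets would
# bloat and subtly alter the bundle.
make_ipa() {             # $1 = .app directory  $2 = output .ipa path
  app=$1 out=$2
  case $out in /*) ;; *) out=$PWD/$out ;; esac
  work=$(mktemp -d)
  mkdir "$work/Payload"
  cp -R "$app" "$work/Payload/"
  ( cd "$work" && zip -qry "$out" Payload )
  rm -rf "$work"
  echo "$out"
}

if [ "$#" -gt 0 ]; then
  app=$(find_app_bundle "$1")
  make_ipa "$app" "$(basename "$app" .app).ipa"
fi
```

The main binary inside the result is still encrypted (FairPlay) for App Store apps; for decompilation you will need a decrypted dump, but the .ipa is enough for Info.plist, entitlements, embedded frameworks and resource review.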

Frida

Run-time instrumentation of mobile applications.

Open the 'Sileo' app and add the following repo: https://build.frida.re/

Then install Frida (pick the package matching your device; A12 and later have their own).

Always use the same Frida version on the phone as the frida-tools installed in the VM.

Reboot after installation and check with frida-ps -U.

OpenVPN

VPN client, useful to build a transparent proxy: all the phone's traffic is tunnelled to the VM, where it is redirected into Burp.

https://apps.apple.com/es/app/openvpn-connect-openvpn-app/id590379981

Import here the client profile (.ovpn) generated on the VM.

Vysor

For screen mirroring.

https://apps.apple.com/es/app/vysor/id1577813680

Install the app on the phone and then the desktop client on the PC.

Proxy

To proxy traffic through Burp Suite, go to Settings > Wi-Fi > (i) on the network > Configure Proxy > Manual and set the Burp IP and port.

Burp Certificate

With the proxy set, browse to http://burp, download the CA certificate and install the profile from Settings > General > VPN & Device Management.

To actually trust the CA, go to Settings > General > About > Certificate Trust Settings and enable full trust for it.

VM Setup

Runtime Mobile Security

Web UI for instrumenting iOS and Android applications with Frida, with built-in automations.

Requires Node.js and frida-tools on the VM and a matching frida-server on the phone.

To install and run it:

npm install -g rms-runtime-mobile-security

rms

Grapefruit

Web UI for instrumenting iOS applications with Frida, with built-in automations.

Requires Node.js and frida-tools on the VM and a matching frida-server on the phone.

To install and run it:

npm install -g igf

igf

JadX

GUI decompiler for manual code review, with a smali view and search.

https://github.com/skylot/jadx/releases

Launch the app and load the .apk for manual analysis.

Hopper / Ghidra / Radare

For reversing iOS and Android native libraries.

https://www.hopperapp.com/download.html

https://github.com/NationalSecurityAgency/ghidra

https://rada.re/r/down.html

Android Studio

Android IDE; its emulator is also useful as an Android VM. The SensePost post below covers testing on Windows Subsystem for Android instead.

https://sensepost.com/blog/2021/android-application-testing-using-windows-11-and-windows-subsystem-for-android/

https://developer.android.com/studio?hl=es-419

Xcode

iOS IDE, used to compile apps and sign .ipa files.

https://apps.apple.com/es/app/xcode/id497799835?mt=12

Frida

Run-time instrumentation of mobile applications; this is the host side (frida, frida-ps, frida-trace).

pip install frida-tools

Use the same Frida version as the frida-server running on the phone.

Check with frida-ps -U while the phone is connected over USB.

Fridump

Memory dump utility built on Frida.

https://github.com/Nightbringer21/fridump

Requires frida-tools on the VM matching the frida-server on the phone.

fridump -U <process-name>

fridump -U -s <process-name>

-U dumps the named process over USB; -s additionally runs strings over the dumped memory.

R2Frida

Instrumentation of mobile applications and reversing from inside radare2.

Requires radare2, pkg-config (not necessary on Windows) and nodejs.

To set it up on Linux:

git clone https://github.com/nowsecure/r2frida.git

cd r2frida

make

make user-install

To set it up on Windows:

Decompress the downloaded release.

cd r2frida

.\preconfigure.bat

.\configure.bat

.\make.bat

Copy b\r2frida.dll into the directory printed by r2 -H R2_USER_PLUGINS

Vysor

For screen mirroring.

https://www.vysor.io/download/

OpenVPN

To set up the VPN server that the phones connect to.

https://openvpn.net/community-downloads/

Once installed, create the server PKI, generate a client certificate and export it as an .ovpn profile to import on the mobile devices.
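The part the page leaves implicit is how the tunnelled traffic gets into Burp. This added example (not part of OpenVPN or Burp) prints and applies the nat rules for that on the VM. It assumes Linux iptables, the tunnel and uplink interface names given on the command line (tun0 and eth0 are only examples), and a Burp listener on the given port bound to all interfaces with "Support invisible proxying" enabled.

```shell
#!/usr/bin/env bash
# transparent_burp.sh - redirect the phone's HTTP/HTTPS from the VPN tunnel into Burp.
# Usage: ./transparent_burp.sh tun0 eth0 8080      (prefix --remove to undo)
set -eu

# Print the nat rules instead of running them so they can be reviewed or saved.
# $1 = A (add) or D (delete), $2 = tunnel ifc, $3 = uplink ifc, $4 = Burp port
nat_rules() {
  act=$1 tun=$2 up=$3 port=$4
  case $port in ''|*[!0-9]*) echo "port must be numeric, got '$port'" >&2; return 1 ;; esac
  # only 80/443 are hijacked; other ports keep flowing so the app is not broken
  for dport in 80 443; do
    echo "iptables -t nat -$act PREROUTING -i $tun -p tcp --dport $dport -j REDIRECT --to-ports $port"
  done
  # NAT everything else out the uplink so the phone still has internet
  echo "iptables -t nat -$act POSTROUTING -o $up -j MASQUERADE"
}

redirect_rules() { nat_rules A "$@"; }
remove_rules()   { nat_rules D "$@"; }

# Run the rules as root. Forwarding must be on for the non-redirected traffic
# to leave the VM at all.
apply_rules() {          # $1 = tunnel ifc  $2 = uplink ifc  $3 = Burp port
  redirect_rules "$@" | sudo sh -es
  sudo sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = --remove ]; then
  shift
  remove_rules "$@" | sudo sh -es
elif [ "$#" -eq 3 ]; then
  apply_rules "$@"
fi
```

REDIRECT discards the original destination, so Burp recovers it from the Host header or the TLS SNI; that is what the invisible-proxying option does. Apps that talk to bare IPs over TLS without SNI, or on non-standard ports, need an explicit listener or an extra --dport rule.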

Medusa

Kit of dynamic instrumentation scripts for iOS and Android, with monitoring functions.

git clone https://github.com/Ch0pin/medusa

cd medusa

pip install -r requirements.txt

pip install gnureadline

Node-Applesign

To sign .ipa files.

Requires nodejs.

sudo npm install -g applesign

applesign

ApkStudio

To modify smali and re-sign .apk files.

Requires Java (https://www.java.com/es/download/), apktool (https://apktool.org/docs/install), jadx (https://github.com/skylot/jadx/releases), Android platform-tools (https://developer.android.com/tools/releases/platform-tools?hl=es-419) and uber-apk-signer (https://github.com/patrickfav/uber-apk-signer/releases).

Then, in the ApkStudio settings, point it at the apktool, adb and uber-apk-signer binaries you installed.
