Environment Setup
Install the USB driver on the PC:
Activate Developer Mode on the phone: Settings > Device Information > tap "Build Number" 5 times
Activate USB Debugging: Settings > System > Developer Options > USB Debugging
Then, from the PC, unlock the bootloader: download the latest release and take note of its code for a later search.
Uncheck the following options:
Lock Bootloader
Skip Secondary
Force Debuggable
Check the following options:
Wipe Device
Force Flash all partitions
Disable Verity
Disable Verification
Install the build and confirm.
Extract boot.img and save it in the Downloads folder.
Fire up Magisk and select the boot.img file; this will generate a patched <whatever>.img.
Move it to the PC and, from the PC, run adb reboot bootloader to boot the phone into the bootloader.
Once in the bootloader, flash the Magisk-patched image with fastboot: fastboot flash boot <whatever>.img
To install the burp certificate in Android 7 to 13:
Move the .zip file to the Downloads folder in the mobile, open Magisk > Plugins > Install > Select the .zip file.
To install the burp certificate in Android 14:
Move the .zip file to the Downloads folder in the mobile, open Magisk > Plugins > Install > Select the .zip file.
To import it, we can download it from the PC and move it to the phone. We could also import it from the Gmail app.
Once the certificate is downloaded to the phone, use "Always trust certs" or "Conscrypt trust certs" to install the Burp CA, then reboot the system and the certificate will be added to the system store.
To connect to the mobile through SSH:
Move the .zip file to the Downloads folder in the mobile, open Magisk > Plugins > Install > Select the .zip file.
Then generate a key pair with PuTTYgen or a similar tool, extract the public key and append it to the mobile filesystem with the following commands:
adb shell
su
echo <key> >> /data/ssh/root/.ssh/authorized_keys
echo <key> >> /data/ssh/shell/.ssh/authorized_keys
Note: use >> (append) and not > (overwrite); with > every key already present in authorized_keys is silently discarded.
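The append step above is easy to get wrong on a second run (duplicated keys, or a wiped file when > is used). The following POSIX sh helper is an added example, not part of the original guide: it validates the key line, creates the .ssh directory with restrictive modes, appends only when the key is not already present, and always uses >>. The authorized_keys paths and the sample keys are constructed for illustration; run it on the phone inside adb shell / su as the guide does.

```shell
#!/bin/sh
# Added example (not from the original guide). Idempotent append of an
# OpenSSH public key line to an authorized_keys file.
#
# add_authorized_key <pubkey-line> <authorized_keys-path>
#   returns 0 when the key was appended,
#           2 when the key (type + blob) was already present,
#           1 when the line is not a well-formed public key.
add_authorized_key() {
    key=$1
    file=$2
    # Split the line into type, base64 blob and optional comment.
    set -- $key
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refusing malformed key line: $key" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "missing key blob: $key" >&2; return 1; }
    blob="$1 $2"
    # sshd ignores the file when the directory or file is group/world writable.
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    # Compare type + blob only, so a differing trailing comment still counts
    # as the same key and is not added twice.
    while read -r t b rest; do
        [ "$t $b" = "$blob" ] && return 2
    done < "$file"
    # '>>' appends; '>' would overwrite the file and drop existing keys.
    printf '%s\n' "$key" >> "$file"
}

# count_keys <authorized_keys-path>: number of non-blank lines (0 if missing).
count_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '[^[:space:]]' "$1" || true
}

# Usage on the phone (constructed path from the guide):
#   add_authorized_key "$(cat /sdcard/Download/id_ed25519.pub)" /data/ssh/root/.ssh/authorized_keys
```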
To bypass anti-root defenses.
Move the .zip file to the Downloads folder in the mobile, open Magisk > Plugins > Install > Select the .zip file.
Instrumentation of mobile applications in real time.
Move the .zip file to the Downloads folder in the mobile, open Magisk > Plugins > Install > Select the .zip file.
Always use the same version as the one in the VM.
Reboot after installation and check with frida-ps -U.
Instrumentation of mobile applications in real time in stealth mode.
Move the .zip file to the Downloads folder in the mobile, open Magisk > Plugins > Install > Select the .zip file.
In the pentest, create a configuration file pointing to the app to be audited:
adb shell 'su -c cp /data/local/tmp/re.zyg.fri/config.json.example /data/local/tmp/re.zyg.fri/config.json'
adb shell 'su -c sed -i s/com.example.package/your.target.application/ /data/local/tmp/re.zyg.fri/config.json'
To create a suitable config according to the different scenarios:
To demonstrate whether the app is running on a rooted phone.
Proxy switch to skip the native steps.
Configure the Burp IP and port.
VPN that will be useful to create a transparent proxy.
Here we will add the certificate generated with the VM.
For screen mirroring.
Install the agent in the phone and then in the PC.
Download Palera1n (recommended) or similar:
Fire up the exploit with the 'Create Fake FS' option checked and wait 5-10 minutes.
Fire up the exploit again with the default options.
Open the Palera1n app to set up the SSH password.
Log into SSH with the mobile user and the selected password.
Execute chpasswd root and accept the conditions, then set up the root password.
To connect to the mobile over SSH, open the 'Sileo' app and download OpenSSH, then connect over SSH from the PC to the phone with the previously set credentials.
To bypass anti-jailbreak defenses.
Then install Shadow (the non-legacy one).
Now, in Settings > Shadow, we can select the desired options for each App.
To bypass certificate pinning without any instrumentation tools.
Then install SSLKillSwitch3.
Now, in Settings > SSLKillswitch we can activate or deactivate the desired options depending on the scenario.
To install Apps when the client provides the .ipa file.
Then install Appinst.
Now we can connect through SSH and install the app with Appinst <app-name>.ipa
To extract apps to the .ipa file for static analysis.
Download https://gist.github.com/joanbono/fd23d54aa6871d2b60f74a570dd17957 and move it to the /mobile/var/root folder on the iPhone over SSH.
chmod a+x extract-ipa.sh
./extract-ipa.sh /private/var/containers/Bundle/Application/<BundleID>
Instrumentation of mobile applications in real time.
Then install Frida.
Always use the same version as the one in the VM.
Reboot after installation and check with frida-ps -U.
VPN that will be useful to create a transparent proxy.
Here we will add the certificate generated with the VM.
For screen mirroring.
Install the agent in the phone and then in the PC.
To proxy the activity through BurpSuite, go to Settings > Wifi > Proxy and configure the Burp IP and port.
To activate the CA, go to Settings > General > Information > Trusted Certificates.
UI for the instrumentation of iOS and Android mobile applications with automations.
Requires NodeJS and Frida on both the phone and the VM.
To install and configure it:
npm install -g rms-runtime-mobile-security
rms
UI for the instrumentation of iOS mobile applications with automations.
Requires NodeJS and Frida on both the phone and the VM.
To install and configure it:
npm install -g igf
igf
UI for manual code review, with smali functionality.
Open the app and load the .apk for manual analysis.
For iOS and Android libraries reversing.
Android IDE. Also useful for Android VMs.
iOS IDE to compile and sign .ipa files.
Instrumentation of mobile applications in real time.
sudo pip install frida-tools
Always use the same version as the one in the VM.
Reboot after installation and check with frida-ps -U.
Memory dump utility.
Always use the same version as the one in the VM.
fridump -U <app-name>
fridump -U -s <package-name>
Instrumentation of mobile applications and reversing.
Requires radare2, pkg-config (not necessary on Windows) and nodejs.
To set it up on Linux:
git clone https://github.com/nowsecure/r2frida.git
cd r2frida
make
make user-install
Copy b\r2frida.dll into the plugins directory printed by r2 -H R2_USER_PLUGINS
To set it up on Windows:
Decompress the downloaded release.
cd r2frida
.\preconfigure.bat
.\configure.bat
.\make.bat
Copy b\r2frida.dll into the plugins directory printed by r2 -H R2_USER_PLUGINS
For screen mirroring.
To set up a VPN Server.
Once downloaded and installed, we will generate a VPN certificate to install on the mobile devices.
Kit of dynamic scripts for iOS and Android and monitoring functions.
git clone https://github.com/Ch0pin/medusa
cd medusa
pip install -r requirements.txt
pip install gnureadline
To sign .ipa files.
Requires nodejs.
sudo npm install -g applesign
applesign
To sign .apk files and modify smali.
Then, set the apktool, adb and Uber apk signer paths so that each one points to where it is installed.
Download Android Platform-Tools ().
Download and install Magisk apk ().
Open the 'Sileo' app and add the following repo:
Connect to the proxy, navigate to the page, then download and install it.
Requires Java (), apktool (), jadx (), Android platform-tools (https://developer.android.com/tools/releases/platform-tools?hl=es-419) and Uber apk signer ().