🔴
Hacking
  • 1. Hacking Infrastructure
    • Infra Planification
      • Infrastructure Diagram & Requirements
    • Infra Configuration
      • Attack Server
      • C2 Server
      • Redirector
      • Payload Server
      • Phishing Server
  • 2. Reconnaissance and Information Gathering
    • OSINT (Open-Source Intelligence)
      • Enviroment
      • Android Virtualization
      • Web Browsers
      • Sock Puppets (Covert Accounts)
      • All-purpose Advanced Tools
      • Search Engines
      • People Search Engines
      • Websites & Domains
      • IP Addresses
      • Users & Emails
      • Social Media
      • Documents
      • Images
      • Videos & Lives
      • Metadata
      • Telephone Numbers
      • Online Maps
      • Virtual Currencies
      • Leaks, Breaches, Logs and Ransomware
      • Government & Business Records
    • Port, Version, Vuln Scanning
      • Nmap
      • Shodan
      • Network Mapping
      • Researching Potential Vulnerabilities
      • Dark Web Scanning
  • 3. Social Engeniering
    • Phising
      • Recycling Domains
      • Header Manipulation
      • Email Creation and Delivery
      • Email Spoofing & Warning Disabling
      • Site Building
      • Evilginx
      • Payload Hosting Obfuscation
      • Diverting the Analysts
      • VBA Macros & RTI
      • HTML Smuggling & HTA Files
      • JS Files
      • Other File Types
    • SMS Spoofing
      • SMSpubli
    • Social Engineering Toolkit (SET)
      • SET Installation
  • 4. Exploitation
    • Password Cracking
      • SetUp
      • Wordlist Building
      • Tools
    • Payloads - File Transfer - Coding - MalDev - ExploitDev
      • Payload Triggering
        • Shell File Transfer
        • PS Execution - Donwload Craddles
      • Normal Shells
        • Reverse Shells vs Bind Shells
        • Direct Reverse Shell Commands
        • Interactive Shell
        • Normal Reverse Shell Tools
        • PHP Webshells
        • ASPX Webshells
        • Kraken Webshell
        • Python Webshells
      • Coding Basics
        • Bash
        • Python
        • C
        • C++
        • C#
        • x86-64 (Intel) Assembly - NASM & MASM
      • Windows MalDev
        • MDLC & Tools
        • Architecture, Memory Management, APIs & Processes
        • PEs & DLLs
        • Malware Binary Signing & Metadata Modification
        • Payload Placement
        • Payload Execution Control
        • Payload Encryption & Obfuscation
        • Malware Optimization: Entropy Reduction & Compile Settings
        • Local Payload Execution
        • Process Enum, Injection & Hollowing
        • Payload Staging
        • Thread Hijacking
        • APC Injection
        • Callback Code Execution
        • Mapping Injection
        • Function Stomping Injection
        • PPID Spoofing
        • Process Argument Spoofing
        • API Hooking
        • String Hashing
        • IAT Hiding, Obfuscation & Camouflage
        • Anti-Debugging
        • Anti-Virtualization
        • Syscalls
        • NTDLL Refreshing
      • Windows ExploitDev
        • Tools
        • x86 Vanilla Stack BOF
      • Linux ExploitDev
        • BOF GNU/Linux 32-bit
    • Active Directory
      • Host and Domain Recon
        • SMB (139,445) Enum
        • RPC (135, 1024-5000) Enum
        • LDAP (389,636,3268,3269) Enum
        • PowerView
        • Other tools / Commands
        • BloodHound
      • Attacks and procedures
        • Password Spraying
        • User Impersonation
        • Lateral Movement
        • Kerberos (88)
        • Certificate Services (AD CS)
        • ACLs/ACEs
        • Group Policy
        • MS SQL Servers
        • LAPS (Local Administrator Password Solution)
        • Microsoft Configuration Manager
        • Domain Dominance
        • Forest & Domain Trusts
        • MiTM & Relaying Attack
    • Cloud
      • Azure
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation
        • Lateral Movement
        • Persistence
        • Data Exfiltration
      • AWS
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation
        • Lateral Movement
        • Post-Exp & Persistence
        • Data Exfiltration
      • Google Cloud
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation & Lateral Movement
        • Credential Access
        • Data Exfiltration
    • Web
      • Fingerprinting
      • Automated Scanners
      • Proxies
        • WAFs & Attack Obfuscation
        • HTTP Request Smuggling
      • CMS's: Content Management Systems
      • Authentication
        • Authentication vulnerabilities
        • OAuth 2.0 Authentication Vulnerabilities
        • Access Control
      • Files
        • File Upload
      • Reflected Values
        • Command Injection
        • HTML & XSS Injection
        • SSRF: Server-Side Request Forgery
        • SSTI: Server-Side Template Injection
        • CRLF Injection
        • CSV Injection
        • Openredirect
        • Prototype Pollution
        • ShellShock Attack
      • Search functionalities
        • LFI - RFI - Path traversal
        • SQL Injection
        • NoSQL injection
        • LDAP Injection
        • XPath Injection
      • Forms, WebSockets and PostMsgs
        • CSRF: Croos-Site Request Forgery
        • WebSocket Attacks
      • HTTP Headers
        • Clickjacking
        • CORS
        • Host Header Injection
      • Structured objects - Specific functionalities
        • XML External Entity (XXE) Injection
        • Deserialization Attacks
        • Padding Oracle Attack
      • Whitebox
        • Source Code Recovery, Analysis & Debugging
        • Python PoC Building
        • File Upload
        • SQL Injection
        • JavaScript Injection
        • SSTI (Server-Side Template Injection)
        • PHP Type Juggling
        • Prototype Pollution
        • Password Reset Attacks
    • Network Services
      • FTP 21
      • SSH 22
      • DNS 53,5353
      • FINGER 79
      • POP3 110,995
      • SNMP 161,162,10161,10162
      • MYSQL 3306
      • VNC 5800,5801,5900,5901
      • Ansible
      • Artifactory (8081)
      • Citrix
    • Wireless Pentesting
      • Wireless Reconnaissance
      • Wifite
      • RogueAP
      • WiFi Pineapple Mark VII
    • Camera Pentesting
      • Identifying Unsecured Web Cams
      • Default Passwords
      • Cameraradar
    • SCADA/ICS
      • Reconnaissance
      • Metasploit Modbus
      • modbus-cli
    • Mobile Pentesting
      • Enviroment SetUp
      • Android Pentest
      • iOS Pentest
  • 5. Privesc and Post-explotation
    • Linux Privilege Escalation
      • Manual Testing Elevation of privileges
      • Enumeration Commands
      • Enumeration Scripts
      • Looting for passwords & Interesting Information
      • Writable Files
      • SUDO
      • SSH Key
      • Scheduled tasks
      • SUID
      • Capbilities
      • NFS Root Squashing (Network File Sharing)
      • Shared Library
      • Docker Breakeout
      • Hijack TMUX session
      • Wildcard
      • Kernel Exploits
    • Linux Post-Explotation
      • SSH Backdoor
      • Manual Backdoors
      • Pillaging/Data Harvesting
    • Windows Privilege Escalation
      • Enumeration Scripts
      • Manual Enumeration
      • Metasploit tools
      • Processes Enumeration and Tasks
      • Incorrect permissions in services
      • Unquoted Service Paths
      • Insecure GUI Apps
      • Autorun
      • AlwaysInstallElevated
      • $PATH Interception
      • Looting for passwords
      • Runas
      • Impersonation Privileges
      • From local administrator to NT SYSTEM
      • Common Vulnerabilities and Exposure (CVE)
      • Kernel Exploitation
      • Named Pipes
      • Vulnerable Drivers
      • Abusing Shadow Copies
    • Windows Post-Explotation
      • Credential Theft
      • RDP Hijacking
      • Session Spying
      • WDigest
      • User backdoor
      • Manual Backdoors
      • SharPersist
      • WMI Event Subscriptions Persistance
      • Hunting for COM Hijacks
      • Mail Harvesting
    • Data Exfiltration
  • 6. Evasion Techniques
    • Linux - Evasion Techniques
    • Windows - Evasion Techniques
      • Detection Mechanisms & Evasion Techniques
      • Microsoft Defender Antivirus
      • AMSI & UAC Bypasses
      • AppLocker and Powershell CLM
      • PowerShell Script Block Logging
      • MDE (Microsoft Defender for Endpoint)
      • Altered scripts & Automations
      • Command Reimplementation C#/C
      • EDR Killing
  • 7. Tunneling
    • Port Forwarding
      • SSH Port Forwarding
      • Chisel Port Forwarding
      • Metasploit SSH Port Forwarding
    • Pivoting
      • Linux Tools & Methedology
      • Windows Tools
      • SSH Pivoting
    • C2 (Command and Control)
      • Cobalt Strike
        • Set Up and Team Server
        • Listeners
        • Payloads
        • Attacks
        • Beacon Commands
        • Session Passing
        • Maleable Profiles
        • Artifact Kit
        • Resource Kit
        • Behavioural Detections
        • Aggressor Scripts
        • Beacon Object Files (BOFs)
        • NTLM Relaying Methodology w/ Cobalt
      • Metasploit
        • Schema Cheat Sheet
        • Staged vs Non-Staged Payloads
        • Metasploit Options
        • Start MSF DB (Kali)
        • Listeners
        • Meterpreter Commands
        • Pivoting
        • Meterpreter Pass a Shell
        • Msfvenom Payloads
        • Meterpreter Pillaging/Data Harvesting
      • Havoc
        • Set Up and Team Server
        • Listeners
        • Payloads
        • Deamon Commands
      • Empire
      • Custom C2s
        • HTTP mini C2
  • 8. Profesional Reports
    • LaTeX
      • Tools
      • Variable Config
      • Template definition & PDF Preview
      • Commands
      • Pentest Report Template
    • Documentation Tools
      • Note-Taking
      • Advanced Text Editors
      • Appendix
      • Quality and Diversity of Sources
      • Document Sanitization
    • Report Anatomy
      • OSINT Report Anatomy
Powered by GitBook
On this page
  • MASVS-STORAGE
  • MASTG-TEST-0052
  • MASTG-TEST-0060
  • MASTG-TEST-0053
  • MASVS-CRYPTO
  • MASTG-TEST-0061
  • MASTG-TEST-0063
  • MASTG-TEST-0062
  • MASVS-AUTH
  • MASVS-AUTH-1
  • MASVS-AUTH-3
  • MASVS-NETWORK
  • MASTG-TEST-0066
  • MASTG-TEST-0067
  • MASTG-TEST-0022
  • MASVS-PLATFORM
  • MASTG-TEST-0069
  • MASTG-TEST-0059
  • MASVS-CODE
  • MASVS-CODE-1
  • MASTG-TEST-0085
  • MASVS-RESILIENCE
  • MASTG-TEST-0088
  • MASTG-TEST-0092
  • MASTG-TEST-0090
  • MASTG-TEST-0091
  1. 4. Exploitation
  2. Mobile Pentesting

iOS Pentest

MASVS-STORAGE

MASTG-TEST-0052

To verify how an app manage and store sensitive data locally.

Connect to the phone via SSH and grep for sesitive data within the /data/path/appname directory.

MASTG-TEST-0060

To check memory leaks.

frida-ps -U {obtain app name or package name}

fridump -U {appname}

fridump -u {package name}

string * | grep -B 5 -A 5 -i "{text to search}"

MASTG-TEST-0053

To check logs leaks.

Use the following extension: https://codeshare.frida.re/@neil-wu/fridanslogger/ or https://github.com/libimobiledevice/libimobiledevice

frida --codeshare neil-wu/fridanslogger -f {app}

idecicesyslog | grep -i {app name}

MASVS-CRYPTO

MASTG-TEST-0061

To check weak cipher algorithms.

Check this with Mobsf.

MASTG-TEST-0063

To check weak random number generation functions.

Check with Mobsf.

MASTG-TEST-0062

To check the lack of secure cipher implementation.

Use thie following frida package to check if the cipher and keys are easly extractable: https://codeshare.frida.re/@xperylab/cccrypt-dump/

frida --codeshare xperylab/cccrypt-dump -f {app}

MASVS-AUTH

MASVS-AUTH-1

To check for IDORs.

Modify requests with Burp Suite and try evading security controls.

MASVS-AUTH-3

To check incorrect implementation of 2FA/MFA.

Modify requests with Burp Suite and try evading security controls (session tokens, expiration tokens, …).

MASVS-NETWORK

MASTG-TEST-0066

To check for TLS vulnerabilities and weak cipher algorithms whithin secure comunications.

Use testssl.sh

MASTG-TEST-0067

To check the lack of certificate implementation.

Use burp and check the app requests.

MASTG-TEST-0022

To bypass certificate pinning.

Use RMS and the different options within the default scripts.

Use the following frida package: https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/

frida --codeshare akabe1/frida-multiple-unpinning -f {app}

Use SSLKillswitch 3: Activate in settings

MASVS-PLATFORM

MASTG-TEST-0069

To check permissions missconfigurations.

Use Mobsf and check if the app permissions are consisten with the app functionality.

MASTG-TEST-0059

To check for information leak from app sent to background.

Post-authenticated sent the app to the background and call the background to check if there is sensitive data or if its blured.

MASVS-CODE

MASVS-CODE-1

To discover leaks and API in source code.

Use Mobsf to check leaks (most of them will be false positives).

Use Hopper for manually search.

MASTG-TEST-0085

To check vulnerable thrid-party libraries.

Mobsf will check this.

MASVS-RESILIENCE

MASTG-TEST-0088

To check antiroot/antijb measures.

Open app with jailbreaked mobile and use + Palera1n! app along with the app sent to background to evidence this.

MASTG-TEST-0092

To check for anti-virtualization measures.

Use Corellium (GLHF) and open the app to check.

MASTG-TEST-0090

To check the lack of application integrity checks.

Use Xcode or Node-applesign and sing the IPA with a certificate.

MASTG-TEST-0091

To check anti-instrumentation measures.

Open the app with Frida, if this does not crash, then is vulnerable.

PreviousAndroid PentestNext5. Privesc and Post-explotation

Last updated 1 year ago