mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Translated ['src/mobile-pentesting/ios-pentesting/ios-pentesting-without
parent 07b800003e
commit 179ff2cc34
@ -2,17 +2,15 @@
{{#include ../../banners/hacktricks-training.md}}
## Wazo Kuu
Programu zilizosainiwa na **entitlement `get_task_allow`** zinawaruhusu programu za upande wa tatu kuendesha kazi inayoitwa **`task_for_pid()`** na kitambulisho cha mchakato wa programu ya awali kama hoja ili kupata bandari ya kazi juu yake (kuwa na uwezo wa kuidhibiti na kufikia kumbukumbu yake).
Hata hivyo, si rahisi kama tu kuvuta IPA, kuisaini tena na entitlement, na kuirudisha kwenye kifaa chako. Hii ni kwa sababu ya ulinzi wa FairPlay. Wakati saini ya programu inabadilika, funguo za DRM (Usimamizi wa Haki za Kidijitali) **zinabatilishwa na programu haitafanya kazi**.
Hata hivyo, si rahisi kama tu kuvuta IPA, kuisaini tena na entitlement, na kuirudisha kwenye kifaa chako. Hii ni kwa sababu ya ulinzi wa FairPlay. Wakati saini ya programu inabadilika, funguo za DRM (Digital Rights Management) **zinabatilishwa na programu haitafanya kazi**.
Kwa kifaa cha zamani kilichovunjwa, inawezekana kufunga IPA, **kuifungua kwa kutumia chombo unachokipenda** (kama Iridium au frida-ios-dump), na kuirudisha kutoka kwenye kifaa. Ingawa, ikiwa inawezekana, inapendekezwa kuomba tu kwa mteja kwa IPA iliyofunguliwa.
Kwa kifaa cha zamani kilichovunjwa, inawezekana kufunga IPA, **kuikodisha kwa kutumia chombo unachokipenda** (kama Iridium au frida-ios-dump), na kuirudisha kutoka kwenye kifaa. Ingawa, ikiwa inawezekana, inapendekezwa kuwasiliana na mteja kwa IPA iliyokodishwa.
## Pata IPA iliyofunguliwa
## Pata IPA iliyokodishwa
### Pata kutoka Apple
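Review bot: the new wording of the "Kwa kifaa cha zamani kilichovunjwa" paragraph and the heading `## Pata IPA iliyokodishwa` replace "kuifungua" / "iliyofunguliwa" (unlock, i.e. decrypt) with "kuikodisha" / "iliyokodishwa", which in Swahili means "to rent / lease", so the sentence now tells the reader to rent the IPA and ask the client for a rented IPA instead of a decrypted one. Keep the previous wording or use an explicit decryption term ("kusimbua" / "IPA iliyosimbuliwa"). Swapping "Usimamizi wa Haki za Kidijitali" for the English "Digital Rights Management" in the FairPlay paragraph is fine, since the abbreviation DRM is what the reader will meet in practice.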
@ -20,15 +18,14 @@ Kwa kifaa cha zamani kilichovunjwa, inawezekana kufunga IPA, **kuifungua kwa kut
2. Funga na uzindue [Apple Configurator](https://apps.apple.com/au/app/apple-configurator/id1037126344?mt=12) ndani ya macos yako
3. Fungua `Terminal` kwenye Mac yako, na cd hadi `/Users/[username]/Library/Group\\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps`. IPA itaonekana katika folda hii baadaye.
4. Unapaswa kuona kifaa chako cha iOS. Bonyeza mara mbili juu yake, kisha bonyeza Ongeza + → Programu kutoka kwenye menyu ya juu.
5. Baada ya kubonyeza Ongeza, Configurator itashusha IPA kutoka Apple, na kujaribu kuisukuma kwenye kifaa chako. Ikiwa ulifuata mapendekezo yangu awali na kufunga IPA tayari, ujumbe wa kukuuliza ufungue tena programu utaonekana.
6. IPA inapaswa kushushwa ndani ya `/Users/[username]/Library/Group\\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps` ambapo unaweza kuichukua
5. Baada ya kubonyeza Ongeza, Configurator itashusha IPA kutoka Apple, na kujaribu kuisukuma kwenye kifaa chako. Ikiwa ulifuata mapendekezo yangu awali na tayari umefunga IPA, ujumbe wa kukuuliza ufungue programu tena utaonekana.
6. IPA inapaswa kushushwa ndani ya `/Users/[username]/Library/Group\\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps` ambapo unaweza kuichukua.
Angalia [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed) kwa maelezo zaidi kuhusu mchakato huu.
### Kuikodisha programu
### Kufungua programu
Ili kufungua IPA tunakwenda kuifunga. Hata hivyo, ikiwa una iPhone ya zamani iliyovunjwa, huenda toleo lake halitaungwa mkono na programu kwani kawaida programu zinasaidia tu matoleo ya hivi karibuni.
Ili kuikodisha IPA tunakwenda kuifunga. Hata hivyo, ikiwa una iPhone ya zamani iliyovunjwa, huenda toleo lake halitasaidiwa na programu kwani kawaida programu zinasaidia tu matoleo ya hivi karibuni.
Hivyo, ili kuifunga, fungua tu IPA:
```bash
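Review bot: in steps 3 and 6 the path inside the backtick spans reads `Group\\ Containers`; backslashes are literal inside inline code, so the rendered path shows two backslashes where the shell accepts only one (`Group\ Containers`), or better, drop the escape and quote the whole path. Two smaller points in the same hunk: `macos` in step 2 should be `macOS`, and the new heading `### Kuikodisha programu` with its paragraph ("Ili kuikodisha IPA tunakwenda kuifunga") uses "kodisha" (to rent) where "decrypt" is meant; the previous `### Kufungua programu` / "Ili kufungua IPA" was the closer rendering.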
@ -36,7 +33,7 @@ unzip redacted.ipa -d unzipped
```
Angalia `Info.plist` kwa toleo la chini linaloungwa mkono na ikiwa kifaa chako ni cha zamani zaidi ya hicho, badilisha thamani ili iweze kuungwa mkono.
Zipisha tena IPA:
Zip back IPA:
```bash
cd unzipped
zip -r ../no-min-version.ipa *
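Review bot: the instruction "Angalia `Info.plist` kwa toleo la chini linaloungwa mkono" never names the key the reader has to edit; it is `MinimumOSVersion` in `Payload/<App>.app/Info.plist`, and saying so saves a search through the plist. The translation of "Zip back IPA:" to "Zipisha tena IPA:" is fine, and `zip -r ../no-min-version.ipa *` run from `unzipped/` correctly puts `Payload/` at the archive root; it would help to add one sentence here that editing `Info.plist` invalidates the existing code signature, which is why the "AppSync Unified" note that follows the install step is needed.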
@ -45,30 +42,77 @@ Kisha, sakinisha IPA kwa mfano na:
```bash
ideviceinstaller -i no-min-version.ipa -w
```
Kumbuka kwamba unaweza kuhitaji **AppSync Unified tweak** kutoka Cydia ili kuzuia makosa yoyote ya `invalid signature`.
Note that you might need **AppSync Unified tweak** from Cydia to prevent any `invalid signature` errors.
Mara tu inapowekwa, unaweza kutumia **Iridium tweak** kutoka Cydia ili kupata IPA iliyotafsiriwa.
Once intalled, you can use **Iridium tweak** from Cydia in order to obtain the decrypted IPA.
### Patch entitlements & re-sign
Ili kusaini upya programu na `get-task-allow` entitlement kuna zana kadhaa zinazopatikana kama `app-signer`, `codesign`, na `iResign`. `app-signer` ina kiolesura rafiki cha mtumiaji ambacho kinaruhusu kusaini kwa urahisi faili ya IPA kwa kuashiria IPA ya kusaini upya, kuweka **`get-taks-allow`** na cheti na profaili ya usambazaji ya kutumia.
### Patch entitlements & re-sign
Kuhusu vyeti na profaili za kusaini, Apple inatoa **profaili za kusaini za watengenezaji bure** kwa akaunti zote kupitia Xcode. Unda tu programu na uipange. Kisha, panga **iPhone kuamini programu za watengenezaji** kwa kuenda kwenye `Settings` → `Privacy & Security`, na bonyeza kwenye `Developer Mode`.
Ili kusaini upya programu na `get-task-allow` entitlement kuna zana kadhaa zinazopatikana kama `app-signer`, `codesign`, na `iResign`. `app-signer` ina kiolesura rafiki cha mtumiaji ambacho kinaruhusu kusaini upya faili la IPA kwa urahisi kwa kuashiria IPA ya kusaini upya, kuweka **`get-taks-allow`** na cheti na profaili ya ugawaji ya kutumia.
Kwa IPA iliyosainiwa upya, ni wakati wa kuisakinisha kwenye kifaa ili kuifanya pentest:
Kuhusu vyeti na profaili za kusaini, Apple inatoa **profaili za kusaini za watengenezaji bure** kwa akaunti zote kupitia Xcode. Unda tu programu na uipange. Kisha, panga **iPhone kuamini programu za watengenezaji** kwa kuingia kwenye `Settings` → `Privacy & Security`, na bonyeza `Developer Mode`.
With the re-signed IPA, it's time to install it in the device to pentest it:
```bash
ideviceinstaller -i resigned.ipa -w
```
### Hook
---
Unaweza kwa urahisi kuunganisha programu yako kwa kutumia zana za kawaida kama frida na objection:
### Wezesha Hali ya Mwandishi (iOS 16+)
Tangu iOS 16 Apple ilianzisha **Hali ya Mwandishi**: binary yoyote inayobeba `get_task_allow` *au* iliyosainiwa na cheti cha maendeleo itakataa kuanzishwa hadi Hali ya Mwandishi iwezeshwe kwenye kifaa. Hutaweza pia kuunganisha Frida/LLDB isipokuwa bendera hii iwepo.
1. Sakinisha au sukuma **yoyote** IPA iliyosainiwa na mwandishi kwenye simu.
2. Nenda kwenye **Mipangilio → Faragha & Usalama → Hali ya Mwandishi** na iwashe.
3. Kifaa kitaanzisha upya; baada ya kuingiza nambari ya siri utaulizwa **Washa** Hali ya Mwandishi.
Hali ya Mwandishi inabaki hai hadi uizime au kufuta simu, hivyo hatua hii inahitaji kufanywa mara moja tu kwa kifaa. [Hati za Apple](https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device) zinaelezea athari za usalama.
### Chaguzi za kisasa za sideloading
Sasa kuna njia kadhaa za kisasa za sideloading na kuweka IPAs zilizosainiwa up-to-date bila jailbreak:
| Chombo | Mahitaji | Nguvu | Mipaka |
|--------|----------|-------|--------|
| **AltStore 2 / SideStore** | msaidizi wa macOS/Windows/Linux anayesaini tena IPA kila siku 7 kwa profaili ya bure ya mwandishi | Upakuaji wa moja kwa moja kupitia Wi-Fi, inafanya kazi hadi iOS 17 | Inahitaji kompyuta kwenye mtandao mmoja, kikomo cha programu 3 kilichowekwa na Apple |
| **TrollStore 1/2** | Kifaa kwenye iOS 14 – 15.4.1 kilicho hatarini kwa hitilafu ya CoreTrust | *Saini ya kudumu* (hakuna kikomo cha siku 7); hakuna kompyuta inayohitajika mara tu inapowekwa | Haipatikani kwenye iOS 15.5+ (hitilafu imefanyiwa marekebisho) |
Kwa pentests za kawaida kwenye toleo la sasa la iOS, Alt/Side-Store mara nyingi ni chaguo bora zaidi.
### Hooking / uhandisi wa dynamic
Unaweza kuhook programu yako kama ilivyo kwenye kifaa kilichofungwa mara tu inapokuwa imesainiwa na `get_task_allow` **na** Hali ya Mwandishi ikiwa wazi:
```bash
objection -g [your app bundle ID] explore
# Spawn & attach with objection
objection -g "com.example.target" explore
# Or plain Frida
frida -U -f com.example.target -l my_script.js --no-pause
```
## Marejeo
Recent Frida releases (>=16) automatically handle pointer authentication and other iOS 17 mitigations, so most existing scripts work out-of-the-box.
### Automated dynamic analysis with MobSF (no jailbreak)
[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) inaweza kuingiza IPA iliyosainiwa na developer kwenye kifaa halisi kwa kutumia mbinu ile ile (`get_task_allow`) na inatoa UI ya wavuti yenye kivinjari cha mfumo wa faili, kukamata trafiki na console ya Frida【turn6view0†L2-L3】. Njia ya haraka zaidi ni kuendesha MobSF kwenye Docker kisha kuunganisha iPhone yako kupitia USB:
```bash
docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -p 8000:8000 --privileged \
-v /var/run/usbmuxd:/var/run/usbmuxd \
opensecurity/mobile-security-framework-mobsf:latest
# Browse to http://127.0.0.1:8000 and upload your resigned IPA
```
MobSF itapeleka kiotomatiki binary, iwezeshe seva ya Frida ndani ya sandbox ya programu na kuunda ripoti ya mwingiliano.
### iOS 17 & Kikwazo cha Modu ya Kufunga
* **Modu ya Kufunga** (Mipangilio → Faragha & Usalama) inazuia linker ya dynamic kupakia maktaba za dynamic zisizo na saini au zilizotiwa saini na nje. Unapojaribu vifaa ambavyo vinaweza kuwa na hali hii imewezeshwa hakikisha ime **zimwa** au vikao vyako vya Frida/objection vitakatishwa mara moja.
* Uthibitishaji wa Pointer (PAC) unatekelezwa kwa mfumo mzima kwenye vifaa vya A12+. Frida ≥16 inashughulikia PAC stripping kwa uwazi — hakikisha unashikilia *frida-server* na zana za Python/CLI zikiwa za kisasa wakati toleo jipya kuu la iOS linatolewa.
## Marejeleo
- [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed)
- Hati za maendeleo za Apple – Kuwawezesha Modu ya Mende kwenye kifaa: <https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device>
- Mfumo wa Usalama wa Simu (MobSF): <https://mobsf.github.io/Mobile-Security-Framework-MobSF/>
{{#include ../../banners/hacktricks-training.md}}
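Review bot: several strings in this hunk are untranslated or inconsistently translated: "Recent Frida releases (>=16) automatically handle pointer authentication ..." and the heading "### Automated dynamic analysis with MobSF (no jailbreak)" are still in English, while "Developer Mode" appears as `Developer Mode` in the re-sign paragraph, as "Hali ya Mwandishi" (literally "author mode") in the iOS 16+ section, and as "Modu ya Mende" (literally "insect/bug mode") in the references, so one term should be chosen and used throughout, including the Settings path in step 2 of that section. The MobSF paragraph also carries a stray citation marker `【turn6view0†L2-L3】` that must be deleted. Two technical nits: `get-taks-allow` (a typo present in both versions of the re-sign paragraph) should read `get-task-allow`, which is also the real entitlement key, so the `get_task_allow` spelling used in the rest of the page is inconsistent with it; and the Frida one-liner passes `--no-pause`, which from Frida 16 / frida-tools 12 onwards is the default behaviour (as far as I recall the switch itself was removed in favour of `--pause`), so it is worth checking against the current CLI before recommending it next to the ">=16" sentence.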