HI, I’M ANAND

About Me

I'm an Information Security Enthusiast

Information Security Professional and Independent Researcher working in ethical hacking: identifying security vulnerabilities and weaknesses in target applications, establishing the business impact and ease of exploitation of each issue found, and providing the remedial recommendations that should be implemented to mitigate the impact of the issues identified.

• Vulnerability Research and Disclosure

• Web Application Vulnerability Assessment as per OWASP Standards

• Penetration Testing / Vulnerability Assessment of the Networks and Systems

Anand Tiwari Information Security

My Skills

WHAT I DO

Web Application Security

Mobile Application Security

Network Pentesting

Web Application Vulnerability Assessment:

During web application vulnerability assessments I found some interesting vulnerabilities in popular bug bounty programs such as Google, Facebook, Yahoo, Twitter, PayPal, Apple, Adobe, Nokia Siemens and so on. My main focus is the OWASP Top 10 attacks and logical bugs. I also have experience with tools like IBM Rational AppScan, Netsparker, Burp, Acunetix, HP WebInspect etc. Mostly I rely on manual testing and try different methodologies for finding attacks.

Network Penetration Testing:

Worked in network penetration testing to evaluate the strength of systems, identify known weaknesses and attempt to bypass them in order to exploit the system. My main scope is evaluating network security by simulating attacks on a network from external and internal threats.

Mobile Application Vulnerability Assessment

* Android

* iOS

* Windows

  • Web Application Security 90%
  • Mobile Application Security 80%
  • Vulnerability Assessment 95%
  • Vulnerability Management 90%
  • Python 40%
  • Penetration Testing 60%

My Blog

MY BEST WORKS
Hack Android Application Through Exposed Components
Yeah, I'm back... After a long time I'm going to write a blog post, and in this post we'll walk through how exposed components can be used to attack an Android application.

The first thing that strikes the mind is: what are components? A component is an entry point through which the system or a user can interact with the app, and some components depend on others.

There are four different types of app components:

  • Activity: An activity is the first thing that allows users to interact with the app. It represents a single screen with a user interface. For example, in a password-storing app the first activity is the login page and the second activity shows the list of passwords already saved in the application. A different app can start any one of these activities if the app allows it. For example, a camera app can start the activity in the email app that composes new mail so the user can share a picture.
  • Service: A service is a general-purpose entry point for keeping an app running in the background for all kinds of reasons. It is a component that runs in the background to perform long-running operations or to perform work for remote processes. For example, a music player.
  • Broadcast receivers: Broadcast receivers simply respond to broadcast messages from other applications or from the system. For example, an application can initiate a broadcast to let other applications know that some data has been downloaded to the device and is available for them to use; the broadcast receiver is the component that intercepts this communication and initiates the appropriate action. Many broadcasts originate from the system, for example a broadcast announcing that the screen has turned off, the battery is low, or a picture was captured.
  • Content providers: We can simply say "content providers are used to share data between applications". Through the content provider, other apps can query or modify the data if the content provider allows it. For example, the Android system provides a content provider that manages the user's contact information. Any app with the proper permissions can query that content provider, such as ContactsContract.Data, to read and write information about a particular person.

Intents: Intent is used to invoke components. It is mainly used to:
  • Start the service 
  • Launch an activity 
  • Display a web page 
  • Display a list of contacts 
  • Broadcast a message 
  • Dial a phone call etc.

Test Application:

I'm using the Sieve vulnerable app to demonstrate the vulnerabilities. Sieve is a 'Password Manager' app showcasing some common Android vulnerabilities, created by MWR Labs.

Viewing Manifests

We'll get the manifest file using apktool:






Now you can analyze the manifest file and list all activities to check what data each activity exposes and explore the application's functionality. Sometimes an activity exposes sensitive user data when it is called directly without providing credentials, which leaks the user's sensitive data.


Activity Manager (am): Within an adb shell, you can issue commands with the activity manager (am) tool to perform various system actions, such as start an activity, force-stop a process, broadcast an intent, modify the device screen properties, and more.

$ adb shell am start -n <package_name>/<activity_name>

Let's call the .PWList activity and check the list of passwords saved in the application.




We can use Drozer, a semi-automatic framework developed by MWR InfoSecurity, which helps us extract the exposed components of the application and perform attacks on it.

Drozer uses an agent (APK) which is installed on the device and provides a shell for executing commands. First, download the drozer agent from the MWR Labs website and install it on the device/emulator under test. After installing the agent, launch the app and turn on the agent.

After that, set up a port-forward so that your PC can connect to a TCP socket opened by the Agent inside the emulator, or on the device:


             $ adb forward tcp:31415 tcp:31415



And then launch the drozer console.

             $ drozer console connect



Let's search for the target application's package name using a drozer command.



Check the application's attack surface.



As we can see, 3 activities, 2 content providers and 2 services are exported. Next, we can analyze all the exported attack surfaces.


Let's start with the activities:


Three packages are listed. Let's check the hidden activities.

In the picture we can see some hidden activities listed which may expose sensitive user information.

Executing the following command will launch an activity.


Exploiting Insecure Content Providers

A common root cause of content provider problems is that they are not explicitly marked as exported="false" in their manifest declarations, because the assumption is that they follow the same default export behavior as other components.
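The default-export rules described above (and the activity listing earlier in the post) can be checked mechanically. The following Python script is an added example, not part of the original post or of Sieve: it parses a manifest, applies the platform defaults for components that have no explicit android:exported attribute, and reports each exported component together with the permission gating it. The manifest it reads is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

def attr(name):
    """Namespaced form of an android:* attribute, as ElementTree expects it."""
    return "{%s}%s" % (ANDROID_NS, name)

def is_exported(elem, min_sdk):
    """Apply the platform's default-export rules when android:exported is absent."""
    explicit = elem.get(attr("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return min_sdk < 17  # providers were exported by default before API 17
    # Activities, services and receivers default to exported only if they
    # declare at least one intent-filter.
    return elem.find("intent-filter") is not None

def exported_components(manifest_xml):
    """List every exported component with the permission (if any) gating it."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(uses_sdk.get(attr("minSdkVersion"), "1")) if uses_sdk is not None else 1
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, min_sdk):
            continue
        perm = elem.get(attr("permission"))
        paths = []
        if elem.tag == "provider":
            # A provider may be gated as a whole (read/writePermission) or only
            # on sub-paths; any path not listed is reachable by every app.
            perm = perm or elem.get(attr("readPermission")) or elem.get(attr("writePermission"))
            paths = [p.get(attr("path")) for p in elem.findall("path-permission")]
        findings.append({"type": elem.tag, "name": elem.get(attr("name")),
                         "permission": perm, "guarded_paths": paths})
    return findings

# Constructed sample manifest (not the real Sieve manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vault">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="19"/>
  <application android:label="Vault">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".AuthService">
      <intent-filter><action android:name="com.example.vault.AUTH"/></intent-filter>
    </service>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.vault.DBContentProvider">
      <path-permission android:path="/Keys" android:readPermission="com.example.vault.READ_KEYS"
                       android:writePermission="com.example.vault.WRITE_KEYS"/>
    </provider>
  </application>
</manifest>"""

if __name__ == "__main__":
    for f in exported_components(SAMPLE_MANIFEST):
        print("%-9s %-21s permission=%s guarded_paths=%s"
              % (f["type"], f["name"], f["permission"], f["guarded_paths"]))
```

In the sample the provider is reported as exported with no provider-wide permission and only /Keys guarded, which is exactly the situation the post goes on to exploit.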

Let's explore the content providers in the Sieve application and try to understand the vulnerabilities.



This reveals that two content providers don't require any permissions for users who want to read from or write to them. However, the DBContentProvider requires that users have permissions to read from or write to the /Keys path.

Let's check the content URIs.


Using Drozer to list the URIs:


The newly discovered path is /Passwords. It has no permissions protecting it, and querying this URI leads to the disclosure of all the accounts stored in this password manager. Here is the command for querying this content URI:


The content provider leaked all the stored passwords, but the developer of the application was clever and encrypted or obfuscated the password field.

Let's scan for SQL injection and try to figure out whether we can extract information from the content providers.


Looks like injection in the projection. We can confirm the SQL injection by providing a single quote in the projection, which causes an error in the structure of the query that SQLite receives.


You can now use this injection point to find all the tables available in the same SQLite database by using a projection of * from sqlite_master where type='table'--.


Let's extract the data from the Key table.


Great... here we got the login password and PIN of the application. This shows a complete compromise of the password manager's master password and PIN used to protect the data.
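The projection injection used in the last few steps comes down to one pattern: the caller's projection array is joined straight into the SELECT text. The following Python example is added here and is not part of the original post or of Sieve; it rebuilds that query construction over an in-memory SQLite database with a constructed schema (a Passwords table and a Key table), shows the single-quote probe and the sqlite_master projection from the post against the vulnerable builder, and contrasts it with a builder that validates every projection column against an allowlist before any SQL is built.

```python
import sqlite3

# Columns the Passwords table is meant to expose through the provider.
PASSWORDS_COLUMNS = ("_id", "service", "username", "password")

def make_db():
    """Constructed in-memory schema mirroring a password manager: a Passwords
    table the provider serves, and a Key table it never intended to expose."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT,
                                username TEXT, password BLOB);
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Passwords VALUES (1, 'mail', 'alice', X'DEADBEEF');
        INSERT INTO Key VALUES ('constructed-master-pw', '1234');
    """)
    return db

def query_vulnerable(db, projection):
    """Builds the SELECT the way the naive provider does: the caller-supplied
    projection is concatenated straight into the SQL text."""
    sql = "SELECT %s FROM Passwords" % ", ".join(projection)
    return db.execute(sql).fetchall()

def query_hardened(db, projection):
    """Every requested column must match the allowlist before any SQL is built
    (the equivalent of a strict projection map on the provider)."""
    for col in projection:
        if col not in PASSWORDS_COLUMNS:
            raise ValueError("column not permitted in projection: %r" % col)
    sql = "SELECT %s FROM Passwords" % ", ".join(projection)
    return db.execute(sql).fetchall()

def hardened_rejects(db, projection):
    """True if the allowlist blocks the projection, False if the query runs."""
    try:
        query_hardened(db, projection)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    # The probe from the post: a lone quote breaks the structure of the query.
    try:
        query_vulnerable(db, ["'"])
    except sqlite3.OperationalError as e:
        print("single quote in projection ->", e)
    # The post's sqlite_master projection enumerates tables the provider never serves.
    tables = ["* FROM sqlite_master WHERE type='table'--"]
    print("vulnerable:", [row[1] for row in query_vulnerable(db, tables)])
    print("hardened rejects:", hardened_rejects(db, tables))
    print("legit:", query_hardened(db, ["service", "username"]))
```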

Conclusion:


In this article we walked through the Android application components and techniques to exploit them. We also looked at the Drozer framework for performing security assessments of Android applications.


CTF Mr-Robot: 1 Challenge


If you are looking to start real pentesting and want to hack a box or do real-time pentesting, I would suggest starting with CTFs.

Mr-Robot CTF: let's take this challenge and crack this CTF. You can get the VM from VulnHub.

If you want to pentest any target you should start with the following steps:

  • Reconnaissance
  • Scanning
  • Exploitation
  • Gaining Access

Let's start with the Reconnaissance and Scanning phases on the target and gather valuable information to use in later steps.

So here my target IP is "192.168.56.103". Let's do an Nmap scan to find the open ports on the target IP.



From the nmap result we found that two ports are open, 80 and 443, and an Apache service is running on them.

Let's browse to it on port 80.



Whenever I do testing I always use Nikto as the first scan of the target to get some information. It is also important for a web application to spider the host. Let's do both.



So here are the interesting things we found after the scans:
  • robots.txt: a text (not HTML) file you put on your site to tell search robots which pages you would like them not to visit. robots.txt is by no means mandatory for search engines, but generally search engines obey what they are asked not to do.
  • /wp-login/: WordPress admin path found.

Let's check the robots.txt file and explore the paths it lists.


Wow!! We found the first flag as key-1.



Let's check the second path.



It seems to contain a huge word list.


Now let's check the other finding of the scan, which is the wp-login page.



The first thing that popped into my mind is that we should brute-force the login page to get the username and password.


We previously found a huge word list while exploring the robots.txt file.

Before moving to the next step we should remove the duplicate values from fsocity.dic.

root@kali:~# sort fsocity.dic | uniq > sorted.dic

Now we have a sorted.dic file with the duplicate values removed.

Let's move to the next step and figure out the username by brute-forcing with Burp Intruder.





Here we found three correct usernames: ELLIOT, elliot, Elliot.

Now it's time to get the password using the same method with Burp Intruder.


 


Here we go... and found the password ER28-0652.




Now it's time to get root access on the machine.

We can upload a PHP shell into WordPress and get a reverse shell from it.

I was already aware of the pentestmonkey php-reverse-shell (http://pentestmonkey.net/tools/web-shells/php-reverse-shell); let's download it and upload it into the .php page.






Boom!!! We got a shell as daemon. Now let's look for the flags inside the box.

After checking some file systems and folders I found that the home > robot folder contains two files, key-2-of-3.txt and password.raw-md5.

Here we got the second flag in the key-2-of-3.txt file.



Oh!! Wait... we don't have access to this file.

 

Let's check the second file, password.raw-md5.


Looks like this is the password of the user robot as an MD5 hash. We need to crack this password, and as we know we can use the John the Ripper tool.


Congrats!! We got the robot user's password. Next is to log in as the robot user.



When I tried su robot I got an error. Let's get a proper terminal using Python.

python -c 'import pty; pty.spawn("/bin/sh")'




Here we got the second flag, key-2-of-3.txt:

822c73956184f694993bede3eb39f959


Now the next thing in my mind is to go into the root folder and check what data is stored there.

But wait, we don't have permission. We need to get root privileges.

No luck finding any clue after checking all the file systems and folders. Now it's time to check which applications are installed with which privileges.

After checking all the files and folders I finally found that nmap is installed with root privileges, which will be useful for getting root.



After googling and reading many articles I found that --interactive helps us to escalate privileges.



And finally we catch the third flag in key-3-of-3.txt.



Windows Mobile Application Security Testing - Part 6

In this article we will learn how to analyze the local storage of the device and look at a way to do static analysis by reverse engineering. If you have not yet rooted your device, please read my previous article, where I have described the process of rooting the device.

Exploring application binaries, .NET assemblies, and other assets


On the device, installed applications have two main directories: one where the application binaries, .NET assemblies and assets are stored, and another, the app's local storage directory, where the app can store its local data.

All installed apps have their own installation directory, located at D:\Computer\Windows Phone\Phone\Data\PROGRAMS\{GUID}\Install\.






Also, each app has its own local storage directory and runs in its own filesystem sandbox. The local storage directory for an app is located at D:\Computer\Windows Phone\Phone\Data\Users\DefApps\APPDATA\{GUID}


Application Manifest File


Let's start with the application's manifest file, which gives us information about the application and its structure and helps us understand the application.

In Windows Phone 8 the manifest file is named WMAppManifest.xml in XAP files, and in Windows 8.x applications the manifest is named Package.appxmanifest in APPX packages.


The manifest file supports multiple XML elements, some of which are interesting from a security point of view:
  • Capabilities (<Capabilities>) - Defines the capabilities required by the application.
  • File Type Association (<FileTypeAssociation>) - Defines the file extensions that are associated with the application.
  • Protocol (<Protocol>) - Defines URL schemes that the app wishes to register for.
  • Activatable Class (<ActivatableClass>) - Defines classes that are used by the app that are external to it.
  • Interface (<Interface>) - Specifies interfaces that the app implements that are external to it.

Check the capabilities:

<Capabilities>
<Capability Name="ID_CAP_IDENTITY_DEVICE" />
<Capability Name="ID_CAP_IDENTITY_USER" />
<Capability Name="ID_CAP_LOCATION" />
<Capability Name="ID_CAP_MICROPHONE" />
<Capability Name="ID_CAP_NETWORKING" />
<Capability Name="ID_CAP_PHONEDIALER" />
<Capability Name="ID_CAP_PUSH_NOTIFICATION" />
<Capability Name="ID_CAP_SENSORS" />
<Capability Name="ID_CAP_WEBBROWSERCOMPONENT" />
<Capability Name="ID_CAP_ISV_CAMERA" />
<Capability Name="ID_CAP_CONTACTS" />
<Capability Name="ID_CAP_APPOINTMENTS" />
<Capability Name="ID_CAP_MEDIALIB_AUDIO" />
<Capability Name="ID_CAP_MEDIALIB_PHOTO" />
<Capability Name="ID_CAP_MEDIALIB_PLAYBACK" /> 
</Capabilities>



It seems the application uses the Location, Microphone, Networking, Phone Dialer, Contacts and Medialib Photo capabilities. These are all sensitive and collect user information.

Analyzing Local Storage

As we know, applications need local storage to save or cache files and folders for later use. Let's analyze the local storage of the application on the device.

Application data: C:\Data\Users\DefApps\APPDATA\{GUID}\...

Install directory: C:\Data\Programs\{GUID}\Install\...

Here are some interesting folders to analyze in the local storage.

Framework Temp - Some framework temporary data is stored here.

INetCache - Stores WebView cache files.

INetCookies - Stores web cookie data.




INetHistory - Stores the history of web pages.

Local - This is the folder where most applications store sensitive data. We can also call it the application's isolated storage.

LocalLow - Low-integrity code writes to this folder. Code executing with low integrity can only write to a small number of locations on the disk, such as the LocalLow folder (FOLDERID_LocalAppDataLow).

PlatformData - A directory the system creates in the top level of the app's isolated storage.


Let's move into the local storage:


D:\Data\Users\DefApps\APPDATA\{513D7B13-D7A9-4B59-ACB0-B4629E4A7EEE}\Local




So above we have the list of all local storage data. __ApplicationSettings and userdata seem to store sensitive data. Let's open the __ApplicationSettings file.


Wow!! The application's login username and password are stored in plain text in __ApplicationSettings.





Now check the userdata database file where all the data has been stored.

In order to open the userdata.sdf file, which is a SQL Server Compact database, we need to use an SDF viewer such as CompactView.

You can download CompactView_1.4.12.0 and install it on your system.


Okay, so here we got the database where all the data is stored. But it seems the data has been encoded into some numeric values. To find out how these values were encoded we have to reverse engineer the application and understand the data encoding from the code.

Reverse Engineering on the Application


In order to analyze the application binaries we have to extract all the application binaries and .NET assemblies from the device directory where the application's installation files are installed. Move into the install directory C:\Data\Programs\{GUID}\Install\..

D:\Data\PROGRAMS\{513D7B13-D7A9-4B59-ACB0-B4629E4A7EEE}\Install



Okay, after extracting all the binaries from the device we'll disassemble/decompile and analyze them by manual testing. It is also necessary to review the source code.

Most of the .dll files seem to be GoogleAds and GoogleAnalytics, but we have to decompile the application's own .dll file. PhoneApp5.dll seems to be the application .dll. Let's decompile this file using ILSpy, which allows you to decompile .NET assemblies.

Now let's load PhoneApp5.dll into ILSpy and decompile the assemblies.




In the picture above you can see that all the classes have been decompiled and we are able to view the C# code. Now let's review the code and figure out some security issues.

We can start looking into the .NET libraries, namespaces and classes. So let's start from the first class, AboutUs, as by its name it looks like it holds all the information about the application.



If you look into the code, the developer has embedded his name with his mail ID, which could be used for further attacks. Many times, in most applications, you are able to extract information about the developers. Let's move to other classes.

At the top of the class you can review the .NET libraries, which will help you figure out security issues.

Here in the Action class, if you look at the top you can see the list of libraries:


using GoogleAds;
using GoogleAnalytics;
using Microsoft.Phone.Controls;
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO.IsolatedStorage; //
using System.Windows;
using System.Windows.Controls;
using System.Windows.Input;

This Action class is using System.IO.IsolatedStorage, which means the class uses IsolatedStorage to store data.




If you look into the code snippet, the username and password are stored into __ApplicationSettings() without any encryption, which matches what we found in our local storage analysis of the __ApplicationSettings file.

Let's move to other classes to check the local storage database.



using GoogleAnalytics;
using Microsoft.Phone.Controls;
using PhoneApp5.MyClasses;
using System;
using System.Diagnostics;
using System.Linq; //
using System.Windows;
using System.Windows.Controls;
using System.Windows.Navigation;

If you look at this list of libraries, there is the System.Linq namespace, which provides classes and interfaces that support queries using Language-Integrated Query (LINQ).



In this picture, if you look closely, UserDataContext is a public class where the DB connection is established and the userdata.sdf database file, where all the data is stored, is created.

Next, all bank data is stored and updated by the class UserDataContext. If you look closely at the code, before storing data into the database they pass it through the function Scramble.

In our local storage analysis we got the userdata.sdf database file, and using CompactView we viewed the data stored in it. But the data was encoded into numeric values, not plain text. So the application uses the Scramble function to scramble the words using some programmatic method.

Let's look closely and figure out how the data is decoded.



Okay, we managed to find the function UnScramble, which decodes the data stored in the database file when displaying the information to the user. So we also have the unscramble routine to decode all the users' data from the database.

By the way, for this application we got the username and password stored in plain text in the __ApplicationSettings file, which can be used to unlock the application and view all of the user's data. But I wanted to show you the approach of source code review by reverse engineering the application.

Secure Way of Storing Data in Windows Phone


If you are a developer used to saving data in the device's local storage, then I would say saving confidential data in a phone's isolated storage is not secure. Also, encrypting all your data and saving the decryption key inside the device does not increase your security; it is all about how well the key is hidden.

Microsoft has DPAPI (Data Protection API) to encrypt and decrypt the entire isolated storage. DPAPI generates and stores a cryptographic key using the user and device credentials to encrypt and decrypt data. You can use the ProtectedData class, which gives you access to DPAPI through the Protect and Unprotect methods: Protect encrypts the data and Unprotect decrypts it. On a Windows Phone device every app gets its own decryption key, which is created when you run the app for the first time. Calls to Protect and Unprotect implicitly use that key and make sure all the data remains private to the app.

Protect and Unprotect take an optional parameter called optionalEntropy. If you are using DPAPI it is recommended to use optionalEntropy, because all data protected by DPAPI on Windows Phone is encrypted with the same key. If an attacker on the device, or any app, is able to get access to DPAPI-encrypted data, and the target app is not using the optionalEntropy parameter, then it can recover the data by simply calling ProtectedData.Unprotect(). So you should always use the optionalEntropy parameter if you want to use DPAPI in your apps. However, hard-coding optionalEntropy or storing it on the device will allow an attacker with full access to the device to decrypt all the data. In that case you should base it on a secret passphrase known only to the app user: derive it with PBKDF2 from a password only the user knows.

Windows Phone local database encryption


If you want to encrypt your database you can simply use the Password property in your database's connection string:

// Create the data context.
MyDataContext db = new MyDataContext("Data Source='isostore:/mydb.sdf';Password='securepassword';");

// Create an encrypted database after confirming that it does not exist.
if (!db.DatabaseExists()) db.CreateDatabase();

But hard-coding the key or secure credential is not a good idea. As we saw, we can decompile the code by reverse engineering the application and get the secret key.

In that case you can use a SQLite-based database with the SQLite Encryption Extension (SEE) or SQLCipher.

Conclusion:


In this article we analyzed the device's internal local storage and the application's database. We also learned a secure way to store data on the device, and how to perform source code review by reverse engineering.

If you want to learn more about Windows Mobile application security, I recommend reading "The Mobile Application Hacker's Handbook".
