GitBook: [#2952] No subject
parent fe34f3ebc9
commit b4fe26f96d
26
SUMMARY.md
|
@ -505,19 +505,19 @@
|
|||
* [GCP - Buckets Enumeration](cloud-security/gcp-security/gcp-buckets-enumeration.md)
|
||||
* [Github Security](cloud-security/github-security/README.md)
|
||||
* [Basic Github Information](cloud-security/github-security/basic-github-information.md)
|
||||
* [Kubernetes Security](cloud-security/pentesting-kubernetes/README.md)
|
||||
* [Kubernetes Enumeration](cloud-security/pentesting-kubernetes/enumeration-from-a-pod.md)
|
||||
* [Abusing Roles/ClusterRoles](cloud-security/pentesting-kubernetes/hardening-roles-clusterroles/README.md)
|
||||
* [K8s Roles Abuse Lab](cloud-security/pentesting-kubernetes/hardening-roles-clusterroles/k8s-roles-abuse-lab.md)
|
||||
* [Pentesting Kubernetes Services](cloud-security/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md)
|
||||
* [Kubernetes Role-Based Access Control (RBAC)](cloud-security/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md)
|
||||
* [Attacking Kubernetes from inside a Pod](cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
|
||||
* [Kubernetes Basics](cloud-security/pentesting-kubernetes/kubernetes-basics.md)
|
||||
* [Exposing Services in Kubernetes](cloud-security/pentesting-kubernetes/exposing-services-in-kubernetes.md)
|
||||
* [Kubernetes Hardening](cloud-security/pentesting-kubernetes/kubernetes-hardening/README.md)
|
||||
* [Monitoring with Falco](cloud-security/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md)
|
||||
* [Kubernetes SecurityContext(s)](cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md)
|
||||
* [Kubernetes NetworkPolicies](cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md)
|
||||
* [Kubernetes Security](pentesting/pentesting-kubernetes/README.md)
|
||||
* [Kubernetes Enumeration](pentesting/pentesting-kubernetes/enumeration-from-a-pod.md)
|
||||
* [Abusing Roles/ClusterRoles](pentesting/pentesting-kubernetes/hardening-roles-clusterroles/README.md)
|
||||
* [K8s Roles Abuse Lab](pentesting/pentesting-kubernetes/hardening-roles-clusterroles/k8s-roles-abuse-lab.md)
|
||||
* [Pentesting Kubernetes Services](pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md)
|
||||
* [Kubernetes Role-Based Access Control (RBAC)](pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md)
|
||||
* [Attacking Kubernetes from inside a Pod](pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
|
||||
* [Kubernetes Basics](pentesting/pentesting-kubernetes/kubernetes-basics.md)
|
||||
* [Exposing Services in Kubernetes](pentesting/pentesting-kubernetes/exposing-services-in-kubernetes.md)
|
||||
* [Kubernetes Hardening](pentesting/pentesting-kubernetes/kubernetes-hardening/README.md)
|
||||
* [Monitoring with Falco](pentesting/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md)
|
||||
* [Kubernetes SecurityContext(s)](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md)
|
||||
* [Kubernetes NetworkPolicies](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md)
|
||||
* [Kubernetes Access to other Clouds](cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md)
|
||||
* [Cloud Security Review](cloud-security/cloud-security-review.md)
|
||||
* [AWS Security](cloud-security/aws-security.md)
|
||||
|
|
|
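Review bot: "Kubernetes Access to other Clouds" still points at `cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md`, while every other Kubernetes entry in this hunk now lives under `pentesting/pentesting-kubernetes/`, so the section ends up split across two directories. Either move that file with the rest and update its entry here, or state in the commit message why it stays behind; "No subject" gives a reader nothing to go on for a move of this size.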
@ -6,4 +6,4 @@ Go to **Cydia** app and add Frida’s repository by going to **Manage -> Sources
|
|||
|
||||
![](https://miro.medium.com/max/614/0\*qSD26kBtgt\_UIZk1.png)
|
||||
|
||||
After installed, you can use in your PC the command `frida-ls-devices` and check that the device appears (your PC needs to be able to access it).
|
||||
After installed, you can use in your PC the command `frida-ls-devices` and check that the device appears (your PC needs to be able to access it). Execute also `frida-ps -Uia` to check the running processes of the phone.
|
||||
|
|
|
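Review bot: the sentence appended to the `frida-ls-devices` line describes `frida-ps -Uia` as checking "the running processes of the phone", but `-a` restricts the listing to applications and `-i` includes installed applications that are not running. Suggest wording it as listing the installed applications (the identifiers a reader then passes to `--gadget`), or using `frida-ps -U` if running processes are what is meant. "After installed" and "Execute also" could be tidied to "Once installed" and "Also run" while the line is being touched.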
@ -1,6 +1,6 @@
|
|||
# iOS Hooking With Objection
|
||||
|
||||
For this section the tool [**Objection**](https://github.com/sensepost/objection) is going to be used.
|
||||
For this section the tool [**Objection**](https://github.com/sensepost/objection) is going to be used.\
|
||||
Start by getting an objection's session executing something like:
|
||||
|
||||
```bash
|
||||
|
@ -8,251 +8,247 @@ objection -d --gadget "iGoat-Swift" explore
|
|||
objection -d --gadget "OWASP.iGoat-Swift" explore
|
||||
```
|
||||
|
||||
You can execute also `frida-ps -Uia` to check the running processes of the phone.
|
||||
|
||||
## Basic Enumeration of the app
|
||||
|
||||
### Local App Paths
|
||||
|
||||
* `env`: Find the paths where the application is stored inside the device
|
||||
* `env`: Find the paths where the application is stored inside the device
|
||||
|
||||
```bash
|
||||
env
|
||||
```bash
|
||||
env
|
||||
|
||||
Name Path
|
||||
----------------- -----------------------------------------------------------------------------------------------
|
||||
BundlePath /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
|
||||
CachesDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
|
||||
DocumentDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
|
||||
LibraryDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library
|
||||
```
|
||||
Name Path
|
||||
----------------- -----------------------------------------------------------------------------------------------
|
||||
BundlePath /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
|
||||
CachesDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
|
||||
DocumentDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
|
||||
LibraryDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library
|
||||
```
|
||||
|
||||
### List Bundles, frameworks and libraries
|
||||
|
||||
* `ios bundles list_bundles`: List bundles of the application
|
||||
* `ios bundles list_bundles`: List bundles of the application
|
||||
|
||||
```bash
|
||||
ios bundles list_bundles
|
||||
Executable Bundle Version Path
|
||||
------------ -------------------- --------- -------------------------------------------
|
||||
iGoat-Swift OWASP.iGoat-Swift 1.0 ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
|
||||
AGXMetalA9 com.apple.AGXMetalA9 172.18.4 ...tem/Library/Extensions/AGXMetalA9.bundle
|
||||
```
|
||||
```bash
|
||||
ios bundles list_bundles
|
||||
Executable Bundle Version Path
|
||||
------------ -------------------- --------- -------------------------------------------
|
||||
iGoat-Swift OWASP.iGoat-Swift 1.0 ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
|
||||
AGXMetalA9 com.apple.AGXMetalA9 172.18.4 ...tem/Library/Extensions/AGXMetalA9.bundle
|
||||
```
|
||||
* `ios bundles list_frameworks`: List external frameworks used by the application
|
||||
|
||||
* `ios bundles list_frameworks`: List external frameworks used by the application
|
||||
```bash
|
||||
ios bundles list_frameworks
|
||||
Executable Bundle Version Path
|
||||
------------------------------ -------------------------------------------- ---------- -------------------------------------------
|
||||
ReactCommon org.cocoapods.ReactCommon 0.61.5 ...tle.app/Frameworks/ReactCommon.framework
|
||||
...vateFrameworks/CoreDuetContext.framework
|
||||
FBReactNativeSpec org.cocoapods.FBReactNativeSpec 0.61.5 ...p/Frameworks/FBReactNativeSpec.framework
|
||||
...ystem/Library/Frameworks/IOKit.framework
|
||||
RCTAnimation org.cocoapods.RCTAnimation 0.61.5 ...le.app/Frameworks/RCTAnimation.framework
|
||||
jsinspector org.cocoapods.jsinspector 0.61.5 ...tle.app/Frameworks/jsinspector.framework
|
||||
DoubleConversion org.cocoapods.DoubleConversion 1.1.6 ...pp/Frameworks/DoubleConversion.framework
|
||||
react_native_config org.cocoapods.react-native-config 0.12.0 ...Frameworks/react_native_config.framework
|
||||
react_native_netinfo org.cocoapods.react-native-netinfo 4.4.0 ...rameworks/react_native_netinfo.framework
|
||||
PureLayout org.cocoapods.PureLayout 3.1.5 ...ttle.app/Frameworks/PureLayout.framework
|
||||
GoogleUtilities org.cocoapods.GoogleUtilities 6.6.0 ...app/Frameworks/GoogleUtilities.framework
|
||||
RCTNetwork org.cocoapods.RCTNetwork 0.61.5 ...ttle.app/Frameworks/RCTNetwork.framework
|
||||
RCTActionSheet org.cocoapods.RCTActionSheet 0.61.5 ....app/Frameworks/RCTActionSheet.framework
|
||||
react_native_image_editor org.cocoapods.react-native-image-editor 2.1.0 ...orks/react_native_image_editor.framework
|
||||
CoreModules org.cocoapods.CoreModules 0.61.5 ...tle.app/Frameworks/CoreModules.framework
|
||||
RCTVibration org.cocoapods.RCTVibration 0.61.5 ...le.app/Frameworks/RCTVibration.framework
|
||||
RNGestureHandler org.cocoapods.RNGestureHandler 1.6.1 ...pp/Frameworks/RNGestureHandler.framework
|
||||
RNCClipboard org.cocoapods.RNCClipboard 1.5.1 ...le.app/Frameworks/RNCClipboard.framework
|
||||
react_native_image_picker org.cocoapods.react-native-image-picker 2.3.4 ...orks/react_native_image_picker.framework
|
||||
[..]
|
||||
```
|
||||
* `memory list modules`: List loaded modules in memory
|
||||
|
||||
```bash
|
||||
ios bundles list_frameworks
|
||||
Executable Bundle Version Path
|
||||
------------------------------ -------------------------------------------- ---------- -------------------------------------------
|
||||
ReactCommon org.cocoapods.ReactCommon 0.61.5 ...tle.app/Frameworks/ReactCommon.framework
|
||||
...vateFrameworks/CoreDuetContext.framework
|
||||
FBReactNativeSpec org.cocoapods.FBReactNativeSpec 0.61.5 ...p/Frameworks/FBReactNativeSpec.framework
|
||||
...ystem/Library/Frameworks/IOKit.framework
|
||||
RCTAnimation org.cocoapods.RCTAnimation 0.61.5 ...le.app/Frameworks/RCTAnimation.framework
|
||||
jsinspector org.cocoapods.jsinspector 0.61.5 ...tle.app/Frameworks/jsinspector.framework
|
||||
DoubleConversion org.cocoapods.DoubleConversion 1.1.6 ...pp/Frameworks/DoubleConversion.framework
|
||||
react_native_config org.cocoapods.react-native-config 0.12.0 ...Frameworks/react_native_config.framework
|
||||
react_native_netinfo org.cocoapods.react-native-netinfo 4.4.0 ...rameworks/react_native_netinfo.framework
|
||||
PureLayout org.cocoapods.PureLayout 3.1.5 ...ttle.app/Frameworks/PureLayout.framework
|
||||
GoogleUtilities org.cocoapods.GoogleUtilities 6.6.0 ...app/Frameworks/GoogleUtilities.framework
|
||||
RCTNetwork org.cocoapods.RCTNetwork 0.61.5 ...ttle.app/Frameworks/RCTNetwork.framework
|
||||
RCTActionSheet org.cocoapods.RCTActionSheet 0.61.5 ....app/Frameworks/RCTActionSheet.framework
|
||||
react_native_image_editor org.cocoapods.react-native-image-editor 2.1.0 ...orks/react_native_image_editor.framework
|
||||
CoreModules org.cocoapods.CoreModules 0.61.5 ...tle.app/Frameworks/CoreModules.framework
|
||||
RCTVibration org.cocoapods.RCTVibration 0.61.5 ...le.app/Frameworks/RCTVibration.framework
|
||||
RNGestureHandler org.cocoapods.RNGestureHandler 1.6.1 ...pp/Frameworks/RNGestureHandler.framework
|
||||
RNCClipboard org.cocoapods.RNCClipboard 1.5.1 ...le.app/Frameworks/RNCClipboard.framework
|
||||
react_native_image_picker org.cocoapods.react-native-image-picker 2.3.4 ...orks/react_native_image_picker.framework
|
||||
[..]
|
||||
```
|
||||
```bash
|
||||
memory list modules
|
||||
Name Base Size Path
|
||||
----------------------------------- ----------- ------------------- ------------------------------------------------------------------------------
|
||||
iGoat-Swift 0x104ffc000 2326528 (2.2 MiB) /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
|
||||
SubstrateBootstrap.dylib 0x105354000 16384 (16.0 KiB) /usr/lib/substrate/SubstrateBootstrap.dylib
|
||||
SystemConfiguration 0x1aa842000 495616 (484.0 KiB) /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
|
||||
libc++.1.dylib 0x1bdcfd000 368640 (360.0 KiB) /usr/lib/libc++.1.dylib
|
||||
libz.1.dylib 0x1efd3c000 73728 (72.0 KiB) /usr/lib/libz.1.dylib
|
||||
libsqlite3.dylib 0x1c267f000 1585152 (1.5 MiB) /usr/lib/libsqlite3.dylib
|
||||
Foundation 0x1ab550000 2732032 (2.6 MiB) /System/Library/Frameworks/Foundation.framework/Foundation
|
||||
libobjc.A.dylib 0x1bdc64000 233472 (228.0 KiB) /usr/lib/libobjc.A.dylib
|
||||
[...]
|
||||
```
|
||||
* `memory list exports <module_name>`: Exports of a loaded module 
|
||||
|
||||
* `memory list modules`: List loaded modules in memory
|
||||
|
||||
```bash
|
||||
memory list modules
|
||||
Name Base Size Path
|
||||
----------------------------------- ----------- ------------------- ------------------------------------------------------------------------------
|
||||
iGoat-Swift 0x104ffc000 2326528 (2.2 MiB) /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
|
||||
SubstrateBootstrap.dylib 0x105354000 16384 (16.0 KiB) /usr/lib/substrate/SubstrateBootstrap.dylib
|
||||
SystemConfiguration 0x1aa842000 495616 (484.0 KiB) /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
|
||||
libc++.1.dylib 0x1bdcfd000 368640 (360.0 KiB) /usr/lib/libc++.1.dylib
|
||||
libz.1.dylib 0x1efd3c000 73728 (72.0 KiB) /usr/lib/libz.1.dylib
|
||||
libsqlite3.dylib 0x1c267f000 1585152 (1.5 MiB) /usr/lib/libsqlite3.dylib
|
||||
Foundation 0x1ab550000 2732032 (2.6 MiB) /System/Library/Frameworks/Foundation.framework/Foundation
|
||||
libobjc.A.dylib 0x1bdc64000 233472 (228.0 KiB) /usr/lib/libobjc.A.dylib
|
||||
[...]
|
||||
```
|
||||
|
||||
* `memory list exports <module_name>`: Exports of a loaded module
|
||||
|
||||
```bash
|
||||
memory list exports iGoat-Swift
|
||||
Type Name Address
|
||||
-------- -------------------------------------------------------------------------------------------------------------------------------------- -----------
|
||||
variable _mh_execute_header 0x104ffc000
|
||||
function _mdictof 0x10516cb88
|
||||
function _ZN9couchbase6differ10BaseDifferD2Ev 0x10516486c
|
||||
function _ZN9couchbase6differ10BaseDifferD1Ev 0x1051648f4
|
||||
function _ZN9couchbase6differ10BaseDifferD0Ev 0x1051648f8
|
||||
function _ZN9couchbase6differ10BaseDiffer5setupEmm 0x10516490c
|
||||
function _ZN9couchbase6differ10BaseDiffer11allocStripeEmm 0x105164a20
|
||||
function _ZN9couchbase6differ10BaseDiffer7computeEmmj 0x105164ad8
|
||||
function _ZN9couchbase6differ10BaseDiffer7changesEv 0x105164de4
|
||||
function _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE 0x105164fa8
|
||||
function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE 0x1051651d8
|
||||
function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE 0x105165280
|
||||
variable _ZTSN9couchbase6differ10BaseDifferE 0x1051d94f0
|
||||
variable _ZTVN9couchbase6differ10BaseDifferE 0x10523c0a0
|
||||
variable _ZTIN9couchbase6differ10BaseDifferE 0x10523c0f8
|
||||
[..]
|
||||
```
|
||||
```bash
|
||||
memory list exports iGoat-Swift
|
||||
Type Name Address
|
||||
-------- -------------------------------------------------------------------------------------------------------------------------------------- -----------
|
||||
variable _mh_execute_header 0x104ffc000
|
||||
function _mdictof 0x10516cb88
|
||||
function _ZN9couchbase6differ10BaseDifferD2Ev 0x10516486c
|
||||
function _ZN9couchbase6differ10BaseDifferD1Ev 0x1051648f4
|
||||
function _ZN9couchbase6differ10BaseDifferD0Ev 0x1051648f8
|
||||
function _ZN9couchbase6differ10BaseDiffer5setupEmm 0x10516490c
|
||||
function _ZN9couchbase6differ10BaseDiffer11allocStripeEmm 0x105164a20
|
||||
function _ZN9couchbase6differ10BaseDiffer7computeEmmj 0x105164ad8
|
||||
function _ZN9couchbase6differ10BaseDiffer7changesEv 0x105164de4
|
||||
function _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE 0x105164fa8
|
||||
function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE 0x1051651d8
|
||||
function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE 0x105165280
|
||||
variable _ZTSN9couchbase6differ10BaseDifferE 0x1051d94f0
|
||||
variable _ZTVN9couchbase6differ10BaseDifferE 0x10523c0a0
|
||||
variable _ZTIN9couchbase6differ10BaseDifferE 0x10523c0f8
|
||||
[..]
|
||||
```
|
||||
|
||||
### List classes of an APP
|
||||
|
||||
* `ios hooking list classes`: List classes of the app
|
||||
* `ios hooking list classes`: List classes of the app
|
||||
|
||||
```bash
|
||||
ios hooking list classes
|
||||
```bash
|
||||
ios hooking list classes
|
||||
|
||||
AAAbsintheContext
|
||||
AAAbsintheSigner
|
||||
AAAbsintheSignerContextCache
|
||||
AAAcceptedTermsController
|
||||
AAAccount
|
||||
AAAccountManagementUIResponse
|
||||
AAAccountManager
|
||||
AAAddEmailUIRequest
|
||||
AAAppleIDSettingsRequest
|
||||
AAAppleTVRequest
|
||||
AAAttestationSigner
|
||||
[...]
|
||||
```
|
||||
AAAbsintheContext
|
||||
AAAbsintheSigner
|
||||
AAAbsintheSignerContextCache
|
||||
AAAcceptedTermsController
|
||||
AAAccount
|
||||
AAAccountManagementUIResponse
|
||||
AAAccountManager
|
||||
AAAddEmailUIRequest
|
||||
AAAppleIDSettingsRequest
|
||||
AAAppleTVRequest
|
||||
AAAttestationSigner
|
||||
[...]
|
||||
```
|
||||
* `ios hooking search classes <search_term>`: Search a class that contains a string. You can **search some uniq term that is related to the main app package** name to find the main classes of the app like in the example:
|
||||
|
||||
* `ios hooking search classes <search_term>`: Search a class that contains a string. You can **search some uniq term that is related to the main app package** name to find the main classes of the app like in the example:
|
||||
|
||||
```bash
|
||||
ios hooking search classes iGoat
|
||||
iGoat_Swift.CoreDataHelper
|
||||
iGoat_Swift.RCreditInfo
|
||||
iGoat_Swift.SideContainmentSegue
|
||||
iGoat_Swift.CenterContainmentSegue
|
||||
iGoat_Swift.KeyStorageServerSideVC
|
||||
iGoat_Swift.HintVC
|
||||
iGoat_Swift.BinaryCookiesExerciseVC
|
||||
iGoat_Swift.ExerciseDemoVC
|
||||
iGoat_Swift.PlistStorageExerciseViewController
|
||||
iGoat_Swift.CouchBaseExerciseVC
|
||||
iGoat_Swift.MemoryManagementVC
|
||||
[...]
|
||||
```
|
||||
```bash
|
||||
ios hooking search classes iGoat
|
||||
iGoat_Swift.CoreDataHelper
|
||||
iGoat_Swift.RCreditInfo
|
||||
iGoat_Swift.SideContainmentSegue
|
||||
iGoat_Swift.CenterContainmentSegue
|
||||
iGoat_Swift.KeyStorageServerSideVC
|
||||
iGoat_Swift.HintVC
|
||||
iGoat_Swift.BinaryCookiesExerciseVC
|
||||
iGoat_Swift.ExerciseDemoVC
|
||||
iGoat_Swift.PlistStorageExerciseViewController
|
||||
iGoat_Swift.CouchBaseExerciseVC
|
||||
iGoat_Swift.MemoryManagementVC
|
||||
[...]
|
||||
```
|
||||
|
||||
### List class methods
|
||||
|
||||
* `ios hooking list class_methods`: List methods of a specific class
|
||||
* `ios hooking list class_methods`: List methods of a specific class
|
||||
|
||||
```bash
|
||||
ios hooking list class_methods iGoat_Swift.RCreditInfo
|
||||
- cvv
|
||||
- setCvv:
|
||||
- setName:
|
||||
- .cxx_destruct
|
||||
- name
|
||||
- cardNumber
|
||||
- init
|
||||
- initWithValue:
|
||||
- setCardNumber:
|
||||
```
|
||||
```bash
|
||||
ios hooking list class_methods iGoat_Swift.RCreditInfo
|
||||
- cvv
|
||||
- setCvv:
|
||||
- setName:
|
||||
- .cxx_destruct
|
||||
- name
|
||||
- cardNumber
|
||||
- init
|
||||
- initWithValue:
|
||||
- setCardNumber:
|
||||
```
|
||||
* `ios hooking search methods <search_term>`: Search a method that contains a string
|
||||
|
||||
* `ios hooking search methods <search_term>`: Search a method that contains a string
|
||||
```bash
|
||||
ios hooking search methods cvv
|
||||
[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
|
||||
[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
|
||||
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
|
||||
[iGoat_Swift.RCreditInfo - cvv]
|
||||
[iGoat_Swift.RCreditInfo - setCvv:]
|
||||
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
|
||||
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
|
||||
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
|
||||
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
|
||||
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
|
||||
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]
|
||||
```
|
||||
|
||||
```bash
|
||||
ios hooking search methods cvv
|
||||
[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
|
||||
[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
|
||||
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
|
||||
[iGoat_Swift.RCreditInfo - cvv]
|
||||
[iGoat_Swift.RCreditInfo - setCvv:]
|
||||
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
|
||||
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
|
||||
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
|
||||
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
|
||||
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
|
||||
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]
|
||||
```
|
||||
|
||||
## Basic Hooking
|
||||
## Basic Hooking 
|
||||
|
||||
Now that you have **enumerated the classes and modules** used by the application you may have found some **interesting class and method names**.
|
||||
|
||||
### Hook all methods of a class
|
||||
|
||||
* `ios hooking watch class <class_name>`: Hook all the methods of a class, dump all the initial parameters and returns
|
||||
* `ios hooking watch class <class_name>`: Hook all the methods of a class, dump all the initial parameters and returns
|
||||
|
||||
```bash
|
||||
ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
|
||||
```
|
||||
```bash
|
||||
ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
|
||||
```
|
||||
|
||||
### Hook a single method
|
||||
|
||||
* `ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace`: Hook an specific method of a class dumping the parameters, backtraces and returns of the method each time it's called
|
||||
* `ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace`: Hook an specific method of a class dumping the parameters, backtraces and returns of the method each time it's called
|
||||
|
||||
```bash
|
||||
ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
|
||||
```
|
||||
```bash
|
||||
ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
|
||||
```
|
||||
|
||||
### Change Boolean Return
|
||||
|
||||
* `ios hooking set return_value "-[<class_name> <method_name>]" false`: This will make the selected method return the indicated boolean
|
||||
* `ios hooking set return_value "-[<class_name> <method_name>]" false`: This will make the selected method return the indicated boolean
|
||||
|
||||
```bash
|
||||
ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
|
||||
```
|
||||
```bash
|
||||
ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
|
||||
```
|
||||
|
||||
### Generate hooking template
|
||||
|
||||
* `ios hooking generate simple <class_name>`:
|
||||
* `ios hooking generate simple <class_name>`:
|
||||
|
||||
```bash
|
||||
ios hooking generate simple iGoat_Swift.RCreditInfo
|
||||
```bash
|
||||
ios hooking generate simple iGoat_Swift.RCreditInfo
|
||||
|
||||
var target = ObjC.classes.iGoat_Swift.RCreditInfo;
|
||||
var target = ObjC.classes.iGoat_Swift.RCreditInfo;
|
||||
|
||||
Interceptor.attach(target['+ sharedSchema'].implementation, {
|
||||
onEnter: function (args) {
|
||||
console.log('Entering + sharedSchema!');
|
||||
},
|
||||
onLeave: function (retval) {
|
||||
console.log('Leaving + sharedSchema');
|
||||
},
|
||||
});
|
||||
Interceptor.attach(target['+ sharedSchema'].implementation, {
|
||||
onEnter: function (args) {
|
||||
console.log('Entering + sharedSchema!');
|
||||
},
|
||||
onLeave: function (retval) {
|
||||
console.log('Leaving + sharedSchema');
|
||||
},
|
||||
});
|
||||
|
||||
|
||||
Interceptor.attach(target['+ className'].implementation, {
|
||||
onEnter: function (args) {
|
||||
console.log('Entering + className!');
|
||||
},
|
||||
onLeave: function (retval) {
|
||||
console.log('Leaving + className');
|
||||
},
|
||||
});
|
||||
Interceptor.attach(target['+ className'].implementation, {
|
||||
onEnter: function (args) {
|
||||
console.log('Entering + className!');
|
||||
},
|
||||
onLeave: function (retval) {
|
||||
console.log('Leaving + className');
|
||||
},
|
||||
});
|
||||
|
||||
|
||||
Interceptor.attach(target['- cvv'].implementation, {
|
||||
onEnter: function (args) {
|
||||
console.log('Entering - cvv!');
|
||||
},
|
||||
onLeave: function (retval) {
|
||||
console.log('Leaving - cvv');
|
||||
},
|
||||
});
|
||||
Interceptor.attach(target['- cvv'].implementation, {
|
||||
onEnter: function (args) {
|
||||
console.log('Entering - cvv!');
|
||||
},
|
||||
onLeave: function (retval) {
|
||||
console.log('Leaving - cvv');
|
||||
},
|
||||
});
|
||||
|
||||
|
||||
Interceptor.attach(target['- setCvv:'].implementation, {
|
||||
onEnter: function (args) {
|
||||
console.log('Entering - setCvv:!');
|
||||
},
|
||||
onLeave: function (retval) {
|
||||
console.log('Leaving - setCvv:');
|
||||
},
|
||||
});
|
||||
```
|
||||
|
||||
Interceptor.attach(target['- setCvv:'].implementation, {
|
||||
onEnter: function (args) {
|
||||
console.log('Entering - setCvv:!');
|
||||
},
|
||||
onLeave: function (retval) {
|
||||
console.log('Leaving - setCvv:');
|
||||
},
|
||||
});
|
||||
```
|
||||
|
|
|
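Review bot: under "Generate hooking template" the bullet `ios hooking generate simple <class_name>`: still ends in a colon with no description, unlike every other command bullet in this file; add a short phrase saying that it prints a Frida `Interceptor.attach` skeleton for each method of the class. The `## Basic Hooking` heading also appears a second time with a trailing space, which looks like editor noise and should be dropped. The rest of the hunk repeats each bullet and fenced block with identical text, so the change appears to be indentation only; it would be easier to review as a separate whitespace commit, apart from the removal of the `frida-ps -Uia` sentence.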
@ -52,8 +52,8 @@ Another important details about enumeration and Kubernetes permissions abuse is
|
|||
|
||||
If you have compromised a K8s account or a pod, you might be able able to move to other clouds. This is because in clouds like AWS or GCP is possible to **give a K8s SA permissions over the cloud**.
|
||||
|
||||
{% content-ref url="kubernetes-access-to-other-clouds.md" %}
|
||||
[kubernetes-access-to-other-clouds.md](kubernetes-access-to-other-clouds.md)
|
||||
{% content-ref url="../../cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md" %}
|
||||
[kubernetes-access-to-other-clouds.md](../../cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Labs to practice and learn
|
|
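Review bot: the content-ref now climbs out of the new location with `../../cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md`, which ties this page to a directory that the rest of the section has just left and will break as soon as that last file is moved. Moving the target alongside this page would let the link stay the plain `kubernetes-access-to-other-clouds.md` it was. The context sentence directly above also reads "might be able able to move" and "is possible to"; worth fixing in the same change.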
@ -108,8 +108,8 @@ helm --host tiller-deploy.kube-system:44134 version
|
|||
|
||||
You could abuse this service to escalate privileges inside Kubernetes:
|
||||
|
||||
{% content-ref url="../../pentesting/44134-pentesting-tiller-helm.md" %}
|
||||
[44134-pentesting-tiller-helm.md](../../pentesting/44134-pentesting-tiller-helm.md)
|
||||
{% content-ref url="../44134-pentesting-tiller-helm.md" %}
|
||||
[44134-pentesting-tiller-helm.md](../44134-pentesting-tiller-helm.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### cAdvisor
|