Android Penetration Testing (PenTesting Android Apps)

October 18th, 2011 No comments

A report by McAfee for last quarter states that the ‘Count of new Android-specific malware moved to number one, with J2ME (Java Micro Edition), coming in second while suffering only a third as many malware.’ In simple words, if you own an Android phone, the chances of it being compromised are 2.5 times more than any other platform.

With the industry reporting so many new Android exploits and malware, it is becoming a tedious job for developers to secure their applications. With nearly all IT companies having expertise in web penetration testing solutions, they have started building solutions for mobile penetration testing. But what is the need for a different solution for mobile app testing? Isn’t it the same as web application testing? If you consider ‘thin client’ mobile apps, the answer is yes. For thin client mobile apps, penetration testing is almost the same as web application testing. But if you consider ‘thick client’ or ‘native’ mobile apps, which are installed on the device, penetration testers have to add some more test cases and the testing environment needs a bit of tweaking.
If we compare web penetration testing and mobile PT, what exactly is the difference? One major difference is that the user of a web application does not have access to the application's files (php, asp, jsp files), whereas in the case of mobile, the user has access to the application because it is installed on the device itself. All of the platforms provide some kind of database for these applications to store data (SQLite3 in Android). In the case of the web, applications only have privileges to store data temporarily using cookies or cache. One more major drawback of mobile apps is that they can be reversed very easily, whether it’s a dex (Android), jar/jad (J2ME) or a sis (Symbian).
For penetration testing of an Android application we mainly have to consider the following things:

* Setting up the PT lab/environment.
Here you will learn how to set up the test environment using an emulator and proxy tools. Using these proxy tools you can force the emulator to pass its traffic via a proxy. But this setting only works for the browser inside the emulator. For apps to work with a proxy you need a different environment setting, which is discussed in detail in that article.

* Using debugging tools like ADB and DDMS.
Using a debugging tool like ADB you can run commands on the emulator and on the device itself to perform any kind of action. You can get a shell, view the stored files and databases, install new apps, uninstall apps, and pull and push files from the device. DDMS is just a GUI version of ADB.

* Reversing apps.
One of the major drawbacks of mobile apps is that they can be reversed. We have many open-source tools for reversing Android apps, like apktool, baksmali and dex2jar.

Thanks for Watching.. Next article will be on “Deep Dive into Android Malwares”
Njoy!!

Using Adb and DDMS for Android Penetration Testing

October 18th, 2011 No comments

Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or connected Android-powered device. It is a client-server program that includes three components:

* A client, which runs on your development machine. You can invoke a client from a shell by issuing an adb command. Other Android tools such as the ADT plugin and DDMS also create adb clients.
* A server, which runs as a background process on your development machine. The server manages communication between the client and the adb daemon running on an emulator or device.
* A daemon, which runs as a background process on each emulator or device instance.
Source: developers.android.com
For the best available description of ADB, visit http://developer.android.com/guide/developing/tools/adb.html.
To see how adb can be helpful for penetration testing of Android apps, watch the video embedded below.

Reversing and Spoofing Android Applications

October 18th, 2011 No comments

One of the major drawbacks of mobile apps is that they can be reversed. If we look at the Android app architecture, it contains source code written by the developer. That source code is compiled and finally turned into a ‘.dex’ file, which is the Dalvik executable. This ‘.dex’ file can be compared with the ‘.jar’ file of Java. The dex file, together with the resource files, is archived to become an APK file. So this APK file is just an archive similar to a zip file, whose contents can be extracted using any archive tool like WinZip or 7-Zip. After extracting the files from an APK file you’ll get a ‘classes.dex’ file, which contains the actual code of the application. This dex file can be reversed using many open-source tools like Baksmali, dex2jar and apktool.
The video attached below will show you how we can use the baksmali tool to decompile the application and compile it again. The one thing that gets eliminated by this process is the application signature. After compiling the application we need to add a signature to it so that it can be installed on a device or emulator.
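The archive layout described above can be checked programmatically. The following Python sketch is an added example, not part of the original post or of any of the tools it names: it opens an APK as a zip, confirms that ‘classes.dex’ starts with a dex header, and reports whether the JAR-style signature files under META-INF are present, which is what goes missing after a decompile/recompile round trip. The function names and the in-memory sample archive are hypothetical and constructed for illustration.

```python
import io
import re
import zipfile

DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")            # e.g. b"dex\n035\0"
SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)    # signed manifest digest file
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)  # signature block

def inspect_apk(data):
    """Summarise the archive members that matter for reversing and signing."""
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        names = apk.namelist()
        dex_ok = False
        if "classes.dex" in names:
            with apk.open("classes.dex") as fh:
                dex_ok = bool(DEX_MAGIC.match(fh.read(8)))
    signed = ("META-INF/MANIFEST.MF" in names
              and any(SIG_FILE.match(n) for n in names)
              and any(SIG_BLOCK.match(n) for n in names))
    return {"members": names,
            "valid_dex_header": dex_ok,
            "signature_files_present": signed}

def build_sample(signed):
    """Build a minimal APK-shaped zip in memory (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")      # stub bytes only
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 104)  # header-sized stub
        z.writestr("resources.arsc", b"")
        if signed:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82")  # placeholder, not a real signature
    return buf.getvalue()

if __name__ == "__main__":
    for label, signed in (("original", True), ("rebuilt, unsigned", False)):
        report = inspect_apk(build_sample(signed))
        print(label, "->", report["valid_dex_header"], report["signature_files_present"])
```

The presence of these entries only shows that the archive carries signature files; it does not verify the signature itself.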


Hope you enjoyed it!!
We’ll upload some more tutorials for dex2jar and apktool pretty soon!!

How To Bypass or Hack Windows Password ?

October 13th, 2011 No comments

When it comes to protecting data in Windows, the first thing that comes to mind is setting a password for the Windows account. We generally think that setting a password is more than enough to make our PC secure. In this article we’ll show how this ‘first thing’ of securing a Windows account can be bypassed, i.e. bypassing the Windows password. It is easy to bypass a Windows account password. All you need is a little patience and two pendrives or flash drives.

 

Step 1:  We need two pendrives, let say A and B.

 

Step 2:  Make pendrive A bootable with any lightweight Linux flavor. I prefer “SliTaz” because it is a very light flavor of Linux, only 30MB in size. You can download “SliTaz” from http://www.slitaz.org/en/get/. Pendrive B is needed to save the SAM file on it.

 

Step 3:  Make pendrive bootable with any software you like, but I prefer “UNetbootin”. You can download it from http://unetbootin.sourceforge.net/.

 

Step 4:  Now let’s assume your computer is Comp-A and the target computer is Comp-T. Boot your computer with pendrive A, which has the bootable Linux, and copy the SAM file of Comp-A’s Windows (which contains NO PASSWORD) onto pendrive B.

Note:  The SAM file can’t be copied or edited while you are logged in to Windows, because at that time Windows is using the SAM file. The SAM file is the file that contains Windows user account passwords in hash format. If you are copying the SAM file of Windows XP, it will work only on XP on the other computer, so the operating system should be the same on your computer and on the target computer.
The location of the SAM file is:  “c:\windows\system32\config\sam”.

 

Step 5:  After copying the SAM file of Comp-A, boot Comp-T, the target computer, with pendrive A. Now replace the SAM file of Comp-T with the SAM file of Comp-A. Reboot Comp-T normally. After that, the computer boots to Windows without asking for any Windows password.
Now you can get any data from the target computer, and you will have admin access to that computer.

Don’t forget to put the original SAM file back. If you do so, the owner of the ‘Target Machine’ will have no idea what actually happened to his system.

Have Fun……!!!!!!!!!!!

Hadoop Installation Guide For CentOS

October 2nd, 2011 No comments

The article describes how to install and configure a Hadoop cluster on a Linux CentOS system. It explains each step of the configuration in depth. To configure Fully Distributed Mode (also known as a Multi-Node Cluster), we need to have at least two nodes (one as a Master node and a second as a Slave node). All the nodes should have a static IP address and they should be connected on the same network.

Anti Debugging unleashed series # Part 2

September 29th, 2011 No comments
NTGlobalFlag 

NtGlobalFlag lies at offset 0x68 from the PEB. The value of NtGlobalFlag is 0 when the process is not being debugged. However, if the process is being debugged, the value of this flag is 0x70.

First, look at the start of the PEB in windbg:

0:000> !peb
PEB at 7ffd6000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00400000

Let's parse the PEB:

0:000> dt _PEB 7ffd6000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0x1 ''
   +0x003 SpareBool        : 0 ''
   +0x004 Mutant           : 0xffffffff
   +0x008 ImageBaseAddress : 0x00400000
   +0x00c Ldr              : 0x00271ea0 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null)
   +0x018 ProcessHeap      : 0x00170000
   +0x01c FastPebLock      : 0x7c980600 _RTL_CRITICAL_SECTION
   +0x020 FastPebLockRoutine : 0x7c901000
   +0x024 FastPebUnlockRoutine : 0x7c9010e0
   +0x028 EnvironmentUpdateCount : 1
   +0x02c KernelCallbackTable : (null)
   +0x030 SystemReserved   : [1] 0
   +0x034 AtlThunkSListPtr32 : 0
   +0x038 FreeList         : (null)
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap        : 0x7c9805c0
   +0x044 TlsBitmapBits    : [2] 1
   +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000
   +0x050 ReadOnlySharedMemoryHeap : 0x7f6f0000
   +0x054 ReadOnlyStaticServerData : 0x7f6f0688  -> (null)
   +0x058 AnsiCodePageData : 0x7ffb0000
   +0x05c OemCodePageData  : 0x7ffc1000
   +0x060 UnicodeCaseTableData : 0x7ffd2000
   +0x064 NumberOfProcessors : 2
   +0x068 NtGlobalFlag     : 0x70

As you can see, the NtGlobalFlag is set to 0x70.

The following assembly code detects this:

MOV EAX, fs:[0x30]             ;PEB in EAX
MOV EAX, dword ptr[EAX+0x68]   ;Value of NtGlobalFlag in EAX
CMP EAX, 0x70                  ;If equal, a debugger is present

HeapFlags

As a side effect of NtGlobalFlag being set, heaps that are created will have some flags turned on that can be used for anti-debugging. Every process has a default process heap. Flags and ForceFlags for a heap are normally 0x02 (meaning the heap can grow) and 0 respectively. However, when debugging, they are set to 0x50000062 and 0x40000060.

Let's see the whole picture in windbg:

0:000> dt _PEB 7ffd6000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0x1 ''
   +0x003 SpareBool        : 0 ''
   +0x004 Mutant           : 0xffffffff
   +0x008 ImageBaseAddress : 0x00400000
   +0x00c Ldr              : 0x00271ea0 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null)
   +0x018 ProcessHeap      : 0x00170000
   +0x01c FastPebLock      : 0x7c980600 _RTL_CRITICAL_SECTION

So, we know that the default process heap gets created at address 0x00170000. Let's parse the heap at this address:

0:000> dt _HEAP 170000
ntdll!_HEAP
   +0x000 Entry            : _HEAP_ENTRY
   +0x008 Signature        : 0xeeffeeff
   +0x00c Flags            : 0x50000062
   +0x010 ForceFlags       : 0x40000060
   +0x014 VirtualMemoryThreshold : 0xfe00
   +0x018 SegmentReserve   : 0x100000
   +0x01c SegmentCommit    : 0x2000

Malware authors can therefore check these values to detect a debugger. The following assembly code reads them (assume the process is running under a debugger):

MOV EAX, FS:[0x30]             ;Go to PEB
MOV EAX, dword ptr[EAX+0x18]   ;EAX holds the address of the default
                               ;process heap
MOV EBX, dword ptr[EAX+0xc]    ;EBX holds the value of Flags
MOV ECX, dword ptr[EAX+0x10]   ;ECX holds the value of ForceFlags
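
For an analyst who wants to see why a debugger produces exactly 0x70, 0x50000062 and 0x40000060, the following Python sketch (an added example, not code from the original post) parses the windbg fields shown above and decodes them into their component bits. The flag names and bit values come from the Windows SDK/WDK headers and do not appear in the post; the function names are hypothetical.

```python
import re

# Bit names and values from the Windows SDK/WDK headers (assumption: not listed in the post).
NT_GLOBAL_FLAGS = {
    0x10: "FLG_HEAP_ENABLE_TAIL_CHECK",
    0x20: "FLG_HEAP_ENABLE_FREE_CHECK",
    0x40: "FLG_HEAP_VALIDATE_PARAMETERS",
}
HEAP_FLAGS = {
    0x00000002: "HEAP_GROWABLE",
    0x00000020: "HEAP_TAIL_CHECKING_ENABLED",
    0x00000040: "HEAP_FREE_CHECKING_ENABLED",
    0x10000000: "HEAP_SKIP_VALIDATION_CHECKS",
    0x40000000: "HEAP_VALIDATE_PARAMETERS_ENABLED",
}
# Heap bits that are switched on by the heap-debugging bits of NtGlobalFlag.
DEBUG_HEAP_BITS = 0x20 | 0x40 | 0x40000000

# Excerpt of the windbg output shown in the post above.
WINDBG_DUMP = """\
   +0x002 BeingDebugged    : 0x1 ''
   +0x018 ProcessHeap      : 0x00170000
   +0x068 NtGlobalFlag     : 0x70
   +0x00c Flags            : 0x50000062
   +0x010 ForceFlags       : 0x40000060
"""
FIELD_RE = re.compile(r"\+0x[0-9a-f]+\s+(\w+)\s*:\s*(0x[0-9a-fA-F]+|\d+)")

def parse_dt(text):
    """Map field name -> integer value for the numeric fields of `dt` output."""
    fields = {}
    for m in FIELD_RE.finditer(text):
        raw = m.group(2)
        fields[m.group(1)] = int(raw, 16) if raw.startswith("0x") else int(raw)
    return fields

def decode(value, table):
    """Names of the known bits set in value, plus any unknown remainder as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return names

def debugger_artefacts(fields):
    """Names of the fields that carry the debugger-induced values described above."""
    checks = {
        "BeingDebugged": fields.get("BeingDebugged", 0) != 0,
        "NtGlobalFlag": (fields.get("NtGlobalFlag", 0) & 0x70) == 0x70,
        "Flags": (fields.get("Flags", 0) & DEBUG_HEAP_BITS) != 0,
        "ForceFlags": fields.get("ForceFlags", 0) != 0,
    }
    return [name for name, hit in checks.items() if hit]

if __name__ == "__main__":
    dump = parse_dt(WINDBG_DUMP)
    for field, table in (("NtGlobalFlag", NT_GLOBAL_FLAGS),
                         ("Flags", HEAP_FLAGS), ("ForceFlags", HEAP_FLAGS)):
        print(field, hex(dump[field]), decode(dump[field], table))
    print("debugger artefacts:", debugger_artefacts(dump))
```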

			

PE Parser

September 29th, 2011 No comments

Understanding the structure of PE file is very important from the reverser’s point of view. And, I think the best way to learn it is to code a PE file parser itself. So, here is my PE Parser. This was compiled using Visual studio 8.

(Change the extension to .rar)

PE_Parser download

 

Ch33r5 !!! :)

Anti Debugging unleashed series # Part 1

September 26th, 2011 1 comment

This is the first in a series on anti-debugging tricks. I will discuss the various anti-debugging tricks one by one in my further posts, starting with the most basic ones.

The first one in the race is the PEB.BeingDebugged flag.

PEB refers to the Process Environment Block, which contains information about the environment and various parameters of a process. fs:[0x30] always points to the PEB. The structure of the PEB can be seen using the following command in windbg:

0:000> dt _PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 SpareBool        : UChar

For a process that is being debugged, note the PEB.BeingDebugged flag below in windbg:

!peb
PEB at 7ffda000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00400000
    Ldr                       00261ea0

Hence, a program using anti-debugging techniques can use this flag to know whether it is being debugged or not.

The API IsDebuggerPresent() in kernel32.dll checks this flag to determine the presence of a debugger.

This check can be easily bypassed by patching the PEB.BeingDebugged flag to 0.

 

Ch33r5 !!!

 

Basics of Apache Hadoop

September 19th, 2011 1 comment

Apache Hadoop is a Java software framework that allows for the distributed processing of large data sets. The presentation covers an introduction to Hadoop, its architecture, the Hadoop Distributed File System and the Map-Reduce framework. The presentation is targeted at people who are new to Hadoop and want to understand Hadoop basics.

Making your Gmail and Google account more secure

September 15th, 2011 1 comment

Making your Gmail and Google account more secure – A 5 point checklist.

Have you ever given a thought to what it would be like if your Gmail or Google account password were compromised? I am a person who keeps a backup of all important documents, research papers, links, photos (the ones you cannot keep on the home computer too :-) ) and nearly everything else on the Google cloud. Most of us have no idea where and in what form our data is stored there, but I still trust Google more than my personal laptop. We use so many applications like Gmail, Google Docs, Picasa and Orkut, but they all share the same Google account password, and if that gets compromised it will be like a tsunami for us; with the number of hackers (including the ethical ones :-) ) growing in this world, the probability of that becomes pretty high. People can hack using a network-level attack, or poor password recovery options, or, if you think you are too intelligent to use your vehicle's name or girlfriend's/boyfriend's name as a password, your hacker friend will not take much time to prove that you are a ‘@#$#@$’.
Coming to the point: “How to make your Gmail and Google accounts more secure”. There is no special trick or hack to do so. Google has provided many features and options for this; you just have to use them in the right way. Here is the checklist of options you should use to ensure that your Google account is safe enough.

1.) Use a secure connection when signing in – Google uses https by default, but to make sure that Google always uses https, use the “Always use https” option in “Browser connection:” under the “General” tab in your Gmail Settings.

This will make sure that your user credentials are passed in encrypted form, which will prevent network-level attacks.

2.) Change your password regularly – With ‘123456’ as the most commonly used password in this world, you should start using a combination of numbers, characters, and case-sensitive letters for your password and avoid dictionary words. (Even if your dear one’s name is not there in the dictionary, avoid using such passwords :) )

3.) Update your account recovery options – Make sure that your recovery email address is correct and that you are still using it. It’s really important, as I have seen a case where a person’s recovery email ID was never used and expired, which made it available for anyone to take. Make sure to add your mobile number, as Google can send you a recovery code via SMS, which can be very handy. The last recovery option is the ‘Secret Question’, which is only available if you have not signed in during the past 24 hours. The answer to the security question should be hard for others to guess, so better choose a difficult secret question and make sure you yourself remember the password :-) .

4.) Turn on 2-step verification – This option adds one more factor of authentication (two-factor authentication) to your Google account. Two-factor authentication implies the use of two independent means of evidence to assert an entity, rather than two iterations of the same means. Usually “something one knows”, “something one has”, and “something one is” are useful simple summaries of three independent factors. For 2-step verification Google uses a verification code which is time specific. If you turn on this option for your Google account, each time you try to log in, a Google verification code will be asked for (you can remember it for a computer). The next question may be how to get this verification code. The answer is that Google provides many ways to get it. You can install a mobile application to access this code, or Google can send you an SMS containing the code, and the last option is that you can print some static codes and keep them someplace accessible, like your wallet. You can turn on 2-step verification using this link: “https://www.Google.com/accounts/b/0/SmsAuthConfig”. Try to subscribe to all the ways in which you can get your verification code, as not all of them are accessible every time. For example, if you have subscribed to SMS as the way of receiving the verification code and you forget to take your mobile somewhere, you will not be able to access your Google account.

5.) Keep monitoring your account details – Check the lists of websites that are authorized to access your Google account data. Go to My Account > Authorizing applications and sites. You’ll see the list of all third-party sites you’ve granted access to. If you see a website to which you think you have not granted the access, immediately revoke the access for that site. Second thing you should monitor is the ‘Last Account Activity’. At the bottom right of your page you’ll see ‘Last account activity’ with a link for details. By clicking on that link you can monitor, how many sessions are presently open with Access type, location and time of access.

Don’t forget to visit the Google security tips and the Gmail security checklist from Google for further information.
References:
Google security tips: http://www.google.com/help/security/index.html
Gmail Security Checklist: https://mail.google.com/support/bin/static.py?page=checklist.cs&tab=29488
Two-Factor Authentication, from Wikipedia
