Monday, June 26, 2017

Dynamic Binary Instrumentation (pt2)

Quick how to:

After installing Frida on your machine, you will also need the frida-server agent running on the target: in my use case a phone (iPhone/Android/QNX device), and on emulators too in the case of Android (yet to test on a BlackBerry emulator).

get the downloads here:

moving on...

setting up on Android:

(am currently using android, so i will focus more on this)

The use case can be any device; there is enough documentation for all the current (common) mobile OS platforms.


What i aim to achieve:

Use Frida as a mobile penetration testing tool on high-end/secure (mostly banking/social media) applications.

I cannot fully disclose the vulnerabilities in these applications, since that would not be ethical, and responsible disclosure applies in the cases where I do find vulnerabilities.

The following cases shall be examined:

Root Check Evasion
SSL Pinning defeat
Encryption defeat
Obfuscation defeat (dynamic application mapping/reverse engineering)
Proxy bypass

I will start on these in the order they are listed :)

(short post, but longer practical ones should follow)
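As an added example (my own script, not code from the original post), here is the shape a Frida root-check-evasion script takes for the first case in that list. It assumes, as most Android apps do, that the target probes for root with java.io.File.exists() on known su paths, by running "su" through java.lang.Runtime.exec(), and by reading android.os.Build.TAGS; the indicator list is constructed for the example, not taken from any particular app. The decision helpers are plain JavaScript; the hooks only install when the script is loaded by Frida.

```javascript
// Added example, not from the original post. Frida Java-layer hooks that make
// an Android app's common root checks report "not rooted".
// Assumed (not stated by the post): the app checks File.exists() on su paths,
// Runtime.exec("su" / "which su"), and Build.TAGS == "test-keys".

// Constructed list of typical root indicators; extend it per target.
const ROOT_INDICATORS = [
  '/system/bin/su', '/system/xbin/su', '/sbin/su', '/su/bin/su',
  '/system/app/Superuser.apk', '/system/app/SuperSU.apk',
  '/data/adb/magisk', '/sbin/.magisk',
];

// Normalise the path (collapse "//" runs, drop a trailing "/") and report
// whether it is a listed indicator or any file literally named "su".
function isRootIndicator(path) {
  if (typeof path !== 'string' || path.length === 0) return false;
  let p = path.replace(/\/+/g, '/');
  if (p.length > 1 && p.endsWith('/')) p = p.slice(0, -1);
  if (ROOT_INDICATORS.includes(p)) return true;
  return p.slice(p.lastIndexOf('/') + 1) === 'su';
}

// True when an exec() request is a root probe: any argv token is "su" or a
// path ending in "/su" ("su", "which su", "/system/xbin/su -c id").
function isSuExec(argv) {
  const tokens = Array.isArray(argv) ? argv : String(argv).trim().split(/\s+/);
  return tokens.some(function (t) { return isRootIndicator(t); });
}

// Copy a Java String[] wrapper into a plain JS array of strings.
function javaStringArrayToJs(arr) {
  const out = [];
  for (let i = 0; i < arr.length; i++) out.push(String(arr[i]));
  return out;
}

// Install the hooks. Runs only inside Frida, where Java.use() exists.
function hookRootChecks() {
  const File = Java.use('java.io.File');
  const Runtime = Java.use('java.lang.Runtime');
  const IOException = Java.use('java.io.IOException');
  const Build = Java.use('android.os.Build');

  // File.exists(): lie only about root indicators; everything else passes
  // through to the real implementation so the app keeps working.
  File.exists.implementation = function () {
    const path = this.getAbsolutePath();
    if (isRootIndicator(path)) {
      console.log('[root-evasion] hiding ' + path);
      return false;
    }
    return this.exists();
  };

  // Runtime.exec(): an unrooted device fails with IOException, so mimic that
  // for both the String and String[] overloads.
  ['java.lang.String', '[Ljava.lang.String;'].forEach(function (sig) {
    Runtime.exec.overload(sig).implementation = function (cmd) {
      const argv = sig === 'java.lang.String' ? String(cmd) : javaStringArrayToJs(cmd);
      if (isSuExec(argv)) {
        console.log('[root-evasion] refusing exec of ' + JSON.stringify(argv));
        throw IOException.$new('Cannot run program "su": error=2, No such file or directory');
      }
      return this.exec.overload(sig).call(this, cmd);
    };
  });

  // Build.TAGS: custom ROMs and rooted builds report "test-keys".
  Build.TAGS.value = 'release-keys';
  console.log('[root-evasion] hooks installed');
}

if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(hookRootChecks);
}
```

With frida-server running on the device, spawn the app under the script so checks in Application.onCreate are already hooked: frida -U -f com.example.bank -l root-evasion.js (package name assumed; older frida-tools also need --no-pause to resume the spawned app). The script uses ES2015 syntax, so on a Frida build that still defaults to the Duktape runtime select V8 instead.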

REF: Frida -

Sunday, April 16, 2017

Dynamic Binary Instrumentation aka DBI (pt1)

Ok hear me out, I kid you not... my dad actually calls me a lazy genius; 90% of the time I only do 'what I want, at my own convenience, in a time frame of my own choosing'. The reason for this is that my curiosity and work-related incidents have led me to bug hunting... I know, I reverse binaries/files/protocols etc... so let's see how I handle this :)

what is DBI: 

So simply put:

peeking under the hood while the car is running... and making changes, adding fuel/gas, letting passengers on and off, while it is still moving/running. In less car-shaped words: you insert your own code into a process while it executes, without recompiling or even restarting it, so you can observe and alter what it does.

so why do DBI kind of things?

well, catch bugs
dump memory
really cool debugger (yes, imagine running it on pretty much every platform, using the same scripting language)
memory hooking
API hooking

alrighty, so what tools are we using?

enter ----> FRIDA

so who is FRIDA and why do I like her so much that I blog about and use her... instead of other girls, I mean frameworks

So FRIDA is a DBI tool that uses JavaScript as its core scripting language (on the V8, Duktape or JavaScriptCore engines at the time of writing; newer releases replaced Duktape with QuickJS). You inject the code into a binary, either a process that is already running or one Frida spawns for you. It's multi-arch (x86, x86-64, ARM, ARM64), and it has bindings, meaning :) ... Python, C, Node.js, .NET, and of course our favorite bit.... open source.

so install?

pip install frida

there's a sudo if you get stuck on the easy bit hehe (newer releases moved the command-line tools such as frida and frida-ps into a separate package, so pip install frida-tools as well)
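An added example of the "API hooking" item above (my own script, not from the post): a Frida script that uses Interceptor to trace every open() call in the target, decoding the flags and tagging where on the device the file lives, which is the quickest way to spot an app writing tokens or databases to shared storage. Assumed, not stated by the post: the target is an Android/Linux process whose libc module is named libc.so, and the flag bits are the ones common to x86, x86-64, ARM and ARM64; the sample paths in the checks are constructed. The decoding helpers are plain JavaScript; the hook installs only under Frida.

```javascript
// Added example, not from the original post: tracing libc open() with
// Frida's Interceptor, with flag decoding and a storage-location tag.
// Assumption: libc is loaded as "libc.so" (bionic/glibc on Android/Linux).

// open(2) flag bits shared by x86, x86-64, ARM and ARM64 (octal, per fcntl.h).
// Access-mode bits are handled separately; arch-specific bits stay raw.
const OPEN_FLAGS = [
  ['O_CREAT', 0o100], ['O_EXCL', 0o200], ['O_NOCTTY', 0o400],
  ['O_TRUNC', 0o1000], ['O_APPEND', 0o2000], ['O_NONBLOCK', 0o4000],
  ['O_CLOEXEC', 0o2000000],
];
const O_ACCMODE = 0o3;

// "O_WRONLY|O_CREAT|O_TRUNC" from the raw integer; unknown bits kept as hex
// so nothing is silently dropped from the trace.
function decodeOpenFlags(flags) {
  let rest = flags >>> 0;
  const mode = rest & O_ACCMODE;
  const names = [['O_RDONLY', 'O_WRONLY', 'O_RDWR', 'O_ACCMODE=3'][mode]];
  rest = (rest & ~O_ACCMODE) >>> 0;
  for (const [name, bit] of OPEN_FLAGS) {
    if (rest & bit) { names.push(name); rest = (rest & ~bit) >>> 0; }
  }
  if (rest !== 0) names.push('0x' + rest.toString(16));
  return names.join('|');
}

// Where on an Android device a path lives; shared storage is the one to watch.
function classifyPath(path) {
  if (/^\/(sdcard|storage)\//.test(path)) return 'external-storage';
  if (/^\/data\/(data|user\/\d+)\//.test(path)) return 'app-private';
  if (/^\/proc\//.test(path)) return 'procfs';
  if (/^\/(system|vendor|apex)\//.test(path)) return 'system';
  return 'other';
}

// One log line per call; flags writes (or creates) that land on shared storage.
function formatOpenEvent(path, flags, fd) {
  const where = classifyPath(path);
  const writes = (flags & O_ACCMODE) !== 0 || (flags & 0o100) !== 0;
  let line = 'open("' + path + '", ' + decodeOpenFlags(flags) + ') = ' + fd + ' [' + where + ']';
  if (writes && where === 'external-storage') line += ' !! write to shared storage';
  if (fd < 0) line += ' (failed)';
  return line;
}

// Frida-only part: attach to libc's open(); onEnter captures the arguments,
// onLeave sees the returned fd. "this" carries state between the two.
function hookOpen() {
  const libc = Process.findModuleByName('libc.so');
  const openPtr = libc ? libc.findExportByName('open') : null;
  if (openPtr === null) {
    console.log('[open-trace] libc.so!open not found');
    return;
  }
  Interceptor.attach(openPtr, {
    onEnter(args) {
      this.path = args[0].isNull() ? '<null>' : args[0].readUtf8String();
      this.flags = args[1].toInt32();
    },
    onLeave(retval) {
      console.log('[open-trace] ' + formatOpenEvent(this.path, this.flags, retval.toInt32()));
    },
  });
  console.log('[open-trace] hooked open at ' + openPtr);
}

if (typeof Interceptor !== 'undefined') hookOpen();
```

Load it into a running app with frida -U -n <process name> -l open-trace.js (process name assumed). If the target's I/O bypasses open(), openat() takes the path and flags in args[1] and args[2] and can be hooked the same way. Like the other script, this needs an ES2015-capable runtime (V8, or any modern Frida).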

now pt2 covers how to use FRIDA

Friday, February 10, 2017


'Unhackable' is not a way to describe any product, nor for that matter anything else, even humans. Enter...

the UberWave-S phone:

I got this from a friend; he reached out to me with these exact words, "you cannot hack my secure phone", and, always being up for a challenge and having previously hacked the cryptophone500, I was really feeling the need to go at this phone. After a few passive research points I could find nothing about UberWave-S. Was this guy trolling me, or was it so top secret? I moved to waiting for his communication via email.

We started communicating in late 2016 and he sent the phone around November from Greece; this was the package that arrived :)

and this was what i found inside

back view

front view

battery removed and 'inside' view

yes, a feature phone, as per his explanation:

"Because I am a practical person, with lots of real life practical tests of the devices that I create, I decided to take a more realistic approach. I am not saying that my device is invulnerable to all kinds of attacks, but it is stealth to most of the attacks of today's technology. For example, my device is totally invulnerable to OsmocomBB attacks of any kind. Also, it is stealth to all commercial or non-commercial IMSI catchers, making voice and SMS decryption impossible. Another great feature is that security is always guaranteed with the device for the user, without the need for a second device, although the security will be compromised if the recipient of the call or SMS is not using the same device AND it is under attack. But if the user of the device is under attack and the recipient is not, then the security is valid for both parties. There are some vulnerabilities, and some solutions for them, but I would like to discuss them after you test the device."

I wanted to put his theory and practicality to the test, and went ahead to test it.

So I booted up my RogueBTS

and went on an MITM escapade,

capturing more than enough phones in the area, but sadly I could not catch the little minx. I rebooted several times and changed parameters such as the distance between the phone and the BTS (5-10 metres spacing), hopped between different channels and manipulated GPS settings; these variables dictate how fast you get a connection.

However, my RogueBTS works on these principles:

uses 2G (attacks) (modern ones attack 3G and downgrade the phone to 2G)
attacks the nearest legitimate BTS to jam its signal and forces the phone to connect to the rogue one instead
drops any encryption to allow direct, unencrypted SMS/voice calls

So did I catch it? NO, short answer. Explanation: on removing the battery, the screws showed signs of tampering, meaning some hardware modification had been done; not wanting to mess with it, I did not do any research on this, however the creator did tell me this:

unscrewed-screws :)

"To give you some more information about my Secure Phone, it's not an Android or iOS device, but a feature phone and more specifically, a Samsung GT-S5610.
I am working with OsmocomBB since its birth in 2008 and especially with the hardware part and this is where I am focused. I am not one of the developers of OsmocomBB, but since I noticed OsmocomBB, I am stuck with it, and I am mostly working on the hardware part, since I'm very good at this field. Also, my main research is in real life applications of these attacks and how to implement the hardware so the attacks are feasible in real world environments. Also, I am working mostly in the hardware part, because I'm not so good with the software, but I am very good at hardware and especially with RF.
So, after many years of experience, I saw that there was not really a device that you could say that you're 100% protected. The 100% secure device still does not exist, but I was stunned how people were hooked up to cryptophones, and without even touching a cryptophone, I immediately knew its vulnerabilities. Your research verified my suspicions. It packs some security, but you must use 2 cryptophones to have a secure communication. From that point on, everything else is compromised.
My Secure Phone was created in 2012, after a client of mine asked for a secure as possible device. I already told him that there's no such thing, but he insisted. So, by using my experience and skills, you will see the device that you will have in your hands. I tried to use a different, more radical approach, and the first thing I tossed out is the usage of major OS distributions like Android and iOS, due to the unique thing that so far no OS is secure enough and constantly new exploits are made. So, because a major requirement was secure as possible voice, SMS and data, I selected to use a feature phone. Feature devices do not use a 100% secure OS, but at least, if an attacker does not have access to the device, it's very difficult to inherit insecurities through OS upgrades and "unnecessary" connections to the internet.
I am sorry, but I can't reveal yet more details on the conversions that I've made, but I can give you some hints. First of all, the device is totally invulnerable to OsmocomBB attacks of any kind. The device is just stealth to OsmocomBB. It is also stealth to around 99% of modern IMSI catchers. I leave 1% just in case. There is only one big problem that I can't overcome, and this is because the hack is due to an insecurity in the design of the 3GPP protocols, and there's not much to be done. Although I've found a solution to this problem, the solution degraded the device usability. An updated "patch" can be done, but as I explained, I am not a software guy to make it work as it should.
To use the Secure Phone is very simple. You simply use it. No extra codes or mutual authentication is needed. Also, you do not need to use 2 Secure Phones to use the security features, although for both parties' security, it is advised for both parties to use a Secure Phone. For example, if the owner of the device is under attack and the other party is not under attack, there is no way to compromise both parties' communication; all voice, SMS and data are secure. But if both parties are under attack, and the other party does not use a Secure Phone, then both parties are compromised. This is normal, but a lot better than the cryptophone's mandatory default usage of cryptophones by both parties. Also, there is no delay in the voice calls or dropped calls due to non mutual authentication. No other special action is required. The safety features are enabled by default. If you can't use the device, the user of the Secure Phone is either under attack, or the Secure Phone rejects and does not accept to use insecure communication methods.
Since you are going to do research on an operator, I also suggest you test my Secure Phone. Of course, the best way to do that is to use a SIM from another provider, and try to do any kind of test with the equipment of the operator that you have access to."

So, as per his request, he allowed sharing this information alongside his contact information.

NB: this phone was created for government entities. His further explanation of why the phone is not caught is that it has been 'cut off from the 2G platform'; in his words:

"Very happy to hear that your 2G BTS didn't break my device. The same will apply with 3G/4G, for the same reasons that your 2G didn't break the device but also, because 3G/UMTS uses mutual authentication. 4G connections provide even more information of the 4G clients to the telco providers. Also 4G does not carry voice yet. So, if you make a 3G/UMTS BTS and use a SIM from a real provider and try to break my phone, then this would not be possible, due to mutual authentication. The only way to "break" my device is to use your own programmed 3G/UMTS SIM and try to camp to your 3G BTS, but that's not an attack scenario, because you already own the 3G SIM and the keys inside. As a conclusion, even a 3G rogue BTS, yours or a more advanced and professional rogue BTS, will not break the secure phone, but it would be nice for you to do any further tests that you please.
You can document, share and publish all your findings, including my contact information."

So without much ado, Ladies and Gents, spiders and bots, hackers and enthusiasts: Mr UberWave-S, together with his mail address :)
Kindly reach out to me or him for more info on this. Best regards.

Tuesday, February 7, 2017

Kali Linux and VMware [why you no co-operate]


Alienware Mx14 r3, it's a beast, but I miss my Mac for not breaking shit when I have to do something as simple as install VMware (Fusion); for Workstation it's another B8!@3, so let's make this short and file it under lessons learnt.

I upgraded Kali Linux, uname -r: 4.9.0-kali1-amd64

I try to install the latest VMware Workstation :( trouble starts here .... VMware 12.5.2 build-4638234

I get complaints, some modules won't compile :(

(screenshots are forgotten at this point as I have API documentation and testing to do, and I need my VMware (yes I hate VBox, sue me))

the error looks (something) like this:

module_/tmp/modconfig-eTZynd/vmnet-only' failed

I mean come on ..... I try all the fixes, starting with installing the kernel headers, but naaah, that's not it... okay, let's fix this :)

  • Make a backup of /usr/lib/vmware/modules/source/vmnet.tar
  • Go to /usr/lib/vmware/modules/source
  • Extract vmnet.tar (tar xvf vmnet.tar)
  • Change to the vmnet-only directory (cd vmnet-only)
  • Make a backup of /usr/lib/vmware/modules/source/vmmon.tar
  • Go to /usr/lib/vmware/modules/source
  • Extract vmmon.tar (tar xvf vmmon.tar)
  • Change to the vmmon-only directory (cd vmmon-only)

As I could not find any patches for VMware – and the latest version 12.5.2 still fails to compile – I created a nasty hack myself..

Warning – This is not an official patch, and I am not an expert in kernel code, but I applied this to vmmon and vmnet, and both compile OK and load/run on kernel 4.9-rc3..

In vmnet-only/userif.c, around line 113, change

    #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
       retval = get_user_pages(addr, 1, 1, 0, &page, NULL);
    #else
       retval = get_user_pages(current, current->mm, addr,
                               1, 1, 0, &page, NULL);
    #endif

to

    /* Kernel 4.9 dropped the separate write/force int arguments of
     * get_user_pages() and replaced them with a single gup_flags bitmask,
     * which is why the 4.6-era call no longer compiles.  The old write=1
     * corresponds to FOLL_WRITE in the new API; passing 0 is the shortcut
     * taken here (it compiles and runs, but drops the write intent). */
    #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
       retval = get_user_pages(addr, 1, 0, &page, NULL);
    #elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
       retval = get_user_pages(addr, 1, 1, 0, &page, NULL);
    #else
       retval = get_user_pages(current, current->mm, addr,
                               1, 1, 0, &page, NULL);
    #endif

– and in vmmon-only/linux/hostif.c, around line 1162, change

    #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
       retval = get_user_pages((unsigned long)uvAddr, numPages, 0, 0, ppages, NULL);
    #else
       retval = get_user_pages(current, current->mm, (unsigned long)uvAddr,
                               numPages, 0, 0, ppages, NULL);
    #endif

to

    /* Here the old call had write=0 and force=0, so gup_flags=0 is exact. */
    #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
       retval = get_user_pages((unsigned long)uvAddr, numPages, 0, ppages, NULL);
    #elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
       retval = get_user_pages((unsigned long)uvAddr, numPages, 0, 0, ppages, NULL);
    #else
       retval = get_user_pages(current, current->mm, (unsigned long)uvAddr,
                               numPages, 0, 0, ppages, NULL);
    #endif

Recreate vmnet.tar & vmmon.tar (tar cvf vmnet.tar vmnet-only/ and tar cvf vmmon.tar vmmon-only/)
Recompile the VMware modules (vmware-modconfig --console --install-all)
Optionally, remove the vmnet-only && vmmon-only directories (rm -rf vmnet-only vmmon-only)



:) No longer posting, all articles should be treated as archived and outdated