Grey bar Blue bar
Share this:

Tue, 20 May 2014

Mobile Training Reloaded - Las Vegas

Get some.

Exploiting next gen apps
With the explosion in mobile device popularity and the applications that go along with these, testing mobile application security has become a key skill in every pentester's arsenal. Last year we launched the Hacking by Numbers: Mobile, course at BlackHat Las Vegas and follow up training at BlackHat WestCoast Trainings. This year we are taking Mobile training to the next level with Hacking by Numbers reloaded, Mobile Bootcamp (https://www.blackhat.com/us-14/training/hacking-by-numbers-reloaded-mobile-bootcamp.html)


The course has undergone the full reloaded treatment, with our trainers pouring new tips, tricks and skills into the course, along with incorporating feedback from previous students.

You said mobile?


The mobile space has numerous platforms, each with their own nuances, that would leave any new pentester dizzy. Fortunately this is where the Mobile bootcamp course excels, offering the perfect blend of introductory and advanced techniques, the training is ideal for anyone looking to start testing mobile applications or the experienced tester who is looking to branch out to new platforms.


The training introduces all the core skills required to test applications across the major mobile platforms, particularly:


  • Android

  • IOS

  • Blackberry

  • Windows Phone 8


Training is built around around demonstration and hands-on practical exploitation, with custom practical exercises derived from real-world application security fails.


For a full break-down of the course structure check-out our BlackHat training page (https://www.blackhat.com/us-14/training/hacking-by-numbers-reloaded-mobile-bootcamp.html)

Who should attend?


The course is relevant for attackers, defenders and developers. Students should have some technical ability in Linux, and understand networking fundamentals, but this is a bootcamp level course. Basic programming knowledge is recommended but not essential.


Your trainers will be Etienne (@kamp_staaldraad) and Jurgens, both crazy about mobile security and have executed numerous killshots on all the major mobile platforms.


- Etienne and Jurgens -


 


 

Wed, 12 Feb 2014

RAT-a-tat-tat

Hey all,


So following on from my talk (slides, video) I am releasing the NMAP service probes and the Poison Ivy NSE script as well as the DarkComet config extractor.



An example of finding and extracting Camellia key from live Poison Ivy C2's:
nmap -sV -Pn --versiondb=nmap-service-probes.pi --script=poison-ivy.nse <ip_address/range)
Finding Poison Ivy, DarkComet and/or Xtreme RAT C2's:
nmap -sV -Pn --versiondb=nmap-service-probes.pi <ip_range>


If you have any questions, please contact research@sensepost.com
Cheers

Fri, 7 Feb 2014

Channel 4 - Mobile Phone Experiment


This evening we were featured on Channel 4's DataBaby segment (link to follow). Channel 4 bought several second hand mobile phones that had been "wiped" (or rather reset to factory default) from various shops. Our challenge was to recover enough data from these seemingly empty phones to identify the previous owners.


After a long night of mobile forensics analysis, we had recovered personal data from almost every phone we had been provided with. This information included:


  • Browsing history

  • Cookies (e.g. email and Facebook)

  • Contacts

  • SMS messages

  • Photographs

  • Address information

  • Personal documents


It would have been theoretically possible to use the cookies to impersonate the users - i.e. log in as the previous owners. We opted not to do this, as it was crossing an ethical line.

What's the lesson here?


Be very careful when selling your phone. It's fairly trivial to recover large amounts of data from mobile phones - and the tools to do so are freely available.

How can I protect myself?


This will depend on what type of phone you have, and specifically whether the data is encrypted, and if it is, if the key is recoverable. Unencrypted phones were easy game.


iPhone devices encrypt their data by default, which makes it hard (almost impossible) to recover data after performing a factory reset. There are some attacks against iPhones older than 4s which may have more success.


Android devices by default have no encryption, which means that somebody (like us) could easily recover large amounts of supposedly deleted data. It's a good idea to keep your phone encrypted.


Both Windows phone 8 and BlackBerry allow optional encryption to be configured, but this is not enabled by default. Windows phone 7 does not support encryption of the core filesystem.


If you have an existing phone that you're about to sell we'd recommend you encrypt the phone twice after resetting it to factory default (once to destroy your data, the second time to destroy the key used for the first round).


Keep in mind, this applies to all storage media - hard drives on laptops, camera memory cards, etc. It's largely recoverable, even when seemingly deleted.


We would like to thank Paolo Dal Checco (@forensico) and fellow SensePost'er Vlad (@v1ad_o) for their help during the experiment.


On a legal note, the experiment was conducted on a laptop with full disk encryption, and *all* data was deleted after returning the phones to Channel 4.

Fri, 22 Nov 2013

Mobile Hacking on the West Coast

December sees SensePost presenting Hacking by Numbers: Mobile at BlackHat West Coast Trainings. This course was first presented at BlackHat Vegas 2013 and 44Con 2013, growing in popularity and content with each iteration. For more information continue reading below or visit https://blackhat.com/wc-13/training/Hacking-by-Numbers-Mobile.html.


The mobile environment has seen immense growth and has subsequently seen organisations racing to be the first to market with the next best app. The rapid increase in mobile popularity and the speed at which developers are forced to produce new applications has resulted in an ecosystem full of security vulnerabilities. As more organisations are moving from web applications to mobile applications, penetration testers are required to adapt their testing methodology to keep pace with the changing platforms. Mobile applications developers have been lulled into a false sense of security due to the belief that "the platform will take care of the security". The Hacking by Numbers: Mobile course aims to help both penetration testers and mobile applications developers to find and understand common security vulnerabilities on a wide range of mobile platforms. The course teaches a mobile application security testing methodology that can easily be applied to mobile applications on Android, iOS, Blackberry and Windows Mobile.


Rather than focus on a specific mobile platform or a set of testing tools, the Hacking by Numbers Mobile course covers the following:


  • Android, iOS, RIM and Windows 8 Platform security

  • Communication protocols

  • Programming languages for mobile development

  • Building your own mobile penetration testing lab

  • Mobile application analysis

  • Static Analysis

  • Authentication and authorization

  • Data validation

  • Session management

  • Transport layer security and information disclosure


The structure of the course makes it ideal for testers and developers new to the mobile application security space, starting with the basic concepts of mobile security testing all the way through to decompilation, analysis and modification of mobile applications. As with all Hacking by Numbers courses, the mobile edition focuses on hands-on experience, with numerous lab exercises designed to provide students with practical experience to match the theory.Previous iterations of the course has seen real world applications being downloaded from the app store and common security vulnerabilities being identified.


Lab exercises include:


  • Finding and retrieving sensitive files.

  • Interception and Analysis of network traffic.

  • Runtime analysis of Application memory state.

  • Decompilation and static analysis of applications.

  • Runtime modification of application functions.
    And many more...


Training will be held from 11-12 December and more information can be found at https://blackhat.com/wc-13/training/Hacking-by-Numbers-Mobile.html.


Looking forward to seeing you all in Seattle!

Hacking by Numbers - The mobile edition

West Coast in the house, well actually more like an African visiting Seattle for Blackhat's West Coast Trainings.


We've had a great year delivering the latest course in our amazing Hacking by Numbers training series: Mobile. What's cool about this course, is like the others, we teach a hacking methodology rather than punting a tool or a magic, do it all solutions.


Mobile was created to match the continuous growth in mobile phone usage, with a specific focus on showing you how you would go about testing the mobile platforms and installed applications, to ensure they have been developed in a secure manner. HBN Mobile provides a complete and practical window into the methods used when attacking mobile platforms and presents you with a methodology that can be applied across platforms. This course is structured to cater to penetration testers who are new to the mobile area and who need to understand how to analyze and audit applications on various mobile platforms using a variety of tools.


Some of the material covered in the course includes:


  • Android, iOS, RIM and Windows 8 Platform security

  • Communication protocols

  • Programming languages for mobile development

  • Building your own mobile penetration testing lab

  • Mobile application analysis

  • Static Analysis

  • Authentication and authorization

  • Data validation

  • Session management

  • Transport layer security and information disclosure


The methodology presented is structured to allow testing to be performed on different mobile platforms and is demonstrated using both the Android and iOS platforms. Like all the HBN courses, the mobile edition focuses heavily on demonstration and hands-on practicals.



Blackhat Las Vegas 2013 saw the introduction HBN Mobile with two training sessions being presented. The course was well attended and consisted of students with varying degrees of mobile experience, however, the vast majority were new to Mobile application security and HBN Mobile provided the ideal launch pad for them. The great thing about the HBN series is that it accommodates people from all technical and security backgrounds. This held true with the Mobile edition, where we had reverse engineers, penetration testers, development managers, aerospace engineers and developers just to name a few. The feedback from the course was extremely positive and has been fed back into the course and used to improve it even further. Then we had the chance to give it to students over at 44Con in London and this again gave us a chance to take your feedback and make the course even better.


What's slightly different about this course is that you get to find flaws in common mobile applications available both in the Google Play and Apple App store. In addition, we have devices for you to use, so not everything is done in an emulator. As a result, students on the last course found common security vulnerabilities in numerous well known and popular applications.


On the 11th December in Seattle, I'll be delivering Hacking by Numbers: Mobile edition at Blackhat and I cannot wait to get on that plane. If you want to learn more about how to tear apart mobile apps, this is definitely for you. The regular price goes up on the 5th of December, so take advantage of this now and book your place.



Look forward to seeing you there.