iOS Extracting Entitlements From Compiled Application

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Muhtasari wa ukurasa https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/#review-entitlements-embedded-in-the-compiled-app-binary

Extracting Entitlements and Mobile Provision Files

Wakati wa kushughulikia IPA ya programu au programu iliyosanikishwa kwenye kifaa kilichovunjwa, kupata faili za .entitlements au faili ya embedded.mobileprovision moja kwa moja huenda isiwezekane. Hata hivyo, orodha za mali za entitlements bado zinaweza kutolewa kutoka kwa binary ya programu, kufuata taratibu zilizoelezwa katika sura ya "iOS Basic Security Testing", hasa sehemu ya "Acquiring the App Binary".

Hata na binaries zilizofichwa, hatua fulani zinaweza kutumika kutoa faili hizi. Ikiwa hatua hizi zitashindwa, zana kama Clutch (ikiwa inafaa na toleo la iOS), frida-ios-dump, au zana zinazofanana zinaweza kuhitajika kufichua na kutoa programu.

Extracting the Entitlements Plist from the App Binary

Ikiwa binary ya programu inapatikana kwenye kompyuta, binwalk inaweza kutumika kutoa faili zote za XML. Amri hapa chini inaonyesha jinsi ya kufanya hivyo:

$ binwalk -e -y=xml ./Telegram\ X

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1430180       0x15D2A4        XML document, version: "1.0"
1458814       0x16427E        XML document, version: "1.0"

Mbadala, radare2 inaweza kutumika kutekeleza amri kwa kimya na kutoka, ikitafuta nyuzi zote katika binary ya programu zinazohusisha "PropertyList":

$ r2 -qc 'izz~PropertyList' ./Telegram\ X

0x0015d2a4 ascii <?xml version="1.0" encoding="UTF-8" standalone="yes"?>...
0x0016427d ascii H<?xml version="1.0" encoding="UTF-8"?>...

Mifumo yote miwili, binwalk na radare2, inaruhusu utoaji wa plist faili, huku ukaguzi wa wa kwanza (0x0015d2a4) ukionyesha urejeleaji wa mafanikio wa faili ya awali ya entitlements kutoka Telegram.

Kwa programu za binary zinazofikiwa kwenye vifaa vilivyovunjwa (kwa mfano, kupitia SSH), amri ya grep yenye lippu -a, --text inaweza kutumika kutibu faili zote kama maandiko ya ASCII:

$ grep -a -A 5 'PropertyList' /var/containers/Bundle/Application/...

Adjusting the -A num, --after-context=num flag allows for the display of more or fewer lines. Hii mbinu inapatikana hata kwa binaries za programu zilizofichwa na imethibitishwa dhidi ya programu nyingi za App Store. Zana zilizotajwa hapo awali zinaweza pia kutumika kwenye vifaa vya iOS vilivyovunjwa kwa madhumuni sawa.

Note: Matumizi ya moja kwa moja ya amri strings hayapendekezwi kwa kazi hii kutokana na mipaka yake katika kupata habari muhimu. Badala yake, kutumia grep na bendera -a kwenye binary au kutumia radare2 (izz)/rabin2 (-zz) inashauriwa kwa matokeo bora zaidi.

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousiOS Custom URI Handlers / Deeplinks / Custom Schemes NextiOS Frida Configuration

Last updated 7 days ago