domingo, 16 de febrero de 2014

[How to] Quick Tip: Enabling the Android Move To SD Card Feature

Found it some time ago, actually for android it's not very useful, but for users with old versions of android is very useful :)

Tip

Best regards

lunes, 10 de febrero de 2014

Damn Vulnerable IOS Application | learning Apple IOS security

ABOUT - Damn Vulnerable IOS Application:

was born from the need to have a tool where a user can test their IOS penetration testing skills in a safe and legal environment. Also, this application can be used by mobile security enthusiasts and students to learn or review the basics of mobile application security.

Vulnerabilities and Challenges Include …

Insecure Data Storage
Jailbreak Detection
Runtime Manipulation
Transport Layer Security
Client Side Injection
Information Disclosure
Broken Cryptography
Application Patching

All these vulnerabilities and their solutions have been tested upto IOS 7.0.4

The app also contains a section on IOS Application Security Tutorials for those who want to learn IOS Application Pentesting. Every challenge/vulnerability has a link for a tutorial that users can read to learn more on that topic.

This app will only run on devices running IOS 7 or later. Users can download the source code and run the application on previous versions of IOS as well.

If you would like to sponsor DVIA, please use the contact form below to get in touch.

LEARN The complete list of tutorials can be found below

IOS Application Security Part 1 – Setting up a mobile pentesting platform
IOS Application Security Part 2 – Getting class information of IOS app
IOS Application Security Part 3 – Understanding the Objective-C Runtim
IOS Appllication Security Part 4 – Runtime Analysis Using Cycript (Yahoo Weather App)
IOS Application Security Part 5 – Advanced Runtime analysis and manipulation using Cycript (Yahoo Weather App
IOS Application Security Part 6 – New Security Features in IOS 7
IOS Application Security Part 7 – Installing and Running Custom Applications on Device without a registered developer account
IOS Application Security Part 8 – Method Swizzling using Cycript
IOS Application Security Part 9 – Analyzing Security of IOS Applications using Snoop-it
IOS Application Security Part 10 – IOS Filesystem and Forensics
IOS Application Security Part 11 – Analyzing Network Traffic over HTTP/HTTPS
IOS Application Security Part 12 – Dumping Keychain Data
IOS Application Security Part 13 – Booting a custom Ramdisk using Sogeti Data Protection tool
IOS Application Security Part 14 – Gathering information using Sogeti Data Protection tools
IOS Application Security Part 15 – Static Analysis of IOS Applications using iNalyzer
IOS Application Security Part 16 – Runtime Analysis of IOS Applications using iNalyzer
IOS Application Security Part 17 – Black-Box Assessment of IOS Applications using INTROSPY
IOS Application Security Part 18 – Detecting custom signatures with Introspy
IOS Application Security Part 19 – Programmatical Usage of Introspy
IOS Application Security Part 20 – Local Data Storage
IOS Application Security Part 21 – ARM and GDB Basics
IOS Application Security Part 22 – Runtime Analysis and Manipulation using GDB
IOS Application Security Part 23 – Defending against runtime analysis and manipulation
IOS Application Security Part 24 – Jailbreak Detection and Evasion
IOS Application Security Part 25 – Secure Coding Practices for IOS Development
IOS Application Security Part 26 – Patching IOS Applications using IDA Pro and Hex Fiend
IOS Application Security Part 27 – Setting up a mobile pentesting environment with IOS 7 Jailbreak
IOS Application Security Part 28 – Patching IOS Application with Hopper
IOS Application Security Part 29 – Insecure or Broken Cryptography

Source

domingo, 9 de febrero de 2014

[How to] Unzip files in RAM memory

Is very easy unzip files, you can found many examples on internet, but here is one which works perfect for me.

Here you have a POC:

import requests 
import tempfile 
import zipfile  

zip = requests.get(zip_file_url)

temp = tempfile.TemporaryFile()
temp.write(zip.content)
temp.seek(0) 

zfile = zipfile.ZipFile(temp)

#set password if needed 
zfile.setpassword('infected') 
 
for name in zfile.namelist():
    ram_file = zfile.open(name).read()

temp.close()

For large files you can use:
import requests
import tempfile
import zipfile

zip  = requests.get(zip_file_url)
temp = tempfile.TemporaryFile()

content = ''

for block in zip.iter_content(1048576):
    
    if not block:
        break
        
    content += block
    
temp.write(content)
temp.seek(0)

zfile = zipfile.ZipFile(temp)

#set password if needed
zfile.setpassword('infected')

for name in zfile.namelist():
    ram_file = zfile.open(name).read()
    
temp.close()
with this don't work :(
with tempfile.TemporaryFile() as temp
    for block in zip.iter_content(1048576):
    
        if not block:
            break
        
        temp.write(block)


For more information about tempfile look here

Best regards