Scrounger – Mobile Application Testing Toolkit


Scrounger – an individual who borrows from or lives off others.

There is no better description for this tool, for two main reasons: first, the tool takes inspiration from many other tools that have already been published; second, it lives off mobile applications' vulnerabilities.

Why

Even though several other mobile application analysis tools have been developed, there is no single tool that works for both Android and iOS and could be called a "standard" must-use on every mobile application assessment.

The idea behind Scrounger is to build a Metasploit-like tool that will not do the pentester's work for them, but will help them during an assessment by executing the mundane tasks that have to be performed on every assessment.

The Difference

The main features Scrounger offers that others do not:

  • Works with Android and iOS
  • Metasploit-like console and modules
  • Offers a variety of modules that can be run to give the pentester a starting point
  • Easily extendable

Inspiration / Thanks

Scrounger was inspired by other tools; a big thanks to the developers of:

Technical

As a disclaimer, all findings reported by Scrounger should always be manually double checked.

When using modules that need an Android or iOS device, Scrounger needs a rooted or jailbroken device respectively.

Install

git clone https://github.com/nettitude/scrounger.git
cd scrounger
bash setup.sh
pip install -r requirements.txt
python setup.py install

Development

git clone https://github.com/nettitude/scrounger.git
cd scrounger
bash setup.sh
pip install -r requirements.txt
python setup.py develop

Update

cd scrounger
git pull
python setup.py install

Required Binaries

For Android Modules

For iOS Modules

iOS Binaries

  • Bundled Binaries:
    • clutch
    • dump_backup_flag
    • dump_file_protection
    • dump_keychain
    • dump_log
    • listapps
  • Cydia Karen’s Repository (https://cydia.angelxwind.net) (Optional):
    • AppSync Unified (Package: net.angelxwind.appsyncunified)
    • appinst (Package: com.linusyang.appinst)
  • Other (Optional):

Install Scripts

Linux

# note: everything below writes to /usr/local, so run it as root or via sudo

# install iproxy lsusb
sudo apt-get install libimobiledevice-utils usbutils

# install jd-cli
if [ ! -x "$(which jd-cli)" ]; then
    curl -L -o /tmp/jdcli.zip https://github.com/kwart/jd-cmd/releases/download/jd-cmd-0.9.2.Final/jd-cli-0.9.2-dist.zip
    unzip /tmp/jdcli.zip -d /usr/local/share/jd-cli
    ln -s /usr/local/share/jd-cli/jd-cli /usr/local/bin/jd-cli
    ln -s /usr/local/share/jd-cli/jd-cli.jar /usr/local/bin/jd-cli.jar
    rm -rf /tmp/jdcli.zip
fi

# install apktool
if [ ! -x "$(which apktool)" ]; then
    mkdir /usr/local/share/apktool
    curl -L -o /usr/local/share/apktool/apktool https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/osx/apktool
    curl -L -o /usr/local/share/apktool/apktool.jar https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.3.3.jar
    chmod +x /usr/local/share/apktool/apktool /usr/local/share/apktool/apktool.jar
    ln -s /usr/local/share/apktool/apktool /usr/local/bin/apktool
    ln -s /usr/local/share/apktool/apktool.jar /usr/local/bin/apktool.jar
fi

# install dex2jar
if [ ! -x "$(which d2j-dex2jar)" ]; then
    curl -L -o /tmp/d2j.zip https://github.com/pxb1988/dex2jar/files/1867564/dex-tools-2.1-SNAPSHOT.zip
    unzip /tmp/d2j.zip -d /tmp/d2j
    dirname=$(ls --color=none /tmp/d2j)
    mv /tmp/d2j/$dirname /usr/local/share/d2j-dex2jar
    chmod +x /usr/local/share/d2j-dex2jar/*.sh
    ln -s /usr/local/share/d2j-dex2jar/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar.sh
    ln -s /usr/local/share/d2j-dex2jar/d2j-apk-sign.sh /usr/local/bin/d2j-apk-sign.sh
    rm -rf /tmp/d2j.zip
fi

if [ ! -x "$(which d2j-dex2jar)" ]; then
    ln -s /usr/local/bin/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar
fi

# install adb
if [ ! -x "$(which adb)" ]; then
    curl -L -o /tmp/platform-tools.zip https://dl.google.com/android/repository/platform-tools-latest-linux.zip
    unzip /tmp/platform-tools.zip -d /tmp/pt
    mv /tmp/pt/platform-tools /usr/local/share/
    ln -s /usr/local/share/platform-tools/adb /usr/local/bin/adb
    ln -s /usr/local/share/platform-tools/fastboot /usr/local/bin/fastboot
fi

# install ldid
if [ ! -x "$(which ldid)" ]; then
    git clone https://github.com/daeken/ldid.git /tmp/ldid
    cd /tmp/ldid
    ./make.sh
    mv ldid /usr/local/bin/
    cd /tmp
    rm -rf /tmp/ldid
fi

# install jtool
if [ ! -x "$(which jtool)" ]; then
    curl -L -o /tmp/jtool.tar http://www.newosxbook.com/tools/jtool.tar
    mkdir /tmp/jtool
    tar xvf /tmp/jtool.tar -C /tmp/jtool
    mv /tmp/jtool/jtool.ELF64 /usr/local/bin/jtool
    rm -rf /tmp/jtool.tar /tmp/jtool
fi

# install scrounger
git clone git@github.com:nettitude/scrounger.git
cd scrounger
pip install -r requirements.txt
python setup.py install

MacOS

# note: everything below writes to /usr/local, so run it as root or via sudo

# install iproxy ldid lsusb
brew tap jlhonora/lsusb && brew install lsusb libimobiledevice ldid

# install jd-cli
if [ ! -x "$(which jd-cli)" ]; then
    curl -L -o /tmp/jdcli.zip https://github.com/kwart/jd-cmd/releases/download/jd-cmd-0.9.2.Final/jd-cli-0.9.2-dist.zip
    unzip /tmp/jdcli.zip -d /usr/local/share/jd-cli
    ln -s /usr/local/share/jd-cli/jd-cli /usr/local/bin/jd-cli
    ln -s /usr/local/share/jd-cli/jd-cli.jar /usr/local/bin/jd-cli.jar
    rm -rf /tmp/jdcli.zip
fi

# install apktool
if [ ! -x "$(which apktool)" ]; then
    mkdir /usr/local/share/apktool
    curl -L -o /usr/local/share/apktool/apktool https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/osx/apktool
    curl -L -o /usr/local/share/apktool/apktool.jar https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.3.3.jar
    chmod +x /usr/local/share/apktool/apktool /usr/local/share/apktool/apktool.jar
    ln -s /usr/local/share/apktool/apktool /usr/local/bin/apktool
    ln -s /usr/local/share/apktool/apktool.jar /usr/local/bin/apktool.jar
fi

# install dex2jar
if [ ! -x "$(which d2j-dex2jar)" ]; then
    curl -L -o /tmp/d2j.zip https://github.com/pxb1988/dex2jar/files/1867564/dex-tools-2.1-SNAPSHOT.zip
    unzip /tmp/d2j.zip -d /tmp/d2j
    dirname=$(ls /tmp/d2j)
    mv /tmp/d2j/$dirname /usr/local/share/d2j-dex2jar
    chmod +x /usr/local/share/d2j-dex2jar/*.sh
    ln -s /usr/local/share/d2j-dex2jar/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar.sh
    ln -s /usr/local/share/d2j-dex2jar/d2j-apk-sign.sh /usr/local/bin/d2j-apk-sign.sh
    rm -rf /tmp/d2j.zip
fi

if [ ! -x "$(which d2j-dex2jar)" ]; then
    ln -s /usr/local/bin/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar
fi

# install adb
if [ ! -x "$(which adb)" ]; then
    curl -L -o /tmp/platform-tools.zip https://dl.google.com/android/repository/platform-tools-latest-darwin.zip
    unzip /tmp/platform-tools.zip -d /tmp/pt
    mv /tmp/pt/platform-tools /usr/local/share/
    ln -s /usr/local/share/platform-tools/adb /usr/local/bin/adb
    ln -s /usr/local/share/platform-tools/fastboot /usr/local/bin/fastboot
fi

# install Xcode / command line tools
xcode-select --install

# install scrounger
git clone git@github.com:nettitude/scrounger.git
cd scrounger
pip install -r requirements.txt
python setup.py install

Adding Custom Modules
When the application is installed a folder ~/.scrounger is created. Inside ~/.scrounger there is a folder called modules/custom with the same structure as the default scrounger modules, e.g., analysis/android/module_name.
To create a new custom module just add a new file with the module name you want and it will be picked up the next time you launch scrounger.

Example
Added the following module (~/.scrounger/modules/custom/misc/test.py):

from scrounger.core.module import BaseModule

class Module(BaseModule):
    # shown by "list" and used when reporting findings
    meta = {
        "author": "RDC",
        "description": """Just a Test module""",
        "certainty": 100
    }

    # module options, settable from the console with "set <name> <value>"
    options = [
        {
            "name": "output",
            "description": "local output directory",
            "required": False,
            "default": None
        },
    ]

    def run(self):

        print("This is a print from the custom module")

        # the "print" key of the returned dict is written to the console
        return {
            "print": "This will be print by scrounger's console."
        }

Execution

$ scrounger-console
Starting Scrounger console...

scrounger > list custom/misc

Module            Certainty  Author  Description
------            ---------  ------  -----------
custom/misc/test  100%       RDC     Just a Test module

scrounger > use custom/misc/test

scrounger custom/misc/test > options

Global Options:

    Name    Value
    ----    -----
    device
    output  /tmp/scrounger-app

Module Options (custom/misc/test):

    Name    Required  Description             Current Setting
    ----    --------  -----------             ---------------
    output  False     local output directory  /tmp/scrounger-app

scrounger custom/misc/test > run
This is a print from the custom module
[+] This will be print by scrounger's console.

scrounger custom/misc/test >
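The test module above only prints. The module below is an added example (written for this page, not code from the Scrounger project) of a custom module that does real work: it parses the AndroidManifest.xml that misc/android/decompile_apk leaves in the decompiled directory and flags any requested permission that is on a ";"-separated watch list, mirroring the built-in analysis/android/permissions module used later on this page. It assumes that Scrounger's BaseModule exposes each option as an attribute (self.decompiled_apk, self.permissions) and that dictionary keys other than "print" returned from run() are kept as results; the watch list, the sample manifest and the author name are constructed for the example, and the BaseModule fallback exists only so the file also runs outside Scrounger.

```python
"""Added example custom module for Scrounger (not part of the project).

Drop it in as ~/.scrounger/modules/custom/analysis/android/manifest_permissions.py
and it is listed as custom/analysis/android/manifest_permissions.
"""
import os
import xml.etree.ElementTree as ET

try:
    from scrounger.core.module import BaseModule
except ImportError:
    # Stand-in so the file runs outside Scrounger. Inside Scrounger the real
    # BaseModule is used; the assumption is that it sets each option value as
    # an attribute on the module instance (self.decompiled_apk, ...).
    class BaseModule(object):
        pass

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed default watch list, in the ";"-separated form that the built-in
# analysis/android/permissions module uses for its "permissions" option.
DEFAULT_DANGEROUS = (
    "android.permission.READ_SMS;android.permission.RECEIVE_SMS;"
    "android.permission.READ_CALL_LOG;android.permission.RECORD_AUDIO;"
    "android.permission.READ_LOGS;android.permission.BIND_DEVICE_ADMIN"
)

# Constructed sample manifest, in the decoded XML form apktool writes.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="demo"/>
</manifest>
"""


def parse_permissions(manifest_xml):
    """Set of android:name values from <uses-permission> and the API 23+
    variant <uses-permission-sdk-23>; both are real permission requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names


def dangerous_permissions(manifest_xml, dangerous=DEFAULT_DANGEROUS):
    """Sorted list of requested permissions that appear on the watch list.
    Empty entries (a trailing ';' or stray whitespace) are ignored."""
    watched = {p.strip() for p in dangerous.split(";") if p.strip()}
    return sorted(parse_permissions(manifest_xml) & watched)


def analyse_decompiled_apk(decompiled_dir, dangerous=DEFAULT_DANGEROUS):
    """Run the check on an apktool output directory, whose AndroidManifest.xml
    sits at the top level (the layout decompile_apk produces)."""
    with open(os.path.join(decompiled_dir, "AndroidManifest.xml"), "rb") as fh:
        return dangerous_permissions(fh.read(), dangerous)


class Module(BaseModule):
    meta = {
        "author": "example",
        "description": "Flags dangerous permissions declared in a decompiled APK's manifest",
        "certainty": 90,  # manifest parsing is reliable, but still review findings by hand
    }

    options = [
        {
            "name": "decompiled_apk",
            "description": "local folder containing the decompiled apk",
            "required": True,
            "default": None,
        },
        {
            "name": "permissions",
            "description": "dangerous permissions to check for, separated by ;",
            "required": True,
            "default": DEFAULT_DANGEROUS,
        },
    ]

    def run(self):
        found = analyse_decompiled_apk(self.decompiled_apk, self.permissions)
        if not found:
            return {"print": "No watched permissions declared"}
        # "print" goes to the console; the extra key is assumed to be stored
        # as a result that later modules can reference with result:<name>.
        return {
            "print": "Dangerous permissions declared:\n* " + "\n* ".join(found),
            "dangerous_permissions": found,
        }


if __name__ == "__main__":
    print(dangerous_permissions(SAMPLE_MANIFEST))
```

In the console it is used like the built-in module: decompile first, then `set decompiled_apk result:<package>_decompiled`, optionally narrow `permissions` to what matters for the engagement, and `run`. Keeping the parsing in plain functions (parse_permissions, dangerous_permissions) means the logic can be unit-tested without a device or a Scrounger install, which is worth doing before trusting a custom module's output on a real assessment.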

Examples

Listing / Searching modules

$ scrounger-console
Starting Scrounger console...

> help

Documented commands (type help <topic>):
========================================
add_device  devices  list     print  results  set   unset
back        help     options  quit   run      show  use


> help list
Lists all available modules

> list ios

Module                                  Certainty Author Description
------                                  --------- ------ -----------
analysis/ios/app_transport_security     90%       RDC    Checks if there are any Application Transport Security misconfigurations
analysis/ios/arc_support                90%       RDC    Checks if a binary was compiled with ARC support
analysis/ios/backups                    90%       RDC    Checks if the application's files have the backup flag on
analysis/ios/clipboard_access           75%       RDC    Checks if the application disables clipboard access
analysis/ios/debugger_detection         75%       RDC    Checks if the application detects debuggers
analysis/ios/excessive_permissions      90%       RDC    Checks if the application uses excessive permissions
analysis/ios/file_protection            90%       RDC    Checks the application's files' specific protection flags
analysis/ios/full_analysis              100%      RDC    Runs all modules in analysis and writes a report into the output directory
analysis/ios/insecure_channels          50%       RDC    Checks if the application uses insecure channels
analysis/ios/insecure_function_calls    75%       RDC    Checks if the application uses insecure function calls
analysis/ios/jailbreak_detection        60%       RDC    Checks if the application implements jailbreak detection
analysis/ios/logs                       60%       RDC    Checks if the application logs to syslog
analysis/ios/passcode_detection         60%       RDC    Checks if the application checks for a passcode being set
analysis/ios/pie_support                100%      RDC    Checks if the application was compiled with PIE support
analysis/ios/prepared_statements        60%       RDC    Checks if the application uses sqlite calls and if so checks if it also uses prepared statements
analysis/ios/ssl_pinning                60%       RDC    Checks if the application implements SSL pinning
analysis/ios/stack_smashing             90%       RDC    Checks if a binary was compiled with stack smashing protections
analysis/ios/third_party_keyboard       65%       RDC    Checks if an application checks for third party keyboards
analysis/ios/unencrypted_communications 80%       RDC    Checks if the application communicates over unencrypted channels
analysis/ios/unencrypted_keychain_data  70%       RDC    Checks if the application saves unencrypted data in the keychain
analysis/ios/weak_crypto                60%       RDC    Checks if the application uses weak crypto
analysis/ios/weak_random                50%       RDC    Checks if a binary uses weak random functions
analysis/ios/weak_ssl_ciphers           50%       RDC    Checks if a binary uses weak SSL ciphers
misc/ios/app/archs                      100%      RDC    Gets the application's available architectures
misc/ios/app/data                       100%      RDC    Gets the application's data from the remote device
misc/ios/app/entitlements               100%      RDC    Gets the application's entitlements
misc/ios/app/flags                      100%      RDC    Gets the application's compilation flags
misc/ios/app/info                       100%      RDC    Pulls the Info.plist info from the device
misc/ios/app/start                      100%      RDC    Launches an application on the remote device
misc/ios/app/symbols                    100%      RDC    Gets the application's symbols out of an installed application on the device
misc/ios/class_dump                     100%      RDC    Dumps the classes out of a decrypted binary
misc/ios/decrypt_bin                    100%      RDC    Decrypts and pulls a binary application
misc/ios/install_binaries               100%      RDC    Installs iOS binaries required to run some checks
misc/ios/keychain_dump                  100%      RDC    Dumps contents from the connected device's keychain
misc/ios/local/app/archs                100%      RDC    Gets the application's available architectures
misc/ios/local/app/entitlements         100%      RDC    Gets the application's entitlements from a local binary and saves them to file
misc/ios/local/app/flags                100%      RDC    Gets the application's compilation flags using local tools. Will look for otool and jtool in the PATH.
misc/ios/local/app/info                 100%      RDC    Pulls the Info.plist info from the unzipped IPA file and saves an XML file with its contents to the output folder
misc/ios/local/app/symbols              100%      RDC    Gets the application's symbols out of an installed application on the device
misc/ios/local/class_dump               100%      RDC    Dumps the classes out of a decrypted binary
misc/ios/pull_ipa                       100%      RDC    Pulls the IPA file from a remote device
misc/ios/unzip_ipa                      100%      RDC    Unzips the IPA file into the output directory

Using Misc Module

$ scrounger-console
Starting Scrounger console...

> use misc/android/decompile_apk

misc/android/decompile_apk > options

Global Options:

    Name   Value
    ----   -----
    device
    output /tmp/scrounger-app

Module Options (misc/android/decompile_apk):

    Name   Required Description                Current Setting
    ----   -------- -----------                ---------------
    output True     local output directory     /tmp/scrounger-app
    apk    True     local path to the APK file

misc/android/decompile_apk > set output scrounger-demo-output

misc/android/decompile_apk > set apk ./a.apk

misc/android/decompile_apk > options

Global Options:

    Name   Value
    ----   -----
    device
    output /tmp/scrounger-app

Module Options (misc/android/decompile_apk):

    Name   Required Description                Current Setting
    ----   -------- -----------                ---------------
    output True     local output directory     scrounger-demo-output
    apk    True     local path to the APK file ./a.apk

misc/android/decompile_apk > run
2018-05-01 10:29:53 -                  decompile_apk : Creating decompilation directory
2018-05-01 10:29:53 -                  decompile_apk : Decompiling application
2018-05-01 10:29:59 -                       manifest : Checking for AndroidManifest.xml file
2018-05-01 10:29:59 -                       manifest : Creating manifest object
[+] Application decompiled to scrounger-demo-output/com.eg.challengeapp.decompiled

Using results from other modules

misc/android/decompile_apk > show results

Results:

    Name                             Value
    ----                             -----
    com.eg.challengeapp_decompiled scrounger-demo-output/com.eg.challengeapp.decompiled

misc/android/decompile_apk > use analysis/android/permissions

analysis/android/permissions > options

Global Options:

    Name   Value
    ----   -----
    device
    output /tmp/scrounger-app

Module Options (analysis/android/permissions):

    Name           Required Description                                        Current Setting
    ----           -------- -----------                                        ---------------
    decompiled_apk True     local folder containing the decompiled apk file
    permissions    True     dangerous permissions to check for, separated by ; android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CA

analysis/android/permissions > print option permissions

Option Name: permissions
Value: android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CALLS;android.permission.READ_LOGS;android.permission.READ_SMS;android.permission.READ_CALL_LOG;android.permission.RECORD_AUDIO;android.permission.MANAGE_ACCOUNTS;android.permission.RECEIVE_SMS;android.permission.RECEIVE_MMS;android.permission.WRITE_CONTACTS;android.permission.DISABLE_KEYGUARD;android.permission.WRITE_SETTINGS;android.permission.WRITE_SOCIAL_STREAM;android.permission.WAKE_LOCK

analysis/android/permissions > set decompiled_apk result:com.eg.challengeapp_decompiled

analysis/android/permissions > options

Global Options:

    Name   Value
    ----   -----
    device
    output /tmp/scrounger-app

Module Options (analysis/android/permissions):

    Name           Required Description                                        Current Setting
    ----           -------- -----------                                        ---------------
    decompiled_apk True     local folder containing the decompiled apk file    result:com.eg.challengeapp_decompiled
    permissions    True     dangerous permissions to check for, separated by ; android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CA

analysis/android/permissions > run
2018-05-01 10:54:58 -                       manifest : Checking for AndroidManifest.xml file
2018-05-01 10:54:58 -                       manifest : Creating manifest object
2018-05-01 10:54:58 -                    permissions : Analysing application's manifest permissions
[+] Analysis result:
The Application Has Inadequate Permissions
    Report: True
    Details:
* android.permission.READ_SMS

Using devices

$ scrounger-console
Starting Scrounger console...

> show devices

Added Devices:

    Scrounger ID Device OS Identifier
    ------------ --------- ----------

> add_device
android  ios

> add_device android 00cd7e67ec57c127

> show devices

Added Devices:

    Scrounger ID Device OS Identifier
    ------------ --------- ----------
    1            android   00cd7e67ec57c127

> set global device 1

> options

Global Options:

    Name   Value
    ----   -----
    device 1
    output /tmp/scrounger-app

> use misc/list_apps

misc/list_apps > options

Global Options:

    Name   Value
    ----   -----
    device 1
    output /tmp/scrounger-app

Module Options (misc/list_apps):

    Name   Required Description            Current Setting
    ----   -------- -----------            ---------------
    output False    local output directory /tmp/scrounger-app
    device True     the remote device      1

misc/list_apps > unset output

misc/list_apps > options

Global Options:

    Name   Value
    ----   -----
    device 1
    output /tmp/scrounger-app

Module Options (misc/list_apps):

    Name   Required Description            Current Setting
    ----   -------- -----------            ---------------
    output False    local output directory
    device True     the remote device      1

misc/list_apps > run
[+] Applications installed on 00cd7e67ec57c127:

com.android.sharedstoragebackup
com.android.providers.partnerbookmarks
com.google.android.apps.maps
com.google.android.partnersetup
de.codenauts.hockeyapp
...

Command Line Help

$ scrounger --help
usage: scrounger [-h] [-m analysis/ios/module1;analysis/ios/module2]
                 [-a argument1=value1;argument1=value2;]
                 [-f /path/to/the/app.[apk|ipa]] [-d device_id] [-l] [-o]
                 [-p /path/to/full-analysis.json] [-V] [-D]

   _____
  / ____|
 | (___   ___ _ __ ___  _   _ _ __   __ _  ___ _ __
  \___ \ / __| '__/ _ \| | | | '_ \ / _` |/ _ \ '__|
  ____) | (__| | | (_) | |_| | | | | (_| |  __/ |
 |_____/ \___|_|  \___/ \__,_|_| |_|\__, |\___|_|
                                     __/ |
                                    |___/

optional arguments:
  -h, --help            show this help message and exit
  -m analysis/ios/module1;analysis/ios/module2, --modules analysis/ios/module1;analysis/ios/module2
                        modules to be run - separated by ; - will be run in order
  -a argument1=value1;argument1=value2;, --arguments argument1=value1;argument1=value2;
                        arguments for the modules to be run
  -f /path/to/the/app.[apk|ipa], --full-analysis /path/to/the/app.[apk|ipa]
                        runs a full analysis on the application
  -d device_id, --device device_id
                        device to be used by the modules
  -l, --list            list available devices and modules
  -o, --options         prints the required options for the selected modules
  -p /path/to/full-analysis.json, --print-results /path/to/full-analysis.json
                        prints the results of a full analysis json file
  -V, --verbose         prints more information when running the modules
  -D, --debug           prints more information when running scrounger

Using the command line


$ scrounger -o -m "misc/android/decompile_apk"

Module Options (misc.android.decompile_apk):

    Name   Required Description                Default
    ----   -------- -----------                -------
    output True     local output directory     None
    apk    True     local path to the APK file None

$ scrounger -m "misc/android/decompile_apk" -a "apk=./a.apk;output=./cli-demo"
Excuting Module 0
2018-05-01 11:17:42 -                  decompile_apk : Creating decompilation directory
2018-05-01 11:17:42 -                  decompile_apk : Decompiling application
2018-05-01 11:17:46 -                       manifest : Checking for AndroidManifest.xml file
2018-05-01 11:17:46 -                       manifest : Creating manifest object
[+] Application decompiled to ./cli-demo/com.eg.challengeapp.decompiled
