iOS Pentesting Behind VPN Pentest Environment Setup

Intro


I recently had a fair bit of difficulty arriving at a suitable network setup for pen testing an iOS app (Note this is a hybrid app - and heavily based on APIs), as I was testing an environment behind VPN (such as Cisco Anyconnect), I had go for dual vpn setup to access the APIs within the Corporate network.



So I wrote this article basically to make sure this will help someone and more importantly I don't forget. One of the primary goal with any pentesting is to MITM the traffic from the iDevice.
This can be achieved by using OpenVPN (on Ubuntu VM) and OpenConnect Client (on iDevice). Additionally, we need to ensure the Burp invisible proxy is enabled, literally we are treating the app as a proxy-unaware app.

Credits:
https://security.stackexchange.com/questions/190568/optimal-way-to-capture-https-traffic-on-proxy-unaware-ios-applications
https://portswigger.net/burp/documentation/desktop/tools/proxy/options/invisible

Pre-Reqs:
  • Jail-Broken iPhone(iDevice) (I was on 12.4 with checkra1n exploit installed, Cydia installed - key tools installed -- like openssh) 
  • Macbook (may be a QEMU based OSX would work; don't hold be responsible!!)
  • Ubuntu VM (Bridged and I prefer this way as it's easy to remove and backup test environments)
  • Burp / iDevice configured to proxy -- the normal way working HTTPS calls intercepted (i.e. all the SSL bit sorted. I got stuck for not enabling PortSwigger certificate on FULL trust; Settings > General > About > Certificate Trust Settings)

Step 1 : The main goal in this step is to create a OpenVPN server (UbuntuVM) and client environment (iDevice).

$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh

$ chmod +x openvpn-install.sh

$ sudo bash openvpn-install.sh

*Leave all the default settings here (we are setting a temp system we are throwing away after the test anyways.

At the end of the setup create a client profile, I just gave the name of my iPhone.

Confirm if the OpenVPN process has started:

$ sudo ss -tunlp | grep openvpn
$ ifconfig

A new 'tun0' interface should be created.

Copy the *.ovpn file to the device.

Install OpenVPN app on iOS, load the profile.

Step 2 : Configure IPTables on Ubuntu VM

I followed the StackOverflow article listed above and setup my new OpenVPN 'tun0' interface to forward traffic to port '8080' on localhost.

iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8080

Step 3 : Configure BurpSuite further

Goto Proxy > Options > Add > then select > All Interfeces > Add port : 8080; like this below:


And the support the invisible proxying. 


Enabling Invisible Proxy support ensures to treat the app as a proxy-unaware app and ensures all traffic goes through the listener. 

Step 4 : Connect to the VPN 

Now, on the UbuntuVM connect to the corporate VPN (in my case it was using Cisco Anyconnect).

That's it.

Now that's done -- Connection/setting environment is one thing, attacking a React Based iOS app is another... :-)

















Popular posts from this blog

The correct way to install Jython (for Burpsuite)

You need to install Jython the correct way in order to ensure some of the Burp plugins work correctly. Some of these Burp plugins depend on Python libraries for e.g. requests, so installing Jython and then using  $ wget https://repo1.maven.org/maven2/org/python/jython-installer/2.7.2/jython-installer-2.7.2.jar $ java -jar jython-installer-2.7.2.jar -s -d /path/to/install/jython -t standard Further for e.g. if you need requests install it like this: Download requests-2.25.1.tar.gz from the official repo ( https://pypi.org/project/requests/#files ), then go to that directory in terminal, and type the following command, java -jar /Users/brutus/Downloads/jython-standalone-2.7.2.jar setup.py install
Read more

RFID cloning with Proxmark3 Easy

Image
In this post, I would like to explain how in a recent Red Team engagement, I successfully managed to clone an RFID Access Control card and gained entry into the premise. #TheKit The client was using HiD 125khz cards. I used "Proxmark 3 Easy" which is a low cost RFID cloning kit, is a stripped down version of the real “ Proxmark 3 RDV 2 ”. The "Proxmark3 easy" does not support several things like battery, relaying and doesn't have an amplifier, also it has a smaller memory. But the device is quite sufficient during a Red Team Physical engagement. It looks something like this when you order on Amazon. I wanted to build a mobile RFID cloning kit and use it for my Red Team engagements, but note with this setup the scanning distance of 6cm is useless in real engagements, I'm not that brave enough and you really have to get up close to clone a card so the setup initially didn't work, however I got lucky and me and my partner found a lost targe
Read more

Extracting an IPA; App distributed through Testflight

So in one of my iOS app pentest the app was distributed on TestFlight, I needed a clean IPA to makesure, I review the app after unpacking it. The option was for me to use a Jailbroken device and use Ext3nder, which allows the app to be re-packaged. Once you do that you could use SCP to download the IPA and use it to analyse or side load through xCode.
Read more