Pentesting Web Applications

21 Nov

I use these slides for my training. Initially I thought of not sharing them with anyone. Later I felt, even if someone uses my slides, they cannot teach like me :)



iPhone 4- Gevey sim unlock useful tips

31 Oct

If you are using a Gevey unlock and want to upgrade your iPhone to iOS 5, do not update it directly through iTunes. Use redsn0w and create a custom OS bundle which preserves the old baseband. Detailed steps can be found at - Update to iOS 5 by preserving baseband

After installing iOS 5 you need to activate the phone. Activation is different from unlocking. To activate the phone you will require the original SIM (from the carrier to which the phone is locked). If you do not have the original SIM, close iTunes and use redsn0w to jailbreak the phone. After jailbreaking, open iTunes and activate the phone.

Now insert your Gevey SIM to unlock the iPhone. It works perfectly on iOS 5 and baseband 4.10.1.

Gevey sim problems that I have faced and the solutions

- After a sync with iTunes (over USB), the Gevey SIM stopped working (you will see a No Service message). It seems Apple sends some instructions to the phone to disable the Gevey SIM. I removed the SIM and inserted it again. Then the Gevey SIM started working.

- To get rid of this problem, I disconnect the internet from my machine (on which iTunes is running) while syncing the phone. So far, I have not faced any problem with this method.

- After syncing the phone with iTunes over Wi-Fi, the Gevey SIM stopped working and I spent a lot of time making it work again. One solution that I found is: sync the phone with iTunes over USB (with the internet disconnected from the laptop), then remove the SIM and insert it again. After that the Gevey SIM worked well.

- After downloading GPRS or 3G settings, those settings did not work. To make them work, I restarted the phone, removed the SIM and inserted it again.

- If none of those techniques works, or if you see an Invalid SIM message: remove and reinsert the SIM. After a few minutes you will see a No Service message. Dial 112 and end the call within a minute. Turn on airplane mode and turn it off after a minute. It will show a SIM Failure message. You might get a signal by this time. If not, it might show an Invalid SIM message. Now remove the SIM, insert it again, and do nothing else. You will see the signal in a few minutes.

- If you have jailbroken iOS 5 (currently only a tethered jailbreak is available), whenever you restart the phone you have to use the redsn0w "just boot" option to make the phone work. If you want to restart your phone without connecting it to a laptop, one alternative is a software restart called a respring. Download SBSettings from Cydia and it will show a respring option. From now on, whenever you want to restart the phone, use the respring option.

- Turning on 3G may drop the signal. If so, remove and insert the SIM; Gevey displays an Accept message. Click on it. Wait for 1 minute, then dial 112 and hang up. Turn on airplane mode until you see a No SIM Card Installed message. Turn off airplane mode. It displays the signal now (even for the Gevey Ultra SIM, you have to follow all the steps).

- This technique worked for all kinds of signal problems: remove the SIM card when you notice a No Service message. If you see other messages such as Invalid SIM, turn airplane mode on and off until you see a No Service message. Insert the SIM; Gevey then displays an Accept message. Click on it. Wait for 1 minute (you may notice a No Service message), then dial 112 and hang up. Turn on airplane mode until you see a No SIM Card Installed message. Turn off airplane mode. Wait a few seconds. You will notice SIM Failure and Invalid SIM messages. Later it starts searching for a signal and displays full signal (all the steps are necessary even for the Gevey Ultra SIM).

- Turning on 3G sometimes shows only one signal bar and the signal slowly drops. To get rid of this problem, always turn on cellular data first and only then turn on 3G.

[Update: 01-Feb-2012]
The Gevey SIM is working with iOS 5.0.1 (baseband 4.10.01). Preserve the baseband before updating - Update iOS 5.0.1 by preserving baseband

It is good to update to 5.0.1 because an untethered jailbreak is available, which means you can turn the phone on and off happily.

[Update: 14-Feb-2012]
When you want to use the internet, turning on cellular data alone may not work. If it does not work, turn on both cellular data and data roaming.

[Update: 26-Apr-2012]
The Gevey SIM is no longer required. You can directly unlock your iPhone running on any baseband with the SAM unlock method. Details are available at -

No more gevey sim problems …..

[Update: 03-May-2012]
The SAM unlock no longer works. Now the only unlock solution available is the Gevey SIM. The latest version of the Gevey SIM (Ultra S) also supports the iPhone 4 on the 4.11.08 baseband.


Pentesting iPhone Applications

17 Oct

I gave a presentation on Pentesting iPhone Applications at c0c0n. This presentation mainly focuses on the methodology, techniques and tools that will help security testers while assessing the security of iPhone applications.




Mac OS X Lion – Copying files to Pen Drive

14 Oct

The Mac OS X default file system is HFS (it also supports the FAT32 file system). If you connect a pen drive that is formatted as NTFS, Mac detects it as a disk. You can read files from the disk, but you cannot write to it. So if you try to copy files from the Mac to the pen drive, it will not work. To do that, format the pen drive as FAT32. Then the Mac recognizes it as a hard drive and you can drag files from the Mac to the pen drive.

In Mac OS X everything is more complicated than in Windows. In Windows, if you copy files from an NTFS-formatted drive to a FAT32 drive, it automatically converts from one format to the other, but it takes extra space to store those format conversion details.


Installing Mac OS X in Vmware

28 Sep

Apple has some sort of tie-up with VMware/VirtualBox to disable Mac OS virtualization. So when you try to install Mac OS in VMware, it will fail.

Follow the steps below to get a Mac OS X Lion VM:

1)  Download VMware Workstation 7 – Torrent Link
2)  Install a patch for VMware Workstation; this enables Mac OS virtualization.
Download the patch from - VMware Workstation Unlocker
3)  Enable hardware virtualization in the computer BIOS – If you don't know how to do this, read this link
4)  Download the Mac OS X Lion Developer Preview VMware image – Torrent Link
5)  Extract the VMware image and click on the .vmx file. It will load the Mac OS X Lion VM. Have Fun :)

To develop applications for iPhone or iPad, you need the Xcode developer tools. To install Xcode on OS X, follow these steps:

1) Download and install the latest OS X developer preview update – Lion OS X DP4
2) Download the latest Xcode from the Mac App Store. To download apps from the App Store, you will require an Apple account. To create an Apple ID without supplying your credit card details, visit this link.
3) Double-click the Xcode installer to install it. Now you can develop your own iOS apps :)

[Update on Jan-05-2012]
The VMware Workstation 8 guest unlocker is available now; you can download it from the links below.
VMware Workstation 8
VMware Guest Unlocker


SSL Trust Factor in Android Native Apps

29 Aug

Android native applications that talk to a server over HTTP usually use the default APIs provided by the platform. By default, those APIs validate the SSL certificate presented by the server before handing the response to the application logic. When the app is routed through an HTTP proxy for testing or auditing, the proxy's certificate is not trusted by the platform, so the app fails to load; it may or may not show the user a reason.

So the platform's behaviour gets in the way of penetration testers and anyone else who needs to test native applications.

Thanks to the open source community, there is a way to modify the Android OS trust settings so that we can carry out our work.

This article only walks through modifying that Android OS security setting, assuming basic working knowledge of ADB (Android Debug Bridge) and the device file system.

Disclaimer: The methods described below were only tested on Android 2.1 on a Samsung Galaxy S (I9000). Always take backups of the files that are being replaced. The device must be rooted.

>   command prompt on the working machine

$   shell access to the device with normal privileges

#   shell access to the device with root privileges

Device (Samsung Galaxy S):

>adb shell
>adb pull /system/etc/security/cacerts.bks .
>keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "C:\Program Files\Java\jdk1.6.0_24\lib\bcprov-jdk16-141.jar" -storepass changeit -import -v -trustcacerts -alias proxyca -file "C:\sslcerts\proxyca.cer"
    (the alias is any name you choose for the imported certificate; proxyca is used here as a placeholder)
>adb shell mount -o remount,rw /system
>adb push cacerts.bks /sdcard/
#cd /system/etc/security
#cat cacerts.bks > cacerts.bks.bak
#rm cacerts.bks
#cat /sdcard/cacerts.bks > cacerts.bks
>adb shell mount -o remount,ro /system
Restart the device (mandatory). Since we have added our proxy's CA certificate to the keystore that holds the trusted CA certs, any SSL certificate signed by the proxy's CA will from now on be considered trusted, which lets us intercept the HTTPS traffic.

Limitation: The above process is specific to physical devices. For testing, many people want to stay safe from bricking a device and prefer to test the application in the emulator. The emulator does not persist changes made to the system partition: every restart of the emulator starts again from the system image that was downloaded when the emulator was set up. Below is the workaround for this limitation.

Emulator (Android 2.1):

>emulator -avd youravdname -partition-size 128
>adb shell
>adb pull /system/etc/security/cacerts.bks .
>keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "C:\Program Files\Java\jdk1.6.0_24\lib\bcprov-jdk16-141.jar" -storepass changeit -import -v -trustcacerts -alias proxyca -file "C:\sslcerts\proxyca.cer"
    (the alias is any name you choose for the imported certificate; proxyca is used here as a placeholder)
>adb shell mount -o remount,rw /system
>adb shell
# mount
# chmod 777 /system
>adb push cacerts.bks /system/etc/security/
>adb push mkfs.yaffs2.arm /data/data/temp/mkfs.yaffs2
>adb shell chmod 777 /data/data/temp/mkfs.yaffs2
>adb shell
#mkfs.yaffs2 /system /data/data/temp/system.img
>adb pull /data/data/temp/system.img system.img
>adb shell mount -o remount,ro -t yaffs2 /dev/block/mtdblock0 /system
Go to "<your android SDK home>\platforms\<target-version>\images" (IMAGEHOME)
    ex) E:\dev\android-sdk-windows\platforms\android-2.0\images
Back up your system.img
    ex) Rename system.img to system.img.bak
Move the fresh image captured using mkfs.yaffs2, which is in WORKDIR\system.img, to IMAGEHOME
Restart the emulator (mandatory). The emulator now boots from the modified OS image, whose keystore contains our proxy CA.
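Both the device and the emulator procedures end with a replaced cacerts.bks, so a tester wants a way to confirm exactly what changed in the trust store, and a defender wants the same check to notice a device or image whose store carries a root CA it should not. The shell script below is an added example, not part of the original post: it diffs two keytool -list dumps of the BKS store (a known-good baseline against the current one) and reports entries that were added. The two dumps embedded in it are constructed sample text with placeholder fingerprints, and the function names list_entries, added_entries and store_is_clean are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a pulled cacerts.bks by
# comparing `keytool -list` output for a baseline store and the current store.

# Constructed sample dump in the layout keytool prints for a BKS store.
# Aliases are DN strings as Android 2.x used them; fingerprints are placeholders.
BASELINE_LIST='Keystore type: BKS
Keystore provider: BC

Your keystore contains 2 entries

cn=gte cybertrust global root,o=gte corporation,c=us, Aug 29, 2011, trustedCertEntry,
Certificate fingerprint (SHA1): 01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01
cn=thawte premium server ca,o=thawte consulting cc,c=za, Aug 29, 2011, trustedCertEntry,
Certificate fingerprint (SHA1): 02:02:02:02:02:02:02:02:02:02:02:02:02:02:02:02:02:02:02:02'

# Constructed dump of the same store after the proxy CA import from the post.
CURRENT_LIST='Keystore type: BKS
Keystore provider: BC

Your keystore contains 3 entries

cn=gte cybertrust global root,o=gte corporation,c=us, Aug 29, 2011, trustedCertEntry,
Certificate fingerprint (SHA1): 01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01
cn=thawte premium server ca,o=thawte consulting cc,c=za, Aug 29, 2011, trustedCertEntry,
Certificate fingerprint (SHA1): 02:02:02:02:02:02:02:02:02:02:02:02:02:02:02:02:02:02:02:02
proxyca, Aug 29, 2011, trustedCertEntry,
Certificate fingerprint (SHA1): AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB'

# list_entries: read keytool -list text on stdin, emit one "alias<TAB>sha1" line
# per trusted certificate entry. The alias is everything before the first ", "
# (DN aliases contain commas, but no comma-space, so this split is safe).
list_entries() {
  awk -F', ' '
    /, trustedCertEntry,/ { alias = $1; next }
    alias != "" && /Certificate fingerprint/ {
      sub(/^.*\): */, "")
      print alias "\t" $0
      alias = ""
    }
  '
}

# added_entries BASELINE CURRENT: print entries present in CURRENT but not in
# BASELINE, i.e. a new alias or a known alias whose fingerprint changed.
added_entries() {
  base=$(mktemp)
  cur=$(mktemp)
  printf '%s\n' "$1" | list_entries | LC_ALL=C sort > "$base"
  printf '%s\n' "$2" | list_entries | LC_ALL=C sort > "$cur"
  LC_ALL=C comm -13 "$base" "$cur"
  rm -f "$base" "$cur"
}

# store_is_clean BASELINE CURRENT: exit status 0 when nothing was added.
store_is_clean() {
  [ -z "$(added_entries "$1" "$2")" ]
}

# Stand-alone usage: show what the import added to the constructed store.
added_entries "$BASELINE_LIST" "$CURRENT_LIST"
```

To run it against real stores, produce each dump with keytool -list -keystore cacerts.bks -storetype BKS -storepass changeit together with the same -provider and -providerpath options used in the import commands above, keeping the baseline dump from a store pulled before any modification.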



Posted by KC
