Introducing The Smartphone Pentesting Framework - Georgia Weidman - OWASP

Transcription

Introducing the Smartphone Pentesting Framework
Georgia Weidman
Bulb Security LLC
Approved for Public Release, Distribution Unlimited

Disclaimer
"The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government." This is in accordance with DoDI 5230.29, January 8, 2009.

♥ to DARPA
- DARPA Cyber Fast Track program funded this project
- Without them I'd still be a junior pentester at some company
- Now I'm CEO!

The Problem: Smartphones in the Workplace

Smartphones in the workplace
- Access your data
- Store company emails
- Connect to VPNs
- Generate one-time passwords

Threats against smartphones: Apps
- Malicious apps steal your data, remotely control your phone, etc.
- Happens on all platforms. Some easier than others.
- If your employees have a malicious Angry Birds add-on, what is it doing with your data?

Threats against smartphones: software bugs
- Browsers have bugs
- Apps have bugs
- Kernels have bugs
- Malicious apps, webpages, etc. can exploit these and gain access to data

Threats against smartphones: social engineering
- Users can be tricked into opening malicious links
- Downloading malicious apps

Threats against smartphones: jailbreaking
- Smartphones can be jailbroken
- Giving a program express permission to exploit your phone
- Once it is exploited, what else does the jailbreaking program do?

The Question
- A client wants to know if the environment is secure
- I as a pentester am charged with finding out
- There are smartphones in the environment
- How do I assess the threat of these smartphones?

What's out there now?
- Pentesting from smartphones: zAnti
- Smartphone tool live CDs: MobiSec (another DARPA project)
- Pentesting smartphone apps: Mercury
- Pentesting smartphone devices: ?

Structure of the framework

Framework console

Framework GUI

Framework Smartphone App

What you can test for
- Remote vulnerabilities
- Client side vulnerabilities
- Social engineering
- Local vulnerabilities

Remote Vulnerability Example
- Jailbroken iPhones all have the same default SSH password
- How many jailbroken iPhones have the default SSH password (anyone can log in as root)?

Client Side Vulnerability Example
- Smartphone browsers, etc. are subject to vulnerabilities
- If your users surf to a malicious page, their browsers may be exploited
- Are the smartphone browsers in your organization vulnerable to browser exploits?

Social Engineering Vulnerability Example
- SMS is the new email for spam/phishing attacks
- "Open this website", "Download this app"
- Will your users click on links in text messages?
- Will they download apps from 3rd parties?

Local Vulnerability Example
- Smartphones have kernel vulnerabilities
- Used by jailbreaks and malicious apps
- Are the smartphones in your organization subject to local privilege escalation vulnerabilities?

Post exploitation
- Command shell
- App based agent
- Payloads: information gathering, local privilege escalation, remote control

Demos!
- Using the console
- Using the GUI
- Using the app
- Using an agent
- Using a shell
- Remote test
- Client side test
- Local test

Future of the Project
- More modules in each category
- More post exploitation options
- Continued integration with Metasploit and other tools
- Community driven features
- More reporting capabilities

Contact
Georgia Weidman
Bulb Security, LLC
georgia @ bulbsecurity.com
georgiaweidman.com
bulbsecurity.com
@georgiaweidman