Dear PenTest Readers,
Mobile devices and applications have dominated our lives. As the global population becomes highly dependent on using pocket-sized technologies in plenty of aspects of its everyday functioning, the demand for skilled mobile pentesters and other security specialists is growing steadily. A good knowledge of the topic is simply a must, and that’s why we decided to enrich our library with an edition dedicated to mobile pentesting this month.
The opening article of the issue, written by our regular contributor Staford Titus, presents how to build your custom malware for the Android operating system. Obviously, for ethical usage only!
Next, you will read a comprehensive presentation of tools and techniques for mobile security assessment. You will learn how to set up Android Studio, how to run and use a virtual device, how to perform log analysis of Android apps using Logcat, using the Drozer console for dynamic and static analysis, and many more! As the author, Sandeep Kumar Singh, states in the conclusion - the presented techniques aren’t limited to just Android. A great read for every mobile security enthusiast.
Our contributors didn’t forget about those who work on iOS. Teo Kok Sang will show you how to prevent iOS mobile apps from being debugged - in a secure way. A very powerful reverse engineering technique of exploring applications using a debugger awaits to become your acquaintance!
William Tan contributes with a scenario in which he included a Metasploit payload, to show you a great example of understanding and overcoming anti-malware defences.
The last (but not least!) article dedicated to the main topic in this edition, written by Antonio Scibilia, deals with HTTPS traffic interception in Android environments, with a focus on dynamic analysis with the Frida GUI tool. A fantastic, practical read for everyone!
If you’re into other offensive security topics, our authors bring to the table a really interesting choice of content for various tools, techniques, and case studies. Filipi Pires presents another interesting case study - this time on a false positive in a threat hunting context. Pablo Gonzalez Perez and Fran Ramirez help you discover other advantages of their amazing tool, ATTPwn - perhaps some of you might have got to know it in previous editions. This month you will learn how to integrate MITRE ATT&CK with it. There is also a practical tutorial by Rodolpho Concurde on covert channel type of attacks, another interesting Hack The Box walkthrough by Saifullah Dabir, and an article on recovering hacked credit and debit cards by Jamal Uddin.
Loads of interesting stuff for everyone!
Without further ado,
Enjoy the reading!
PenTest Magazine's Editorial Team
Table of Contents
Debilitating Defense: Building an Android Malware
by Staford Titus
The infrastructure of the malware allows it to infiltrate and obtain sensitive messages from the compromised device, all while extending a reverse shell for almost complete control over the device. The SMS messages from the compromised mobile get relayed to a predefined HTTP server, which stores it in a database for future reference. Well, it has become quite popular to make use of Metasploit and such tools for activities such as this. But building your malware has some sweet perks. For starters, you get to define its capabilities and customize it to your liking.
Mobile Security Assessment Tools and Techniques
by Sandeep Kumar Singh
The rapid growth of smartphone adaption has also led to an increase in security threats and attacks. As an app developer, it’s important to build mobile applications with inherited security and the right set of defenses to keep the users protected. This article discusses the tools and techniques useful in analyzing the security posture of a mobile app.
Preventing an iOS Mobile Application from Being Debugged – The Secure Way
by Teo Kok Sang
The cyber landscape is ever-changing. Despite the best efforts of cybersecurity specialists in securing systems, there will always be new methods of breaking down these security safeguards. The technique demonstrated in this article is just one of many to deter hackers. In any case, a determined hacker will employ various methods to eventually bypass it. Hence, it is good practice to continuously review and refresh techniques to keep an application secure. Do refer to the OWASP Mobile Security Testing Guide frequently for new techniques and methods to secure mobile applications.
Understanding and Overcoming Android Anti-Malware Defences
by William Tan
In this scenario, I included a Metasploit payload as is and it didn’t trigger any detection. This was quite unusual as Metasploit is a widely known framework that most anti-malware products should protect against. Nevertheless, if our malware was indeed detected, improvements can be made to the payload by employing anti-malware evasion techniques and obfuscating all strings and method names within the payload generated by MSFvenom as well.
Intercepting HTTPS Traffic on Android Mobile Apps
by Antonio Scibilia
Having identified the presence of the classes and methods used to manage authentication via client certificate, it is now necessary to perform a dynamic analysis to get the Input/Output runtime values of the affected methods. For this purpose, the RMS (Runtime Mobile Security) tool was used, which is a Frida GUI. Frida is a tool that allows us to dynamically analyze the behavior of a mobile application, intercepting and modifying the operating logic of the Java class methods by manipulating the input and output values.
How to Treat False Positive with Threat Hunting [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]
by Filipi Pires
The purpose of this document is to conduct an investigation on Malops (Malware Operations) that were recurring in our environment. The existence of the same domain was observed, being accessed by many machines from different teams, on different days, at different times. This report was based on one of the pillars for IOA (Indicator of Attack) research, multiple alarm events from the many different hosts for a single domain. We validated that the domain was really malicious and verified that there were some APT underway in our environment, we performed a lot of research and analysis was carried out regarding the appropriate behaviors. With the final product, the front responsible for the product will have an instrument capable of guiding a process of mitigation and/or correction, as well as optimized improvement, based on the criticality of risks.
ATTPwn: How to Create Your Own Implementation of a MITRE ATT&CK Technique
by Pablo Gonzalez Perez and Fran Ramirez
Let's continue with our series, explaining the functionalities and features that our ATTPWN tool has. As we have commented in other articles, ATTPWN is intended to be a collaborative tool looking for the community's maximum participation. That's the reason why, in this article, we're going to explain how to implement a MITRE ATT&CK technique with ATTPWN. In the future, we will simplify the process so that it can be done from the ATTPwn web interface itself, but today the process is what we are going to explain next.
Covert Channel Technique Explained
by Rodolpho Concurde
Covert Channel is the technique to hide sensitive data in a network protocol when an attacker wants to exfiltrate data from a network in a scenario post-exploitation. In this article, we’ll see IP, ICMP and DNS convert channel. Let’s get started! :)
Cronos - Hack the Box Walkthrough
by Sk Saifullah Dabir
This HackThe Box scenario walkthrough will show you the importance of understanding networking concepts to have guessed a possibility of virtual routing and perform DNS Enumeration. You will learn how to escalate to bypass authentication via SQL Injection and getting a shell onto the target machine via Command Injection. The writeup also presents how preconfigured cron jobs with insecure permissions can be exploited to get root access.
Hacked Credit/Debit Card Recovery
by Jamal Uddin
"Fullz" is another kind of monetary accreditation traded in the underground. It's cybercriminal terminology for the full data of the victim, including the victim’s name, address, credit card data, social security number, date of birth, mother's family name, driver's permit number and many more. As a dependable guideline, the more data you have on your victim, the more cash you can make out of the credential. "Fullz" are typically pricier than the standard credit or debit card record yet cost under $100 per record. This kind of accreditation can be traded out in various ways, for example, utilizing a bank's telephone service while acting like the victim in question, doing "change of billing" and ordering credit cards, applying for mortgages and more. Indeed "Dead Fullz," which are "Fullz" accreditations that are not, at this point legitimate, can be utilized for things like opening a "mule account" in the interest of the victim without his or her knowledge.