Introduction to Fridump

Intro

Fridump is an open source memory dumper tool, used to retrieve data stored in RAM from all different devices and operating systems. It uses Frida as its base (an excellent framework; if you don’t know it, you should give it a look!) to scan the memory from the access level of a specific application and dump the accessible sectors to separate files.

Why?

During several penetration testing assessments I have performed on mobile apps, there were several instances where I needed to perform a memory dump of the device. This is because, in cases where cryptographic storage is used, if the access controls are not implemented correctly, the decryption key may be preloaded in memory and could potentially be stolen. This can only be performed on a jailbroken device, as root access is required to gain access to the memory space. During my search for a sufficient tool that would perform this operation, I couldn’t find anything easy to use, and all guides required manual use of gdb/lldb. The only guide that came closest to achieving this operation was this post from the guys at Netspi (excellent resource, again check them out!); however, I wanted something more automated.
Here is where Frida comes in. Frida injects itself into a process and can read and scan the memory from the perspective of that process. It is fairly reliable and has proper documentation that keeps expanding with new functionality all the time. What’s more, it can be scripted using its Python API and can be run standalone on a jailbroken device or potentially built into an application as a library (I haven’t checked this, so I can’t really comment).

The only negatives that I have found while using Frida (and that you should keep in mind) are:

  • Both frida-server and frida-client must be running the same version, as significant changes happen between releases, and there is no explicit error that points the mismatch out.
  • Frida can check the memory for address spaces with specific permissions, similar to how permissions work on Linux.
    It can search the address space for access ‘r--’, ‘rw-’ or ‘rwx’. However, it looks for exact matches only. Therefore, if there is an address space with only read permissions (‘r--’), it will not be picked up by a search for read & write privileges (there is no OR statement). So if you want to find all addresses that have read or write privileges, you have to scan the memory separately for each permission string.
  • If the address space is big enough (that depends on the device), trying to read the whole memory chunk in one go can crash the application.

Other than these really small negatives, Frida is an awesome tool and that’s why I decided to use it for the memory dumper.
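As an added illustration (not fridump’s own code), the following Python models the two Frida behaviours just described: the exact-match permission filter, which forces one scan per permission string (fridump’s -r flag adds the read-only scan), and chunked reads bounded by --max-size so a large range is never read in one go. The ranges are constructed sample data in the shape Frida reports (base, size, protection); obtaining real ones needs a Frida session, which this example does not open.

```python
# Added example, not fridump's own code. Models the scan-per-permission and
# chunked-read logic a Frida-based dumper needs; the ranges are constructed.

DEFAULT_MAX_SIZE = 20971520  # fridump's default --max-size (20 MiB)

SAMPLE_RANGES = [  # constructed sample data, not taken from a real device
    {"base": 0x1000, "size": 0x2000, "protection": "r--"},
    {"base": 0x3000, "size": 0x4000, "protection": "rw-"},
    {"base": 0x7000, "size": 0x1000, "protection": "r-x"},
    {"base": 0x10000000, "size": 50 * 1024 * 1024, "protection": "rw-"},
]


def enumerate_ranges(ranges, protection):
    """Exact-match filter like Frida's: asking for 'rw-' never returns 'r--'."""
    return [r for r in ranges if r["protection"] == protection]


def select_ranges(ranges, read_only=False):
    """Union of separate scans: 'rw-' always, plus 'r--' when -r is given."""
    wanted = ["rw-"] + (["r--"] if read_only else [])
    selected = []
    for prot in wanted:  # one scan per permission string, since there is no OR
        selected.extend(enumerate_ranges(ranges, prot))
    return sorted(selected, key=lambda r: r["base"])


def plan_chunks(ranges, max_size=DEFAULT_MAX_SIZE):
    """Split each range into (address, length) reads of at most max_size bytes."""
    chunks = []
    for r in ranges:
        offset = 0
        while offset < r["size"]:
            length = min(max_size, r["size"] - offset)
            chunks.append((r["base"] + offset, length))
            offset += length
    return chunks


def plan_dump(ranges, read_only=False, max_size=DEFAULT_MAX_SIZE):
    """Full read plan for one target: which addresses to read, in what pieces."""
    return plan_chunks(select_ranges(ranges, read_only), max_size)


if __name__ == "__main__":
    for addr, length in plan_dump(SAMPLE_RANGES, read_only=True):
        print("read %#x (%d bytes)" % (addr, length))
```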

How to use Fridump

To use Fridump, you can call

fridump [-h] [-o dir] [-u] [-v] [-r] [-s] [--max-size bytes] process

The following are the main flags that can be used with fridump:

positional arguments:
process            the process that you will be injecting to

optional arguments:
-h, --help        show this help message and exit
-o dir, --out dir provide full output directory path. (def: 'dump')
-u, --usb         device connected over usb
-v, --verbose     verbose
-r, --read-only   dump read-only parts of memory. More data, more errors
-s, --strings     run strings on all dump files. Saved in output dir.
--max-size bytes  maximum size of dump file in bytes (def: 20971520)


Fridump – Android Examples

In this post, I will show you how you can run Fridump against an Android application. The device is connected to our workstation over USB, hence the use of the -u flag is mandatory.

A reminder of all the flags available for Fridump is:

[screenshot: fridump help output]

As an example, I decided to use the Damn Insecure and Vulnerable Android (DIVA) app.

We will first run frida-ps -U, to get the application’s process name.

[screenshot: frida-ps -U output on Android]

The application’s full name is jakhar.aseem.diva and is running with Process ID 18168.

The DIVA app has a lot of areas for testing Android applications; however, it didn’t seem to have a specific memory analysis area, as DVIA had in the iOS example.

Fridump – iOS Examples

In this post, I will show you how you can run Fridump against an iOS application. The device is connected to our workstation over USB, hence the use of the -u flag is mandatory.

A reminder of all the flags available for Fridump is:

[screenshot: fridump help output]

As a first example, I will illustrate how we can dump the memory of the Mobile Safari application on an iOS device.

We will first run frida-ps -U to retrieve the names of all processes currently running on the device.

[screenshot: frida-ps -U output on iOS]

Mobile Safari is named “Safari” and is running with Process ID 7763.

Release: Fridump v0.1

Fridump

Fridump (v0.1) is an open source memory dumping tool, primarily aimed at penetration testers and developers. Fridump uses the Frida framework to dump accessible memory addresses on any supported platform. It can be used from a Windows, Linux or Mac OS X system to dump the memory of an iOS, Android or Windows application.

Usage

How to:

fridump [-h] [-o dir] [-u] [-v] [-r] [-s] [--max-size bytes] process

The following are the main flags that can be used with fridump:

positional arguments:

process            the process that you will be injecting to

optional arguments:

-h, --help         show this help message and exit
-o dir, --out dir  provide full output directory path. (def: 'dump')
-u, --usb          device connected over usb
-v, --verbose      verbose
-r, --read-only    dump read-only parts of memory. More data, more errors
-s, --strings      run strings on all dump files. Saved in output dir.
--max-size bytes   maximum size of dump file in bytes (def: 20971520)

Examples:

fridump -u Safari - Dump the memory of an iOS device associated with the Safari app
fridump -u -s com.example.WebApp - Dump the memory of an Android device and run strings on all dump files
fridump -r -o [full_path] - Dump the memory of a local application and save it to the specified directory

More examples can be found here.

Installation

To install Fridump you just need to clone it from git and run it:

git clone https://github.com/Nightbringer21/fridump.git

python fridump.py -h

Pre-requisites

To use fridump you need to have frida installed in your Python environment and frida-server on the device you are trying to dump the memory from.
The easiest way to install frida in your Python environment is using pip:

pip install frida

More information on how to install Frida can be found here.

For iOS, installation instructions can be found here.

For Android, installation instructions can be found here.

Note: On Android devices, make sure that the frida-server binary is running as root!

Disclaimer

This is version 0.1 of the software, so I expect some bugs to be present.
I am not a developer, so my coding skills might not be the best.

This tool has been tested on a Windows 7 and a Mac OS X laptop, dumping the memory of:

  • an iPad Air 2 running iOS 8.2
  • a Galaxy Tab running CyanogenMod 4.4.4
  • a Windows 7 laptop.

Therefore, if this tool is not working for you, I apologise and I will try to fix it.

Any suggestions and comments are welcome!

Cracking Microsoft Office (97-03, 2007, 2010, 2013) password hashes with Hashcat

For anyone that is not familiar with it, Hashcat is one of the most well known password cracking tools at the moment, primarily due to its lightning-fast speed. There are several versions of the tool, allowing it to take advantage of different platforms, including ocl-hashcat and cuda-hashcat.

On the latest update of the tool (October, 2014) there was a significant addition that did not get the buzz that it should have created. That is the ability to crack Microsoft Office password hashes across all different versions (97-2003, 2007, 2010, 2013). This addition appears to have been added only to the GPU enabled versions of hashcat (ocl-hashcat, cuda-hashcat) at the moment.

There are 6 different flag codes implemented for the 97-03 hashes (representing different implementations of the hash) and one implementation for each of the other versions of Office, as shown below.

  • Office 97-03 (MD5+RC4, oldoffice$0, oldoffice$1): flag -m 9700
  • Office 97-03 (MD5+RC4, collider-mode#1): flag -m 9710
  • Office 97-03 (MD5+RC4, collider-mode#2): flag -m 9720
  • Office 97-03 (SHA1+RC4, oldoffice$3, oldoffice$4): flag -m 9800
  • Office 97-03 (SHA1+RC4, collider-mode#1): flag -m 9810
  • Office 97-03 (SHA1+RC4, collider-mode#2): flag -m 9820
  • Office 2007: flag -m 9400
  • Office 2010: flag -m 9500
  • Office 2013: flag -m 9600

This guide will take you through how to use hashcat (we will use cuda-hashcat as an example) to crack Microsoft Office passwords. Important note: This is not a guide on how to install and use hashcat in general. There are a lot of other guides available on this topic, an example would be this one.

First of all, you will need a password-protected document.

Androguard plugin for Sublime Text: Installation and usage

Androguard is a tool used during Android application assessments, primarily focused on reverse engineering of the apk file and application analysis. The tool is Python-based and can be used from a command prompt to assess an apk file, by extracting and analysing the Android manifest, identifying all available activities, services and content providers, and reverse engineering the dex files to the equivalent Java classes.

Androguard also provides a plugin for Sublime Text, one of the best text editors for developers and testers, which can significantly speed up the first steps of an Android application assessment. This article primarily focuses on the installation and usage of the Androguard plugin for Sublime Text and how it can be used to effectively speed up the static analysis process of an Android application.

Installation

First of all, you will need a version of Sublime Text to be able to install the plugin. The plugin at the moment works only with version 2 of the software, so it is important to use the correct version.
You can find Sublime Text version 2 here: http://www.sublimetext.com/2

You have to also download the Androguard plugin zip file, which can be found here: https://androguard.googlecode.com/files/ag-st-1.9.zip

There are several versions of Sublime Text, so I will focus only on the installation of the plugin for the Windows and Portable versions of the software.

Welcome to PenTest Corner

This site was created to share interesting information, step-by-step guides and research material that I collected during my experience as a Penetration Tester. The content is accurate to the best of my knowledge, but if you think any of the information presented on this site is inaccurate, feel free to contact me.