Slides - RVAsec


Mobile Application Penetration Testing Cheat Sheet

The Mobile App Pentest cheat sheet was created to provide a concise collection of high-value information on specific mobile application penetration testing topics. This work is licensed under a Creative Commons Attribution 4. It can decode resources to nearly original form and rebuild them after making some modifications.

Converting an APK file into a JAR file: dex2jar [apk file]. Oat2dex - A tool for converting. Deoptimize boot classes; the output will be in the "odex" and "dex" folders: java -jar oat2dex. Qark - This tool is designed to look for several security-related Android application vulnerabilities, either in source code or in packaged APKs.

AndroBugs - AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No installation is needed on Windows. Simplify - A tool for de-obfuscating an Android package into classes. Dynamic and Runtime Analysis: Introspy-Android - Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.

Cydia Substrate - Cydia Substrate for Android enables developers to make changes to existing software with Substrate extensions that are injected into the target process's memory.

Xposed Framework - Xposed framework enables you to modify the system or application aspect and behaviour at runtime, without modifying any Android application package (APK) or re-flashing. CatLog - Graphical log reader for Android. Droidbox - DroidBox is developed to offer dynamic analysis of Android applications. Frida - The toolkit works using a client-server model and lets you inject into running processes not just on Android, but also on iOS, Windows and Mac.

Drozer - Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.

Starting a session: adb forward tcp: Wireshark - An open-source packet analyzer. Burp Suite - Burp Suite is an integrated platform for performing security testing of applications. Android-ssl-bypass - An Android debugging tool that can be used for bypassing SSL, even when certificate pinning is implemented, as well as for other debugging tasks. The tool runs as an interactive console. RootCloak Plus - Patch root checking for commonly known indications of root. An X509TrustManager should perform the customary X509 checks in addition to performing the pinning configuration.

Android Pinning - A standalone library project for certificate pinning on Android. Proguard - ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes.

Secure Preferences - Android Shared Preferences wrapper that encrypts the keys and values of Shared Preferences. Trusted Intents - Library for flexible trusted interactions between Android apps.

Reverse Engineering and Static Analysis: otool - The otool command displays specified parts of object files or libraries. Clutch - Decrypts the application and dumps the specified bundleID into a binary or. Dumpdecrypted - Dumps decrypted Mach-O files from encrypted iPhone applications from memory to disk. This tool is necessary for security researchers to be able to look under the hood of encryption. Weak Classdump - A Cycript script that generates a header file for the class passed to the function.

Most useful when you cannot use classdump or dumpdecrypted, e.g. when binaries are encrypted. Show current view: cy UIApp. Introspy-iOS - Blackbox tool to help understand what an iOS application is doing at runtime and assist in the identification of potential security issues. BinaryCookieReader - A tool to dump all the cookies from the binary Cookies.

Xcon - A tool for bypassing jailbreak detection. The delegate must implement connection: Contribution: Your contributions and suggestions are welcome. License: This work is licensed under a Creative Commons Attribution 4.


Tofsee is a multi-purpose malware with a wide array of capabilities — it can mine bitcoins, send emails, steal credentials, perform DDoS attacks, and more. All of this is possible because of its modular nature. Reading, or at least skimming, it is probably required to fully understand this post. Note that this post is meant as an extension of that research, focusing on plugin functionality that we previously ignored. We will briefly summarize each plugin and highlight its most important features.

This plugin can perform DDoS attacks. This plugin listens for TCP connections on 0. After extracting them from the registry, they are decrypted and used to send more emails. Additionally, it generates an email address in the form [computer name] mail. This is an HTTP server plugin. It can serve files, probably for other bots. It is able to blacklist some IPs — probably those of security analysts; for example, Forcepoint and Google are banned. A very important module — it generates and sends emails.

The most interesting thing about it is that it uses its own dedicated scripting language for generating messages. We have never seen anything like this before, so we analyzed the interpreter of this language. The syntax is rather simple, but very assembly-like and primitive. A lot of opcodes are supported — take a look at this simplified parsing function, for example: This plugin checks whether the bot is listed as a spambot and blacklisted.

Technical details are outside the scope of this post, but any interested reader can take a look at http: This is, as the name suggests, a cryptocurrency miner.

This plugin only coordinates the work; it has a few accompanying binaries that perform the dirty work. The other binaries are downloadable through URLs specified in the configs — in theory.

In practice, the servers distributing miners seem to be dead, so we were not able to download the miners. This short plugin processes malicious attachments — it encodes them with base64 and appends them to emails. This plugin is used to spread Tofsee through social media: Facebook, Twitter and the Skype communicator.

The exact method depends on the browser, but generally the plugin reads cookies stored on disk by the browser — for example cookies. The list of friends is downloaded through the API and a message is sent to each of them. The format of the message is stored in the configuration, for example: Twitter is handled very similarly. VKontakte also seems to be supported, but that functionality is optional and held in another plugin. The plugin can also spread itself through Skype, but reverse engineering the Skype protocol was clearly too hard for the malware authors, so the plugin waits until Skype is started and then sends Windows messages to the Skype window:

The plugin has dozens of hardcoded strings, so analyzing it in a disassembler is a breeze. A few more interesting groups: This plugin uses methods more than 15 years old, and tries to spread Tofsee through… infected USB drives! The malicious binary that will be spread is downloaded from the internet (see also sys.) This plugin seems to be a downloader, or rather an updater. If we send this request to that IP address on port 80, we get yet another malicious binary.

Different requests lead to different binaries. This plugin tries to locate iexplore. List of hooked functions: Hooks intercept the called functions and can change their parameters. This plugin is rather short. It also adds a port mapping using UPnP, in the same way as plugin 4 (proxyR). A deeper look at Tofsee modules. Date of publication: The post is rather long — for the impatient, the list of hashes and the table of contents in one place: The binary contains a lot of strings, which simplifies analysis greatly: When any value is missing from the configuration, the binary has some sane defaults inside.

Strings from the binary give a little more insight into the purpose of this plugin:

J lbl — Jump to label lbl.

W text — Write something to the output — in this case, to the final email.

Again, a few of the most interesting strings from that binary: Nothing interesting here, as can be seen in the hardcoded strings: After that, the plugin uses those cookies to impersonate the user in the Facebook API: Strings related to Facebook spread: Strings related to cookie stealing: Strings related to Skype hijacking: Finally, things needed to send the stolen cookies somewhere: Nothing too interesting in the hardcoded strings, except operation logs: If a request is invalid or not supported, the following image is sent instead: We appreciate the humor.

Nothing surprising in the hardcoded strings: For completeness, interesting hardcoded strings: