SANS Penetration Testing

Mobile Device Tips, Tricks and Resources

By Josh Wright

[In this third installation of tips originally included in the Ultimate SANS Pen Test Poster, we'll turn to Josh Wright's tips for mobile device penetration testing. Josh shares some really useful insights here, as well as recommendations for tools (software and hardware) and resources for keeping current. Nice stuff!

Click these links for the first two articles in this series:
John Strand's tips on network penetration testing
Steve Sims' tips on exploit development

Methodology Tips

  • Recon - Identify the types of mobile devices used in the target environment, and the applications used. Consider using social networking data ("Posted with Tweetie for iOS"), e-mail headers ("X-Mailer: iPhone Mail (10B143)") or Satori fingerprints for insider or public network/hotspot attacks.
  • Scanning - For local mobile device attacks, identify the wireless networks sought by the mobile device by inspecting network probes. Commonly weak network names such as "attwifi" and "linksys" are easy targets to impersonate and lure a victim into a hostile network.
  • Exploitation - Use man-in-the-middle attacks to intercept and inspect network protocols. Use traffic insertion attacks to deliver client-side exploits to vulnerable devices, or manipulate captured traffic to exploit supporting back-end mobile application servers. If you have physical possession of a device, bypass device passcode use by physically connecting the device to an attack workstation to root or jailbreak the device, exposing the filesystem data.
  • Post-Exploitation - Inspect commonly sensitive data areas on mobile devices for information such as the Notes, SMS, and browser history databases. Look for stored passwords in third-party applications, and for opportunities to extract saved passwords from keychain storage. If it is within scope, consider adding a backdoor to the mobile device and returning to the end-user, giving you remote access to trusted networks.

Must-Have Tools: Software

  • Android Emulator and SDK Tools - The Android Emulator is almost as good as having real Android hardware since it can be used to run and assess Android applications. Pen testers can install the Android Emulator and the associated SDK tools for use in evaluating Android applications, and for attacking "stolen" Android devices. By Google
  • Plist Editor for Windows - The Plist Editor for Windows makes it easy to view and search binary or ASCII preference list files from compromised Apple iOS devices. Pen testers can use the Plist Editor for Windows to extract data from iOS built-in or third-party applications and harvest credentials or other sensitive data from numerous weak applications. By VOWSoft, Ltd.
  • SQLiteSpy - SQLiteSpy reads, searches, and converts SQLite database files used on iOS and Android devices. Pen Testers can inspect the compromised contact, GPS history, browser history, SMS messages and more with SQLiteSpy. By Ralf Junker
  • Elcomsoft Phone Password Breaker* - EPPB is used to brute- force passwords on Apple iTunes backups, BlackBerry backups, and to bypass BlackBerry lock screen passcodes. Pen testers can use EPPB to decrypt and extract Apple and BlackBerry backup data from compromised hosts, and to bypass the passcode selection on BlackBerry devices. By Elcomsoft
  • iPhone Data Protection Tools - The iDPT suite creates an alternate iOS boot environment, allowing pen testers to brute-force PIN- based passcodes on older iPhone, iPod Touch and iPad devices. By Jonathan Zdziarski and a community of contributing developers
  • Redsn0w - Redsn0w is an all-purpose iOS jailbreaking tool for iOS 5 devices. If device theft is in the scope of the mobile device pen test, the pen tester can jailbreak and access confidential data on stolen devices using Redsn0w. By iPhone Dev Team
  • Satori - Satori is a multi-faceted passive operating system fingerprinting tool, combining results from over 25 different protocols for precise results. Pen testers can use Satori to monitor LAN or WLAN traffic and identify the mobile devices that are present to target. By Eric Kollmann
  • Burp Suite* - Burp Suite is commonly used for web application assessments, but it also makes a powerful HTTP/S network manipulation tool when combined with a man-in-the-middle attack. Pen testers can use Burp Suite to exploit HTTP-based mobile applications with server-side and client- side injection attacks. By PortSwigger, Ltd.
  • Ettercap - Ettercap is a powerful man-in-the-middle tool, adding powerful network traffic manipulation and plugin functionality to exploit downstream devices. Pen testers can use Ettercap to capture plaintext passwords, intercept SSL traffic, and manipulate DNS name resolution on mobile devices. By Alberto Ornaghi, Marco Valleri, Emilio Escobar, and Eric Milam
  • Mercury Framework - The Mercury Framework is an Android security testing platform using a client/server architecture with plugin support for dynamic exploit delivery. Pen testers can use Mercury to evaluate the threat of malware on an Android platform, developing or leveraging available exploits to take advantage of Android platform vulnerabilities. By Daniel Bradberry
  • iPhone Configuration Utility - The iPCU tool from Apple provides a set of iOS device management features for small organizations, creating XML profiles that can be installed on iOS devices to specify wireless networks, platform settings, certificate trust, and more. Pen testers can use iPCU to create malicious profiles, adding the attacker as a new trusted root CA as part of a phishing assessment. By Apple Corporation

Must-Have Tools: Hardware

  • Google Nexus* - The Google Nexus is the perfect hardware for experimenting with Android attacks with WiFi, Bluetooth, and NFC wireless capabilities. As a "Google Experience" device, the Nexus also receives software updates to stay current with new Android OS features. By Google
  • iPad Mini* - A lower-cost alternative to an iPad or an unsubsidized iPhone, the iPad Mini runs all iOS applications. After jailbreaking the iPad Mini, pen testers can install and target vulnerable applications, or test the impact of attacks before delivering them to the production target environment. By Apple Corporation

* These tools are available on a commercial (cost) basis.

Great Resources for Staying Current

Twitter - @pod2g |@lookout| @pof | @pentesttips | @joswr1ght

Associated SANS Courses

SEC575: Mobile Device Security and Ethical Hacking
-Josh Wright
Counter Hack


Posted December 5, 2013 at 6:03 PM | Permalink | Reply

Andre Gironda

Agreed on the device choices, but you should add the Hak5 Android adb-p2p cable, a 30-pin- or Lightning- to-firewire convertor, and the great work from Jason Haddix (and the folks at HP and the OWASP Mobile Security Testing projects/docs) and Fran Brown plus Joe Demesey from Bishop Fox.

Posted February 2, 2014 at 2:07 PM | Permalink | Reply


Please anyone tell me how to update android os setting on Xperie

Posted March 30, 2015 at 8:03 AM | Permalink | Reply

Talent Management

This is a topic that is near to my heart'' Many thanks! Where are yoiur contact
details though?

Posted January 2, 2016 at 7:34 AM | Permalink | Reply

How to use WhatsApp without a SIM card - AndroidPIT

Now, it is used more extensively that many people are
buying smartphone's to use whatsapp.

Post a Comment


* Indicates a required field.