SANS Penetration Testing

iPillaging - Snarfing Useful Data from iOS Images

[Editor's Note: Tim Medin has taken the SANS Security 575 course on Mobile Device Security and Penetration Testing more than any other human. His frequent stints as a teaching assistant for Josh Wright (yes, mandatory back rubs) have ensured that unique distinction. In the course, they look at all kinds of cool ways to analyze and exploit security weaknesses in iOS, Android, Blackberry, and Windows Phone environments. In the article below, Tim provides practical information on extracting useful goodies from iOS devices, specifically finding and extracting relevant info from plist files and sqlite databases. It's all wrapped up in a bizarre super-hero fantasy too. Enjoy! -Ed.]

After taking the new SANS 575: Mobile Device Security and Ethical Hacking class, I was really excited to play with some of the techniques I learned. When I got home, I started rooting all of my devices and looking for interesting information leaked by applications.

Sometimes when I'm working at home, I like to pretend that I'm fighting comic book criminals. Naturally, I'm wearing my underwear^h^h^h^h^h^h^h^h^h^h^h^h a cape and fighting crime. I'm not one of those superheroes everyone knows about, but instead, I'm the nerdy super hero with an all-too-small cape and uncomfortable tights. Welcome to my mind, where I apply practical knowledge of analyzing mobile devices in my own nerdy super-hero fantasies...

Department X is trying to track down and stop the evil Dr. Loki. An iPhone was taken from one of the not-so-good Dr.'s minions after he was captured trying to steal large quantities of trout from a hatchery. My tiny cape and I need a quick way to rip through the file system of an iPhone and look for clues. We aren't sure of Dr. Loki's plans, and our department has little funding (we can't even afford a longer department name or a properly sized cape), so I needed to do it cheap...and fast! (These tights are starting to constrict blood flow.)

I need a way to quickly rip through the file system and search for data related to Dr. Loki's evil plan. Fortunately, the minion had rooted (jailbroken) his phone and never changed the default SSH credentials of root/alpine, so Department X could log in and quickly copy the iPhone's file system. Now that I have the file system, what should I look for? If you aren't familiar with the iOS platform, most of the important application data lives in plist files or SQLite database files. We need to find these files and search inside them for specific keywords. Let's start with plist files.

Plist files come in two flavors: the plain-vanilla XML text format and Apple's binary format. Parsing the XML format is easy, but the binary format is a different story. Ideally, we would use the same tool to read both, but the built-in tools on a Mac don't exist on the other platforms. To quickly extract the data from a plist file on a Mac, I can use this command:

$ plutil -convert xml1 -o - somefile.plist

The plutil command allows for all sorts of interaction with plist files. This command will read a plist file (binary or text) and output it as text XML. The "-convert xml1" does the conversion and "-o -" outputs the results, where the dash (-) means send the output to STDOUT.

We can read plist files, but we need to find them first. To find plist files we can use the aptly named find command. The find command's -exec option allows another command to be executed based on the found files. The combined search and execute looks like this:

$ find . -name '*.plist' -exec plutil -convert xml1 -o - {} \;

This command will find the plist files and then output them in text format. Some good ol' grep fu can be appended to find interesting data in the files. We may need to run this more than once, so a script format like this is handy.

#!/bin/sh
# Dump every plist under the current directory as XML and pass all of this
# script's arguments straight through to grep (options and the search string).
find . -name '*.plist' -exec plutil -convert xml1 -o - {} \; | grep "$@"

The first portion of the command is the same as earlier; the only difference is the grep command and the extra parameters. That way, we can pass extra grep options to grep in addition to the required search string. For example, this command will highlight our matching string and display four lines of context after a case-insensitive match (-i) of the word "plan":

$ ./ --color=always -A 4 -i plan

Step 1 of the plan is to get large quantities of trout
Step 2 of the plan is <redacted>
Step <redacted> of the plan is get some pizza
Step 4 of the plan is TBD
Step 5 profit

Searching in plist files on other platforms isn't as easy. I encountered some issues with Python's libplist and it, much like my cape, proved to be useless. Fortunately, the biplist library works well with both text and binary formats. YEAH!

I created a python script called (which you can get here) to find plist files and dump them to STDOUT. You can run this script on any machine where you have a python interpreter installed, thus freeing you from the plist prison of the Mac and allowing you to adventure forth on Linux or Windows machines. The output of the script can be used with grep for filtering/searching. The script includes features that will find plist files (Windows people may need this) and functionality to search inside the found plist files. If the search string is not specified, then plist files are dumped to STDOUT where OS-specific tools can be used to find the strings (grep on Linux, Find and FindStr on Windows).

We found some interesting information in the plist files, but there must be more. Time to check the sqlite3 databases.

Searching in sqlite3 database files is pretty simple. The sqlite3 executable allows SQL commands to be executed right from the command line. To dump the contents of a database file we can use this simple command:

$ sqlite3 sms.db .dump

The hard part is that the sqlite files can be named whatever the developer wants to call them. To find the files we need to do a little extra fu with the find command.

$ find . \( -name '*.db' -or -name '*.sqlite' -or -name '*.sqlite3' -or -name '*.sqlitedb' -or -name '*.sqlite3db' -or -name '*.mddb' \) -exec sqlite3 {} .dump \;

This command will search for files that end in .db, .sqlite, .sqlite3, .sqlitedb, .sqlite3db, or .mddb (the patterns are quoted so the shell doesn't expand them before find sees them). We then use the -exec option with the find command to execute sqlite3 and dump the contents. We can then use grep to search the output.

Sorry, but this only works on OSX and Linux. On Windows you can use PowerShell thusly:

PS C:\DrLoki_Image> ls -r -File | ? { ".db", ".sqlite", ".sqlite3", ".sqlitedb", ".sqlite3db", ".mddb" -contains $_.Extension } | % { C:\bin\sqlite3.exe $_.FullName .dump } | Select-String trout -Context 0, 4

where r we going 2 get the machin guns 4 all the troutz

we'll unleash the trout <redacted> with <redacted> and <redacted> sauce
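The plist and SQLite sweeps above depend on file names and on Mac/Linux tooling. As an added example (not the author's script and not code from the original post), here is the same idea in plain Python 3 standard library: it walks the copied file system, identifies files by their leading bytes (`bplist00` for a binary plist, a `<plist`/`<!DOCTYPE plist` header for an XML one, `SQLite format 3\0` for a database) instead of by extension, dumps each one to text the way `plutil -convert xml1 -o -` and `sqlite3 file .dump` do, and searches the text for a keyword. `plistlib` has read binary plists since Python 3.4, so biplist is not needed, and each database is opened read-only so the evidence copy is never modified. The directory layout, file names and message contents are constructed sample data, not taken from any real image.

```python
"""Added example: find plist and SQLite files in a copied iOS file system by
content (not extension), dump them to text and search for a keyword."""
import os
import pathlib
import plistlib
import sqlite3
import tempfile

BPLIST_MAGIC = b"bplist00"             # header of an Apple binary plist
SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file


def sniff(path):
    """Return 'plist', 'sqlite' or None from the file's first bytes, not its name."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(512)
    except OSError:
        return None
    if head.startswith(BPLIST_MAGIC):
        return "plist"
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if b"<plist" in head or b"<!DOCTYPE plist" in head:
        return "plist"  # XML plist, whatever the developer named the file
    return None


def dump_plist(path):
    """Text lines of a plist, XML or binary, like `plutil -convert xml1 -o -`."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)  # plistlib detects binary vs XML from the header
    return plistlib.dumps(data).decode("utf-8").splitlines()


def dump_sqlite(path):
    """Lines equivalent to `sqlite3 file .dump`; opened read-only via a URI."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        return list(conn.iterdump())  # schema plus one INSERT per row
    finally:
        conn.close()


def search_image(root, keyword):
    """Walk root, dump every sniffed plist/SQLite file and return
    (path relative to root, matching line) pairs, matched case-insensitively."""
    needle = keyword.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = sniff(path)
            if kind is None:
                continue
            try:
                lines = dump_plist(path) if kind == "plist" else dump_sqlite(path)
            except Exception:
                continue  # corrupt or truncated file: skip it and keep searching
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hits.extend((rel, line) for line in lines if needle in line.lower())
    return hits


def build_sample_image(root):
    """Constructed sample data standing in for the copied iPhone file system."""
    prefs = os.path.join(root, "Library", "Preferences")
    sms = os.path.join(root, "Library", "SMS")
    os.makedirs(prefs)
    os.makedirs(sms)
    # A binary plist, the format plutil/biplist exist to handle.
    with open(os.path.join(prefs, "com.loki.minion.plist"), "wb") as fh:
        plistlib.dump({"Plan": ["Step 1 of the plan is to get large quantities of trout",
                                "Step 2 of the plan is TBD"]}, fh, fmt=plistlib.FMT_BINARY)
    # An XML plist with a misleading extension: found by content, not by name.
    with open(os.path.join(prefs, "notes.dat"), "wb") as fh:
        plistlib.dump({"memo": "pizza on Saturday"}, fh)
    # A SQLite database with a message table, in the spirit of sms.db.
    conn = sqlite3.connect(os.path.join(sms, "sms.db"))
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT)")
    conn.executemany("INSERT INTO message (text) VALUES (?)",
                     [("where r we going 2 get the machin guns 4 all the troutz",),
                      ("meet at the hatchery",)])
    conn.commit()
    conn.close()
    # A .db that is not SQLite at all; an extension-based find would feed it to sqlite3.
    with open(os.path.join(root, "cache.db"), "wb") as fh:
        fh.write(b"not a database, trout trout trout")


def demo():
    """Build the sample image in a temp dir and search it for a few keywords."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_image(root)
        return {word: search_image(root, word) for word in ("trout", "pizza", "machin")}


if __name__ == "__main__":
    for word, hits in demo().items():
        print("== %s ==" % word)
        for rel, line in hits:
            print("%s: %s" % (rel, line.strip()))
```

Point `search_image()` at the root of a copied file system (or an iTunes backup directory, where the files carry hashed names and no extensions) and it returns the hits for one keyword; `demo()` runs it against the constructed sample and shows that the misnamed `notes.dat` plist is found while the fake `cache.db` is ignored.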

This quick and dirty technique is useful for quickly looking through the iOS file system and here, we used it to prevent a catastrophe! While I'm not able to disclose the details of what happened in my head for security reasons, I can say that you should be happy that St. Patrick's Day wasn't interrupted by machine gun toting armies of stinky fish.

By the way, if you are interested in signing up for the AWESOME 575 course, there are several upcoming sessions in cities around the world, including Monterey CA, Reston VA, San Diego CA, Berlin Germany, Washington DC, and Canberra Australia. Check them all out here: The course really provides a huge amount of useful information about attacking (and defending) mobile devices and the infrastructures that support them!

-Tim Medin
Counter Hack Challenges


Posted March 20, 2013 at 3:04 PM

Joshua Wright

Feature request: use the output of the file utility to identify SQLite and plist files instead of filename extensions so we can use the Python script against iTunes backup files as well.

Posted March 21, 2013 at 3:05 PM

Zack Schaefer

Excellent writeup, Super Tim. I am, however, still trying to erase the visual of you in your tighty whities and a cape.
I just started exploring the OSX tools.
I really enjoyed the class last week, thanks again guys!

Posted April 10, 2013 at 4:29 PM

Tim Medin

Josh, here is your command to find the files by type (*nix/Mac only)
find . -type f | while read FILENAME; do file $FILENAME | grep -i sqlite; done

Posted April 16, 2013 at 4:52 PM

Tim Medin

File names with spaces will mess up the previous command. This one will also dump the contents but it is significantly slower.
find . -type f | while read FILE; do file "$FILE" | grep -i sqlite >/dev/null && sqlite3 "$FILE" .dump; done
