--[ 1 - Introduction

This paper is written in the Phrack layout. It is a paper on exploitation with Apple mobile devices (iPod touch / iPhone). I will be using a jailbroken iPod touch 2G with 3.0 firmware installed. I will go over the tools, methods and experiences of exploitation and of finding vulnerabilities on an iPod touch / iPhone.
--[ 2 - Breaking out

Jailbreaking is the term used for modifying an iPod touch / iPhone. Let me first briefly describe the jailbreaking history. The first jailbreak was performed by GeoHot (George Hotz). He modded the first iPod touch / iPhone versions. The process was very simple with the first generations. All you had to do was go to a site like http://jailbreakme.com/ and press a button. This worked because of a vulnerability in the first generation Mobile Safari. The page would download all the necessary files and executables, then execute them to perform the jailbreak process. Now you see, Apple can't code for their lives, so there are so many vulnerabilities on these devices that a new jailbreak usually lands within a couple of months or less of a patch.

Now jailbreaking is a bit more complex, but still user friendly. When I first got my iPod touch 2G for Christmas, I had no idea what a "jailbreak" was until my friend told me about it. I was eager to find out what this term meant, so I swiftly used Google to figure it out. I had to wait a couple of months for the iPhone Dev-Team to release redsn0w lite, which was a beta version of the iPod touch 2G 2.2.x jailbreak. Redsn0w lite was a tool that was hard to use. I was running Winblows at the time. The process of jailbreaking included moving files, modding files, modding firmware by myself, etc. Then I would have to use the command prompt to type in ARM codes. If even one slight mistake was made, my iPod could have been gone forever. It was a tethered jailbreak, meaning every time the iPod shut off I had to do the entire process over. It was a hassle, but it was worth it. Now there are tools that do this for you in a matter of minutes. I will not make this a guide on jailbreaking, so I'll continue with the next portion of this paper.
----[ 2.1 - Cydia

When an Apple mobile device is jailbroken, a great many things can be added on. An essential one is a package manager. The most basic form of it is the apt-get command in Mobile Terminal. But 90% of users have no clue how to operate a terminal, so they need some form of GUI (Graphical User Interface). The first GUI was called "Installer". This was a simple app that used repositories to download packages and install them. The reason the first jailbreak happened at all was that, at first, there was no App Store (which sucked). But now the main reason people jailbreak their iPod / iPhone is to make it look cool with themes they can install. In this guide I will be going over exploitation and vulnerability identification with your mobile device. The most popular GUI package manager today is called "Cydia". It was created and is still maintained by Jay Saurik. It allows users to install a very wide range of packages and utilities within a click of a couple of buttons.
--[ 3 - Tools

As stated above, when you jailbreak your mobile device you open up opportunities for both security flaws and advantages. You can install tons of packages, from networking (Pirni) to exploitation tools (Metasploit). In this portion I will explain what these tools are and how they can be used.
----[ 3.1 - Fingerprinting

Fingerprinting is the art of "scoping out" the "enemy". It is used to gather intel on the opposing target. We can use tools such as nmap to achieve this. We can banner grab, port scan, etc. To install nmap, install Mobile Terminal from your package manager, then run this command:

    aptitude install nmap

This will install nmap onto your mobile device. Now we can do fingerprinting with nmap: banner grabbing scans, port scans, etc. Unfortunately there is no Nessus implementation (yet).
----[ 3.2 - Networking

Networking is how our networks and computers interact. It is based on the OSI model and includes things such as ARP, IP, TCP and tons of other keywords used when talking about networking. You can install a wide variety of tools to achieve network exploitation. One that is typically used is Pirni. Pirni can be used as a MITM (Man In The Middle) client. It will sniff out all packets from a target. Try installing it. Once you have it installed we must open up Mobile Terminal to use it. It captures packets into a .pcap file. After capturing packets we can move them to a computer and dissect the captured packets with tools such as ettercap and Wireshark. So now let's sniff some packets. Try this command in the Mobile Terminal:

    pirni -s <Router IP> -d <target IP> -f "tcp dst port 80" -o log.pcap

Obviously, replace Router IP with your router's IP and target IP with your target's IP. This will capture all packets with TCP destination port 80 into "log.pcap", which can later be used for dissection.
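Added example (not part of the original paper): a minimal libpcap dissector for the kind of log.pcap file described above, in the spirit of what Wireshark does for you. It lists TCP flows to port 80 and, serving the fingerprinting section as well, flags a source that sends bare SYNs to many distinct ports, which is how a capture on the defended side reveals an nmap-style port scan. The sample capture is constructed in memory; the code assumes an Ethernet link type and looks only at IPv4/TCP.

```python
import struct
from collections import defaultdict

# Constructed sample: build a minimal libpcap buffer in memory (no real capture).
def _pkt(src, dst, sport, dport, flags):
    eth = b"\x00" * 12 + b"\x08\x00"                      # Ethernet II, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = eth + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame   # record header

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, LINKTYPE_ETHERNET
SAMPLE_PCAP += _pkt("10.0.0.5", "10.0.0.1", 40000, 80, 0x02)            # SYN to the web server
SAMPLE_PCAP += _pkt("10.0.0.5", "10.0.0.1", 40001, 80, 0x18)            # PSH|ACK, normal HTTP traffic
SAMPLE_PCAP += b"".join(_pkt("10.0.0.9", "10.0.0.1", 50000 + p, p, 0x02) for p in range(20, 40))  # scan

def parse_pcap(data):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP frame in a libpcap buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"          # byte order of the record headers
    off = 24                                            # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4 (or truncated)
        ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
        if frame[23] != 6 or len(frame) < 14 + ihl + 14:
            continue                                    # not TCP (or truncated)
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, dst, sport, dport, tcp[13]           # byte 13 of TCP header = flags

def http_flows(data):
    """Distinct (src, dst, sport) flows whose destination port is 80."""
    return sorted({(s, d, sp) for s, d, sp, dp, _ in parse_pcap(data) if dp == 80})

def scan_sources(data, threshold=10):
    """(src, dst) pairs where src sent bare SYNs to at least `threshold` distinct ports."""
    ports = defaultdict(set)
    for s, d, _, dp, flags in parse_pcap(data):
        if flags & 0x12 == 0x02:                        # SYN set, ACK clear
            ports[(s, d)].add(dp)
    return {k: len(v) for k, v in ports.items() if len(v) >= threshold}
```

Point the same functions at the bytes of a real log.pcap (open(..., "rb").read()) once it has been copied off the device.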
----[ 3.3 - Programming utilities

When a mobile device is jailbroken we can also install language toolchains such as Python, C, C++, Ruby, etc. We can edit programs, save them and compile / run them on the device. If you're interested in programming on the go, you may install these through your package manager. Once installed, save your source files with the usual extensions. Say I wanted to write a C program: I'd save it as program.c and compile it with GCC, just the same way we would on a computer using GCC.
----[ 3.4 - Metasploit

The last part of exploitation on a mobile device is actually exploiting. We can either code our own exploits, if we're good enough, or take the Metasploit path. You may install Metasploit the same way as any other package. Then open up Mobile Terminal and run the command:

    msfconsole

After a bit it should open up the MSF (Metasploit Framework) console. From here we can use the targets we fingerprinted in stage one and attack them with some of the exploits available in Metasploit.

NOTE: Metasploit on the device takes up a lot of memory. Be sure to free memory before running it to avoid MSF crashing.
--[ 4 - Conclusion

Here is a short and simple conclusion of this article. When you jailbreak your mobile device, you get a wide range of options and a Unix-type operating system. The iPod / iPhone uses a Darwin kernel and is like Unix and Mac OS X. We can use this to our advantage and do tons of vulnerability finding and exploitation from our mobile devices.