
amalgeorge21/iOS-Pentesting


Welcome to the iOS-Pentesting wiki!

JB Testing

Re-sign

List identities

./applesign.js -L

Re-sign

./applesign.js -i ABCDEFGHIJKLMNOPQRST /blah/blah.ipa

Deploy with impactor or ios-deploy/ipa-deploy

https://slashedm.gitbook.io/xcode-app-signing/where-do-we-go-now/newer-versions

Objection

frida-ps -Uia

objection --gadget "com.apple.AppStore" explore

objection explore --startup-command 'ios jailbreak simulate'

Non-JB Testing

Connect the phone to the Mac, run a test app in Xcode and fix the signing certificates. This should generate a provisioning file.

Find code sigs

security find-identity -p codesigning -v

Patch Frida dylib to ipa

objection patchipa --source blah.ipa --codesign-signature 1234BLAH
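The two steps above (list identities with security(1), then pass one hash to objection patchipa) are usually done by eye. Added example, not part of the wiki: a small Python helper that parses the output of `security find-identity -p codesigning -v`, takes only the "Valid identities only" block (an expired or untrusted certificate is still listed under "Matching identities" but fails at signing time), and refuses to pick when the name fragment matches zero or several identities. The sample output, hashes and team IDs are constructed; the function and regex names are this example's own.

```python
"""Pick a code-signing identity hash for objection patchipa / applesign.

Added example, not part of the wiki. SAMPLE_OUTPUT is constructed to look like
`security find-identity -p codesigning -v` output; the hashes are not real.
"""
import re
import subprocess
from typing import List, Tuple

# Identity lines look like:
#   1) <40 hex chars> "Apple Development: Some Name (TEAMID)"
# The "N identities found" summary lines have no ")" and are skipped.
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-F]{40})\s+"([^"]+)"', re.M)

SAMPLE_OUTPUT = """Policy: Code Signing
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Tester (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "iPhone Distribution: Example Corp (FGHIJ67890)"
     2 identities found

  Valid identities only
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Tester (ABCDE12345)"
     1 valid identities found
"""


def valid_identities(output: str) -> List[Tuple[str, str]]:
    """Return (sha1_hash, name) pairs from the 'Valid identities only' block only."""
    marker = "Valid identities only"
    idx = output.find(marker)
    if idx == -1:
        return []
    return IDENTITY_RE.findall(output[idx:])


def pick_identity(output: str, name_fragment: str) -> str:
    """Return the hash of the one valid identity whose name contains name_fragment.

    Raises LookupError when zero or several identities match, so the caller
    never signs with an unintended certificate.
    """
    hits = [h for h, name in valid_identities(output) if name_fragment in name]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} valid identities match {name_fragment!r}")
    return hits[0]


def query_keychain() -> str:
    """Run the real security(1) command (macOS only; not used by the offline sample)."""
    return subprocess.run(
        ["security", "find-identity", "-p", "codesigning", "-v"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in query_keychain() on a Mac.
    sig = pick_identity(SAMPLE_OUTPUT, "Apple Development")
    print(f"objection patchipa --source blah.ipa --codesign-signature {sig}")
```

On a real Mac replace `SAMPLE_OUTPUT` with `query_keychain()`; the printed command is the one from the step above with the hash filled in.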

Deploy in debugging mode

ios-deploy --bundle blah.app -W -d

Run in debug mode without installing again

ios-deploy -b blah.app -W -m

Reversing/Patching - use Hopper

Runtime debugging (this is deprecated) - no one uses Cycript anymore

Cycript

cy# var app = [UIApplication sharedApplication]
cy# app.delegate
// you can also just use UIApp.delegate
cy# var delegate = new Instance(0x2315f0)

Call a method on the delegate:

cy# [delegate pinLockControllerDidFinishUnlocking]

For BOOL arguments:

cy# [UIApp.delegate userIsLogged: YES]

Show current view

cy# UIApp.keyWindow.rootViewController.topViewController.visibleViewController

Get an array of existing objects of a certain class

cy# choose(UIViewController)

List method at runtime

cy# [classname].messages

or

cy# function printMethods(className) {
    var count = new new Type("I");
    var methods = class_copyMethodList(objc_getClass(className), count);
    var methodsArray = [];
    for (var i = 0; i < *count; i++) {
        var method = methods[i];
        methodsArray.push({selector: method_getName(method), implementation: method_getImplementation(method)});
    }
    free(methods);
    free(count);
    return methodsArray;
}
cy# printMethods("[classname]")

Prints out all the instance variables

cy# function tryPrintIvars(a) {
    var x = {};
    for (i in a) {
        try { x[i] = (a)[i]; } catch (e) {}
    }
    return x;
}
cy# a = #0x15d0db80
cy# tryPrintIvars(a)

Manipulating through property

cy# [a pinCode]
cy# [a setPinCode: @"1234"]
cy# [a isValidPin]
cy# a->isa.messages['isValidPin'] = function() { return 1; }

Random Stuff

Restart SpringBoard

killall -HUP SpringBoard

Connect via USB to JB iPhone

iproxy 2222 22

Connect over Wi-Fi

For the iOS 10 yalu JB, run on the device:

dropbear -R -p 2222

Downloads folder for iFunbox iOS 10 JB

/User/Media/Downloads or /var/mobile/Media

Needle installation on Kali Rolling

git clone https://github.com/mwrlabs/needle.git

apt-get install python2.7 python2.7-dev sshpass sqlite3 lib32ncurses5-dev

If Kali hasn't been updated in a while you will have to update the apt sources and the archive GPG key

wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add -

In needle to install all dependencies on device:

use device/dependency_installer

Install lipo from org.coolstar.cctools

Change plist to allow access over Wi-Fi

launchctl unload /Library/LaunchDaemons/dropbear.plist
launchctl load /Library/LaunchDaemons/dropbear.plist

Once stash is installed, Dropbear is moved to the stash location below

/var/db/stash/_.cBfT4d/bin

dropbear -F -R -p 22

Fix dropbear after re-jb

#!/bin/bash
launchctl unload /Library/LaunchDaemons/dropbear.plist
launchctl load /Library/LaunchDaemons/dropbear.plist
/var/db/stash/_.cBfT4d/bin/dropbear -F -R -p 22

About

Wiki for Pentesting iOS apps
