- Setup
- Android & iOS
- Android
- iOS
Setup
Install Objection
The objection Python package needs to be installed, along with frida-tools:
```
pip3 install frida-tools objection
```
Test Objection
Ensure the package is working by running the objection command:
```
root@kali:~# objection
Usage: objection [OPTIONS] COMMAND [ARGS]...
_ _ _ _
___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_| _| _| | . | |
|___|___| |___|___|_| |_|___|_|_|
|___|(object)inject(ion)
Runtime Mobile Exploration
by: @leonjza from @sensepost
By default, communications will happen over USB, unless the --network
option is provided.
```
Find Application
Use Frida to check for installed applications on the phone:
Show running applications:
- -U for USB mode
- -a for applications only
Show all installed applications:
- -i for installed applications
You should see something like this:
```
root@kali:~# frida-ps -Ua
PID Name Identifier
---- ---------- -------------------------
2594 DuckDuckGo com.duckduckgo.mobile.ios
```
Attach to Application
Once we know the name of our target application, we can attach to it with the following command:
```
objection -g NAME explore
```
- Where NAME is DuckDuckGo or com.duckduckgo.mobile.ios in the above example.
A command can be executed as soon as Objection attaches to an application using:
```
objection -g com.duckduckgo.mobile.ios explore --startup-command "COMMAND"
```
COMMAND might be something like ios sslpinning disable on an iPhone.
A single command can be executed instead of exploring the application:
```
objection -g com.duckduckgo.mobile.ios run "COMMAND"
```
COMMAND might be something like ios cookies get on an iPhone.
Android & iOS
Files
| Description | Command |
|---|---|
| Get Environment Info | env |
| View files in current Dir | ls |
| Print current Dir | pwd |
| Print file contents | file cat FILENAME |
| Download file (from Phone) | file download PHONE_FILE [PC_FILE] |
| Upload file (to Phone) | file upload PC_FILE [PHONE_FILE] |
HTTP Server
| Description | Command |
|---|---|
| Start HTTP Server (in current dir) | file http start |
| Stop HTTP Server | file http stop |
| Status of HTTP Server | file http status |
Hooking
iOS examples are used below. Commands should work for both iOS and Android.
| Description | Command |
|---|---|
| List Application Classes | ios hooking list classes |
| Search for Class | ios hooking search classes SEARCH_STRING |
| List Class Methods | ios hooking list class_methods CLASS_NAME |
| Search for Methods | ios hooking search methods SEARCH_STRING |
| Hook ALL Class Methods (View params) | ios hooking watch class CLASS_NAME |
| Hook Single Class Methods | ios hooking watch method "-[CLASS_NAME METHOD_NAME]" --dump-args --dump-return --dump-backtrace |
| Change Boolean Method Return Value | ios hooking set return_value "-[CLASS_NAME METHOD_NAME]" false |
| Generate Frida hooking template | ios hooking generate simple CLASS_NAME |
Other
| Description | Command |
|---|---|
| View Jobs | jobs list |
| Stop/Kill Jobs | jobs kill JOB_ID |
Android
SSLPinning & Root Detection
| Description | Command |
|---|---|
| Disable SSLPinning | android sslpinning disable |
| Disable SSLPinning (quiet mode) | android sslpinning disable --quiet |
| Disable Root Detection | android root disable |
Android Hooking
| Description | Command |
|---|---|
| List Activities | android hooking list activities |
| List Receivers | android hooking list receivers |
| List Services | android hooking list services |
| Get Current Activity | android hooking get current_activity |
iOS
SSLPinning & Jailbreak Detection
| Description | Command |
|---|---|
| Disable SSLPinning | ios sslpinning disable |
| Disable SSLPinning (quiet mode) | ios sslpinning disable --quiet |
| Disable Jailbreak Detection | ios jailbreak disable |
iOS Application Info
| Description | Command |
|---|---|
| Get Binary Info | ios info binary |
| Get PList Files | ios plist cat Info.plist |
| Get Application Bundles | ios bundles list_bundles |
| Get External Frameworks | ios bundles list_frameworks |
iOS DataStorage
| Description | Command |
|---|---|
| Get Keychain | ios keychain dump |
| Get Keychain (Auto-Decode) | ios keychain dump --smart |
| Get Keychain (Save-As JSON) | ios keychain dump --json keychain.json |
| View Cookies | ios cookies get |
| View NSUserDefaults | ios nsuserdefaults get |
| View NSURLCredentialStorage | ios nsurlcredentialstorage dump |
| Pasteboard Monitor | ios pasteboard monitor |