Scrounger: A Powerful Mobile Application Security Testing Suite
Today we introduce Scrounger, a tool that researchers can use to test the security of mobile applications. It draws on many of the best testing tools in the security community, and it is effective at surfacing security weaknesses in mobile apps.
Plenty of other mobile application analysis tools exist, but none of them covers both Android and iOS. Scrounger is modelled on Metasploit: it does not fully automate a penetration test, but it helps a pentester carry out the individual checks that make up a security assessment.
What sets it apart
Scrounger differs from other tools mainly in that it:
1. Works on both Android and iOS;
2. Provides a Metasploit-like console and module system;
3. Ships with a wide range of functional modules;
4. Is easy to extend with additional functionality.
Technical details
A word of caution first: every finding Scrounger reports needs manual confirmation. Each analysis module advertises a certainty percentage in the module listing; treat it as a confidence hint, not as a verdict.
The device-facing modules need an Android or iOS device, and Scrounger requires that device to be rooted or jailbroken.
Scrounger has been tested on iOS 11 and Android 8.1 and supports Python 2.7 only.
Installation
git clone https://github.com/nettitude/scrounger.git
cd scrounger
bash setup.sh
pip install -r requirements.txt
python setup.py install
Development setup
git clone https://github.com/nettitude/scrounger.git
cd scrounger
bash setup.sh
pip install -r requirements.txt
python setup.py develop
Updating
cd scrounger
git pull
python setup.py install --upgrade
Dependencies
Android modules
1. java( http://www.oracle.com/technetwork/java/javase/downloads/index.html )
2. jd-cli( https://github.com/kwart/jd-cmd )
3. apktool( https://ibotpeaches.github.io/Apktool/ )
4. d2j-dex2jar( https://github.com/pxb1988/dex2jar )
5. adb( https://developer.android.com/studio/releases/platform-tools )
6. avdmanager (optional): ( https://developer.android.com/studio/#downloads )
iOS modules
1. jtool(Linux) ( http://www.newosxbook.com/tools/jtool.html )
2. otool(MacOS) ( https://developer.apple.com/xcode/ )
3. ldid( https://github.com/daeken/ldid.git )
4. iproxy(Package: libimobiledevice)
5. lsusb(Package: usbutils)
6. unzip
iOS binaries (installed on the device by the misc/ios/install_binaries module)
1. dump_backup_flag
2. dump_file_protection
3. dump_keychain
4. dump_log
5. listapps
Setup script
Linux
#install iproxy lsusb
sudo apt-get install libimobiledevice usbutils

#install jd-cli
if [ ! -x "$(which jd-cli)" ]; then
    curl -L -o /tmp/jdcli.zip https://github.com/kwart/jd-cmd/releases/download/jd-cmd-0.9.2.Final/jd-cli-0.9.2-dist.zip
    unzip /tmp/jdcli.zip -d /usr/local/share/jd-cli
    ln -s /usr/local/share/jd-cli/jd-cli /usr/local/bin/jd-cli
    ln -s /usr/local/share/jd-cli/jd-cli.jar /usr/local/bin/jd-cli.jar
    rm -rf /tmp/jdcli.zip
fi

#install apktool
if [ ! -x "$(which apktool)" ]; then
    mkdir /usr/local/share/apktool
    curl -L -o /usr/local/share/apktool/apktool https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/osx/apktool
    curl -L -o /usr/local/share/apktool/apktool.jar https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.3.3.jar
    chmod +x /usr/local/share/apktool/apktool /usr/local/share/apktool/apktool.jar
    ln -s /usr/local/share/apktool/apktool /usr/local/bin/apktool
    ln -s /usr/local/share/apktool/apktool.jar /usr/local/bin/apktool.jar
fi

#install dex2jar
if [ ! -x "$(which d2j-dex2jar)" ]; then
    curl -L -o /tmp/d2j.zip https://github.com/pxb1988/dex2jar/files/1867564/dex-tools-2.1-SNAPSHOT.zip
    unzip /tmp/d2j.zip -d /tmp/d2j
    dirname=$(ls --color=none /tmp/d2j)
    mv /tmp/d2j/$dirname /usr/local/share/d2j-dex2jar
    ln -s /usr/local/share/d2j-dex2jar/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar.sh
    ln -s /usr/local/share/d2j-dex2jar/d2j-apk-sign.sh /usr/local/bin/d2j-apk-sign.sh
    rm -rf /tmp/d2j.zip
fi

if [ ! -x "$(which d2j-dex2jar)" ]; then
    ln -s /usr/local/bin/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar
fi

#install adb
if [ ! -x "$(which adb)" ]; then
    curl -L -o /tmp/platform-tools.zip https://dl.google.com/android/repository/platform-tools-latest-linux.zip
    unzip /tmp/platform-tools.zip -d /tmp/pt
    mv /tmp/pt/platform-tools /usr/local/share/
    ln -s /usr/local/share/platform-tools/adb /usr/local/bin/adb
    ln -s /usr/local/share/platform-tools/fastboot /usr/local/bin/fastboot
fi

#install ldid
if [ ! -x "$(which ldid)" ]; then
    git clone https://github.com/daeken/ldid.git /tmp/ldid
    cd /tmp/ldid
    ./make.sh
    mv ldid /usr/local/bin/
    cd /tmp
    rm -rf /tmp/ldid
fi

#install jtool
if [ ! -x "$(which jtool)" ]; then
    curl -L -o /tmp/jtool.tar http://www.newosxbook.com/tools/jtool.tar
    mkdir /tmp/jtool
    tar xvf /tmp/jtool.tar -C /tmp/jtool
    mv /tmp/jtool/jtool.ELF64 /usr/local/bin/jtool
    rm -rf /tmp/jtool.tar /tmp/jtool
fi

#install scrounger
git clone git@github.com:nettitude/scrounger.git
cd scrounger
pip install -r requirements.txt
python setup.py install

MacOS
#install iproxy ldid lsusb
brew tap jlhonora/lsusb && brew install lsusb libimobiledevice ldid

#install jd-cli
if [ ! -x "$(which jd-cli)" ]; then
    curl -L -o /tmp/jdcli.zip https://github.com/kwart/jd-cmd/releases/download/jd-cmd-0.9.2.Final/jd-cli-0.9.2-dist.zip
    unzip /tmp/jdcli.zip -d /usr/local/share/jd-cli
    ln -s /usr/local/share/jd-cli/jd-cli /usr/local/bin/jd-cli
    ln -s /usr/local/share/jd-cli/jd-cli.jar /usr/local/bin/jd-cli.jar
    rm -rf /tmp/jdcli.zip
fi

#install apktool
if [ ! -x "$(which apktool)" ]; then
    mkdir /usr/local/share/apktool
    curl -L -o /usr/local/share/apktool/apktool https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/osx/apktool
    curl -L -o /usr/local/share/apktool/apktool.jar https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.3.3.jar
    chmod +x /usr/local/share/apktool/apktool /usr/local/share/apktool/apktool.jar
    ln -s /usr/local/share/apktool/apktool /usr/local/bin/apktool
    ln -s /usr/local/share/apktool/apktool.jar /usr/local/bin/apktool.jar
fi

#install dex2jar
if [ ! -x "$(which d2j-dex2jar)" ]; then
    curl -L -o /tmp/d2j.zip https://github.com/pxb1988/dex2jar/files/1867564/dex-tools-2.1-SNAPSHOT.zip
    unzip /tmp/d2j.zip -d /tmp/d2j
    dirname=$(ls --color=none /tmp/d2j)
    mv /tmp/d2j/$dirname /usr/local/share/d2j-dex2jar
    ln -s /usr/local/share/d2j-dex2jar/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar.sh
    ln -s /usr/local/share/d2j-dex2jar/d2j-apk-sign.sh /usr/local/bin/d2j-apk-sign.sh
    rm -rf /tmp/d2j.zip
fi

if [ ! -x "$(which d2j-dex2jar)" ]; then
    ln -s /usr/local/bin/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar
fi

#install adb
if [ ! -x "$(which adb)" ]; then
    curl -L -o /tmp/platform-tools.zip https://dl.google.com/android/repository/platform-tools-latest-darwin.zip
    unzip /tmp/platform-tools.zip -d /tmp/pt
    mv /tmp/pt/platform-tools /usr/local/share/
    ln -s /usr/local/share/platform-tools/adb /usr/local/bin/adb
    ln -s /usr/local/share/platform-tools/fastboot /usr/local/bin/fastboot
fi

#install Xcode / command line tools
xcode-select --install

#install scrounger
git clone git@github.com:nettitude/scrounger.git
cd scrounger
pip install -r requirements.txt
python setup.py install
Adding custom modules
Installing the tool creates a ~/.scrounger folder automatically. Inside it, modules/custom holds your own Scrounger modules, laid out like the built-in ones, for example analysis/android/module_name.
Example
Add the following module (~/.scrounger/modules/custom/misc/test.py):

    from scrounger.core.module import BaseModule

    class Module(BaseModule):
        meta = {
            "author": "RDC",
            "description": """Just a Test module""",
            "certainty": 100
        }

        options = [
            {
                "name": "output",
                "description": "local output directory",
                "required": False,
                "default": None
            },
        ]

        def run(self):
            print("This is a print from the custom module")

            return {
                "print": "This will be print by scrounger's console."
            }

Running it

    $ scrounger-console
    Starting Scrounger console...

    scrounger> list custom/misc

    Module            Certainty  Author  Description
    ------            ---------  ------  -----------
    custom/misc/test  100%       RDC     Just a Test module

    scrounger> use custom/misc/test
    scrounger custom/misc/test > options

    Global Options:

        Name    Value
        ----    -----
        device
        output  /tmp/scrounger-app

    Module Options (custom/misc/test):

        Name    Required  Description             Current Setting
        ----    --------  -----------             ---------------
        output  False     local output directory  /tmp/scrounger-app

    scrounger custom/misc/test > run
    This is a print from the custom module
    [+] This will be print by scrounger's console.
    scrounger custom/misc/test >
Examples
Listing and searching modules

    $ scrounger-console
    Starting Scrounger console...

    > help

    Documented commands (type help <topic>):
    ========================================
    add_device  devices  list     print  results  set   unset
    back        help     options  quit   run      show  use

    > help list
    Lists all available modules

    > list ios

    Module                                    Certainty  Author  Description
    ------                                    ---------  ------  -----------
    analysis/ios/app_transport_security       90%        RDC     Checks if there are any Application Transport Security misconfigurations
    analysis/ios/arc_support                  90%        RDC     Checks if a binary was compiled with ARC support
    analysis/ios/backups                      90%        RDC     Checks the application's files have the backup flag on
    analysis/ios/clipboard_access             75%        RDC     Checks if the application disables clipboard access
    analysis/ios/debugger_detection           75%        RDC     Checks if the application detects debuggers
    analysis/ios/excessive_permissions        90%        RDC     Checks if the application uses excessive permissions
    analysis/ios/file_protection              90%        RDC     Checks the application's files specific protection flags
    analysis/ios/full_analysis                100%       RDC     Runs all modules in analysis and writes a report into the output directory
    analysis/ios/insecure_channels            50%        RDC     Checks if the application uses insecure channels
    analysis/ios/insecure_function_calls      75%        RDC     Checks if the application uses insecure function calls
    analysis/ios/jailbreak_detection          60%        RDC     Checks if the application implements jailbreak detection
    analysis/ios/logs                         60%        RDC     Checks if the application logs to syslog
    analysis/ios/passcode_detection           60%        RDC     Checks if the application checks for passcode being set
    analysis/ios/pie_support                  100%       RDC     Checks if the application was compiled with PIE support
    analysis/ios/prepared_statements          60%        RDC     Checks if the application uses sqlite calls and if so checks if it also uses prepared statements
    analysis/ios/ssl_pinning                  60%        RDC     Checks if the application implements SSL pinning
    analysis/ios/stack_smashing               90%        RDC     Checks if a binary was compiled stack smashing protections
    analysis/ios/third_party_keyboard         65%        RDC     Checks if an application checks of third party keyboards
    analysis/ios/unencrypted_communications   80%        RDC     Checks if the application implements communicates over unencrypted channels
    analysis/ios/unencrypted_keychain_data    70%        RDC     Checks if the application saves unencrypted data in the keychain
    analysis/ios/weak_crypto                  60%        RDC     Checks if the application uses weak crypto
    analysis/ios/weak_random                  50%        RDC     Checks if a binary uses weak random functions
    analysis/ios/weak_ssl_ciphers             50%        RDC     Checks if a binary uses weak SSL ciphers
    misc/ios/app/archs                        100%       RDC     Gets the application's available architectures
    misc/ios/app/data                         100%       RDC     Gets the application's data from the remote device
    misc/ios/app/entitlements                 100%       RDC     Gets the application's entitlements
    misc/ios/app/flags                        100%       RDC     Gets the application's compilation flags
    misc/ios/app/info                         100%       RDC     Pulls the Info.plist info from the device
    misc/ios/app/start                        100%       RDC     Launches an application on the remote device
    misc/ios/app/symbols                      100%       RDC     Gets the application's symbols out of an installed application on the device
    misc/ios/class_dump                       100%       RDC     Dumps the classes out of a decrypted binary
    misc/ios/decrypt_bin                      100%       RDC     Decrypts and pulls a binary application
    misc/ios/install_binaries                 100%       RDC     Installs iOS binaries required to run some checks
    misc/ios/keychain_dump                    100%       RDC     Dumps contents from the connected device's keychain
    misc/ios/local/app/archs                  100%       RDC     Gets the application's available architectures
    misc/ios/local/app/entitlements           100%       RDC     Gets the application's entitlements from a local binary and saves them to file
    misc/ios/local/app/flags                  100%       RDC     Gets the application's compilation flags using local tools. Will look for otool and jtool in the PATH.
    misc/ios/local/app/info                   100%       RDC     Pulls the Info.plist info from the unzipped IPA file and saves an XML file with it's contents to the output folder
    misc/ios/local/app/symbols                100%       RDC     Gets the application's symbols out of an installed application on the device
    misc/ios/local/class_dump                 100%       RDC     Dumps the classes out of a decrypted binary
    misc/ios/pull_ipa                         100%       RDC     Pulls the IPA file from a remote device
    misc/ios/unzip_ipa                        100%       RDC     Unzips the IPA file into the output directory
Using a misc module

    $ scrounger-console
    Starting Scrounger console...

    > use misc/android/decompile_apk
    misc/android/decompile_apk > options

    Global Options:

        Name    Value
        ----    -----
        device
        output  /tmp/scrounger-app

    Module Options (misc/android/decompile_apk):

        Name    Required  Description                 Current Setting
        ----    --------  -----------                 ---------------
        output  True      local output directory      /tmp/scrounger-app
        apk     True      local path to the APK file

    misc/android/decompile_apk > set output scrounger-demo-output
    misc/android/decompile_apk > set apk ./a.apk
    misc/android/decompile_apk > options

    Global Options:

        Name    Value
        ----    -----
        device
        output  /tmp/scrounger-app

    Module Options (misc/android/decompile_apk):

        Name    Required  Description                 Current Setting
        ----    --------  -----------                 ---------------
        output  True      local output directory      scrounger-demo-output
        apk     True      local path to the APK file  ./a.apk

    misc/android/decompile_apk > run
    2018-05-01 10:29:53 - decompile_apk : Creating decompilation directory
    2018-05-01 10:29:53 - decompile_apk : Decompiling application
    2018-05-01 10:29:59 - manifest : Checking for AndroidManifest.xml file
    2018-05-01 10:29:59 - manifest : Creating manifest object
    [+] Application decompiled to scrounger-demo-output/com.eg.challengeapp.decompiled
Using the results of other modules
A module's results are stored under a name and can be fed into the next module with the result: prefix, as the decompiled_apk option below shows.

    misc/android/decompile_apk > show results

    Results:

        Name                            Value
        ----                            -----
        com.eg.challengeapp_decompiled  scrounger-demo-output/com.eg.challengeapp.decompiled

    misc/android/decompile_apk > use analysis/android/permissions
    analysis/android/permissions > options

    Global Options:

        Name    Value
        ----    -----
        device
        output  /tmp/scrounger-app

    Module Options (analysis/android/permissions):

        Name            Required  Description                                         Current Setting
        ----            --------  -----------                                         ---------------
        decompiled_apk  True      local folder containing the decompiled apk file
        permissions     True      dangerous permissions to check for, seperated by ;  android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CA

    analysis/android/permissions > print option permissions

    Option Name: permissions
    Value: android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CALLS;android.permission.READ_LOGS;android.permission.READ_SMS;android.permission.READ_CALL_LOG;android.permission.RECORD_AUDIO;android.permission.MANAGE_ACCOUNTS;android.permission.RECEIVE_SMS;android.permission.RECEIVE_MMS;android.permission.WRITE_CONTACTS;android.permission.DISABLE_KEYGUARD;android.permission.WRITE_SETTINGS;android.permission.WRITE_SOCIAL_STREAM;android.permission.WAKE_LOCK

    analysis/android/permissions > set decompiled_apk result:com.eg.challengeapp_decompiled
    analysis/android/permissions > options

    Global Options:

        Name    Value
        ----    -----
        device
        output  /tmp/scrounger-app

    Module Options (analysis/android/permissions):

        Name            Required  Description                                         Current Setting
        ----            --------  -----------                                         ---------------
        decompiled_apk  True      local folder containing the decompiled apk file     result:com.eg.challengeapp_decompiled
        permissions     True      dangerous permissions to check for, seperated by ;  android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CA

    analysis/android/permissions > run
    2018-05-01 10:54:58 - manifest : Checking for AndroidManifest.xml file
    2018-05-01 10:54:58 - manifest : Creating manifest object
    2018-05-01 10:54:58 - permissions : Analysing application's manifest permissions
    [+] Analysis result:
    The Application Has Inadequate Permissions
        Report: True
        Details:
            * android.permission.READ_SMS
Using devices

    $ scrounger-console
    Starting Scrounger console...

    > show devices

    Added Devices:

        Scrounger ID  Device OS  Identifier
        ------------  ---------  ----------

    > add_device
    android  ios
    > add_device android 00cd7e67ec57c127
    > show devices

    Added Devices:

        Scrounger ID  Device OS  Identifier
        ------------  ---------  ----------
        1             android    00cd7e67ec57c127

    > set global device 1
    > options

    Global Options:

        Name    Value
        ----    -----
        device  1
        output  /tmp/scrounger-app

    > use misc/list_apps
    misc/list_apps > options

    Global Options:

        Name    Value
        ----    -----
        device  1
        output  /tmp/scrounger-app

    Module Options (misc/list_apps):

        Name    Required  Description             Current Setting
        ----    --------  -----------             ---------------
        output  False     local output directory  /tmp/scrounger-app
        device  True      the remote device       1

    misc/list_apps > unset output
    misc/list_apps > options

    Global Options:

        Name    Value
        ----    -----
        device  1
        output  /tmp/scrounger-app

    Module Options (misc/list_apps):

        Name    Required  Description             Current Setting
        ----    --------  -----------             ---------------
        output  False     local output directory
        device  True      the remote device       1

    misc/list_apps > run
    [+] Applications installed on 00cd7e67ec57c127:
    com.android.sharedstoragebackup
    com.android.providers.partnerbookmarks
    com.google.android.apps.maps
    com.google.android.partnersetup
    de.codenauts.hockeyapp
    ...
Command-line help

    $ scrounger --help
    usage: scrounger [-h] [-m analysis/ios/module1;analysis/ios/module2]
                     [-a argument1=value1;argument1=value2;]
                     [-f /path/to/the/app.[apk|ipa]] [-d device_id] [-l] [-o]
                     [-p /path/to/full-analysis.json] [-V] [-D]

    optional arguments:
      -h, --help            show this help message and exit
      -m analysis/ios/module1;analysis/ios/module2, --modules analysis/ios/module1;analysis/ios/module2
                            modules to be run - seperated by ; - will be run in order
      -a argument1=value1;argument1=value2;, --arguments argument1=value1;argument1=value2;
                            arguments for the modules to be run
      -f /path/to/the/app.[apk|ipa], --full-analysis /path/to/the/app.[apk|ipa]
                            runs a full analysis on the application
      -d device_id, --device device_id
                            device to be used by the modules
      -l, --list            list available devices and modules
      -o, --options         prints the required options for the selected modules
      -p /path/to/full-analysis.json, --print-results /path/to/full-analysis.json
                            prints the results of a full analysis json file
      -V, --verbose         prints more information when running the modules
      -D, --debug           prints more information when running scrounger
Using the command line
The same modules can be driven without the console: -o prints the options a module expects, and -a passes them as key=value pairs separated by ;.

    $ scrounger -o -m "misc/android/decompile_apk"

    Module Options (misc.android.decompile_apk):

        Name    Required  Description                 Default
        ----    --------  -----------                 -------
        output  True      local output directory      None
        apk     True      local path to the APK file  None

    $ scrounger -m "misc/android/decompile_apk" -a "apk=./a.apk;output=./cli-demo"
    Excuting Module 0
    2018-05-01 11:17:42 - decompile_apk : Creating decompilation directory
    2018-05-01 11:17:42 - decompile_apk : Decompiling application
    2018-05-01 11:17:46 - manifest : Checking for AndroidManifest.xml file
    2018-05-01 11:17:46 - manifest : Creating manifest object
    [+] Application decompiled to ./cli-demo/com.eg.challengeapp.decompiled

Demo video
Video: https://asciinema.org/a/hC7sfGHVc5x7CWa57IXcGb3Um
*Source: scrounger. Translated by FreeBuf editor Alpha_h4ck; please credit FreeBuf.COM when reposting.