Hello and welcome to the Android Security and Exploitation training series by Pentester Academy. My name is Aditya and I am your course instructor for this training series. So, in this video we are going to have a look at one of the other tools, which is called Introspy. So, this is a tool which basically helps you with API hooking, and you can analyze what an application is doing and which APIs it is calling, and the best part is that everything is completely automated in the case of Introspy. So you simply select the APIs that you want to hook and analyze, and it will hook those APIs and prepare an HTML report for you. So that is really, really handy in any application which you are analyzing. So, Introspy comes with two different applications: the Introspy-Core, which basically consists of the core functionality and all the API hooking code, and the other application is Introspy-Config, which allows the user to select the applications they want to analyze. Now, this entire tool is written on top of Mobile Substrate, which is a framework written by Jay Freeman, also known as Saurik, who was the creator of Cydia and all those other related tools. Now, with Introspy it is really easy to set up hooks on interesting functions. So, let's start off with setting up Introspy for our device. So, we actually need to install a couple of different applications.
So we'll start out with SuperSU, and then we will move to Cydia Substrate, and then the Introspy-Core and the Introspy-Config. So, in the VM you will have an IntroSpy+CydiaAPK.zip. You can simply unzip it, and if you look over here, you have the Introspy-Analyzer-master, Introspy-Android-master, com.saurik.substrate, and we need one more application, which is SuperSU. Let me also copy it: Training/eu.chainfire.supersu.apk. So, we will start off by installing this. In my case, it might already be installed. No. Let's go ahead and install it. So, this one hasn't installed properly. So, let me just go ahead and set up SuperSU so I can continue. I will go with the normal mode. Allow. Uninstall the other SuperSU application, and that's basically all of the SuperSU installation. Right. So once we have installed SuperSU, the next step is to install the Saurik Substrate, which is over here, so adb install com.saurik.substrate. This will install the Saurik Substrate. So all you need to do is click on "Link Substrate Files" and grant it superuser permissions. Click, come back to the application, click it again, and you will see that it has the substrate files linked. So all you need to do is "Restart System Soft", which will restart the Android system, and now this has been linked.
Let's also confirm that Cydia 35 00:03:57,320 --> 00:04:03,220 Substrate has been added to Supersu list and it has been added, so this means that 36 00:04:03,220 --> 00:04:10,710 the installation is successful. And now let's go ahead and install the config and 37 00:04:10,710 --> 00:04:26,090 core apks. So let's install this one first, copy, adb install, paste and let's 38 00:04:26,090 --> 00:04:34,200 also install the config.apk. Right. So this will install both the applications. 39 00:04:34,200 --> 00:04:41,000 Now you should note that Introspy-Android Core.apk does not create any icon on a 40 00:04:41,000 --> 00:04:48,150 device. So it's simply a core application which is without an icon and what you will 41 00:04:48,150 --> 00:04:53,670 see over here is the Introspy Config and this will basically have all the APIs 42 00:04:53,670 --> 00:04:58,070 which you can hook to and all the applications which is currently installed, 43 00:04:58,070 --> 00:05:07,670 right. So this is simply all the installation of Introspy and let's also 44 00:05:07,670 --> 00:05:15,470 grant it superuser permission by selecting any application. And here you can select 45 00:05:15,470 --> 00:05:20,540 the application which you want to analyze. So, let's say I want to analyze 46 00:05:20,540 --> 00:05:28,320 InsecureBank, I can just check on it and I have these all API hooks already, so I can 47 00:05:28,320 --> 00:05:34,780 now go ahead and use the application, InsecureBank. And in the background 48 00:05:34,780 --> 00:05:42,340 Introspy will create all the reports for me which is simply wonderful. Log in, 49 00:05:42,340 --> 00:05:59,810 let's perform something, transfer. Also, let's have a look at the logcat and it 50 00:05:59,810 --> 00:06:04,240 says that one of the file is missing where it actually stores the raw history of all 51 00:06:04,240 --> 00:06:12,410 the transactions. Let's also create that file. 
It's adb shell touch and this particular file. Now, let's do an ls of /mnt/sdcard. I have... let's go and do adb shell, mnt/sdcard, let's do a mkdir statements and cd statements, touch rawhistory.html, right, let's try to transfer again... So now the transfer is successful without any error; also, if you notice in the logcat, now you will have a lot of Cydia Substrate, which is basically the Introspy hooks which you have configured, right. So depending on what the application does, Introspy will create an introspy.db in the application folder. So, let's go ahead and analyze it. So, adb shell. Let's go inside the application that we are analyzing, which is com.android.insecurebank. Now, Introspy sometimes might not create the database. In that case, you simply need to restart Genymotion. So let's see if it's able to create it. It hasn't created anything so far. So let's simply restart Genymotion and see if it works. Nexus S 4.1.1... Check the IP: 102. Devices, connect 192.168.57.102. Connected. Let's simply wait for the device to come up. Now let's try it again. So then just by... configs setup. Let's go ahead and use InsecureBank. Dinesh, Dinesh@123$. Login. Any transaction. Transfer. Let's shell: ls /data/data/com.android.insecurebank/databases/.
And now if you see there is a 71 00:09:27,766 --> 00:09:33,148 intropsy.db created over here, right. So let's simply go ahead and pull this 72 00:09:33,148 --> 00:09:39,606 database out and make a HTML report out of it. Now this database might not consist a 73 00:09:39,606 --> 00:09:44,926 lot of information because, just because simply this application isn't doing a lot 74 00:09:44,926 --> 00:09:52,868 many things, right. So let's go to the Introspy-analyzer-master and pull this 75 00:09:52,868 --> 00:10:04,364 database /data/data/com.android. insecurebank/databases/introspy.db 76 00:10:04,364 --> 00:10:13,814 and maybe store it as Insecure.db, right. So if you look over here, there is a 77 00:10:13,814 --> 00:10:25,525 Introspy or insecure.db. So let's create an HTML report out of it. So python 78 00:10:25,525 --> 00:10:34,259 introspy.py, -p for platform which is Android in this case, -o for the output 79 00:10:34,259 --> 00:10:40,678 folder name, let's do it InsecureBank and then simply the name of the db which we 80 00:10:40,678 --> 00:10:51,090 are analyzing. So if you look over here, you can go to InsecureBank and here you'll 81 00:10:51,090 --> 00:11:02,730 have the report.html, right. So the report.html simply is a html file which 82 00:11:02,730 --> 00:11:07,520 shows you what all things have been done and if you'll look over here, so it will 83 00:11:07,520 --> 00:11:11,800 show you all the file system changes as we are hooked into the file system as well 84 00:11:11,800 --> 00:11:20,690 and what all preferences it took and all this sort of things, right. 
So Introspy is 85 00:11:20,690 --> 00:11:24,040 a really nice tool which helps you analyze all the different things that an 86 00:11:24,040 --> 00:11:29,020 application is doing and if you perform it on a real world application you'll get a 87 00:11:29,020 --> 00:11:33,680 lot of information about the application over here which might also reveal a lot 88 00:11:33,680 --> 00:11:39,830 many different vulnerabilities, right. So this is why Introspy is like one of the 89 00:11:39,830 --> 00:11:47,970 handy tools for a Pentester to start off with assessment. So that's all for this 90 00:11:47,970 --> 00:11:54,260 video and in the next videos, we will move on to some other tools and techniques for 91 00:11:54,260 --> 00:11:59,570 hooking and we will look into them. So I hope you liked the video and if you have 92 00:11:59,570 --> 00:12:05,400 any feedback or queries, feel free to reach out to me at adi@attify.com and you 93 00:12:05,400 --> 00:12:09,929 can also tweet me @adi1391. Thank you.