yuyudhn's notes
Objection

A cheat-sheet of the Objection commands used during iOS mobile app penetration testing. Objection drives Frida, so the target must be instrumentable first: either a jailbroken device running frida-server, or an IPA repackaged with the Frida Gadget.

Explore App with Objection

objection -g com.example.app explore # -g takes the target's bundle identifier (com.example.app here); explore opens the interactive REPL

Run an Objection Command When the App Is Spawned

# Run a single command against the app and exit, without entering the REPL
objection -g com.example.app run "ios hooking search classes jail"

# Run the same command at startup and then stay in the REPL (-s / --startup-command)
objection -g com.example.app explore -s "ios hooking search classes jail"

Basic Jailbreak Detection Bypass

# Hooks the usual checks (NSFileManager fileExistsAtPath:, fopen, canOpenURL: for cydia://, ...) so they report "not jailbroken".
# Apps that ship their own detection (e.g. the DTTJailbreakDetection class found below) need the method hooks from the Basic Hooking section instead.
ios jailbreak disable

# Example output:
com.example.app on (iPhone: 15.4.1) [usb] # 
(agent) [303462] fileExistsAtPath: check for /Applications/Cydia.app failed with: 0x0, marking it as successful.
(agent) [289052] fileExistsAtPath: check for /Applications/Cydia.app was successful with: 0x1, marking it as failed.
(agent) [289052] fileExistsAtPath: check for /bin/bash was successful with: 0x1, marking it as failed.
(agent) [289052] fopen: check for /bin/bash was successful with: 0x103404f98, marking it as failed.
..................

Basic Enumeration

Local App Paths

# Bundle and data-container paths; Library/Preferences (NSUserDefaults) and Documents under the data container are the first places to look for stored data
env

# Example output:
Name               Path
-----------------  -------------------------------------------------------------------------------------------
BundlePath         /private/var/containers/Bundle/Application/81AD95F9-3DA4-4CEB-BD50-442BD55D1D02/Example.app
CachesDirectory    /var/mobile/Containers/Data/Application/9EC4057E-FE48-4B9F-81D3-C0FB75BC2EA3/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/9EC4057E-FE48-4B9F-81D3-C0FB75BC2EA3/Documents
..........

List bundles of the application

ios bundles list_bundles

# Example output:
com.example.app on (iPhone: 15.4.1) [usb] # ios bundles list_bundles
Executable              Bundle                            Version   Path
----------------------  --------------------------------  --------  -------------------------------------------
AGXMetalA11             com.apple.AGXMetalA11             190.17.2  ...em/Library/Extensions/AGXMetalA11.bundle
Runner                  com.example.app                   11.4.61   ...E-38A1-4FC0-AE77-0B2D26E7BF67/Runner.app

List framework used by the application

# Third-party frameworks often reveal security libraries (here a jailbreak-detection pod), which points straight at the classes to hook
ios bundles list_frameworks

# Example output:
Executable                      Bundle                                        Version    Path
------------------------------  --------------------------------------------  ---------  -------------------------------------------
share_plus                      org.cocoapods.share-plus                      0.0.1      ...nner.app/Frameworks/share_plus.framework
webview_flutter_wkwebview       org.cocoapods.webview-flutter-wkwebview       0.0.1      ...orks/webview_flutter_wkwebview.framework
DTTJailbreakDetection           org.cocoapods.DTTJailbreakDetection           0.4.0      ...ameworks/DTTJailbreakDetection.framework

Basic Hooking

List all classes

ios hooking list classes

# Example output:
com.example.app on (iPhone: 15.4.1) [usb] # ios hooking list classes
AAAFoundationSwift.AAFTimedAnalyticsEvent
AAAFoundationSwift.BroadcastMessageSender
AAAFoundationSwift.DependencyRegistry
AAAFoundationSwift.MessageSender
AAAFoundationSwift.OSActivity
AAAFoundationSwift.OSTransaction
AAAFoundationSwift.WeakWrapper
.................

Search for classes

# Search a class that contains a string
ios hooking search classes jailbreak

# Example output:
com.example.app on (iPhone: 15.4.1) [usb] # ios hooking search classes jailbreak
PodsDummy_DTTJailbreakDetection
DTTJailbreakDetection
PodsDummy_flutter_jailbreak_detection
flutter_jailbreak_detection.SwiftFlutterJailbreakDetectionPlugin
FlutterJailbreakDetectionPlugin
..............

Search for methods

# Search a method that contains a string
ios hooking search methods jail

# Example output:
com.example.app on (iPhone: 15.4.1) [usb] # ios hooking search methods jail
[DTTJailbreakDetection + isJailbroken]
[UIScreen + _shouldDisableJail]
[UIScreen - _unjailedReferenceBoundsForInterfaceOrientation:]
[UIScreen - _unjailedReferenceBoundsInPixels]
..........

List class methods

# List methods of a specific class
ios hooking list class_methods DTTJailbreakDetection

# Example output:
com.example.app on (iPhone: 15.4.1) [usb]
+ isJailbroken

Found 1 methods

Watch class

# Hook all methods of a class and print their arguments and return values each time they are called
ios hooking watch class DTTJailbreakDetection

# Hook one method, dumping its arguments, return value and backtrace on every call
# (+ = class method, - = instance method, * = either; the search output above lists isJailbroken as "+")
ios hooking watch method "+[DTTJailbreakDetection isJailbroken]" --dump-args --dump-return --dump-backtrace

Overwrite Return Value

# Only meant for methods that return BOOL; after this the app believes the device is not jailbroken
ios hooking set return_value "+[DTTJailbreakDetection isJailbroken]" false

Generate Hooking Template

# Emit a Frida (JavaScript) hook skeleton for the methods of a class, for cases that need custom logic beyond set return_value
ios hooking generate simple DTTJailbreakDetection
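Going from a `search methods` hit to a working hook is mostly a format change: the search output prints `[Class + selector]`, while `watch method` and `set return_value` want `+[Class selector]`. The helper below, an added example that is not from these notes or from the objection project, parses the search output shown above (constructed here as a string), drops Apple framework classes (a heuristic of mine, not objection behaviour) and emits a watch hook plus a forced `false` for every app-owned check that reads like a BOOL method:

```python
"""Turn `ios hooking search methods` output into objection hook commands.

Added example: this helper is not from the original notes or from the objection
project. The input below is constructed from the search output shown above. The
only objection facts it relies on are the search output format `[Class +/- selector]`
and the `+[Class selector]` / `-[Class selector]` syntax that `ios hooking watch
method` and `ios hooking set return_value` accept.
"""
import re

# One result line of `ios hooking search methods`, e.g. "[DTTJailbreakDetection + isJailbroken]"
SEARCH_LINE = re.compile(r"^\[(?P<cls>\S+) (?P<kind>[+-]) (?P<sel>\S+)\]$")
# Heuristic (assumption): Apple framework classes match any jailbreak-ish search
# (UIScreen's _unjailed* methods above); hooking them is noise for a bypass.
APPLE_PREFIXES = ("NS", "UI", "CF", "WK", "AV", "_")
# Heuristic (assumption): checks that read as a yes/no question return BOOL, the
# only return type `set return_value` is meant for.
BOOL_SELECTOR = re.compile(r"^(is|has|can|should|check)", re.IGNORECASE)

# Constructed from the `ios hooking search methods jail` output above.
SAMPLE_SEARCH_OUTPUT = """\
[DTTJailbreakDetection + isJailbroken]
[UIScreen + _shouldDisableJail]
[UIScreen - _unjailedReferenceBoundsForInterfaceOrientation:]
[UIScreen - _unjailedReferenceBoundsInPixels]
"""


def parse_search_output(text: str) -> list[tuple[str, str, str]]:
    """Return (class, kind, selector) for every result line; prompt lines and chatter are ignored."""
    found = []
    for line in text.splitlines():
        m = SEARCH_LINE.match(line.strip())
        if m:
            found.append((m["cls"], m["kind"], m["sel"]))
    return found


def to_hook_selector(cls: str, kind: str, sel: str) -> str:
    """Search output prints `[Class + sel]`; watch/set return_value want `+[Class sel]`."""
    return f"{kind}[{cls} {sel}]"


def is_apple_class(cls: str) -> bool:
    return cls.startswith(APPLE_PREFIXES)


def bypass_commands(search_output: str, include_apple: bool = False) -> list[str]:
    """Build the objection commands to observe, then neutralise, each app-owned check.

    Every method gets a watch hook (to confirm the check is really called and see
    what it returns); BOOL-looking ones additionally get a forced `false`.
    """
    commands: list[str] = []
    for cls, kind, sel in parse_search_output(search_output):
        if is_apple_class(cls) and not include_apple:
            continue
        selector = to_hook_selector(cls, kind, sel)
        commands.append(f'ios hooking watch method "{selector}" --dump-args --dump-return')
        if BOOL_SELECTOR.match(sel):
            commands.append(f'ios hooking set return_value "{selector}" false')
    return commands


if __name__ == "__main__":
    # One command per line; save as hooks.txt and feed it to objection at startup.
    print("\n".join(bypass_commands(SAMPLE_SEARCH_OUTPUT)))
```

Save the printed lines as hooks.txt and start the app with the hooks already in place (`objection -g com.example.app explore -c hooks.txt`, explore's --file-commands option), or paste them into the REPL once `ios jailbreak disable` has proven insufficient. Keep the watch hook: a forced return value that never fires means the app checks somewhere else.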

Extract Sensitive Information

Dump NSUserDefaults

NSUserDefaults is the simple key-value store apps use for small settings and user preferences. It is persisted as an unencrypted plist in the app's data container (Library/Preferences/<bundle id>.plist), so anything placed there is readable on a jailbroken device, from an unencrypted backup, or through this tooling. Other apps cannot reach it (the sandbox prevents that), but that is not the threat: it is the wrong place for secrets. The dump below shows a PIN (flutter.mPin) and an account e-mail stored in the clear; both belong in the keychain.

ios nsuserdefaults get

# Example output:
..........
"flutter.isStartStopGps" = 0;
    "flutter.isUploadResolution" = 0;
    "flutter.logACallObjectType" = 1;
    "flutter.mPin" = 1337;
    "flutter.mPinTime" = 7;
    "flutter.userEmail" = "redacted@redacted.com";
    "flutter.userId" = 1337;
.............
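The objection output above is Foundation's description format; the file on disk is a binary plist, which is what you get with `file download` on Library/Preferences/<bundle id>.plist. The script below, an added example that is not part of these notes or of objection, builds a constructed plist mirroring the keys in the dump (plus two assumed entries, an innocently named hex blob and a JWT-shaped ticket), parses it the way the real file would be parsed, and flags entries by key name or by value shape so a PIN or token does not get missed in a long dump:

```python
"""Triage an NSUserDefaults plist for values that belong in the keychain.

Added example: this script is not from the original notes or from objection.
The sample plist is constructed here to mirror the keys in the dump above (plus two
assumed entries that exercise the value-shape checks). On a device the real file is
<data container>/Library/Preferences/<bundle id>.plist; fetch it with objection's
`file download` and pass its bytes to find_sensitive(load_defaults(blob)).
"""
import plistlib
import re
import sys
from typing import Any

# Key names that usually mean a credential or identifier was stored in the clear.
SENSITIVE_KEY = re.compile(r"(pin|pass|pwd|secret|token|key|auth|session|cred|email|otp)", re.I)
# Value shapes worth a look even when the key name looks harmless.
JWT_VALUE = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]+$")
LONG_HEX_VALUE = re.compile(r"^[0-9a-fA-F]{32,}$")


def build_sample_defaults() -> bytes:
    """Constructed sample, serialised the way iOS stores NSUserDefaults (binary plist)."""
    prefs: dict[str, Any] = {
        "flutter.isStartStopGps": False,
        "flutter.isUploadResolution": False,
        "flutter.logACallObjectType": 1,
        "flutter.mPin": 1337,
        "flutter.mPinTime": 7,
        "flutter.userEmail": "redacted@redacted.com",
        "flutter.userId": 1337,
        # assumed entries: an innocently named nested blob and a JWT-shaped ticket
        "flutter.lastResponse": {"ok": True, "blob": "deadbeef" * 5},
        "apiTicket": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMzM3In0.c2ln",
    }
    return plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY)


def load_defaults(blob: bytes) -> dict[str, Any]:
    """plistlib autodetects binary vs XML, so an XML export of the same file also works."""
    return plistlib.loads(blob)


def find_sensitive(node: Any, path: str = "") -> list[tuple[str, Any, str]]:
    """Walk nested dicts/arrays and return (key path, value, reason) for each suspect entry."""
    hits: list[tuple[str, Any, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            # A sensitive key name with a scalar value is a finding on its own;
            # containers are always walked so nested values get the shape checks.
            if SENSITIVE_KEY.search(str(key)) and not isinstance(value, (dict, list)):
                hits.append((child, value, "key name"))
            else:
                hits.extend(find_sensitive(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_sensitive(value, f"{path}[{i}]"))
    elif isinstance(node, str):
        if JWT_VALUE.match(node):
            hits.append((path, node, "JWT-shaped value"))
        elif LONG_HEX_VALUE.match(node):
            hits.append((path, node, "long hex string"))
    return hits


def report(hits: list[tuple[str, Any, str]]) -> str:
    """One line per finding; values are truncated so a full token does not end up in the report."""
    lines = []
    for path, value, reason in hits:
        shown = str(value)
        if len(shown) > 24:
            shown = shown[:24] + "..."
        lines.append(f"{path} = {shown!r}  [{reason}]")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the downloaded plist as the first argument; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_defaults()
    print(report(find_sensitive(load_defaults(blob))))
```

The key-name list is deliberately broad (mPinTime is flagged alongside mPin); treat the output as a worklist to confirm in the app, not as findings by itself, and check each hit against the keychain dump in the next section to see whether the app ever stored it properly.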

Dump Keychain Data

Dumps the keychain items the current application can reach, i.e. those in the keychain access groups its entitlements grant. Check the Accessible column of each item: an accessibility class without ThisDeviceOnly is included in backups and migrates to other devices, and kSecAttrAccessibleAlways (deprecated) lets the item be read even while the device is locked. Credentials should use kSecAttrAccessibleWhenUnlockedThisDeviceOnly or stricter.

ios keychain dump

Last updated 1 year ago

Note: This page is incomplete and will be regularly updated. If you have any ideas or resources that need to be added, please contact me at yuyudhn@gmail.com.