Turning your iPhone/iPod Touch into a handheld hacking device

By: L33tdawg

This is a brief guide for all iphone and ipod touch hackers looking to turn your device into a truly portable and powerful hacking tool. The iPod Touch makes the perfect companion device for the security professional and can be quite handy for the quick hack when you're without your notebook/laptop. It's small and inconspicuous (basically you just look like you're listening to your tunes while you sniff the network *evil grin*) What you'll need

- A jail broken / hacked ipod touch or iphone - For this article I used an 8GB iPod touch but the same instructions should apply for all you iphone users. In fact the iPhone has the benefit of having GPRS data connectivity options which means you could still get some hacking done without a wifi connection although it would be painfully slow. The method you use to jailbreak your device is really and truly up to you and is honestly beyond the scope of this article. Here are some useful links to jailbreaking for both the touch and iPhone:

http://iphone.fiveforty.net/wiki/index.php/Main_Page
http://www.ipodtouchhacks.com/
http://www.ipodtouchfans.com/

- Installer.app (I would assume if you have a hacked iTouch/iPhone this would be one of the first things you'd install anyway or if you've used one of the newer 1.1.1 unlockers, Installer.app usually comes installed by default). If you're running OS X, I would seriously give iJailBreak a go - http://code.google.com/p/ijailbreak/. I've used it and it's absolutely painless. Super impressive as well that it's written by a 13 year old!

- SSH Client on your desktop - Putty is fine or if you're in OS X you can just use the client from the terminal

- SFTP Client on your desktop - I like CyberDuck although you can most certainly use the command line sftp as well

- XCode / Developer Tools and the arm-apple-darwin environment - If you're really serious about building your own customized security suite, you're going to need the arm-apple-darwin source so you can build / port applications over to the ARM architecture. XCode and the developer tools are on the Tiger or Leopard installation DVD under Optional Installs. Once you've got that set up, you'll also need the decrypted iPhone/iPod root filesystem - You can either decrypt the restore software (a pain in the ass imho) or just scp the files over from the device. This method here: http://www.touchdev.net/wiki/Jailbreak_Guide works pretty well. I put my filesystem in /usr/local/ipodfs. You'll need to set an environment variable named $HEAVENLY to the path where you placed your fs:

export HEAVENLY=/usr/local/ipodfs

Now to get the rest of the stuff set up.
Grab a copy of Low Level Virtual Machine or LLVM from svn

svn co http://llvm.org/svn/llvm-project/llvm/trunk llvm-svn -r 42498 (or -r 42286. I've found that the 42498 revision doesn't build for me on Leopard 10.5, however the older 42286 rev seems to work perfectly fine)

cd llvm-svn
./configure --enable-optimized
make ENABLE-OPTIMIZED=1 (do note this does take a fair amount of time to build)
make install
export LLVMOBJDIR=`pwd`

Grab a copy of iphone-dev from svn and build odcctools and csu

mkdir /usr/local/arm-apple-darwin (to hold the resulting toolchain - binaries will be placed in /usr/local/bin/)

svn co http://iphone-dev.googlecode.com/svn/trunk/ iphone-dev
cd iphone-dev
mkdir -p build/odcctools

cd build/odcctools
../../odcctools/configure --target=arm-apple-darwin --disable-ld64
export INCPRIVEXT="-isysroot /Developer/SDKs/MacOSX10.4u.sdk" (you'll need this step if you're on Leopard)
make && make install
cd ../../

cd include
./configure --with-macosx-sdk=/Developer/SDKs/MacOSX10.4u.sdk
sudo bash install-headers.sh
cd ../

Build csu

mkdir -p build/csu
cd build/csu
../../csu/configure --target=arm-apple-darwin
sudo make install
cd ../../

Now here comes the hardest part - building LLVM-GCC

mv llvm-gcc-4.0-iphone/configure llvm-gcc-4.0-iphone/configure.old
sed 's/^FLAGS_FOR_TARGET=$/FLAGS_FOR_TARGET=${FLAGS_FOR_TARGET-}/g' llvm-gcc-4.0-iphone/configure.old > llvm-gcc-4.0-iphone/configure
chmod +x llvm-gcc-4.0-iphone/configure
sudo ln -s /usr/local/arm-apple-darwin/lib/crt1.o /usr/local/arm-apple-darwin/lib/crt1.10.5.o
mkdir -p build/llvm-gcc-4.0-iphone
cd build/llvm-gcc-4.0-iphone
export FLAGS_FOR_TARGET="-mmacosx-version-min=10.1"
../../llvm-gcc-4.0-iphone/configure --enable-llvm=`llvm-config --obj-root`
--enable-languages=c,c++,objc,obj-c++ --target=arm-apple-darwin
--enable-sjlj-exceptions --with-heavenly=$HEAVENLY
--with-as=/usr/local/bin/arm-apple-darwin-as
--with-ld=/usr/local/bin/arm-apple-darwin-ld
make LLVM_VERSION_INFO=2.0-svn-iphone-dev-0.3-svn
sudo make install
cd ../../../

If everything worked correctly you should have arm-apple-darwin-gcc in /usr/local/bin/

Creating more space

If you've freshly jail broken your device you'll most likely want to create a symlink to a larger storage area for all the tools and scripts you're going to be installing. To do this, SSH into your iTouch and issue the following as root (the root password is 'alpine' by default.)

mv Applications /private/var/
ln -s /private/varApplications /Applications

The basic framework

There are a few apps that you're going to need to get installed through Installer.app before you can proceed.

Community Sources - gives you access to a greater number of apps
BSD Subsystem - A set of UNIX tools and commands
Perl - you'll need this to run the Metasploit framework as well as Nikto (the web application scanner)
Python - if you want to run the sqlmap sql-injection scanner/enumerator
DNS Tools - includes nslookup, dig, nc
Stumbler - for getting details on available wireless networks
VNsea - VNC client for the iphone/itouch
MobileFinder - So you can browse the filesystem and open files
MobileTextEdit - Ideal for viewing output from scans, tcpdump logs etc
SysInfo - a good tool to kill, relaunch, renice processes.
Term-vt100 - This is much better than Terminal.app and has tab completion (which is a real boone when you're working on the tiny touch soft keyboard)
Services - This little app allows you to turn the SSH service on and off without having to use the command line tools. Quite handy when you need to conserve power.
OpenSSH - Depending on which jailbreak/unlocker app you used, you should already have dropbear installed and running once you've jailbroken your device. This provides you with the basic SSH access into the device, however it does not give you command line ssh access FROM your ipod. Installing OpenSSH fixes this issue. You have the option of manually removing dropbear from the ipod once you have OpenSSH installed however it makes not difference if you leave it there or remove it.

The security tools

Granted there are a 1001 security tools out there but we certainly don't need a 1001 solutions to get the job done. Also the iphone toolchain is still in its infancy and problems with getting a working compiler will keep you busy for at least a couple of hours if not days. As such a number of cool tools have not been ported to the iphone/ipod touch yet; hopefully this will change in the weeks and months to come :) I'm guessing by the time the full SDK rolls out, you'll start to see a lot of cool apps being ported.

Metasploit - Currently Metasploit 2 (written in Perl) works and msfweb seems to run and work most of the time - Metasploit 3 does not run due to the (still) broken installation of Ruby which is provided through Installer.app. In order to get Metasploit to work most reliably, you will need to ensure you ONLY run msfweb and Safari - running anything else in addition will either cause the ipod to restart or for safari to crash on load.

First grab a copy of the metasploit framework from here http://www.metasploit.com/tools/framework-2.7.tar.gz
Untar the framework and upload it to your ipod using sftp
I placed my install in tools/msf/
Create a symbolic link to msfweb in /usr/bin/ so you can start up msfweb from the terminal without too much typing:

ln -s /root/tools/msf/msfweb /usr/bin/msfweb

Open the terminal and run msfweb & to place the process into the background. If you don't append the &, the process will quit as soon as you switch away from Terminal to Safari. Do note that while the Ipod touch does have a fairly beefy processor, it does take a good 2 - 3 minutes before the msfweb service will be available via Safari so give it some time to load. If all goes well and you see the "msfweb started" message in the terminal you can now open Safari and surf to http://127.0.0.1:55555 If Safari crashes while loading, just reopen it again and it usually loads fine on the second attempt. You might also want to create a bookmark to Metasploit in Safari to save you the trouble of retyping the URL each time you want to use it. To stop msfweb, kill the perl process through SysInfo.app

Nikto - The web application scanner runs perfectly well from the ipod and makes a great little companion app even though it's kinda of pointless against the newer web 2.0 apps. It runs on PERL and version 2.0 currently works perfectly fine on the itouch/iphone. it would be a good idea to pipe the output from any scans into a text file which you can then read with MobileTextEdit. You can grab a copy of Nikto from here: http://www.cirt.net/code/nikto.shtml be sure to run ./nikto.pl --update once you've transferred the folder over to the itouch/iphone or you could also run it before copying the folder over.

Sqlmap - this little python script works pretty well for retrieving remote databases, tables, columns and data through sql-injection methods. You can download it through svn:
svn checkout https://sqlmap.svn.sourceforge.net/svnroot/sqlmap sqlmap Do note that only the older 0.5-rc2 version works perfectly on the ipod touch - The newer 0.5 and the latest svn version (0.6-rc4) does not run and complains of a missing parser.

Tcpdump - This already comes installed with BSD Subsystem and works pretty well. You'll need to pipe the output from the dumps into a text file for easy reading later.

Other apps worth trying to port

nmap - Even though the iphone toolchain is fairly robust, it seems it still requires a bit more work before you can cross compile almost anything. At the moment trying to build nmap for arm-apple-darwin dies when trying to either build libpcap-bpf or when building libpcre. Hopefully a future release of the toolchain will fix this issue.

ngrep - the same is true for ngrep at the moment - refuses to build with --with-pcap=bpf although I'm sure with a little messing around of the Makefile it will compile.

ettercap - I haven't tried compiling this yet

Photos

The main dashboard with Summerboard installed (sorry for the blurry pic)

tcpdump in action

top although Sysinfo works pretty well too

starting up msfweb

msfweb interface in Safari

Some other useful links

http://conceitedsoftware.com/iphone/site/
http://iphone.natetrue.com/
http://ericasadun.com/

Tags: