Mobile Pentesting: Dynamic Analysis

The primary work of a mobile pentester is the static and dynamic analysis of applications using tools such as JD-GUI, Frida and Objection. In this blog we will cover some concepts of dynamic analysis of Android apps.
Dynamic analysis means inspecting or modifying an app at runtime. In this blog we will cover the tool called Objection for dynamic analysis of an Android app called diva-beta.apk, using a non-rooted Android device (POCO F1).

The link for the app is provided below:

diva-beta.apk

What is Objection?

Objection is a tool for dynamic analysis of Android-based applications. It allows us to assess mobile applications and their security posture without rooting or jailbreaking the mobile device. It is built on top of Frida, which is also a great tool for dynamic analysis. Many pentesters and bug hunters use these tools nowadays to perform dynamic application analysis.
To start with dynamic analysis of an application, the first step is to set up the tool on your operating system, such as Ubuntu or Kali Linux. We are going to cover all the steps to set up the tool on Kali Linux; the steps are below.

Step 1: Installation of Objection on Linux

We need Python 3 and pip3. You can install them on Kali Linux with the following commands:

sudo apt-get install python3          # installs Python 3 on your Kali
sudo apt-get install python3-pip      # installs pip3 on your Kali (there is no separate "pip3" apt package)

After installing Python and pip, the next step is to install Objection.
Note: If you already have Objection installed, you can use pip3 install --upgrade objection to upgrade it.

pip3 install objection

Now we have to install some utilities for Objection. You just need to run these commands:

sudo apt install zipalign
sudo apt install aapt

Note: zipalign is a tool for optimizing the app package and aapt compiles your SDK resources into binary form.

Step 2: Apktool installation

Before going further, we can also set up Apktool; the steps are below.

Download the Linux wrapper script (right click, Save Link As apktool):
https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool

Download apktool-2 (find the newest version here):
https://bitbucket.org/iBotPeaches/apktool/downloads/
After downloading the latest version, rename the downloaded jar to apktool.jar.

The next step is to move both files (apktool.jar and apktool) to /usr/local/bin (root access required).
Make sure both files are executable; if not, change the permissions using chmod +x.
Try running apktool from the CLI.

Step 3: Installation of jarsigner or apksigner

The next step is to set up either jarsigner or apksigner on Kali Linux. Why are these tools required?
The jarsigner tool is used to sign Java Archive (JAR) files and to verify the signatures and integrity of signed JAR files. The JAR format enables the packaging of class files, images, sounds and other digital data in a single file for faster and easier distribution. A tool named jar enables developers to produce JAR files. (Technically, any ZIP file can also be considered a JAR file, although when created by the jar command or processed by the jarsigner command, JAR files also contain a META-INF/MANIFEST.MF file.)

To install apksigner, or a JDK that provides jarsigner, use one of the following commands:

sudo apt-get install apksigner
sudo apt-get install default-jdk      # jarsigner ships with the JDK; there is no standalone "jarsigner" apt package

What is patching and why do we need our apps to be patched?
Patching is the process of injecting the Frida gadget library into our application (the APK file) and installing it on our device, i.e. the POCO F1 used for this analysis.

Objection is built on top of Frida and works on a client-server model. So whenever we patch an application we inject the Frida gadget library into the app so that it acts as the Frida server, while our Linux machine acts as the client.

Commands for patching the application.

In the terminal use the commands below:

objection --help
objection patchapk -s /home/kali/Downloads/diva-beta.apk -a arm64-v8a

-s : source APK

-a : architecture

Note: Objection will automatically detect the architecture. If it does not, we have to pass -a as shown. The objection command is case sensitive: use a lowercase o, not a capital O.

Installation of the patched APK

After patching, a new file diva-beta.objection.apk is created in /home/kali/Downloads.
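Added example (not from the post or the Objection project): a small Python check of an APK before and after patching, to see which ABIs contain native code and whether the Frida gadget landed in the expected lib/<abi>/ directory. The gadget file name libfrida-gadget.so is an assumption about how patchapk names it, and the APKs are constructed in memory.

```python
import io
import zipfile

# Assumed file name that objection's patchapk uses for the injected Frida gadget.
GADGET_NAME = "libfrida-gadget.so"
KNOWN_ABIS = ("armeabi-v7a", "arm64-v8a", "x86", "x86_64")

def inspect_apk(apk_bytes):
    """Report which ABIs ship native code and which of them contain the gadget.

    An APK is a ZIP; native libraries live under lib/<abi>/, which is what
    patchapk inspects when it auto-detects the architecture.
    """
    abis, gadget_abis = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[1] in KNOWN_ABIS:
                abis.add(parts[1])
                if parts[2] == GADGET_NAME:
                    gadget_abis.add(parts[1])
    return {
        "abis": sorted(abis),
        "gadget_abis": sorted(gadget_abis),
        "patched": bool(gadget_abis),
        # With more than one ABI, auto-detection may pick the wrong one: compare
        # with `adb shell getprop ro.product.cpu.abi` on the device and pass -a.
        "needs_arch_flag": len(abis) > 1,
    }

def make_sample_apk(abis, with_gadget=False):
    """Build a constructed, minimal APK-like ZIP for demonstration (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035")
        for abi in abis:
            zf.writestr(f"lib/{abi}/libnative.so", b"\x7fELF")
            if with_gadget:
                zf.writestr(f"lib/{abi}/{GADGET_NAME}", b"\x7fELF")
    return buf.getvalue()

# Constructed stand-ins for diva-beta.apk and diva-beta.objection.apk.
ORIGINAL_APK = make_sample_apk(["armeabi-v7a", "arm64-v8a"])
PATCHED_APK = make_sample_apk(["arm64-v8a"], with_gadget=True)

if __name__ == "__main__":
    print(inspect_apk(ORIGINAL_APK))
    print(inspect_apk(PATCHED_APK))
```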

To install the patched APK "diva-beta.objection.apk" we have to run:
adb install diva-beta.objection.apk

Note: USB debugging must be enabled on your device to install apps via adb. USB debugging is under Developer options. To enable Developer options, tap the Build number repeatedly, check the device manual, or search for your model number in any search engine.

To install adb, see this link:
https://www.xda-developers.com/install-adb-windows-macos-linux/

Procedure after patching

The next step is to launch the patched diva-beta app on the mobile device.

In this app we will try to trace the classes and methods of the "Hardcode part 1" challenge.

Starting Objection on Linux
To connect our Objection Linux machine (the client) to the server, i.e. our mobile device POCO F1 running the patched APK, simply type the following command in your Kali terminal:

objection explore

Hooking classes and methods

To hook classes and methods, we first have to search for the classes and methods related to hardcoded information. Here we will search the app for the keyword "hardcode" using the objection command:
android hooking search classes hardcode

Looking at the classes, we found three. The class we will hook is jakhar.aseem.diva.HardcodeActivity because it looks relevant to our need. Now we will watch this class using:
android hooking watch class jakhar.aseem.diva.HardcodeActivity

Now we find that whenever we click on the Access button, we can see which methods of the class are invoked at runtime. Three methods are invoked, but the one of importance to us is jakhar.aseem.diva.HardcodeActivity.access(android.view.View).

Now that we have the method name, we hook it using:
android hooking watch class_method jakhar.aseem.diva.HardcodeActivity.access
You will get output listing each invocation.

Note: use android hooking watch class_method jakhar.aseem.diva.HardcodeActivity.access --dump-args --dump-return if you want the arguments and the return value.

Setting a return value using Objection
diva-beta.apk does not have such a method, but assume we had an "is device rooted" boolean method in a class. Let us assume a class jakhar.aseem.diva.UserMainActivity with the method jakhar.aseem.diva.UserMainActivity.isDeviceRooted.

Now we want to set its return value to false using Objection. Why is this required? Sometimes apps refuse to run because root is detected on the phone, so what we can do is bypass the app's root detection using Objection:
android hooking set return_value jakhar.aseem.diva.UserMainActivity.isDeviceRooted false

Final words
As we come to the end of our journey, we hope you liked this blog. Objection is a great tool for dynamic analysis, especially when the code is obfuscated or unclear. Overall, Objection is a great tool for dynamic analysis.

Troubleshooting
If you face trouble or get an error while performing the patching process, below is a common error and the steps to resolve it.

If Objection shows a temporary file error, run:

objection patchapk -s /home/kali/Downloads/diva-beta.apk --skip-resources -k -n

Note: -D can be used in place of --skip-resources, -k stands for "do not clean up temp files" and -n stands for "ignore native libs".

Author: Sujay Chaurasia, Director, Cybersecurity, Development and DevOps, GRhombus Technologies

Corona Virus – Who cares?

It is you! You are already facing the Corona virus. Do you know Corona is already your invisible friend? Do you know when it turns into your enemy? Be mindful about your feelings and emotions. Emotions are particularly important to keep mind, body and soul together. Corona is attached to the soul and its energy. When you eat tasty food or listen to good music, the body receives it through the mind and the mind makes the soul happy, and thereby the cells in the human body remain energetic without any disturbance.

Why Corona attacks you?

When you are negative minded and leading a stressful, depressive and sorrowful life with unhealthy food habits, the mind receives negative emotions that disturb the soul's energy. Now the invisible friend, Corona, becomes your enemy, fights your body cells and damages them; consequently organs get damaged, which in turn leads to death for the body, not for the soul.

Keep Away Corona with Mantra and Sankalpa

So, to overcome or win over Corona, follow this simple mantra, "Keep Inner Peace": practice positive thinking, be happy, have clean habits, love your neighbor, show gratitude for whatever you receive, observe mother nature and be sensitive to her, be satisfied with what you have today and lead a happy life, laugh louder, keep trustworthy friendships, have a permitted and healthy sex life, be mindful about your body and breath, do not take bad news deep into your mind, do not utter negative words, and be open to learning at any age. We are born out of mother nature with five elements: Earth, Water, Fire, Air and Ether. All of these relate perfectly to the body: the flesh and bones of the body are the Earth, the body is 70% Water, Agni (Fire) is the internal energy in the body, Air is the breath that sustains life in the body, and Ether is the space around the body. When we come from nature and live in this nature, we are not different from nature. Be in sync with nature and its cycles through Body, Mind and Soul. Eventually that develops an egoless, positive life within you. In such a state you will get what you want from this universe upon just a true wish (dharmic sankalpa). That is the key to a successful life!

Author: Srirama Murala, Director, GRhombus Technologies

Is Robotic Process Automation (RPA) a viable solution?

Yes! It is.
Robotic Process Automation is a simple "software", "robot" or "bot" that takes a set of instructions to automate human computer-based tasks, for example copying data or moving files from a source to another system, especially into a legacy system.

Engaging humans to do robotic work? Why not go for Robotic Process Automation?

A few examples of potential candidates for RPA:

  1. The accounts department frequently receives invoices from vendors over email and needs to update the required fields in the SAP FI accounts payable system just as frequently.
  2. A customer support team receives a huge number of emails daily, and replying to them takes huge time and effort.
  3. A product sales analyst and his team regularly scrape data from different eCommerce websites, copy it to an Excel sheet, and then import it into an analytics database to identify trends.

Ever since computers were invented, they have performed many day-to-day repetitive tasks to sustain business processes such as HR onboarding, the finance department making invoices and payments, IT user provisioning, etc.; all of these business functions attract RPA.

When goods purchased online are returned, processing the return consumes manual effort, time and money, which is a costly endeavor. A company that implements RPA can manage goods returns without adding cost or causing delay. It also saves time and reduces errors in sending a message confirming receipt of the return, updating the inventory system, making the payment adjustment to the customer, processing the invoice, and ensuring that the internal billing system is updated.

Company staff who handle repetitive, mundane tasks, bridging systems and data integration, can automate those tasks by giving simple command-like instructions to an RPA robot, so that staff can take care of other tasks, which results in job satisfaction.

Even though RPA is complex to implement, it is a viable solution for organizations, and when it is implemented properly, with a process that has robots and the relevant people in place, it shows successful results by reducing costs to the company.

If Artificial Intelligence (AI) / Machine Learning (ML) is implemented with RPA, ML improves robot performance and decision making and hence improves ROI.

The sectors that attract RPA are:

Supply Chain Management (SCM), Customer Service, Accounting, Financial services, Health Care, Hospitality, Government, Human Resources, Insurance, e-Commerce, Retail, Transportation, Communication service providers, Media and Entertainment, Energy and Utilities, Manufacturing.

Gartner, the world's leading research and advisory company, for example, has predicted that 73% of corporate controllers will implement some form of RPA in their finance departments by 2020.

Commercial tools with a free edition or trial version: Blue Prism, UiPath, Automation Anywhere, WorkFusion, PegaSystems
Free open source tools: TagUI, Taskt (sharpRPA)

Author: Srirama Murala, Director, GRhombus Technologies

Why Python for Artificial Intelligence (AI)?

Among the available programming languages, Python offers a choice between the OOP and scripting approaches, fewer lines of code, platform independence and flexibility, and it is easy to learn. Python is the developer's choice compared with other technologies and OOP languages because of the availability of built-in libraries, for example NumPy for scientific computation, SciPy for advanced calculations and PyBrain for machine learning, making Python one of the best languages for AI.

For AI, Python leads with more than 50% of votes among developers, ahead of popular languages like C++. That is because Python is easy to learn and put into use, and because many libraries are available for data analysis.

Python vs C++ for AI:

Python wins over C++ especially among new developers, because C++, being a lower-level language, demands more experience and skill to master.

The performance of C++ is better than Python's. This is because C++ has the advantage of being a statically typed language, which is why there are no type-related errors at runtime; C++ also produces more compact and faster runtime code. However, Python has a simple syntax that makes development faster than in C++, it maps more naturally onto the ETL (Extract, Transform, Load) process, and it allows developers to test machine learning algorithms without having to implement them in full first.

Python vs Java for AI:

The two languages are also written differently. A block in Java is enclosed in braces; Python uses indentation for the same purpose.

Java is also slower performance-wise, and for developing high-end AI programs developers prefer Python.

Java is a compiled language whereas Python is an interpreted language.

Conclusion:

AI needs a lot of research, and because of this we can't rely on 500 KB of commonly used Java code to test a new hypothesis, as the project would never finish. In Python, almost every idea can be quickly validated with less code. Therefore, it is a very useful language for AI.

Author: Nandini N, Software Engineer, test automation framework developer and technology enthusiast at GRhombus.

What is SQL Injection?

SQL Injection is one of the most favored and most frequently attacked vulnerabilities that hackers exploit nowadays. In the last three OWASP Top 10 releases, Injection (i.e. SQL Injection) has been ranked the number one web attack.

SQL Injection can be defined as "an injection attack in which the attacker tries to interfere with SQL queries or SQL statements by sending a malicious payload to the website." SQL Injection is mainly categorized into three major types:

In-Band SQL Injection

In-band is the most common and easiest-to-exploit category of SQL Injection. In these injection attacks, the attacker uses the same communication channel both to launch the attack and to gather results.

In-band SQL Injection is of two types:

Error-based Injection:

Error-based SQLi is a technique that relies on error messages thrown by the database server to obtain information about the structure of the database. For some web applications, error-based SQL injection alone is enough for a hacker to enumerate an entire database and obtain the relevant information.

Union-based Injection:

Union-based SQL injection is a technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result, which is then returned as part of the HTTP response and gives the attacker information from the database.

Inferential Injection:

Inferential SQL Injection may take an attacker longer to exploit, and it is sometimes more difficult to exploit. In an inferential SQLi attack, no data is actually transferred via the web application, and the attacker cannot see the result of the attack as in in-band injection. The attacker has to reconstruct the database structure by sending different payloads and observing the web application's response and the database's behavior. It is also called Blind SQL Injection (Blind SQLi).
Inferential SQL Injection is of two types:

Boolean-based SQL Injection

Boolean-based SQL Injection is a technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query evaluates to TRUE or FALSE.

Time-based SQL Injection

Time-based SQL Injection is a technique that relies on sending an SQL query to the database which forces the database to wait or lock for a specified amount of time (in seconds) before responding. The response time indicates to the attacker whether the result of the query is TRUE or FALSE.
The basic syntax for time-based SQL injection uses delay functions such as WAITFOR DELAY or die().

Out-of-band SQL Injection

Out-of-band SQL Injection is the most difficult type of SQL Injection for an attacker to perform, mainly because it depends on features being enabled on the database server used by the web application. Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.

Out-of-band SQLi techniques rely on the database server's ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server's xp_dirtree command, which can be used to make DNS requests to a server an attacker controls, and Oracle Database's UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls. Happy Hacking!

Author: Sujay Chaurasia, Director, Cybersecurity, Development and DevOps, GRhombus Technologies

What is Tcpdump?

Tcpdump is an open source tool, like Wireshark, for network traffic monitoring. Just as in Wireshark, we can dump network traffic using tcpdump. This tool is readily available in Debian-based distributions like Kali Linux. tcpdump is a command-line packet sniffer, or packet analyzer, used to capture or filter TCP/IP packets received or transmitted over a network on a specific interface.
tcpdump also gives you the option to save captured packets to a file for future analysis. It saves the file in pcap format, which can be viewed with the tcpdump command or with an open source GUI tool like Wireshark that reads pcap files.

How to install tcpdump on Ubuntu/Debian?
You can install tcpdump on Kali Linux with the following command:

$ sudo apt install tcpdump
The general syntax for the tcpdump command is as follows:
$ tcpdump [options] [expression]

  1. The command options control the behavior of the command.
  2. The filter expression defines which packets will be captured.

To dump the traffic we can use different commands.

To capture packets from a particular Ethernet interface

When you execute the tcpdump command without any options, it captures all the packets flowing through all the interfaces. The -i option of tcpdump allows you to capture on a particular Ethernet interface.
$ tcpdump -i [interface name]
$ tcpdump -i eth1
The above tcpdump command captures all the packets flowing through the interface eth1 and displays them on standard output, where '-i' = interface.
Note: The editcap utility is used to select or remove specific packets from a dump file and translate them into a given format.

To capture only N packets

When you execute the tcpdump command it keeps printing packets until you cancel it. Using the -c option you can specify the number of packets to capture.
$ tcpdump -c 2 -i eth0
The above tcpdump command captures only 2 packets from interface eth0, where '-c' specifies the number of packets to be captured.
Note: mergecap and tshark: mergecap is a packet dump combining tool, which combines multiple dumps into a single dump file. tshark is a powerful tool to capture network packets and analyze network traffic. Both come with the Wireshark network analyzer distribution.

To display captured packets in ASCII

When you want to see the packets in ASCII, execute:
$ tcpdump -A -i eth0

To display captured packets in HEX and ASCII

When you want to see the packets as hex values, tcpdump provides a way to print packets in both ASCII and HEX format:
$ tcpdump -XX -i eth0

To write the captured packets to a file and read them back

tcpdump allows you to save the packets to a file, and later you can use the packet file for further analysis.
$ tcpdump -w <file_name>.pcap -i eth0
The -w option writes the packets into the given file. The file extension should be .pcap, which can be read by any network protocol analyzer.
$ tcpdump -r <file_name>.pcap
The '-r' option stands for "read" and replays a saved capture file instead of a live interface.

To list all network interfaces

When you want to fetch the list of all available network interfaces, use:
$ tcpdump -D
The '-D' option displays all the interfaces available to the tcpdump command.

To capture all network packets

To capture all inbound and outbound network packets we can use the pseudo-interface 'any', which captures packets going through all network interfaces. This is done with the interface option '-i'.
$ tcpdump -v -i any

To capture protocol-specific packets

When you want to capture packets belonging to a particular network protocol, append the name of the protocol at the end. You can specify one of these protocols: wlan, ip, ip6, arp, tcp, udp, etc.
$ tcpdump -i any tcp
The following example captures only ARP packets flowing through the eth0 interface.
$ tcpdump -i eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

To capture host-specific packets

To capture host-specific packets we can use the 'host' keyword with tcpdump, which filters all the packets exchanged with a particular host.
$ tcpdump -nn -c 5 -i any host X.X.X.X
'-nn' tells tcpdump not to resolve hostnames or port names, so addresses and ports are shown numerically.
Note: Packets appear only if there is actual network traffic with the specific IP address.

To capture packets from a particular source or destination

To capture packets from a particular source we can use the 'src' (source) qualifier followed by an address.
$ tcpdump -nn -c 5 -i any src X.X.X.X
For a destination-specific query, 'dst' is used.
$ tcpdump -nn -c 5 -i any dst X.X.X.X

To capture packets flowing on a particular port

We can capture all the packets sent to or received from a particular port on a machine with the 'port' qualifier:
$ tcpdump -i eth0 port 21

To capture packets for a particular destination IP and port

When we know the source and destination IPs and port numbers, tcpdump lets us apply filters on the source or destination IP and port number. To capture packets flowing through network interface eth0 with a particular destination IP (X.X.X.X) and port number 21:
$ tcpdump -w xpackets.pcap -i eth0 dst X.X.X.X and port 21

To capture TCP communication packets between two hosts

If two processes on two different machines are communicating over TCP, we can capture those packets with the following command:
$ tcpdump -w comm.pcap -i eth0 src X.X.X.X and port 21 and dst X.X.X.X and port 21

Showing only IP addresses for packets on a specific interface

Using the -n option, tcpdump does not convert addresses to hostnames, so the output shows IP addresses only for the packets on the given interface. An example is shown below.
$ tcpdump -n -i eth0
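Added example, not code from the post: a minimal pure-Python reader for the classic pcap format that tcpdump -w produces, with a filter that mirrors the 'host' and 'port' primitives used above. The capture is constructed in memory (three Ethernet/IPv4/TCP frames with documentation-range placeholder addresses); pcapng files are deliberately not handled.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1  # pcap link type written by tcpdump on an Ethernet interface

def build_eth_ipv4_tcp(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def build_pcap(packets):
    """Write a classic pcap file: 24-byte global header, then 16-byte record headers."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, pkt in packets:
        data += struct.pack("<IIII", ts_sec, 0, len(pkt), len(pkt)) + pkt
    return data

def parse_pcap(data):
    """Return one record per TCP/IPv4 packet: timestamp plus the address/port 4-tuple."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"  # file was written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", pkt[12:14])[0] != 0x0800:  # EtherType: skip non-IPv4
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
        if ip[9] != 6:  # protocol field: skip non-TCP
            continue
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        records.append({"ts": ts_sec, "src": socket.inet_ntoa(ip[12:16]), "sport": sport,
                        "dst": socket.inet_ntoa(ip[16:20]), "dport": dport})
    return records

def filter_records(records, host=None, port=None):
    """Same semantics as tcpdump's 'host X' and 'port N' primitives (either direction)."""
    return [r for r in records
            if (host is None or host in (r["src"], r["dst"]))
            and (port is None or port in (r["sport"], r["dport"]))]

# Constructed capture: an FTP (port 21) exchange between two hosts plus one HTTPS packet.
SAMPLE_PCAP = build_pcap([
    (1700000000, build_eth_ipv4_tcp("192.0.2.10", "198.51.100.5", 51000, 21)),
    (1700000001, build_eth_ipv4_tcp("198.51.100.5", "192.0.2.10", 21, 51000)),
    (1700000002, build_eth_ipv4_tcp("192.0.2.11", "198.51.100.7", 51001, 443)),
])

if __name__ == "__main__":
    for r in filter_records(parse_pcap(SAMPLE_PCAP), port=21):
        print(r)
```

The same parse_pcap() function reads a real file written by tcpdump -w once you pass it open(path, "rb").read().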

Author: Sujay Chaurasia, Director, Cybersecurity, Development and DevOps, GRhombus Technologies