LPTv4 Module 37: Bluetooth and Hand Held Device Penetration Testing
ECSA/LPT
EC-Council
Module XXXVII
Bluetooth and Hand Held Device Penetration Testing
Penetration Testing Roadmap
Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing
Cont'd
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap (cont'd)
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Bluetooth and Hand Held Device Penetration Testing
• Telecommunication and Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here

iPhone

Jailbreaking in an iPhone
Jailbreaking is the process of unlocking iPhone and iPod touch devices to permit the installation of third-party applications.

Steps for iPhone Penetration Testing
1. Try to jailbreak the iPhone
2. Try to unlock the iPhone
3. Try to activate the voicemail button on your unlocked iPhone
4. Try to hack the iPhone using Metasploit
5. Check for an access point with the same name and encryption type
6. Check whether malformed data can be sent to the device
7. Check whether basic memory mapping information can be extracted

Step 1: Try to Jailbreak the iPhone
Jailbreak the iPhone using different jailbreaking tools such as iDemocracy, iActivator, and iFuntastic.

Jailbreaking Using iFuntastic
Download the iPhone hacking kit, and install iFuntastic in your Applications folder. After installing, perform the following steps:
• Reboot your Mac safely, so that iFuntastic is not crashed during this process
• Switch on your iPhone and then connect it to your Mac using the appropriate cable
• When the iPhone is connected to the Mac, the iTunes application launches; close the application
• Now launch iFuntastic
• Press the Prepare button on the left side of the iFuntastic window
• Click the Jailbreak button at the bottom of the window
• Follow the six steps on the next page of the window
You will see the screenshot as given in the next slide.
Jailbreaking Using iFuntastic: Screenshot

Jailbreaking Using AppSnapp
• Open the AppSnapp page on your iPhone or iPod Touch to automatically jailbreak the device and put Installer.app on it
• At the bottom of the page, click the Install AppSnapp button; you will then see the "Slide to Unlock" screen
• After unlocking the device, you will find the "Installer" icon on your screen; click the "Installer" icon, then click "Sources", and install the "Community Sources" package
• Under the System tab, install the BSD Subsystem and OpenSSH
• Now your iPhone is ready to receive and use third-party binaries

Tool for Jailbreaking: iDemocracy
iDemocracy is the iPhone jailbreak and third-party app installation solution for the Windows platform. It installs Installer.app (for 3rd party apps/games), custom ringtones, and SIM unlock. It has new features like free ringtones on firmwares as well as File Browsing.
iDemocracy: Screenshot

Tool for Jailbreaking: iActivator
iActivator is a Cocoa-based application for the Mac. It is a graphical interface providing iPhone activation/deactivation tools and methods for breaking/restoring the jail.
iActivator: Screenshot

Tool for Jailbreaking: iNdependence
iNdependence is a Cocoa-based application for Mac OS X which provides an easy-to-use interface for jailbreak, activation, SSH installation, and ringtones. It allows unauthorized third-party application installation on your iPhone.

Step 2: Try to Unlock the iPhone
Unlock the iPhone using tools such as iPhoneSimFree and anySIM.

Tool to Unlock iPhone: anySIM
anySIM is a GUI-based SIM unlocking solution for the iPhone. It is for iPhones running OS v1.1.1 or iPhones that were upgraded from 1.0.2 to 1.1.1. It is described as fully automatic, requiring only to be copied to a "jailbroken" iPhone and launched from the Springboard's interface.

Unlocking Your iPhone Using AnySIM
Jailbreak your iPhone with iActivator or iNdependence. Set it up to install third-party applications. Use the following steps to put AnySIM on it:
1. Download AnySIM 1.1 and extract it.
2. Move the "anySIM" file to the Applications folder.
3. Open Terminal (located in /Applications/Utilities) and type the following:
scp -r /Applications/anySIM.app root@IPADDRESS:/Applications/
where IPADDRESS is the IP address of your iPhone.
4. Restart your iPhone.
5. Run the AnySIM application to unlock your iPhone.

Step 3: Try to Activate the Voicemail Button on Your Unlocked iPhone
• Get the voicemail number of your carrier
• Dial: *5005*86*xxx# where xxx is your voicemail number
• Tap the call
• Click on the voicemail button, which automatically calls your voicemail service

Step 4: Try to Hack iPhone Using Metasploit
Use the Metasploit tool to exploit the vulnerabilities in the iPhone. This allows the attacker to:
• Control an iPhone remotely.
• Gain root access to the iPhone.
• Remotely access recently modified files.
• Access stored emails.
• View the iPhone's web browsing history.

Step 5: Check for Access Point with Same Name and Encryption Type
The iPhone identifies access points by SSID. If the user comes within range of an attacker-controlled access point with the same name and encryption type, the iPhone will automatically use the malicious access point. The attacker can then inject an exploit into the user's web browsing, replacing the requested page with a page containing the exploit.
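Because a client that selects networks by SSID cannot distinguish a rogue access point whose name and encryption type match the genuine one, the defensive check has to key on something the rogue cannot copy without colliding with the real AP: the BSSID. The following is an added example, not code from the EC-Council module, of that check in Python. It compares Wi-Fi scan results against a baseline of the BSSIDs an organisation actually operates and reports every unknown BSSID that advertises one of the organisation's SSIDs, noting whether it also matches the genuine encryption type (the auto-join case the step describes) and whether it is louder than the genuine APs. The baseline, the scan records and all addresses are constructed for the example.

```python
"""Flag possible "evil twin" access points in Wi-Fi scan results.

Added example (not from the EC-Council module). A client that picks a network
by SSID cannot tell a rogue AP from the genuine one when the encryption type
also matches, so this check keys on the BSSID, which the rogue cannot share
with the genuine AP. Baseline and scan records below are constructed.
"""
from collections import defaultdict

# Constructed baseline: BSSIDs the organisation actually operates, per SSID.
KNOWN_APS = {
    "corp-wifi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "corp-guest": {"00:11:22:33:44:03"},
}

# Constructed scan records: (ssid, bssid, encryption, channel, signal_dbm).
SCAN = [
    ("corp-wifi",  "00:11:22:33:44:01", "WPA2", 6,  -55),
    ("corp-wifi",  "00:11:22:33:44:02", "WPA2", 11, -61),
    ("corp-wifi",  "de:ad:be:ef:00:01", "WPA2", 6,  -30),  # unknown BSSID, same SSID and encryption
    ("corp-guest", "00:11:22:33:44:03", "OPEN", 1,  -70),
    ("corp-guest", "de:ad:be:ef:00:02", "WPA2", 1,  -40),  # unknown BSSID, encryption differs
    ("cafe-free",  "aa:bb:cc:dd:ee:ff", "OPEN", 3,  -50),  # not one of our SSIDs: out of scope
]


def find_evil_twins(scan, known_aps):
    """Return one finding per BSSID that advertises one of our SSIDs but is not in the baseline.

    Each finding records whether the unknown AP matches the genuine APs' encryption
    type (the case in which a client auto-joins it) and whether it is louder than
    every genuine AP seen, which is how a rogue wins the client's preference.
    """
    by_ssid = defaultdict(list)
    for ssid, bssid, enc, ch, sig in scan:
        by_ssid[ssid].append((bssid, enc, ch, sig))

    findings = []
    for ssid, aps in by_ssid.items():
        if ssid not in known_aps:
            continue  # SSIDs we do not own are not evil twins of anything we run
        genuine = [ap for ap in aps if ap[0] in known_aps[ssid]]
        genuine_enc = {enc for _, enc, _, _ in genuine}
        loudest_genuine = max((sig for _, _, _, sig in genuine), default=None)
        for bssid, enc, ch, sig in aps:
            if bssid in known_aps[ssid]:
                continue
            findings.append({
                "ssid": ssid,
                "bssid": bssid,
                "channel": ch,
                "signal_dbm": sig,
                "matches_encryption": enc in genuine_enc,
                # None when no genuine AP for this SSID was seen in the same scan
                "louder_than_genuine": None if loudest_genuine is None else sig > loudest_genuine,
            })
    # highest-risk first: matching encryption, then strongest signal
    findings.sort(key=lambda f: (not f["matches_encryption"], -f["signal_dbm"]))
    return findings


if __name__ == "__main__":
    for f in find_evil_twins(SCAN, KNOWN_APS):
        flag = "AUTO-JOIN RISK" if f["matches_encryption"] else "encryption mismatch"
        print(f"{f['ssid']}: unknown BSSID {f['bssid']} ch{f['channel']} "
              f"{f['signal_dbm']} dBm ({flag})")
```

The scan feed in practice would come from a wireless IDS sensor or a periodic scan on managed clients; the baseline is the inventory of deployed radios, which must be kept current or every legitimately added AP will surface as a finding.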
Step 6: Check Whether Malformed Data Can Be Sent to the Device
Perform this attack on an iPhone with the MobileSafari browser.
• Extract the binaries from the device by jailbreaking.
• Analyze the binaries by using a disassembler such as diStorm64.
• Perform the source code audit.
• Send the malformed data to the device to cause a fault and make it crash.

Step 7: Check Whether Basic Memory Mapping Information Can Be Extracted
Run the Mac OS X crash reporter. It provides register values and basic memory mapping information.
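What a tester or a defender does with the register values and memory map the crash reporter provides is triage the crash: which image the program counter was in, whether the faulting address lies in any mapped image at all, and which registers held that address. The following is an added example, not from the EC-Council module, of a small Python parser that pulls the register dump and the "Binary Images" map out of a CrashReporter-style report and answers those questions. The report text is a constructed, abbreviated imitation of that layout; the process, addresses, paths and register values are invented for the example.

```python
"""Extract register values and the memory map from a Mac OS X style crash report.

Added example (not from the EC-Council module). SAMPLE_REPORT is a constructed,
abbreviated imitation of the CrashReporter layout; every value in it is invented.
"""
import re

SAMPLE_REPORT = """\
Process:         MobileSafari [217]
Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x41414141

Thread 0 Crashed:
0   libSystem.B.dylib   0x30012345 strlen + 5
1   MobileSafari        0x00002a10 0x1000 + 6672

Thread 0 crashed with ARM Thread State:
    r0: 0x41414141    r1: 0x00000000    r2: 0x0000000c    r3: 0x00000001
    r4: 0x41414141    r5: 0x00100000    r6: 0x00000000    r7: 0x2ffffc50
    sp: 0x2ffffc40    lr: 0x00002a10    pc: 0x30012345  cpsr: 0x20000010

Binary Images:
    0x1000 -     0x3fff +MobileSafari ??? (???) /Applications/MobileSafari.app/MobileSafari
0x30000000 - 0x300fffff  libSystem.B.dylib ??? (???) /usr/lib/libSystem.B.dylib
"""

REG_RE = re.compile(r"\b([a-z]+\d*):\s+0x([0-9a-fA-F]+)")
IMAGE_RE = re.compile(
    r"^\s*(0x[0-9a-fA-F]+)\s*-\s*(0x[0-9a-fA-F]+)\s+\+?(\S+)\s.*?(/\S+)\s*$")
FAULT_RE = re.compile(r"Exception Codes:.*\bat\s+(0x[0-9a-fA-F]+)")


def parse_registers(report):
    """Return {register: int} from the 'crashed with ... Thread State' block."""
    regs, in_block = {}, False
    for line in report.splitlines():
        if "Thread State" in line:
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break  # blank line ends the register dump
            for name, val in REG_RE.findall(line):
                regs[name] = int(val, 16)
    return regs


def parse_memory_map(report):
    """Return [(start, end, name, path)] from the 'Binary Images:' section."""
    images, in_block = [], False
    for line in report.splitlines():
        if line.startswith("Binary Images:"):
            in_block = True
            continue
        if in_block:
            m = IMAGE_RE.match(line)
            if m:
                images.append((int(m.group(1), 16), int(m.group(2), 16),
                               m.group(3), m.group(4)))
    return images


def image_for(addr, images):
    """Name of the mapped image containing addr, or None if it is unmapped."""
    for start, end, name, _path in images:
        if start <= addr <= end:
            return name
    return None


def triage(report):
    regs = parse_registers(report)
    images = parse_memory_map(report)
    m = FAULT_RE.search(report)
    fault = int(m.group(1), 16) if m else None
    return {
        "fault_address": fault,
        "pc_image": image_for(regs.get("pc", -1), images),
        "fault_in_mapped_image": None if fault is None else image_for(fault, images) is not None,
        # registers that held the faulting address show where the bad pointer came from
        "registers_equal_fault": sorted(n for n, v in regs.items() if v == fault),
        "register_count": len(regs),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REPORT).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

A fault address that lies outside every mapped image, held in general-purpose registers at the time of the crash, is the signature of a pointer derived from input data; that is the finding that turns a crash report into a bug that must be fixed rather than a transient glitch.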
BlackBerry

Vulnerabilities in BlackBerry
• A boundary error exists in the attachment service while handling malformed TIFF image attachments.
• While handling Server Routing Protocol (SRP) packets, some errors are committed: this vulnerability interrupts the communication between the BlackBerry Enterprise Server and the BlackBerry Router, resulting in a DoS attack.
• A boundary error exists in the attachment service while handling malformed Microsoft Word (.doc) files: this vulnerability results in a buffer overflow, and arbitrary code is executed on the BlackBerry attachment service.
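The "boundary error" named for the TIFF and .doc attachments is the general failure of a file parser to check the offsets and counts it reads from the file against the file's actual size before using them. The following is an added example, not RIM's attachment-service code (which is not on this page), of a bounds-checking TIFF header and IFD validator in Python that rejects such files before any pixel data is touched. The two sample files are constructed in memory; the `_tiff` helper that builds them is part of the example, not a real library.

```python
"""Bounds-checking validator for the TIFF header and IFD chain.

Added example (not RIM's attachment-service code). Every offset and count read
from the file is checked against the file length before it is used, which is the
check whose absence produces the "boundary error" class of bug. Samples are
constructed in memory.
"""
import struct

# Byte size of each TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL, ...).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def validate_tiff(data: bytes, max_entries: int = 4096) -> list[str]:
    """Return the problems found; an empty list means every structure is in bounds."""
    problems = []
    n = len(data)
    if n < 8:
        return ["file shorter than the 8-byte TIFF header"]
    bom = data[:2]
    if bom == b"II":
        end = "<"
    elif bom == b"MM":
        end = ">"
    else:
        return [f"bad byte-order mark {bom!r}"]
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        problems.append(f"bad magic {magic}")
    seen = set()
    while ifd_off:
        if ifd_off in seen:
            problems.append(f"IFD chain loops at offset {ifd_off}")
            break
        seen.add(ifd_off)
        if ifd_off + 2 > n:
            problems.append(f"IFD offset {ifd_off} beyond file size {n}")
            break
        (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
        if count > max_entries:
            problems.append(f"IFD declares {count} entries, over limit {max_entries}")
            break
        entries_end = ifd_off + 2 + 12 * count
        if entries_end + 4 > n:  # entries plus the 4-byte next-IFD pointer must fit
            problems.append(f"IFD at {ifd_off} with {count} entries overruns file size {n}")
            break
        for i in range(count):
            e = ifd_off + 2 + 12 * i
            tag, typ, cnt, val = struct.unpack(end + "HHII", data[e:e + 12])
            size = TYPE_SIZES.get(typ)
            if size is None:
                problems.append(f"entry {i} tag {tag}: unknown type {typ}")
                continue
            total = size * cnt  # Python ints do not overflow; in C this product needs its own check
            if total > 4 and val + total > n:
                # value field is an offset to out-of-line data that must lie inside the file
                problems.append(
                    f"entry {i} tag {tag}: data at {val} + {total} bytes exceeds file size {n}")
        (ifd_off,) = struct.unpack(end + "I", data[entries_end:entries_end + 4])
    return problems


def _tiff(entries, order="<"):
    """Build a minimal single-IFD TIFF from (tag, type, count, value) tuples (example helper)."""
    bom = b"II" if order == "<" else b"MM"
    hdr = bom + struct.pack(order + "HI", 42, 8)
    ifd = struct.pack(order + "H", len(entries))
    ifd += b"".join(struct.pack(order + "HHII", *e) for e in entries)
    ifd += struct.pack(order + "I", 0)  # no further IFD
    return hdr + ifd


# Constructed well-formed sample: ImageWidth (256) and ImageLength (257) as inline SHORTs.
GOOD = _tiff([(256, 3, 1, 16), (257, 3, 1, 16)])

# Constructed malformed sample: StripOffsets (273) claims 1,000,000 LONGs at offset 8,
# which runs far past the end of a 26-byte file.
BAD = _tiff([(273, 4, 1_000_000, 8)])


if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD), ("TRUNCATED", GOOD[:20])):
        print(name, validate_tiff(blob) or "ok")
```

The same pattern applies to the .doc case on the page: a length or offset taken from the document is never dereferenced until it has been compared with the size of the buffer that actually holds the file.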