Thursday, January 5, 2017

SANS Holiday Hack 2016-Santa's APK

SantaGram Apk

Read 

SANS Pen Testing Blog:  Mining Android Secrets by Jeff McJunkin
https://pen-testing.sans.org/blog/2016/12/10/mining-android-secrets-decoding-android-app-resources

SANS Pen Testing Blog:  Ghost In The Droid:  Reverse Engineering Android Apps by Joshua Wright
https://pen-testing.sans.org/blog/2016/12/05/ghost-in-the-droid-reverse-engineering-android-apps

Watch

YouTube:  SANS How Tos:  Manipulating Android Applications by Joshua Wright
https://www.youtube.com/watch?v=mo2yZVRicW0

Obtaining the Apk

The SantaGram_4.2.apk is in the SantaGram_v4.2.zip file that is found in the image of Hermey’s desk on the @santawclaus Instagram page. 

Santa's Instagram Page-Hermey's Desk-Sensitive Info

Image Description:  Image on Santa’s Instagram page depicting where to find the zip file that contains the apk.

To get the apk out of the zip file, use the preferred method to unzip the file.

Note:  there are plenty of options:  Linux: Terminal:  unzip, 7z, Linux GUI: Archive Manager, Windows:  By default windows comes packaged with a GUI application that unzips zip files.  Just double-click on the file and choose the “Extract” tab at the top of the page.  (Windows 10), or Right-Click the file and choose “Extract Here”.  Mac:  Plenty of selections on the app store-7-Zip is one of them.  Simply drag and drop the zip file onto it and it automatically extracts the zip file.

Exploring the SantaGram Apk

This section is included for readers unfamiliar with some of the tools in this submission.  This section details the basic use of the tools used to explore the SantaGram Apk.  If you are already familiar with the tools-feel free to skip to the “Finding Sensitive Information In SantaGram_4.2.apk” section.  The writer had to learn all of this during the challenge.

Tools
Android Studio
Android Emulator
apktool
JadX
Java Standard Development Kit
Jarsigner.exe
Jartool.exe

Android Studio

Android Studio is the official interactive development environment (IDE) for developing android apps.  There are many tutorials about how to use this application.  It is multi-platform, meaning that it can be installed on different OS’s.  For the purposes of this challenge, it was installed on Microsoft Windows 10.  The only issue is that it doesn’t seem to like virtual machines.

Download the executable from the website, double click on it, follow the directions in the Wizard, and select the necessary options in the Wizard to install it.

How to use the program:

In order to import an apk that is already created, one must first decompile it using apktool. 

apktool d <compiledfile>
apktool d SantaGram_4.2.apk

Once the apk is decompiled, Open Android Studio.  One will be greeted with a screen entitled, “Welcome To Android Studio”, with clickable options on the right hand side.  Select the option to “Import an Existing File”.  If the “Welcome to Android Studio” window doesn’t appear, there is also an “Import an Existing File” option located in the File menu.  Choose the “Create From Existing Sources” option, Click Next, Choose the Name of the Project and Path, Click Finish.

Android Studio is a GUI similar to Jadx in structure.  The directory path appears on the left-hand side of the screen.  One can navigate through the directory by clicking on the directory links on the left side of the screen.  When a file is chosen on the left hand side of the screen, it appears on the right hand side of the screen.  The files may be more closely examined by looking at them on the right hand side of the screen.  The directory navigation also appears from left to right just above the left-hand directory structure.

In order to check a program for errors, it may be compiled using the “Build” menu option, and ran using the “Run” menu option.

Android Emulator

Android Emulator is the official emulator for use with Android Studio.  One benefit of using this is that there is an icon that runs the emulator inside of Android Studio.  One may enable adb so that they can install apps on the emulated device, delete apps from the emulated device, create a proxy to intercept traffic between the emulated device and the Internet, via the command line, along with many other options.

This tool was installed on Windows 10.  Download the executable from the website, double click on it, follow the directions in the Wizard, and select the necessary options in the Wizard to install it.

Once it is installed, in Android Studio, there will be a little icon that looks like a phone with the android robot on it.   
If this button is clicked, it brings up the Android Virtual Device (AVD) monitor which is the program that manages the emulator.  (This can also be  selected from the Tools>Android>AVD menu.)
  
AVD Manager

Image Description:  AVD Manager

Different types of devices may be installed by selecting the packages that are necessary and downloading them from the SDK Manager on the SDK platforms tab.  This will also be in the Tools>Android>SDK menu item.   

SDK Manager

Image Description:  SDK Manager Icon

If this is the first time that a device is made, then the device type to be emulated must be selected, as well as the operating system.  Once those are selected, a confirmation screen will appear with advanced options that can be selected.  On this tab, the default settings were chosen.  For this challenge, the device was running an operating system called Marshmallow.  The device that was chosen was a Nexus 5.  Click the Finish button.  It was known that the app could be ran by the Marshmallow Android Platform because when the app was reverse engineered, the AndroidManifest.xml has a platform code value in there of 23.  If one looks on the Android Development site6, that code matches Marshmallow.

To install an app:

First, run the emulator.  (Click on the little icon that looks like a phone with a robot)
Select a device if it has been created, otherwise, click the green + sign box at the bottom, and create a new one.
Wait for the device to boot to the screen with the time on it.
Unlock the device by clicking on it and dragging the mouse right if it has a lock screen
Make certain that the app is signed if it has been manipulated (directions are in the Jarsigner.exe section)
Drag the app onto the screen or open a command prompt, navigate to the emulated devices directory, and type adb install <path>/SantaGram_4.2.apk.  <path> is the directory that the apk is located in.
It should now be installed.

Apktool

The creator of the apktool states “apktool is a tool that can decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project like file structure and automation of some repetitive tasks like building apk, etc.”

apktool was installed on Windows 10 & Linux.  Directions are for Windows.  Download the apktool.jar and the apktool.bat files.  Place them in the C:\Windows directory so that it is in the executable path.  Run the apktool via the command line.  Execute the following with no spaces between the two dashes:

The apktool should display a version.
apktool -- version
To disassemble a program:
apktool d <program file>
Example:
apktool d SantaGram_4.2.apk
To reassemble a program:
apktool b <program directory>
Example:
apktool b SantaGram

JadX

JadX is great if one has experience with Java programming.  It decompiles the apk to Java.  The only problem is that the apk can’t be recompiled with JadX.

JadX was installed on an Ubuntu Linux VM.  (It can be installed on Windows-just use gradlew.bat instead.)

How to Install:

Open a terminal prompt.
Type git clone https://github.com/skylot/jadx.git into the prompt.
Change the directory to the newly created jadx directory.  cd jadx
Run the gradlew program with the parameter dist. ./gradlew dist

If one desires, they may change their environment variables to contain the path to jadx so that it may be ran from any directory.

How to use the program:

Make sure that the directory is the jadx directory 

pwd

If not, change into the jadx directory 

cd jadx

Change to the directory where the program can be executed 

cd build/jadx/bin/jadx.

To disassemble an apk via command line jadx -d <output directory path> apkname
Example:
jadx -d ~/Desktop SantaGram_4.2.apk
To disassemble an apk via the jadx GUI jadx-gui apkname
Example:
jadx SantaGram_4.2.apk

One advantage of using the command line interface is that the directories may be searched using the grep command.  Like grep -ir password for instance.

One advantage of using the jadx GUI is that there is a search function located near the directory structure on the left hand side of the screen.

Java Standard Development Kit (JDK)

The JDK may be installed by navigating to the java website, downloading the latest version, and double clicking the executable file.  If a wizard pops up, follow the directions of the wizard and select the appropriate selections based on whatever needs there may be.    Select the Customize Option:  If unsure, just select the default options-except for the ask toolbar option-don’t install it or other extra stuff.

Jarsigner.exe

Jarsigner.exe is part of the Java Development Kit.  It allows apks to be signed with keys.

If Java Development Kit is installed, it should already be on the machine.  If not, then visit the appropriate site, download it, and install it.

Paths may differ depending on where the keys and apk are stored.

To sign an apk:

“C:\Program Files\Java\jdk<your version>\bin\keysigner.exe” -sigalg SHA1withRSA -digestalg SHA1 -keystore keys\SantaGram.keystore dist\SantaGram.apk SantaGram

JavaTool.exe

Jartool.exe is part of the Java Development Kit.  It creates a storage area for keys as well as generating keys.

If Java Development Kit is installed, it should already be on the machine.  If not, then visit the appropriate site, download it, and install it.

To create a keystore:

mkdir keys

Make new keystore.
Note:  The path may be different depending on where the keys and manipulated apk were stored.

“C:\Program Files\Java\jdk<your version>\bin\keytool.exe” -genkey -v -keystore keys\SantaGram.keystore -alias SantaGram -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 10000
Enter a keystore password:
Re-Enter new password:
Fill in the requested information or type enter to select the default “Unknown”
Create a new password for keystore, or press enter to accept the same password as the keystore password

Finding Sensitive Information in SantaGram_4.2.apk

Mr. McJunkin suggests looking at resources.arsc on the SANS Pen Testing Blog.  After decompiling the apk with apktool, the apk has the res\values directories in it, which contains decompiled, plain-text xml files.  Mr. Wright makes suggestions in his video on YouTube about where to look for information in an apk file.

There is more than one way to find the username/password in the apk.  One can either disassemble the apk using apktool as described above and use command line utilities like grep -ir “password”, or one can disassemble the apk and use a GUI like JadX or Android Studio.  The downfall of using grep is that it can create a lot of output.  Once the file is found, by using grep, one could navigate to the file and look at it, either via the command line, or their favorite text editor.  In this case, jadx was used to find the username, password, and audio file.  The username that is hard-coded into the apk is “guest”.  The password is “busyreindeer78”.  The credentials were found in the  Source Code>com.northpolewonderland.santagram.b file.  The audio file was found in the Resources>res>raw>discombobulatedaudio1.mp3 file.  The app and client key were found as well.  They were found in Source Code>com.northpolewonderland.santagram.Configs  The app key is “ciy248KmH8uo8efusuTQ”.  The client key is “kC2jgdZT3IGYQ9ZlNflY".

No comments:

Post a Comment