Capturing SSH Keystrokes (Continued)

So, the test on my macbook from the previous post worked nicely. I contacted my supervisor to get his opinion on the method I decided upon. Porting this method over to the iPhone was a little messy but seems to be working nicely. Firstly, I set up my macbook as a central logging server. This was done by modifying the /etc/syslog.conf.

Firstly, we move the existing syslog.conf to a backup file to restore later:

mv /etc/syslog.conf /etc/syslog.conf.bak; touch /etc/syslog.conf

I then copy the following configuration into /etc/syslog.conf using an editor:

*.* /var/log/logclient.log

And finally, restart the syslog service:

launchctl unload /System/Library/LaunchDaemon/com.apple.syslog.plist

launch load /System/Library/LaunchDaemon/com.apple.syslog.plist

At this point, I opened up a terminal and ran tail -f /var/log/logclient.log to keep an eye (in real time) of the logs being generated (if any). Setting up the iPhone as a client was a different story. On OSX systems, the plist file (the configuration) file is stored as a plist at /System/Library/LaunchDaemons/com.apple.syslogd.plist in XML. However, on the iPhone, it’s stored as a binary file and the iOS base doesn’t include plutil to convert it back to XML for modification. To circumvent this problem, I decided to create my own config instead. This was done by creating a /etc/syslog.conf file and adding the following configuration:

*.* @192.168.1.100

To load this configuration, I restart syslog on the iPhone.

launchctl unload /System/Library/LaunchDaemon/com.apple.syslog.plist

launch load /System/Library/LaunchDaemon/com.apple.syslog.plist

Obviously, in the above, the IP of the central logging server (my macbook) is at 192.168.1.100. At this point, I generated some alerts by opening SMS, sending an email, launching a third-party application to ensure logs were being generated and sent over the network via syslog.

Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: MS:Notice: Installing: com.apple.MobileSMS [MobileSMS] (478.52)

Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/MailToAttachmentMessageUI.dylib

Jul 15 16:33:34 192.168.1.102 abnev-ip1 UIKitApplication: com.apple.MobileSMS[0xe734][489]: MS:Warning: message not found [NSFileManager rawDirectoryContentsAtPath:]

Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: *** _NSAutoreleaseNoPool(): Object 0x10c210 of class NSPathStore2 autoreleased with no pool in place – just leaking\nStack: (0x326edf87 0x326c2135 0x326c3bb3 0x326c4b15 0x326c47c3 0x326c4639 0x326c5f33 0x336079c5 0x33477b27 0x3347ce93 0x3347a245 0x33477a11 0x33477747 0x334784df 0x33477337 0x334774ef 0x47408 0x47a7c 0x43c14 0x2fe0be0d 0x2fe0be31 0x2fe09d7f 0x2fe0a16d 0x2fe01dd9 0x2fe08247 0x328c4975 0xa038 0x2fe0bd7d 0x2fe0be39 0x2fe09d7f 0x2fe0a16d 0x2fe0228b 0x2fe06a15 0x2fe016fd 0x2fe01050)

Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: *** _NSAutoreleaseNoPool(): Object 0x10c710 of class NSPathStore2 autoreleased with no pool in place – just leaking\nStack: (0x326edf87 0x326c2135 0x326c3bb3 0x326c31a7 0x326c5b9d 0x326c46f3 0x326c5f33 0x336079c5 0x33477b27 0x3347ce93 0x3347a245 0x33477a11 0x33477747 0x334784df 0x33477337 0x334774ef 0x47408 0x47a7c 0x43c14 0x2fe0be0d 0x2fe0be31 0x2fe09d7f 0x2fe0a16d 0x2fe01dd9 0x2fe08247 0x328c4975 0xa038 0x2fe0bd7d 0x2fe0be39 0x2fe09d7f 0x2fe0a16d 0x2fe0228b 0x2fe06a15 0x2fe016fd 0x2fe01050)

Jul 15 16:33:34 192.168.1.102 abnev-ip1 UIKitApplication: com.apple.MobileSMS[0xe734][489]: MS:Warning: message not found [MailComposeController _setupForMessageWithURL:]

Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/WinterBoard.dylib

Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: WB:Notice: WinterBoard

Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/iNoRotate.dylib

Now that the syslog was working correctly, It was necessary to get bash logging keystrokes. I originally thought about writing a patch but then thought using logger would be easier. Unfortunately, logger isn’t part of the base iOS so alternitives were looked at such as script(1) and tee(1). However, to ensure the correct functionality as per the previous post, it was necessary to have logger working.

To achieve this, I checked out the source of FreeBSD 8 and found logger.c in /usr/src/usr.sbin/logger/logger.c which included a Makefile. I tar’ed this up and moved it onto my macbook. After unpacking the files, I attempted to compile on OSX. This failed due to the following errors:

logger.c:47: error: expected declaration specifiers or ‘…’ before string constant

logger.c:47: warning: data definition has no type or storage class

Inspecting line 47 showed:

47 __FBSDID(“$FreeBSD: src/usr.bin/logger/logger.c,v 1.17.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $”);

I removed this line and attempted to copile suing gcc -o logger logger.c omitting the -DINET6 flag as specified in the Makefile for IPV6 support. This compiled fine. Using my script, gcc2 from previous posts, I cross-compiled logger.c for use on the iPhone. This compiled without errors. I sftp’ed the binary up to the iPhone and tested it by executing on the command line over SSH. Once it produced the usage output, I copied it over to /usr/sbin on the iPhone filesystem and modified the /etc/profile script to include the following:

# System-wide .profile for sh(1)

if [ -x /usr/libexec/path_helper ]; then

eval `/usr/libexec/path_helper -s`

fi

if [ “${BASH-no}” != “no” ]; then

[ -r /etc/bashrc ] && . /etc/bashrc

fi

function log2syslog

{

declare COMMAND

COMMAND=$(fc -ln -0)

logger -p local1.notice -t bash -i — “${USER}:${COMMAND}”

}

trap log2syslog DEBUG

Modifying the user accounts to launch bash was necessary. As a quick fix, I sym-linked using ln(1) /bin/sh to /bin/bash (bash was installed form Cydia). I then restarted syslog and logged out of the shell and reestablished the connection to the iPhone on the root account.

launchctl unload /System/Library/LaunchDaemons/com.apple.syslog.plist

launch load /System/Library/LaunchDaemons/com.apple.syslog.plist

exit

On establishing the SSH connection, I tried out some simple commands, e.g. ls(1), cd(1), uname(1) etc. and checked the /var/log/logclient.log on my macbook to ensure the keystrokes were being sent as expected. The following were the contents:

Jul 15 16:19:27 192.168.1.102 abnev-ip1 bash[474]: root: ls -al

Jul 15 16:19:32 192.168.1.102 abnev-ip1 bash[477]: root: cat /etc/profile

Jul 15 16:19:33 192.168.1.102 abnev-ip1 bash[480]: root: ls -al

Jul 15 16:19:34 192.168.1.102 abnev-ip1 bash[483]: root: w

Success. I’ll await to see my supervisors response, but I think this is very promising. I may be ready to run a pilot tonight. In the meantime, I’ll charge up my old-skool Nokia phone to swap out the SIM, backup the iPhone using iTunes and create a host of fake contacts and information to place on the iPhone.

Building Bridges with Iron, Braun and Steel

After much pain, I’ve managed to build myself a network tap or bridge as it’s more commonly known using FreeBSD 8.0 and an array of network interfaces. I haven’t posted in a bit but I’ve been doing a lost of testing with various techniques to record network traffic wired and wireless bridges, various router firmwares, port spanning using additional interfaces etc. Currently, I have a basic set up working using two wired network interfaces. I abandoned the wireless interface bridging the WAN to the LAN using a network hub due to support (or lackthereof rather) issues in FreeBSD. It seemed to be working but I couldn’t associate with the network. Attempting various configurations open, closed, ad-hoc, wep enabled, wpa, wpa2[personal/enterprise] etc. to no avail. Taking bits from the attic, I’ve managed to build a box. The specs are primitive but usable; Pentium III Xeon/Celeron processor, 447.69MHz, 40GB hard drive, 2 network interfaces (rl0, vr0), video card, and power supply. A picture of this can be found below.

Using a Zyxel Prestiage router, a Linksys WRT54G and heaps of cables the netowrk was created. This included a hub and a wireless network to allow people in the house use the internet as normal.  The bridge needed to be configured correctly first. The following are the commands required to set up a bridge after the network interfaces were tested by assigning an addresses and pinging various machines around the netowrk both wired and on the wireless interfaces.

# ifconfig bridge create
bridge0
# ifconfig bridge0
bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 96:3d:4b:f1:79:7a
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0

Add the member network interfaces to the bridge. For the bridge to forward packets all member interfaces and the bridge need to be up:

# ifconfig bridge0 addm rl0 addm vr0 up
# ifconfig rl0 up
# ifconfig vr0 up

The bridge is now forwarding Ethernet frames between rl0 and vr0. The equivalent configuration in /etc/rc.conf so the bridge is created at startup is:

cloned_interfaces="bridge0"
ifconfig_bridge0="addm rl0 addm vr0 up"
ifconfig_rl0="up"
ifconfig_fvr0="up"

Finally, enabling IP forwarding by modifying the kernel parameters using sysctl:

# sysctl -w net.inet.ip.forwarding=1

Thus leaving us with a functioning bridge:

I need to start working on some keystroke logging. I have looked at several options; either hacking openssh to log keystrokes, writing a patch for bash to record it, or launching a script which uses tee() to record everything to a file. I’m currently running tests by seeing if i can get the bash patch to log via syslog-ng to a remote logging server. In the meantime, I shall complete a test of recording traffic to see the average data collected etc and then conduct a pilot when the ssh server is ready. I may write my own server in python also using the twisted framework – I’ve found some tutorials on this.

Basic Bridge Plan

Previously, I had decided to create a bridge to aid in traffic logging. I did up a quick plan for this (attached below) and aim to use FreeBSD 8.0 as the OS. The concept is simple, the bridge is to act completely transparent so the attacker has absoutely no knowledge or suspicion in the fact that they are being passed through a bridge, thus allowing for complete network logging (with the exception of SSH, of course). The SSH issue will be another milestone to overcome. I have the use of a static IP address at home so I may as well put it to use.

The idea behind this is thus; a single static address on the router which is configured to pass-through connections to the bridge. The interface connecting to the router will have no IP assigned to it and will be configured to pass-through all connections through a second interface with the help of ipf (aka ipfilter – which will be compiled into the kernel). The second interface will connect to a wireless access point (AP) which will allow the iPhone to connect to the network. This is where I enter unfamiliar territory. The fact that the AP is connected to the bridge via a wired connection (cross over cable), the AP will appear to have the external address. This is not exactly what we want as the iPhone will have to utilise some network address translation (NAT) to obtain any external access which will be problematic.

To overcome this I propose amalgamating the wireless AP and the bridge into a single system. Thus, the second interface will in-fact become a ad-hoc interface utilising a prism2 chipset and the 2.4GHz spectrum. This can be achieved by replacing the second interface with a wireless card, compiling wireless support into the kernel and setting up the interface using wiconfig. By associating the iPhone with the bridge in ad-hoc mode and configuring ipf to pass-through all connections to the wireless interface I believe our objective can be met.

It’s now just a matter of convincing the family they’ll survive without the internet for a few days while I take apart the network. I’ll work on getting the bridge set up. I may have to visit my computer graveyard in the attic and throw together anything I can find.

Fundamentals

Around Christmas I bought myself a brand new shiny iPhone 3GS which currently running  OS version 3.1.3 (7E18), Carrier O2 5.1. I have decided to use this phone within this project which requires a few tests and a little hacking. To begin, access to the file system must be granted. To do this, the phone is jailbroken and a number of tools are installed to enable remote SSH access for ease during the project.

Until recently, @geohot‘s blackra1n only offered an tethered jailbreak for the iPhone. This meant that if the phone died or was switched off, it was necessary to hook up the phone to a system which could run blackra1n to inject the exploit code again. Luckily for me, an untethered jailbreak was released which eased the process. This application is called Spirit and is a quick plug-in and click job. It is important to note that this application doesn’t offer any carrier unlock but as I’m already on O2 this is fine.

Once unlocked, Cydia (a package management application) is upgraded and installed. Using this we can install OpenSSH as per http://www.hackthatphone.com/2x/open_ssh.html. This allowed me open an SSH connection to the iPhone from Terminal.app thus gaining access to the filesystem.

As a side note, there are two usable accounts on all iPhones by default. Inspecting the /etc/passwd file shows:

root:*:0:0:System Administrator:/var/root:/bin/sh

mobile:*:501:501:Mobile User:/var/mobile:/bin/sh

Note, the root password by default is “alpine” and is used as the system administrator account. The mobile account is used for standard usage (launching applications from the UI etc) and can be accessed via SSH or by logging in as root and issuing “su — mobile” on the command line. If logged in as the mobile user, use “login -pf root” to become root.

At this point, I played around with the filesystem and explored the various commands available. Being familiar with BSD 4.4 FS (Thank you FreeBSD!) and Darwin (Thank you Macbook), a lot of the basic commands were missing: ps, man, netstat, text editor, etc. Exploring Cydia, I found some of these tools were easily downloadable.