Monitor iOS CommonCrypto Usage #430

Merged
merged 7 commits into from
Feb 17, 2021

gagnonca
Contributor

These hooks allow penetration testers and security researchers to monitor iOS CommonCrypto usage in real time.

Command: ios crypto monitor

Usage: ios crypto monitor

Hooks CommonCrypto to output information about cryptographic operation. Works best for AES with PKCS7 Padding.
Currently the following hooks are supported: 
 - SecRandomCopyBytes
 - CCKeyDerivationPBKDF
 - CCCrypt
 - CCCryptorCreate
 - CCCryptorUpdate
 - CCCryptorFinal

Examples:
   ios crypto monitor

Sample output: [screenshot]
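
For reading the parameters these hooks surface, the following added example (not part of this PR or of objection's code) decodes captured `CCCrypt`/`CCCryptorCreate` arguments and flags configurations worth a closer look. The call-record shape, finding names and sample values are assumptions constructed for illustration; the numeric constants are those defined in CommonCryptor.h.

```javascript
// Added example, not objection's code. The call-record shape is hypothetical;
// numeric values are the CommonCrypto constants from CommonCryptor.h.
const OPS = { 0: "kCCEncrypt", 1: "kCCDecrypt" };
const ALGS = {
  0: { name: "AES", keySizes: [16, 24, 32], weak: false },
  1: { name: "DES", keySizes: [8], weak: true },
  2: { name: "3DES", keySizes: [24], weak: true },
  4: { name: "RC4", keySizes: null, weak: true }, // variable-length key
};
const kCCOptionPKCS7Padding = 0x0001;
const kCCOptionECBMode = 0x0002;

// Decode one captured CCCrypt/CCCryptorCreate call and list review findings.
function reviewCall(call, encryptIvs = new Set()) {
  const alg = ALGS[call.alg];
  if (!alg) return { summary: `unknown algorithm ${call.alg}`, findings: ["unknown-algorithm"] };
  const findings = [];
  const stream = alg.name === "RC4";
  const ecb = !stream && (call.options & kCCOptionECBMode) !== 0;
  const padded = (call.options & kCCOptionPKCS7Padding) !== 0;
  const mode = stream ? "stream" : ecb ? "ECB" : "CBC";
  if (alg.weak) findings.push("weak-algorithm");
  if (alg.keySizes && !alg.keySizes.includes(call.keyLength)) findings.push("bad-key-length");
  if (ecb) findings.push("ecb-mode");
  if (mode === "CBC") {
    // CommonCrypto falls back to an all-zero IV when CBC is selected and iv is NULL.
    if (call.iv === null || /^(00)+$/.test(call.iv)) findings.push("zero-iv");
    else if (call.op === 0 && encryptIvs.has(call.iv)) findings.push("iv-reuse");
    if (call.op === 0 && call.iv !== null) encryptIvs.add(call.iv);
  }
  const summary = `${OPS[call.op] ?? "op?"} ${alg.name}-${call.keyLength * 8} ${mode}` +
    (padded ? " PKCS7" : "");
  return { summary, findings };
}

// Review a whole capture, remembering encrypt IVs across calls to spot reuse.
function reviewCapture(calls) {
  const seen = new Set();
  return calls.map((c) => reviewCall(c, seen));
}

// Constructed sample capture (not real app data); iv is hex or null for NULL.
const SAMPLE = [
  { op: 0, alg: 0, options: 0x1, keyLength: 32, iv: "a1b2c3d4e5f60718293a4b5c6d7e8f90" },
  { op: 0, alg: 0, options: 0x1, keyLength: 32, iv: "a1b2c3d4e5f60718293a4b5c6d7e8f90" },
  { op: 0, alg: 0, options: 0x3, keyLength: 16, iv: null },
  { op: 1, alg: 1, options: 0x1, keyLength: 8, iv: null },
];
console.log(reviewCapture(SAMPLE));
```

The IV-reuse check compares IVs only, so a hit is a prompt to confirm whether the same key was in use for both calls.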

@gagnonca
Contributor Author

@leonjza I just noticed some style things I want to fix before you review. Just cleaning up the code a bit. I will push it tomorrow.

@leonjza
Member

leonjza commented Dec 11, 2020

Amazing! Thanks for this. I'll wait for you to be done before I start a review. Overall, looking good! 👍

@gagnonca
Contributor Author

Just pushed the commit. Feel free to take a look whenever you get a chance.

@leonjza
Member

leonjza commented Feb 17, 2021

Such a good PR! I am going to make a few small tweaks such as moving the command into a monitor category instead, but you have done the hard work. Thanks so much. 🙌

@leonjza leonjza merged commit 746d08d into sensepost:master Feb 17, 2021

@gagnonca
Contributor Author

Thanks. I'm really glad you like it. I am also working on hooks for monitoring system crypto APIs for Android as well as expanding what we hook for iOS (i.e. including asymmetric). Moving to monitor makes a lot of sense.

@leonjza
Member

leonjza commented Feb 17, 2021

Awesome. I think there are plenty of things we can monitor which I am excited about. :D

@snoerenberg

Thanks for the nice addition!

It was meant to be used with this command: "ios monitor crypto monitor"?
I was not expecting to put "monitor" again at the end :)

Thanks again
Stephan

@leonjza
Member

leonjza commented Feb 19, 2021

Yeah, I think it will make more sense to change this to enable to complement the disable command.

@gagnonca
Contributor Author

I actually was thinking of removing the monitor at the end of the command to make it just ios monitor crypto. Instead of disable we can use the existing jobs kill ... command to disable the hooks.

I already wrote the patch yesterday and can do a PR today if we like it better this way. I also removed some other dead code from the crypto hooks.

@leonjza
Member

leonjza commented Feb 19, 2021

That is an excellent point and makes the most sense. Thanks.
