Objekt Cheat Sheet
Überblick
Objection ist ein mobiles Explorationstoolkit, das auf Frida aufgebaut ist, um Sicherheitsforschern und Penetrationsprüfern umfassende Möglichkeiten zur Analyse und Handhabung mobiler Anwendungen während der Laufzeit zu bieten. Das von Leon Jacobs entwickelte Objektion dient als leistungsstarke Schnittstelle zu den dynamischen Instrumentierungsfunktionen von Frida und bietet eine benutzerfreundliche Kommandozeilenschnittstelle für komplexe Sicherheitsbewertungen für mobile Anwendungen. Das Tool unterstützt sowohl iOS- als auch Android-Plattformen, so dass es eine wesentliche Komponente jeder mobilen Sicherheitsprüfung Arsenal.
Die primäre Stärke von Objection liegt in der Fähigkeit, eine Laufzeitmanipulation mobiler Anwendungen durchzuführen, ohne dass Quellcode-Zugriff oder Applikationsrecompilation erforderlich ist. Durch die Verwendung von Fridas Instrumentierungs-Engine kann Objection in Anwendungsfunktionen eingreifen, Verhalten ändern, Sicherheitskontrollen umgehen und sensible Informationen aus laufenden Anwendungen extrahieren. Diese Fähigkeit macht es besonders wertvoll für Black-Box-Sicherheitstests, bei denen herkömmliche statische Analyseansätze unzureichend oder unpraktisch sind.
Objection bietet eine umfassende Reihe von Funktionen wie SSL Pinning Bypass, Root/Jailbreak Erkennung Bypass, Dateisystem Exploration, Speicher Manipulation, und Verfahren Haken. Die modulare Architektur des Tools ermöglicht eine einfache Erweiterung und Anpassung, während seine intuitive Befehlsstruktur es sowohl Anfängern als auch erfahrenen Sicherheitsexperten zugänglich macht. Objection stellt eine signifikante Weiterentwicklung der mobilen Anwendungssicherheitstests dar, die bisher nur über komplexe benutzerdefinierte Frida-Skripte verfügbar waren.
Installation
Python Paket Installation
Objektion installieren Python Paketmanager:
```bash
Install via pip
pip3 install objection
Install specific version
pip3 install objection==1.11.0
Install with development dependencies
pip3 install objection[dev]
Upgrade to latest version
pip3 install --upgrade objection
Install from source
git clone https://github.com/sensepost/objection.git cd objection pip3 install . ```_
Frida Installation
Installieren von Abhängigkeiten von Frida:
```bash
Install Frida tools
pip3 install frida-tools
Install Frida for Python
pip3 install frida
Verify Frida installation
frida --version
Install Frida server for Android
wget https://github.com/frida/frida/releases/latest/download/frida-server-android-arm64 adb push frida-server-android-arm64 /data/local/tmp/frida-server adb shell chmod 755 /data/local/tmp/frida-server ```_
Einrichtung des Geräts
Zielgeräte einrichten:
```bash
Android device setup
adb devices adb root adb shell /data/local/tmp/frida-server &
iOS device setup (jailbroken)
ssh root@ios-device apt-get install frida frida-server &
Verify device connectivity
frida-ps -U ```_
Basisnutzung
Anwendungsentdeckung
Discovering und Listing Anwendungen:
```bash
List running applications
objection -g com.example.app explore
List installed applications
frida-ps -Ua
List running processes
frida-ps -U
Get application information
objection -g com.example.app explore -c "env"
List application activities (Android)
objection -g com.example.app explore -c "android hooking list activities" ```_
Grundlagenforschung
Grundlegende Anwendungsexplorationsbefehle:
```bash
Start Objection session
objection -g com.example.app explore
Get environment information
env
List loaded classes
android hooking list classes
List class methods
android hooking list class_methods com.example.MainActivity
Search for classes
android hooking search classes keyword
Search for methods
android hooking search methods keyword ```_
Dateisystem Operationen
Dateisystem Exploration und Manipulation:
```bash
List files in application directory
ls
Change directory
cd /data/data/com.example.app
Download file from device
file download /data/data/com.example.app/databases/app.db ./app.db
Upload file to device
file upload ./payload.txt /data/data/com.example.app/files/payload.txt
Show file contents
cat /data/data/com.example.app/shared_prefs/settings.xml
Find files by name
find /data/data/com.example.app -name "*.db" ```_
Erweiterte Funktionen
SSL Pinning Bypass
Bypass SSL-Zertifikat Pinning:
```bash
Disable SSL pinning (Android)
android sslpinning disable
Disable SSL pinning (iOS)
ios sslpinning disable
Monitor SSL pinning attempts
android sslpinning monitor
Custom SSL pinning bypass
android hooking set return_value com.example.SSLPinning.verify true ```_
Root/Jailbreak Erkennung Bypass
Umgehung der Wurzel- und Jailbreak-Erkennung:
```bash
Disable root detection (Android)
android root disable
Disable jailbreak detection (iOS)
ios jailbreak disable
Monitor root detection attempts
android root monitor
Simulate non-rooted environment
android root simulate
Hook specific root detection methods
android hooking set return_value com.example.RootDetection.isRooted false ```_
Methode Haken
Hooking und Manipulation von Anwendungsmethoden:
```bash
Hook method and monitor calls
android hooking watch class com.example.MainActivity
Hook specific method
android hooking watch class_method com.example.MainActivity.onCreate
Set method return value
android hooking set return_value com.example.Security.isValid true
Generate method hook template
android hooking generate simple com.example.MainActivity.login
Hook constructor
android hooking watch class_method com.example.User.$init ```_
Speicherbetrieb
Erinnerungsexploration und Manipulation:
```bash
Dump memory regions
memory dump all
Dump specific memory region
memory dump 0x12345678 1024
Search memory for patterns
memory search "password"
Search memory for specific bytes
memory search --pattern "41 42 43 44"
List memory regions
memory list
Write to memory
memory write 0x12345678 "new_value" ```_
Schlüsselspeicher und Kryptographie
Schlüsselspeicher und kryptographische Operationen:
```bash
List keystore entries (Android)
android keystore list
Dump keystore entry
android keystore detail alias_name
Monitor cryptographic operations
android crypto monitor
Hook encryption/decryption methods
android hooking watch class javax.crypto.Cipher
Bypass certificate validation
android sslpinning disable --quiet ```_
Platform-Specific Features
Android-Specific Kommandos
Android-spezifische Funktionalität:
```bash
List activities
android hooking list activities
List services
android hooking list services
List broadcast receivers
android hooking list receivers
Start activity
android intent launch_activity com.example.MainActivity
Send broadcast intent
android intent send_broadcast --action com.example.ACTION
Monitor intents
android intent monitor
Dump application heap
android heap dump
Search heap for objects
android heap search instances com.example.User ```_
iOS-spezifische Befehle
iOS-spezifische Funktionalität:
```bash
List bundles
ios bundles list
List classes in bundle
ios hooking list classes
Monitor pasteboard
ios pasteboard monitor
Dump keychain
ios keychain dump
Monitor URL schemes
ios url_scheme monitor
Hook Objective-C methods
ios hooking watch method "-[ViewController viewDidLoad]"
List frameworks
ios bundles list_frameworks
Monitor file operations
ios file monitor ```_
Automatisierungsskripte
Automatisierte Bewertung
```python
!/usr/bin/env python3
Objection automated assessment script
import subprocess import json import time
class ObjectionAutomation: def init(self, package_name): self.package_name = package_name self.session = None
def start_session(self):
"""Start Objection session"""
cmd = f"objection -g \\\\{self.package_name\\\\} explore"
self.session = subprocess.Popen(
cmd.split(),
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True
)
time.sleep(2)
def execute_command(self, command):
"""Execute command in Objection session"""
if self.session:
self.session.stdin.write(f"\\\\{command\\\\}\n")
self.session.stdin.flush()
time.sleep(1)
def run_security_assessment(self):
"""Run comprehensive security assessment"""
commands = [
"env",
"android sslpinning disable",
"android root disable",
"android hooking list activities",
"android hooking list services",
"android keystore list",
"memory dump all",
"file download /data/data/\\\\{\\\\}/databases/ ./databases/".format(self.package_name),
"android intent monitor"
]
for cmd in commands:
print(f"Executing: \\\\{cmd\\\\}")
self.execute_command(cmd)
time.sleep(2)
def close_session(self):
"""Close Objection session"""
if self.session:
self.execute_command("exit")
self.session.terminate()
Usage
if name == "main": automation = ObjectionAutomation("com.example.app") automation.start_session() automation.run_security_assessment() automation.close_session() ```_
Batch Processing
```bash
!/bin/bash
Objection batch processing script
PACKAGE_LIST="packages.txt" OUTPUT_DIR="objection_results"
mkdir -p $OUTPUT_DIR
while IFS= read -r package; do echo "Processing package: $package"
# Create package-specific directory
mkdir -p "$OUTPUT_DIR/$package"
# Run Objection commands
objection -g $package explore -c "env" > "$OUTPUT_DIR/$package/env.txt"
objection -g $package explore -c "android hooking list activities" > "$OUTPUT_DIR/$package/activities.txt"
objection -g $package explore -c "android hooking list services" > "$OUTPUT_DIR/$package/services.txt"
objection -g $package explore -c "android keystore list" > "$OUTPUT_DIR/$package/keystore.txt"
# Disable security controls
objection -g $package explore -c "android sslpinning disable"
objection -g $package explore -c "android root disable"
echo "Completed processing: $package"
sleep 5
done < "$PACKAGE_LIST"
echo "Batch processing completed" ```_
Benutzerdefinierte Haken Generator
```python
!/usr/bin/env python3
Custom Objection hook generator
import json
class HookGenerator: def init(self): self.hooks = []
def generate_method_hook(self, class_name, method_name, return_value=None):
"""Generate method hook"""
hook = \\\\{
"type": "method_hook",
"class": class_name,
"method": method_name,
"action": "monitor"
\\\\}
if return_value:
hook["return_value"] = return_value
hook["action"] = "modify"
self.hooks.append(hook)
return hook
def generate_class_hook(self, class_name):
"""Generate class hook"""
hook = \\\\{
"type": "class_hook",
"class": class_name,
"action": "monitor_all"
\\\\}
self.hooks.append(hook)
return hook
def generate_objection_script(self):
"""Generate Objection script from hooks"""
script_lines = []
for hook in self.hooks:
if hook["type"] == "method_hook":
if hook["action"] == "monitor":
script_lines.append(f"android hooking watch class_method \\\\{hook['class']\\\\}.\\\\{hook['method']\\\\}")
elif hook["action"] == "modify":
script_lines.append(f"android hooking set return_value \\\\{hook['class']\\\\}.\\\\{hook['method']\\\\} \\\\{hook['return_value']\\\\}")
elif hook["type"] == "class_hook":
script_lines.append(f"android hooking watch class \\\\{hook['class']\\\\}")
return "\n".join(script_lines)
def save_script(self, filename):
"""Save generated script to file"""
script = self.generate_objection_script()
with open(filename, 'w') as f:
f.write(script)
Usage example
generator = HookGenerator() generator.generate_method_hook("com.example.Security", "isValid", "true") generator.generate_method_hook("com.example.Auth", "checkPassword", "true") generator.generate_class_hook("com.example.Crypto")
script = generator.generate_objection_script() print(script) ```_
Integrationsbeispiele
Frida Script Integration
```javascript // Custom Frida script for Objection Java.perform(function() \\{ // Hook login method var MainActivity = Java.use("com.example.MainActivity");
MainActivity.login.implementation = function(username, password) \\\\{
console.log("[+] Login attempt:");
console.log(" Username: " + username);
console.log(" Password: " + password);
// Call original method
var result = this.login(username, password);
console.log(" Result: " + result);
return result;
\\\\};
// Hook encryption method
var CryptoUtils = Java.use("com.example.CryptoUtils");
CryptoUtils.encrypt.implementation = function(data) \\\\{
console.log("[+] Encryption called with: " + data);
// Return plaintext instead of encrypted data
return data;
\\\\};
\\}); ```_
Integration von Burp Suite
```python
!/usr/bin/env python3
Burp Suite and Objection integration
import requests import subprocess import time
class BurpObjectionIntegration: def init(self, burp_proxy, package_name): self.burp_proxy = burp_proxy self.package_name = package_name self.session = requests.Session() self.session.proxies = \\{'http': burp_proxy, 'https': burp_proxy\\} self.session.verify = False
def setup_objection(self):
"""Setup Objection with SSL pinning bypass"""
commands = [
f"objection -g \\\\{self.package_name\\\\} explore",
"android sslpinning disable",
"android root disable"
]
for cmd in commands:
subprocess.run(cmd.split())
time.sleep(2)
def test_endpoints(self, endpoints):
"""Test endpoints through Burp proxy"""
for endpoint in endpoints:
try:
response = self.session.get(endpoint)
print(f"Endpoint: \\\\{endpoint\\\\} - Status: \\\\{response.status_code\\\\}")
except Exception as e:
print(f"Error testing \\\\{endpoint\\\\}: \\\\{e\\\\}")
Usage
integration = BurpObjectionIntegration("http://127.0.0.1:8080", "com.example.app") integration.setup_objection() integration.test_endpoints(["https://api.example.com/login", "https://api.example.com/data"]) ```_
OWASP ZAP Integration
```python
!/usr/bin/env python3
OWASP ZAP and Objection integration
from zapv2 import ZAPv2 import subprocess import time
class ZAPObjectionIntegration: def init(self, zap_proxy, package_name): self.zap = ZAPv2(proxies=\\{'http': zap_proxy, 'https': zap_proxy\\}) self.package_name = package_name
def setup_mobile_testing(self):
"""Setup mobile testing environment"""
# Start Objection
subprocess.Popen([
"objection", "-g", self.package_name, "explore",
"-c", "android sslpinning disable"
])
time.sleep(5)
# Configure ZAP for mobile testing
self.zap.core.set_option_use_proxy_chain(True)
self.zap.core.set_option_proxy_chain_name("127.0.0.1")
self.zap.core.set_option_proxy_chain_port(8080)
def run_active_scan(self, target_url):
"""Run active scan against mobile app endpoints"""
# Spider the application
scan_id = self.zap.spider.scan(target_url)
# Wait for spider to complete
while int(self.zap.spider.status(scan_id)) < 100:
time.sleep(1)
# Run active scan
scan_id = self.zap.ascan.scan(target_url)
# Wait for scan to complete
while int(self.zap.ascan.status(scan_id)) < 100:
time.sleep(1)
# Get results
alerts = self.zap.core.alerts()
return alerts
Usage
integration = ZAPObjectionIntegration("http://127.0.0.1:8080", "com.example.app") integration.setup_mobile_testing() alerts = integration.run_active_scan("https://api.example.com") ```_
Fehlerbehebung
Verbindungsprobleme
```bash
Check Frida server status
adb shell ps|grep frida-server
Restart Frida server
adb shell killall frida-server adb shell /data/local/tmp/frida-server &
Check device connectivity
frida-ps -U
Test Objection connection
objection -g com.android.settings explore -c "env"
Debug connection issues
objection -g com.example.app explore --debug ```_
Bewerbungsfragen
```bash
Check if application is running
adb shell ps|grep com.example.app
Start application
adb shell am start -n com.example.app/.MainActivity
Check application permissions
adb shell dumpsys package com.example.app|grep permission
Clear application data
adb shell pm clear com.example.app
Reinstall application
adb uninstall com.example.app adb install app.apk ```_
Leistungsfragen
```bash
Monitor device resources
adb shell top
Check memory usage
adb shell dumpsys meminfo com.example.app
Monitor CPU usage
adb shell dumpsys cpuinfo
Check storage space
adb shell df
Optimize Frida performance
frida-server -l 0.0.0.0:27042 ```_
Sicherheitsüberlegungen
Operationelle Sicherheit
Gerätesicherheit: - Verwenden Sie spezielle Testgeräte - Implementierung der Geräteisolation - Regelmäßige Sicherheitsupdates - Monitor für Malware - Sichere Datenspeicherung
Netzwerksicherheit: - Verwenden Sie VPN für Ferntests - Implementierung der Verkehrsverschlüsselung - Netzwerkaktivität überwachen - Sichere Proxykonfigurationen - Regelmäßige Netzprüfungen
Rechtliche und ethische Überlegungen
Authorized Testing Only: - ordnungsgemäße Genehmigung erhalten - Testbereich definieren - Alle Aktivitäten - Verantwortliche Offenlegung - Datenschutzrechte achten
Beste Praktiken: - Verwendung in kontrollierten Umgebungen - Regelmäßige Sicherheitsbewertungen - Durchführung von Sanierungsmaßnahmen - Monitor für unbefugte Nutzung - Bewahren Sie Audit-Strecken