Objekt Cheat Sheet¶
Überblick¶
Objection ist ein mobiles Explorationstoolkit, das auf Frida aufgebaut ist, um Sicherheitsforschern und Penetrationsprüfern umfassende Möglichkeiten zur Analyse und Handhabung mobiler Anwendungen während der Laufzeit zu bieten. Das von Leon Jacobs entwickelte Objektion dient als leistungsstarke Schnittstelle zu den dynamischen Instrumentierungsfunktionen von Frida und bietet eine benutzerfreundliche Kommandozeilenschnittstelle für komplexe Sicherheitsbewertungen für mobile Anwendungen. Das Tool unterstützt sowohl iOS- als auch Android-Plattformen, so dass es eine wesentliche Komponente jeder mobilen Sicherheitsprüfung Arsenal.
Die primäre Stärke von Objection liegt in der Fähigkeit, eine Laufzeitmanipulation mobiler Anwendungen durchzuführen, ohne dass Quellcode-Zugriff oder Applikationsrecompilation erforderlich ist. Durch die Verwendung von Fridas Instrumentierungs-Engine kann Objection in Anwendungsfunktionen eingreifen, Verhalten ändern, Sicherheitskontrollen umgehen und sensible Informationen aus laufenden Anwendungen extrahieren. Diese Fähigkeit macht es besonders wertvoll für Black-Box-Sicherheitstests, bei denen herkömmliche statische Analyseansätze unzureichend oder unpraktisch sind.
Objection bietet eine umfassende Reihe von Funktionen wie SSL Pinning Bypass, Root/Jailbreak Erkennung Bypass, Dateisystem Exploration, Speicher Manipulation, und Verfahren Haken. Die modulare Architektur des Tools ermöglicht eine einfache Erweiterung und Anpassung, während seine intuitive Befehlsstruktur es sowohl Anfängern als auch erfahrenen Sicherheitsexperten zugänglich macht. Objection stellt eine signifikante Weiterentwicklung der mobilen Anwendungssicherheitstests dar, die bisher nur über komplexe benutzerdefinierte Frida-Skripte verfügbar waren.
Installation¶
Python Paket Installation¶
Objektion installieren Python Paketmanager:
```bash
Install via pip¶
pip3 install objection
Install specific version¶
pip3 install objection==1.11.0
Install with development dependencies¶
pip3 install objection[dev]
Upgrade to latest version¶
pip3 install --upgrade objection
Install from source¶
git clone https://github.com/sensepost/objection.git cd objection pip3 install . ```_
Frida Installation¶
Installieren von Abhängigkeiten von Frida:
```bash
Install Frida tools¶
pip3 install frida-tools
Install Frida for Python¶
pip3 install frida
Verify Frida installation¶
frida --version
Install Frida server for Android¶
wget https://github.com/frida/frida/releases/latest/download/frida-server-android-arm64 adb push frida-server-android-arm64 /data/local/tmp/frida-server adb shell chmod 755 /data/local/tmp/frida-server ```_
Einrichtung des Geräts¶
Zielgeräte einrichten:
```bash
Android device setup¶
adb devices adb root adb shell /data/local/tmp/frida-server &
iOS device setup (jailbroken)¶
ssh root@ios-device apt-get install frida frida-server &
Verify device connectivity¶
frida-ps -U ```_
Basisnutzung¶
Anwendungsentdeckung¶
Discovering und Listing Anwendungen:
```bash
List running applications¶
objection -g com.example.app explore
List installed applications¶
frida-ps -Ua
List running processes¶
frida-ps -U
Get application information¶
objection -g com.example.app explore -c "env"
List application activities (Android)¶
objection -g com.example.app explore -c "android hooking list activities" ```_
Grundlagenforschung¶
Grundlegende Anwendungsexplorationsbefehle:
```bash
Start Objection session¶
objection -g com.example.app explore
Get environment information¶
env
List loaded classes¶
android hooking list classes
List class methods¶
android hooking list class_methods com.example.MainActivity
Search for classes¶
android hooking search classes keyword
Search for methods¶
android hooking search methods keyword ```_
Dateisystem Operationen¶
Dateisystem Exploration und Manipulation:
```bash
List files in application directory¶
ls
Change directory¶
cd /data/data/com.example.app
Download file from device¶
file download /data/data/com.example.app/databases/app.db ./app.db
Upload file to device¶
file upload ./payload.txt /data/data/com.example.app/files/payload.txt
Show file contents¶
cat /data/data/com.example.app/shared_prefs/settings.xml
Find files by name¶
find /data/data/com.example.app -name "*.db" ```_
Erweiterte Funktionen¶
SSL Pinning Bypass¶
Bypass SSL-Zertifikat Pinning:
```bash
Disable SSL pinning (Android)¶
android sslpinning disable
Disable SSL pinning (iOS)¶
ios sslpinning disable
Monitor SSL pinning attempts¶
android sslpinning monitor
Custom SSL pinning bypass¶
android hooking set return_value com.example.SSLPinning.verify true ```_
Root/Jailbreak Erkennung Bypass¶
Umgehung der Wurzel- und Jailbreak-Erkennung:
```bash
Disable root detection (Android)¶
android root disable
Disable jailbreak detection (iOS)¶
ios jailbreak disable
Monitor root detection attempts¶
android root monitor
Simulate non-rooted environment¶
android root simulate
Hook specific root detection methods¶
android hooking set return_value com.example.RootDetection.isRooted false ```_
Methode Haken¶
Hooking und Manipulation von Anwendungsmethoden:
```bash
Hook method and monitor calls¶
android hooking watch class com.example.MainActivity
Hook specific method¶
android hooking watch class_method com.example.MainActivity.onCreate
Set method return value¶
android hooking set return_value com.example.Security.isValid true
Generate method hook template¶
android hooking generate simple com.example.MainActivity.login
Hook constructor¶
android hooking watch class_method com.example.User.$init ```_
Speicherbetrieb¶
Erinnerungsexploration und Manipulation:
```bash
Dump memory regions¶
memory dump all
Dump specific memory region¶
memory dump 0x12345678 1024
Search memory for patterns¶
memory search "password"
Search memory for specific bytes¶
memory search --pattern "41 42 43 44"
List memory regions¶
memory list
Write to memory¶
memory write 0x12345678 "new_value" ```_
Schlüsselspeicher und Kryptographie¶
Schlüsselspeicher und kryptographische Operationen:
```bash
List keystore entries (Android)¶
android keystore list
Dump keystore entry¶
android keystore detail alias_name
Monitor cryptographic operations¶
android crypto monitor
Hook encryption/decryption methods¶
android hooking watch class javax.crypto.Cipher
Bypass certificate validation¶
android sslpinning disable --quiet ```_
Platform-Specific Features¶
Android-Specific Kommandos¶
Android-spezifische Funktionalität:
```bash
List activities¶
android hooking list activities
List services¶
android hooking list services
List broadcast receivers¶
android hooking list receivers
Start activity¶
android intent launch_activity com.example.MainActivity
Send broadcast intent¶
android intent send_broadcast --action com.example.ACTION
Monitor intents¶
android intent monitor
Dump application heap¶
android heap dump
Search heap for objects¶
android heap search instances com.example.User ```_
iOS-spezifische Befehle¶
iOS-spezifische Funktionalität:
```bash
List bundles¶
ios bundles list
List classes in bundle¶
ios hooking list classes
Monitor pasteboard¶
ios pasteboard monitor
Dump keychain¶
ios keychain dump
Monitor URL schemes¶
ios url_scheme monitor
Hook Objective-C methods¶
ios hooking watch method "-[ViewController viewDidLoad]"
List frameworks¶
ios bundles list_frameworks
Monitor file operations¶
ios file monitor ```_
Automatisierungsskripte¶
Automatisierte Bewertung¶
```python
!/usr/bin/env python3¶
Objection automated assessment script¶
import subprocess import json import time
class ObjectionAutomation: def init(self, package_name): self.package_name = package_name self.session = None
def start_session(self):
"""Start Objection session"""
cmd = f"objection -g \\\\{self.package_name\\\\} explore"
self.session = subprocess.Popen(
cmd.split(),
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True
)
time.sleep(2)
def execute_command(self, command):
"""Execute command in Objection session"""
if self.session:
self.session.stdin.write(f"\\\\{command\\\\}\n")
self.session.stdin.flush()
time.sleep(1)
def run_security_assessment(self):
"""Run comprehensive security assessment"""
commands = [
"env",
"android sslpinning disable",
"android root disable",
"android hooking list activities",
"android hooking list services",
"android keystore list",
"memory dump all",
"file download /data/data/\\\\{\\\\}/databases/ ./databases/".format(self.package_name),
"android intent monitor"
]
for cmd in commands:
print(f"Executing: \\\\{cmd\\\\}")
self.execute_command(cmd)
time.sleep(2)
def close_session(self):
"""Close Objection session"""
if self.session:
self.execute_command("exit")
self.session.terminate()
Usage¶
if name == "main": automation = ObjectionAutomation("com.example.app") automation.start_session() automation.run_security_assessment() automation.close_session() ```_
Batch Processing¶
```bash
!/bin/bash¶
Objection batch processing script¶
PACKAGE_LIST="packages.txt" OUTPUT_DIR="objection_results"
mkdir -p $OUTPUT_DIR
while IFS= read -r package; do echo "Processing package: $package"
# Create package-specific directory
mkdir -p "$OUTPUT_DIR/$package"
# Run Objection commands
objection -g $package explore -c "env" > "$OUTPUT_DIR/$package/env.txt"
objection -g $package explore -c "android hooking list activities" > "$OUTPUT_DIR/$package/activities.txt"
objection -g $package explore -c "android hooking list services" > "$OUTPUT_DIR/$package/services.txt"
objection -g $package explore -c "android keystore list" > "$OUTPUT_DIR/$package/keystore.txt"
# Disable security controls
objection -g $package explore -c "android sslpinning disable"
objection -g $package explore -c "android root disable"
echo "Completed processing: $package"
sleep 5
done < "$PACKAGE_LIST"
echo "Batch processing completed" ```_
Benutzerdefinierte Haken Generator¶
```python
!/usr/bin/env python3¶
Custom Objection hook generator¶
import json
class HookGenerator: def init(self): self.hooks = []
def generate_method_hook(self, class_name, method_name, return_value=None):
"""Generate method hook"""
hook = \\\\{
"type": "method_hook",
"class": class_name,
"method": method_name,
"action": "monitor"
\\\\}
if return_value:
hook["return_value"] = return_value
hook["action"] = "modify"
self.hooks.append(hook)
return hook
def generate_class_hook(self, class_name):
"""Generate class hook"""
hook = \\\\{
"type": "class_hook",
"class": class_name,
"action": "monitor_all"
\\\\}
self.hooks.append(hook)
return hook
def generate_objection_script(self):
"""Generate Objection script from hooks"""
script_lines = []
for hook in self.hooks:
if hook["type"] == "method_hook":
if hook["action"] == "monitor":
script_lines.append(f"android hooking watch class_method \\\\{hook['class']\\\\}.\\\\{hook['method']\\\\}")
elif hook["action"] == "modify":
script_lines.append(f"android hooking set return_value \\\\{hook['class']\\\\}.\\\\{hook['method']\\\\} \\\\{hook['return_value']\\\\}")
elif hook["type"] == "class_hook":
script_lines.append(f"android hooking watch class \\\\{hook['class']\\\\}")
return "\n".join(script_lines)
def save_script(self, filename):
"""Save generated script to file"""
script = self.generate_objection_script()
with open(filename, 'w') as f:
f.write(script)
Usage example¶
generator = HookGenerator() generator.generate_method_hook("com.example.Security", "isValid", "true") generator.generate_method_hook("com.example.Auth", "checkPassword", "true") generator.generate_class_hook("com.example.Crypto")
script = generator.generate_objection_script() print(script) ```_
Integrationsbeispiele¶
Frida Script Integration¶
```javascript // Custom Frida script for Objection Java.perform(function() \\{ // Hook login method var MainActivity = Java.use("com.example.MainActivity");
MainActivity.login.implementation = function(username, password) \\\\{
console.log("[+] Login attempt:");
console.log(" Username: " + username);
console.log(" Password: " + password);
// Call original method
var result = this.login(username, password);
console.log(" Result: " + result);
return result;
\\\\};
// Hook encryption method
var CryptoUtils = Java.use("com.example.CryptoUtils");
CryptoUtils.encrypt.implementation = function(data) \\\\{
console.log("[+] Encryption called with: " + data);
// Return plaintext instead of encrypted data
return data;
\\\\};
\\}); ```_
Integration von Burp Suite¶
```python
!/usr/bin/env python3¶
Burp Suite and Objection integration¶
import requests import subprocess import time
class BurpObjectionIntegration: def init(self, burp_proxy, package_name): self.burp_proxy = burp_proxy self.package_name = package_name self.session = requests.Session() self.session.proxies = \\{'http': burp_proxy, 'https': burp_proxy\\} self.session.verify = False
def setup_objection(self):
"""Setup Objection with SSL pinning bypass"""
commands = [
f"objection -g \\\\{self.package_name\\\\} explore",
"android sslpinning disable",
"android root disable"
]
for cmd in commands:
subprocess.run(cmd.split())
time.sleep(2)
def test_endpoints(self, endpoints):
"""Test endpoints through Burp proxy"""
for endpoint in endpoints:
try:
response = self.session.get(endpoint)
print(f"Endpoint: \\\\{endpoint\\\\} - Status: \\\\{response.status_code\\\\}")
except Exception as e:
print(f"Error testing \\\\{endpoint\\\\}: \\\\{e\\\\}")
Usage¶
integration = BurpObjectionIntegration("http://127.0.0.1:8080", "com.example.app") integration.setup_objection() integration.test_endpoints(["https://api.example.com/login", "https://api.example.com/data"]) ```_
OWASP ZAP Integration¶
```python
!/usr/bin/env python3¶
OWASP ZAP and Objection integration¶
from zapv2 import ZAPv2 import subprocess import time
class ZAPObjectionIntegration: def init(self, zap_proxy, package_name): self.zap = ZAPv2(proxies=\\{'http': zap_proxy, 'https': zap_proxy\\}) self.package_name = package_name
def setup_mobile_testing(self):
"""Setup mobile testing environment"""
# Start Objection
subprocess.Popen([
"objection", "-g", self.package_name, "explore",
"-c", "android sslpinning disable"
])
time.sleep(5)
# Configure ZAP for mobile testing
self.zap.core.set_option_use_proxy_chain(True)
self.zap.core.set_option_proxy_chain_name("127.0.0.1")
self.zap.core.set_option_proxy_chain_port(8080)
def run_active_scan(self, target_url):
"""Run active scan against mobile app endpoints"""
# Spider the application
scan_id = self.zap.spider.scan(target_url)
# Wait for spider to complete
while int(self.zap.spider.status(scan_id)) < 100:
time.sleep(1)
# Run active scan
scan_id = self.zap.ascan.scan(target_url)
# Wait for scan to complete
while int(self.zap.ascan.status(scan_id)) < 100:
time.sleep(1)
# Get results
alerts = self.zap.core.alerts()
return alerts
Usage¶
integration = ZAPObjectionIntegration("http://127.0.0.1:8080", "com.example.app") integration.setup_mobile_testing() alerts = integration.run_active_scan("https://api.example.com") ```_
Fehlerbehebung¶
Verbindungsprobleme¶
```bash
Check Frida server status¶
adb shell ps|grep frida-server
Restart Frida server¶
adb shell killall frida-server adb shell /data/local/tmp/frida-server &
Check device connectivity¶
frida-ps -U
Test Objection connection¶
objection -g com.android.settings explore -c "env"
Debug connection issues¶
objection -g com.example.app explore --debug ```_
Bewerbungsfragen¶
```bash
Check if application is running¶
adb shell ps|grep com.example.app
Start application¶
adb shell am start -n com.example.app/.MainActivity
Check application permissions¶
adb shell dumpsys package com.example.app|grep permission
Clear application data¶
adb shell pm clear com.example.app
Reinstall application¶
adb uninstall com.example.app adb install app.apk ```_
Leistungsfragen¶
```bash
Monitor device resources¶
adb shell top
Check memory usage¶
adb shell dumpsys meminfo com.example.app
Monitor CPU usage¶
adb shell dumpsys cpuinfo
Check storage space¶
adb shell df
Optimize Frida performance¶
frida-server -l 0.0.0.0:27042 ```_
Sicherheitsüberlegungen¶
Operationelle Sicherheit¶
Gerätesicherheit: - Verwenden Sie spezielle Testgeräte - Implementierung der Geräteisolation - Regelmäßige Sicherheitsupdates - Monitor für Malware - Sichere Datenspeicherung
Netzwerksicherheit: - Verwenden Sie VPN für Ferntests - Implementierung der Verkehrsverschlüsselung - Netzwerkaktivität überwachen - Sichere Proxykonfigurationen - Regelmäßige Netzprüfungen
Rechtliche und ethische Überlegungen¶
Authorized Testing Only: - ordnungsgemäße Genehmigung erhalten - Testbereich definieren - Alle Aktivitäten - Verantwortliche Offenlegung - Datenschutzrechte achten
Beste Praktiken: - Verwendung in kontrollierten Umgebungen - Regelmäßige Sicherheitsbewertungen - Durchführung von Sanierungsmaßnahmen - Monitor für unbefugte Nutzung - Bewahren Sie Audit-Strecken