Objeción Cheat Sheet
"Clase de la hoja" id="copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos id="pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button ■/div titulada
Sinopsis
Objeción es un kit de herramientas de exploración móvil de tiempo de ejecución construido en la parte superior de Frida, diseñado para proporcionar a investigadores de seguridad y testadores de penetración capacidades integrales para analizar y manipular aplicaciones móviles durante el tiempo de ejecución. Desarrollado por Leon Jacobs, Objection sirve como una poderosa interfaz para las capacidades de instrumentación dinámica de Frida, ofreciendo una interfaz de línea de comandos fácil de usar para realizar evaluaciones complejas de seguridad de aplicaciones móviles. La herramienta soporta tanto las plataformas iOS como Android, lo que lo convierte en un componente esencial de cualquier arsenal de pruebas de seguridad móvil.
La fuerza principal de la Objeción reside en su capacidad de realizar la manipulación de tiempo de ejecución de aplicaciones móviles sin requerir acceso a código fuente o recompilación de aplicaciones. Al aprovechar el motor de instrumentación de Frida, la Objeción puede conectarse a las funciones de aplicación, modificar el comportamiento, evitar los controles de seguridad y extraer información confidencial de las aplicaciones en ejecución. Esta capacidad lo hace particularmente valioso para los escenarios de pruebas de seguridad de caja negra donde los enfoques de análisis estáticos tradicionales son insuficientes o poco prácticos.
Objeción proporciona un conjunto completo de características, incluyendo bypass de fijación SSL, bypass de detección root/jailbreak, exploración del sistema de archivos, manipulación de memoria y conexión de método. La arquitectura modular de la herramienta permite una fácil extensión y personalización, mientras que su estructura de comando intuitiva hace que sea accesible tanto para los profesionales de seguridad novicios como experimentados. Objeción representa un avance significativo en las pruebas de seguridad de aplicaciones móviles, proporcionando capacidades que antes sólo estaban disponibles a través de complejos scripts personalizados de Frida.
Instalación
Instalación de paquetes Python
Instalar la Objeción vía Python administrador de paquetes:
# Install via pip
pip3 install objection
# Install specific version
pip3 install objection==1.11.0
# Install with development dependencies
pip3 install objection[dev]
# Upgrade to latest version
pip3 install --upgrade objection
# Install from source
git clone https://github.com/sensepost/objection.git
cd objection
pip3 install .
Frida Instalación
Instalación de dependencias de Frida:
# Install Frida tools
pip3 install frida-tools
# Install Frida for Python
pip3 install frida
# Verify Frida installation
frida --version
# Install Frida server for Android
wget https://github.com/frida/frida/releases/latest/download/frida-server-android-arm64
adb push frida-server-android-arm64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
Configuración de dispositivos
Configuración de dispositivos objetivos:
# Android device setup
adb devices
adb root
adb shell /data/local/tmp/frida-server &
# iOS device setup (jailbroken)
ssh root@ios-device
apt-get install frida
frida-server &
# Verify device connectivity
frida-ps -U
Uso básico
App Discovery
Descubrir y enumerar aplicaciones:
# List running applications
objection -g com.example.app explore
# List installed applications
frida-ps -Ua
# List running processes
frida-ps -U
# Get application information
objection -g com.example.app explore -c "env"
# List application activities (Android)
objection -g com.example.app explore -c "android hooking list activities"
Exploración básica
Comandos básicos de exploración de aplicaciones:
# Start Objection session
objection -g com.example.app explore
# Get environment information
env
# List loaded classes
android hooking list classes
# List class methods
android hooking list class_methods com.example.MainActivity
# Search for classes
android hooking search classes keyword
# Search for methods
android hooking search methods keyword
Operaciones del sistema de archivos
Exploración y manipulación del sistema de archivos:
# List files in application directory
ls
# Change directory
cd /data/data/com.example.app
# Download file from device
file download /data/data/com.example.app/databases/app.db ./app.db
# Upload file to device
file upload ./payload.txt /data/data/com.example.app/files/payload.txt
# Show file contents
cat /data/data/com.example.app/shared_prefs/settings.xml
# Find files by name
find /data/data/com.example.app -name "*.db"
Características avanzadas
SSL Pinning Bypass
Pasando el certificado SSL pinning:
# Disable SSL pinning (Android)
android sslpinning disable
# Disable SSL pinning (iOS)
ios sslpinning disable
# Monitor SSL pinning attempts
android sslpinning monitor
# Custom SSL pinning bypass
android hooking set return_value com.example.SSLPinning.verify true
Root/Jailbreak Detection Bypass
Detección de raíz y ruptura de la cárcel:
# Disable root detection (Android)
android root disable
# Disable jailbreak detection (iOS)
ios jailbreak disable
# Monitor root detection attempts
android root monitor
# Simulate non-rooted environment
android root simulate
# Hook specific root detection methods
android hooking set return_value com.example.RootDetection.isRooted false
Método Hooking
Hooking y manipulación de métodos de aplicación:
# Hook method and monitor calls
android hooking watch class com.example.MainActivity
# Hook specific method
android hooking watch class_method com.example.MainActivity.onCreate
# Set method return value
android hooking set return_value com.example.Security.isValid true
# Generate method hook template
android hooking generate simple com.example.MainActivity.login
# Hook constructor
android hooking watch class_method com.example.User.$init
Operaciones de memoria
Exploración y manipulación de memoria:
# Dump memory regions
memory dump all
# Dump specific memory region
memory dump 0x12345678 1024
# Search memory for patterns
memory search "password"
# Search memory for specific bytes
memory search --pattern "41 42 43 44"
# List memory regions
memory list
# Write to memory
memory write 0x12345678 "new_value"
Keystore y Cryptography
Keystore y operaciones criptográficas:
# List keystore entries (Android)
android keystore list
# Dump keystore entry
android keystore detail alias_name
# Monitor cryptographic operations
android crypto monitor
# Hook encryption/decryption methods
android hooking watch class javax.crypto.Cipher
# Bypass certificate validation
android sslpinning disable --quiet
Características de plataforma-específico
Android-Specific Commands
Funcionalidad específica para Android:
# List activities
android hooking list activities
# List services
android hooking list services
# List broadcast receivers
android hooking list receivers
# Start activity
android intent launch_activity com.example.MainActivity
# Send broadcast intent
android intent send_broadcast --action com.example.ACTION
# Monitor intents
android intent monitor
# Dump application heap
android heap dump
# Search heap for objects
android heap search instances com.example.User
iOS-Specific Commands
Funcionalidad específica para iOS:
# List bundles
ios bundles list
# List classes in bundle
ios hooking list classes
# Monitor pasteboard
ios pasteboard monitor
# Dump keychain
ios keychain dump
# Monitor URL schemes
ios url_scheme monitor
# Hook Objective-C methods
ios hooking watch method "-[ViewController viewDidLoad]"
# List frameworks
ios bundles list_frameworks
# Monitor file operations
ios file monitor
Scripts de automatización
Evaluación automatizada
#!/usr/bin/env python3
# Objection automated assessment script
import subprocess
import json
import time
class ObjectionAutomation:
def __init__(self, package_name):
self.package_name = package_name
self.session = None
def start_session(self):
"""Start Objection session"""
cmd = f"objection -g \\\\{self.package_name\\\\} explore"
self.session = subprocess.Popen(
cmd.split(),
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True
)
time.sleep(2)
def execute_command(self, command):
"""Execute command in Objection session"""
if self.session:
self.session.stdin.write(f"\\\\{command\\\\}\n")
self.session.stdin.flush()
time.sleep(1)
def run_security_assessment(self):
"""Run comprehensive security assessment"""
commands = [
"env",
"android sslpinning disable",
"android root disable",
"android hooking list activities",
"android hooking list services",
"android keystore list",
"memory dump all",
"file download /data/data/\\\\{\\\\}/databases/ ./databases/".format(self.package_name),
"android intent monitor"
]
for cmd in commands:
print(f"Executing: \\\\{cmd\\\\}")
self.execute_command(cmd)
time.sleep(2)
def close_session(self):
"""Close Objection session"""
if self.session:
self.execute_command("exit")
self.session.terminate()
# Usage
if __name__ == "__main__":
automation = ObjectionAutomation("com.example.app")
automation.start_session()
automation.run_security_assessment()
automation.close_session()
Procesamiento de lotes
#!/bin/bash
# Objection batch processing script
PACKAGE_LIST="packages.txt"
OUTPUT_DIR="objection_results"
mkdir -p $OUTPUT_DIR
while IFS= read -r package; do
echo "Processing package: $package"
# Create package-specific directory
mkdir -p "$OUTPUT_DIR/$package"
# Run Objection commands
objection -g $package explore -c "env" > "$OUTPUT_DIR/$package/env.txt"
objection -g $package explore -c "android hooking list activities" > "$OUTPUT_DIR/$package/activities.txt"
objection -g $package explore -c "android hooking list services" > "$OUTPUT_DIR/$package/services.txt"
objection -g $package explore -c "android keystore list" > "$OUTPUT_DIR/$package/keystore.txt"
# Disable security controls
objection -g $package explore -c "android sslpinning disable"
objection -g $package explore -c "android root disable"
echo "Completed processing: $package"
sleep 5
done < "$PACKAGE_LIST"
echo "Batch processing completed"
Generador de gancho personalizado
#!/usr/bin/env python3
# Custom Objection hook generator
import json
class HookGenerator:
def __init__(self):
self.hooks = []
def generate_method_hook(self, class_name, method_name, return_value=None):
"""Generate method hook"""
hook = \\\\{
"type": "method_hook",
"class": class_name,
"method": method_name,
"action": "monitor"
\\\\}
if return_value:
hook["return_value"] = return_value
hook["action"] = "modify"
self.hooks.append(hook)
return hook
def generate_class_hook(self, class_name):
"""Generate class hook"""
hook = \\\\{
"type": "class_hook",
"class": class_name,
"action": "monitor_all"
\\\\}
self.hooks.append(hook)
return hook
def generate_objection_script(self):
"""Generate Objection script from hooks"""
script_lines = []
for hook in self.hooks:
if hook["type"] == "method_hook":
if hook["action"] == "monitor":
script_lines.append(f"android hooking watch class_method \\\\{hook['class']\\\\}.\\\\{hook['method']\\\\}")
elif hook["action"] == "modify":
script_lines.append(f"android hooking set return_value \\\\{hook['class']\\\\}.\\\\{hook['method']\\\\} \\\\{hook['return_value']\\\\}")
elif hook["type"] == "class_hook":
script_lines.append(f"android hooking watch class \\\\{hook['class']\\\\}")
return "\n".join(script_lines)
def save_script(self, filename):
"""Save generated script to file"""
script = self.generate_objection_script()
with open(filename, 'w') as f:
f.write(script)
# Usage example
generator = HookGenerator()
generator.generate_method_hook("com.example.Security", "isValid", "true")
generator.generate_method_hook("com.example.Auth", "checkPassword", "true")
generator.generate_class_hook("com.example.Crypto")
script = generator.generate_objection_script()
print(script)
Ejemplos de integración
Frida Script Integration
// Custom Frida script for Objection
Java.perform(function() \\\\{
// Hook login method
var MainActivity = Java.use("com.example.MainActivity");
MainActivity.login.implementation = function(username, password) \\\\{
console.log("[+] Login attempt:");
console.log(" Username: " + username);
console.log(" Password: " + password);
// Call original method
var result = this.login(username, password);
console.log(" Result: " + result);
return result;
\\\\};
// Hook encryption method
var CryptoUtils = Java.use("com.example.CryptoUtils");
CryptoUtils.encrypt.implementation = function(data) \\\\{
console.log("[+] Encryption called with: " + data);
// Return plaintext instead of encrypted data
return data;
\\\\};
\\\\});
Burp Suite Integration
#!/usr/bin/env python3
# Burp Suite and Objection integration
import requests
import subprocess
import time
class BurpObjectionIntegration:
def __init__(self, burp_proxy, package_name):
self.burp_proxy = burp_proxy
self.package_name = package_name
self.session = requests.Session()
self.session.proxies = \\\\{'http': burp_proxy, 'https': burp_proxy\\\\}
self.session.verify = False
def setup_objection(self):
"""Setup Objection with SSL pinning bypass"""
commands = [
f"objection -g \\\\{self.package_name\\\\} explore",
"android sslpinning disable",
"android root disable"
]
for cmd in commands:
subprocess.run(cmd.split())
time.sleep(2)
def test_endpoints(self, endpoints):
"""Test endpoints through Burp proxy"""
for endpoint in endpoints:
try:
response = self.session.get(endpoint)
print(f"Endpoint: \\\\{endpoint\\\\} - Status: \\\\{response.status_code\\\\}")
except Exception as e:
print(f"Error testing \\\\{endpoint\\\\}: \\\\{e\\\\}")
# Usage
integration = BurpObjectionIntegration("http://127.0.0.1:8080", "com.example.app")
integration.setup_objection()
integration.test_endpoints(["https://api.example.com/login", "https://api.example.com/data"])
OWASP ZAP Integración
#!/usr/bin/env python3
# OWASP ZAP and Objection integration
from zapv2 import ZAPv2
import subprocess
import time
class ZAPObjectionIntegration:
def __init__(self, zap_proxy, package_name):
self.zap = ZAPv2(proxies=\\\\{'http': zap_proxy, 'https': zap_proxy\\\\})
self.package_name = package_name
def setup_mobile_testing(self):
"""Setup mobile testing environment"""
# Start Objection
subprocess.Popen([
"objection", "-g", self.package_name, "explore",
"-c", "android sslpinning disable"
])
time.sleep(5)
# Configure ZAP for mobile testing
self.zap.core.set_option_use_proxy_chain(True)
self.zap.core.set_option_proxy_chain_name("127.0.0.1")
self.zap.core.set_option_proxy_chain_port(8080)
def run_active_scan(self, target_url):
"""Run active scan against mobile app endpoints"""
# Spider the application
scan_id = self.zap.spider.scan(target_url)
# Wait for spider to complete
while int(self.zap.spider.status(scan_id)) < 100:
time.sleep(1)
# Run active scan
scan_id = self.zap.ascan.scan(target_url)
# Wait for scan to complete
while int(self.zap.ascan.status(scan_id)) < 100:
time.sleep(1)
# Get results
alerts = self.zap.core.alerts()
return alerts
# Usage
integration = ZAPObjectionIntegration("http://127.0.0.1:8080", "com.example.app")
integration.setup_mobile_testing()
alerts = integration.run_active_scan("https://api.example.com")
Solución de problemas
Cuestiones de conexión
# Check Frida server status
adb shell ps|grep frida-server
# Restart Frida server
adb shell killall frida-server
adb shell /data/local/tmp/frida-server &
# Check device connectivity
frida-ps -U
# Test Objection connection
objection -g com.android.settings explore -c "env"
# Debug connection issues
objection -g com.example.app explore --debug
Cuestiones de aplicación
# Check if application is running
adb shell ps|grep com.example.app
# Start application
adb shell am start -n com.example.app/.MainActivity
# Check application permissions
adb shell dumpsys package com.example.app|grep permission
# Clear application data
adb shell pm clear com.example.app
# Reinstall application
adb uninstall com.example.app
adb install app.apk
Cuestiones de ejecución
# Monitor device resources
adb shell top
# Check memory usage
adb shell dumpsys meminfo com.example.app
# Monitor CPU usage
adb shell dumpsys cpuinfo
# Check storage space
adb shell df
# Optimize Frida performance
frida-server -l 0.0.0.0:27042
Consideraciones de seguridad
Seguridad operacional
** Seguridad del dispositivo** - Utilice dispositivos de prueba dedicados - Implementar el aislamiento del dispositivo - Actualizaciones periódicas de seguridad - Monitor for malware - Almacenamiento de datos seguro
Seguridad de red: - Utilice VPN para pruebas remotas - Implementar el cifrado de tráfico - Supervisar la actividad de red - Configuraciones proxy seguras - Auditorías periódicas de la red
Consideraciones jurídicas y éticas
Authorized Testing Only: - Obtener la autorización adecuada - Definir el alcance de las pruebas - Documentar todas las actividades - Seguir la divulgación responsable - Respetar los derechos de privacidad
Las mejores prácticas: - Uso en entornos controlados - Evaluaciones periódicas de seguridad - Implementar medidas de rehabilitación - Monitor para uso no autorizado - Mantener las rutas de auditoría