WithSecureLabs / needle

The iOS Security Testing Framework
https://mobiletools.mwrinfosecurity.com/

No such file or directory: '/.needle/tmp/plist' #164

Closed shiham101 closed 7 years ago

shiham101 commented 7 years ago

Issue

No such file or directory: '/.needle/tmp/plist'

Expected behaviour

use binary/info/metadata

Actual behaviour

[!] IOError: [Errno 2] No such file or directory: '/Users/hansswang/.needle/tmp/plist'

Steps to reproduce

1. use binary/info/metadata
2. run

needle error logs

[needle] > use binary/info/metadata
[needle][metadata] > run
[*] Checking connection with device...
[+] Already connected to: 127.0.0.1
[D] Creating temp folder: /var/root/needle/
[D] [REMOTE CMD] Remote Command: if [ -d /var/root/needle/ ]; then echo "yes"; else echo "no" ; fi
[+] Target app: tw.com.bonuswinner.mj16tw
[*] Retrieving app's metadata...
/private/var/containers/Bundle/Application/4617853D-8443-498B-8AC0-CCC851CF1E73/MJ16TW.app/Info.plist
[D] Copying the plist to temp: /private/var/containers/Bundle/Application/4617853D-8443-498B-8AC0-CCC851CF1E73/MJ16TW.app/Info.plist -> /Users/hansswang/.needle/tmp/plist
[*] Pulling: /private/var/containers/Bundle/Application/4617853D-8443-498B-8AC0-CCC851CF1E73/MJ16TW.app/Info.plist -> /Users/hansswang/.needle/tmp/plist
[D] Downloading: "/private/var/containers/Bundle/Application/4617853D-8443-498B-8AC0-CCC851CF1E73/MJ16TW.app/Info.plist" -> /Users/hansswang/.needle/tmp/plist
[D] [LOCAL CMD] Local Command: sshpass -p "alpine" scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -P 2222 root@127.0.0.1:"/private/var/containers/Bundle/Application/4617853D-8443-498B-8AC0-CCC851CF1E73/MJ16TW.app/Info.plist" /Users/hansswang/.needle/tmp/plist
------------------------------------------------------------
Traceback (most recent call last):
  File "/Volumes/32GB/needle-develop/needle/core/framework/module.py", line 111, in do_run
    pre = self.module_pre()
  File "/Volumes/32GB/needle-develop/needle/core/framework/module.py", line 147, in module_pre
    if self.app_check() is None: return None
  File "/Volumes/32GB/needle-develop/needle/core/framework/framework.py", line 690, in app_check
    self.APP_METADATA = Framework.APP_METADATA = self.device.app.get_metadata(app)
  File "/Volumes/32GB/needle-develop/needle/core/device/app.py", line 19, in get_metadata
    return self._retrieve_metadata()
  File "/Volumes/32GB/needle-develop/needle/core/device/app.py", line 31, in _retrieve_metadata
    plist_info = self._device.remote_op.parse_plist(plist_info_path)
  File "/Volumes/32GB/needle-develop/needle/core/device/remote_operations.py", line 219, in parse_plist
    content = Utils.plist_read_from_file(plist_copy)
  File "/Volumes/32GB/needle-develop/needle/core/utils/utils.py", line 155, in plist_read_from_file
    plist = biplist.readPlist(path)
  File "/usr/local/lib/python2.7/site-packages/biplist/__init__.py", line 122, in readPlist
    pathOrFile = open(pathOrFile, 'rb')
IOError: [Errno 2] No such file or directory: '/Users/hansswang/.needle/tmp/plist'
------------------------------------------------------------
[!] IOError: [Errno 2] No such file or directory: '/Users/hansswang/.needle/tmp/plist'

Environment

Workstation Operating System

mac 10.12.4

Python Version

Python 2.7.10

Python Packages (pip freeze)

beautifulsoup4==4.3.2
biplist==1.0.2
capstone==2.1
cffi==1.6.0
chardet==2.3.0
colorama==0.3.9
cryptography==1.2.1
drozer==2.3.4
ecdsa==0.13
enum34==1.1.4
frida==10.0.3
idna==2.1
ipaddress==1.0.16
ipython==1.1.0
lxml==3.4.4
Mako==1.0.1
MarkupSafe==0.23
mercurial==3.8.3
paramiko==2.1.2
pbr==1.9.1
poster==0.8.1
prompt-toolkit==1.0.14
protobuf==2.4.1
psutil==3.1.1
pwntools==2.2
pyasn1==0.1.9
pycparser==2.14
pycrypto==2.7a1
pyelftools==0.23
Pygments==2.2.0
PyInstaller==2.1
pyOpenSSL==0.13
pyserial==2.7
python-dateutil==2.4.2
python-gcm==0.2
readline==6.2.4.1
requests==2.7.0
ROPGadget==5.4
shodan==1.3.3
six==1.10.0
sshtunnel==0.1.2
stevedore==1.12.0
Twisted==10.2.0
vboxapi==1.0
virtualenv==15.0.1
virtualenv-clone==0.2.6
virtualenvwrapper==4.7.1
volatility==2.3.1
wafw00f==0.9.3
wcwidth==0.1.7
yara-python==3.3.0

Device iOS Version

10.2

marco-lancini commented 7 years ago

In order to debug this issue, we require more information.

Ensure VERBOSE and DEBUG mode are enabled; this will provide us with more detailed needle logs:

[needle] > set VERBOSE True
VERBOSE => True
[needle] > set DEBUG True
DEBUG => True

Once you have this information, please attach the log files (starting from when you type python needle.py) to this thread and we can assist further.

shiham101 commented 7 years ago

Is there only one SSH session to the iPhone?

After I successfully log in to the iPhone SSH shell, I log out of the shell and then run binary/info/metadata

[!] SSH Session appears to have died! again

HanssWangMacBook-Air:needle hansswang$ sudo python needle.py

             __   _ _______ _______ ______         _______
             | \  | |______ |______ |     \ |      |______
             |  \_| |______ |______ |_____/ |_____ |______

                   Needle v1.1.0 [mwr.to/needle]                  
  [MWR InfoSecurity (@MWRLabs) - Marco Lancini (@LanciniMarco)]   

[needle] > set AGENT_PORT 4466
AGENT_PORT => 4466
[needle] > shell
[*] Spawning a shell...
[*] Checking connection with device...
[V] Connection not present, creating a new instance
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
[V] [SSH] Connecting (127.0.0.1:2222)...
[+] [SSH] Connected (127.0.0.1:2222)
Warning: Permanently added '[127.0.0.1]:2222' (ECDSA) to the list of known hosts.
wangpeiyude-iPhone:~ root# logout
Connection to 127.0.0.1 closed.
[needle] > use binary/info/metadata
[needle][metadata] > run
[?] Attention! The folder chosen to store local output is not empty: /Users/hansswang/.needle/output
[?] Do you want to back it up first?
[?] Y: the content will be archived in a different location, then the folder will be emptied
[?] N: no action will be taken (destination files might be overwritten in case of filename clash)
[y/n]: Y
[V] Archiving local output folder: /Users/hansswang/.needle/output --> /Users/hansswang/.needle/backup/needle-output_2017-05-12-09:15:35
[*] Checking connection with device...
[+] Already connected to: 127.0.0.1
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
2017-05-12 09:15:38,823| ERROR   | Secsh channel 0 open FAILED: : Connect failed
2017-05-12 09:15:38,829| ERROR   | Could not establish connection from ('127.0.0.1', 4466) to remote side of the tunnel
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
2017-05-12 09:15:41,170| ERROR   | Secsh channel 0 open FAILED: : Connect failed
2017-05-12 09:15:41,171| ERROR   | Could not establish connection from ('127.0.0.1', 4466) to remote side of the tunnel
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
2017-05-12 09:15:43,511| ERROR   | Secsh channel 0 open FAILED: : Connect failed
2017-05-12 09:15:43,512| ERROR   | Could not establish connection from ('127.0.0.1', 4466) to remote side of the tunnel
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
2017-05-12 09:15:45,860| ERROR   | Secsh channel 0 open FAILED: : Connect failed
2017-05-12 09:15:45,861| ERROR   | Could not establish connection from ('127.0.0.1', 4466) to remote side of the tunnel
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
2017-05-12 09:15:48,207| ERROR   | Secsh channel 0 open FAILED: : Connect failed
2017-05-12 09:15:48,208| ERROR   | Could not establish connection from ('127.0.0.1', 4466) to remote side of the tunnel
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
2017-05-12 09:15:50,549| ERROR   | Secsh channel 0 open FAILED: : Connect failed
2017-05-12 09:15:50,550| ERROR   | Could not establish connection from ('127.0.0.1', 4466) to remote side of the tunnel
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
2017-05-12 09:15:52,903| ERROR   | Secsh channel 0 open FAILED: : Connect failed
2017-05-12 09:15:52,908| ERROR   | Could not establish connection from ('127.0.0.1', 4466) to remote side of the tunnel
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
2017-05-12 09:15:55,250| ERROR   | Secsh channel 0 open FAILED: : Connect failed
2017-05-12 09:15:55,250| ERROR   | Could not establish connection from ('127.0.0.1', 4466) to remote side of the tunnel
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
2017-05-12 09:15:57,586| ERROR   | Secsh channel 0 open FAILED: : Connect failed
2017-05-12 09:15:57,587| ERROR   | Could not establish connection from ('127.0.0.1', 4466) to remote side of the tunnel
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
2017-05-12 09:15:59,945| ERROR   | Secsh channel 0 open FAILED: : Connect failed
2017-05-12 09:15:59,945| ERROR   | Could not establish connection from ('127.0.0.1', 4466) to remote side of the tunnel
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
2017-05-12 09:16:02,291| ERROR   | Secsh channel 0 open FAILED: : Connect failed
2017-05-12 09:16:02,292| ERROR   | Could not establish connection from ('127.0.0.1', 4466) to remote side of the tunnel
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4466)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4466)...
2017-05-12 09:16:04,635| ERROR   | Secsh channel 0 open FAILED: : Connect failed
2017-05-12 09:16:04,636| ERROR   | Could not establish connection from ('127.0.0.1', 4466) to remote side of the tunnel
[!] SSH Session appears to have died!
[V] [SSH] Disconnecting...
[V] [AGENT] Disconnecting from agent...
[?] Reconnecting to device...
^C
[needle][metadata] > shell
[*] Spawning a shell...
[*] Checking connection with device...
[+] Already connected to: 127.0.0.1
ssh: connect to host 127.0.0.1 port 2222: Connection refused
[needle][metadata] > 

marco-lancini commented 7 years ago

Do you still have the agent in the foreground?

shiham101 commented 7 years ago

Nope.

[needle] > set DEBUG True
DEBUG => True
[needle] > shell
[*] Spawning a shell...
[*] Checking connection with device...
[V] Connection not present, creating a new instance
[D] Setting up USB port forwarding on port 2222
[D] [LOCAL CMD] Local Subprocess Command: /Users/hansswang/Pentest/needle-develop/needle/libs/usbmuxd/tcprelay.py -t 22:2222
[D] [AGENT] Setting up port forwarding on port 4444
[V] [AGENT] Connecting to agent (127.0.0.1:4444)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4444)...
[D] [AGENT] Executing command: os_version
[D] [AGENT] Parsing result
[V] [SSH] Connecting (127.0.0.1:2222)...
[+] [SSH] Connected (127.0.0.1:2222)
[D] [LOCAL CMD] Local Interactive Command: sshpass -p "alpine" ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 2222 root@127.0.0.1
Warning: Permanently added '[127.0.0.1]:2222' (ECDSA) to the list of known hosts.
wangpeiyude-iPhone:~ root# logout
Connection to 127.0.0.1 closed.
[needle] > use binary/info/metadata
[needle][metadata] > run
[D] Setup local output folder: /Users/hansswang/.needle/output
[?] Attention! The folder chosen to store local output is not empty: /Users/hansswang/.needle/output
[?] Do you want to back it up first?
[?] Y: the content will be archived in a different location, then the folder will be emptied
[?] N: no action will be taken (destination files might be overwritten in case of filename clash)
[y/n]: 
[D] Setting up issue's database...
[D] [DB] QUERY: CREATE TABLE IF NOT EXISTS issues (app TEXT, module TEXT, name TEXT, content TEXT, confidence TEXT, outfile TEXT)
[*] Checking connection with device...
[+] Already connected to: 127.0.0.1
[D] Creating temp folder: /var/root/needle/
[D] [REMOTE CMD] Remote Command: if [ -d /var/root/needle/ ]; then echo "yes"; else echo "no" ; fi
[D] [AGENT] Executing command: os_version
[D] [AGENT] Parsing result
[*] Target app not selected. Launching wizard...
[D] [AGENT] Executing command: list_apps
[D] [AGENT] Parsing result
[+] Apps found:
        0 - tw.com.bonuswinner.mj16tw
        1 - com.trendmicro.mobile.iOS.iTMMSAPN
        2 - com.fubonlife.ProdMobileC
        3 - com.mixerbox.QR
        4 - com.apple.Numbers
        5 - gogolook.whoscall
        6 - com.kthcorp.helloworld
        7 - com.apple.Keynote
        8 - com.apple.Pages
        9 - com.apple.itunesu
        10 - com.apple.mobilegarageband
        11 - hk.itools.apper
        12 - com.apple.iMovie
        13 - kim.cracksby.yalu102
[>][QUESTION] Please select a number: 0
[+] Target app: tw.com.bonuswinner.mj16tw
[*] Retrieving app's metadata...
/private/var/containers/Bundle/Application/4617853D-8443-498B-8AC0-CCC851CF1E73/MJ16TW.app/Info.plist
[D] Copying the plist to temp: /private/var/containers/Bundle/Application/4617853D-8443-498B-8AC0-CCC851CF1E73/MJ16TW.app/Info.plist -> /Users/hansswang/.needle/tmp/plist
[*] Pulling: /private/var/containers/Bundle/Application/4617853D-8443-498B-8AC0-CCC851CF1E73/MJ16TW.app/Info.plist -> /Users/hansswang/.needle/tmp/plist
[D] Downloading: "/private/var/containers/Bundle/Application/4617853D-8443-498B-8AC0-CCC851CF1E73/MJ16TW.app/Info.plist" -> /Users/hansswang/.needle/tmp/plist
[D] [LOCAL CMD] Local Command: sshpass -p "alpine" scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -P 2222 root@127.0.0.1:"/private/var/containers/Bundle/Application/4617853D-8443-498B-8AC0-CCC851CF1E73/MJ16TW.app/Info.plist" /Users/hansswang/.needle/tmp/plist
------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/hansswang/Pentest/needle-develop/needle/core/framework/module.py", line 111, in do_run
    pre = self.module_pre()
  File "/Users/hansswang/Pentest/needle-develop/needle/core/framework/module.py", line 147, in module_pre
    if self.app_check() is None: return None
  File "/Users/hansswang/Pentest/needle-develop/needle/core/framework/framework.py", line 690, in app_check
    self.APP_METADATA = Framework.APP_METADATA = self.device.app.get_metadata(app)
  File "/Users/hansswang/Pentest/needle-develop/needle/core/device/app.py", line 19, in get_metadata
    return self._retrieve_metadata()
  File "/Users/hansswang/Pentest/needle-develop/needle/core/device/app.py", line 31, in _retrieve_metadata
    plist_info = self._device.remote_op.parse_plist(plist_info_path)
  File "/Users/hansswang/Pentest/needle-develop/needle/core/device/remote_operations.py", line 219, in parse_plist
    content = Utils.plist_read_from_file(plist_copy)
  File "/Users/hansswang/Pentest/needle-develop/needle/core/utils/utils.py", line 155, in plist_read_from_file
    plist = biplist.readPlist(path)
  File "/usr/local/lib/python2.7/site-packages/biplist/__init__.py", line 122, in readPlist
    pathOrFile = open(pathOrFile, 'rb')
IOError: [Errno 2] No such file or directory: '/Users/hansswang/.needle/tmp/plist'
------------------------------------------------------------
[!] IOError: [Errno 2] No such file or directory: '/Users/hansswang/.needle/tmp/plist'

marco-lancini commented 7 years ago

Try to leave the agent in the foreground, please.

shiham101 commented 7 years ago

2017-05-17 10 17 45

marco-lancini commented 7 years ago

hi @shiham101, I meant the agent on the device

marco-lancini commented 7 years ago

can you also try to run this command (outside needle):

sshpass -p "alpine" scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -P 2222 root@127.0.0.1:"/private/var/containers/Bundle/Application/4617853D-8443-498B-8AC0-CCC851CF1E73/MJ16TW.app/Info.plist" /Users/hansswang/.needle/tmp/plist

I think the problem here is that you are missing the scp package on your device. Please refer to the wiki for instructions on how to install dependencies on the device.
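
The failure mode in this thread, as an added example that is not part of the original thread or of needle's code: the scp pull fails because the device has no scp, but the error only surfaces later when the missing local file is opened. The sketch below (Python 3; `pull_file`, `PullError` and the stand-in commands are hypothetical and constructed) checks the transfer's exit status and the destination file so the cause is reported where it happens.

```python
import os
import shutil
import subprocess
import tempfile


class PullError(Exception):
    """A transfer command failed or left no usable local file."""


def pull_file(cmd, dest):
    """Run a transfer command (argv list) and verify dest was written (hypothetical helper)."""
    dest_dir = os.path.dirname(dest)
    if dest_dir and not os.path.isdir(dest_dir):
        os.makedirs(dest_dir)
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    stderr = proc.stderr.strip()
    if proc.returncode != 0:
        hint = ""
        if "scp: command not found" in stderr:
            hint = " (scp is not installed on the device)"
        raise PullError("transfer exited with %d: %s%s"
                        % (proc.returncode, stderr, hint))
    if not os.path.isfile(dest) or os.path.getsize(dest) == 0:
        raise PullError("transfer exited 0 but %s is missing or empty" % dest)
    return dest


def demo():
    """Run both outcomes with constructed stand-in commands (no device needed)."""
    workdir = tempfile.mkdtemp()
    try:
        dest = os.path.join(workdir, "tmp", "plist")
        # Constructed stand-in for scp against a device that lacks scp.
        no_scp = ["sh", "-c", 'echo "-sh: scp: command not found" >&2; exit 1']
        try:
            pull_file(no_scp, dest)
            failure = None
        except PullError as exc:
            failure = str(exc)
        # Constructed stand-in for a transfer that works.
        src = os.path.join(workdir, "Info.plist")
        with open(src, "w") as fh:
            fh.write("<plist></plist>")
        with open(pull_file(["cp", src, dest], dest)) as fh:
            return failure, fh.read()
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```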

JoelPagliuca commented 7 years ago

I have just run into the same problem. I've installed the dependencies listed in your documentation (Cydia and Apt 0.7 Strict). @marco-lancini, are there any other Cydia packages you may have left out? I ran the above command and get -sh: scp: command not found

marco-lancini commented 7 years ago

Hi @JoelPagliuca, the dependencies are pre-requisites that need to be already installed for needle to start. All the other dependencies can automatically be installed by needle with the dependency_installer module: https://github.com/mwrlabs/needle/wiki/Quick-Start-Guide#device-dependencies

JoelPagliuca commented 7 years ago

Working perfectly @marco-lancini, thank you heaps for the support, maybe worth making that section more obvious for spuds like me?

marco-lancini commented 7 years ago

@JoelPagliuca, good idea. I modified the Installation Guide accordingly