
Greetings, colleagues!
The traditional device for attacking a Wi-Fi network is probably a laptop. There are several reasons for this: the ability to use "specific" Wi-Fi modules, the availability of the necessary software, and sufficient computing power. So the "classic" image of an attacker is a person in a car with a laptop and an antenna sticking out of the window. But mobile platforms keep developing, and many operations have long been possible "out of pocket."
Many of us use Apple devices running iOS. It is no secret that iOS is essentially a member of the *nix family, with all the advantages that follow from that, including the ability to use many classic pentest applications. Today I would like to talk about tools for conducting the simplest classic Man in the Middle attack on Wi-Fi clients using the ARP poisoning method.
Unfortunately, these manipulations are possible only on jailbroken devices. In this article, the jailbreak is used to access third-party libraries and resources distributed only through alternative repositories.
To install the applications we will use Cydia. I will not tie this to any specific iOS version, but these solutions work successfully on versions 4.* and 5.*. First of all, we need to install a packet capture library: libpcap. It is in the base repository, and installing it should not cause problems. This library will allow us to use several popular products to intercept traffic.
I would like to remind you that to work with most of these programs you will need a "must have": access to the device console. You can get it with OpenSSH from Cydia and a third-party client, for example iSSH from the App Store, or with a local Terminal application installed from the same Cydia. Note also that the applications require the Berkeley DB libraries from the standard repository to be installed beforehand.
The second mandatory step is to add the TheWorm repository, which contains the utilities we need. Additional information on installing new repositories can be found here.

The most interesting of the traffic interception tools available on iOS is, in my opinion, the Ettercap utility, which is convenient and lets you perform all operations directly from it. It is so popular that it is easy to find millions of examples for it. For clarity, there is even a demo video. Note that when it is used with a local Terminal, you are limited to the text interface. When using iSSH on an iOS device, the full console graphical interface is available, which is launched with the ettercap -C command. The variety of functions available through it allows you to conduct a full-fledged attack and analyze traffic "on the spot". The only drawback is the difficulty of working in a console on a mobile device, but this is more than offset by the range of capabilities.
But perhaps you want full control over the spoofing and interception process? Then the set of utilities in the dsniff package is for you. It includes arpspoof and dsniff, which are what you need for ARP poisoning attacks. If you are not familiar with these tools, you should first read their manuals.

In my opinion, such a kit is most convenient for collecting pcap data on your mobile phone and then analyzing it on a PC with tools like NetworkMiner or Wireshark. To transfer the data, you can use WinSCP, Fugu or any tool convenient for you. In general, this set of applications is more than sufficient to test a network for resistance to ARP poisoning.
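As an added example (not part of the original article), here is one way to check captured traffic for signs of ARP poisoning on the PC side: the Python code below parses raw Ethernet/ARP frames and flags an IP address whose advertised MAC changes, or a MAC that starts claiming a second IP. The function names, addresses and sample frames are constructed for illustration; frames taken from a real pcap file would be passed in as raw bytes.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    smac = ":".join(f"{x:02x}" for x in frame[22:28])
    sip = ".".join(str(x) for x in frame[28:32])
    return op, smac, sip

def find_arp_anomalies(frames):
    """Flag IPs whose advertised MAC changes and MACs that claim a second IP."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for n, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] == "0.0.0.0":  # skip non-ARP and ARP probes
            continue
        _, smac, sip = parsed
        old = ip_to_mac.get(sip)
        if old and old != smac:
            alerts.append((n, "ip-rebound", sip, (old, smac)))
        ip_to_mac[sip] = smac
        if sip not in mac_to_ips[smac]:
            mac_to_ips[smac].add(sip)
            if len(mac_to_ips[smac]) > 1:
                alerts.append((n, "mac-multi-ip", smac, tuple(sorted(mac_to_ips[smac]))))
    return alerts

def arp_frame(op, smac, sip, tmac, tip):
    """Build a constructed Ethernet+ARP frame (42 bytes) for the sample below."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    a = lambda i: bytes(int(x) for x in i.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + h(smac) + a(sip) + h(tmac) + a(tip)
    return h(tmac) + h(smac) + b"\x08\x06" + arp

# Constructed sample: gateway .1 and client .20 answer normally, then the MAC
# of host .66 sends a reply that claims the gateway's IP address.
GW, CL, X = "00:11:22:33:44:01", "00:11:22:33:44:20", "00:11:22:33:44:66"
SAMPLE = [
    arp_frame(2, GW, "192.168.1.1", CL, "192.168.1.20"),
    arp_frame(2, CL, "192.168.1.20", GW, "192.168.1.1"),
    arp_frame(1, X, "192.168.1.66", "ff:ff:ff:ff:ff:ff", "192.168.1.1"),
    arp_frame(2, X, "192.168.1.1", CL, "192.168.1.20"),
]

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE):
        print(alert)
```

Legitimate events such as a DHCP reassignment or a replaced network card also produce an ip-rebound alert, so each hit should be compared against the known MAC of the gateway.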

The third and last tool I would like to talk about is the pirni program. This is an interceptor designed specifically for iOS that performs the classic functions of intercepting and analyzing packets: an attack on the ARP table of one or many hosts, collection of the intercepted traffic, and analysis of it through filters. It exists both as an open source version and as a paid graphical utility, Pirni Pro. It is extremely easy to use and saves the final result in pcap format, suitable for further analysis. The graphical version reduces the attack to a single button. This version has a built-in RegEx traffic filter, which lets you monitor the result on the fly, and a minimal set of scanning settings. With properly written regular expressions, test results appear instantly on the screen of your device.
Summing up, I would like to say that quite a lot of software is now available for iOS that makes it possible to carry out the simplest attacks on Wi-Fi networks. Perhaps this is not the intended use of the device, but such a use has a right to exist.
Thanks for your attention! I hope I told you something new.