hkm
February 23rd, 2008, 07:52 PM
As you probably know there are some issues with OpenSSH in 1.1.3:
- you can't easily change the default password,
- the icon does not appear in the springboard,
- sometimes you can't uninstall OpenSSH via Installer.
The iPhone automatically connects to known networks, and since most OpenSSH installations have the default password this leaves a possible attack scenario.
-
[Accessing iPhones with OpenSSH default password]
1) Using airodump we can see the Known Networks that the iPhone automatically connects to.
http://www.hakim.ws/iphonehack/1.jpg
2) Using the Evil Twin / Fake Access Point technique we can make the iPhone connect to us.
http://www.hakim.ws/iphonehack/2.jpg
3) With any sniffer, or from the router's interface, we can find its IP.
http://www.hakim.ws/iphonehack/3.jpg
4) We connect with any SSH client and use the default account root:alpine
http://www.hakim.ws/iphonehack/4.jpg
Some interesting files:
Photos: /private/var/mobile/Media/DCIM/100APPLE
See some emails: cat /private/var/mobile/Library/Mail/Envelope\ Index
Plaintext Notes: cat /private/var/mobile/Library/Notes/notes.db
Apollo's plaintext IM passwords: cat /private/var/mobile/Library/Preferences/*MSN.plist
hosts file: /private/var/mobile/Library/Preferences/hosts
SMS: /private/var/mobile/Library/SMS
Contacts: /private/var/mobile/Library/AddressBook
Limitations of the attack:
- You must have the default password,
- You must have preferred/known networks and they must be open auth,
- When the phone is autolocked WiFi is off, so there is little time for the script to work xD
-
[Changing the default password]
You can use one of the following methods; the first one worked for me:
[crypt(3) and vi /etc/master.passwd]
Go to http://javascript.internet.com/passwords/unix-crypt(3)-encryption.html
Type your password, then click "Encrypt password" and use the salt "/s".
Edit /etc/master.passwd with vi to change the password.
[SSH-pass.app]
Run http://winandmac.com/files/SSH-pass.zip and then you can change the password.
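Added example (not from hkm's post): a small Python helper for the master.passwd step above. It assumes the hash has already been produced as described (traditional crypt(3) output, 13 characters, salt "/s"), refuses anything that does not look like one so a bad paste cannot lock root out, rewrites only the password field of one account, and reports which accounts still carry a known hash. The file contents and hashes below are constructed samples, not real device data.

```python
import re

# Traditional crypt(3) output: 2-char salt + 11-char hash, all from this alphabet.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# BSD master.passwd has 10 colon-separated fields per account line.
FIELDS = ("name", "passwd", "uid", "gid", "class", "change",
          "expire", "gecos", "home", "shell")

# Constructed sample file; the hashes are placeholders of the right shape, not real ones.
SAMPLE = """\
# constructed sample, not a real device file
root:/sAbCdEfGhIjK:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/sAbCdEfGhIjK:501:501::0:0:Mobile User:/var/mobile:/bin/sh
"""


def parse_master_passwd(text):
    """Return one dict per account line; blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed master.passwd line: %r" % line)
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def set_password_hash(text, user, new_hash):
    """Rewrite only the password field of `user`; every other line and field is kept as-is."""
    if not CRYPT_RE.match(new_hash):
        raise ValueError("not a 13-char crypt(3) hash; refusing to write it")
    out, found = [], False
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == len(FIELDS) and parts[0] == user:
            parts[1] = new_hash
            found = True
        out.append(":".join(parts))
    if not found:
        raise KeyError(user)
    return "\n".join(out) + "\n"


def accounts_using_hash(text, known_hash):
    """Names of accounts whose password field still equals a known (e.g. default) hash."""
    return [e["name"] for e in parse_master_passwd(text) if e["passwd"] == known_hash]
```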