Add more recon infos

README.md

@@ -49,6 +49,7 @@ Install required tools:
 - Get [Burp Suite](https://portswigger.net/burp/communitydownload)
 - `$ brew install apktool nuclei radare2 sqlite db-browser-for-sqlite`
 - `$ pip3 install --upgrade frida-tools objection`
+- Install [Kakaotalk for Windows](https://app-pc.kakaocdn.net/talk/win32/KakaoTalk_Setup.exe) via [wine and brew](https://wiki.winehq.org/MacOS)
 
 ### SSH
 

RECON.md

@@ -17,7 +17,15 @@
   - [Malicious App](#malicious-third-party-app)
   - [Operator-side Attacks](#operator-side-attacks)
 
-## General infos
+## Related Work
+
+- [Kakaotalk Messaging Architecture](https://kth.diva-portal.org/smash/get/diva2:1046438/FULLTEXT01.pdf#page=75)
+- [User Registration and Login](https://kth.diva-portal.org/smash/get/diva2:1046438/FULLTEXT01.pdf#page=79)
+- [LOCO protocol](https://kth.diva-portal.org/smash/get/diva2:1046438/FULLTEXT01.pdf#page=77)
+- [Protocol flaws](https://kth.diva-portal.org/smash/get/diva2:1046438/FULLTEXT01.pdf#page=100)
+- [App security flaws](https://kth.diva-portal.org/smash/get/diva2:1046438/FULLTEXT01.pdf#page=105)
+
+## General App Infos
 
 ```
 Package name: com.kakao.talk
@@ -81,6 +89,8 @@ voiceMode.xml
 zzng.xml
 ```
 
+Some values (e.g., OAuth tokens) in the Shared Preferences are encrypted with a static key which is derived from a hard-coded passphrase (can be found in class `SimpleCipher`).
+
 **TO-DO**: Check Shared Prefs for sensitive information.
 
 Trace Shared Prefs usage with this [Frida script](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/blob/master/Android/shared_preferences_monitor.js). See [example trace](./recon/frida_trace_shared_prefs.log).
@@ -104,9 +114,9 @@ One can decrypt the contents of `KakaoTalk.db` and `KakaoTalk2.db` with this [sc
 
 ## Rest APIs
 
-Java interfaces with interesting Rest APIs (interface names generated by `jadx`):
+Most endpoints are HTTPS protected. Certs in the `assets/sdk` folder are used for certification pinning (see class `com.kakao.i.http.g.b`). 
 
-**TO-DO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
+Java interfaces with interesting Rest APIs (interface names generated by `jadx`): **TO-DO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
 
 Interesting classes:
 ```
@@ -125,8 +135,12 @@ e31.ReAuthService
 p360hh.AuthApi
 ```
 
+There are [Google API Keys](./recon/nuclei_keys_results.txt) which allow access to the Google Maps API. Unauthorized access might cost the company some money.
+
 ## WebViews
 
+Cookies are encrypted with the hard-coded passphrase `KaKAOtalkForever`.
+
 **TO-DO**: Check for interesting [WebViews](./recon/nuclei_android_results.txt).
 
 ## Intents
@@ -319,6 +333,8 @@ Version: 3
 
 ### E2E
 
+E2E is opt-in only. Most people probably don’t use Secret Chat since `In a secret chatrooom, features including free calling, polls, events and chatroom album are currently not available`.
+
 Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper ` class.
 
 ## Possible Attack Vectors
@@ -326,11 +342,12 @@ Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper
 ### Registration and Login
 
 - Register an attacker's device to the victim's KakaoTalk account
-    - Get victims account credentials (e.g., via a data dump on breached.vc)
+    - Get victims account credentials email/pw (e.g., via a data dump on breached.vc)
     - Brute-force 4-digit pin
-- During registration a pincode is sent via SMS (intercept with SS7 access)
-- Register an attacker's device via flaws in the LOCO protocol (`CHECKIN` and `LOGINLIST` commands)
-- Check out insecure REST API endpoints
+- Intercept SMS during registration to get the pincode (e.g., via SS7 access)
+- Register an attacker's device via flaws in the LOCO protocol (`CHECKIN` and `LOGINLIST` commands?)
+- Check out insecure REST API endpoints for authorization flaws
+- Code injection into insecure REST API endpoints
 - QR Code login (`xm.a` and `vm.q` Java classes)
 	- `/talk/account/qrCodeLogin/info.json?id=eyJwcm90b2NvbCI6InYxIiwiY2hhbGxlbmdlIjoiNlB6MFMzdkRQMmlFUTZoRXh5YW5mWGtOelNHU0RRIn0=`
 	- `{"protocol":"v1","challenge":"6Pz0S3vDP2iEQ6hExyanfXkNzSGSDQ"}`
@@ -357,20 +374,25 @@ Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper
   - [Owncloud CFB malleability bug](https://blog.hboeck.de/archives/880-Pwncloud-bad-crypto-in-the-Owncloud-encryption-module.html)
   - Use the `LOGINLIST` command with `chatDatas`, `attachment` or `code` JSON fields to run code on the client app?
 - Replay messages
-- Drop messages (maybe there's a way to fallback to unencrypted comms?)
+- Drop messages
 - Sniff plaintext LOCO packets (`CHECKIN` packet)
+- Downgrade attacks (maybe there's a way to fallback to unencrypted comms?)
 
 ### Message Parsing ("Zero Click")
 
+- **TODO**: Build Kakaotalk Python app
 - Send a chat message to a victim to retrieve the E2E encryption key -> code injection
   - URL rendering
   - Calendar invite rendering
   - Emojis
+  - Button rendering
+  - Intents
 
 ### Malicious third-party app
 
 - Install a malcious app on the victim's device to retrieve the E2E key via IPC
-- Send malicious intents (code injection)
+  - Send malicious intents (code injection)
+  - Spoof the Kakaotalk app
 
 ### Operator-side Attacks