mirror of
https://github.com/stulle123/kakaotalk_analysis.git
synced 2025-05-07 12:06:09 +00:00
Add more recon infos
This commit is contained in:
parent
c6056f0ff7
commit
b6236d8666
|
@ -49,6 +49,7 @@ Install required tools:
|
||||||
- Get [Burp Suite](https://portswigger.net/burp/communitydownload)
|
- Get [Burp Suite](https://portswigger.net/burp/communitydownload)
|
||||||
- `$ brew install apktool nuclei radare2 sqlite db-browser-for-sqlite`
|
- `$ brew install apktool nuclei radare2 sqlite db-browser-for-sqlite`
|
||||||
- `$ pip3 install --upgrade frida-tools objection`
|
- `$ pip3 install --upgrade frida-tools objection`
|
||||||
|
- Install [Kakaotalk for Windows](https://app-pc.kakaocdn.net/talk/win32/KakaoTalk_Setup.exe) via [wine and brew](https://wiki.winehq.org/MacOS)
|
||||||
|
|
||||||
### SSH
|
### SSH
|
||||||
|
|
||||||
|
|
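Review bot: the new `Install [Kakaotalk for Windows]` item is the only entry in this list without a command, while the neighbouring items give the exact `$ brew install ...` and `$ pip3 install ...` lines. Give the wine setup the same form (the brew command that was used to install wine and the `wine KakaoTalk_Setup.exe` invocation) so the environment is reproducible, and since the installer is fetched as a bare `.exe` from `app-pc.kakaocdn.net` with no version in the URL, record the version or a hash of the file that was actually analysed so later readers can tell whether they have the same build.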
40
RECON.md
40
RECON.md
|
@ -17,7 +17,15 @@
|
||||||
- [Malicious App](#malicious-third-party-app)
|
- [Malicious App](#malicious-third-party-app)
|
||||||
- [Operator-side Attacks](#operator-side-attacks)
|
- [Operator-side Attacks](#operator-side-attacks)
|
||||||
|
|
||||||
## General infos
|
## Related Work
|
||||||
|
|
||||||
|
- [Kakaotalk Messaging Architecture](https://kth.diva-portal.org/smash/get/diva2:1046438/FULLTEXT01.pdf#page=75)
|
||||||
|
- [User Registration and Login](https://kth.diva-portal.org/smash/get/diva2:1046438/FULLTEXT01.pdf#page=79)
|
||||||
|
- [LOCO protocol](https://kth.diva-portal.org/smash/get/diva2:1046438/FULLTEXT01.pdf#page=77)
|
||||||
|
- [Protocol flaws](https://kth.diva-portal.org/smash/get/diva2:1046438/FULLTEXT01.pdf#page=100)
|
||||||
|
- [App security flaws](https://kth.diva-portal.org/smash/get/diva2:1046438/FULLTEXT01.pdf#page=105)
|
||||||
|
|
||||||
|
## General App Infos
|
||||||
|
|
||||||
```
|
```
|
||||||
Package name: com.kakao.talk
|
Package name: com.kakao.talk
|
||||||
|
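Review bot: renaming `## General infos` to `## Related Work` changes the heading's anchor, so any table-of-contents entry that pointed at `#general-infos` (the file keeps such a link list at the top, e.g. `[Malicious App](#malicious-third-party-app)`) is now stale, and the two new sections `## Related Work` and `## General App Infos` need entries there as well. The five links under Related Work all go to the same KTH diva-portal PDF with `#page=` fragments; give the thesis title and year once above the list, because `#page=` only works in some PDF viewers and the bare URLs do not tell the reader what document is being cited.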
@ -81,6 +89,8 @@ voiceMode.xml
|
||||||
zzng.xml
|
zzng.xml
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Some values (e.g., OAuth tokens) in the Shared Preferences are encrypted with a static key which is derived from a hard-coded passphrase (can be found in class `SimpleCipher`).
|
||||||
|
|
||||||
**TO-DO**: Check Shared Prefs for sensitive information.
|
**TO-DO**: Check Shared Prefs for sensitive information.
|
||||||
|
|
||||||
Trace Shared Prefs usage with this [Frida script](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/blob/master/Android/shared_preferences_monitor.js). See [example trace](./recon/frida_trace_shared_prefs.log).
|
Trace Shared Prefs usage with this [Frida script](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/blob/master/Android/shared_preferences_monitor.js). See [example trace](./recon/frida_trace_shared_prefs.log).
|
||||||
|
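Review bot: the added sentence about Shared Preferences values being encrypted with a static key derived from a hard-coded passphrase is the main finding in this hunk and should be more precise: name the `SimpleCipher` method that derives the key and the cipher/mode it uses, and say whether the passphrase is the one quoted later for WebView cookies (`KaKAOtalkForever`) or a different one. It is also worth stating the consequence for the threat model: a key that anyone with the APK can recover protects the stored OAuth tokens only as far as the file permissions on the prefs XML already do, so it adds nothing against anyone who can read that file (root, a device backup, a file-disclosure bug in the app). The `**TO-DO**: Check Shared Prefs for sensitive information` item directly below is now partly answered and should be updated to say what remains to be checked.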
@ -104,9 +114,9 @@ One can decrypt the contents of `KakaoTalk.db` and `KakaoTalk2.db` with this [sc
|
||||||
|
|
||||||
## Rest APIs
|
## Rest APIs
|
||||||
|
|
||||||
Java interfaces with interesting Rest APIs (interface names generated by `jadx`):
|
Most endpoints are HTTPS protected. Certs in the `assets/sdk` folder are used for certification pinning (see class `com.kakao.i.http.g.b`).
|
||||||
|
|
||||||
**TO-DO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
|
Java interfaces with interesting Rest APIs (interface names generated by `jadx`): **TO-DO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
|
||||||
|
|
||||||
Interesting classes:
|
Interesting classes:
|
||||||
```
|
```
|
||||||
|
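Review bot: `Most endpoints are HTTPS protected` leaves the interesting part implicit; list (or link the grep/nuclei output for) the endpoints that are plain HTTP, since those are the ones a network attacker can read or tamper with. `certification pinning` should read `certificate pinning`, and `com.kakao.i.http.g.b` is an obfuscated, build-specific class name, so note the app version it was taken from next to it (the same applies to `xm.a` and `vm.q` elsewhere in the file). Merging `Java interfaces with interesting Rest APIs (...):` with the `**TO-DO**` onto one line leaves the colon pointing at the TO-DO rather than at the `Interesting classes:` block that follows; keep the TO-DO on its own line as it was.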
@ -125,8 +135,12 @@ e31.ReAuthService
|
||||||
p360hh.AuthApi
|
p360hh.AuthApi
|
||||||
```
|
```
|
||||||
|
|
||||||
|
There are [Google API Keys](./recon/nuclei_keys_results.txt) which allow access to the Google Maps API. Unauthorized access might cost the company some money.
|
||||||
|
|
||||||
## WebViews
|
## WebViews
|
||||||
|
|
||||||
|
Cookies are encrypted with the hard-coded passphrase `KaKAOtalkForever`.
|
||||||
|
|
||||||
**TO-DO**: Check for interesting [WebViews](./recon/nuclei_android_results.txt).
|
**TO-DO**: Check for interesting [WebViews](./recon/nuclei_android_results.txt).
|
||||||
|
|
||||||
## Intents
|
## Intents
|
||||||
|
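Review bot: the Google API key item links `./recon/nuclei_keys_results.txt`; if that file contains the live key values they should be redacted before this lands in a public mirror, and the impact sentence (`might cost the company some money`) should be replaced by what was actually checked, namely whether the keys carry application restrictions (Android package name plus signing certificate, or HTTP referrer) and API restrictions, because an unrestricted Maps key can be used by anyone while a properly restricted one cannot. In the WebViews part of the hunk, `Cookies are encrypted with the hard-coded passphrase KaKAOtalkForever` should say which cookie store is meant (the WebView `CookieManager` or an app-level cookie jar), which class performs the encryption, and whether this is the same `SimpleCipher` passphrase referred to under Shared Preferences.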
@ -319,6 +333,8 @@ Version: 3
|
||||||
|
|
||||||
### E2E
|
### E2E
|
||||||
|
|
||||||
|
E2E is opt-in only. Most people probably don’t use Secret Chat since `In a secret chatrooom, features including free calling, polls, events and chatroom album are currently not available`.
|
||||||
|
|
||||||
Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper ` class.
|
Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper ` class.
|
||||||
|
|
||||||
## Possible Attack Vectors
|
## Possible Attack Vectors
|
||||||
|
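Review bot: the added E2E sentence quotes the app's Secret Chat notice in backticks, which elsewhere in this file mark code identifiers; put it in quotation marks and say where it comes from (in-app dialog or help page), and either fix `chatrooom` or mark it `[sic]` if the typo is verbatim. `Most people probably don't use Secret Chat` is a guess; state the consequence that matters for the analysis instead, i.e. the default chat mode has no E2E and the attack surface listed under Possible Attack Vectors applies to every non-Secret chat. The `LocoCipherHelper ` reference in the unchanged context has a trailing space inside the backticks, which renders as a different identifier; worth fixing while this section is being edited.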
@ -326,11 +342,12 @@ Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper
|
||||||
### Registration and Login
|
### Registration and Login
|
||||||
|
|
||||||
- Register an attacker's device to the victim's KakaoTalk account
|
- Register an attacker's device to the victim's KakaoTalk account
|
||||||
- Get victims account credentials (e.g., via a data dump on breached.vc)
|
- Get victims account credentials email/pw (e.g., via a data dump on breached.vc)
|
||||||
- Brute-force 4-digit pin
|
- Brute-force 4-digit pin
|
||||||
- During registration a pincode is sent via SMS (intercept with SS7 access)
|
- Intercept SMS during registration to get the pincode (e.g., via SS7 access)
|
||||||
- Register an attacker's device via flaws in the LOCO protocol (`CHECKIN` and `LOGINLIST` commands)
|
- Register an attacker's device via flaws in the LOCO protocol (`CHECKIN` and `LOGINLIST` commands?)
|
||||||
- Check out insecure REST API endpoints
|
- Check out insecure REST API endpoints for authorization flaws
|
||||||
|
- Code injection into insecure REST API endpoints
|
||||||
- QR Code login (`xm.a` and `vm.q` Java classes)
|
- QR Code login (`xm.a` and `vm.q` Java classes)
|
||||||
- `/talk/account/qrCodeLogin/info.json?id=eyJwcm90b2NvbCI6InYxIiwiY2hhbGxlbmdlIjoiNlB6MFMzdkRQMmlFUTZoRXh5YW5mWGtOelNHU0RRIn0=`
|
- `/talk/account/qrCodeLogin/info.json?id=eyJwcm90b2NvbCI6InYxIiwiY2hhbGxlbmdlIjoiNlB6MFMzdkRQMmlFUTZoRXh5YW5mWGtOelNHU0RRIn0=`
|
||||||
- `{"protocol":"v1","challenge":"6Pz0S3vDP2iEQ6hExyanfXkNzSGSDQ"}`
|
- `{"protocol":"v1","challenge":"6Pz0S3vDP2iEQ6hExyanfXkNzSGSDQ"}`
|
||||||
|
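Review bot: the `?` appended to `(CHECKIN and LOGINLIST commands?)` signals doubt without saying what is unverified; state it, for example whether those commands are reachable without an existing valid session, which is what a device-registration attack would require. The new `Code injection into insecure REST API endpoints` item overlaps with the `sqlmap -r` TO-DO in the Rest APIs section and with the preceding `authorization flaws` item; either merge them or name the injection class that is meant. The credentials item now reads `victims account credentials email/pw`; it should be `victim's`, with `(email/password)` in parentheses. The QR-login entries below carry a base64 `id` that decodes to the `{"protocol":"v1","challenge":...}` JSON shown; since that challenge was captured from a real session, note whether it is single-use or time-limited so readers know it is safe to keep in public notes.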
@ -357,20 +374,25 @@ Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper
|
||||||
- [Owncloud CFB malleability bug](https://blog.hboeck.de/archives/880-Pwncloud-bad-crypto-in-the-Owncloud-encryption-module.html)
|
- [Owncloud CFB malleability bug](https://blog.hboeck.de/archives/880-Pwncloud-bad-crypto-in-the-Owncloud-encryption-module.html)
|
||||||
- Use the `LOGINLIST` command with `chatDatas`, `attachment` or `code` JSON fields to run code on the client app?
|
- Use the `LOGINLIST` command with `chatDatas`, `attachment` or `code` JSON fields to run code on the client app?
|
||||||
- Replay messages
|
- Replay messages
|
||||||
- Drop messages (maybe there's a way to fallback to unencrypted comms?)
|
- Drop messages
|
||||||
- Sniff plaintext LOCO packets (`CHECKIN` packet)
|
- Sniff plaintext LOCO packets (`CHECKIN` packet)
|
||||||
|
- Downgrade attacks (maybe there's a way to fallback to unencrypted comms?)
|
||||||
|
|
||||||
### Message Parsing ("Zero Click")
|
### Message Parsing ("Zero Click")
|
||||||
|
|
||||||
|
- **TODO**: Build Kakaotalk Python app
|
||||||
- Send a chat message to a victim to retrieve the E2E encryption key -> code injection
|
- Send a chat message to a victim to retrieve the E2E encryption key -> code injection
|
||||||
- URL rendering
|
- URL rendering
|
||||||
- Calendar invite rendering
|
- Calendar invite rendering
|
||||||
- Emojis
|
- Emojis
|
||||||
|
- Button rendering
|
||||||
|
- Intents
|
||||||
|
|
||||||
### Malicious third-party app
|
### Malicious third-party app
|
||||||
|
|
||||||
- Install a malcious app on the victim's device to retrieve the E2E key via IPC
|
- Install a malcious app on the victim's device to retrieve the E2E key via IPC
|
||||||
- Send malicious intents (code injection)
|
- Send malicious intents (code injection)
|
||||||
|
- Spoof the Kakaotalk app
|
||||||
|
|
||||||
### Operator-side Attacks
|
### Operator-side Attacks
|
||||||
|
|
||||||
|
|
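Review bot: `**TODO**: Build Kakaotalk Python app` sits under `### Message Parsing ("Zero Click")` but is tooling work rather than an attack vector, and the rest of the file spells the marker `**TO-DO**`; move it to a tooling list and use the same spelling. `- Button rendering` and `- Intents` under Message Parsing are single words where the neighbouring items at least name a mechanism, and `Intents` now appears three times in the file (here, as `Send malicious intents` under Malicious third-party app, and as the `## Intents` section), so say what distinguishes the zero-click case (intents fired while rendering an incoming message payload, versus intents sent by a co-installed app). `- Spoof the Kakaotalk app` is likewise underspecified: reusing the package name to intercept its intents, a look-alike app for phishing, and impersonating the client towards the LOCO server are different attacks with different mitigations. Splitting `Drop messages (maybe there's a way to fallback to unencrypted comms?)` into `Drop messages` plus a separate `Downgrade attacks` item is a good change.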