mirror of
https://github.com/stulle123/kakaotalk_analysis.git
synced 2024-10-04 15:12:31 +00:00
Update write-up
This commit is contained in:
stulle123
parent
eb549efe0b
commit
c6056f0ff7
22
README.md
22
README.md
|
|
@ -1,5 +1,14 @@
|
|||
# Kakaotalk Analysis
|
||||
|
||||
- [Setup](#setup)
|
||||
- [SSH](#ssh)
|
||||
- [Setup Burp Suite](#configure-emulator-to-work-with-burp-suite)
|
||||
- [Setup Frida](#setup-frida-to-disable-certificate-pinning)
|
||||
- [Kakaotalk Login](#kakaotalk-account-setup)
|
||||
- [Tools to try](#tools-to-play-with)
|
||||
- [Misc Commands](#misc-commands)
|
||||
- [Resources](#resources)
|
||||
|
||||
## Setup
|
||||
|
||||
Prepare your `~/.bashrc` or `~/.zshrc`:
|
||||
|
|
@ -122,7 +131,7 @@ peterplan
|
|||
fMcz2Jtr
|
||||
```
|
||||
- In the KakaoTalk app, login with your email address:
|
||||
- When prompted add your phone number
|
||||
- When prompted add your phone number. You'll receive a SMS with a pin number.
|
||||
- **Optional**: you may have to send a SMS including a base64 string (e.g., `KakaoTalk HgAAABIwAGgAQGQAAAAAAjEABwAAADE1Mjc2MAAA`) to a KakaoTalk phone number (you won't receive any SMS response back). After that, you need to tap/click the `Check verification` button in the app and the registration process should be completed.
|
||||
|
||||
<img width="318" alt="image" src="https://user-images.githubusercontent.com/14765446/233626988-8bf6be98-c855-4f29-99cb-77d2d44dcb60.png">
|
||||
|
|
@ -164,16 +173,9 @@ adb shell dumpsys package | grep -Eo $(printf "^[[:space:]]+[0-9a-f]+[[:space:]]
|
|||
adb shell am start -a android.settings.SETTINGS
|
||||
```
|
||||
|
||||
## Possible E2E Attack Vectors
|
||||
|
||||
- Register an attacker's device to the victim's KakaoTalk account
|
||||
- MITM the protocol on the wire
|
||||
- Operator-side MITM (e.g., by changing public keys)
|
||||
- Tamper with the ciphertext on the wire -> code injection
|
||||
- Send a chat message to a victim to retrieve the E2E encryption key -> code injection
|
||||
- Install a malcious app on the victim's device to retrieve the E2E key via IPC
|
||||
|
||||
## Resources
|
||||
|
||||
Third-party Kakaotalk clients:
|
||||
|
||||
- https://github.com/KiwiTalk/KiwiTalk
|
||||
- https://github.com/jhleekr/kakao.py
|
||||
|
|
|
|||
63
RECON.md
63
RECON.md
|
|
@ -9,6 +9,13 @@
|
|||
- [Open-Source Libs](#open-source-libs)
|
||||
- [Crypto](#crypto)
|
||||
- [E2E](#e2e)
|
||||
- [Possible Vectors](#possible-attack-vectors)
|
||||
- [Registration and Login](#registration-and-login)
|
||||
- [Cloud](#cloud)
|
||||
- [LOCO Protocol Attackss](#loco-protocol-attacks)
|
||||
- [Message Parsing](#message-parsing-zero-click)
|
||||
- [Malicious App](#malicious-third-party-app)
|
||||
- [Operator-side Attacks](#operator-side-attacks)
|
||||
|
||||
## General infos
|
||||
|
||||
|
|
@ -101,6 +108,7 @@ Java interfaces with interesting Rest APIs (interface names generated by `jadx`)
|
|||
|
||||
**TO-DO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
|
||||
|
||||
Interesting classes:
|
||||
```
|
||||
com.kakao.p129i.appserver.AppApi
|
||||
com.kakao.talk.net.retrofit.BackupRestoreService
|
||||
|
|
@ -312,3 +320,58 @@ Version: 3
|
|||
### E2E
|
||||
|
||||
Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper ` class.
|
||||
|
||||
## Possible Attack Vectors
|
||||
|
||||
### Registration and Login
|
||||
|
||||
- Register an attacker's device to the victim's KakaoTalk account
|
||||
- Get victims account credentials (e.g., via a data dump on breached.vc)
|
||||
- Brute-force 4-digit pin
|
||||
- During registration a pincode is sent via SMS (intercept with SS7 access)
|
||||
- Register an attacker's device via flaws in the LOCO protocol (`CHECKIN` and `LOGINLIST` commands)
|
||||
- Check out insecure REST API endpoints
|
||||
- QR Code login (`xm.a` and `vm.q` Java classes)
|
||||
- `/talk/account/qrCodeLogin/info.json?id=eyJwcm90b2NvbCI6InYxIiwiY2hhbGxlbmdlIjoiNlB6MFMzdkRQMmlFUTZoRXh5YW5mWGtOelNHU0RRIn0=`
|
||||
- `{"protocol":"v1","challenge":"6Pz0S3vDP2iEQ6hExyanfXkNzSGSDQ"}`
|
||||
- `m.w.R1` method computes a MAC of the challenge
|
||||
- The OAuth Refresh Token seems to be the MAC key
|
||||
- How to obtain them? How are they generated? How long do they live?
|
||||
- `ym.a` class builds the POST request
|
||||
- API endpoints in interface `e31.j`
|
||||
|
||||
### Cloud
|
||||
|
||||
- Cloud back-up (weak password)
|
||||
- Secret Chat messages won’t be stored
|
||||
- Tamper with plaintext asset downloads via HTTP (parser attacks on the client possible?)
|
||||
|
||||
### LOCO Protocol Attacks
|
||||
|
||||
- Spoof victim (`CHECKIN` packet)
|
||||
- Spoof victim’s device ID (**TODO**: How is it generated?)
|
||||
- Spoof KakaoTalk server
|
||||
- Send the attacker’s public key to the victim (maybe there’s a LOCO command for updating RSA public keys on the client?)
|
||||
- MITM traffic
|
||||
- Tamper messages (CFB malleability —> [Efail](https://jaads.de/Bachelorthesis/Bachelorthesis_Jan_Arends.pdf))
|
||||
- [Owncloud CFB malleability bug](https://blog.hboeck.de/archives/880-Pwncloud-bad-crypto-in-the-Owncloud-encryption-module.html)
|
||||
- Use the `LOGINLIST` command with `chatDatas`, `attachment` or `code` JSON fields to run code on the client app?
|
||||
- Replay messages
|
||||
- Drop messages (maybe there's a way to fallback to unencrypted comms?)
|
||||
- Sniff plaintext LOCO packets (`CHECKIN` packet)
|
||||
|
||||
### Message Parsing ("Zero Click")
|
||||
|
||||
- Send a chat message to a victim to retrieve the E2E encryption key -> code injection
|
||||
- URL rendering
|
||||
- Calendar invite rendering
|
||||
- Emojis
|
||||
|
||||
### Malicious third-party app
|
||||
|
||||
- Install a malcious app on the victim's device to retrieve the E2E key via IPC
|
||||
- Send malicious intents (code injection)
|
||||
|
||||
### Operator-side Attacks
|
||||
|
||||
- Operator-side MITM (e.g., by changing public keys)
|
||||
Loading…
Reference in New Issue
Block a user