diff --git a/README.md b/README.md index 8a8ab25..c2d40fd 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,14 @@ # Kakaotalk Analysis +- [Setup](#setup) + - [SSH](#ssh) + - [Setup Burp Suite](#configure-emulator-to-work-with-burp-suite) + - [Setup Frida](#setup-frida-to-disable-certificate-pinning) + - [Kakaotalk Login](#kakaotalk-account-setup) + - [Tools to try](#tools-to-play-with) +- [Misc Commands](#misc-commands) +- [Resources](#resources) + ## Setup Prepare your `~/.bashrc` or `~/.zshrc`: @@ -122,7 +131,7 @@ peterplan fMcz2Jtr ``` - In the KakaoTalk app, login with your email address: - - When prompted add your phone number + - When prompted add your phone number. You'll receive a SMS with a pin number. - **Optional**: you may have to send a SMS including a base64 string (e.g., `KakaoTalk HgAAABIwAGgAQGQAAAAAAjEABwAAADE1Mjc2MAAA`) to a KakaoTalk phone number (you won't receive any SMS response back). After that, you need to tap/click the `Check verification` button in the app and the registration process should be completed. image @@ -164,16 +173,9 @@ adb shell dumpsys package | grep -Eo $(printf "^[[:space:]]+[0-9a-f]+[[:space:]] adb shell am start -a android.settings.SETTINGS ``` -## Possible E2E Attack Vectors - -- Register an attacker's device to the victim's KakaoTalk account -- MITM the protocol on the wire -- Operator-side MITM (e.g., by changing public keys) -- Tamper with the ciphertext on the wire -> code injection -- Send a chat message to a victim to retrieve the E2E encryption key -> code injection -- Install a malcious app on the victim's device to retrieve the E2E key via IPC - ## Resources +Third-party Kakaotalk clients: + - https://github.com/KiwiTalk/KiwiTalk - https://github.com/jhleekr/kakao.py diff --git a/RECON.md b/RECON.md index 82c0c79..e626c85 100644 --- a/RECON.md +++ b/RECON.md 
@@ -9,6 +9,13 @@ - [Open-Source Libs](#open-source-libs) - [Crypto](#crypto) - [E2E](#e2e) +- [Possible Vectors](#possible-attack-vectors) + - [Registration and Login](#registration-and-login) + - [Cloud](#cloud) + - [LOCO Protocol Attackss](#loco-protocol-attacks) + - [Message Parsing](#message-parsing-zero-click) + - [Malicious App](#malicious-third-party-app) + - [Operator-side Attacks](#operator-side-attacks) ## General infos @@ -101,6 +108,7 @@ Java interfaces with interesting Rest APIs (interface names generated by `jadx`) **TO-DO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs. +Interesting classes: ``` com.kakao.p129i.appserver.AppApi com.kakao.talk.net.retrofit.BackupRestoreService 
@@ -312,3 +320,58 @@ Version: 3 ### E2E Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper ` class. + +## Possible Attack Vectors + +### Registration and Login + +- Register an attacker's device to the victim's KakaoTalk account + - Get victims account credentials (e.g., via a data dump on breached.vc) + - Brute-force 4-digit pin +- During registration a pincode is sent via SMS (intercept with SS7 access) +- Register an attacker's device via flaws in the LOCO protocol (`CHECKIN` and `LOGINLIST` commands) +- Check out insecure REST API endpoints +- QR Code login (`xm.a` and `vm.q` Java classes) + - `/talk/account/qrCodeLogin/info.json?id=eyJwcm90b2NvbCI6InYxIiwiY2hhbGxlbmdlIjoiNlB6MFMzdkRQMmlFUTZoRXh5YW5mWGtOelNHU0RRIn0=` + - `{"protocol":"v1","challenge":"6Pz0S3vDP2iEQ6hExyanfXkNzSGSDQ"}` + - `m.w.R1` method computes a MAC of the challenge + - The OAuth Refresh Token seems to be the MAC key + - How to obtain them? How are they generated? How long do they live? + - `ym.a` class builds the POST request + - API endpoints in interface `e31.j` + +### Cloud + +- Cloud back-up (weak password) + - Secret Chat messages won’t be stored +- Tamper with plaintext asset downloads via HTTP (parser attacks on the client possible?) + +### LOCO Protocol Attacks + +- Spoof victim (`CHECKIN` packet) + - Spoof victim’s device ID (**TODO**: How is it generated?) +- Spoof KakaoTalk server + - Send the attacker’s public key to the victim (maybe there’s a LOCO command for updating RSA public keys on the client?) + - MITM traffic +- Tamper messages (CFB malleability —> [Efail](https://jaads.de/Bachelorthesis/Bachelorthesis_Jan_Arends.pdf)) + - [Owncloud CFB malleability bug](https://blog.hboeck.de/archives/880-Pwncloud-bad-crypto-in-the-Owncloud-encryption-module.html) + - Use the `LOGINLIST` command with `chatDatas`, `attachment` or `code` JSON fields to run code on the client app? 
+- Replay messages +- Drop messages (maybe there's a way to fallback to unencrypted comms?) +- Sniff plaintext LOCO packets (`CHECKIN` packet) + +### Message Parsing ("Zero Click") + +- Send a chat message to a victim to retrieve the E2E encryption key -> code injection + - URL rendering + - Calendar invite rendering + - Emojis + +### Malicious third-party app + +- Install a malcious app on the victim's device to retrieve the E2E key via IPC +- Send malicious intents (code injection) + +### Operator-side Attacks + +- Operator-side MITM (e.g., by changing public keys) \ No newline at end of file
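Review bot: the new table of contents added at the top of README.md links to `#configure-emulator-to-work-with-burp-suite`, `#setup-frida-to-disable-certificate-pinning`, `#kakaotalk-account-setup` and `#tools-to-play-with`, none of which appear as headings in this diff; confirm each heading exists with exactly that slug (GitHub lowercases the heading text and replaces spaces with hyphens), otherwise the entries dead-end. The link text also diverges from the headings it targets ("Setup Burp Suite" for a heading that reads "Configure emulator to work with Burp Suite"), which makes the TOC harder to keep in sync; using the heading text verbatim avoids that drift.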
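Review bot: in the updated login step of README.md, `a SMS` should be `an SMS` both in the new sentence and in the unchanged `**Optional**` line below it, which this hunk could fix while the block is being touched; the bare word `image` that follows the list is residue of a removed image embed, so either restore the `![...](...)` markup or delete that line.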
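Review bot: the `## Possible E2E Attack Vectors` section is removed from README.md with no pointer to where its content moved; add a one-line reference to the `Possible Attack Vectors` section of RECON.md (under `## Resources` or in the new TOC) so README readers still find it. The new `Third-party Kakaotalk clients:` label above the link list reads well and is followed by the blank line the list needs.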
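Review bot: the RECON.md TOC entry text `LOCO Protocol Attackss` has a doubled `s`, and the top-level entry is labelled `Possible Vectors` while the heading it links to is `## Possible Attack Vectors`; use the heading text in both places. The `#message-parsing-zero-click` slug should resolve because GitHub drops the quotes and parentheses from `### Message Parsing ("Zero Click")`, but the `#malicious-third-party-app` and `#operator-side-attacks` slugs deserve the same check against their headings.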
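Review bot: `Interesting classes:` is inserted directly above the opening code fence with no blank line between them; several Markdown renderers require a blank line before a fenced block, so add one to keep the class list rendering as code.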
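Review bot: several items in the new `## Possible Attack Vectors` section are open questions or unverified assumptions rather than findings (`maybe there's a LOCO command for updating RSA public keys on the client?`, `parser attacks on the client possible?`, `maybe there's a way to fallback to unencrypted comms?`); tag each with the same `**TODO**` convention already used for the device ID item so a reader can tell hypotheses from confirmed behaviour. The QR code login item embeds what looks like a captured `id=` challenge value; if it came from a real session, replace it with a placeholder or state that it is expired, since a recon document should not carry live tokens. Typos in the hunk: `malcious` should read `malicious`, and `CFB malleability —> [Efail]` uses an em dash plus `>` where the rest of the file writes `->`; the unchanged context line above also has a trailing space inside `` `LocoCipherHelper ` ``. Finally, the file now ends with `\ No newline at end of file`; add a trailing newline.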