Advanced

This page will explain the different features of the Advanced tab.

Lab Workstation’s Advanced tab is the only tab that performs no automated testing. The Advanced tab lets the analyst dive deeper into an assessment by providing additional shells, including the arsenal of tools in the Santoku Linux distribution, while keeping the reporting capabilities included in Lab Workstation. Maybe your team uses Nmap to perform some baseline server tests on its endpoints and wants to include the results in your report, or maybe you want to use Androguard to confirm some information about your app. The Advanced tab has these capabilities.

Under the Advanced tab, the user has the option to launch a Linux shell, a remote ADB shell (Android) or Cycript shell (iOS) in order to run additional code analysis on the application. You can also run an additional Network Capture in the Advanced tab.

If any items of interest are displayed within the shell, select the specific text, click Copy, and then click Output using the buttons at the top of the window to create an Output in your project.

Any output created under the “Shell” tab will be placed within the “Code” folder in the workspace on the left.

Linux Shell

Our Linux Shell gives you access to an Ubuntu terminal session. When you first open the Linux Shell, you’re dropped into a directory that contains all the artifacts previously generated during your testing. This is useful if you’ve written scripts that need a pcap or other previously generated artifact. We give you free rein over what you do in the Linux Shell. We only ask that if there’s something you wish could be done in Workstation, let us know. We look forward to adding new features that matter to our users.

Workstation allows you to quickly run any Linux command or command-line application on the Santoku operating system by using the Linux Shell.

The shell will automatically start in the assessment directory where all of the Workstation artifacts for that specific assessment are stored.

Device Console Shell

Depending on the platform tested, the user has the option to launch a remote adb shell (Android) or Cycript shell (iOS) in order to run additional code analysis on the application.

Make sure the application you are testing is running in the foreground on your iOS device before launching the Cycript shell.

Did you know? On iOS, you have access to a Cycript shell by default. But if you press Ctrl + D inside that shell, you also get full access to your iPhone’s filesystem.

Cycript Shell

Our iOS Advanced tab replaces the ADB Shell and Androguard Shell with a Cycript Shell. Cycript allows you to hook into running processes and obtain more information about your app during runtime. We include some basic functions to get you started.

Keep in mind that, depending on how the app was developed, some of these functions may not work. This could be an indication that the app performs certain actions differently, or has protections built in to prevent these hooks from being performed.

appDelegate

The Application Delegate is an object that receives notifications when the UIApplication object reaches certain states. The appDelegate function stores a reference to your app’s AppDelegate for later use.

rootViewControllerUI

The root view controller provides the content view of the window. The rootViewControllerUI function stores a reference to the root UIViewController for later use.

printIvars

printIvars returns the instance variables of the object you pass it.

printMethods

printMethods prints the methods of the class you enter.

subviews

subviews shows you the subviews of the view you’ve selected.

TouchID Bypass

Our TouchID Bypass function attempts to bypass TouchID authentication in apps that use the LocalAuthentication framework.

Cycript Resources

Here are some helpful resources to help you expand your knowledge of Cycript.

ADB Shell

For those working on an Android assessment, the Android Debug Bridge (adb) Shell gives you full access to the Android shell on your device. From here you can run shell commands directly on the device. One common use case is determining whether an app is storing data on the SD card: run the adb shell command, then cd /sdcard, and you can navigate the directory. When you’ve found something interesting, highlight it and click Output to generate an Output to include in the final report. Additional notes and details can be attached to each Output generated.

Androguard Shell

Our Androguard shell gives you access to one of the leading static analysis tools for Android apps. Using Androguard, you can reverse engineer your APK and learn more about how your app works internally. Starting out in Androguard can be daunting, so we’ve added some pre-built functions to get you started.

Analyze APK

This is the first function you should run on your app, before any of the other pre-built functions. When you select it, Workstation automatically picks the APK pulled during static analysis and does some basic initial setup for the functions that follow. Be aware that there is no immediate feedback that the process is running. When it completes (after several minutes), you’ll see the step number increment from 1 to 2.

Strings

The Strings function returns all the strings found in the app. The output from this function can be very large.

APK Details

The APK Details function gives you a roadmap of what your app does: the files stored in the app, its permissions, its activities, and other information to help your analysis.

APK Package

APK Package returns the app’s package name.

APK Files

APK Files returns the list of files stored in the APK.

Files crc32

Files crc32 returns the list of files stored in the APK along with their cyclic redundancy check (CRC32) checksums.
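As an added example (not Workstation’s or Androguard’s own code), the Python below uses only the standard library to produce what the APK Files and Files crc32 functions report: the entries in an APK and the CRC32 recorded for each. An APK is an ordinary ZIP archive, so the checksums come straight from its central directory. The example then goes one step further than the page’s functions and re-reads every entry, so an entry whose stored checksum no longer matches its content is flagged. The APK is a constructed in-memory ZIP, and the tamper() helper edits one stored entry to show what such a mismatch looks like.

```python
import io
import zipfile
import zlib
from typing import Dict, List

# Constructed sample entries (not from a real app). ZIP_STORED keeps the content
# uncompressed so tamper() below can edit it in place.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.demo'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "lib/arm64-v8a/libnative.so": b"\x7fELF" + b"\x00" * 16,
    "assets/config.json": b'{"debug": false}',
}


def build_sample_apk() -> bytes:
    """Build the constructed APK-shaped ZIP in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in SAMPLE_ENTRIES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def apk_files(apk_bytes: bytes) -> List[str]:
    """List the files stored in the APK (what the APK Files function shows)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [info.filename for info in zf.infolist() if not info.is_dir()]


def files_crc32(apk_bytes: bytes) -> Dict[str, int]:
    """Map each file to the CRC32 recorded in the ZIP central directory
    (what the Files crc32 function shows)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: info.CRC for info in zf.infolist() if not info.is_dir()}


def expected_crc32(data: bytes) -> int:
    """CRC32 of raw content, for comparing against the value stored in the archive."""
    return zlib.crc32(data)


def verify_crc32(apk_bytes: bytes) -> Dict[str, bool]:
    """Re-read every entry. zipfile recomputes the CRC32 while reading and raises
    BadZipFile when it differs from the stored value, so False marks an entry
    whose content and recorded checksum disagree."""
    result: Dict[str, bool] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                zf.read(info.filename)
                result[info.filename] = True
            except zipfile.BadZipFile:
                result[info.filename] = False
    return result


def tamper(apk_bytes: bytes) -> bytes:
    """Constructed for the demo: change the stored config content in place without
    updating its checksum, the way an edited-but-unrepacked archive would look."""
    original = b'{"debug": false}'
    patched = b'{"debug": true} '  # same length, so the ZIP offsets stay valid
    assert len(original) == len(patched) and apk_bytes.count(original) == 1
    return apk_bytes.replace(original, patched)


if __name__ == "__main__":
    apk = build_sample_apk()
    for name, crc in files_crc32(apk).items():
        print(f"{crc:08x}  {name}")
    print("intact:", verify_crc32(apk))
    print("tampered:", verify_crc32(tamper(apk)))
```

The check in verify_crc32() is the practical use of these checksums: a stored CRC32 that disagrees with the entry’s content means the archive was modified after it was written, which is worth an Output in the report even before looking at what changed.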

Target SDK

Target SDK returns the Android SDK (API) level the app was built to target.

Permissions

Permissions returns the list of permissions requested by the app.
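The APK Package, Target SDK and Permissions functions above all read the app manifest. As an added example (not Workstation’s or Androguard’s own code), the Python below pulls the same three facts from a decoded, plain-text AndroidManifest.xml of the kind apktool or aapt2 emit; the manifest inside an APK is a binary XML that Androguard decodes for you, and that decoding is assumed here rather than implemented. It also adds the two checks a reviewer wants next to that list: which requested permissions are in Android’s dangerous protection level, and whether the target SDK is below 23, in which case those permissions are granted at install time rather than prompted for at runtime. The DANGEROUS set is a small subset chosen for the example, not a complete list, and the manifest is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spells namespaced attributes as {uri}name

# Constructed sample: a decoded AndroidManifest.xml, not from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="22"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
    <application android:label="Demo">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>
"""

# Subset (an assumption of this example) of permissions Android classes as
# "dangerous"; apps targeting API 23+ must request these at runtime.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_CALL_LOG",
}


def parse_manifest(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text.encode("utf-8"))


def package_name(root: ET.Element) -> Optional[str]:
    """The package attribute sits on <manifest> itself (what APK Package shows)."""
    return root.get("package")


def target_sdk(root: ET.Element) -> Optional[int]:
    """android:targetSdkVersion from <uses-sdk>, or None when absent (what Target SDK shows)."""
    sdk = root.find("uses-sdk")
    if sdk is None or sdk.get(A + "targetSdkVersion") is None:
        return None
    return int(sdk.get(A + "targetSdkVersion"))


def permissions(root: ET.Element) -> List[str]:
    """Requested permissions, including the SDK-23-only form (what Permissions shows)."""
    names: List[str] = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.findall(tag):
            name = el.get(A + "name")
            if name:
                names.append(name)
    return names


def activities(root: ET.Element) -> List[str]:
    return [el.get(A + "name", "") for el in root.findall("application/activity")]


def summarize(xml_text: str) -> Dict[str, object]:
    """Roll the manifest facts up with the two review checks."""
    root = parse_manifest(xml_text)
    perms = permissions(root)
    sdk = target_sdk(root)
    return {
        "package": package_name(root),
        "target_sdk": sdk,
        "permissions": perms,
        "dangerous": [p for p in perms if p in DANGEROUS],
        # Below API 23 the runtime permission model does not apply to this app.
        "runtime_permission_model": sdk is not None and sdk >= 23,
        "activities": activities(root),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```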

Permission Method Calls

Permission Method Calls returns the full list of methods that use those permissions.

Dynamic Code

Dynamic Code returns the list of methods that load code dynamically.

Native Methods

Native Methods will show the native methods used by the app.

Reflection Code

Reflection Code shows you the methods that use reflection.
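The Dynamic Code, Native Methods and Reflection Code functions all answer the same kind of question: which of the app’s methods call a particular set of platform APIs, or are declared native. As an added example (not Workstation’s or Androguard’s own code), the Python below does that over smali text of the kind baksmali or apktool produce, rather than over Androguard’s DEX analysis objects: it tracks the enclosing class and method, picks the callee out of each invoke instruction, and reports the calling method under the matching category. The SIGNATURES table is a small set of API calls chosen for the example and is not Androguard’s heuristic; the smali is constructed.

```python
import re
from typing import Dict, List, Set

# Constructed smali for one class (not from any real app), in the shape
# baksmali/apktool emit from classes.dex.
SAMPLE_SMALI = """\
.class public Lcom/example/demo/Loader;
.super Ljava/lang/Object;

.method public native nativeInit()V
.end method

.method public loadPlugin(Ljava/lang/String;)V
    .locals 4
    new-instance v0, Ldalvik/system/DexClassLoader;
    invoke-direct {v0, p1, v1, v2, v3}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
    return-void
.end method

.method public callHidden(Ljava/lang/String;)V
    .locals 2
    invoke-static {p1}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    move-result-object v0
    invoke-virtual {v0, v1, v1}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    return-void
.end method

.method public helper(Ljava/lang/String;)I
    .locals 1
    invoke-virtual {p1}, Ljava/lang/String;->length()I
    move-result v0
    return v0
.end method

.method static constructor <clinit>()V
    .locals 1
    const-string v0, "native"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    return-void
.end method
"""

# Matches "invoke-kind {regs}, Lpkg/Class;->method(" and captures class and method.
INVOKE_RE = re.compile(r"^invoke-[\w/]+\s+\{[^}]*\},\s*(L[\w/$]+;)->([\w<>$]+)\(")

# (callee class, callee method) pairs per category; a subset chosen for this example.
SIGNATURES = {
    "dynamic_code": {
        ("Ldalvik/system/DexClassLoader;", "<init>"),
        ("Ldalvik/system/PathClassLoader;", "<init>"),
        ("Ldalvik/system/InMemoryDexClassLoader;", "<init>"),
        ("Ldalvik/system/DexFile;", "loadDex"),
    },
    "reflection": {
        ("Ljava/lang/Class;", "forName"),
        ("Ljava/lang/Class;", "getDeclaredMethod"),
        ("Ljava/lang/Class;", "getMethod"),
        ("Ljava/lang/reflect/Method;", "invoke"),
    },
    "native_library_load": {
        ("Ljava/lang/System;", "loadLibrary"),
        ("Ljava/lang/System;", "load"),
        ("Ljava/lang/Runtime;", "loadLibrary"),
    },
}


def classify(smali_text: str) -> Dict[str, List[str]]:
    """Return {category: sorted ["Lclass;->method", ...]} for the methods that
    hit each signature set, plus the methods declared native."""
    found: Dict[str, Set[str]] = {name: set() for name in SIGNATURES}
    found["native_methods"] = set()
    current_class = current_method = None
    for raw in smali_text.splitlines():
        line = raw.strip()
        if line.startswith(".class "):
            current_class = line.split()[-1]          # last token is the descriptor
        elif line.startswith(".method "):
            parts = line.split()
            current_method = parts[-1].split("(")[0]  # name precedes the signature
            if "native" in parts[1:-1]:               # access flags sit between
                found["native_methods"].add(f"{current_class}->{current_method}")
        elif line.startswith(".end method"):
            current_method = None
        elif current_method is not None:
            m = INVOKE_RE.match(line)
            if m:
                callee = (m.group(1), m.group(2))
                for category, sigs in SIGNATURES.items():
                    if callee in sigs:
                        found[category].add(f"{current_class}->{current_method}")
    return {name: sorted(methods) for name, methods in found.items()}


if __name__ == "__main__":
    for category, methods in classify(SAMPLE_SMALI).items():
        print(f"{category}: {methods}")
```

A hit in any category is a lead, not a finding: an app that builds a DexClassLoader over a path it downloaded is a very different case from one that loads a bundled plugin, so each method reported here is a place to read the surrounding code and attach notes to the Output.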

Androguard Resources

Here are some helpful resources to help you expand your knowledge of Androguard.

Network Capture (PCAP)

The analyst can also start a packet capture from the “PCAP” tab at any time during the analysis, without returning to the Setup tab and repeating the data population process.

Upon completion of the PCAP capture in this tab, a “.pcap” file will be created within the “Network > Artifacts” folder in the workspace on the left.