This page will explain the different features of the Advanced tab.
NowSecure Workstation’s Advanced tab is the only tab that performs no automated testing. The Advanced tab allows the analyst to dive deeper into their assessments giving them access to additional shells, which includes the arsenal of tools included in the Santoku Linux distro, while giving them the reporting capabilities included in NowSecure Workstation. Maybe your team uses NMAP to perform some baseline server tests on their endpoints and want to include that in your report, or maybe you want to access Androguard to confirm some information about your app. The Advanced tab has these capabilities.
Under the Advanced tab, the user has the option to launch a Linux shell, a remote ADB shell (Android) or Cycript shell (iOS) in order to run additional code analysis on the application. You can also run an additional Network Capture in the Advanced tab.
If any items of interest are displayed within the shell, the user can select the specific text, then select Copy, and then Output using the buttons at the top of the window to then create an output in your project.
Any output created under the “Shell” tab will be placed within the “Code” folder in the workspace on the left.
Our Linux Shell gives you access to the Ubuntu terminal session. When you first access the Linux Shell, you’re dropped in a file directory that contains all the artifacts that were previously generated during your testing. This can be useful if you’ve created scripts that require the use of a pcap or other artifacts that were previously generated. We give you full reign over what you do in the Linux Shell. We only ask that if there’s something you’d wish could be done in Workstation, let us know. We look forward to adding new features important to our users.
Workstation allows you to quickly run any linux command and command-line applications on the Santoku Operating System by using the Linux Shell.
The shell will automatically start in the assessment directory where all of the Workstation artifacts for that specific assessment are stored.
Depending on the platform tested, the user has the option to launch a remote adb shell (Android) or Cycript shell (iOS) in order to run additional code analysis on the application.
Make sure the application you are testing is running in the foreground on your iOS device before launching the Cycript shell.
Did you know? On iOS, you have access to a Cycript shell by default. But if you press
D inside that shell, you will also have full access to your iPhone filesystem.
Cycript Shell does NOT currently support iOS 11+ devices.
Cycript Shell currently only supports iOS 9.x.x and iOS 10.x.x devices.
Our iOS Advanced tab replaces the ADB Shell and Androguard Shell with a Cycript Shell. Cycript allows you to hook into running processes and obtain more information about your app during runtime. We include some basic functions to get you started.
Keep in mind, depending on how the app was developed some of these functions may not work. This could be an indication that the app performs certain actions differently, or has protections built in to prevent these hooks from being perform.
The Application Delegate is an object which receives notifications when the UIApplication object reaches certain states. The appDelegate will store your AppDelegate location for future use.
The root view controller provides the content view of the window. rootViewControllerUI will store the location of the low level UIViewController for future use.
printIvars will return the instant variables associated with a variable
printMethods function will print methods from an entered class.
subviews function show you the subviews of a view you’ve selected.
Our TouchID Bypass function attempts to bypass TouchID authentication that leverages the LocalAuthentication framework in an app.
Here are some helpful resources to help you expand your knowledge of Cycript.
For those working on an Android assessment, the Android Debug Bridge (adb) Shell gives you full access to the Android shell on your Android device. From here you can run shell commands directly on your device. One common use case we see this being used for is to determine if an app is storing data on the SDCARD. Simply use the adb shell command, followed by the command cd /sdcard and you’ll be able to navigate the the directory. When you’ve found something interesting, simply highlight it and click Output to generate an Output to include in the final report. Additional notes and details can be included with each Output generated.
Our Androguard shells give you access to one of the leading Static Analysis tools for Android apps. Using Androguard, you can reverse engineer your APK and learn more about how your app works internally. While starting off in Androguard can be daunting, we’ve added some pre-built functions to get you started.
This function is the first function you’ll be wanting to run on your app and should be run before running any other of the pre-built functions. By selecting, we automatically select the APK pulled during the static analysis, and do some basic initial setup for your future function use. Be aware, there is no immediate feedback that the process is running. When it completes (several minutes), you’ll see the step number increment from 1 to 2.
The Strings functions returns all the strings found in the app. The output from this functions can be very large.
APK Details function is going to give you a roadmap of what your app does. You’ll see what files are stored in your app, permissions, activities, and other information to help your analysis.
APK Package will give you the package name.
APK Files gives us a list of files in store in the APK.
crc32 will give you the list of files stored in the APK along with their cyclic redundancy check (CRC) hashes.
Target SDK will return what Android SDK level was used to create the app.
Permissions will give us a list of permissions requested by the app.
Permission Methods Calls
Permission methods calls will give you the full list of methods calling those permissions.
Dynamic code gives us a list of methods that are loading code dynamically.
Native Methods will show the native methods used by the app.
Reflection code will you show you methods that are leveraging reflection.
Here are some helpful resources to help you expand your knowledge of Androguard.
The analyst is also able to initiate a packet capture using the “PCAP” tab at any time during the analysis without having to return to the Setup tab and repeat the data population process.
Upon completion of the PCAP capture in this tab, a “.pcap” file will be created within the “Network > Artifacts” folder in the workspace on the left.
Fsmon is an open source tool that you can use to monitor filesystem on mobile OS including iOS, OS X, Android, FirefoxOS and Linux. The tool retrieves file system events from a specific directory and shows them in colorful format or in JSON. It is possible to filter the events happening from a specific program name or process id (PID).
Some of the features are: