Need help with scrounger?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

nettitude
208 Stars 51 Forks BSD 3-Clause "New" or "Revised" License 54 Commits 2 Opened issues

Description

Mobile application testing toolkit

Services available

!
?

Need anything else?

Contributors list

Description

Scrounger - a person who borrows from or lives off others.

There is no better description for this tool for two main reasons, the first is because this tool takes inspiration from many other tools that have already been published, the second reason is because it lives off mobile application's vulnerabilities.

asciicast

Why

Even though several other mobile application analysis tools have been developed, there is no one tool that can be used for both android and ios and can be called a "standard" must use on every mobile application assessment.

The idea behind Scrounger is to make a metasploit-like tool that will not do a pentesters work but help the pentester on his assessment by executing mundane tasks that need to be performed on all assessments.

The Difference

The main features Scrounger offers that others don't:

  • Works with Android and iOS
  • Metasploit-like console and modules
  • Offers a variaty of modules that can be run to give the pentester a starting point
  • Easily extendable

Inspiration / Thanks

Scrounger was inspired by other tools, a huge thanks to the developers of:

Technical

As a disclaimer, all identified findings by Scrounger should always be manually double checked.

When using modules that need an Android or iOS device, Scrounger needs a Rooted or Jailbroken device respectively.

Scrounger has been tested to work on iOS 11 and Android 8.1.

Scrounger has been built for python 2.7 only.

Install

git clone https://github.com/nettitude/scrounger.git
cd scrounger
bash setup.sh
pip install -r requirements.txt
python setup.py install

Development

git pull https://github.com/nettitude/scrounger.git
cd scrounger
bash setup.sh
pip install -r requirements.txt
python setup.py develop

Update

cd scrounger
git pull
python setup.py install --upgrade

Required Binaries

For Android Modules

For iOS Modules

iOS Binaries

  • Bundled Binaries:
    • dumpbackupflag
    • dumpfileprotection
    • dump_keychain
    • dump_log
    • listapps
  • Cydia Karen's Repository (https://cydia.angelxwind.net) (Optional):
    • AppSync Unified (Package: net.angelxwind.appsyncunified)
    • appinst (Package: com.linusyang.appinst)
  • Cydia Shmoo419's Repository (https://shmoo419.github.io/) (Optional):
    • uncrypt11 (Package: com.shmoo.uncrypt11)
    • gdb (Package: gdb71050)
  • Cydia Ichitaso's Repository (http://cydia.ichitaso.com/) (Optional):
    • clutch (Package: com.kjcracks.clutch2)

Install Scripts

Linux

# install iproxy lsusb
sudo apt-get install libimobiledevice usbutils

install jd-cli

if [ ! -x "$(which jd-cli)" ]; then curl -L -o /tmp/jdcli.zip https://github.com/kwart/jd-cmd/releases/download/jd-cmd-0.9.2.Final/jd-cli-0.9.2-dist.zip unzip /tmp/jdcli.zip /usr/local/share/jd-cli ln -s /usr/local/share/jd-cli/jd-cli /usr/local/bin/jd-cli ln -s /usr/local/share/jd-cli/jd-cli.jar /usr/local/bin/jd-cli.jar rm -rf /tmp/jdcli.zip fi

install apktool

if [ ! -x "$(which apktool)" ]; then mkdir /usr/local/share/apktool curl -L -o /usr/local/share/apktool/apktool https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/osx/apktool curl -L -o /usr/local/share/apktool/apktool.jar https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.3.3.jar chmod +x /usr/local/share/apktool /usr/local/share/apktool/apktool.jar ln -s /usr/local/share/apktool /usr/local/bin/apktool ln -s /usr/local/share/apktool.jar /usr/local/bin/apktool.jar fi

install dex2jar

if [ ! -x "$(which d2j-dex2jar)" ]; then curl -L -o /tmp/d2j.zip https://github.com/pxb1988/dex2jar/files/1867564/dex-tools-2.1-SNAPSHOT.zip unzip /tmp/d2j.zip -d /tmp/d2j dirname=$(ls --color=none /tmp/d2j) mv /tmp/d2j/$dirname /usr/local/share/d2j-dex2jar ln -s /usr/local/share/d2j-dex2jar/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar.sh ln -s /usr/local/share/d2j-dex2jar/d2j-apk-sign.sh /usr/local/bin/d2j-apk-sign.sh rm -rf /tmp/d2j.zip fi

if [ ! -x "$(which d2j-dex2jar)" ]; then ln -s /usr/local/bin/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar fi

install adb

if [ ! -x "$(which adb)" ]; then curl -L -o /tmp/platform-tools.zip https://dl.google.com/android/repository/platform-tools-latest-linux.zip unzip /tmp/platform-tools.zip -d /tmp/pt mv /tmp/pt/platform-tools /usr/local/share/ ln -s /usr/local/share/platform-tools/adb /usr/local/bin/adb ln -s /usr/local/share/platform-tools/fastboot /usr/local/bin/fastboot fi

install ldid

if [ ! -x "$(which ldid)" ]; then git clone https://github.com/daeken/ldid.git /tmp/ldid cd /tmp/ldid ./make.sh mv ldid /usr/local/bin/ cd /tmp rm -rf /tmp/ldid fi

install jtool

if [ ! -x "$(which jtool)" ]; then curl -L -o /tmp/jtool.tar http://www.newosxbook.com/tools/jtool.tar mkdir /tmp/jtool tar xvf /tmp/jtool.tar -C /tmp/jtool mv /tmp/jtool/jtool.ELF64 /usr/local/bin/jtool rm -rf /tmp/jtool.tar /tmp/jtool fi

install scrounger

git clone [email protected]:nettitude/scrounger.git cd scrounger pip install -r requirements.txt python setup.py install

MacOS

# install iproxy ldid lsusb
brew tap jlhonora/lsusb && brew install lsusb libimobiledevice ldid

install jd-cli

if [ ! -x "$(which jd-cli)" ]; then curl -L -o /tmp/jdcli.zip https://github.com/kwart/jd-cmd/releases/download/jd-cmd-0.9.2.Final/jd-cli-0.9.2-dist.zip unzip /tmp/jdcli.zip /usr/local/share/jd-cli ln -s /usr/local/share/jd-cli/jd-cli /usr/local/bin/jd-cli ln -s /usr/local/share/jd-cli/jd-cli.jar /usr/local/bin/jd-cli.jar rm -rf /tmp/jdcli.zip fi

install apktool

if [ ! -x "$(which apktool)" ]; then mkdir /usr/local/share/apktool curl -L -o /usr/local/share/apktool/apktool https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/osx/apktool curl -L -o /usr/local/share/apktool/apktool.jar https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.3.3.jar chmod +x /usr/local/share/apktool /usr/local/share/apktool/apktool.jar ln -s /usr/local/share/apktool /usr/local/bin/apktool ln -s /usr/local/share/apktool.jar /usr/local/bin/apktool.jar fi

install dex2jar

if [ ! -x "$(which d2j-dex2jar)" ]; then curl -L -o /tmp/d2j.zip https://github.com/pxb1988/dex2jar/files/1867564/dex-tools-2.1-SNAPSHOT.zip unzip /tmp/d2j.zip -d /tmp/d2j dirname=$(ls --color=none /tmp/d2j) mv /tmp/d2j/$dirname /usr/local/share/d2j-dex2jar ln -s /usr/local/share/d2j-dex2jar/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar.sh ln -s /usr/local/share/d2j-dex2jar/d2j-apk-sign.sh /usr/local/bin/d2j-apk-sign.sh rm -rf /tmp/d2j.zip fi

if [ ! -x "$(which d2j-dex2jar)" ]; then ln -s /usr/local/bin/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar fi

install adb

if [ ! -x "$(which adb)" ]; then curl -L -o /tmp/platform-tools.zip https://dl.google.com/android/repository/platform-tools-latest-darwin.zip unzip /tmp/platform-tools.zip -d /tmp/pt mv /tmp/pt/platform-tools /usr/local/share/ ln -s /usr/local/share/platform-tools/adb /usr/local/bin/adb ln -s /usr/local/share/platform-tools/fastboot /usr/local/bin/fastboot fi

install Xcode / command line tools

xcode-select --install

install scrounger

git clone [email protected]:nettitude/scrounger.git cd scrounger pip install -r requirements.txt python setup.py install

Adding Custom Modules

When installing the application a folder

~/.scrounger
will be created. Inside
~/.scrounger
will be a folder called
modules/custom
with the same structure as the default scrounger modules, e.g.,
analysis/android/module_name
.

To create a new custom module just add a new file with the module name you want and it will be included the next time you launch scrounger.

Example

Added the following module (

~/.scrounger/modules/custom/misc/test.py
):
from scrounger.core.module import BaseModule

class Module(BaseModule): meta = { "author": "RDC", "description": """Just a Test module""", "certainty": 100 }

options = [
    {
        "name": "output",
        "description": "local output directory",
        "required": False,
        "default": None
    },
]

def run(self):

    print("This is a print from the custom module")

    return {
        "print": "This will be print by scrounger's console."
    }

Execution

$ scrounger-console
Starting Scrounger console...

scrounger > list custom/misc

Module Certainty Author Description


custom/misc/test 100% RDC Just a Test module

scrounger > use custom/misc/test

scrounger custom/misc/test > options

Global Options:

Name    Value
----    -----
device
output  /tmp/scrounger-app

Module Options (custom/misc/test):

Name    Required  Description             Current Setting
----    --------  -----------             ---------------
output  False     local output directory  /tmp/scrounger-app

scrounger custom/misc/test > run This is a print from the custom module [+] This will be print by scrounger's console.

scrounger custom/misc/test >

Examples

Listing / Searching modules

$ scrounger-console
Starting Scrounger console...

> help

Documented commands (type help ):

add_device devices list print results set unset back help options quit run show use

> help list Lists all available modules

> list ios

Module Certainty Author Description


analysis/ios/app_transport_security 90% RDC Checks if there are any Application Transport Security misconfigurations analysis/ios/arc_support 90% RDC Checks if a binary was compiled with ARC support analysis/ios/backups 90% RDC Checks the application's files have the backup flag on analysis/ios/clipboard_access 75% RDC Checks if the application disables clipboard access analysis/ios/debugger_detection 75% RDC Checks if the application detects debuggers analysis/ios/excessive_permissions 90% RDC Checks if the application uses excessive permissions analysis/ios/file_protection 90% RDC Checks the application's files specific protection flags analysis/ios/full_analysis 100% RDC Runs all modules in analysis and writes a report into the output directory analysis/ios/insecure_channels 50% RDC Checks if the application uses insecure channels analysis/ios/insecure_function_calls 75% RDC Checks if the application uses insecure function calls analysis/ios/jailbreak_detection 60% RDC Checks if the application implements jailbreak detection analysis/ios/logs 60% RDC Checks if the application logs to syslog analysis/ios/passcode_detection 60% RDC Checks if the application checks for passcode being set analysis/ios/pie_support 100% RDC Checks if the application was compiled with PIE support analysis/ios/prepared_statements 60% RDC Checks if the application uses sqlite calls and if so checks if it also uses prepared statements analysis/ios/ssl_pinning 60% RDC Checks if the application implements SSL pinning analysis/ios/stack_smashing 90% RDC Checks if a binary was compiled stack smashing protections analysis/ios/third_party_keyboard 65% RDC Checks if an application checks of third party keyboards analysis/ios/unencrypted_communications 80% RDC Checks if the application implements communicates over unencrypted channels analysis/ios/unencrypted_keychain_data 70% RDC Checks if the application saves unencrypted data in the keychain analysis/ios/weak_crypto 60% RDC Checks if the application uses weak crypto analysis/ios/weak_random 50% RDC Checks if a binary uses weak random functions analysis/ios/weak_ssl_ciphers 50% RDC Checks if a binary uses weak SSL ciphers misc/ios/app/archs 100% RDC Gets the application's available architectures misc/ios/app/data 100% RDC Gets the application's data from the remote device misc/ios/app/entitlements 100% RDC Gets the application's entitlements misc/ios/app/flags 100% RDC Gets the application's compilation flags misc/ios/app/info 100% RDC Pulls the Info.plist info from the device misc/ios/app/start 100% RDC Launches an application on the remote device misc/ios/app/symbols 100% RDC Gets the application's symbols out of an installed application on the device misc/ios/class_dump 100% RDC Dumps the classes out of a decrypted binary misc/ios/decrypt_bin 100% RDC Decrypts and pulls a binary application misc/ios/install_binaries 100% RDC Installs iOS binaries required to run some checks misc/ios/keychain_dump 100% RDC Dumps contents from the connected device's keychain misc/ios/local/app/archs 100% RDC Gets the application's available architectures misc/ios/local/app/entitlements 100% RDC Gets the application's entitlements from a local binary and saves them to file misc/ios/local/app/flags 100% RDC Gets the application's compilation flags using local tools. Will look for otool and jtool in the PATH. misc/ios/local/app/info 100% RDC Pulls the Info.plist info from the unzipped IPA file and saves an XML file with it's contents to the output folder misc/ios/local/app/symbols 100% RDC Gets the application's symbols out of an installed application on the device misc/ios/local/class_dump 100% RDC Dumps the classes out of a decrypted binary misc/ios/pull_ipa 100% RDC Pulls the IPA file from a remote device misc/ios/unzip_ipa 100% RDC Unzips the IPA file into the output directory

Using Misc Module

$ scrounger-console
Starting Scrounger console...

> use misc/android/decompile_apk

misc/android/decompile_apk > options

Global Options:

Name   Value
----   -----
device
output /tmp/scrounger-app

Module Options (misc/android/decompile_apk):

Name   Required Description                Current Setting
----   -------- -----------                ---------------
output True     local output directory     /tmp/scrounger-app
apk    True     local path to the APK file

misc/android/decompile_apk > set output scrounger-demo-output

misc/android/decompile_apk > set apk ./a.apk

misc/android/decompile_apk > options

Global Options:

Name   Value
----   -----
device
output /tmp/scrounger-app

Module Options (misc/android/decompile_apk):

Name   Required Description                Current Setting
----   -------- -----------                ---------------
output True     local output directory     scrounger-demo-output
apk    True     local path to the APK file ./a.apk

misc/android/decompile_apk > run 2018-05-01 10:29:53 - decompile_apk : Creating decompilation directory 2018-05-01 10:29:53 - decompile_apk : Decompiling application 2018-05-01 10:29:59 - manifest : Checking for AndroidManifest.xml file 2018-05-01 10:29:59 - manifest : Creating manifest object [+] Application decompiled to scrounger-demo-output/com.eg.challengeapp.decompiled

Using results from other modules

misc/android/decompile_apk > show results

Results:

Name                             Value
----                             -----
com.eg.challengeapp_decompiled scrounger-demo-output/com.eg.challengeapp.decompiled

misc/android/decompile_apk > use analysis/android/permissions

analysis/android/permissions > options

Global Options:

Name   Value
----   -----
device
output /tmp/scrounger-app

Module Options (analysis/android/permissions):

Name           Required Description                                        Current Setting
----           -------- -----------                                        ---------------
decompiled_apk True     local folder containing the decompiled apk file
permissions    True     dangerous permissions to check for, seperated by ; android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CA

analysis/android/permissions > print option permissions

Option Name: permissions Value: android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CALLS;android.permission.READ_LOGS;android.permission.READ_SMS;android.permission.READ_CALL_LOG;android.permission.RECORD_AUDIO;android.permission.MANAGE_ACCOUNTS;android.permission.RECEIVE_SMS;android.permission.RECEIVE_MMS;android.permission.WRITE_CONTACTS;android.permission.DISABLE_KEYGUARD;android.permission.WRITE_SETTINGS;android.permission.WRITE_SOCIAL_STREAM;android.permission.WAKE_LOCK

analysis/android/permissions > set decompiled_apk result:com.eg.challengeapp_decompiled

analysis/android/permissions > options

Global Options:

Name   Value
----   -----
device
output /tmp/scrounger-app

Module Options (analysis/android/permissions):

Name           Required Description                                        Current Setting
----           -------- -----------                                        ---------------
decompiled_apk True     local folder containing the decompiled apk file    result:com.eg.challengeapp_decompiled
permissions    True     dangerous permissions to check for, seperated by ; android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CA

analysis/android/permissions > run 2018-05-01 10:54:58 - manifest : Checking for AndroidManifest.xml file 2018-05-01 10:54:58 - manifest : Creating manifest object 2018-05-01 10:54:58 - permissions : Analysing application's manifest permissions [+] Analysis result: The Application Has Inadequate Permissions Report: True Details:

  • android.permission.READ_SMS

Using devices

$ scrounger-console
Starting Scrounger console...



> show devices

Added Devices:

Scrounger ID Device OS Identifier
------------ --------- ----------

> add_device android ios

> add_device android 00cd7e67ec57c127

> show devices

Added Devices:

Scrounger ID Device OS Identifier
------------ --------- ----------
1            android   00cd7e67ec57c127

> set global device 1

> options

Global Options:

Name   Value
----   -----
device 1
output /tmp/scrounger-app

> use misc/list_apps

misc/list_apps > options

Global Options:

Name   Value
----   -----
device 1
output /tmp/scrounger-app

Module Options (misc/list_apps):

Name   Required Description            Current Setting
----   -------- -----------            ---------------
output False    local output directory /tmp/scrounger-app
device True     the remote device      1

misc/list_apps > unset output

misc/list_apps > options

Global Options:

Name   Value
----   -----
device 1
output /tmp/scrounger-app

Module Options (misc/list_apps):

Name   Required Description            Current Setting
----   -------- -----------            ---------------
output False    local output directory
device True     the remote device      1

misc/list_apps > run [+] Applications installed on 00cd7e67ec57c127:

com.android.sharedstoragebackup com.android.providers.partnerbookmarks com.google.android.apps.maps com.google.android.partnersetup de.codenauts.hockeyapp ...

Command Line Help

$ scrounger --help
usage: scrounger [-h] [-m analysis/ios/module1;analysis/ios/module2]
                 [-a argument1=value1;argument1=value2;]
                 [-f /path/to/the/app.[apk|ipa]] [-d device_id] [-l] [-o]
                 [-p /path/to/full-analysis.json] [-V] [-D]


/ __| | (___ _ _ __ _ _ _ _ __ __ _ _ _ __ ___ \ / | '/ _ | | | | '_ \ / ` |/ _ \ '_| __) | (| | | () | || | | | | (| | / | |__/ _|| \/ _,|| ||_, |__|| / | |/

optional arguments: -h, --help show this help message and exit -m analysis/ios/module1;analysis/ios/module2, --modules analysis/ios/module1;analysis/ios/module2 modules to be run - seperated by ; - will be run in order -a argument1=value1;argument1=value2;, --arguments argument1=value1;argument1=value2; arguments for the modules to be run -f /path/to/the/app.[apk|ipa], --full-analysis /path/to/the/app.[apk|ipa] runs a full analysis on the application -d device_id, --device device_id device to be used by the modules -l, --list list available devices and modules -o, --options prints the required options for the selected modules -p /path/to/full-analysis.json, --print-results /path/to/full-analysis.json prints the results of a full analysis json file -V, --verbose prints more information when running the modules -D, --debug prints more information when running scrounger

Using the command line

$ scrounger -o -m "misc/android/decompile_apk"

Module Options (misc.android.decompile_apk):

Name   Required Description                Default
----   -------- -----------                -------
output True     local output directory     None
apk    True     local path to the APK file None

$ scrounger -m "misc/android/decompile_apk" -a "apk=./a.apk;output=./cli-demo" Excuting Module 0 2018-05-01 11:17:42 - decompile_apk : Creating decompilation directory 2018-05-01 11:17:42 - decompile_apk : Decompiling application 2018-05-01 11:17:46 - manifest : Checking for AndroidManifest.xml file 2018-05-01 11:17:46 - manifest : Creating manifest object [+] Application decompiled to ./cli-demo/com.eg.challengeapp.decompiled

TODO

  • Add init file that is run everytime scrounger-console is started
  • Fix session results saving when not strings

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.