brew install ca-certificates
brew install [email protected]
brew install ldid
brew install usbmuxd
brew install libimobiledevice
越狱工具(对iOS设备进行越狱)
使用checkra1n越狱
https://checkra.in/releases/
https://www.jianshu.com/p/8beb21bcdae7
使用unc0ver越狱
https://unc0ver.dev/
https://www.jianshu.com/p/5f2d33ba2fb5
主流的越狱工具一般是半完美越狱,iOS设备重启后Cydia会闪退打不开,需要重新操作越狱流程
https://palera.in/
https://github.com/palera1n/palera1
https://github.com/palera1n/palera1n/releases
https://theos.dev/docs/installation-ios
https://github.com/AloneMonkey/MonkeyDev/wiki/%E5%AE%89%E8%A3%85
iOS越狱后的ssh连接手机
ssh root@127.0.0.1
#iproxy-通过USB使用SSH连接iOS设备
iproxy 9999 22 #端口转发
ssh -p 9999 [email protected]127.0.0.1
frida安装
https://build.frida.re
#在cydia中添加frida源
#cydia中搜索frida,根据iOS设备版本安装对应的frida服务端
#Windows10电脑安装frida(特别注意frida版本要与手机中的frida版本保持一致)
https://github.com/frida/frida
https://github.com/frida/frida/releases
Filza File Manager安装,越狱设备的文件管理器Cydia源
http://tigisoftware.com/cydia/
#TIGI Software ---> 全部工具 ---> Filza File Manager 64-bit
frida-ios-dump砸壳工具
git clone https://github.com/AloneMonkey/frida-ios-dump.git
cd frida-ios-dump
python -m pip install -r requirements.txt --upgrade
dump.py -l
frida-ps -U
python dump.py -H 127.0.0.1 -p 9999 -u root -P alpine <app_name>
查看iOS手机是否越狱
whoami
iOS App应用本地存储位置
/private/var/containers/Bundle/Application
越狱插件路径
/Applications/
正常安装路径
/private/var/mobile/Containers/Data/Application/
安装iOS安装包
ideviceinstaller -i ***..ipa
iOS查看系统日志
idevicesyslog
iOS查看当前已连接的设备的UUID
idevice_id -l
iOS截图
idevicescreenshot
iOS查看设备信息
ideviceinfo
ideviceinfo -u [udid] -k DeviceName #指定设备,获取设备名称:iPhone6s
idevicename -u [udid] #指定设备,获取设备名称:iPhone6s
ideviceinfo -u [udid] -k ProductVersion #指定设备,获取设备版本:10.3.1
ideviceinfo -u [udid] -k ProductType #指定设备,获取设备类型:iPhone8,1
ideviceinfo -u [udid] -k ProductName #指定设备,获取设备系统名称:iPhone OS
iOS获取app列表和信息
ideviceinstaller -l
iOS获取设备时间
idevicedate
iOS重启设备
idevicediagnostics restart
iOS关机
idevicediagnostics shutdown
iOS休眠
idevicediagnostics sleep
iOS安装SSL Kill Switch 2以突破或绕过SSL Pinning、Certificate Pinning,解决Charles、Fiddler等网络代理工具开启SSL Proxying后HTTPS抓包,用于禁用iOS上的SSL/TLS的证书校验机制,以便能抓取到明文的数据包
https://github.com/nabla-c0d3/ssl-kill-switch2
https://github.com/nabla-c0d3/ssl-kill-switch2/releases
scp -P 9999 com.nablac0d3.sslkillswitch2_0.14.deb [email protected]127.0.0.1:/tmp
dpkg -i com.nablac0d3.sslkillswitch2_0.14.deb
killall -HUP SpringBoard
#打开iOS设置,下滑找到SSL Kill Switch 2,确认Disable Certificate Validation已开启
FLEXLoader动态加载FLEX的越狱插件
https://github.com/FLEXTool/FLEX
https://github.com/FLEXTool/FLEX/releases
https://cloud.tencent.com/developer/article/1873827
Zorro安装,Zorro是一款基于iOS端的参数修改工具
#添加软件源
apt.jituvip.com
#极兔软件源 ---> 佐罗Zorro ---> 安装6.6.1
iOS平台上轻松跟踪类、函数和修改方法的返回值
https://github.com/noobpk/frida-ios-hook
https://github.com/noobpk/frida-ios-hook/releases
iOS安全测试框架
https://github.com/WithSecureLabs/needle
https://github.com/WithSecureLabs/needle/releases
Frida Scripts
https://github.com/interference-security/frida-scripts
https://github.com/interference-security/frida-scripts/tree/master/iOS
AppMon是监测和修改本地MacOS、iOS、Android系统API的自动化框架
git clone https://github.com/dpnishant/appmon
cd appmon && git checkout LISTEN_MODE
python appmon.py -mode listen
curl "http://127.0.0.1:5000/connect/?a=Gadget&spawn=0&p=iossim&s=scripts/iOS&ls=0&report=test"
推荐阅读