iOS Packet Sniffing

Together with Pown.js we are bringing some pretty awesome features such as an extended PCAP library for Node, a version of Responder.py, a captcha bruteforcer, proxies and other useful tools. In this quick tutorial we will show you how easy it is to do security research on iOS applications using Pown.js NOW and our own HTTPView. This technique can also be used to debug applications with minimal effort.

On Mac OS X it is relatively easy to sniff the traffic of any iOS device using a tool called rvictl, which stands for Remote Virtual Interface Tool. In order to start sniffing, we first need to get the device UDID, which can be found either via iTunes or on the command line like this:

$ instruments -s devices

Make sure that your iOS device is plugged in, otherwise you will only get a list of the simulators which come with your version of Xcode. Once you have the UDID, we can set up a new network interface using the rvictl command like this:

$ rvictl -s $UDID

This command will create a PKTAP interface called rvi0, which we can use to sniff the traffic. Now we can start tcpdump, Wireshark or whatever tool you may have in mind, but in this tutorial we would like to show you a better way by combining both pown-now and HTTPView to get some interesting results.

First, make sure you have the latest version of Pown.js installed:

$ npm install -g pown

Now let's start sniffing HTTP traffic via HTTPView. We need to invoke the pown now tool on the rvi0 interface with an option to kickstart HTTPView via the established WebSocket.

$ pown now -a httpview rvi0

This command will set up a WebSocket on localhost and subsequently start HTTPView in your browser, pre-configured to read from that socket. This is useful because HTTPView is pretty advanced when it comes to dissecting HTTP traffic, so you don't need to decode all the encodings and break down the structure of the HTTP requests and responses in your head.
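
The steps above as one script, added here as an example and not part of the original tutorial: it picks the physical device's UDID out of the instruments listing (skipping simulators and the host Mac), attaches the interface, runs HTTPView and removes the interface afterwards. The listing format, the sample data and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial).

# Constructed sample of `instruments -s devices` output; names and IDs are made up.
sample_devices() {
    cat <<'EOF'
Known Devices:
Example-MacBook [01234567-89AB-CDEF-0123-456789ABCDEF]
Alice's iPhone (10.3.2) [0123456789abcdef0123456789abcdef01234567]
iPhone 7 (10.3.1) [89ABCDEF-0123-4567-89AB-CDEF01234567] (Simulator)
iPad Air (10.3.1) [FEDCBA98-7654-3210-FEDC-BA9876543210]
EOF
}

# Print the UDID of each physical iOS device listed on stdin, one per line.
# Assumed line shape: "<name> (<iOS version>) [<UDID>]". Simulators and the
# host Mac carry a dashed 36-character UUID; hardware UDIDs are 40 hex digits
# or, on newer devices, 8 hex digits, a dash and 16 hex digits.
physical_udids() {
    awk '
        /\(Simulator\)/ { next }
        match($0, /\([0-9][0-9.]*\) \[[0-9A-Fa-f-]+\]$/) {
            id = substr($0, RSTART, RLENGTH)
            sub(/^.*\[/, "", id); sub(/\]$/, "", id)
            ok40 = (length(id) == 40 && id ~ /^[0-9A-Fa-f]+$/)
            ok25 = (length(id) == 25 && index(id, "-") == 9 &&
                    id ~ /^[0-9A-Fa-f]+-[0-9A-Fa-f]+$/)
            if (ok40 || ok25) print id
        }'
}

# Attach the rvi interface for the one plugged-in device, run HTTPView, clean up.
# Assumes no other rvi interface exists, so the new one is rvi0 as in the tutorial.
sniff_device() {
    set -- $(instruments -s devices 2>/dev/null | physical_udids)
    if [ "$#" -ne 1 ]; then
        echo "expected exactly one physical device, found $#" >&2
        return 1
    fi
    rvictl -s "$1" || return 1
    trap : INT                      # Ctrl-C stops pown, not this function
    pown now -a httpview rvi0
    status=$?
    trap - INT
    rvictl -x "$1"                  # remove the virtual interface again
    return "$status"
}
```

Source the file on the Mac and call sniff_device; it refuses to continue when zero or several physical devices are listed.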

With relative ease we can start sniffing and dissecting the traffic of the iOS News app, which as you can see is 100% unencrypted. That makes it an interesting target for anything from pranks to other types of attacks, such as, for example, utilising a WebKit exploit.