Installing the Metasploit Framework on the iPad

The iPad is hailed by Apple to be a "Magical and revolutionary" device. Whether or not that is true is a matter of heavy debate. Personally, I don't think so. But it IS a very interesting platform for penetration testing.

With the release of the Spirit userland jailbreak, the iPad is now a more versatile platform for development and research. Using the Cydia APT repository system (which uses Debian-style APT packages ported specifically to iPhone OS), it is now possible to install packages which vastly increase the extensibility of the iPad. There are already multiple security applications ported to the iPhone OS platform, and with the addition of the GNU compiler and kernel headers it is possible to natively compile even more.

Pentesting on iDevices is nothing new. Thomas Wilhelm (aka Hacker Junkie) gave a talk at Defcon 17 about using the iPod Touch as a pentesting platform. We'll look at extending his work to the iPad. This write-up assumes you have already made the requisite SHSH blob backups, either using FW Umbrella or by jailbreaking and letting Saurik's Cydia request the blobs on your behalf. If you haven't already done so, do it as soon as possible: it is likely that Apple will soon release a patched firmware which prevents jailbreaking, and will stop signing the 3.2 firmware at the same time. When that happens, users will no longer be able to downgrade to 3.2 unless they have SHSH blobs on file somewhere. Google for more information on how to do this.

Once you've run the Spirit jailbreak and have Cydia installed on your iPad, make sure you have not enabled any package filters. When you first configure Cydia, you are offered different levels of packages. The default filter level hides development and command-line packages. Since we're all grown-ups, we can select the "Developer" level (no filters). Browse to the packages tab and select the "Security" category. This category contains several applications that are of interest to a penetration tester; most notable are the nmap port scanner and the Metasploit Framework. For the uninitiated, the Metasploit Framework (MSF) is a penetration testing and exploitation framework based on the groundbreaking work of H D Moore and a team of extremely bright developers. It is still, as of this writing, the largest Ruby project ever created.

Installing MSF or nmap is straightforward. Touch the package name, then touch "Install". Cydia will then download the MSF and/or nmap packages and their dependencies and install them. When it has finished, touch the button to return to Cydia.

Unfortunately the MobileTerminal package, which provides shell access to the iPhone OS filesystem, is not yet functional on the iPad. To work around this, we need an SSH client application for the iPad and we need to install the OpenSSH server. I prefer iSSH, it's a universal app for iPhone/iPod touch/iPad and is relatively inexpensive at $4.99. Install that application, then launch Cydia and search for and install the OpenSSH package. WARNING! After installing the OpenSSH package, change the password! Every iDevice ships with the same default password ("alpine") for both the "root" and the "mobile" accounts, and several notable worms (the ikee worm of late 2009, for one) have been written which simply log in over SSH with it. The sshd you just installed listens on the Wi-Fi interface, not just on localhost, so failing to change both passwords can result in your device getting owned by anyone on the same network. Consider yourself warned.

After OpenSSH has been installed, close Cydia and launch iSSH. Create a connection to the iPad's own loopback address (127.0.0.1). Log in as the "root" user with your new password, or with the default alpine password. If you use the default password, your very next step should be to change it. To do so, type the "passwd" command at the command line, and you will be prompted for a new password; then run "passwd mobile" to change the second default account as well. You'll use the new root password to connect henceforth. Assuming all went well and you're connected, you can now launch Metasploit. To do so, type "ruby msfconsole" and, after a moment, you'll be presented with the MSF console. Alternately, you *should* be able to just type "msfconsole". However, when I did this I was presented with an environment variable error that it could not find "/usr/bin/env ruby". I manually edited the msfconsole script to change the first line to "#!/usr/bin/ruby", which seemed to fix it. HD Moore tells me that this should not be necessary, so your mileage may vary.
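If you do hit the "/usr/bin/env ruby" problem, the hand edit above can be done more carefully as a small POSIX shell function. This is an added example written for this page, not code from the original post or from the Metasploit project; it generalises the fix to any "#!/usr/bin/env X" shebang, only touches the file when the first line is exactly that, keeps a .orig copy, refuses to pin to an interpreter that does not exist, and replaces the file atomically. The paths /usr/bin/msfconsole and /usr/bin/ruby in the usage line are assumptions; the post only says msfconsole should be on your PATH.

```shell
#!/bin/sh
# Added example (not from the original post): pin a script's
# "#!/usr/bin/env INTERPRETER" shebang to an absolute interpreter path.

# fix_env_shebang SCRIPT [INTERPRETER] [INTERPRETER_PATH]
#   SCRIPT           script whose first line is "#!/usr/bin/env INTERPRETER"
#   INTERPRETER      interpreter name in that shebang (default: ruby)
#   INTERPRETER_PATH absolute path to pin to (default: what `command -v`
#                    finds in the current PATH)
# Returns 0 if the shebang was rewritten, 1 if the file was left alone,
# 2 on a usage or I/O error. The original is kept as SCRIPT.orig.
fix_env_shebang() {
    script=$1
    interp=${2:-ruby}
    interp_path=${3:-$(command -v "$interp" 2>/dev/null)}

    [ -f "$script" ] || { echo "fix_env_shebang: no such file: $script" >&2; return 2; }

    # Fail closed: never write a shebang pointing at something that is not there.
    if [ -z "$interp_path" ] || [ ! -x "$interp_path" ]; then
        echo "fix_env_shebang: cannot find an executable '$interp'" >&2
        return 2
    fi
    case $interp_path in
        /*) ;;
        *)  echo "fix_env_shebang: interpreter path must be absolute: $interp_path" >&2
            return 2 ;;
    esac

    # Only rewrite the exact line the post describes; anything else
    # (already pinned, different interpreter, trailing junk) is left alone.
    first=$(head -n 1 "$script")
    if [ "$first" != "#!/usr/bin/env $interp" ]; then
        echo "fix_env_shebang: leaving $script alone, first line is: $first" >&2
        return 1
    fi

    cp -p "$script" "$script.orig" || return 2

    # New shebang plus everything after the old first line goes to a temp
    # file, which is then moved into place, so an interrupted run never
    # leaves a half-written script behind.
    tmp="$script.tmp.$$"
    { printf '#!%s\n' "$interp_path"; tail -n +2 "$script"; } > "$tmp" \
        || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$script" || { rm -f "$tmp"; return 2; }
    chmod +x "$script"
    return 0
}

# Usage on the iPad (assumed locations):
#   fix_env_shebang /usr/bin/msfconsole ruby /usr/bin/ruby
if [ $# -gt 0 ]; then
    fix_env_shebang "$@"
fi
```

Run it once over SSH as root after confirming where Cydia put msfconsole (`command -v msfconsole`). If it reports that it is leaving the file alone, the shebang is not the one the post describes and the error has some other cause, in which case check that `ruby` is actually on the PATH of your SSH login shell before editing anything.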

After that, you're on your own. We look forward to hearing about other neat things you've managed to make the iPad do. If you've got any questions/comments/etc, feel free to contact us via the "Contact Us" page.

DISCLAIMER: Jailbreaking your iPad is a violation of the Apple End User License Agreement and could result in Bad Things(™) happening to your iPad, and might even get you in trouble with the law. We assume no responsibility. You've been warned.