📜 ⬆️ ⬇️

Mobile Lab on Android for penetration testing

"In one life, you are Thomas Anderson,
a programmer in a large reputable company.
Do you have health insurance,
You pay taxes
and more - helping the concierge take out the garbage.
Your other life is in computers
and here you are known as hacker Neo "

... (film The Matrix)


Attention ! All information in this article is provided for informational purposes only.
The article is not recommended for reading to those who are not familiar with such a concept as “full Root”.

In this article I will carry out approbation> thirty world hacktools, developed / ported under Android. Some tools are PRO-tools, “some toys”, and some require a custom kernel. Most applications request Root rights. The tools are offered to the end user under various cyber-licenses, this is good news (for informational purposes)! Some PRO-hacktools you will not find in the GP, and some, perhaps, "hear" for the first time. In any case, Android OS non-standardized and the same cross-compiled programs, under the same architecture, can "fly", require "crutches" or not work at all.

The transnational corporation Google, in addition to the user agreement and privacy policy and security, has: a Google Play agreement on the distribution of software products; center of rules for developers (including the satisfaction of complaints from puberty girls to the rudeness of the developer and inappropriate content); fight to developers of explicit hacktools, etc. Simply put, the monopolistic technical policy of the GP flows into political technique. And this alignment usually does not slow down tech-savvy users / developers of Android gadgets / applications in the endless search for Sibola.

Particularly clumsy, it is recommended not to show an increased interest in the tools described here. An ax, with which you prick a lug for kindling the furnace - these actions are characterized by law. The same ax in the hands of the executioner is already a crime and punishment. Some applications can be used for insidious purposes, and this in turn contradicts not only Google’s policy, Hacktools policy, but also the constitution of some countries - this is an ax in the hands of the executioner. For these compelling reasons, the author does not encourage white-gray hats to use “special” applications in their tract without reading at least local laws.

[Hacktools] application overview


NSA and their buddies are awake, and so are we. They drove ...

Headliner Hash Suite Droid


1) HSD - Cuban development under a liberal license. Prog for brute force hashes based on JohnTheRipper’s idea / source software, JTR - from legendary domestic Jesus cryptographer who keeps in the background - A. Peslyaka, who helped (discuss) developer Alain to bring HSD to mind.



The software works on Android 3 + ↑. The speed of brute force attacks, on a weak gadget for 4k rubles, gives a head start in the speed of selecting passwords ~ 40% higher than a PC with a CPU-2x Athlon 4800+. The average power device in its work, for example Redmi 4x, on some hashes also uses the GPU. In terms of performance in the speed of selection of passwords, Redmi 4x is not inferior to Intel 2x T6600.
The HSD application is energy intensive. And while the program is running, for example, on handicraft gadgets, the cracker needs to be attentive to the temperature conditions of the battery.

Alternative fork JTR. The official JTR software on Windows / Linux can crack 8 hashes, an advanced cracker for Linux - 265 hashes, and the Cuban HSD was developed and sharpened under 10 popular hashes. RE for HashSuiteDroid end user is not required, the interface was designed by a professional well and with soul.

The HSD application supports brute force attacks on the following types of hashing:
[LM; NTLM; MD5; SHA1; SHA256; SHA512; DCC/2; WPA-PSK; BCRYPT] [LM; NTLM; MD5; SHA1; SHA256; SHA512; DCC/2; WPA-PSK; BCRYPT] .

Options:

MD5 / SHA1 import by type as [any_name: 04bb67a1914803ff834a4a25355ad9f3].
The hacker has a flaw: the lack of a hybrid attack mode (mask attack). The developer convinces himself that his creation is not a password cracker (personal brute-force attack application), but software for auditing weak passwords (brute-database hashes), hence the general rules of attacking passwords, and the lack of a hybrid mask attack in the HSD. HSD paired with the Wordlist Generator application, this inconvenience is slightly eliminated, but not completely.
HSD - debugged, but not updated since the end of 2015 (to add support for new hashes / masks). The reason for the “temporary freezing of the project” is the weak popularity of the application (response from Cuba).



Wordlist generator


2) Wordlist Generator is an application for generating dictionaries according to specified rules. WG supports word generation by user pattern, digit, special character, Latin, prefix and suffix. The generation of words on a custom mask is absent.

Lucky Patcher


3) Lucky Patcher is a combine-application with a coherent Russified interface for crackers. Lucky Patcher can be hurt and revived (LP is at war with the GP and is still victorious), sow confusion and excite. The application is constantly updated and keeps up with the times.

Implemented support for the following features.




SSL Capture


4) SSL Capture is partly an open source project. Chinese development, analog and improved Packet Capture application. To disclose the source code in terms of https interception / analysis, dear Mr. Pu puts forward different requirements. At the moment, the requirement for partial disclosure of sources (in terms of https) is a delicate one: collect 1,000 stars for the SSL_Capture project on Github ...

Using this application, HTTP / HTTPS traffic of applications / browsers is captured and analyzed (high efficiency up to Android 7).

What is it for? The simplest use of an application is to snoop requests / responses from applications, and to study too intrusive projects (metrics / advertising, something worse), to send rascal requests to / etc / hosts (traffic blocking and addition to AdAway ). Or, for example, after analyzing an unknown .apk in Virustotal, check the traffic of applications downloaded from "unreliable sources". Or an example of a tougher: many had a situation when friends / relatives asked your gadget to enter the social network and so on. In this situation, using this application, you can remove all passwords / data of encrypted traffic of a target without pale. That is, incl. SSL capture, put a pin on the browser (so that the victim could not switch between applications, hide the “keep bell” certificate notifications, give the victim a phone ahead of the victim.

To study the Internet traffic of your applications, you may have used Owasp-zap (Burp suite / Fidler) on your PC, generated an ssl certificate, downloaded it on Android, received an error when installing the certificate, downloaded it from GP Root Sertificate manager and using it installed ssl-certificate, received “screeching and unwillingness” of browsers to process pages. They opened the Owap-zap, proxied the mobile connection through the PC and watched the application traffic on their LCD monitor.

With SSL Capture, the target object becomes simpler: mobile browsers do not get angry at the spoof certificate, applications do not. “Browser-software traffic” becomes available in decoded form for analysis and on Android (including gzip and graphics analysis). The application correctly / personally lays out all the logs. Txt in directories and subfolders, taking into account the name of the date and time - conveniently, what else to say.



Conclusion on SSLC: it is not necessary to adjust heavy artillery to check "Burger King and secret recording of your phone screen"

ANDRAX


5) ANDRAX is a Brazilian development, mobile platform for penetration testing (not emulation!), Developed specifically for Android smartphones under the liberal GPL + license (request / response on the license to the developer, since there is no mention of permissions anywhere) . What's under the hood of ANDRAX : a beautiful cli-terminal; programming environment for a dozen popular languages ​​- codeHACK IDE (with syntax highlighting and prompts); a cloud of different tools for a hacker (much less than in Kali Linux, damn! what a ridiculous comparison;)); and of course - bugs (for example, a non-work findmyhash, a loss of brute-force speed in JTR and Aircrack-ng applications). On the playing field, "Brazilian soccer player" behaves like a regular Linux distribution, but more powerful than a regular distribution!

The ANDRAX system requirements are impressive: ~ 5 + GB of modern ROM Android 5+, Busybox, SuperSu / Magisk (these are the Root rights management applications, not the default ones, supplied with some firmware).

The chat project in Telegram has already occupied most of the curious insurgents of the TV series Mr. Robot, the siege of the admin faces from all countries. In addition to the messenger, traces of the presence of the developer can be found on the same type of resources - dedicated to information security (including in the Openwall mailing letters).

The direction of the product, from development to support, is supervised by a “digital person”, without knowing fatigue, in one person. Therefore, comparing, while that raw ANDRAX VS NetHunter is incorrect, but you can argue on the topic of ANDRAX-Termux. To be honest, this platform has so far pushed and frightened. The fact that the developer is a genius I have less and less doubt (his public recognition in the subject of suicide and simultaneous enthusiasm for one person. Such imbalance is characteristic of such nuggets). But to develop and drag this project alone, I cannot believe it and there are reasons for that.

IMHO: to support life-like products like ANDRAX, they do not need a GP; The future of the project cannot be cloudless in the face of combat quad - Mr.Robot, but this development will surely choose its own audience in the world of mobile cracking.
And the ANDRAX developer phrases can be parsed into quotes:


“Do not be evil, but be a CRACKER!”
“We are security professionals, not pirates!”
“The future of hacking is mobile!”
"Only a California-sized meteorite can solve problem 3."
"Any Android smartphone without root-access belongs to the manufacturer, not the user"
"There are more than 50 developers, and I am one
"Listen here junk, the world is more than Debian, I program my distros, Linux and Android kernels on the PC for longer than you watch Mr.Robot."


And below is the update of the Andrax platform, which significantly added hacking tools.

reviewer on YouTube

Kali Linux NetHunter


6) Kali Linux NetHunter - the leader, the first PRO platform for penetration testing under Android. System Requirements KLN ~ as with ANDRAX (competitor platforms). The software is officially developed for Nexus and OnePlus, in fact it can be installed on any other devices (for full-fledged work in the NetHunter environment, on fuck-firmware, a solution to the problem with the kernel is required).



Intercepter-ng


7) Intercepter-ng Domestic development . Network sniffer, allowing you to pry surf users, intercept passwords from unencrypted traffic.

Successfully implements an ARP-spoofing attack. Carries out the interception and analysis of unencrypted network traffic of wifi clients. The dns-spoofing attack is claimed, but due to the development of IT security, today this attack is practically not relevant anywhere. The program is demanding on resources (Sslstrip), some time after starting the program, weak devices go to reboot.



Initially, the application was located in GP, ​​but then the political technique “got” to the developer and his code. Events later, dissatisfied with Google (with its punishment: removing the application from the GP), unleashed the siege of Soviet web hosting, where the Intercepter-ng project lives and develops successfully to this day.



tPacketCapture


8) tPacketCapture - Japanese development. The application captures (sniffs) the traffic saves in the format ".pcap". For a complete analysis of the harvest, you need a PC with tcpdump / xplico / wireshark software.

zANTI


9) zANTI - USA development. Combine application for network security.

Supported functionality:


zANTI is a free application from a commercial office, there is adequate support, the software is updated.



cSploit


10) cSploit rusted harvester application for pentester. Available integrated Metasploit RPCd; tools for MITM attacks. After installing / running / auto-updating, cSploit weighs ~ 300MB.

There is a warning on the official website that nightly assemblies may have problems, but so thats it! Attention! when the auto-update of the nightly build cSploit fails, the software works like a virus : it formats a flash drive, specifically tested the program for this behavior several times.

Declared functionality:


What works in fact:


All that is stated in cSploit a little higher, there was a place to be several thousand years ago. The software has not been updated since the middle of 2016. Metasploit RPCd is problematic and does not run on many modern gadgets. Most MITM tools are not working today. This is an example of which application should not be installed on your Android.



Kayra the Pentester Lite


11) Kayra the Pentester Lite Kayra is a Turkish development: a web application vulnerability scanner in penetration testing. It is able to scan “a wide range” of known vulnerabilities on websites. At the end of its scanning work, KtPL issues a non-robust log report.

Supported features:




Andro hackbar


12) Andro Hackbar Allah Akbar combine-application for pentester. Philippine development, created by enthusiasts impressed by the hackbar add-on for the FireFox browser.

Functional:




Droidbug SQLI Spyder


13) Droidbug SQLI Spyder - a scanner / web application scanner for SQL injection vulnerabilities; Xss attacks. In the DSS arsenal, a “encryption analyzer” [md5 / sha1 / sha256 / root13 base32-64] is declared, which operates in an astable mode.



DroidSQLi


14) DroidSQLi is an application for checking web sites for certain vulnerabilities to SQL injections.



Macchanger


15) Macchanger - an application for replacing the mac-address (device identifier on the internal network) of the wifi adapter. Regardless of Root rights or the manufacturer of the adapter, on some firmware there is no possibility of changing the mac-address. This “problem” of the BusyBox update, and sometimes the problem of those who compiled / compiled the fuck-firmware.



Arcai.com's NetCut


16) Arcai.com's NetCut is a very effective application for DoS attacks on all network users of a Wifi network, or denial of service to a specific network node, or adjustable clipping speed on specific Wifi hosts. It is possible to implement an attack on various network nodes (TV, smartphone, xbox) if you are connected to the same network. Support for monitor mode wifi-adapter from the attacker is not required.



LOIC


17) LOIC is an application for a DoS attack on a web server. Network Stress Testing: A site attack can be proxied to Orbot via Tor, but in this case, the likelihood of inadvertently “sticking your access through Tor servers” increases, and a not very explosive post-result can be obtained. Flood speed (server load speed) can be smoothly increased by increasing the size of the text field. With the same speed, the “http” attack method is more efficient, it brings down (including CPU overload) apache2 (personal VDS on Amazon) in less than a minute.

The developer has published all the source codes in the network, and promised to hide in the distant 2009, several years later he was noticed on Github-e.

I prefer, I will give an example of a successful DoS attack: Android on a web server from a local network.







WPS Wifi Checker Pro


18) WPS Wifi Checker Pro - Spanish development. An application for attacking a wifi router wifi network. The success of the attack depends on the exploited iron on the victim's side. In the case of a successful (quick) attack, a connection to the victim’s network occurs.



Hijacker


19) Hijacker is a GUI application (for testing penetration into wifi networks, paired with Nexmon and the patched kernel supports monitor mode of some internal wifi chips) Aircrack-ng, Airodump-ng, MDK3, Reaver. Software supports recording traffic in the format ".pcap"

Requirements: support by the OTG-mode device, custom kernel.

Nexmon


19.1) Nexmon is a platform for testing penetration into wifi networks, similar to Hijacker, adds / examines the possibility of translating internal Broadcom / Cypress chips into monitor mode.



Wifi password


20) Wifi password Wifi password - displays all passwords of wifi connections saved ever in the OS.

OsMoDroid


21) OsMoDroid is a Patriotic (RF) open source development, tracker application for active people. The application description (from the offsite ) is rather veiled:
“With OsMo, your family and friends will always know where you are,”
I think, there is not enough compound sentence / continuation
"But its minor functions allow you to remove the victim's ip."

Functional.
In OsMoDroid in one tap, you can generate a link, in one click - close it. Clicking on the link will display the victim's ip-address, user-agent / browser version for the attacker. When the attacker has the GPS receiver turned on, the victim will display a map with the cracker's location / movement in online mode, information about the charge of its battery will be displayed (in other words, the victim will be carried away by the information received). When the GPS is off (at the attacker) - the victim will only have information about the% battery charge and an empty map. Paired with the Fake GPS location application, you can collect the ip of your victims, replacing your real location within the globe with any dummy, and even generate a simple route.

The advantage of the application is the simplicity and plausible denial to seize the victim's ip-address.



Shodan


22) Shodan.apk - French open source development. The search engine application searches for devices connected to the network: ip cameras, network printers, routers, ATMs, rare earth metals , in order to hack them later, but this is work for the second stage and with other software. In the third phase, for example, after hacking an ip camera, you can use gDMSS lite to visualize your work.

For authorization in the application, an api-key is required, which can be obtained free of charge after registration in the search system Shodan.io (a search with such a key will be available with restrictions).



Anonymous Email


23) Anonymous Email is an Android email client for sending anonymous emails. The free version is provided to users with some restrictions: sending emails is available, without the possibility of receiving a response. A letter to the addressee is delivered without delay, the sender's address “noreply@anonymousemail.me” is indicated in the message header. The degree of anonymity of a person after sending a letter is a matter of faith. Alternative: Tor + temporary mailbox (sending / receiving letters) gives a higher degree of anonymity (faith in Tor).

Photo Exif Editor


24) Photo Exif Editor - this application allows you to forge various metadata of photos (Exif-data), or in one click to clear all the metadata of photos / albums.



Pixelknot


25) PixelKnot is a steganography application that allows you to hide the very presence of a secret message in a picture. After hiding a private message, the image to the addressee must be delivered as a “file” (for example, in instant messengers), otherwise the secret message cannot be recovered. The application was created by a reputable team with the world name Guardianproject, which develops software taking into account paranoid circumstances (including the development of “Orbot” their handiwork). Published a 0day vulnerability (found a 100% way to determine if a picture contains a secret message or not), the application has lost its meaning.


[MD5 ba46f040f21abc5135b3714b2740c982]

Orbot


26) Orbot is a proxy application bundled with Tor. Orbot allows application / browser traffic to “go” through Tor encrypted connections. Orbot, in conjunction with the browsers Orfox, Tor Browser, InBrowser allows you to maintain a high anonymity status and visit the darknet.

Inbrowser


27) InBrowser - USA development. A browser that successfully integrates with Tor. In browser testing, proof tests for anonymity, InBr. showed the best result among competitors: FirefoxFoxux browser; burst bullets dum-dum DuckDuckGo Privacy Browser.

In addition to adding a random string to the browser agent, and obfuscating the “Referer” header, InBr. It supports an interesting feature: selection / changing of a browser agent: Android-Iphone-iPad-Firefox-Chrome-IE (see screenshot). After changing the browser floorSuch a trick sites see in their logs a dummy device model. To support the status of an anonymous person, Java-scripts must be disabled in the browser. Regardless of the increased attempts at conspiracy, with Java enabled, the browser merges a unique imprint that is inherent in the current model of the gadget. If the canvas fingerprint can be reduced (by experience - changing the firmware), then webgl fingerprint is impossible (this is a separate article (draft) in terms of more than this).

From the privacy policy: “In the event of an InBrowser failure, we collect a crash log that contains limited information about the version of your application, your operating system, the configuration of your hardware, the device you are using, and some memory data” is quite acceptable today.



Openkeychain


28) OpenKeychain German development open source. Compatible with the standard Open pgp program that can work with encryption keys in full (with the exception of signatures). OK can be integrated into K-9 Mail . In this case, in letters by mail, you can transfer secret information, and before sending / reading a letter, the data is automatically encrypted / decrypted by the recipient / sender with a pgp key.

Root certificate manager


29) Root Certificate Manager - an application for manipulating Android device root certificates (export / import / delete certificate).

Hacker's Keyboard


30) Hacker's Keyboard is an excellent Android keyboard, flexible in settings, has arrows and a Tab key, which are necessary for working in Termux / ANDRAX / CLI / SSH. Klava sometimes disappears from GP .

Text Converter


31) Text Converter - this application can decode / encode text from / to base32 / 64; Ascii; Cyrillic from url and another two dozen types of encodings. The program works with barcode / QR codes, supports hashing in [MD5 / SHA1 / 256/384/512]. The hash droid hashes support twice as much.

Snoop snitch


32) SnoopSnitch is an open source app from the German research lab . SnoopSnitch is designed to test “Android security update” + test “mobile network security”.

To scan the device for vulnerabilities, you need to connect to the database on the Internet. At the end of the collection of information, and proof-test of the Android OS, the pentester is provided with a detailed report on the leakiness of the experimental device.



OONI Probe


33) OONI Probe is the development of the Tor project. The application calls itself an “open observatory of network interference”. Proof tests to the connected network will calculate the speed / quality of the line and notify the pentester about the presence / absence, including the possible degree of Internet censorship in the network. Also with the help of this application, you can discover new websites - dedicated to information security.



Network port database


34) IANA port database - British development. Application check: which port has any “official utility” and vice versa. The base is constantly maintained up to date. Analogue of the application, the command "less / etc / services" in GNU / Linux.



Network Scaner. Network Utilities. Landroid. Fing


35) Network Scaner. Network Utilities. Landroid . Fing Four combine harvesters with similar functionality.

Fast scan of the network (to the connected) for the presence of devices / intrusions (the ip / mac addresses and the names of device manufacturers are displayed).

* IP calculator. The calculation in dec / hex of the number of hosts on any subnet (.0 / 24 ... 5/32, etc.).
* Whois. Identification of the owner / company ip-address / domain name.
* DNS Lookup. Convert ip-domain name-ip. Analogue of the "nslookup" command in GNU / Linux.
* Traceroute. A utility utility designed to determine the route of packets in TCP / IP networks.
* Root Scaner. The utility for remote / local scanning of a specified range of ports of selected addresses (similar to nmap in the part of the scan, without the support of specific scripts).
* Netstat. Network monitoring utility (to connected).
* Ping. Ping a node on the network.
* Telnet. Network utility for remote terminal connection to PC.
* PublicIP. Check your public ip address / provider.
* SSL Check. Site verification: protocol version, certificate and certification authority.
* View arp-table (Landroid).
*Sniffer. До недавнего времени, в функционал входила сниффер-утилита, которая успешно записывала трафик, в том числе и запись трафика в режиме модема, в файл.pcap. По каким-то причинам разработчик урезал функционал и убрал упомянутую утилиту.



Total Commander


36) Total Commander is a file manager that can do a lot (similar to GhostCommander), including: connect to a PC (via SMB protocol); to the cloud (Google / Yandex / tp.); to a remote server to transfer files using a secure SFTP protocol.

As often happens: “A carpenter has his own gate of all is worse,” the lack of not only encryption, but also no protection against arp-spoofing. TC allows you to create a desktop shortcut with the parameters of any file in the Android OS. When creating a shortcut (/ proc / net / arp, choosing which application to use / icon for working with a file, for example QuickEdit ), an “application” will appear on the desktop. Tap in one click on the "arp-icon" allows you to check the arp-table and make sure that the boss is not attacked by a spoofing.

JuiceSSH


37) JuiceSSH is a mobile SSH client that allows you to connect to a remote server, such as Kali Linux (Amazon VDS $ 1 / year) and conduct full penetration testing from an Android device.



Reprint of his article - source
license Creative Commons Attribution ShareAlike 4.0.

Source: https://habr.com/ru/post/438308/

More articles: