From the Internet, you can collect many articles about Hacking under the ARM platform (mainly based on ARM+Android), most of which are articles about how to install Kali Nethunter on Android phones, and of course there are some articles about installing Andrax on Android. These articles simply introduce how to build a mobile device platform that can be used for Hacking, but do not describe in detail how to use such devices to implement Hacking in real scenarios. This article will introduce the content of Hacking under the Android mobile platform.
Most of the current Android devices are touch screens, which can only be operated through a soft keyboard, but many Hacking tools are based on character interfaces. From the actual use situation, the choice of equipment cannot be limited to Android phones or tablets, otherwise you can hardly complete the desired operation in a real scene. In terms of equipment selection, based on actual experience, the following suggestions are given:
The choice of a laptop is best to be light and easy to carry. Of course, you must also consider the battery and the power adapter (charger and cord), especially in the case of frequent operation. It is not recommended to choose xPad (all kinds of Pads), whether it is iPad, Samsung’s Note, or Google’s Pad, it is limited by the soft keyboard, which is really inconvenient to operate.
2. Android devices
First of all, to transform Android into a Hacking device, you must be able to root the phone, so you need to exclude the phones of Huawei, ZTE, Nokia and other brands. Furthermore, root software and Hacking platform software also have certain requirements for equipment. For example, Kali Nethunter supports Google and OnePlus mobile phones particularly well. Also, some Android phones do not support OTG or some network card driver software is reduced, so do not choose this type of phone. Therefore, the recommended Android devices are Google series phones and platforms, OnePlus phones (OnePlus 3t and previous phones are not OTG, and the entire series does not support external USB wireless network cards)
A) To build an Android device into a mobile smart “intrusion” terminal, rooting the device is an essential key step. As for the device rooting methods, it is recommended to flash in magisk to root. SuperU is not compatible with Android7.0 and subsequent versions. Apply again.
B) Kali Nethunter and Andrax are necessary systems for building intelligent “intrusion” terminals. The basic principle is to install a chroot toolkit, so that various open source Hacking tools can be run with root user authority through chroot. In fact, we can build such a toolkit by ourselves. Of course, collecting and completing software package integration is a huge workload. About the installation and deployment of the first two toolkits, you can use Google to search. Regarding Kali, it is not recommended to flash and install. Regarding Andrax, it is recommended to manually download andraxcore.tar.xz and then install it yourself. These are all experiences.
C) The biggest feature of Android devices is their portability, but just like this, its human-computer interaction and peripheral device support are relatively simple. In order to maximize its characteristics, it can be equipped with some enhanced equipment to make it even more powerful:
——WiFi network card: including the network card that can monitor through the air interface and the ordinary WiFi network card
——OTG to interface: so that the phone can support multiple external devices at the same time
——Bluetooth keyboard: If you don’t have a laptop as an interactive means and you must directly operate the Android device, then a Bluetooth keyboard is almost a perfect solution. Of course, the user experience is still not as good as the laptop.
0x02: Software platform
1. The choice of Android system
For Android system selection, if it is a Google series device, it is recommended to choose the original AOSP system. If you have ever flashed other systems, it is recommended to flash the latest system of the device provided by the official website, and then install the Hacking software system. If it is a OnePlus series phone, try to choose a device after Oneplus 3/3t (the previous device does not support OTG), and use the raw OnePlus system on the system. Of course, you can also try to flash LineageOS. As for other devices and other third-party ROMs, I don’t have time to test, so I can’t give better suggestions.
The reason why the raw system is recommended is that the raw Android system has the best device compatibility and can support more USB wireless network cards, so that wireless intrusions based on Android devices can be completed. If you choose a network card, it is recommended to refer to the FAQ on the aircrack-ng official website, which explains how to choose a wireless network card.
2. Penetration testing platform
At present, there are many Linux emulators that can run on Android devices, such as Anlinux. However, there are still relatively few integrated Linux systems that can gather various powerful tools. However, based on the popularity of the community and the evaluation of the tools, Kali Nethunter and Andrax should be regarded as the best.
This is a product launched by the Offensive Security community. It is based on the Kali Linux system. In general, it has complete community support and strong device support, but there is still a lack of effort and experimentation in software integration. Kali Nethunter can be installed by flashing, or you can install the Kali Nethunter APP first, and then download and install it slowly. Of course, to use Kali Nethunter normally, ROOT is necessary! ! !
Andrax has another name, Nethunter Killer (NH-Killer), which is indeed a Hacking platform that can compete with Kali Nethunter. The decompressed application software occupies nearly 15GB of storage space (Kali Nethunter is about 10GB). In terms of tool integrity and experience (great hacking experience), Andrax should be able to attract most Kali fans, but due to the late start of the entire project, the immature community, and the crude support, Andrax can be used as an experiment .
termux: The main function is to directly access the entire system with the root user authority of the device, such as manually decompressing the software packages of Kali Nethunter and Andrax.
sshdroid: The main function is to run the SSH server with the authority of the root user of the device (note: not the root user of the simulator), so that the entire device can be controlled remotely through SSH.
Busybox: This is one of the most familiar tools, integrating a large number of Linux commands.
Note: Whether it is Kali Nethunter or Andrax, its programs are run through chroot, so its users (whether the default normal user or root user) are only users in the emulator and cannot fully control the device, such as accessing the root of the device table of Contents.
0x03: actual operation
Intrusion based on Android devices is more done in this scenario: Limited by the location of the WiFi router and signal strength restrictions, Android devices usually have to be placed in a specific position in a specific “posture”. In this way, it will be uncomfortable to directly operate the Android device, or even impossible to operate. For example, if the phone is lying down and has a signal, the WiFi will be disconnected when the phone is picked up. Considering various situations and actual operation experience, the following methods can be adopted:
1. SSH remote control
“Kali Services” in Kali Nethunter provides the SSH opening function, and it can even be set to self-start (start when Kali is started), so that Kali can be directly operated by remote control.
In Andrax, remote control based on SSH and VNC can also be realized. However, in Andrax, you need to manually turn on the SSH service yourself. For example, “sudo service ssh start”, the default password is andrax. Of course, both the Andrax default account and root account passwords can be changed. As for Kali Nethunter, it provides the “Kali Service” function. Start SSH directly through the GUI and set it to start automatically after booting (to be precise, after opening Kali Nethunter, start by itself).
2. WiFi relay
As mentioned earlier, due to the limitation of the AP or its own location, the Android attack device may have to be placed in a “specific posture” in a “specific position”, which makes it difficult to operate directly, or even connect directly to the Android attack device via SSH. . In order to solve this problem, you can directly introduce a WiFi relay on your computer and Android attack device, which means that Android and your device join the same intermediate WiFi network, which can solve the signal problem and introduce a layer of network isolation. . Because Android generally does not support external USB wireless network cards, it is difficult to introduce WiFi relay through USB network cards, but network relay can be realized through Bluetooth. But the penetration of Bluetooth to obstacles is worse. Personally, I am still trying to solve this problem. Bluetooth network is currently a tolerable solution.
3. Bluetooth keyboard
If the device that can be carried is limited, then the Bluetooth keyboard will be a very good choice, after all, almost all Android phones have their own Bluetooth function. From the actual use effect, the Bluetooth keyboard is not as good as the SSH remote control experience, but Android can still support some common shortcut keys, such as switching tasks and displaying the desktop, which can facilitate switching between multiple shell windows and improve work efficiency. Of course, the most important thing is not to easily change the position and orientation of the mobile phone to ensure that the WiFi signal can continue to drop.
4. Shell script
Entering Linux commands and various shortcut keys quickly and conveniently on a 5-6 inch screen, and even frequently switching terminal windows (Tab), this experience is very bad, even if the Andrax is using zsh by default. After many trial and error, I chose to make a few simple shell scripts to improve ease of use and operation speed. In fact, the content of the script is very simple. Of course, no parameter checks and conditional judgments are done. After all, this is just an experiment.
Script file 1.sh, set the USB network card used for packet capture to promiscuous mode
#!/bin/bash airmon-ng start wlan1
Script file 2.sh, enable packet capture mode, monitor and record air interface data
#!/bin/bash airodump-ng wlan1mon
Script file 3.sh, monitor WiFi data on the designated channel, among which: parameter 1 ($1) represents the channel number, parameter 2 ($2) represents the BSSID of the AP, and parameter 3 ($3) represents the name of the stored capture file
#!/bin/bash airodump-ng --ivs -c $1 --bssid $2 -w ./$3 wlan1mon
The script file 4.sh executes a deauth attack between the AP and the Station, forcing the Station to re-establish a WiFi connection with the AP, thereby grabbing the handshake packet in the process. The parameter 1 indicates the number of deauth packets sent, and the parameter 2 indicates the AP’s BSSID, parameter 3 represents the BSSID of Staton.
#!/bin/bash aireplay-ng -0 $1 -a $2 -c $3 wlan1mon
These script files are very simple and do not have compliance checks such as parameter checks; in addition, there is room for further automation of the above operations. If you have time, you can write one or several scripts to realize an almost automatic WiFi handshake packet capture script.
Penetration based on Android devices is more used in IoT scenarios, which is the biggest difference from traditional Hacking. To enter the IoT network, a monitoring WiFi network card is essential. Of course, the rest is almost the same as traditional penetration testing.
1. WiFi network card
The choice of WiFi network card should be considered a big problem. I searched through google and found that it is basically Kali Linux running in VM or physical machine (note: it is not Kali Nethunter, although it is called Kali, but the name is different, the supported hardware architecture is different, and the integrated network card driver is also different ). If you only use WiFi network card on Kali Nethunter, it is recommended to read the official post first, and don’t go to Amazon to buy “Kali-supported WiFi network card”. Regarding the standard of network card selection, the official website of aircrack-ng gives a simple reference: What is the best wireless card to buy ? Of course, aircrack-ng also gives a reference: Is My Wireless Card Compatible?
The most important parameter of the WiFi network card is: the model of the chip!
2. Tool software
Wireless cracking tool
Aircrack-ng: This is the standard configuration for WiFi cracking. As for other online cracking software and apps, it is not recommended. One is that there is not so much time in a certain IoT network, and the online cracking of APP is not very cost-effective for Android devices, and the time and power costs are high. Of course, you can also use the WiFixx key to help obtain the WiFi password, which will be introduced later.
Password cracking tool
Including online cracking and ciphertext cracking.
Information gathering tools
Network scanning tool
WEB penetration testing tool
Many IoT devices such as WiFi routers, etc. provide WEB services, so doing such a web penetration test is essential.
In fact, it can be seen from the above tools that there is a close connection between Android-based penetration testing and traditional penetration testing, and of course the differences are also obvious. The above software packages provide rich software support in both Kali Nethunter and Andrax. It can be said that all commonly used software is included. You can even regard the mobile phone with Kali and Andrax as the front-end “bastion machine” for penetration testing. The backend only needs a low-profile laptop capable of running tools such as CMD or Putty.
0x05: Let’s Hacking
I use my home network to do a test and do a relatively complete case analysis to sort out the possibility of IoT intrusion based on Android devices.
1. WiFi cracking
There are three main methods of WiFi cracking: 1. Grab and crack the WiFi handshake packet. This method needs to grasp the attack time (for example, if your neighbor is not at home at night, then you grab his WiFi handshake packet at night It’s unlikely), and the distance between you and your neighbor’s WiFi router (if you both live in a villa and the two houses are separated by a few hundred meters, then you don’t want to catch his WiFi at home Handshake package). Second, use Reaver software to crack WiFi, the principle can refer to the article, but considering the router WPS frequency limit, coupled with the loss of mobile phone power, this method is not very feasible. Third, you can use APPs such as “WiFiXX Key” to help you find a shortcut to enter the IoT network. As for how to view the WiFi password saved by this type of APP, you can refer to related articles. It is worth noting that the path where the WiFi password is saved in different Android versions It is different from the file.
Specific to my home, I used the step of WiFi cracking as verification. By the way, I took a look with the “WiFiXX key”. My home WiFi was not leaked, and the neighbors around me were also very cautious.
#STEP-0: I chose to use Andrax with zsh as the attack platform
#STEP-1: Modify the network card to monitor mode
#STEP-2: Enter monitoring mode
#STEP-3: Monitor specific APs, try to find out the Station communicating with them, and implement deauth attacks.
#STEP-4: Implement deauth attacks against the selected AP and its Station. You can choose different numbers of deauth packets for repeated attempts.
I have designed a WiFi cracking library that can speed up cracking commonly used weak passwords to a certain extent. The WiFi cracking library is an important foundation for accelerating WiFi password cracking, but it also requires appropriate password cracking strategies and hardware devices that meet certain configurations.
The establishment of a dictionary database is a long-term accumulation process. On the one hand, you need to observe and think by yourself. On the other hand, you can also use some good libraries, such as many on the weakpass website.
A) Nmap scan: scan the ports opened by the gateway; scan the surviving hosts in the network segment.
B) Traditional port scanning, vulnerability scanning, brute force cracking and other operations can be implemented for different hosts/devices. There are too many good articles in this area.
C) For some IoT devices, you can find some tools on the Internet or on Github, including the aforementioned Hikpwn that specifically scans Hikvision devices and routersploit that invades routing devices.
D) The final effects that can be achieved include but are not limited to: gateway device control, DNS hijacking, JS hanging, man-in-the-middle attacks, remote code attacks, brute force cracking, etc.