Steps Toward Weaponizing the Android Platform
by zitstif on May.11, 2013, under Posts
(4/16/2015) – NOTE: THIS SOLUTION HAS BEEN KIND OF SUPERSEDED BY https://www.kali.org/kali-linux-nethunter/ , if nethunter doesn’t work for you then continue on with this post:
The mobile and tablet markets have been flooded by millions upon millions of Android based devices. I wonder if Ken Thompson or Dennis Ritchie would have ever imagined that their invention from nearly 44 years ago would have influenced the likes of the Linux kernel, Google, Apple, and beyond. We are now in a sea of Unix-like devices that can easily fit in individuals’ pockets, have multi-core processing power, and can easily access SCADA systems with a few keystrokes. There has never been a better time for pocket sized penetration testing devices.
In this article I will be covering ways that one can turn their Android based device into a powerful pocket sized penetration testing tool. If you’re looking to do wireless sniffing or packet injection with your Android based device, this article will be of little help. (If interested please see this, this, this, this, and this.) To do so, one needs a specific Android device that supports OTG, with a custom ROM, and you’ll most likely need an external USB wireless adapter. (Honestly, if you’re looking for a device for cracking WEP keys without any external USB wireless adapters, then I still highly recommend the Nokia N900.)
(NOTE: If you’re strictly looking to do wireless sniffing, there is AndroidPCAP which I have tested with my Nexus 7 and a RTL8187 based wireless USB adapter.)
Firstly, before progressing towards weaponizing your Android device, please take the time to back up any vital information. Have a look at this. The reason is that you’ll need to root your Android based device, and depending on your device and the method of rooting, rooting it and unlocking the bootloader can wipe it.
Setting up Kali Linux ARM Chroot on your rooted Android based device that has about 6GB of free space
1.) Install BusyBox
2.) Install Terminal Emulator
3.) I created a Kali Linux ARM IMG that one can easily mount and it can be downloaded here:
http://goo.gl/qmGle
https://archive.org/details/Kali.nogui.armel.zitstif.chroot.482013
kali.nogui.armel.zitstif.chroot.482013.7z
md5: d60c5a52bcea35834daecb860bd8a5c7
sha1: f62c2633d214de9edad1842c9209f443bcea385d
kali.img
MD5: be61799f8eb2d98ff8874daaf572a1d5
SHA-1: f9c6a820349530350bbb902d17ae6b4a5173937c
NOTE: This image gives you about 2GB of free space in the environment to play with so use with care.
4.) Extract the 7z file and make sure that there’s a folder in this following location: /sdcard/kali
5.) In this folder you should have a shell script named ‘kali’ and the ‘kali.img’ image file.
6.) To mount the kali.img file as root do this: sh /sdcard/kali/kali
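Step 6 runs a downloaded script as root against a downloaded image, so it is worth checking both files against the digests from step 3 first. The following is an added example, not the author's 'kali' script; the function names and the archive location under /sdcard are assumptions, and the digests are the ones published above.

```shell
#!/bin/sh
# Added example (not the author's 'kali' script): check the downloads against
# the MD5 and SHA-1 values published in the post before mounting as root.
# Assumes md5sum, sha1sum, awk and tr are on PATH (BusyBox ships all four).

# check_digest TOOL FILE EXPECTED -> 0 match, 1 mismatch, 2 file unreadable
check_digest() {
    tool=$1; file=$2; expected=$3
    [ -r "$file" ] || return 2
    # The first field of md5sum/sha1sum output is the hex digest.
    actual=$("$tool" "$file" | awk '{print $1}') || return 2
    # Compare case-insensitively; published digests may be upper or lower case.
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# verify_file FILE MD5 SHA1 -> 0 only when both digests match
verify_file() {
    check_digest md5sum "$1" "$2" || return 1
    check_digest sha1sum "$1" "$3" || return 1
}

# verify_kali ARCHIVE DIR -> checks the .7z and the extracted DIR/kali.img
# (ARCHIVE and DIR are caller-supplied paths; digests are the post's values)
verify_kali() {
    verify_file "$1" \
        d60c5a52bcea35834daecb860bd8a5c7 \
        f62c2633d214de9edad1842c9209f443bcea385d ||
        { echo "archive does not match published digests" >&2; return 1; }
    verify_file "$2/kali.img" \
        be61799f8eb2d98ff8874daaf572a1d5 \
        f9c6a820349530350bbb902d17ae6b4a5173937c ||
        { echo "kali.img does not match published digests" >&2; return 1; }
    echo "archive and kali.img match the published digests"
}

# Usage on the device, gating step 6 on the result (archive path is assumed):
#   verify_kali /sdcard/kali.nogui.armel.zitstif.chroot.482013.7z /sdcard/kali \
#       && sh /sdcard/kali/kali
```

The goo.gl link is a redirect, so these digests are the only thing on the page that ties a download to the image the author built.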
Optional: If you want Terminal Emulator to open up and go directly to the chroot environment do as follows:
1.) Open up Terminal Emulator
2.) Go to preferences
3.) Tap on Initial Command
4.) Enter this: su -c "cd /sdcard/kali && sh kali"
Now if you tap on Terminal Emulator, you’ll go directly to your Kali chroot environment. If you want to leave the environment and back to the Android command line, simply type exit.
Optional: If you want to access files from /sdcard/ from your Kali chroot environment, one way is to have an OpenSSH server on your Android device that listens on all interfaces. Then under your chroot environment do: mkdir /media/sdcard/ and then connect to your ssh server on your loopback interface to store the ssh key. Then you could use a script like this in your chroot environment (or even edit your .bashrc file to run it automatically):
http://zitstif.no-ip.org/mountsdcard.py #You’ll need to edit the username and password appropriately for your situation.
I should warn you that this Kali image is not setup with the idea of using a window manager or really any GUI tools. In my humble opinion to take advantage of Kali Linux, you don’t need a GUI. Using the terminal to access tools like nmap, netcat, w3af_console, sqlmap, xsser, and metasploit will be sufficient to get one started on their penetration test.
Once you’re in the Kali Linux chroot environment, please do the following:
apt-get update && apt-get upgrade && msfupdate
In addition to setting up the Kali Linux chroot environment, here is a list of other tools, with a quick description of each, that I recommend you install:
2X Client – Remote desktop client
AndFTP – ftp/sftp client
androidVNC – vnc viewer client
AndSMB – Android Samba client
AnyTAG NFC Launcher – Automate your phone by scanning NFC tags
APG – OpenGPG for Android
CardTest – Test your NFC enabled credit cards
Checksum – basically a GUI tool for md5sum and shasum tools
ConnectBot – powerful ssh client
DNS Lookup – perform DNS and WHOIS lookups
Dolphin Browser – a browser that easily allows you to change your UserAgent
DroidSQLi – automated MySQL injection tool
dSploit – Android Network Penetration Suite
Electronic Pickpocket – wirelessly read NFC enabled cards
Exif Viewer – shows exif data from photos and can remove this information
Fast notepad – simple but useful notepad application
Find My Router’s Password – title explains it all (mostly for default passwords)
Fing – very similar to Look@LAN tool for Windows
Goomanager – see link for more information
Hacker’s Keyboard – Miss the easily accessible CTRL key? This app is for you
HashPass – translate text into hashes
Hex Editor – a very usable hex editor for Android
inSSIDer – wireless network scanner
intercepter-NG – multi-function network tool, sniffer, cookie intercepter, arp poisoner
IP info Detective – find out all sorts of info on an IP address
IP Webcam – turn your Android device into an IP security camera
Network Signal Info – basically a graphical tool for iwconfig
NFC Reader – used for reading various NFC technologies including some keycards
NFC ReTAG – Re-use/recycle write protected NFC Tags such as hotel key-cards, access badges, etc
NFC TagInfo – another NFC reader
OpenVPN Connect – open vpn client
Orbot – tor on Android
Packet Injection – poorman’s GUI version of scapy
ProxyDroid – use your socks5 proxy with this application
Root Browser – great file manager for Android
Routerpwn – test how secure your router is
SandroProxy – kind of like Webscarab
Secret Letter – a poorman’s steganography tool
SSHDroid – openssh server for android
Supersu – manage what programs access root functions
Teamviewer – remotely control Windows, OSX, and Linux based systems
Terminal Emulator – no explanation needed
tPacketCapture – packet sniffer that doesn’t require root
VirusTotal Uploader – test your malicious payloads
Voodoo OTA RootKeeper – maintain root access even after updates
Wifi File Transfer – access files on your phone from a web browser via an http server
WifiFinder – simple wireless scanner
WiGLE Wifi wardriving – wardriving/warwalking application
Of course this is probably not complete, but I believe this is a very good suite of tools to get one started. If you can think of any more tools or if you have any suggestions, please feel free to leave a comment below.
September 1st, 2013 on 2:21 am
Hi there. Yours is a very nice and detailed post. However, i keep getting a “ioctl LOOP_SET_FD failed: Device or resource busy” error after launching the script. Tried on a Samsung Galaxy S2 equipped with CyanogenMod 10.1-20130813-NIGHTLY-i9100 (Android 4.2.2). Any clues?
September 3rd, 2013 on 1:33 pm
You’ll have to edit the mounting shell script ‘kali’. Try using a different loop location. Look at this script for ideas:
http://pastebin.com/8gstgtjF
Also, look at this:
http://superuser.com/questions/567044/ioctl-loop-set-fd-failed-device-or-resource-busy
January 12th, 2014 on 2:55 pm
Can I install it without a wifi connection? I downloaded the image from my computer and put it on my internal memory.
January 14th, 2014 on 1:39 pm
Yes, you can do it that way. Make sure this exists though: /sdcard/kali with the appropriate files inside this directory. You could also customize it to your liking as well.
May 30th, 2014 on 12:50 am
PLEASE SIR I REALLY NEED YOU AS A MENTOR,I WOULD LIKE TO CONTACT YOU VIA EMAIL…is it possible??
June 17th, 2014 on 2:12 pm
hi sir
can i ask you something?
how could i get a complete gui interface with this pentest OS
cause i was able to acess a gui interface on backtrack 5 on my samsung galaxy s2 but now i cant get it
any way i was using android vnc to do that
any help sir please
sorry for my bad english
June 17th, 2014 on 11:33 pm
You will have to install the GUI components such as Gnome, Xfce, or KDE. I left these out due to their size. The vFat file system has a limited file size of about 4 GB. Feel free to install them if you would like but I warn that you may run out of disk space in your chroot environment.
August 1st, 2014 on 3:28 am
Hi, I followed ur instructions but cannot get the vnc started it says ” vnc connection failed! locahost/127.0.0.1:5901-connection refused. What is the password ?
Thanks
August 3rd, 2014 on 10:24 pm
I didn’t install vnc server or any window/GUI system. Which means that if you try running it and then connecting to it via a vnc client it won’t work. You’ll need to install a window management system and vncserver. However, I can’t recommend doing this because exFAT has file size limitations and you may run out of space with this image.
August 5th, 2014 on 8:19 am
Do you know how to use dsploit in monitor mouse or how to use the external USB as main in the android? ( I mean like wlan0 and wlan1 considering 0 as the internal and 1 as the external).
He is only getting the internal one and I would like it to pick my awus36h (wlan1) or tplink instead…
August 7th, 2014 on 12:08 am
Fernando, have a look into this:
https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=pwnpad%20community%20edition
For an external wireless adapter to work your Android based device will need to support OTG (push 5 volts through a microusb connection).
Pertaining to your dsploit issue, I would contact EvilSocket:
https://github.com/evilsocket
August 9th, 2014 on 11:15 pm
Hello, very nice tutorial. I have a problem if you could help me, I bought a tenda w311m adapter and I tried installing it and I can’t. In the terminal I type lsusb and it gives me unable to initialize libusb -99. I connect via OTG a memory stick and it doesn’t find it. I really don’t know what to do. Please could you help me? Thank you so much.
August 12th, 2014 on 12:10 am
Take a look at:
https://superuser.com/questions/698007/lsusb-unable-to-initialize-libusb-99
August 23rd, 2014 on 12:42 am
Hello, I need your help. I have downloaded the Kali Linux img and using it in my PC. Can I use the same img for android also or I’ll have to download this version which you have mentioned. If I can use the same img which I used to install in my PC, then I’ll have to follow the same steps which you have mentioned here or I’ll have to use some other steps. Kindly help me with the detailed solutions. I really want to use Kali in my Android. I have already rooted my device.
August 26th, 2014 on 12:20 am
You will need to download the mentioned version or build your own using Linux installer. (Granted there may be another way but I haven’t looked into it). Chances are, you can’t use the Kali Linux img from your PC because your PC is most likely x86 or x64. For a majority of Android based devices you will need an ARM version.
Look at this: http://www.brighthub.com/computing/hardware/articles/107133.aspx
I hope I have pointed you in the right direction.
October 21st, 2014 on 4:28 am
could you please give a video demo
October 21st, 2014 on 9:50 pm
(I’m making an assumption that you may need a video demo and/or tutorial getting the chroot environment running/setup.)
For this part, look at some of these videos:
https://www.youtube.com/results?search_query=chroot+backtrack+5+android
But instead of using a Backtrack 5 img file, you would be using the Kali Linux img file that I’ve provided by using hosting on archive.org.
February 24th, 2015 on 5:48 pm
Forgive my ignorance (and the necroing of a thread that’s several months old), but I was under the impression that one of the best tools for pentesting wifi networks was aircrack-ng, which actually comes with a full desktop install of Kali. Is there a reason you left it out? Is it something that only works on certain hardware configurations? And given that, what might an alternative be?
February 24th, 2015 on 6:16 pm
I left aircrack out due to the fact that most Android based phones don’t easily support monitor mode or packet injection using the internal wireless interface. Alternatively, if your phone supports OTG you can use an external USB wireless adapter to achieve monitor mode and packet injection. At this point if you want to use aircrack to the full extent on an Android based phone please see:
http://zitstif.no-ip.org/?p=1023
Now if the Android hardware platform wasn’t diverse like the Nokia N900 hardware platform, in my humble opinion someone would’ve developed software to enable monitor mode and packet injection on Android based devices without an external wireless device being needed a while ago. But there are oodles of manufacturers making Android based devices with different chipset based wireless interfaces.
April 16th, 2015 on 1:26 am
How did you compile a custom image any tutorial to do so even I wanted to build a img file and one more issue I tried booting a linux arm image through this script it was kali only but couldn’t attach the loop device to it can you help me?
April 16th, 2015 on 9:21 pm
Have a look at this:
https://www.kali.org/tutorials/kali-linux-android-linux-deploy/
That’s what I used to build the kali.img file.
February 14th, 2016 on 3:47 pm
cant update my kali….since I cant see my source list please help
February 15th, 2016 on 10:45 pm
Your sources.list file would be located in the chroot environment (so inside kali.img) at /etc/apt/sources.list.
June 12th, 2016 on 10:36 am
Hello, can you explain a bit more in detail how to “to access files from /sdcard/ from your Kali chroot environment” because I wanted to replace sources.list so I can update 🙁