Hands-On Penetration Testing with Kali NetHunter

Chapter 1. Introduction to Kali NetHunter

Hacking is an interesting topic of discussion for lots of people, whether they work in the field of cybersecurity or are simply interested in learning the details of how it’s done. Often, TV shows and movies incorporate hackers into the plot. Some TV shows, fictional or non-fictional, are solely based on hacking, notable one being Mr. Robot. In the show, a young man orchestrates and executes various cyberattacks on multiple organizations using real-world techniques.

Many TV shows and movies often show a hacker using a mobile or other handheld devices to infiltrate a target network. This begs the question: is hacking from a mobile device, such as a phone, possible? The answer to this question is yes. We are surrounded by so much technology and so many smart devices. Imagine using your smart device to test a network or system for vulnerabilities and perhaps exploit it; this would definitely be very cool.

In this chapter, we will be covering the following topics:

Introducing Kali NetHunter
The Android platform and Security model
Installing Kali NetHunter

What is Kali NetHunter?

To begin this section, let’s a take a walk through the history and evolution of the most popular penetration-testing Linux distribution, Kali Linux. Before the ever-popular Kali Linux, there was its predecessor, known asBacktrack. Backtrack was created by two merger companies,Auditor Security CollectionandWhax, back in 2006. The Backtrack operating system was in the form of a live CD and live USB bootable media, which allows a penetration tester, systems administrator, or hacker to use any computer that supported booting from CD/DVD and/or USB drives. Since Backtrack is a Linux-based operating system,live bootsimply made any computer into a hacker’s machine on the network.

In 2011, Backtrack evolved into its latest version, known as Backtrack 5. At this time, Backtrack included many tools and utilities that helped penetration testers to do their jobs.

Some of the tools within Backtrack 5 include the following:

Metasploit: A famous exploit development framework created by Rapid7 (www.rapid7.com).
SAINT: A renowned vulnerability-assessment tool developed by SAINT Corporation (www.saintcorporation.com).
Maltego: An information-gathering tool created by Paterva (www.paterva.com), which takes advantage of data-mining techniques using various resources on the internet.

In 2013, the Backtrack distribution went through a major change; all support had ended while evolving into the Kali Linux penetration-testing Linux distro we all know today. The creators of Kali Linux, Offensive Security (www.offensive-security.com), completely redesigned Backtrack from the ground up, making it Debian-based. The Kali Linux penetration-testing platform comes with over 600 pre-installed tools that can assist penetration testers, security engineers, or forensics personnel in their duties.

Kali Linux was originally designed to run on computer systems similarly to its predecessor, whether Live Boot (CD/DVD or USB) or installed on the local hard disk drive. In 2014, Offensive Security, the creators of Kali Linux, released Kali NetHunter. This platform was released for Android-based devices, which opened up greater opportunities for penetration testers around the world by removing the restriction of using a desktop or laptop computer to test target systems and networks.

Kali NetHunter allows penetration testers to simply walk around with an Android-based device, such as a smartphone or a tablet. Imagine how awesome it would be to be assigned a security audit on a client's systems, specifically their wireless and internal network, and all you need to carry out the audit is a smartphone.

An example scenario for using NetHunter for penetration testing is auditing wireless security and testing the security for any bring-your-own-device (BYOD) policies within an organization’s network. Being able to conduct penetration testing through a handheld device is important as wireless security configurations have the most security vulnerabilities for a network.

At times, a technician may deploy a wireless router or an access point (AP) on a network while leaving the default configurations, which included default or factory-assigned passwords. During the course of this book, we will take a look at various methodologies for performing a penetration test using Kali NetHunter and how to utilize the arsenal of tools that are available to execute a successful penetration test against a network and system.

Tools within Kali NetHunter

The Kali NetHunter platform has additional resources not available in Kali Linux. These additional resources are powerful tools in the hands of a focused penetration tester.

MAC Changer

The name of this utility says it all: it can change the media access control (MAC) address of a device's network interface card (NIC) to either a randomized value or a specific address defined by the tester. The MAC Changer on Kali NetHunter has an additional capability of changing the device’s hostname. This can be a very useful feature that can aid a penetration tester in a social-engineering attack:

The MITM framework

A man-in-the-middle (MITM) framework of tools and utilities is used when performing all MITM attacks on a network. A MITM attack is when a hacker sits between the victim and another device, such as the default gateway to the internet. The intention of the attack is to intercept all traffic along the path. Looking at the following diagram, all traffic from the PC that is intended to go to the internet which is supposed to be sent directly to the router (default gateway) is indicated by the top arrow. However, with an attacker on the network, they are able to trick the victim's PC into thinking the attacker's machine is now the router (default gateway) and tricking the router into believing the attacker's machine is the PC:

It’s a penetration tester’s powerhouse. Some of its features are key-logging, address resolution protocol (ARP) cache poisoning attacks, spoofing, and SSL stripping attacks using the SSLStip+ feature. The following is the main window of the MITM framework on NetHunter:

Swiping across on the right, you'll encounter another section, Spoof Settings, which will allow a penetration tester to easily execute an MITM attack on a network:

HID attacks

A Human Interface Device (HID) attack converts a Kali NetHunter device, such as a smartphone with on-the-go (OTG) support, into a pre-programmed keyboard. If a penetration tester uses an OTG cable to create a physical connection between the Kali NetHunter device and a target computer, NetHunter has the capabilities of creating an attack vector. The vector uses a combination of the phone’s hardware and software to create a pre-programmed keyboard. The purpose of the pre-programmed keyboard is to inject script attacks into the target system.

Note

According to the official documentation on Kali NetHunter, USB HID attacks are only available on Teensy devices. Teensy devices can be found at https://www.pjrc.com/teensy/.

DuckHunter HID

The USB Rubber Ducky was created by the team at Hak5 (www.hak5.org). It was intended to inject payloads of over 1,000 words per minute into the target device. Kali NetHunter allows a penetration tester to write custom or use existing ducky scripts and simply use the DuckHunter HID attack features to convert ducky scripts into the NetHunter HID attack format.

Note

To create payloads for the USB Rubber Ducky, please visit https://ducktoolkit.com/ for more information.

Kali NetHunter supports the conversion of USB Rubber Ducky scripts in the NetHunter’s HID attacks. What is the USB Rubber Ducky? The USB Rubber Ducky is a keystroke-injection hardware-based tool that looks like a USB flash drive.

The following is a picture of a USB Rubber Ducky. As we can see, the ducky has a motherboard with a removable microSD memory card. The USB rubber ducky receives power when it's inserted into a USB port on a computer. Upon receiving power, the firmware on the ducky's motherboard checks for any payload that may be residing on the microSD memory card. Regular USB thumb drives do not support modular form factor, so a USB thumb drive does not allow a user to expand or replace the flash storage with a microSD card:

BadUSB MITM attacks

By now, you've probably noticed that there are some amazing HID- and USB-based attacks on the Kali NetHunter platform. The BadUSB MITM Attack allows a penetration tester to simply use an OTG cable to create a physical connection between a victim's computer and the NetHunter device. Once a connection has been established, all network traffic leaving the victim computer will be sent to the NetHunter device:

This type of attack is called a man-in-the-middle (MITM) attack as the NetHunter device implants itself between the victim's computer and the internet or any other network it is transmitting data on.

The MANA Wireless Toolkit

Even if you are starting out in penetration testing, you've probably heard about a wireless security auditing framework called Aircrack-ng. The features of MANA Wireless Toolkit on Kali NetHunter are similar to those of Aircrack-ng. MANA can create an evil-twin access point and perform an MITM attack.

Note

An evil twin is an unauthorized AP implanted in an organization by a hacker. The goal is to trick unaware employees into establishing a connection and transferring sensitive information across the network. Using an evil twin, a hacker will be able to intercept and reroute users' traffic easily.

This tool allows a penetration tester to configure the following when creating an evil twin:

Basic Service Set Identifier (BSSID): The BSSID is the media access control (MAC) of the wireless router or the AP.
Service Set Identifier (SSID): The SSID is the name of the wireless network as seen by laptops, smartphones, tablets, and so on.
Channel: The channel is also known as a wireless band on the spectrum.

Software defined radio

The Software defined radio (SDR) feature allows the penetration tester to combine the use of a HackRF device (a physical component) and the Kali NetHunter Android device using various wireless radio frequencies and space. SDR hacking allows a malicious user to listen on radio frequencies, allowing them to intercept police scanners, aircraft radio transmissions, and so on.

Network Mapper

A penetration tester's toolkit wouldn't be complete without the popular network-scanning tool Network Mapper (Nmap). This is known as the king of network scanners as it does way more than typical network scanners. Scanning allows a penetration tester to profile a target, it helps to identify the operating system as well as open and closed ports, detect vulnerabilities, determine the service versions of running applications, and a lot more.

The following are the options provided using the Nmap Scan menu on the NetHunter app:

NMap has quite a few benefits:

Can determine the target’s operating system
Detects TCP and UDP ports
Detects service versions by performing banner-grabbing
Detects a target device's vulnerability to various exploits and malware
Can use decoy features to reduce the chances of detection

The Metasploit Payload Generator

One of the most challenging phases in penetration testing is the Exploitation or the Gain Access phase. Sometimes a penetration tester may use an existing exploit within the Metasploit Framework (MSF); however, if the target system is patched to prevent such an attack, the exploit will most likely fail. Within the MSF is the msfvenom payload-generator utility, which allows a penetration tester to create customized payloads.

The Metasploit Payload Generator allows a penetration tester to easily create payloads using the following options:

Output type such as ASP, Bash (.sh), PHP, Powershell (.ps1), Python (.py), Windows (.exe), and so on. This feature allows a payload to be crafted for a specific platform.
Set both the IP address and Port number.
Payload options can be the default MSF format or the command prompt (CMD).

The following is the interface for the Metasploit Payload Generator on Kali NetHunter, we can see the various options available to us and how simple it is to create a payload using this application. Upon completion, the payload can be sent to our local storage on our Android device or to an HTTP address:

The created payloads can be in the following form:

Reverse or Bind: The victim's terminal (shell) is sent back to the attacker when compromised, this is known as a reverse connection. A bind shell happens when an attacker successfully compromises a target system, a shell it automatically obtains.

Staged or stageless: In a stage payload, the exploitation happens in stages. The attack sends an initial payload to the target system; once compromised, the remainder of the payload is downloaded onto the victim's system. In a stageless payload, a single payload is crafted with all of its functions and is sent to the potential victim.

Searchsploit

A penetration tester may sometimes require a known, working exploit to attack a specific vulnerability on a target system. Exploit-DB (www.exploit-db.com) is a popular exploit repository maintained by the team at Offensive Security (www.offensive-security.com). Exploit-DB contains many exploits developed and tested by its community, including penetration testers and vulnerability researchers in cybersecurity.

The searchsploit tool allows a penetration tester to simply search and download exploits directly onto their Kali NetHunter device. The tool queries the Exploit-DB official repository for any search parameters entered by the user. Once the exploit has been downloaded, the penetration tester can deliver the payload as is or customize it to suit the target:

Note

The full manual on SearchSploit can be found at https://www.exploit-db.com/searchsploit.

The Android platform and security model

Android is a popular mobile operating system that is based on a modified version of Linux. Another benefit is being open source, which gives developers and enthusiasts the opportunity to create custom applications and modifications on Android. Being Linux-based has many benefits, such as running various Linux-based tools and utilities.

At that time, there were many competitors in the market, some of these were Hewlett-Packard (HP) who used the WebOS operating system on their devices, Apple’s iOS, Microsoft’s Windows Phone operating system, Blackberry’s Research in Motion (RIM) operating system and Symbian OS which was used on some first generation phone manufacturers such as Nokia.

The Android architecture

Like all operating systems, Android's architecture can be viewed in layers, which include all the components of the architecture, as we can see here:

The Application layer

The Application layer contains the applications of the mobile device. These applications include the browser, dialer, contacts, clock, and alarm, which are usually displayed on the home screen.

The Application Framework Layer

The Application Framework layer allows Android-based applications, such as the dialer, to interface with the application framework, which in turn manages the basic mobile functions for resource and voice-call management.

The following components reside within the application framework of the Android operating system:

Package Manager: Keeps tracks of currently-installed Android-based applications.
Activity Manager: Handles the life cycle of all the running applications on the device.
Content Provider: Allows the sharing of data between applications.
Telephony Manager: Responsible for establishing, maintaining, and terminating calls on the device.
Location Manager: Manages location features such as Global Positioning System (GPS).
Resource Manager: Responsible for the type of resources used in an application on the device.
Notification Manager: Displays notifications and alerts on the device’s screen.
Java API Framework: Allows developers to create applications written using the Java programming language. The frameworks allows the Android operating system to execute these applications.

Android Libraries

Android uses a native library written in C and C++, which is responsible for handling various data types in the mobile operating system.

Here are some of the libraries it uses:

Media Framework: Responsible for providing various types of media codecs that allow both recording and playback of all media types, such as MP3 and WAV.
SQLite: A database that is used in Android-based devices for data storage.
OpenGL/ES & SGL: Handles the rendering of computer graphics both in 2D and 3D on the device’s screen.
WebKit: Responsible for displaying web pages by using the web browser’s engine.

Android Runtime

Android Runtime (ART) allows each individual app to execute within its own process and instance, just like virtual machines on a desktop. ART is designed to run these "virtual instances/machies" on low-memory devices such as smartphones and tablets.

Kernel

Most importantly, we must not forget about the brain behind the Android operating system, the kernel, which is responsible for interfacing with the hardware components of the handheld device. Android is based on the current longterm-support kernel of the Linux operating system. During the development of Android, the Linux kernel was modified to better fit the needs and functions of a mobile operating system. One of the modifications on the kernel prevents a user from installing original Linux packages on the Android platform.

The Android security model

To better understand Android's security posture, we are going to take a look into the security model behind Android. We'll look at how Google and the Android team take the extra steps needed to protect the ecosystem of Android devices and their users.

Securing an open source operating system has its challenges, and Android uses a multi-layered security system to protect its users and the platform. Each Android device usually has a set of security services provided by Google, let's look at some of them.

Android Device Manager

Android Device Manager is both a web application and mobile app that can be used to track your Android smartphone or tablet. It can play a sound, secure the device by remotely applying a lock screen, remotely sign out your Android device from your Google account, display a message on the lock screen, and remotely erase the device if stolen.

To access the features of Android Device Manager, simply visit the Google Play Store either on your computer or use the Google Play app on your smart device and search for Android Device Manager or Google Find My Device, as shown in the following screenshot:

Once logged in, you’ll see all the features available:

SafetyNet

SafetyNet protects Android-based devices from security threats, such as malicious URLs, any potentially harmful apps, and malware infections, as well as detecting whether the device is rooted. It protects users by continuously monitoring applications and services for any threats on the device.

Verify applications

The Android operating system can detect when harmful applications run on the device or attempt to install themselves on the device. This feature will either notify the user or automatically prevent the application from executing on the device. This feature utilizes the functions of Google Play Protect, which periodically scan the applications currently installed on a device and those that a user is attempting to install for any signs of being malicious. This feature exists within Android's operating system security.

Google continuously monitors applications; if an application is detected to be malicious, a notification is presented on the screen of the Android device that encourages the user to uninstall it. This ensures the security and privacy of Android users are maintained.

Application services

The Application service allows Android-based applications that are locally installed on the device to utilize cloud-based services and features. An example of a cloud-based service and feature is the data backup. An example of Application services is the Backup and Reset feature within the Settings menu of an Android Device. With the permission of the user, Android can back up its settings to a Google Device automatically, so in the event of a factory reset on a device, the configurations can be restored easily. Additionally, the Application services always have many Android apps to support cloud backup and restore functionality.

Android updates

This feature is responsible for checking and retrieving Android updates for new software versions. These updates are usually created by the Android development teams. Smartphone manufacturers can modify the updates to suit their devices and deliver it to various devices using over-the-air (OTA) updates or post it on their support pages, which will allow users to manually download and update their device.

Updates are very important for a device's security. Updates are usually rolled out to add new features and fix any security vulnerabilities on an operating system. Android has security specific updates that are modular, therefore providing smartphone manufacturers with the flexibility to push security updates much faster while taking more developmental time over updates that aren't as high a priority.

The Google Play Store

The Google Play Store is the official Application (apps) store for Android devices. The Google Play service provides licensing verification for purchased applications via the Google Play Store and performs continuous security scanning for malicious applications.

Google Play Protect

Google Play Protect is a mobile threat-protection service created by Google for Android. This service consists of built-in malware protections that use machine leaning techniques and algorithms designed by Google.

The following is a screenshot of the Google Play Protect screen on an Android smartphone; it displays two features that can be manually enabled or disabled by the user:

As we can see, Google Play Protect will periodically scan the local device for potentially harmful applications and threats. Therefore, user intervention is not needed – the process is automated for us.

Installing NetHunter

Kali NetHunter was originally created for Google Nexus devices such as the Nexus 4 and Nexus 5 smartphones and the Nexus 7 and Nexus 10 tablets. It was later expanded to the OnePlus One smartphone, which Offensive Security stated is the preferred phone form factor NetHunter device. As of this writing, Kali NetHunter is supported on a variety of devices from various manufacturers, such as Google, OnePlus, Samsung, LG, HTC, and Sony. Let's look at how to install Kali NetHunter on an Android device (before installing Kali NetHunter on your device, whether it’s a smartphone or tablet, please check the list of supported devices at https://www.offensive-security.com/kali-linux-nethunter-download/ or the list of supported devices and ROMs at the Offensive Security Kali NetHunter GitHub repository at https://github.com/offensive-security/kali-nethunter/wiki):

Download an official release of Kali NetHunter for your device from https://www.offensive-security.com/kali-linux-nethunter-download. The downloaded file should be zipped. Ensure you verify the hash values before proceeding. If the hash value does not match, do not use it. If you would like to create a custom build of Kali NetHunter, please see the Building Kali NetHunter for a specific device section.
Unlock your Android device. When installing Kali NetHunter on an Android device, the installation takes place on top of the Android operating system. Please ensure the necessary Android drivers are installed and configured on your computer prior to executing the following steps. To do this, ensure you have a copy of Android Studioinstalled on your computer. This software can be found athttps://developer.android.com/studio. Android Studio will ensure the device drivers are properly installed and are compatible.

Set your device to Developer mode. Navigate to Settings | About and tap on the Build number a few times until you see a notification that says that the developer mode has been enabled.
Go to Settings | Developer optionsand enable both theAdvanced rebootand Android Debuggingoptions:

Root your device (applicable to Nexus and OnePlus). If you’re using a Nexusdevice, you can use theNexus Root Toolkit (http://www.wugfresh.com/nrt/). The root toolkit is anall-in-onetool for installing device drivers, unlocking you device bootloader, and installing a custom recovery such asTeam Win Recovery Project (TWRP):

Select the Initial Setup option, Full Driver Installation Guide, and follow the installer wizard.
Unlock the bootloader if your device is not unlocked. This process will wipe your entire device. Please be sure to create a backup of your device before executing this step.

Let's root your Android device. Click on Root. If you’re using a Nexus, you'll see a checkbox on the screen next to Custom Recovery, ensure you unselect it.

Your device will reboot automatically. To verify your device has been rooted successfully, you should see within your device’s menu a new icon/app named SuperSU. Opening the app will verify the status of your device, whether root access is granted or not.

Note

For OnePlus devices, there is specific rooting tool made just for this device, it's known as Bacon Root Toolkit (http://www.wugfresh.com/brt/). Additionally, the team at Offensive Security has provided a detailed procedure on installing Kali NetHunter using Windows and Linux. The guide can be found at https://github.com/offensive-security/kali-nethunter/wiki/Windows-install. If you’re using Linux, please visit https://github.com/offensive-security/nethunter-LRT.

Go to the Google Play store and install the BusyBox application:

Install the TWRP Manager app. You can also install TWRP using a downloadable APK from https://twrp.me

Once both applications are installed, open each to ensure they are functioning fine. If superuser permission is required, simply select grant or allow.

Copy the Kali NetHunter image and paste it in the root directory of the device. It’s time to install the custom recovery.
Open the TWRP Manager app and select the Recovery Version to Install option. To begin the installation, click on Install Recovery.
Reboot the device from the options provided:

Click on Install and select the Kali NetHunter image ZIP file within the directory. At this point, the custom recovery will flash Kali NetHunter onto your device and reboot automatically.

Building Kali NetHunter for a specific device (optional)

Many smartphone manufacturers, such as OnePlus, Samsung, Google, and LG, produce a variety of phones every year. You may be wondering, Do I need to purchase another Android-based smartphone to host the Kali NetHunter platform? The answer is simple: you do not. One of the benefits provided to us is the ability to build a custom version of NetHunter for our Android device. In step 3, you'll be able to choose the type of device and the version of Android your smartphone is currently running; this is to ensure the output file is compatible with your Android phone.

If you would like to build your own Kali NetHunter image from the official GitHub repository, use the following steps:

Download the repository using the git clone https://github.com/offensive-security/kali-nethunter command:

Ensure you change the directory to the new folder using the cd kali-nethunter/nethunter-installer command. Next, run the ./bootstrap.sh command on the Terminal. There will be an interactive prompt that asks some questions before it attempts to download any of the device's folders on your system:

Use the python build.py –h command to view the options available for building a custom Kali NetHunter image for your device:

To build an image, we can use the python build.py -d <device> --<android version> syntax.

If you want to build Kali NetHunter for a Nexus 7 (2013) device running Android Kitkat, you can use the python build.py –d flo –kitkat command.

When the build is complete, the output will be a .zip file that is stored in the nethunter-installer directory. Simply copy the .zip file into the root folder of your Android device as it will be required to move into Kali NetHunter.