Learning zANTI2 for Android Pentesting: Dive into the world of advanced network penetration tests to survey and attack wireless networks using your Android device and zANTI2

Android uses a Linux core since it's a Linux-based OS. Since Linux is very flexible, we can do nice things to it, not in terms of changing live wallpapers, rather about permissions: root permissions, to be precise. Heard about them? Probably yes, as you're going to need these for pentests.

The fact that your Android device is rooted may actually be caused by an exploited vulnerability in the OS. If you've ever tried to root your device running Android 2.3 Gingerbread, you've probably heard about GingerBreak software. This application ran an exploit that tried to obtain root. When succeeded, the exploit then remounts the system as R/W and runs an installer script to do the job. Superuser binary is installed, along with the well-known superuser app, and it reboots the system. Boom, easy. Most one-click root apps work like this by exploiting a vulnerability that leads and provides better access to the system.

Besides root access, you'll need the Swiss knife of Unix, BusyBox.

BusyBox is a utility that combines all Unix utilities and commands that are not commonly used in Android (so they aren't there) and lets you install all of these in one package.

By typing busybox inside of the terminal you notice how many commands BusyBox features with. BusyBox installation is a necessity for us to run network attacks and perform penetration test on a network.

Since our little penetration application uses quite a few utilities available in BusyBox, be sure to have it fully installed on your Android. BusyBox can easily be installed from one of the BusyBox installers available in the Google Play store, just search for BusyBox and you should be good to go.

To avoid any problems, I recommend that you use the BusyBox application by Stephen (Stericson) developer; it works seamlessly. The following screenshot displays the BusyBox application's download screen:

One of the most advanced penetration testing tools for Android, the very well-known dSploit, was created a few years ago. It was capable of some crazy stuff. Here's the list of some of game changing features that really moved the Android penetration testing game forward:

These are just a few features that made dSploit an awesome tool. A few years later, the main developer of dSploit joined Zimperium, a company offering enterprise class protection for mobile/tablet devices against advanced mobile attacks. They made some really good tools, which include:

zIPS aims to protect your device as much as possible, alerts you when there's an attacker around trying to hijack your passwords, or just performs a TCP scan of your device. zIPS also automatically keeps you safe and protects against the attack. zConsole takes all the reports from zIPS or zANTI and shows them in a nice interface on your desktop. If you're interested in taking the network security to a higher level, you can protect yourself and order these tools on http://www.zimperium.com/.

And then, there's zANTI—the reason why you're here reading these lines.

As you can see, we have a few more things to explore. Starting with network tasks, the MAC Changer does what it says; it simply changes your MAC address. MAC addresses are identifiers of each node of a specific network. You've probably signed up to networks, in airports for example, which will let you use the Internet connection for only 30 minutes or so. After you reach the limit your MAC address gets banned from the network, thus you can't use it anymore.

Changing your MAC address might in some cases give you 30 more minutes for a quick browse through the net.

A certain company once used special trash bins to track people's movement around the city based on their MAC addresses. This is possible because your MAC address gets broadcasted even if you're not connected to any network.

Ever heard of the app, Pry-Fi?

Pry-Fi aims to make your device as safe as possible, changing your MAC address every once in a while. The app also comes with something known as a War mode, which makes your device appear like it's a dozen people. This, according to the author's words, will flood the tracking data with useless information and possibly reduce the tracking that is being done on an everyday basis. Pry-Fi randomizes your MAC address, following a pattern that still makes the trackers think you are a real person, but they will not encounter your MAC address again.

That said, if you're not feeling safe enough, definitely check this app out, it comes free and is available on Google Play Store.

Moving on to zTether. Ever shared your mobile data connection to your friends? Well, this little feature lets you play with them a bit.

zTether offers full tether control by executing the MITM type of attacks, including redirect, a replace images feature, download interception, and every other feature that zANTI has to offer. We'll be talking about the MITM attacks in Chapter 5, Attacking – MITM Style.

The next feature, coming with a pretty fancy name, is RouterPWN. RouterPWN is a web application that uses and exploits various vulnerabilities in devices such as routers, access points, or switches.

It allows you to run local or remote web exploits, allows offline exploitation, and runs smoothly even on a mobile web browser, making it a really interactive tool for lots of penetration stuff.

For example, RouterPWN is capable of converting SSID to wireless key (WEP) for Thomson SpeedTouch ST858 v6 models. So if your neighbor seems to use this kind of router, you might want to let him know his security status by doing some MITM magic on his network. RouterPWN is a great tool for security purposes, finding vulnerabilities in your network and making your network much more safe to use.

As seen in the preceding screenshot, RouterPWN opens in a nice mobile web, which makes it really practical and even easy to use. That said, clicking on this in the zANTI app opens the URL for you, letting you further interact with this awesome tool on the Web.

The next function is the so-called cloud reports. We will not be using cloud reports, since this requires zConsole. Let's move on.

The Wi-Fi monitor shows a list of all available Wi-Fi networks in range. There's also a nice implementation of scanner, which shows the intensity of each network.

You can see a little bookmark-like marker that changes color depending on network security—green for secured, red for open ones; showing us that it's not a good thing to leave our Wi-Fi routers accessible to anyone—and it really isn't; we'll get to that, don't worry, this is what the book is about.

Moving onto the next one, the HTTP server quickly creates an on-device HTTP server, letting you share folders/files through HTTP connections. This is useful for sharing files and the likes, but we won't be interested in this one in our penetration testing chapters.

Looks like we're done with the Network Tasks section, leaving the Usability section untouched. This section contains a not-so-descriptive tutorial that quickly introduces users to the interface. This is followed by the Contact Us button, which allows you to share your thoughts, feedback and problems if you have any.

Should we have a look at settings, or not? It's just settings. Let's move on!

Come back to the home screen. The text saying devices found on your network clearly suggests the list you're looking at is the list of devices that are currently connected to the Internet.

If you're not seeing anything, it might be because either nobody is connected (though you should always see your device, that's the one saying This Device) or because zANTI2 hasn't scanned for devices yet.

To perform a quick scan, go ahead and tap that little button next to search.

A tiny popup will appear; let's leave the Intrusive Scan option unselected for now and hit OK to start scanning. The length of time may vary, depending on the network and number of devices connected.

If your scan has finished already and you start scanning a fresh, old values will be replaced with the new ones. Therefore, if you just fired up zANTI2 after a little while, you might want to manually rescan to work with results that are up to date.

Yay! Network scan completed. If you're that type of guy, you can even tweet about your freshly-completed scan but that's completely up to you.

If you take a closer look, you'll probably see your router with an IP address, let's say 192.168.1.1. This is the default gateway and it's also the IP of the router you're most likely connected to.

Let's go ahead and click on one of your targets, the router, for example. A new window will pop up giving you further information about the target. The IP, MAC, Name of the target, and ports are included in the report.

Take a look at the Comments section. You see, the guys from Zimperium have thought about your great and open mind, leaving you the whole section free to express yourself. You can input words such as Hacked this bloke a week ago, this guy needs a rest. Will be back in two months!, and maybe some other types of useful stuff. Well, on a serious note, this section can be used to document and make notes of your progress.

Let's skip the middle section for now, but don't worry, we'll get back to it later.

Have a look at Nmap scan:

Nmap (Network Mapper) is an open source utility for network discovery and scanning, available not only for Linux but also Windows, when it comes to it. It supports a wide variety of scan types, including basic scan, ping scan, UDP scan, IP protocol scan, and many more. Since we'll be talking more about scans in the following chapters, let's just say Nmap is really a great utility with huge usability especially in network pentesting.

Yup, the Nmap scan was even featured in the Matrix Reloaded.

That said, let's finally move on to the middle section, which will lead us to operative and attack actions. Don't worry, we'll get to know Nmap much better in the following chapter; it's an amazing tool!

Operative actions are those kinds of actions where the device tries to interact or discover the target and investigate it a bit closer, whereas attack actions simply perform attacks on that target.

To explain operative actions more (scan, remote ports connection), you'll read about these two in the following chapters (Chapter 2, Scanning for Your Victim, and Chapter 3, Connecting to Open Ports). Just to briefly show you around, scan action performs a second scan, this time on the target only.

Scans, as mentioned earlier, are done using Nmap and are logged into the Nmap scan log afterwards.

Apart from having the opportunity to choose from a fine amount of scan types, including Ping scan, UDP scan, and others, you also can execute a script. You can run AUTH, BROADCAST, BRUTE, DNS, SSH, SLL, and many more types on the target, resulting in the scan-log output, where you'll be retrieving information from the target.

We shouldn't forget about a tiny feature called smart scanning, which automatically searches for exploitable vulnerabilities.

Moving to the port connection, this is one very interesting feature. zANTI2 lets you choose one of the available ports and establishes a connection to it.

We will, again, learn about this particular feature and its usability in Chapter 3, Connecting to Open Ports; it needs to be a bit further explained and investigated.

Let's have a look at attack actions, starting with password complexity audit.

The password complexity audit feature checks and eventually tries to crack access passwords for available services (SSH, for example) using available dictionaries in the app.

To crack an access password, you'll ideally need some dictionaries to crack from. The developers made it easy, leaving five preloaded dictionaries directly in the app. You can also perform a brute-force attack without using a dictionary, but this might not always be the best option. You'll see why in Chapter 3, Connecting to Open Ports.

Starting with a small dictionary, this one's for the shortest possible passwords. This logically takes the least amount of time; thanks to having the lowest combination of words. On the other hand, a huge dictionary contains a way greater amount of words. This will increase the probability of finding and cracking the access password, but the whole process will take way more time.

While dictionary attacks work by searching for possible words listed in the dictionary provided by the user, incremental is a brute-force attack. This kind of attack seems to be the simplest one. Simply put, it tries password combinations over and over again, until finally it gets the right one.

Logically, attempting to crack a password without using any dictionaries is the most time-demanding process because the possible combinations are generated using your phone's processor, instead of trying predefined words from a dictionary.

In case you wondered, this is how the cracked password message looks. Not the safest password now, is it?

Right below the password cracker is the well-known MITM, which is one of the spiciest features of the whole zANTI2 app. Hijacking accounts, passwords, replacing images, injecting custom JavaScript, and much more—this all is done using the Man-In-The-Middle attack. Amazing! Isn't it?

More about MITM, how it works and functions to come in Chapter 5, Attacking – MITM Style, (the last chapter, ending it in style.)

The last two options in attack actions are the vulnerability checks. zANTI2 currently offers checking of ShellShock and SSL Poodle.