A few years ago, nobody really knew how far hacking could go, and hijacking a Facebook session was a piece of cake. Nobody cared much about HTTPS, personal data was easily exposed, and security was poor overall. People at the mall could be seen browsing the Web, exposing their personal information, ready to get their data stolen. Internet banking was almost bleeding edge; you could hijack a password and nobody would know. The boss in his office is browsing for the brand new car he plans to buy with the money he took from his employees, thinking nobody will notice, while the whole team is sniffing his traffic over an unprotected protocol and watching what he's up to. That might sound like harmless fun, but in fact this can get very serious.
In this chapter, we'll:
Talk about what goes into penetration testing
Learn how zANTI2 fits in the picture
Learn what is required to perform penetration tests
Go through the zANTI interface and run through its basic functions
A penetration test (or pentest, if you prefer) is a deliberate intrusion, or attack, intended to uncover weaknesses, security issues, or vulnerabilities in a system such as a local network.
In this book, we will focus on Android penetration tests. We won't be focusing on tests that exploit Android vulnerabilities to prove the system's security is insufficient, but on network tests that are done using an Android device. As you might know, there are plenty of network penetration tools for Linux-based operating systems, including Kali Linux (formerly BackTrack), and there is a good number of Android tools as well.
Here's a screenshot from DroidSheep, an app that was very popular in its day for its simple user interface and effectiveness, though it was capable of only one feature—session hijacking. The app didn't have a fully working SSL strip, but we'll get to that. Actually, there was little need for it back then: most services ran over plain HTTP and were open to hijacking.
This brings us to penetration tests and their role in networking, operating systems, security, and basically everywhere else. If it weren't for penetration tests, there would be massive attacks due to unpatched vulnerabilities, exploited security holes, and stolen data, from hackers who were just smart enough to find and exploit some random vulnerability in the system.
Android is built on a Linux kernel. Since Linux is very flexible, we can do nice things with it, not in terms of changing live wallpapers, but in terms of permissions: root permissions, to be precise. Heard of them? Probably yes, as you're going to need them for pentests.
The fact that your Android device is rooted may actually be the result of an exploited vulnerability in the OS. If you've ever tried to root a device running Android 2.3 Gingerbread, you've probably heard of GingerBreak. This application ran an exploit that tried to obtain root. When it succeeded, the exploit remounted the system partition as read/write (R/W) and ran an installer script to do the job: the superuser (su) binary was installed along with the well-known Superuser app, and the system was rebooted. Boom, easy. Most one-click root apps work like this, exploiting a vulnerability that grants elevated access to the system.
Besides root access, you'll need the Swiss Army knife of Unix: BusyBox.
Typing busybox in a terminal shows you how many commands BusyBox comes with. A BusyBox installation is a necessity for us to run network attacks and perform penetration tests on a network.
Since our little penetration testing application uses quite a few of the utilities available in BusyBox, be sure to have it fully installed on your Android device. BusyBox can easily be installed using one of the BusyBox installers available in the Google Play store; just search for BusyBox and you should be good to go.
To avoid any problems, I recommend that you use the BusyBox application by the developer Stephen (Stericson); it works seamlessly. The following screenshot displays the BusyBox application's download screen:
One of the most advanced penetration testing tools for Android, the very well-known dSploit, was created a few years ago. It was capable of some crazy stuff. Here's a list of some of the game-changing features that really moved Android penetration testing forward:
Inspector (inspects the target, specifies OS, and more)
The vulnerability finder
The login cracker
These are just a few of the features that made dSploit an awesome tool. A few years later, the main developer of dSploit joined Zimperium, a company offering enterprise-class protection for mobile and tablet devices against advanced mobile attacks. They made some really good tools, which include:
zIPS aims to protect your device as much as possible, alerting you when there's an attacker around trying to hijack your passwords or simply performing a TCP scan of your device. zIPS also automatically keeps you safe and protects against the attack. zConsole takes all the reports from zIPS or zANTI and shows them in a nice interface on your desktop. If you're interested in taking network security to a higher level, you can protect yourself and order these tools at http://www.zimperium.com/.
And then, there's zANTI—the reason why you're here reading these lines.
Alright, now on to zANTI2. If you've ever used dSploit, you probably know that zANTI has quite similar features (some unchanged, some updated, and some new). So, how should we start?
I'd say fire up zANTI! Hang on a second! You might not have downloaded it yet, right? Well, if you don't have it yet, the link is https://www.zimperium.com/zanti-mobile-penetration-testing (enter your e-mail in the field and the application link will be sent to your address).
Before you hit the Install button, be sure to have the Unknown sources option enabled.
This can be done in the Security section of Settings: open Settings, go to Security, and tap the Unknown sources toggle. Enabling this option lets you install applications that are not published in the Google Play store, which is, generally speaking, pretty dangerous, considering you might install a harmful application that will try to steal your personal information.
However, this won't happen in our case; zANTI2 is a safe app and doesn't come with any malware whatsoever. The reason it's not available on Google Play is that it does not meet the store's requirements. For your security, don't forget to disable this option again afterwards, or simply install apps from the Google Play store only.
Once the Unknown sources option is checked, you will be able to install applications that come from sources other than the official Google Play store. Since zANTI2 is not available on Google Play, make sure this option is checked.
Done installing? Good! Open the app and be sure to grant it superuser permissions so that it can execute commands as root; otherwise, the application will not work. Also, ensure that everything you need is properly installed, that is, BusyBox. Sit back and get ready to zANTI.
zANTI2 needs superuser privileges to work. Be sure to grant full access; otherwise, zANTI2 will not be functional.
Let's take a first look at zANTI2's interface and explain the basic functions.
We'll start from the top. The action bar shows you the SSID, the name of the network you're connected to. Pretty useful stuff! Moving on, we have the History button. Tapping it takes you to another window showing the networks you have connected to, along with the targets that were found during the scan. It will also show you the number of open ports and the IP and MAC addresses. This can come in useful when gathering information about networks you connected to in the past.
Right next to the History button is the map network function. We will talk about this more in the following chapter, as it's very important and needs more pages to explain the whole idea fully.
The next button is Search; it lets you find a device on the network by entering its IP address, MAC address, or name.
The last button adds a host to the network, which can be useful for adding hosts from the Wide Area Network (WAN) and performing further actions on them; for example, you can check for remote vulnerabilities such as ShellShock or POODLE.
The rest of what you see in the middle is the result of a completed scan, displaying the targets on the network. Every target has an IP address followed by a MAC address and, occasionally, a name.
The little round icon on the left represents the OS running on the target: Windows, Linux, or Android. It also shows you the type of target, whether it's a computer, a network router, or a mobile device. The icon you see at the top represents the entire network. When it is selected, any further action will affect every single device on the network.
Then there's the vendor (manufacturer) of the target: Apple, Huawei, Samsung, Intel, HTC. Even this gets captured by a quick network mapping.
The number you see on the far right is the number of open ports on the target. Open ports are very important for us, as we will use them to find out further information, connect to them, and, if they show any signs of vulnerabilities, run exploits against them.
Moving on. You can access a few more small features by swiping to the right. These are not the main, primary, or even new functions of network penetration tools, but they can come in very useful and, for the most part, they're here to make zANTI2 an even more complete and compact application.
As you can see, we have a few more things to explore. Starting with the network tasks, the MAC Changer does what it says: it simply changes your MAC address. A MAC address identifies each node on a network. You've probably signed up to networks, in airports for example, that let you use the Internet connection for only 30 minutes or so. After you reach the limit, your MAC address gets banned from the network, so you can't use it anymore.
Changing your MAC address might in some cases give you 30 more minutes for a quick browse through the net.
A certain company once used special trash bins to track people's movement around the city based on their MAC addresses. This is possible because your device broadcasts its MAC address, as long as Wi-Fi is switched on, even when you're not connected to any network.
Ever heard of the app Pry-Fi?
Pry-Fi aims to make your device as safe as possible by changing your MAC address every once in a while. The app also comes with something known as War mode, which makes your device appear to be a dozen different people. This, in the author's words, will flood the tracking data with useless information and possibly reduce the tracking that is being done on an everyday basis. Pry-Fi randomizes your MAC address following a pattern that still makes trackers think you are a real person, but they will not encounter your MAC address again.
That said, if you're not feeling safe enough, definitely check this app out; it's free and available on the Google Play Store.
Moving on to zTether. Ever shared your mobile data connection with your friends? Well, this little feature lets you play with them a bit.
zTether offers full tether control by executing MITM-type attacks on the tethered clients, including redirect, a replace-images feature, download interception, and every other feature that zANTI has to offer. We'll be talking about MITM attacks in Chapter 5, Attacking – MITM Style.
Next is RouterPWN. It allows you to run local or remote web exploits, supports offline exploitation, and runs smoothly even in a mobile web browser, making it a really interactive tool for lots of penetration testing work.
For example, RouterPWN is capable of deriving the wireless key (WEP) from the SSID for Thomson SpeedTouch ST858 v6 models. So if your neighbor seems to use this kind of router, you might want to let him know about his security status by doing some MITM magic on his network. RouterPWN is a great tool for security purposes, finding vulnerabilities in your network and making it much safer to use.
As seen in the preceding screenshot, RouterPWN opens as a nice mobile web page, which makes it really practical and easy to use. Tapping it in the zANTI app opens the URL for you, letting you interact further with this awesome tool on the Web.
You can see a little bookmark-like marker that changes color depending on the network's security: green for secured networks, red for open ones. This shows us that it's not a good idea to leave our Wi-Fi routers accessible to anyone, and it really isn't; we'll get to that, don't worry, this is what the book is about.
Moving on to the next one, the HTTP server quickly creates an on-device HTTP server, letting you share folders and files over HTTP. This is useful for sharing files and the like, but we won't be interested in it in our penetration testing chapters.
Looks like we're done with the Network Tasks section, leaving the Usability section untouched. This section contains a short (and not very descriptive) tutorial that quickly introduces users to the interface, followed by the Contact Us button, which allows you to share your thoughts, feedback, and problems, if you have any.
Should we have a look at settings, or not? It's just settings. Let's move on!
Come back to the home screen. The text saying devices found on your network clearly suggests that the list you're looking at is the list of devices currently connected to your network.
If you're not seeing anything, it might be because nobody else is connected (though you should always see your own device, the one labeled This Device) or because zANTI2 hasn't scanned for devices yet.
To perform a quick scan, go ahead and tap that little button next to search.
If your scan has already finished and you start scanning afresh, the old values will be replaced with the new ones. Therefore, if you've just fired up zANTI2 after a while, you might want to rescan manually to work with results that are up to date.
Yay! Network scan completed. If you're that type of person, you can even tweet about your freshly completed scan, but that's completely up to you.
If you take a closer look, you'll probably see your router with an IP address such as 192.168.1.1. This is the default gateway, and it's also the IP of the router you're most likely connected to.
Let's go ahead and tap one of your targets, the router, for example. A new window will pop up giving you further information about the target. The IP, MAC, name of the target, and ports are included in the report.
Take a look at the Comments section. You see, the guys from Zimperium have thought about your great and open mind, leaving you the whole section free to express yourself. You can enter text such as Hacked this bloke a week ago, this guy needs a rest. Will be back in two months!, and maybe some other types of useful stuff. Well, on a serious note, this section can be used to document your progress and keep notes.
Let's skip the middle section for now, but don't worry, we'll get back to it later.
Have a look at Nmap scan:
Nmap (Network Mapper) is an open source utility for network discovery and scanning, available not only for Linux but also for Windows. It supports a wide variety of scan types, including basic scan, ping scan, UDP scan, IP protocol scan, and many more. Since we'll be talking more about scans in the following chapters, let's just say Nmap is a great utility with enormous usefulness, especially in network pentesting.
"We have all seen many movies like Hackers which pass off ridiculous 3D animated eye-candy scenes as hacking. So Fyodor was shocked to find that Trinity does it properly in The Matrix Reloaded. Needing to hack the city power grid, she whips out Nmap version 2.54BETA25, uses it to find a vulnerable SSH server, and then proceeds to exploit it using the SSH1 CRC32 exploit from 2001. Shame on the city for being vulnerable (timing notes)."
Yup, Nmap was even featured in The Matrix Reloaded.
That said, let's finally move on to the middle section, which leads us to the operative and attack actions. Don't worry, we'll get to know Nmap much better in the following chapter; it's an amazing tool!
The two operative actions (scan and remote port connection) are covered in detail in the following chapters (Chapter 2, Scanning for Your Victim, and Chapter 3, Connecting to Open Ports). Just to briefly show you around, the scan action performs a second scan, this time on the selected target only.
Scans, as mentioned earlier, are done using Nmap and are logged into the Nmap scan log afterwards.
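As an added illustration (not code from the book or from zANTI2), the snippet below parses an Nmap XML scan log, the format Nmap writes with its -oX option, and reduces it to the same per-target summary the home screen shows: IP, MAC, vendor, name, and the open-port count. The sample XML is constructed, not a real scan.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of Nmap's -oX output: two made-up hosts, not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Example Router Co"/>
    <hostnames><hostname name="gateway.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.168.1.42" addrtype="ipv4"/>
    <address addr="66:77:88:99:AA:BB" addrtype="mac" vendor="Example Phone Inc"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""

@dataclass
class Target:
    ip: str
    mac: str = ""
    vendor: str = ""
    name: str = ""
    open_ports: list = field(default_factory=list)  # (port, protocol, service)

def parse_nmap_xml(xml_text):
    """Return one Target per host that Nmap reported as up (or gave no status for)."""
    targets = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # hosts that are down never make it into the target list
        t = Target(ip="")
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                t.ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":  # vendor is derived from the MAC's OUI
                t.mac, t.vendor = addr.get("addr"), addr.get("vendor", "")
        hn = host.find("hostnames/hostname")
        if hn is not None:
            t.name = hn.get("name", "")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports count, as in the app's per-target figure
            svc = port.find("service")
            svc_name = svc.get("name", "") if svc is not None else ""
            t.open_ports.append((int(port.get("portid")), port.get("protocol"), svc_name))
        targets.append(t)
    return targets

def open_port_counts(targets):
    """Map IP -> number of open ports, the number shown at the right of each row."""
    return {t.ip: len(t.open_ports) for t in targets}
```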
Apart from having the opportunity to choose from a fair number of scan types, including Ping scan, UDP scan, and others, you can also execute a script. You can run AUTH, BROADCAST, BRUTE, DNS, SSH, SSL, and many more script types against the target, with the results going to the scan log, from which you'll retrieve information about the target.
We shouldn't forget a tiny feature called smart scanning, which automatically searches for exploitable vulnerabilities.
Moving on to the port connection, this is a very interesting feature. zANTI2 lets you choose one of the available open ports and establishes a connection to it.
We will, again, learn about this particular feature and its usability in Chapter 3, Connecting to Open Ports; it needs to be explained and investigated a bit further.
Let's have a look at attack actions, starting with password complexity audit.
The password complexity audit function uses THC Hydra. Hydra brute-forces remote authentication services and supports more than 30 protocols, including HTTP, HTTPS, Telnet, FTP, and many more.
To crack an access password, you'll ideally need some dictionaries to draw candidates from. The developers made it easy by shipping five preloaded dictionaries directly in the app. You can also perform a brute-force attack without using a dictionary, but this might not always be the best option. You'll see why in Chapter 3, Connecting to Open Ports.
Starting with the small dictionary, this one is for the shortest possible passwords. It logically takes the least amount of time, since it contains the fewest words to try. On the other hand, the huge dictionary contains a far greater number of words. This increases the probability of finding and cracking the access password, but the whole process takes much longer.
While dictionary attacks work by trying the candidate words listed in the dictionary provided by the user, incremental mode is a brute-force attack. This kind of attack is the simplest one: simply put, it tries password combinations over and over again until it finally hits the right one.
Logically, attempting to crack a password without any dictionary is the most time-demanding process, because every possible combination is generated by your phone's processor instead of trying predefined words from a dictionary.
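To put numbers on the dictionary-versus-incremental trade-off described above, here is an added example (not code from the book, zANTI2, or Hydra) that estimates, for a given password, how many guesses a dictionary run and an incremental run would need. The mini-dictionary and the rate of 1000 guesses per second are constructed assumptions.

```python
import string

# Constructed mini-dictionary standing in for one of zANTI2's preloaded lists.
SMALL_DICTIONARY = ["admin", "password", "123456", "letmein", "qwerty"]

# Character classes an incremental run has to cover; sizes are 26, 26, 10 and 32
# (string.punctuation holds 32 symbols).
CHARSETS = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

def charset_size(password):
    """Size of the alphabet a brute-forcer needs to cover every class the password uses."""
    return sum(len(cs) for cs in CHARSETS if any(c in cs for c in password))

def incremental_keyspace(alphabet, max_len):
    """Candidates an incremental run tries for lengths 1..max_len over `alphabet` symbols."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

def audit(password, dictionary=SMALL_DICTIONARY, guesses_per_sec=1000.0):
    """Compare how a dictionary run and an incremental run fare against `password`.

    guesses_per_sec is an assumed rate for online guessing against a network
    service (Hydra's situation); it is a placeholder, not a measured figure."""
    in_dict = password in dictionary
    # Dictionary mode stops at the hit, or exhausts the whole list without success.
    dict_attempts = dictionary.index(password) + 1 if in_dict else len(dictionary)
    space = incremental_keyspace(charset_size(password), len(password))
    return {
        "in_dictionary": in_dict,
        "dictionary_attempts": dict_attempts,
        "charset": charset_size(password),
        "incremental_keyspace": space,
        # On average half the keyspace is searched before the right guess comes up.
        "incremental_seconds_avg": space / 2 / guesses_per_sec,
    }
```

A password found in the small list falls in a handful of guesses, while the same seven lowercase letters cost an incremental run billions of candidates; adding character classes grows the alphabet and the keyspace with it.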
In case you wondered, this is how the cracked password message looks. Not the safest password now, is it?
More about MITM, how it works, and what it can do in Chapter 5, Attacking – MITM Style (the last chapter, ending the book in style).
The last two options in the attack actions are the vulnerability checks. zANTI2 currently offers checks for ShellShock and SSL POODLE.
Zetasploit, built on Metasploit, one of the most widely used penetration testing frameworks, aims to run exploits against vulnerabilities found in the scan results. Unfortunately, Zetasploit is available to enterprise users only and is supposedly going to be made available to the public at some point. Hopefully, it already is when you're reading these lines!
You've probably seen the video showing the power of Zetasploit. (If not, look it up; it's crazy: https://youtu.be/di5FHSh3Z7c.)
From what we know, there are over eight separate exploits (probably many more) available from the server; then there's a client tab, followed by file intercept.
The guy seems to run a Windows exploit that targets a parsing flaw in the path canonicalization code of NetAPI32.dll, reached through the Server service. Then he selects an available VNC payload to connect to the desktop and finally launches the exploit.
He then takes control of the entire system through the graphical interface that the VNC payload provides.
VNC is not the only option for connecting to the victim; the video also shows how to interact with the generic shell and execute the shutdown -r command, which reboots the computer. Easy peasy!
Although all of this sounds very interesting, we probably won't get our hands on it until it's officially announced in the next release. However, as you will read in Chapter 3, Connecting to Open Ports, it is possible to intrude into a computer through port 3389, the port used for Remote Desktop connections.
That being said, you can't run Metasploit on your Android-powered device. Or can you?
Oh, of course you can! The newly updated cSploit, which is being continuously updated by one of the former developers of dSploit, has (apart from the original dSploit features) some improved tweaks and new features such as:
The vulnerability finder
The exploit finder
Metasploit Framework integration
At least that's what http://www.csploit.org/ says, and it looks like the app is doing really well. Since the main developer is a single person who is often busy, we can't expect frequent updates, but it's great to see that we can use Metasploit exploits with a free Android tool.
In this chapter, we learned what penetration testing is and how Android comes into the picture for testing networks. We were also introduced to zANTI, learned briefly about its various features, and saw how effective it is at network penetration testing.
In the next chapter, we'll move on to learn about scanning and the different types of scan used for this purpose.