I was working late last night doing a literature review for my PhD research proposal (I am developing a proposal on a Mirai Botnet Forensic Analysis Tool) and, when I was about to connect my personal computer to my Wi-Fi hotspot, I noticed a foreign SSID, Infinix_Hot_8 or something like that, which is almost certainly a mobile hotspot created with an Infinix Hot 8 phone, and with no security whatsoever: an open connection! No, I didn't do anything to it. I am a white hat hacker and a cyber security researcher. So I decided to write a tutorial on the ways a malicious hacker could have taken advantage of that opportunity and the damage he could do to the owner of that mobile device. In this blog post I will recreate the same scenario to illustrate the danger of setting up an open Wi-Fi connection and enabling USB debugging.
The first thing a hacker could do is join the open Wi-Fi connection with his attacking machine, so I am joining the open Wi-Fi connection I created with my own mobile device. Next I ran ifconfig to find the IP address my machine had been assigned and, from that address and its netmask, the network range I need to scan.
Next I use Nmap to discover all the devices connected to the network, excluding my host machine, the Kali Linux machine and the router. Yes, my Kali machine runs in a virtual machine.
The nmap scan turned up a host of interest. I ran nmap with the -sV, -O and --exclude switches. -sV tells nmap to probe each open port it finds and report the name and version of the service behind it. -O asks nmap to fingerprint the operating system of the host. --exclude keeps the listed addresses out of the scan. If I know which services are running on a host I can search for vulnerabilities associated with those services and find an exploit for them, and the same goes for the operating system version. Two caveats worth keeping in mind: when version probing gets no usable response, nmap falls back to the default name for that port number from its nmap-services table and appends a question mark, so the name is a guess rather than an identified service; and OS fingerprinting gives a kernel version range, not an Android release.
The discovered host is the Android emulator I set up with Genymotion, which stands in for the phone in this recreation.
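To make the scan step concrete, here is an added example that is not from the original post: a small parser for nmap's grepable (-oG) output that picks out hosts with 5555/tcp open, which is where adbd listens when ADB over TCP is enabled. The two hosts, addresses, OS guesses and service strings inside SAMPLE_GNMAP are constructed for the example, not the author's real scan; the first host shows the unverified "freeciv?" label the post describes, the second shows what version detection reports when it does get an answer from adbd.

```python
"""Pick ADB-over-TCP candidates out of an nmap grepable (-oG) report."""
import sys

ADB_PORT = 5555

# Constructed sample of what "nmap -sV -O --exclude <ips> -oG scan.gnmap <range>"
# writes. Not the scan from the post; hosts, OS guesses and versions are made up.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -O -oG scan.gnmap --exclude 192.168.43.1,192.168.43.100 192.168.43.0/24
Host: 192.168.43.59 ()\tStatus: Up
Host: 192.168.43.59 ()\tPorts: 5555/open/tcp//freeciv?///\tIgnored State: closed (999)\tOS: Linux 3.2 - 3.16\tSeq Index: 256
Host: 192.168.43.77 ()\tStatus: Up
Host: 192.168.43.77 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 5555/open/tcp//adb//Android Debug Bridge device/\tOS: Linux 4.4 - 5.3
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 25.37 seconds
"""


def parse_gnmap(text):
    """Return {ip: {"ports": [...], "os": str|None}} from grepable output.

    Each "Host:" line is a tab-separated list of "Key: value" fields; the Ports
    field is a comma-separated list of port/state/proto/owner/service/rpc/version/.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything else nmap prints
        fields = {}
        for chunk in line.split("\t"):
            key, sep, value = chunk.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        ip = fields["Host"].split()[0]
        entry = hosts.setdefault(ip, {"ports": [], "os": None})
        if "OS" in fields:
            entry["os"] = fields["OS"]
        for spec in filter(None, fields.get("Ports", "").split(", ")):
            parts = spec.split("/")
            entry["ports"].append({
                "port": int(parts[0]),
                "state": parts[1],
                "proto": parts[2],
                "service": parts[4],
                "version": parts[6] if len(parts) > 6 else "",
            })
    return hosts


def adb_candidates(hosts):
    """Hosts with 5555/tcp open, as (ip, service label, OS guess).

    "freeciv?" is only the nmap-services name for port 5555 with no
    confirmation from version probing; it does not mean a Freeciv server is
    running there, so a 5555/tcp candidate is kept whatever the label says.
    """
    found = []
    for ip, entry in hosts.items():
        for port in entry["ports"]:
            if port["port"] == ADB_PORT and port["proto"] == "tcp" and port["state"] == "open":
                found.append((ip, port["service"], entry["os"]))
    return found


if __name__ == "__main__":
    # Usage: python3 adb_candidates.py [scan.gnmap]; defaults to the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for ip, service, os_guess in adb_candidates(parse_gnmap(text)):
        print(f"{ip}\t5555/tcp\t{service}\tOS: {os_guess}")
```

The version column is the one to trust: a host whose 5555/tcp says "adb" with "Android Debug Bridge device" is confirmed, whereas "freeciv?" only tells you the port is open.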
Next I use the searchsploit tool on Kali Linux to search for exploits associated with the service nmap reported on the host.
“searchsploit, (is) a command line search tool for Exploit-DB that also allows you to take a copy of Exploit Database with you, everywhere you go. SearchSploit gives you the power to perform detailed off-line searches through your locally checked-out copy of the repository. This capability is particularly useful for security assessments on segregated or air-gapped networks without Internet access.” (SearchSploit – The Manual)
First I update SearchSploit's local copy of the database:
Now I search for the freeciv service with searchsploit and find many exploits associated with it. Nmap could not enumerate the version of the service for me, so I cannot tell which of these, if any, applies; I could simply try them all against the target. Bear in mind, though, that freeciv is just the name nmap's port table assigns to 5555/tcp. Since the service was not confirmed by version detection, there is no evidence that a Freeciv server is actually listening there, and on an Android device 5555/tcp is the port adbd listens on when ADB over TCP is enabled.
Next I searched for exploits associated with the OS, even though nmap did not give an exact OS version: it guessed the kernel to be somewhere between Linux 3.2 and 3.16.
I could also experiment with these exploits, but I am not interested in carrying out any of these server-side attacks.
I am more interested in getting access to the mobile device via the Android Debug Bridge (ADB). Yes, I already know from the nmap scan that it is an Android device. This attack works if the owner has enabled USB debugging on the phone and adbd is reachable over the network. That second condition deserves a word: USB debugging on its own only exposes adbd over the USB cable. For a network attack the daemon has to be listening on TCP port 5555, which happens when someone runs adb tcpip 5555 against the phone, turns on an "ADB over network" option that some OEM and custom ROMs offer, or uses an emulator such as Genymotion that exposes it by default. (Android 11's wireless debugging uses a random port and a pairing code, so it is not the same exposure.) On top of that, since Android 4.2.2 a stock device only accepts a connection after the user approves the connecting host's RSA key in the "Allow USB debugging?" dialog; the emulator used here does not prompt, and neither do the many devices that ship with that check disabled.
I tried connecting to the Android device with adb connect and the connection was successful.
Next I issued the command 'adb shell' to get a root shell on the Android device. On the Genymotion emulator that shell really is root. On a production phone adb shell runs as the unprivileged shell user (uid 2000) unless the device has been rooted, so run id as your first command to see which one you have; either way the shell can install and launch apps, read external storage and pull logs, which is all the rest of this post needs.
Using the ls command I was able to see all the top-level directories on the Android device.
Now I can navigate freely on the Android device using Linux commands; Android is, after all, built on the Linux kernel.
Another way to get into the mobile device is with PhoneSploit. PhoneSploit drives adb for us through a menu, which is a more user-friendly way of doing the same thing. I don't have PhoneSploit, so I need to install it first. I clone it from GitHub into my /opt/ directory, which is the usual place for keeping third-party tools.
Next I need to install a dependency, but I found out that I already have it.
Next I change into the PhoneSploit directory and install it.
I enter 3 to connect to the Android phone.
To get a shell on the Android device I enter 4.
Selecting option 14 gives me a list of all the apps installed on the mobile device.
Option 5 lets me install an APK file, so I will generate a backdoored generic APK using MSFvenom Payload Creator (MSFPC).
“MSFvenom Payload Creator (MSFPC) is a wrapper that generates multiple types of payloads, based on user-selected options. The idea is to be as simple as possible (using as few as one option) to produce a payload. Fully automating msfvenom & Metasploit is the end goal (well as to be able to automate MSFPC itself). The rest is to make the user’s life as easy as possible (e.g. IP selection menu, msfconsole resource file/commands, batch payload production and able to enter any argument in any order (in various formats/patterns)).” (msfpc Package Description)
I generated the generic APK with MSFPC, but I need to sign and zipalign it so that it installs and runs properly on the target device: Android only installs packages that carry a valid signature.
First I generate a signing key with keytool.
Next I sign the APK with jarsigner.
Next I verify that the APK has been properly signed.
Next I zipalign the APK file. With jarsigner, which produces the older v1 (JAR) signature, signing first and aligning afterwards is the right order, as done here. If you ever switch to apksigner, which produces the v2 scheme that covers the whole file, you must zipalign first and sign last, because aligning after a v2 signature invalidates it.
Next I set up a Metasploit handler. I don't have to configure it by hand: msfpc.sh creates a resource file named after the payload with an .rc extension, so to start a handler for this payload all I need to do is load that resource file into Metasploit (msfconsole -r).
Next I use PhoneSploit to install the APK.
I entered option 14 again to list all the apps installed on the Android device and confirm the package is there.
Next I use PhoneSploit to launch the app.
I got multiple Meterpreter sessions, and I can use the ID of any of them to interact with the compromised target.
Once in Meterpreter I can run many commands and gather information on the target. I ran sysinfo to get information about the device. I hid the app icon of the payload I installed so that it is less likely to be noticed. I then dumped the call logs, SMS messages and contacts of the target device.
I use the Leafpad text editor to view the call logs and SMS messages I gathered.
With this write-up we have seen how a hacker could get into your mobile device once you enable USB debugging, leave adbd reachable over the network, and share a network with the hacker, whether that network is wired or wireless. Is this type of attack possible only on a local network? No. It is possible over the Internet too. If we go to Shodan and search for "Android Debug Bridge" we see a lot of devices with ADB exposed. What Shodan has indexed there is the banner adbd sends back when a client connects: a device:: string carrying ro.product.name, ro.product.model and ro.product.device. A device that enforces key authorization answers with an AUTH challenge instead and only sends that banner after the key is accepted, so every one of those hits is a device that lets anyone in without asking its owner to approve anything.
The third device in my search results happens to be a mobile device, judging from a quick Google search.
This post is written for information and educational purposes only. Make sure USB debugging is disabled on your mobile device when you are not using it, and if you have ever run adb tcpip against your phone, switch adbd back to USB with adb usb or reboot the phone. Never create an open Wi-Fi connection, and be wary of connecting to public Wi-Fi.
Disclaimer: I am not liable for any misuse of this tutorial to harm an individual or corporation. Use this information for ethical hacking purposes only.
Join my Ethical Hacking for Beginners and Ethical Hacking with Python for Beginners live classes.