Mobile Penetration Testing: There’s An App For That
When most people think of penetration testing, they think of a simulated external attack where the tester tries to break into a network from a remotely.
Companies focus most of the security spending and policies on keeping hackers from the outside in, from firewalls and other security hardening appliances, software and tools.
- Getting Inside
- The Phone Setup
- USB Hacks
- Network & Vulnerability Scanners
- Session Hi-Jacking & ARP Spoofing
- Wi-Fi Sniffing
- Remote Access
- Remote Shell & Scripting
However, given the proliferation of mobile devices in the workplace and use of Wi-Fi networks inside of an office, attacking from inside the network provides unique opportunities.
Smartphones have become much more powerful over the past few years, with powerful processors and a plethora of hardware at your fingertips. Combine this power into a compact unit with the right apps you can scan a network from the inside in seconds along with several other new types of attacks and information gathering.
Mobile devices have accelerated productivity as they move to replace many of the other devices we used to carry in a small package. Most phones have Wi-Fi capability, cameras, mass storage capability and a persistent internet connection via 3G and 4G and allow a wide number of applications and if rooted provide many of the same tools as a computer, but with more hardware and network capabilities.
These conveniences also carry over to make them an very powerful tool to use in penetration tests, more powerful I would argue than a laptop, as a mobile device can be easily hidden on your person, or inside of an office building.
Most organizations spend a great deal of money and time focusing on protecting their networks form outside threats, making sure the hackers outside cannot get in. However, security inside the network is generally lacking, both physical security and network security. Security is generally more relaxed inside an office because of the simple need to get work done.
Attacking a network from within has actually become easier over the last few years. As there are an increasing number and variety of devices inside an office than there were even just a few years ago when you dealt primarily with stationary desktop systems hard wired via ethernet in secured offices.
Today most offices utilize Wi-Fi, with a many different types of devices in use from laptops, tablet computers, mobile phones, flash drives and portable media players. Not only are there devices that are owned by the company, but also people’s personal devices they bring in from home.
Attacking from inside is a target rich environment with a multitude of attack vectors. Given the increasing number of devices that are brought in and being used, internal policies regarding the use of these devices is generally lax, not enforced or simply non-existent. Employees are generally also not trained on security issues around mobile devices, which is something you can take advantage of in your tests.
Attacking inside of a network poses the unique challenge of getting inside or at least close to your target, however there are a number of ways to do this using a bit of social engineering. A few ways to get inside of a corporate building are via job interviews, business meetings, or posing as a delivery driver, maintenance worker, cleaner or solicitor, or get an insider to help you ( even if they are not aware they are helping you).
Many companies also host events, particularly tech companies, where they allow their space to be used for developer meet-ups, or presentations so watch for this opportunity as well. You may not even need to get inside the building, but can work outside of it in the parking lot, an office next door, the employee cafeteria or other areas that are not secured. Monitor the company’s website and check for jobs posted, used online services such as LinkedIn to search for positions as well as track current employees of the target company for opportunities that may present themselves.
As my weapon of choice I use an Android phone, a rooted Samsung Galaxy S to be specific. I highly recommend rooting the phone and installing a ROM such as Cyanogen, for this article I am using Cyanogen 7. Many of the apps I will mention here require a rooted device and require root privileges. I have seen some apps that are available for rooted iOS devices, however there are many more robust solutions available for Android.
You can install most Linux distros on an Android phone including Backtrack 5 using Gitbrew. However using a Linux distro on an Android phone, even on a tablet is quite kludgy and you would be better served using a netbook. For this article I will stick with Android specific tools that take advantage of the portability and hardware available to smartphones.
In some of the examples I outline hiding a phone in an office building, which runs the risk of the device being found and tracked back to me if the device has an active SIM card. To mitigate this risk an attacker would use a phone they purchased used, or that was stolen with the SIM card removed and will rely on Wi-Fi to connect to the device remotely from outside.
T-Mobile sells pre-paid smartphone plans with data connectivity now, however they still require a credit card to get. A criminal could use a stolen credit card and identity to get a phone with a working SIM that is untraceable, but for the purposes of our test we will be sticking with primarily Wi-Fi based connections.
The first set of tools I will install on the device are not mobile apps at all. Android devices easily double as a flash drive, which provides a great attack vector to leverage many USB based tools to infect a network and steal data from behind the firewall. Even today, USB flash drives are a great way to deliver a malicious payload, particularly in highly secure environments.
The International Space Station was even hit by a virus that was transmitted via flash drive, flash drives are also the primary suspect in the delivery of Stuxnet and the recent keylogger malware discovered on military systems controlling drones. With a mobile device you also have a great excuse to plug the device into a computer “My phone battery is about to die, can I plug my USB charger into your computer for a bit?”
There are a number of USB tools available that will allow you to pull data, a few easy tools include USB Hacksaw and USB Switchblade both of which are multipurpose utilities which will pull data from the target device and open backdoors into the system. The primary purpose of the tools are to silently recover information from Windows systems, such as password hashes, LSA secrets, IP information, as well as browser history, and auto-fill information as well as create a backdoor to the target system for later access. The data can be quickly loaded to the phone as the tools only need a few seconds to pull sensitive information from a given device.
Another useful tool is USBDumper which can be loaded onto a target computer and will silently copy the contents of any removable media device connected to the computer and can be modified to upload this data to a remote location. This tool can be handy if you see and gain access to a shared system that might be used for presentations in a conference room, this is usually the case at colleges and universities and some businesses as well.
There are many other great tools available that can be loaded from a USB device, or you can easily create your own. A lot of the USB based trojans in the wild have been Your browser may not support display of this image. flagged by anti-virus companies as malicious, however if you get the source code and modify it you can easily create executables with unique signatures that will not be detected. If you plan on hijacking a host computer and transmit data to outside the network, make sure you use an SSL connection, this will help evade firewalls as well as hide what data is being transmitted outside the network.
When conducting a penetration test you usually do not need to actually transmit data, simply writing a simple script that is executed that sends the IP address, name of the person logged into the computer and unique device IDs is enough to indicate the system and potentially the network could have been compromised. How far you actually go to show the network was infiltrated is between you and the client, just be aware that some of the USB based tools mentioned above can cause harm to the system and data as well as other devices on the network.
Network & Vulnerability Scanners
The first mobile application you need is for network mapping, there are quite a few available in the Android Marketplace. Network Discovery, is a great one that is free and does not require your device to be rooted. The user interface is really well designed and provides you with a clear view of the network and devices at a glance, not easy to do with the limited screen real-estate on a mobile device. The application identifies the OS and manufacturer of the device as well as identifies the type of device. The Network Discovery app works well when connected to a Wi-Fi network that you know is open or have the password to access and provides great visibility of the target network.
Mapping a network is one thing, but being able to scan for open Wi-Fi, scan device ports, find vulnerabilities and other acts take a lot more time and usually a lot more tools. Thankfully an Israeli security firm called Zimperium has made this easier for you, with their Android Network Toolkit named Anti.
Anti provides automated tools to carry out penetration testing tasks on insecure wireless networks. Once activate the app will run scans to find open networks, locate devices on the network and determine vulnerabilities on the devices. Once vulnerabilities are discovered the app can run exploits from Metasploit and ExploitDB to gain access at which stage you can then trigger various actions remotely from your phone from taking a screen shot to ejecting the disc drive to prove you have control of the target machine.
The first version of the application only had a few exploits, however the developer provided me with an early version of the 2.1 release which has a larger library of potential exploits. In addition the suite provides additional tools including a brute force password cracking tool along with different types of dictionaries to load for the attack.
The “Cracker” feature runs well and hits all open ports it finds on devices within the network. This can take some time depending on the number of ports and the type dictionary used in the attack. I was able to locate several vulnerabilities on a test network, mostly Windows file shares and a router that still had the manufacturer’s default password settings.
The in-app Wi-Fi monitor feature provides a listing of all Wi-Fi networks, their signal strengths and whether or not they are open via an easy to read icon, along with the device’s MAC address. The network scanning is quite fast and I was able to map a decent sized network in about 30 seconds. When you run the scan it then asks you if you want to initiate an intrusive scan which gathers more information regarding potential vulnerabilities.
Some of the features I was not able to test such as “Foreign Targets” where you can run scans on domains and IPs outside the network, even use Anti’ whenever I tried this the app would crash, guess due to the version I have being beta. Other useful features include an HTTP Server you can run and the ability to run initiate attacks from Zimperium’s cloud utilities to run penetration tests from outside of the network.
Anti is a great tool that makes mobile penetration testing as easy as one click, allowing you to run quick tests for unsecured Wi-Fi networks and gather information in an automated fashion. The fact you can initiate a scan and put the phone in your pocket makes it a powerful tool.
Session Hi-Jacking & ARP Spoofing
Your browser may not support display of this image. Many may be familiar with FireSheep, the Firefox browser plug-in that allowed you to easily sniff out and hijack Facebook, Twitter and other sessions. Well there is also an app for that, it is called DroidSheep and it work similarly. The application requires a rooted Android phone. Once you run the application you can run the app in a few different modes, when it is connected to an open network it uses ARP spoofing to hijack the sessions.
A word of warning, on some networks it can slow a network and be detected, this occurred a few times on my test network. You can disable ARP-Spoofing, which will make it undetectable, however is not as efficient and will not pick anything up on an encrypted network.
The application provides a “Generic mode” that will display all possible account sessions, not just from known sites like Twitter and Facebook. During my test I was able to pick up sessions from WordPress, Facebook, Twitter and Trimet.org (Portland’s public transporation portal).
Your browser may not support display of this image. Another application that provides a more invasive approach is Network Spoofer which allows you to user ARP Spoofing to actually alter the web traffic being sent to a network or specific machine. The application requires a pretty large download at around 600MB which is actually a Debian image that includes Squid proxy to modify the data and some other tools to modify images and other tasks. The application allows you to redirect web traffic to a specific site, flip images, alter queries and other harmless attacks allowing you to show the client the network was compromised.
The application works well on an open network, however on a WPA/WPA2 network it simply cripples or slows the network. Hardware is also an issue, although the application works with most phones, some device are incompatible, I tested it on a Nexus One and a Galaxy S and both worked.
Network Spoofer ( no longer available in the Android market) also allows you redirect all network traffic directly to the phone. The packet data can then be logged by packet sniffer application such as Shark for root which is one of the better apps I found for this task. The issue with using ARP Spoofing for this however is that it can slow or cripple the network.
A better route for packet sniffing is to create a Wi-Fi hotspot on the device itself. A great thing about a rooted Android phone is the ability for it to be an ad-hoc Wi-Fi hot spot. By creating an open Wi-Fi hot spot on the device that has a similar name to an existing on in the office, or one that simply one that looks like a guest account ( “Acme-Guest”) allows you a great way to intercept a great deal of traffic from users duped into connecting to it.
There are a number of packet sniffing apps available for Android, the best I have found is Shark for root, which logs the pcap file to the SD card of your device. There is also a Shark Reader application that allows you to read the pcap files, however you will probably want to copy the files over to your laptop via FTP etc and view them in Wireshark.
The one thing I hate about “Shark for root” is that as it is a free app ads appear at the top, this can actually mess with capture. The fact you have ads running in a security app is wrong for many reasons, I wish they would offer a paid for version of the app without ads.
Smartphones are not only good for running apps, but also have a lot of other great hardware in one package that makes them great for use in spying from the inside. If you are able to sneak a phone into an office building and plug it in to a wall socket you will have have eyes and ears in the building as well as provide yourself with more time to run tests from the outside. Plants make a great hiding place, as they are usually against a wall near power outlets. Common areas such as break rooms are also a good place as you can leave them in plain sight, most will assume it is a co-workers phone left to charge.
Most smartphones today have at least one camera, which can be accessed remotely, many of these tools also come with motion detection. Some apps can also call out to another number when motion is detected allowing you to listen in on any conversations that may be occurring near the phone.
A free tool that makes remote access easy is Remote Web Desktop a free app available in the Android Marketplace which provides access to all the hardware on the device including the camera, as well as the ability to launch apps remotely from a web browser on your laptop. You can connect directly through Wi-Fi, or if you are using the 3G connection you can use their bridging service to access the device.
Your browser may not support display of this image. Remote Web Desktop also provides access to all the apps on the phone, as well as an FTP server to easily transfer log files and reports from the device. Another helpful utility that Remote Web Desktop provides is the ability to bridge the connection. If for example you are using the 3G connection vs Wi-Fi they provide a service that allows you to easily connect to the device remotely, however keep in mind that this approach could leave a trace of your activities. This approach also provides you with access to the device if you are using the device as a Wi-Fi hotspot, as you cannot run connect to the device via Wi-Fi as well as run it as a hot spot.
There are a number of terminal emulators available for Android including one that comes with Cyanogen, however I would also recommend installing ConnectBot as it allows for multiple sessions and secure tunnels. I also installed Scripting Layer for Android (SL4A) to allow me to run scripts from the device as needed. Once these apps are loaded it makes it easier to remotely deploy and execute scripts to the device.
I installed the Python interpreter on my device to run various scripts to automate capturing photos and wiping apps from the device if it becomes compromised. If you prefer to write your own native Android apps more power to you, but I found it a lot easier to have a scripting environment available to me on the device for on-the-fly app development.
As you can see a smartphone can be a very powerful tool in your penetration test arsenal, in some ways much more powerful than a laptop. The sophistication of many applications available for Android, particularly on rooted devices provide an increasing number of weapons for penetration testers and hackers alike.
Using these tools to test your network, as well as being aware of what tools malicious users may be using to find a weakness will help you better secure your environment. Many of these applications provide rich user interfaces and reports that will also help you visually show your clients and employees the risks that mobile devices can pose in their organization if policies and procedures are not followed.