They say that laziness is the engine of progress. In my opinion, competition works better. The ability to freely choose devices, applications and information is now the driving force that motivates developers to create and improve their products. Today I want to discuss what alternative there might be to the famous pentest toolkit. Sit back and read on.
Why a smartphone?
Nowadays the choice of devices for any vulnerability researcher is very wide: from a tiny but powerful UMPC like the GPD Win 4 to a single-board computer like the Raspberry Pi Zero. Of course, out of the box such devices have nothing to do with penetration testing or exploiting undocumented features; all of that is the job of software, from home-made scripts to ready-made distributions like Kali Linux (formerly BackTrack).

But each such device has a fixed set of interfaces for interacting with the outside world, and that limits its capabilities from the start. In most cases the number of interfaces can be increased by adding "modules" of a sort: an extra network card, a wireless interface, or some kind of RFID tag programmer. This is a reasonable but difficult path: you have to consider device compatibility and whether software exists for the specific hardware platform.
Each of us probably has a slightly outdated Android smartphone lying around, and it is the same kind of portable computer, with plenty of interfaces and a well-understood procedure for connecting additional devices. Using a smartphone for pentesting looks attractive right up to the moment you evaluate the number of available interfaces and whether you can freely obtain superuser access. The first is fairly easy to assess from the spec sheet of a specific device. The second is not so simple. Not every smartphone can be rooted easily and without effort; for some models the option is not provided at all. The first thing to do when choosing a device is to look at a specialised forum such as 4pda and make sure the smartphone can be subjected to this wonderful procedure.
Ethernet
Now a few words about connecting additional interfaces. Here Android can often surprise you. For example, I decided to check whether my old smartphone would see the simplest 100 Mbit/s USB network card. To connect a USB device I use an adapter with Type-C on one side and USB-A, HDMI, VGA and a 3.5 mm jack on the other:
USB-C adapter with USB network card connected
From my stash I take out the simplest Chinese-made USB network adapter, plug it into the adapter and then into the smartphone. Purely for the sake of the experiment, I turn off mobile data and Wi-Fi. A second later a new <···> icon appears in the status bar, and voilà, the network works. Now I know for sure that connecting almost any smartphone to an ordinary wired network or network device is not a problem. In most cases the drivers are already in the OS kernel, so it just works without any fuss.

Huawei P9 Lite connected to the network
I only had three old smartphones on hand, so I decided to check if this would work with all of them:
- Huawei P9 Lite (Android 9) - works.
- Huawei P Smart Z (EMUI 12) - works.
- Blackview P6600 Pro (Android 11) - unexpectedly does not work, though it does see the USB hub.
The picture is interesting but logical. If the firmware vendor has not cut the standard drivers for such USB network adapters out of the kernel, everything works without problems. Otherwise, alas, the only option is to try adding the necessary driver to the kernel yourself, which does not always succeed. But let's give the Blackview another chance and add one of my favourite Chinese USB sticks, an RTL-SDR.
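The whole picture above comes down to one question: did the firmware vendor keep the USB networking drivers in the kernel? A kernel that exposes /proc/config.gz lets you answer that before buying an adapter. The script below is an added example written for this post, not the article author's code. It reads a kernel config file, which on a rooted phone you would obtain with something like `adb shell su -c 'zcat /proc/config.gz' > kernel.config` (this assumes the kernel was built with CONFIG_IKCONFIG_PROC, which is not guaranteed on every device), and reports the usbnet core plus the common USB NIC chipset drivers. The option names are real kernel config symbols; the two sample configs the script builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's own code: report whether a kernel config
# includes the drivers a USB Ethernet adapter needs.
# Assumed workflow on a rooted phone (kernel must expose /proc/config.gz):
#   adb shell su -c 'zcat /proc/config.gz' > kernel.config
#   sh check_usbnet.sh kernel.config

USBNET_CORE="CONFIG_USB_USBNET"          # generic USB network framework
# Common USB NIC chipsets: ASIX AX88x72 / AX88179, Realtek RTL8150 / RTL8152,
# CDC Ethernet (class driver) and SMSC95xx (used on older Raspberry Pi boards)
USBNET_CHIPSETS="CONFIG_USB_NET_AX8817X CONFIG_USB_NET_AX88179_178A \
CONFIG_USB_RTL8150 CONFIG_USB_RTL8152 CONFIG_USB_NET_CDCETHER CONFIG_USB_NET_SMSC95XX"

# config_state FILE SYMBOL -> prints y (built in), m (module) or n (absent / not set)
config_state() {
    val=$(grep -E "^$2=" "$1" | cut -d= -f2)
    case "$val" in
        y|m) printf '%s' "$val" ;;
        *)   printf 'n' ;;
    esac
}

# check_usbnet FILE -> prints one line per option; returns 0 only when the
# usbnet core and at least one chipset driver are present (y or m)
check_usbnet() {
    core=$(config_state "$1" "$USBNET_CORE")
    echo "$USBNET_CORE: $core"
    found=0
    for sym in $USBNET_CHIPSETS; do
        st=$(config_state "$1" "$sym")
        echo "$sym: $st"
        if [ "$st" != "n" ]; then found=1; fi
    done
    if [ "$core" != "n" ] && [ "$found" -eq 1 ]; then return 0; fi
    return 1
}

# make_sample_configs FULL STRIPPED -> writes two constructed config excerpts:
# one resembling a kernel that kept the drivers, one where the vendor removed them
make_sample_configs() {
    cat > "$1" <<'EOF'
CONFIG_USB_USBNET=y
CONFIG_USB_NET_AX8817X=y
CONFIG_USB_NET_AX88179_178A=y
# CONFIG_USB_RTL8150 is not set
CONFIG_USB_RTL8152=m
CONFIG_USB_NET_CDCETHER=y
CONFIG_USB_NET_SMSC95XX=y
EOF
    cat > "$2" <<'EOF'
# CONFIG_USB_USBNET is not set
# CONFIG_USB_NET_AX8817X is not set
# CONFIG_USB_NET_CDCETHER is not set
EOF
}

if [ -n "${1:-}" ]; then
    # Real config supplied on the command line
    if check_usbnet "$1"; then
        echo "verdict: USB Ethernet should work"
    else
        echo "verdict: driver support missing (kernel change needed)"
    fi
else
    # No argument: run against the constructed samples
    FULL=$(mktemp); STRIPPED=$(mktemp)
    make_sample_configs "$FULL" "$STRIPPED"
    echo "--- constructed sample: drivers kept ---"
    check_usbnet "$FULL" && echo "verdict: USB Ethernet should work"
    echo "--- constructed sample: drivers stripped ---"
    check_usbnet "$STRIPPED" || echo "verdict: driver support missing (kernel change needed)"
    rm -f "$FULL" "$STRIPPED"
fi
```

A result of `m` means the driver exists as a module, so it also has to be present under /lib/modules or /vendor/lib/modules and loadable on that firmware; `y` is the case where the adapter simply works the moment it is plugged in.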
SDR
But simply plugging it in is not enough: for the SDR to work we need the appropriate software and a modified driver. Fortunately, such a program and driver are available on Google Play; it is called SDR Touch. It turns a smartphone plus an RTL-SDR dongle into a primitive but perfectly usable SDR receiver. The only condition is that it works only on rooted phones. First we install the SDR Driver application, then SDR Touch, and finally, for $12, we buy a licence for this wonderful software. We connect it to the Blackview P6600 Pro, which I rooted a year ago:
SDR Touch Launched on Blackview P6600 Pro
Everything works great, and now you can take this bundle anywhere convenient. The huge Blackview battery can keep the resulting SDR receiver running for a long time. But neither of my Huawei phones will work: as far as I know, there is no easy way to unlock their bootloader. The catch is that you need an OEM code for this, and Huawei provided it only on request and only until 2018. After that, that's it: you will not get root rights, and they don't care about your complaints. There seem to be paid utilities, but nobody guarantees the result. If any of our readers can share a working unlock method, I will be very grateful.
UART

USB to UART
Next I tried connecting an FTDI USB level converter to talk to other devices over UART. For the check I connect to a Raspberry Pi 3 B+ on which the UART was previously enabled on the standard pins (enable_uart=1 in config.txt on the bootfs partition):
- RPi pin 8 / GPIO14 - FTDI TXD;
- RPi pin 10 / GPIO15 - FTDI RXD;
- RPi pin 6 / GND - FTDI GND.
For Android, there are convenient applications such as Serial USB Terminal and UsbTerminal. They automatically detect the type of device and allow you to access it in a couple of clicks:

List of automatically detected devices in UsbTerminal
Now we start the Raspberry Pi, and after a few seconds we see the device's login prompt:

Successful connection to the Raspberry Pi via UART
We enter the username and password and get full control. To run simple basic commands you do not need to connect a monitor and keyboard. At this point the phone works only as an input/output device, but that gives full control without occupying Wi-Fi or Bluetooth, leaving those interfaces free for more interesting things.
AndraX

Installing AndraX build 4 (image source)
Let's move on to the most interesting part. Since Android is based on the Linux kernel, it can run scripts originally written for Linux. One independent developer decided it would be a good idea to take the Metasploit Framework, add Nmap, Aircrack-ng and a lot of other good stuff, and build a convenient launcher interface. That is how AndraX was born, allowing almost any smartphone on Android 5 or higher to be turned into a pentesting tool.
But it is only in words that everything is easy and clear; the reality is extremely disappointing. If we are talking about scripts not tied to specific smartphone hardware, they will work. But as soon as it comes to, for example, capturing the handshake of a WPA-protected wireless network, a number of problems arise.
The thing is that for attacks of this kind to succeed, the Wi-Fi adapter must be switched into a special "promiscuous" mode (monitor mode). Firstly, not every Wi-Fi adapter allows this trick, although with some effort it does work on certain smartphone models, for example the Xiaomi Redmi Note 3. Secondly, without root rights it will not work either. And if you connect an external Wi-Fi adapter, there is a high probability that it will not start "out of the box": you will have to patch the kernel and then flash the phone with it. There are plenty of opportunities to break something.
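Before spending evenings on a kernel patch it is worth checking what the driver actually offers. `iw list` prints, per wiphy, the interface modes the driver supports, and monitor mode either appears there or it does not. The script below is an added example written for this post, not code from AndraX or the article's author. It assumes an `iw` binary is available (Android itself does not ship one; a Kali chroot does) and that its output was saved to a file; it parses the "interface modes" sections and combines the result with the uid it is given, since the article's second condition is root. Both sample outputs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's or AndraX's code: decide from saved `iw list`
# output whether a Wi-Fi driver offers monitor mode, and whether we are root.
# Assumed workflow (iw from a Kali/NetHunter chroot; stock Android has no iw):
#   iw list > iw.txt
#   sh monitor_check.sh iw.txt

# supported_modes FILE -> prints every mode listed under
# "Supported interface modes:" and "software interface modes (...)"
supported_modes() {
    awk '
        /interface modes/              { in_modes = 1; next }   # section header
        in_modes && /^[ \t]*\* /       { sub(/^[ \t]*\* /, ""); print; next }
        in_modes                       { in_modes = 0 }         # any other line ends the section
    ' "$1"
}

# supports_monitor FILE -> exit 0 if "monitor" is among the listed modes
supports_monitor() {
    supported_modes "$1" | grep -qx 'monitor'
}

# readiness FILE UID -> prints both conditions named in the article;
# exit 0 only when root and monitor mode are both available
readiness() {
    ok=0
    if [ "$2" -eq 0 ]; then
        echo "root: yes"
    else
        echo "root: no (uid $2)"; ok=1
    fi
    if supports_monitor "$1"; then
        echo "monitor mode: offered by the driver"
    else
        echo "monitor mode: not offered (kernel/driver change needed)"; ok=1
    fi
    return $ok
}

# make_sample_outputs WITH WITHOUT -> two constructed `iw list` excerpts
make_sample_outputs() {
    cat > "$1" <<'EOF'
Wiphy phy0
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
         * P2P-client
         * P2P-GO
    software interface modes (can always be added):
         * AP/VLAN
         * monitor
EOF
    cat > "$2" <<'EOF'
Wiphy phy0
    Supported interface modes:
         * managed
         * AP
         * P2P-client
         * P2P-GO
    Band 1:
        Capabilities: 0x1862
    software interface modes (can always be added):
         * AP/VLAN
EOF
}

if [ -n "${1:-}" ]; then
    # Real `iw list` output supplied on the command line; uid of the caller
    readiness "$1" "$(id -u)"
    exit $?
else
    # No argument: run against the constructed samples
    WITH=$(mktemp); WITHOUT=$(mktemp)
    make_sample_outputs "$WITH" "$WITHOUT"
    echo "--- constructed sample: driver with monitor mode, root ---"
    readiness "$WITH" 0 || true
    echo "--- constructed sample: typical phone driver, unprivileged app uid ---"
    readiness "$WITHOUT" 10123 || true
    rm -f "$WITH" "$WITHOUT"
fi
```

The second sample is what most stock phone drivers look like: managed, AP and P2P modes only. Seeing that list is the cheap signal that the built-in radio will not do the job and an external adapter with its own driver, and the kernel work that comes with it, is the actual cost.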
At some point the creator of AndraX decided to hype the project: he deleted the official group and repositories, then spread a rumour that the developer had allegedly been killed. A couple of weeks later he triumphantly returned to the network with an "I'm back, m*****f*******". Then another release followed. The story made a lot of noise at the time; the discussion can be found on 4pda.
At the time of writing, the project is more dead than alive. The official website is down, and downloading custom builds is completely unsafe; everything here is entirely at your own risk. Both the APKs and the archive with scripts have been spotted on GitHub, but there is no guarantee that they will even run. I checked in several Android emulators, and none of them worked correctly.
Kali NetHunter

Kali NetHunter interface on a Nexus smartphone (image source)
Now let's look at another interesting project for turning an Android smartphone into a pentester's tool. Kali NetHunter is a separate branch of the Kali Linux project. The developers did not skimp and made their toolset in three possible versions:
- NetHunter Rootless for smartphones without root rights.
- NetHunter Lite for rooted devices with custom recovery.
- NetHunter for rooted phones of certain models, for which the developers have created a separate kernel.
The last option lets you go all out, because the rebuilt kernel makes possible all those tricks the stock kernel is not capable of. In addition, it lets you connect an ordinary monitor via HDMI and get a full-fledged desktop with basic tools. Surprisingly, there are even a couple of images for Wear OS smartwatches (TicWatch Pro / Pro 4G / LTE / Pro 2020 and TicWatch Pro 3 GPS / Pro 3 LTE / Pro 3 Ultra GPS / Pro 3 Ultra LTE).
It should be said right away that, unlike AndraX, the Kali NetHunter project is alive and regularly updated. As a replacement for the stock firmware, pure AOSP or LineageOS (formerly CyanogenMod) is recommended. Instead of the stock recovery you should install TWRP, and to obtain superuser rights, Magisk. This bundle gives you full control over the system, at your own risk of course.
The Kali NetHunter kit includes a large number of tools, including ones that let the phone pretend to be various USB devices: from a keyboard whose keystrokes can be pre-programmed to a USB mass-storage device that presents any ISO/IMG image. In addition, if your smartphone is not on the list of recommended ones, you can try to build a custom image for your specific model using the Kernel Builder.
The project has good documentation, which is updated and extended more or less regularly. You can ask questions on Discord or IRC (#kali-linux on irc.oftc.net), and read the forums and the discussions of the published images on XDA.
What's the bottom line?
It is definitely possible to turn a smartphone into a convenient and functional pentesting tool. The main thing is to choose the right model. The easiest way, in my opinion, is to look at the list of available Kali NetHunter images and buy the right device on the second-hand market; there are more than enough offers. But even then, be prepared to spend many hours getting everything to work correctly.

As for the comparison with Flipper Zero, everything depends on the task at hand. If you need a portable device that can talk over UART, almost any rooted phone with the appropriate level converter will do the job. For more flexibility you can even take an Arduino Mega and get the full GPIO experience.
Porting Kali NetHunter to your own device is a great task for more than one evening. It can even become a separate hobby for those who like studying operating systems and building their own kernels. There is great scope for creativity here, and a successful result is something to be rightfully proud of.
Have you tried turning your Android smartphone into a pentesting tool? Tell us in the comments.
Source