Archives for 27 Mar,2015

INTRODUCTION

This is the first of a series of posts where we will take an old Nexus 7 (2012 wifi) and convert it into a compact penetration testing toolkit. In this first article we’ll setup and install the Nexus 7 tablet and complete our first penetration test on a secure WPA network. It should make a good showcase for the flexibility and extensibility of the Android operating system.

This will be done by installing custom linux chroot onto our device and taking advantage of the freely available penetration testing tools that are available. We will then perform some basic penetration testing against our demo wireless networks in order to demonstrate the importance of understanding network security.

Disclaimer: the author and contributors to this document will accept no responsibility for the consequences of the actions of individuals concerning wireless networks. Penetration testing networks other than your own may be illegal in your country, it is your sole responsibility to act in compliance with all relevant legislation and regulations.

DISTRIBUTIONS
There is a choice of two popular distributions, both are built on the Kali Linux distribution – each with their own advantages and disadvantages, but with identical core functionality.

Kali Linux NetHunter https://www.offensive-security.com/kali-linux-nethunter-download/

• Supports newer version of android (4.4.4)
• Offers an additional toolkit with a simple graphical interface that can carry out sophisticated attacks (HID Attack, BadUSB)

Pwnie Express Community Edition https://www.pwnieexpress.com/community/

• Easier shortcuts to commonly used command line tools

DISCLAIMER

• Unlocking the bootloader will wipe all your data. So ensure your data is backed up before you start!
• Although this process is reversible it can void your warranty

HARDWARE
First you will need a compatible device. This will depend on which distro you decide to go with.

For Pwnie Express (https://www.pwnieexpress.com/community/ )

• Nexus 7
• Nexus 5

For Kali Linux NetHunter (https://www.offensive-security.com/kali-linux-nethunter-download/ https://www.kali.org/kali-linux-nethunter/)

• Nexus 10
• Nexus 7
• Nexus 5
• OnePlus One

USB OTG Y-cable – You can use just a standard OTG cable however using a Y-cable allows us to charge the device at the same time as using a usb peripheral. Note that while the device will charge and the battery percent will increase the charging indicator may not show.

USB ethernet adapter – This allows us to connect the android device to a network via ethernet. I have had mixed success in using this as sometimes the device doesn’t seem to want to register on the network.

USB wifi adapter – It is important to select a wifi adapter that supports monitor mode. The TP­Link TL­WN722N is recommended.

Using a small amount of velcro tape we can attach the wifi and ethernet adapter to the back of the device which makes it easier to move around without accidentally unplugging them.

INSTALLATION
To install NetHunter or Pwnie Express you must first unlock the bootloader and root the device. This is explained in the respective guides, but is very similar to flashing custom roms (such as cyanogen) onto a device.

NetHunter

1. Download the correct image for your device https://www.offensive-security.com/kali-linux-nethunter-download/
2. Follow this guide to install https://www.nethunter.com/prepare/

Pwnie Express

1. Ensure your device is running android 4.2.2, otherwise this will not work! Please downgrade to this version before continuing. You can find the factory images for Nexus devices here https://developers.google.com/android/nexus/images
2. Download the correct image for your device and follow the installation guide here https://www.pwnieexpress.com/community/

PENETRATION TESTING TOOLS
Now we have our device set up it’s time to get to the good stuff! Below is a condensed list of some of the tools available to us:

1. Aircrack-ng – a collection of wifi hacking tools
2. airodump-ng – Sniffing tool
3. aircrack-ng – Cracking tool (WEP/WPA2)
4. airmon-ng – enabled/disables monitor mode of wireless devices connected
5. besside-ng – useful script for capturing WPA handshakes however I’ve not had success getting it working on my Nexus 7.
   many more tools in this package, see https://www.aircrack-ng.org/ for details.
6. Dsniff – Script that watches an interface and scans for passwords and other sensitive strings
7. EvilAP – Script that creates an access point and allows clients to connect to it in order to perform man-in-the-middle attacks between the client.
8. Kismet – Sniffing tool similar to airodump
9. MAC Changer – changes the mac address of interfaces
10. Nmap – Powerful port scanner and OS-fingerprinting tool
11. Tshark – command line version of wireshark for packet capture and analysis
12. Strings Watch – Script that watches an interface and scans for strings
13. Wifite – Python script that automates wireless attacks
14. Ubertooth – bluetooth sniffing tool

Note that as we are running kali linux distro we can download more packages via the package manager (apt), but I have had mixed success with this.

WI-FI NETWORKS
Often we assume that our private wifi networks are secure just because they use a password and as a result sensitive information may be readily available to anyone able to connect/listen to the network. Let’s have a quick look at the wifi tools we can use to defeat basic wireless security.

There are two common types of security employed on wireless networks: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP has several flaws in it’s implementation and was not intended to be robust to attack, fortunately this has meant that it’s popularity has decreased significantly in recent years and now it is somewhat of a rarity to see WEP networks.

WPA is much more secure and only really vulnerable to dictionary attacks. These dictionary attacks can be performed offline by capturing the 4 way handshake as a client connects to the router.

DEMONSTRATION: ATTACKING WPA NETWORKS
To capture a handshake we need to do the following

1. Put the wireless interface into monitor mode (so it can sniff networks)
2. Select a network to attack
3. Sniff the network until a handshake is sent (sent each time a client connects)
4. Optional: Deauthenticate clients so they must reconnect (and thus send another handshake). This massively speeds up the capture.

Thankfully the wifite script will perform all of these steps for us, which is great considering typing on the Nexus 7 can be time consuming.

Now we have the handshake but brute forcing a password is somewhat beyond the power of our little Nexus 7’s hardware (although we could use a small dictionary). However there exist dedicated and distributed hardware / services that can do this for you we just need to upload the handshake to a website. We look at a couple below:

https://wpa-sec.stanev.org/ – (Free) This is a distributed network of volunteers running a cracking service for free in the interest of promoting better security. You upload the handshake files and it will be tested against several dictionaries. The statistics page shows that about 15.5% of submitted networks are successfully cracked.

https://gpuhash.me – (Paid) – This is a cracking service that charges bitcoins for attempting to crack a handshake. If you know the keyspace used by the key (say a default router password) then this can be very cost effective. For example Sky Routers use an 8 uppercase letters (A-Z), this costs 0.25BTC (current valued at about £40). However if the password has changed from the default then the cracking will be unsuccessful, however many users don’t change their password from the default. Helpfully they show the success rate of each dictionary in the FAQ section on the site.

https://www.cloudcracker.com – (Paid) – Another cracking site that accepts credit card payments and offers numerous dictionaries.

By uploading this handshake file to wpa-sec.stanev.org the password to our network is cracked in minutes. Turns out the password to our wifi network was ‘password1’…

SUMMARY
We’ve dusted off a rather old device going unused and turned it into a very powerful security auditing tool and demonstrated how to capture a WPA handshake in order to brute force the password. Pretty neat.
In the next post we’ll look at exploiting Wifi Protected Setup (WPS) as a quicker and potentially cheaper method of gaining access to WPA protected networks.