Pentesting on the Fly : Android Phone - Part 3) My Phone Is a Recon Machine


Pentesting on the Fly : Android Phone - Part 3) My Phone Is a Recon Machine

Let's take it a step further and go back to hacking's first step : RECON
--Keep in Mind that at each chapter you'll need to launch Linux Deploy, tap "Start", and then SSH android@localhost and type in changeme --

If you followed my first post and the second, you now know that our hero, John traveled to NYC, backdoored his hotel's security system PC and a guard phone, then got friend with a business man and MITM credentials from his enterprise.He's on his way back home, taking plane.

0) SCENARIO
I took plane a few hours ago to get back home and I landed at Chicago's airport for a short stopover. I have around two hours before taking off one again.
Guess what ? I'm sitting on chair and i'm bored...

So let's walk a little bit. As you might know, I love exploring my environment, there's always something to hack/discover. Makin my way through the moving crowd, I finally arrive in front of those countless "duty-free shops".
Well... I have an idea !Remember the credentials I stole last chapter ? They drove me to some secrets servers located in Japan. Seems like my "friend"'s enterprise holds some secrets. I bet they're not just implicated in managing enterprises but, they hold some secrets of great corporations' dirty business....
I'd like to pentest them, but first I need to scan their systems and... I'd rather not use Tor, too slow... So I need a new IP not related to me.
There must be one of thoses pre-paid SIM cards including mobiles data ! I enter the shop and get one (for 20 bucks...):

Great ! I know have an Anonymous IP adress and if they trace me, they'll only get to this airport, and I'm hidden in the crowd, with my phone in my Pocket, scanning their systems. I'm neaarly untraceable.Let's see what we can find...
FIRE ! I GRAB MY PHONE!!!

I) MAIN IDEA
Today we'll start a recon on our target systems :
Two basics Tools :
  • Nmap
  • Any vulnerability scanner compatible with command line only and sufficiently light
  • Optional :DNS discovery tool (won't be treated here, we keep it light and efficient.
II) REQUIREMENTS
  • Have sucessfully set up the environment following this tutorial
  • Nmap installed
  • W3af installed
  • Nikto installed
III)INSTALL WHAT'S REQUIRED !
Nmap :
apt-get install nmap
W3af:
apt-get install w3af
Nikto:
apt-get install nikto

IV) LET'S SCAN ! 1) First, fire up Nmap toward our worst ennemy's : Null Byte's servers ;)
(basic scan without options) :

nmap null-byte.wonderhowto.com

Second : Let's use nmap to perform a quick vuln scannmap --script vuln null-byte.wonderhowto.com

Vuln Rapport :
(I won't drag on on Nmap usage, it's a really complete and surprising tool)2) Fire up Nikto toward Null Byte's URL (or IP)
nikto -h "null-byte.wonderhowto.com

3) Let's Perform a more Advanced scan using W3af, another Advanced scannerW3af is a bit more complex. First I Remind you that we have to stay in command line so :
w3af_console
There's full of possibilites with W3AF, i give you two links to learn how to master its possibilities with command line :
http://pentesterconfessions.blogspot.fr/2007/10/how-to-use-w3af-to-audit-web.html
http://resources.infosecinstitute.com/w3af-tutorial/
Let's set up scan :
1) see options : help
2) Set up FIRST the profile (type of scan, there's a lot, here we'll use OWASP_TOP10)
3) THEN set up target
4) Scan
5) List vulns/shells/exploits
help

profileshelp
use profile OWASP_TOP10

backtarget
help
set target null-byte.wonderhowto.com
back

start
kblist exploits/shells/vulns

V) CONCLUSION
  • Scan done
  • Ip range scanned
  • Ports scanned
  • Quick vuln scan made with 2 différents tools
  • IP hidden by using a prepaid sim, paid with cash
  • Traceable, but can't be related to anything, except a hack launched in an airport where thousands of people transit in one day
  • No obvious traces on CCTV : Phone left in Pocket during the whole scan (except for typing some lines, but looks like texting)
  • But i'd strongly suggest you don't use the card just after you paid it -too obvious-, buy one and use days later
VI) END OF CHAPTER
Great ! I performed the scan stealthly and quickly, and I can move almost immediatly so I won't be traced.
I remove the prepaid SIM, go to the nearest WC, locate a cleaning trolley, steal some bleach, spread it on the sim card, grind it Under my feet, then I go out of the airport and discreetly launch the rest of it into a taxi car boot.

Mission CompleteThe Vulnerability scan detected the heartbleed vulnerability. After exploiting it I was able to steal some datas using Metasploit, before the connection was suddenly broken.
I now know that their servers are located in Japan, and that they hide infos about a kind of secret organization conspiring for internet's total Control.
The IP is located in Okinawa at Naha city?
Now I know where I go. I exchange my tickets and fly to Kyoto. This time i'll get into their systems once for all and know where all this leads.
Even if I have to enter their offices.

To be continued...._______________
Post Scriptum :
I got authorization to perform the scan from Bryan Crow, followed by Justin Meyers and Occupytheweb (all three administrators and moderators)
Pentesting a non-consenting target is illegal, so please don't fire up your phones and vuln
_______________

Aucun commentaire:

Publier un commentaire