Big companies are trying to improve the user experience by simplifying everything and increasing performance and connections with IoT's. Today with operating system Android being installed on the most powerful smartphones, there are advantages and disadvantages. For example, in a system Linux, there are pros and cons. The user who "Roots" on the mobile device, will be complete access in the system for viewing, editing and deleting files and folders from the Android system as well as for installing tools of various functions. At this point it is worth mentioning that it is easy to have a smartphone with penetration testing tools and run scan network, wireless scanning, sniffer, vulnerability scanning and other functions. But how do we turn an Android smartphone into a penetration tester?
Android preparation smartphone to convert it into a penetration tester
The Google Play provides two applications (free and paid) to have the bash terminal of an Android system. Once the application, we need to do the "Root" function to get full access to the Android system. Therefore, we can install penetration and monitoring testing tools.
Apt-get is a powerful package management system used to work with its APT (Advanced Packaging Tool) library Ubuntu to execute the installation of new packages software, removing existing software packages and upgrading existing software packages.
First of all we will use Linux warehouse distributions for penetration testing. By order “Apt-get update”, we will have reliable font tools. Apt-get is a powerful packet management system used in collaboration with Ubuntu's APT (Advanced Packaging Tool) library to perform the installation of new software packages, remove existing software packages, and upgrade existing software packages.
Tools we receive after updating the list:
- NMAP: Security Scanner, Port Scanner and Network Exploration Tool.
- Bettercap: Powerful tool for performing attacks.
- MITM Setoolkit: Allows you to perform many Social Engineering activities.
We will first try the "NMAP" tool on the network where the smartphone is connected.
With NMAP installed, we have several ways to scan the network and test certain services located on servers. A network scan detected two network components, but without any vulnerable attack service.
We got the credentials to connect to the access router. In addition to HTTP, we also receive HTTPS. With the weakest link of information security being the user, he will always be subject to attacks and even without realizing that the website's digital certificate will change to that of the intruder MITM attack.
We may not use the smartphone 100% as a laptop with thousands of intrusion tools. Of course, we will have several limitations, because they are smartphones. However, we can use the mobile in bridge mode, known as "Pivoting". You can also use a VPS as a command control element and use rotation on Android to perform the penetration test.
Another method of forgery, by using tools to perform this technique and download Apache2 on Android, we can insert a malicious page so that the user can enter his credentials to connect to the page and thus gain access to it. . Once we change the test page from apache and leave the fake Google page for this test, we will enter the email and password to make sure the attack works.
As soon as the victim enters his credentials on the fake page, he will redirect to the Google page without realizing that he has been "violated".
In it, his credentials have already been recorded and suggested in a simple text file for better viewing. As a result of the loss of connection, the cracker program can gain silent access to your emails and files.
The content of this article, which concerns the conversion of an Android smarthphone into an intrusion test device, belongs to Priya James (Cyber Security Enthusiast, Certified Ethical Hacker, Security Blogger, Technical Editor and Author in "GBHackers"). Secnews has no responsibility for this. This article is for educational purposes only. The experiment described was tested on any Android smartphone and no external sites were attacked.
The "Author" and "Secnews" will not be held liable in the event of criminal charges against any person who misuses the information on this site for breach of the law. It is strictly forbidden to reproduce this content, which involves the conversion of an Android smartphone into a penetration test device, without permission.