Big companies are trying to improve the user experience by simplifying everything and increasing performance and connections with IoT's. Today with operating system Android being installed on the most powerful smartphones, there are advantages and disadvantages. For example, in a system Linux, there are positives and negatives. The user who "Roots" on the mobile device, will have full access in the system for viewing, editing and deleting files and folders from the Android system as well as for installing tools of various functions. At this point it is worth mentioning that it is easy to have a smartphone with penetration testing tools and run scan network, wireless scanning, sniffer, vulnerability scanning and other functions. But how do we turn an Android smartphone into a penetration tester?
Android preparation smartphone to convert it into a penetration tester
The Google Play provides two applications (free and paid) to have the bash terminal of an Android system. Once the application, we need to do the "Root" function to gain full access to the Android system. Therefore, we can install penetration testing and monitoring tools.
Apt-get is a powerful package management system used to work with its APT (Advanced Packaging Tool) library Ubuntu to execute the installation of new packages software, removing existing software packages and upgrading existing software packages.
We will first use Linux repositories for penetration testing. By order Apt-get update, we will have reliable font tools. Apt-get is a powerful packet management system used in collaboration with Ubuntu's APT (Advanced Packaging Tool) library to perform the installation of new software packages, remove existing software packages, and upgrade existing software packages.
Tools we receive after updating the list:
- NMAP: Security Scanner, Port Scanner and Network Exploration Tool.
- Bettercap: Powerful tool for performing attacks.
- MITM Setoolkit: Allows you to perform many Social Engineering activities.
We will first try the "NMAP" tool on the network where the smartphone is connected.
With NMAP installed, we have several ways to scan the network and test certain services located on servers. A network scan detected two network components, but without any vulnerable attack service.
We got the credentials to connect to the access router. In addition to HTTP, we also receive HTTPS. With the weakest link of information security being the user, he will always be subject to attacks and even without realizing that the website's digital certificate will change to that of the intruder MITM attack.
We may not use the smartphone 100% like a laptop with thousands of intrusion tools. Of course, we will have several limitations, because it is a smartphone. However, we can use the mobile in bridge mode, known as "Pivoting". You can also use a VPS as a command control and use Android rotation to perform the penetration test.
Another method of forgery, by using tools to perform this technique and download Apache2 on Android, we can insert a malicious page so that the user can enter his credentials to connect to the page and thus gain access to it. . Once we change the test page from apache and leave the fake Google page for this test, we will enter the email and password to make sure the attack works.
Once the victim enters their credentials on the fake page, they will be redirected to the Google page without realizing that it has been "violated".
In it, his credentials have already been recorded and suggested in a simple text file for better viewing. As a result of the loss of connection, the cracker program can gain silent access to your emails and files.
The content of this article, which concerns the conversion of an Android smartphone into a penetration testing device, belongs to Priya James (Cyber Security Enthusiast, Certified Ethical Hacker, Security Blogger, Technical Editor and Author in "GBHackers"). "Secnews" has no responsibility for this. This article is for educational purposes only. The experiment described was tested on any Android smartphone and no external sites were attacked.
The "Author" and "Secnews" will not be held liable in the event that criminal charges are brought against any person who misuses the information on this website for violating the law. Reproduction of this content, which involves the conversion of an Android smartphone into a penetration testing device, without permission is strictly prohibited.