building your own open-source android penetration testing platform … · 2019-02-11 · page 3...
Building Your Own Open-source
Android Penetration Testing Platform
Amadeus Konopko
JP Mitri
Disclaimer
We are not responsible for anything you do with this information or these tools. This is intended for learning purposes.
About Us
• Graduated Seneca College in May 2017 from informatics and security degree program
• Toward the end of the program focused heavily on Android mobile devices
• Researched mobile vulnerabilities, exploits and phishing
• Started working with Kali Linux and Metasploit, testing what was available to us …
Overview
• Android:
Growth, Attack Surface, Permissions and Malware
• Attacks:
Existing Tools, Attack Mediums & Platforms
• Starphish
• Demo
Android
Source https://9to5google.files.wordpress.com/2015/10/android-versions.jpg?quality=82&strip=all&w=1024
Android Growth Spurt
• Android phones since last year have risen to 86% market share
• Emerging markets introduce new affordable phones driving the market share
Sources: http://www.nasdaq.com/article/the-evolution-of-smartphone-markets-where-growth-is-going-cm619105
Android Attack Surface
• Application: Broadcast Receivers, Services, Content Providers, Activities
• Baseband: Cellular Voice and Data, SMS and Radio Interface Layer (RIL)
• WIFI: PHY, MAC, MLME
Sources: https://threatpost.com/how-google-shrank-the-android-attack-surface/127086/
https://source.android.com/images/android_framework_details.png
http://newandroidbook.com/AIvI-M-RL1.pdf
Android Permissions
Sources: https://arxiv.org/pdf/1708.03520.pdf
https://eskang.github.io/papers/android-fm15.pdf
Permissions-based Security Model
Intra-library Collusion (ILC)
Protection Level Downgrade
Android Malware
Sources: http://www.alwayson-network.com/wp-content/uploads/2016/08/android-malware.jpg
Android Malware
What is it?
• Malicious code through app installation
• Existing app downloading a malicious update
• Attacker injecting malicious code
• Botnets, Rootkits, SPAM, Identity Theft, Banking Trojans, DDOS, Ad-Click, FakeAV, Ransomware, Spyware...
Source: https://www.cl.cam.ac.uk/~drt24/papers/spsm-scoring.pdf
Android Malware
What does it do?
• Installs code or modifies files to achieve privilege escalations and persistence
• Malicious code runs on device
• Targeted social engineering gets user to click or install
• Takes control from a remote C2 server
• Access SMS, Email, microphone, camera, storage anytime
Android Malware
Phishing
• 25,000 tools used for phishing and keylogging
• 12 million credentials stolen via phishing
• Phishing poses the greatest threat to users next to keyloggers and third-party breaches
Source: https://security.googleblog.com/
https://www.getusecure.com/public/images/images/1502983087.jpg
Domain / Certificate Abuse
15,270 SSL certs containing the word “PayPal”
14,766 were phishing sites
Source: https://www.thesslstore.com/blog/lets-encrypt-phishing/
Not preventing or taking responsibility
Android Remote Control
Source: https://www.hackread.com/wp-content/uploads/2017/04/pegasus-malware-android-google.jpg
Android Remote Control
Spyware, Malware and Metasploit
• Steals users' text messages, emails, calls, photos, location and other data
• Thousands of these apps on the Play Store
• Metasploit makes it easier for an attacker to create and distribute custom malware
Sources: https://forensics.spreitzenbarth.de/android-malware/
https://blog.lookout.com/sonicspy-spyware-threat-technical-research
Attack Mediums
GSM
Bluetooth
USB
WIFI
NFC
Attack Mediums
Attacking GSM/Telephony
• SMS/MMS/WAP
• Signaling System No. 7 (SS7)
• Stingray/Surveillance/IMSI Catcher
Source: https://encrypt-the-planet.com/fight-stingray-imsi-catchers-with-android-imsi-catcher-detector/
Attack Mediums
Attacking USB
• USBSwitcher
• ADB
• Pork Explosion
Source: https://github.com/ud2/advisories/tree/master/android/samsung/nocve-2016-0004
http://bbqand0days.com/Pork-Explosion-Unleashed/
Attack Mediums
Wifi Attacks
• KRACKs
• Evil Twin AP & Captive Portal
• Broadpwn
Source: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
http://www.thesecurityblogger.com/phishing-for-facebook-logins-with-the-wifi-pineapple-mark-v-from-hak5-setup-guide/pineappledash2/
https://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-evil-twin-wireless-access-point-eavesdrop-data-0147919/
https://www.krackattacks.com/
https://blog.exodusintel.com/2017/07/26/broadpwn/
Attack Mediums
Bluetooth Attacks
• BlueBorne
• Bluejacking/Bluesnarfing/BlueBugging
• DOS
Source: https://threatpost.com/wireless-blueborne-attacks-target-billions-of-bluetooth-devices/127921/
https://gcn.com/articles/2005/07/20/a-menu-of-bluetooth-attacks.aspx
http://www.digitalbulls.com/wp-content/uploads/2017/06/bluetooth-hack-01.jpg
Attack Mediums
NFC Attacks
• Eavesdropping
• Data Modification
• Relay Attack
Source: http://resources.infosecinstitute.com/near-field-communication-nfc-technology-vulnerabilities-and-principal-attack-schema/
https://www.intechopen.com/source/html/44973/media/image2.png
Platforms
Source: https://pctechmag.com/wp-content/uploads/2013/02/opens.jpg
Open-Source Platforms & Tools
Established
• Metasploit Framework
• Smartphone Pen-Test Framework / Dagah
• Drozer
What we were in search of
• Open-Source, Automation, Evasion, Availability and Scalability…
Source: https://www.metasploit.com/
https://thehackernews.com/2012/03/six-national-television-stations-of.html
Starphish
Source: https://vignette.wikia.nocookie.net/angrybirds/images/6/65/Angry_Birds_Fight%21_-_Monster_Pigs_-_Seastar_Pig.png/revision/latest?cb=20151230031826
Starphish
What is it?
• Open-Source platform that can create, modify, deploy and manage exploits and attacks for Android based devices.
• It leverages the Metasploit framework for a fully featured Pen-Test suite
• Can operate on multiple hardware platforms from SoC to Cloud
Starphish
Architecture
Kali Linux
Metasploit framework, payloads and rpcd
king-phisher
pymetasploit by allfro
ClockworkSMS
Source: https://kadk.dk/sites/default/files/styles/media/public/2013-14_lukaszwlodarczyk_membranestudy_cita_blog_0.jpg?itok=Ld-MNCNs&c=e639107c8fe2d0311850f61170264dc9
Starphish
Create
• Using our Malware-Builder script
• Pulls Metasploit payloads from Github
• Implements simple anti-virus evasion
• We use our own X.509 certificate to sign APKs
Source: https://i1.wp.com/securityaffairs.co/wordpress/wp-content/uploads/2017/01/FireCrypt-ransomware.png?resize=677%2C342
Starphish
Modify
The name of the malware to suit your campaign
The landing page
Phishing messages
Sources: http://www.eweek.com/imagesvr_ez/b2bezp/2016/08/290x195blueboxfakeid1_2.jpg?alias=article_hero
Starphish
Deploy
SMS, Email, WIFI, USB, QR Code, Social Media
Custom tailor the message to fit your campaign
Quickly deploy messages to many users at once
Starphish
Manage
Using a cloud based C2 server or a local deployment
https://www.getusecure.com/public/images/images/1502983087.jpg
Demo
http://wallpapers.androlib.com/wallicons/wallpaper.big-wzD.cs.png