In the Scanning with Mobile Devices post, we learned how to perform some reconnaissance tasks from the Android command line. In this post, we look at one of the common exploitation tasks: cracking passwords to gain access to services on a target system, using nothing but an Android device. Follow the steps below.
Step 1: Starting Android Emulator
First, we need to start an emulated Android device. Enter the following command:
android-sdk-linux/tools/emulator @android17 -no-window
It may take several minutes for the emulator instance to start. Be patient.
Leave the emulator running in that tab and open a new terminal tab for the rest of the steps (Ctrl + Shift + T in most Linux terminal emulators).
Step 2: Uploading Word List
Since we will be cracking passwords, a word list will come in handy. We use the adb push command to upload one to the emulated device. Issue the following command to upload the wordlist.txt file to the /data/local/ folder:
adb push wordlist.txt /data/local
You will probably see a "device offline" error during the first several tries: it takes a few minutes for the emulator to register with the ADB server. Either keep re-entering the command, waiting 3-4 seconds between tries, until you see the transfer confirmation (number of bytes and time), or run adb wait-for-device first, which blocks until the device is online and then lets the push succeed on the first attempt.
Remember that even though we are using the emulated device in this lab, the process will be exactly the same for an actual physical Android device. You can easily find numerous terminal emulator applications that allow you to run commands on the device. Many tasks, such as installing portable versions of pentesting tools, may even be possible without root access.
Step 3: Opening ADB Shell
Now we will use the ADB shell to send commands to the device. Enter the following command:
adb shell
Step 4: Changing Directories
Next, let's change to the /data/local/ directory where we just uploaded our word list, which also holds our custom pentesting tools (the nmap and hydra binaries used below):
cd /data/local
Step 5: Listing Directory Contents
As you may remember, the ADB shell accepts the common Linux commands. Let's do a directory listing to make sure the word list was actually uploaded:
ls
Step 6: Finding Services
Next, let's do a quick scan to find the services we're interested in. In the Scanning with Mobile Devices post, we saw that we can run Nmap on the Android emulator. Let's use it to locate the Telnet and FTP services by scanning their default ports, 21 and 23. Use the IP provided below; this is the address of the host computer as the emulated device sees it (the standard emulator exposes the host's loopback interface as 10.0.2.2, which is also the address the Hydra commands in steps 7 and 8 target):
./nmap -p 21,23 10.0.*.*
Both scanned ports are open, so we can proceed with the attack.
Step 7: Cracking Telnet Passwords
To crack the passwords and gain access to identified services, we will use the portable binary of a popular tool called THC-Hydra. It supports multiple protocols and allows for a lot of flexibility with the cracking methods.
For Telnet, we will use the -l (login) and -p (password) options, which submit a single credential pair. We will cheat a bit and submit the correct credentials right away to see what a hit looks like; feel free to try wrong values first to see what a miss looks like. Make sure to specify the host IP and the protocol as shown below:
./hydra -l skillsetuser1 -p p@ssw0rd 10.0.2.2 telnet
You may need to try several times before the attack succeeds.
Step 8: Cracking FTP Passwords
To use a word list with the -C (colon-separated) option, it has to be formatted as username:password, which our word list is not. However, we can still use it, because it contains a mix of usernames and passwords: we pass the same file as both the login list and the password list by replacing the lowercase -l and -p with uppercase -L and -P (and change the protocol as well). Note the cost: -L/-P tries every login against every password, so a flat list of N lines costs N*N attempts, whereas -C costs one attempt per line.
./hydra -L wordlist.txt -P wordlist.txt 10.0.2.2 ftp
THC-Hydra quickly cracked the FTP passwords on the host's server. Each valid pair is reported on a line that starts with the port and protocol, e.g. [21][ftp] host: 10.0.2.2   login: ...   password: ...
If you get a message saying that no passwords were found, or only one was found, run the command again. Repeated misses usually mean the service is dropping some of Hydra's parallel connections; lowering the number of parallel tasks with -t (the default is 16) makes the run slower but more reliable.
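The following shell script is an added example and is not code from the original post. It makes the step 7 and step 8 points concrete: it builds the login:password cross product that hydra -L/-P tries from a flat list (so you can see the N*N cost against the one-per-line cost of a -C file), and it parses hydra's result lines ("[port][service] host: ... login: ... password: ...") into tab-separated fields so a run can be scripted. The sample word list, the sample pair file and the hydra output are constructed for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Mirrors hydra's -L/-P cross
# product versus a -C pair file, and parses hydra result lines.
# All file contents and the sample hydra output below are constructed.

# Constructed stand-in for the post's wordlist.txt: usernames and passwords
# mixed in one flat file.
make_sample_wordlist() {
    printf '%s\n' admin skillsetuser1 p@ssw0rd letmein > "$1"
}

# Constructed stand-in for a username:password file usable with hydra -C.
make_sample_pairs() {
    printf '%s\n' 'skillsetuser1:p@ssw0rd' 'admin:admin' > "$1"
}

# Every login:password pair hydra -L "$1" -P "$2" would try (cross product).
cross_product() {
    while IFS= read -r login; do
        while IFS= read -r pass; do
            printf '%s:%s\n' "$login" "$pass"
        done < "$2"
    done < "$1"
}

# Attempt count for -L/-P: lines in the login list times lines in the
# password list. With the same flat list on both sides that is N*N.
attempts_lp() {
    cross_product "$1" "$2" | wc -l | tr -d ' '
}

# Attempt count for -C: one per login:password line, so N rather than N*N.
attempts_c() {
    grep -c ':' "$1"
}

# Read hydra output on stdin and print one tab-separated line per valid
# credential found: service, port, host, login, password. A password that
# contains spaces is rejoined from the remaining fields.
parse_hydra_hits() {
    awk '$1 ~ /^\[[0-9]+\]\[[a-z0-9-]+\]$/ && $2 == "host:" {
        split($1, part, "\\]\\[")
        port = substr(part[1], 2)
        service = substr(part[2], 1, length(part[2]) - 1)
        password = $7
        for (i = 8; i <= NF; i++) password = password " " $i
        printf "%s\t%s\t%s\t%s\t%s\n", service, port, $3, $5, password
    }'
}

# Constructed sample of hydra output (not from a real run), shortened to the
# lines that matter for parsing.
SAMPLE_HYDRA_OUTPUT='[DATA] max 16 tasks per 1 server, overall 16 tasks, 16 login tries (l:4/p:4), ~1 try per task
[DATA] attacking ftp://10.0.2.2:21/
[21][ftp] host: 10.0.2.2   login: skillsetuser1   password: p@ssw0rd
1 of 1 target successfully completed, 1 valid password found'

demo() {
    dir=$(mktemp -d)
    make_sample_wordlist "$dir/wordlist.txt"
    make_sample_pairs "$dir/pairs.txt"
    echo "-L/-P attempts with a 4-line flat list: $(attempts_lp "$dir/wordlist.txt" "$dir/wordlist.txt")"
    echo "-C attempts with a 2-line pair file:    $(attempts_c "$dir/pairs.txt")"
    echo "Parsed hits (service, port, host, login, password):"
    printf '%s\n' "$SAMPLE_HYDRA_OUTPUT" | parse_hydra_hits
    rm -rf "$dir"
}

demo
```

The parsed output is what you would feed into the next stage of an engagement (for example, logging in with the recovered pair) without re-reading Hydra's banner every time; the attempt counts are the figure to check before launching -L/-P against a service that rate-limits or locks accounts.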
As you can see, you can use most of the tools and techniques on a mobile device just as effectively. In the Android Exploitation post, we will reverse the process and see how a mobile device can be penetrated from a computer.