Alright, now on to zANTI2. If you've ever tried to use dSploit, you probably know that zANTI has quite similar features (some unchanged, some updated, and some new). So, how should we start?
I'd say fire up zANTI! Hang on a second! You might not have it downloaded, right? Well, if you don't have it yet, the link is https://www.zimperium.com/zanti-mobile-penetration-testing (input your e-mail in the field, the application link will be sent to your address).
Before you hit the Install button, be sure to have the unknown sources option enabled.
This can be done in the Security section of Settings: open Settings, go to Security, and tap the Unknown sources option. Enabling it lets you install applications that are not published in the Google Play store, which is, generally speaking, pretty dangerous, considering you might install a harmful application that will try to steal your personal information.
However, this won't happen in our case; zANTI2 is a safe app and doesn't come with any malware whatsoever. The reason it's not available on Google Play is that it does not meet the store's requirements. For your security, don't forget to disable this option again afterwards, or simply install apps from the Google Play store only.
Once the Unknown sources option is checked, you will be able to install applications that come not only from the official Google Play store but from other sources as well. Since zANTI2 is not available on Google Play, make sure this option is checked.
Done installing? Good! Open the app and be sure to grant superuser permissions so that it can execute commands as root; otherwise, the application will not work. Also, ensure that everything else you need is properly installed, namely BusyBox. Sit back and get ready to zANTI.
zANTI2 needs superuser privileges to work. Be sure to grant the full access, otherwise zANTI2 will not be functional.
Run through the initial setup, accept the terms of use, and grant superuser permission.
Let's take a first look at zANTI2's interface and explain the basic functions.
We'll start from the top. The action bar shows you the SSID, the name of the network you're connected to. Pretty useful stuff! Moving on, we have the History button. Tapping it takes you to another window showing the networks you have connected to, along with the targets that were found during the scan. It also shows you the number of open ports and the IP and MAC addresses. This might come in useful when gathering information about networks you connected to in the past.
Right next to the History button is a map network function. We will talk about this more in the following chapter as it's very important and needs more pages to fully explain the whole idea of it.
The next button is Search; it lets you find a device on a network by inputting its IP, MAC address, or a name.
The last button adds a host to the network, which can be useful for adding hosts from the Wide Area Network (WAN) and performing further actions on them; for example, you can check for remote vulnerabilities such as ShellShock or Poodle.
The rest you see in the middle is a result of a completed scan—displaying targets on a network. Every target has an IP address followed by a MAC address and occasionally a name.
The little round icon on the left represents the OS running on a target—Windows, Linux, or Android. It also shows you the type of a target, whether it's a computer, network router, or a device. The icon you see on the top indicates the entire network. When selected, any further action will affect every single device on the network.
Then there's the vendor of the target: Apple, Huawei, Samsung, Intel, HTC. Even this is something that gets captured by a quick network mapping.
The number you see on the very right is the number of open ports on the target. Open ports are very important for us, as we will use these numbers to find out further information and connect to them, and if they show any signs of vulnerabilities, run exploits on them.
Moving on. You can access a few more small features by swiping your finger to the right. These are not the main or primary functions of a network penetration tool, nor even new ones, but they can come in very useful, and above all they make zANTI2 an even more complete and compact application.
As you can see, we have a few more things to explore. Starting with network tasks, the MAC Changer does what it says; it simply changes your MAC address. MAC addresses are identifiers of each node of a specific network. You've probably signed up to networks, in airports for example, which will let you use the Internet connection for only 30 minutes or so. After you reach the limit your MAC address gets banned from the network, thus you can't use it anymore.
Changing your MAC address might in some cases give you 30 more minutes for a quick browse through the net.
A certain company once used special trash bins to track people's movement around the city based on their MAC addresses. This is possible because your MAC address gets broadcasted even if you're not connected to any network.
Ever heard of the app, Pry-Fi?
Pry-Fi aims to make your device as safe as possible, changing your MAC address every once in a while. The app also comes with something known as a War mode, which makes your device appear like it's a dozen people. This, according to the author's words, will flood the tracking data with useless information and possibly reduce the tracking that is being done on an everyday basis. Pry-Fi randomizes your MAC address, following a pattern that still makes the trackers think you are a real person, but they will not encounter your MAC address again.
That said, if you're not feeling safe enough, definitely check this app out, it comes free and is available on Google Play Store.
Moving on to zTether. Ever shared your mobile data connection to your friends? Well, this little feature lets you play with them a bit.
zTether offers full tether control by executing the MITM type of attacks, including redirect, a replace images feature, download interception, and every other feature that zANTI has to offer. We'll be talking about the MITM attacks in Chapter 5, Attacking – MITM Style.
The next feature, coming with a pretty fancy name, is RouterPWN. RouterPWN is a web application that uses and exploits various vulnerabilities in devices such as routers, access points, or switches.
It allows you to run local or remote web exploits, supports offline exploitation, and runs smoothly even in a mobile web browser, making it a really interactive tool for a lot of penetration testing work.
For example, RouterPWN is capable of converting SSID to wireless key (WEP) for Thomson SpeedTouch ST858 v6 models. So if your neighbor seems to use this kind of router, you might want to let him know his security status by doing some MITM magic on his network. RouterPWN is a great tool for security purposes, finding vulnerabilities in your network and making your network much more safe to use.
As seen in the preceding screenshot, RouterPWN opens as a mobile-friendly web page, which makes it really practical and easy to use. Tapping it in the zANTI app simply opens the URL for you, letting you interact further with this awesome tool on the Web.
The next function is the so-called cloud reports. We will not be using cloud reports, since this requires zConsole. Let's move on.
The Wi-Fi monitor shows a list of all available Wi-Fi networks in range. There's also a nice signal-strength scanner, which shows the intensity of each network's signal.
You can see a little bookmark-like marker that changes color depending on network security: green for secured networks, red for open ones. This shows us that it's not a good thing to leave our Wi-Fi routers accessible to anyone, and it really isn't; we'll get to that, don't worry, this is what the book is about.
Moving on to the next one, the HTTP server quickly creates an on-device HTTP server, letting you share folders and files over HTTP. This is useful for sharing files and the like, but we won't need it in our penetration testing chapters.
Looks like we're done with the Network Tasks section, leaving the Usability section untouched. This section contains a not-so-descriptive tutorial that quickly introduces users to the interface. This is followed by the Contact Us button, which allows you to share your thoughts, feedback and problems if you have any.
Should we have a look at settings, or not? It's just settings. Let's move on!
Come back to the home screen. The text saying devices found on your network clearly suggests the list you're looking at is the list of devices that are currently connected to the Internet.
If you're not seeing anything, it might be because either nobody is connected (though you should always see your device, that's the one saying This Device) or because zANTI2 hasn't scanned for devices yet.
To perform a quick scan, go ahead and tap that little button next to search.
A tiny popup will appear; let's leave the Intrusive Scan option unselected for now and hit OK to start scanning. The length of time may vary, depending on the network and number of devices connected.
If a scan has already finished and you start scanning afresh, the old values will be replaced with the new ones. Therefore, if you have just fired up zANTI2 after a while, you might want to rescan manually to work with results that are up to date.
Yay! Network scan completed. If you're that type of guy, you can even tweet about your freshly-completed scan but that's completely up to you.
If you take a closer look, you'll probably see your router with an IP address, let's say 192.168.1.1. This is the default gateway and it's also the IP of the router you're most likely connected to.
Let's go ahead and click on one of your targets, the router, for example. A new window will pop up giving you further information about the target. The IP, MAC, Name of the target, and ports are included in the report.
Take a look at the Comments section. You see, the guys from Zimperium have thought about your great and open mind, leaving the whole section free for you to express yourself. You can input words such as Hacked this bloke a week ago, this guy needs a rest. Will be back in two months!, and maybe some other types of useful stuff. Well, on a serious note, this section can be used to document and make notes of your progress.
Let's skip the middle section for now, but don't worry, we'll get back to it later.
Have a look at Nmap scan:
Nmap (Network Mapper) is an open source utility for network discovery and scanning, available not only for Linux but also for Windows. It supports a wide variety of scan types, including basic scan, ping scan, UDP scan, IP protocol scan, and many more. Since we'll be talking more about scans in the following chapters, let's just say that Nmap is a truly great utility, especially useful in network pentesting.
"We have all seen many movies like Hackers which pass off ridiculous 3D animated eye-candy scenes as hacking. So Fyodor was shocked to find that Trinity does it properly in The Matrix Reloaded. Needing to hack the city power grid, she whips out Nmap version 2.54BETA25, uses it to find a vulnerable SSH server, and then proceeds to exploit it using the SSH1 CRC32 exploit from 2001. Shame on the city for being vulnerable (timing notes)."
- http://nmap.org/movies/
Yup, the Nmap scan was even featured in the Matrix Reloaded.
That said, let's finally move on to the middle section, which will lead us to operative and attack actions. Don't worry, we'll get to know Nmap much better in the following chapter; it's an amazing tool!
Operative actions are those kinds of actions where the device tries to interact or discover the target and investigate it a bit closer, whereas attack actions simply perform attacks on that target.
The operative actions (scan and remote port connection) are covered in the following chapters (Chapter 2, Scanning for Your Victim, and Chapter 3, Connecting to Open Ports). Just to briefly show you around, the scan action performs a second scan, this time on the target only.
Scans, as mentioned earlier, are done using Nmap and are logged into the Nmap scan log afterwards.
Apart from having a good number of scan types to choose from, including Ping scan, UDP scan, and others, you can also execute a script. You can run AUTH, BROADCAST, BRUTE, DNS, SSH, SSL, and many more script types against the target, with the results going to the scan-log output, from which you'll retrieve information about the target.
We shouldn't forget about a tiny feature called smart scanning, which automatically searches for exploitable vulnerabilities.
Moving on to the port connection, this is one very interesting feature. zANTI2 lets you choose one of the available ports and establishes a connection to it.
We will, again, learn about this particular feature and its usability in Chapter 3, Connecting to Open Ports; it needs to be a bit further explained and investigated.
Let's have a look at attack actions, starting with password complexity audit.
Password complexity audit
The password complexity audit feature checks and, where possible, cracks access passwords for available services (SSH, for example) using the dictionaries available in the app.
Note
The password complexity audit function uses THC Hydra. Hydra performs brute-force attacks against remote authentication services and supports more than 30 protocols, including HTTP, HTTPS, TELNET, FTP, and many more.
To crack an access password, you'll ideally need some dictionaries to crack from. The developers made it easy, leaving five preloaded dictionaries directly in the app. You can also perform a brute-force attack without using a dictionary, but this might not always be the best option. You'll see why in Chapter 3, Connecting to Open Ports.
Starting with the small dictionary, this one is for the shortest possible passwords. It logically takes the least amount of time, since it holds the fewest words. On the other hand, the huge dictionary contains far more words. This increases the probability of finding and cracking the access password, but the whole process takes far more time.
While a dictionary attack works by trying the words listed in the dictionary provided by the user, an incremental attack is a brute-force attack. This kind of attack seems to be the simplest one. Simply put, it tries password combinations over and over again until it finally gets the right one.
Logically, attempting to crack a password without using any dictionaries is the most time-demanding process because the possible combinations are generated using your phone's processor, instead of trying predefined words from a dictionary.
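As an added example that is not part of the book or of zANTI2/Hydra, here is a small Python estimator of the two attack classes just described, dictionary and incremental, seen from the defender's side: given a candidate password it reports which class would recover it and how many guesses that takes. The tiny wordlist and the guess rate (10 per second, an assumption for an online service such as SSH) are constructed for the example.

```python
import string
from itertools import product

# Constructed stand-in for one of the app's preloaded dictionaries (assumption).
SMALL_DICTIONARY = ["123456", "password", "admin", "letmein", "qwerty"]

# Character classes an incremental (brute-force) attack would have to cover.
CLASSES = [string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation]

def minimal_charset(password):
    """Smallest union of classes that covers every character of the password."""
    return "".join(c for c in CLASSES if any(ch in c for ch in password))

def keyspace(n_symbols, max_len):
    """Candidates an incremental attack tries over all lengths 1..max_len."""
    return sum(n_symbols ** length for length in range(1, max_len + 1))

def rank(password, charset):
    """1-based position of password in shortest-first, then lexicographic order,
    i.e. the number of guesses an incremental attack needs to reach it."""
    n = len(charset)
    within = 0
    for ch in password:
        within = within * n + charset.index(ch)  # ValueError if ch not in charset
    return keyspace(n, len(password) - 1) + within + 1

def rank_by_enumeration(password, charset):
    """Same count, by actually enumerating candidates (short inputs only)."""
    guesses = 0
    for length in range(1, len(password) + 1):
        for candidate in product(charset, repeat=length):
            guesses += 1
            if "".join(candidate) == password:
                return guesses
    raise ValueError("password uses characters outside charset")

def audit(password, dictionary=SMALL_DICTIONARY, guesses_per_second=10.0):
    """Report which attack class recovers the password and the worst-case time.
    guesses_per_second is an assumed rate for an online service such as SSH."""
    if password in dictionary:
        guesses = dictionary.index(password) + 1
        method = "dictionary"
    else:
        guesses = rank(password, minimal_charset(password))
        method = "incremental"
    return {"method": method, "guesses": guesses,
            "seconds": guesses / guesses_per_second}
```

Because the incremental count assumes the attacker already knows the smallest character set in use, it is a lower bound on the effort; a password that falls to the dictionary branch is lost in seconds regardless of length.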
In case you wondered, this is how the cracked password message looks. Not the safest password now, is it?
Right below the password cracker is the well-known MITM, which is one of the spiciest features of the whole zANTI2 app. Hijacking accounts, passwords, replacing images, injecting custom JavaScript, and much more—this all is done using the Man-In-The-Middle attack. Amazing! Isn't it?
More about MITM, how it works and what it can do, is to come in Chapter 5, Attacking – MITM Style (the last chapter, ending the book in style).
The last two options in attack actions are the vulnerability checks. zANTI2 currently offers checking of ShellShock and SSL Poodle.