Penetration testing
A penetration test (or pentest, if you prefer) is an authorized, simulated intrusion or attack intended to uncover weaknesses, security issues, or vulnerabilities in a target such as a local network.
In this book, we will focus on Android penetration tests: not tests that exploit vulnerabilities in Android itself to prove the system insecure, but network tests carried out from an Android device. As you might know, there is a whole range of network penetration tools for Linux-based operating systems, including Kali Linux (formerly BackTrack), and there is a good number of Android tools as well.
Here's a screenshot from DroidSheep, an app that was very popular in its day for its simple user interface and high functionality, though it offered only one feature: session hijacking. The app didn't have a fully working SSL strip, but we'll get to that. Back then there was little need for SSL stripping anyway: most sites served their sessions over plain HTTP, so session cookies could be captured straight off the wire.
This finally brings us to penetration tests and, above all, their role in networking, operating systems, security, and basically everywhere else. Without penetration tests there would be far more successful attacks due to unpatched vulnerabilities, exploited security holes, and stolen data, carried out by attackers who were simply smart enough to find and exploit some random vulnerability in a system.
That said, we need penetration tests, period.
Getting to know the dark side of Android
Android is built on a Linux kernel. Since Linux is very flexible, we can do nice things with it, not in terms of changing live wallpapers, but in terms of permissions: root permissions, to be precise. Heard of them? Probably yes, and you're going to need them for pentests.
The fact that your Android device is rooted may actually be the result of an exploited vulnerability in the OS. If you've ever tried to root a device running Android 2.3 Gingerbread, you've probably heard of GingerBreak. This application ran an exploit (against the vold volume daemon, CVE-2011-1823) that tried to obtain root. Once it succeeded, the exploit remounted the /system partition read-write and ran an installer script to do the rest: the su binary was installed, along with the well-known Superuser app, and the system rebooted. Boom, easy. Most one-click root apps work like this, exploiting a privilege-escalation vulnerability that gives them more access to the system than an app is supposed to have.
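The installer step described above, written out as an added example (this is not GingerBreak's script or any root app's code). It assumes an attacker who already holds a root shell, the classic /system/xbin/su and /system/app/Superuser.apk layout of that era, and hypothetical function names of my own; passing a directory other than /system lets you stage the layout on a PC without touching a device.

```sh
#!/bin/sh
# install_su SYSTEM_DIR SU_BINARY [SUPERUSER_APK]
#   SYSTEM_DIR is /system on a real device. Any other directory is treated as a
#   staging area (no remount), which is how the self-test below runs it.
install_su() {
    sys="$1"; su_src="$2"; apk_src="$3"
    [ -f "$su_src" ] || { echo "su binary not found: $su_src" >&2; return 1; }
    # The real partition is mounted read-only; remount it read-write first.
    if [ "$sys" = "/system" ]; then
        mount -o remount,rw /system || return 1
    fi
    mkdir -p "$sys/xbin" "$sys/app" || return 1
    cp "$su_src" "$sys/xbin/su" || return 1
    # root-owned and setuid: this single mode bit is what lets 'su' hand out
    # uid 0 to any process that can execute it (chown needs root; ignored when
    # staging as an ordinary user)
    chown 0:0 "$sys/xbin/su" 2>/dev/null
    chmod 6755 "$sys/xbin/su" || return 1
    if [ -n "$apk_src" ]; then
        cp "$apk_src" "$sys/app/Superuser.apk" && chmod 644 "$sys/app/Superuser.apk" || return 1
    fi
    if [ "$sys" = "/system" ]; then
        mount -o remount,ro /system
    fi
    return 0
}

# check_su SYSTEM_DIR: succeed only if a setuid, executable su is in place.
# This is effectively what a pentest app's "is this device rooted?" probe checks.
check_su() {
    [ -u "$1/xbin/su" ] && [ -x "$1/xbin/su" ]
}
```

Note that the very same setuid bit is the thing a malicious app looks for: on a rooted device, any process that can run su can escape the per-app uid sandbox, which is why the Superuser app's prompt is the only barrier left.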
Besides root access, you'll need the Swiss army knife of Unix: BusyBox.
BusyBox is a single binary that bundles a large set of standard Unix utilities and commands, many of which are not shipped with Android, and lets you install all of them in one package.
By typing busybox in a terminal, you can see how many commands (applets) BusyBox provides. Installing BusyBox is a necessity for running the network attacks and penetration tests on a network described in this book.
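Rather than eyeballing the applet list, you can check it for the commands a network pentest tool actually depends on. The script below is an added example, not code from the book or from any pentest app; the set of required applets is my assumption of what such a tool typically needs, so adjust it for your tool.

```sh
#!/bin/sh
# Assumed applet list; zANTI's real dependencies are not documented here.
REQUIRED_APPLETS="arp arping ifconfig ip nc netstat nslookup ping route wget"

# list_applets: print the applets the installed BusyBox provides, one per line.
# 'busybox --list' exists in BusyBox 1.20 and later; older builds only print
# the applets in the banner of a bare 'busybox' call, so parse that instead.
list_applets() {
    if busybox --list 2>/dev/null; then
        return 0
    fi
    busybox 2>/dev/null \
        | sed -n '/^Currently defined functions:/,$p' \
        | tail -n +2 | tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# missing_applets APPLET_FILE: given a file with one applet name per line
# (as produced by list_applets), print each required applet that is absent.
missing_applets() {
    for a in $REQUIRED_APPLETS; do
        grep -qx "$a" "$1" || echo "$a"
    done
}

# check_busybox: succeed only when every required applet is available on
# this device; otherwise report what is missing on stderr.
check_busybox() {
    tmp=$(mktemp) || return 1
    list_applets > "$tmp"
    missing=$(missing_applets "$tmp")
    rm -f "$tmp"
    if [ -n "$missing" ]; then
        echo "missing BusyBox applets: $(echo $missing | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}
```

Run check_busybox in a terminal app on the device after installing BusyBox; an empty result means the tool's helper commands will resolve, a non-empty one usually means a partial install or a build that left out networking applets.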
Since our little penetration application uses quite a few utilities provided by BusyBox, be sure to have it fully installed on your Android device. BusyBox can easily be installed from one of the BusyBox installers available in the Google Play store: just search for BusyBox and you should be good to go.
To avoid any problems, I recommend the BusyBox application by the developer Stephen (Stericson); it works seamlessly. The following screenshot displays the BusyBox application's download screen:
One of the most advanced penetration testing tools for Android, the well-known dSploit, was created a few years ago. It was capable of some crazy stuff. Here's a list of some of the game-changing features that really moved Android penetration testing forward:
- Inspector (fingerprints the target, identifies its OS, and more)
- Vulnerability finder
- Login cracker
- Man-in-the-middle attacks, including redirects, image/video replacement, a JavaScript injector, and custom filters that replace text on web pages
These are just a few of the features that made dSploit an awesome tool. A few years later, the main developer of dSploit joined Zimperium, a company offering enterprise-class protection for mobile devices and tablets against advanced mobile attacks. They made some really good tools, including:
- zIPS
- zConsole
- zANTI
zIPS aims to protect your device as much as possible: it alerts you when there's an attacker nearby trying to hijack your passwords, or simply running a TCP scan against your device, and it automatically responds to keep you protected. zConsole collects all the reports from zIPS or zANTI and shows them in a nice interface on your desktop. If you're interested in taking network security to a higher level, you can protect yourself and order these tools at http://www.zimperium.com/.
And then there's zANTI, the reason why you're here reading these lines.