Penetration Testing Mobile Devices: So how do we pen test mobile devices? In many ways the process is similar to what we are already using in a traditional setting, but with some minor differences along the way.
NOTE: Remember that in regard to security, mobiles are so diverse that they are a bit of an unknown quantity.
You also need to keep in mind how users of these devices work; they can be extremely mobile, which means data and communications can be flowing in all different directions and ways, unlike in traditional office settings.
So what does the testing process look like when mobile devices start to creep into the picture? Here is a quick overview of how to evaluate these devices.
Footprinting
Many of the scanning tools we examined in our Footprinting phase can be used to locate and identify a mobile device plugged into a network.
A tool like Nmap, for example, can be used to fingerprint an OS under many conditions and return information as to its version and type.
Once you find mobile devices in the environment, make sure to note their information such as MAC address, IP address, version, type, and anything else of value.
Scanning
For mobile devices attached to the network you are evaluating, use a piece of software such as Kismet to find out which wireless networks the devices are looking for.
Exploitation
Use man-in-the-middle attacks, spoofing, ARP poisoning, and other such mechanisms to attack a device.
Use traffic insertion attacks to deliver client-side exploits to vulnerable systems and devices or manipulate captured traffic to exploit back-end servers.
Post Exploitation
Inspect sensitive data areas on mobile devices for information such as Short Message Service (SMS) and browser history databases.
Note that forensics tools are available for cell phones that can extract this information as well.
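As an added example (not code from the original article), the note-taking in the Footprinting step above can be automated from Nmap's XML output: this script parses a constructed `nmap -O -oX` sample, skips hosts Nmap reported as down, and keeps only hosts whose OS fingerprint marks them as phones or tablets, recording the IP address, MAC address, vendor, and OS details the text says to note. The hosts, addresses, and OS matches in the sample are constructed, not from a real scan.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of `nmap -O -oX` output (three hosts, one down); not from a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -O -oX - 192.0.2.0/28">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac" vendor="Samsung Electronics"/>
  <os><osmatch name="Android 9 - 10 (Linux 4.9 - 4.14)" accuracy="96">
    <osclass type="phone" vendor="Google" osfamily="Android" osgen="9.X" accuracy="96"/>
  </osmatch></os></host>
<host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/><address addr="66:77:88:99:aa:bb" addrtype="mac" vendor="Dell Inc."/>
  <os><osmatch name="Microsoft Windows 10 1809" accuracy="94">
    <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="10" accuracy="94"/>
  </osmatch></os></host>
<host><status state="down"/><address addr="192.0.2.30" addrtype="ipv4"/></host>
</nmaprun>"""

MOBILE_OS_FAMILIES = {"Android", "iOS"}  # osfamily values Nmap assigns to phones and tablets

@dataclass
class HostRecord:
    ip: str          # the details the footprinting step says to note for each device
    mac: str
    vendor: str
    os_name: str
    os_family: str
    device_type: str  # Nmap's osclass "type", e.g. "phone" or "general purpose"

    def is_mobile(self) -> bool:
        return self.os_family in MOBILE_OS_FAMILIES or self.device_type == "phone"

def parse_hosts(xml_text: str) -> list[HostRecord]:
    records = []  # one record per live host; Nmap always emits a <status> per host
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # skip hosts Nmap reported as down
        ip = mac = vendor = ""
        for addr in host.findall("address"):
            if addr.get("addrtype") == "mac":
                mac, vendor = addr.get("addr", "").upper(), addr.get("vendor", "")
            elif addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr", "")
        match = host.find("os/osmatch")  # Nmap lists matches best-first; take the first
        osclass = match.find("osclass") if match is not None else None
        attr = lambda el, key: el.get(key, "") if el is not None else ""
        records.append(HostRecord(ip, mac, vendor, attr(match, "name"),
                                  attr(osclass, "osfamily"), attr(osclass, "type")))
    return records

def mobile_devices(xml_text: str) -> list[HostRecord]:
    return [r for r in parse_hosts(xml_text) if r.is_mobile()]
```

Feed it the file written by `nmap -O -oX scan.xml <range>` to get the same inventory for a real scan; hosts with no OS match are kept by `parse_hosts` with empty OS fields and simply never appear in `mobile_devices`.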
Penetration Testing Using Android
Another option available to you in penetration testing is to use a mobile device itself. In this section we will look at the tools that can be installed on Android that can enhance our capabilities to run a thorough test.
NOTE: Since we have covered all the attacks and the theory behind these tools in other articles, we will not give long descriptions of each type of attack again here.
If you wish to try any of these tools, you will need to root your phone and make sure you have backed up your data beforehand.
- IP Tools by AmazingByte is a collection of tools used to provide information about different properties of the network, including routing information, DNS settings, IP configuration, and more.
- LandDroid by Fidanov Networks is another collection of network information tools much like IP Tools. It’s not as complete as IP Tools, but it is still useful and well designed.
- The Network Handbook by Smoothy Education is a set of tools and information that is designed to aid in network troubleshooting, but it can also be helpful for gaining information about a network.
- Fing by Overlook is a set of tools for network analysis that include the ability to assist in the evaluation of network security, host detection, and some Wi-Fi tools.
- Mobile NM by Gao Feng is a mobile version of the powerful Nmap port and network scanner.
The mobile version operates with essentially the same capabilities as the Nmap we explored in other articles on this blog.
- Port Scanner by Catch 23 can gain much of the same information as the rest of the tools in this list, but it also includes support for technologies such as 3G and more.
- Network Discovery by Aubort Jean-Baptiste is similar to Fing in many ways but with a different interface.
- Packet Capture by Grey Shirts is much like Wireshark but does not require root permissions to operate.
- Packet Generator by NetScan Tools is one of the few packet crafters available for the Android OS, and it works similarly to regular packet crafters like hping.
- Shark for Roots by Elviss Kustans is essentially a scaled-down version of Wireshark for Android. Unlike some other sniffers, this requires root access on the device to function properly.
You must download Shark Reader to examine the captured traffic on the phone or tablet it runs on.
- UPnP Scanner by GeminiApps can scan and detect Universal Plug and Play devices on the network.
This means other computers, mobile devices, printers, and other devices can be revealed on the network.
- Intercepter-NG is a network toolkit that has the functionality of several well-known separate tools built in and offers a good and unique alternative to other sniffing tools.
- NetCat for Android by NikedLab is simply a port of the original NetCat for the Android operating system.
- PacketShark from GL Communications is a packet sniffer application. Its features include a friendly capture options interface, filter support, live capture view, and Dropbox upload of captured files.
- SharesFinder by srcguardian is a utility designed to find network shares on the local network segment. It can be useful in locating unsecured or unprotected shares.
Session Hijacking Tools
- DroidSheep by Andreas Koch works as a session hijacker for non-encrypted sites and allows you to save cookies/files/sessions for later analysis.
This one is not available on the Google Play Store and must be located through a search. The device must be rooted.
- FaceNiff is an app that allows you to sniff and intercept web session profiles over Wi-Fi networks.
This tool is also not available on the Google Play store so you will have to search for this one.
- SSLStrip for Android (Root) by NotExists is an app used to target SSL-enabled sessions and substitute non-SSL-enabled links in order to sniff their content.
Denial of Service
- Low Orbit Ion Cannon (LOIC) by Rifat Rashid is a network stress-testing tool that performs a denial-of-service attack against a target application.
LOIC performs a denial-of-service (DoS) attack (or when used by multiple individuals, a DDoS attack) on a target site by flooding the server with TCP or UDP packets with the intention of disrupting the service of a particular host.
- AnDOSid by Scott Herbert allows security professionals to simulate a DoS attack.
AnDOSid launches an HTTP POST flood attack, where the number of HTTP requests becomes so huge that a victim’s server has trouble responding to them all.
- Easy Packet Blaster by Hunter Davis is another utility that is simple to use but can very effectively shut down a network host with traffic.
- WPScan for Android by Alessio Dallas Piazza is a black-box WordPress vulnerability scanner written in Ruby that attempts to find known security weaknesses in WordPress installations.
- App Scanner by Trident Inc. is a utility designed to specifically target applications and their potential vulnerabilities.
- CCTV Scanner is an app designed to locate cameras on networks and give information regarding the device.
- NetCat by Fortiz Tools is used to test the security of firewalls.
SQL Injection Tools
- DroidSQLi is an automated MySQL injection tool for Android. It allows you to test your MySQL-based web application against SQL injection attacks.
- Sqlmapchik by Maxim Tsoy is a cross-platform GUI for the popular sqlmap tool. It is primarily used on mobile devices.
- SQLite Editor by Weavebytes is a high-quality and very capable tool for evaluating and testing for SQL injection within web applications.
- SandroProxy by sandrob is used to send your traffic through a preselected proxy, obfuscating where it comes from.
- Psiphon is not really a proxy tool but a VPN technology that can be used to protect traffic to and from a mobile device.
It can be used to protect only web traffic or it can tunnel all the traffic on a device through the service.
Web Application Testing
- HTTP Injection by Evozi is used to modify requests to and from websites and is helpful for analyzing web applications.
- HTTP Tool by ViBO is designed to allow the tester to execute custom HTTP requests to evaluate how an application responds.
- Burp Suite is simply a port of the same tool from the desktop version.
Log File Readers
- Syslog is used for reading log files on a mobile system.
- ALog reader is another log file reader.
- Wifite is an automated wireless cracking tool for Android and the Linux platform.
It can crack WEP and WPA as well as WPS-enabled networks.
- AirMon by Maxters is an app for sensing, monitoring, and picking up wireless traffic.
- WifiKill by Mat Development can scan a network and terminate wireless hosts it discovers.
- Wigle Wi-Fi Wardriving from WiGle.net is a port of the same tool for the desktop environment.
- Kismet is available for Android and is a port of the popular Linux tool.
- dSploit Scripts by jkush321 is a suite of tools that can easily map your network, fingerprint live hosts’ operating system and running services, search for known vulnerabilities, crack logon procedures of many TCP protocols, and perform man-in-the-middle attacks such as password sniffing and real-time traffic manipulation.
Note that dSploit’s developers have merged their effort with zANTI, which is also listed here.
- zANTI is a comprehensive network diagnostic toolkit that enables complex audits and penetration tests at the push of a button.
zANTI offers a comprehensive range of fully customizable scans to reveal everything from authentication, backdoor, and brute force attempts to database, DNS, and protocol-specific attacks, including rogue access points.
- Hacode by Ravi Kumar Purbey is another suite of tools much like zANTI and dSploit in scope and power.
- Orbot is a free proxy app from the Tor Project that empowers other apps to use the Internet more securely.
Orbot uses Tor to encrypt your Internet traffic and then hides it by bouncing it through a series of computers around the world.
- Orweb from the Guardian Project is a private web browser specifically designed to work with Orbot and is free.
It can be a little slow, but it offers a high degree of protection and the most anonymous way to access any website, even if it’s normally blocked, monitored, or on the hidden web.
- Incognito is a web browser built for private browsing. It may not be as secure and private as Orweb, but it is still a great option to have available.