G900F - MITM attack help - Galaxy S 5 Q&A, Help & Troubleshooting

Hi
I'm not entirely sure where to put this question so please move if appropriate.
I have a G900F running Omega v9.
I have been playing with some apps for wireless pen testing such as dsploit and zanti.
Every time I launch a MITM attack the first part of the attack seems to work, i.e. traffic is being routed to the phone as a proxy for the attack vector.
However there is some kind of routing issue as no traffic makes it past the device. So client devices have no Internet connection.
Any ideas?
Obviously on a PC it's much easier to troubleshoot, but I'm not sure where to start on the phone!

hongman said:
Hi
I'm not entirely sure where to put this question so please move if appropriate.
I have a G900F running Omega v9.
I have been playing with some apps for wireless pen testing such as dsploit and zanti.
Every time I launch a MITM attack the first part of the attack seems to work, i.e. traffic is being routed to the phone as a proxy for the attack vector.
However there is some kind of routing issue as no traffic makes it past the device. So client devices have no Internet connection.
Any ideas?
Obviously on a PC it's much easier to troubleshoot, but I'm not sure where to start on the phone!
Not sure on Android specifically, but if it were Linux it sounds like IP forwarding is not enabled or the attack was not set up properly.

Does Android have any built-in firewalling? The attacks are very simple to set up in all of the apps I have, nothing much to set!

hongman said:
Does Android have any built-in firewalling? The attacks are very simple to set up in all of the apps I have, nothing much to set!
Honestly not sure, but I would assume that if your WiFi hotspot app works then IP forwarding should be enabled.

hongman said:
Does Android have any built-in firewalling? The attacks are very simple to set up in all of the apps I have, nothing much to set!
Yes, it's called iptables. And a GUI is also there, called AFWall+.

Related

HTTP POST Capture

I was wondering whether there is such software for the android that can capture http posts before sending. i.e. like the firefox addons you can get and apps like http analyzer?
This would be really useful for testing purposes.
Cheers.
Gazos
You can try some general traffic capture tools (like tcpdump or airodump-ng). If you have a rooted phone, check out Shark for Root (tcpdump on phone).
Thanks for the update, but I guess what I want is real-time captures (and manipulation) like it's possible in Firefox, using only the phone.
I currently use tcpdump to capture data but want to edit the data before it's sent out.
You can try to find/write a small proxy server application and run it on the phone, so you will be in control.
ex87 said:
You can try to find/write a small proxy server application and run it on the phone, so you will be in control.
Or you could run Paros (http://sourceforge.net/projects/paros/files/) on a machine on your network and get the Android browser to use it as the proxy (which looks like a bit of a task in itself).
The only viable way I can think of to do this (given Android's insane lack of proxy support) is to hack a custom firmware for a Linksys WRT54g so it basically routes everything to a transparent proxy (Fiddler2, Webscarab, Paros, Burp, etc) running on a PC. Something like this:
Android =[wi-fi]=> WRT54g -[ethernet]-> PC with proxy -> internet router
It might even be possible to achieve this without hacking the WRT54g.
The only problem you might still have (not sure) is Android's handling of invalid SSL certs since the proxy would basically be doing a man in the middle attack, and the app running on the Android phone would see an invalid SSL cert.
Be warned that trying this with a Windows host PC is almost guaranteed to fail unless it's Pro/Ultimate, and in any case this is going to involve some seriously hardcore manual routing config that goes beyond anything Windows' config screens were really intended to set up.
You can try to find/write a small proxy server application and run it on the phone, so you will be in control.
I'm pretty sure I saw this discussed on the android.security list, and the consensus was that the current API doesn't give any way to do this transparently, and it's questionable whether you could even implement something like WebScarab natively on Android using the NDK. I believe the general consensus was that if you want to host something like WebScarab on Android, it's going to take a custom kernel to pull it off, and some solution that lets you offload the actual proxying to a regular PC would be infinitely easier to pull off, and less cumbersome to use for actual security testing (it's enough of a pain trying to use Fiddler2 or Webscarab with a 1280x1024 display, let alone 854x480... not to mention trying to cut and paste examples into Word Documents for vulnerability assessment reports (shudder)).
^^^ OMG. I just installed AOSP ("Buufed") for the CDMA Hero, and it actually HAS the ability to set proxy for WiFi. I haven't tried it yet, and I'm not sure whether it's purely an "AOSP" feature or something I've just overlooked up to now that was in DamageControl, but it looks like at least *some* Android builds DO have it now
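The replies above suggest running a small proxy so the phone's HTTP POSTs can be seen and edited before they go out. Below is an added example of such a proxy in Python, written for this page rather than taken from the thread or from Paros, Burp or Fiddler: it parses each request, logs POST bodies, optionally rewrites urlencoded form fields, and relays the request to the origin. The listen address 127.0.0.1:8080 and the field names in the overrides are assumptions. It handles plain HTTP only, so the certificate-warning problem mentioned above does not arise, and HTTPS bodies are not visible to it.

```python
"""Minimal logging/rewriting HTTP forward proxy for testing one's own app traffic.

Added example, not code from the thread or from Paros/Burp/Fiddler. Plain HTTP only:
HTTPS reaches a proxy as a CONNECT tunnel, which this does not terminate, so the
certificate problem raised in the thread does not arise (and HTTPS bodies stay hidden).
Listen address and the form fields to override are constructed for the demo.
"""
import socket
import socketserver
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_REQUEST = 1 << 20  # refuse requests above 1 MiB so a client cannot exhaust memory


def parse_http_request(raw: bytes):
    """Parse one HTTP/1.x request; return None while the head or body is still incomplete."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))  # no chunked-encoding support (assumption)
    if len(body) < length:
        return None
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:length]}


def rewrite_form_body(body: bytes, overrides: dict) -> bytes:
    """Edit urlencoded POST fields before they leave the device: the thread's 'manipulation' step."""
    fields = {k: v[-1] for k, v in
              parse_qs(body.decode("latin-1"), keep_blank_values=True).items()}
    fields.update(overrides)
    return urlencode(fields).encode("latin-1")


def serialize(req: dict) -> bytes:
    """Origin-form request: path-only target, recomputed Content-Length, hop-by-hop headers dropped."""
    parts = urlsplit(req["target"])
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    headers = {k: v for k, v in req["headers"].items()
               if k not in ("proxy-connection", "connection", "content-length")}
    headers["content-length"] = str(len(req["body"]))
    headers["connection"] = "close"
    head = f"{req['method']} {path} {req['version']}\r\n" + \
        "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("latin-1") + b"\r\n" + req["body"]


class CaptureProxy(socketserver.BaseRequestHandler):
    overrides = {}  # form fields to rewrite on every urlencoded POST; empty means log only

    def handle(self):
        buf, req = b"", None
        while req is None and len(buf) < MAX_REQUEST:
            chunk = self.request.recv(65536)
            if not chunk:
                return
            buf += chunk
            req = parse_http_request(buf)
        host, _, port = (req or {}).get("headers", {}).get("host", "").partition(":")
        if req is None or req["method"] == "CONNECT" or not host:
            self.request.sendall(b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n")
            return
        if req["method"] == "POST":
            print(f"POST {req['target']} body={req['body']!r}")
            if self.overrides and req["headers"].get("content-type", "").startswith(
                    "application/x-www-form-urlencoded"):
                req["body"] = rewrite_form_body(req["body"], self.overrides)
        with socket.create_connection((host, int(port or 80)), timeout=10) as upstream:
            upstream.sendall(serialize(req))
            while True:  # relay the response bytes back to the client
                data = upstream.recv(65536)
                if not data:
                    break
                self.request.sendall(data)


if __name__ == "__main__":
    # Point the phone's browser or app at this address as its HTTP proxy (constructed).
    with socketserver.ThreadingTCPServer(("127.0.0.1", 8080), CaptureProxy) as srv:
        srv.serve_forever()
```

Set `CaptureProxy.overrides = {"debug": "1"}` (constructed field) to rewrite a form field on every POST; with it empty the proxy only logs. Getting the phone's traffic to it is the part the thread argues about: the Wi-Fi proxy setting mentioned in the last post, or the router-in-front-of-a-PC layout sketched above.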

New android malware

http://www.ubergizmo.com/2012/09/new-naval-app-secretly-recreates-environments-from-your-phone/
The Naval Warfare Surface Center in Crane, Indiana today revealed a smartphone app that puts the capability of modern smartphones to observe areas in sharp relief and shows the power of malware to tap into those capabilities. The app, PlaceRaider, is capable of running in the background of any smartphone running Android 2.3. While running in the background, it takes photos at random while recording the orientation and location of the phone. Those photos get sent back to a central server, where they can be used to reconstruct a pretty good idea of where the phone has physically been.
What do you guys think?
I'm gonna do it to every single one of my friends and creep on them.
At least with Android it will eventually be found and there will be a fix or a way to prevent it; who knows what Apple is doing with iOS, and even if the problem is found, one would have to wait for Apple to patch a bug, but only if they choose to.
http://news.cnet.com/8301-13579_3-20014356-37.html
In some embodiments, an unauthorized user can be detected by comparing the identity of the current user to the identities of authorized users of the electronic device. For example, a photograph of the current user can be taken, a recording of the current user's voice can be recorded, the heartbeat of the current user can be recorded, or any combination of the above. The photograph, recording, or heartbeat can be compared, respectively, to a photograph, recording, or heartbeat of authorized users of the electronic device to determine whether they match. If they do not match, the current user can be detected as an unauthorized user.
The Linux kernel has iptables as a firewall; if you are rooted, you can use DroidWall to manage it, and not even that spying app can get any internet. Personally, I always manage which app gets internet access on my device.
eksasol said:
At least with Android it will eventually be found and there will be a fix or a way to prevent it; who knows what Apple is doing with iOS, and even if the problem is found, one would have to wait for Apple to patch a bug, but only if they choose to.
http://news.cnet.com/8301-13579_3-20014356-37.html
The Linux kernel has iptables as a firewall; if you are rooted, you can use DroidWall to manage it, and not even that spying app can get any internet. Personally, I always manage which app gets internet access on my device.
Very nice tip! I downloaded DroidWall and it does exactly as you say!
Thanx!
However, with DroidWall you need to enable all the system apps and services, otherwise you'll start finding things like the Play Store not working.
If using DroidWall gets confusing, LBE Security Manager also has an internet firewall, but it doesn't utilize the same method; DroidWall works at the kernel level and will override LBE. LBE is also a very essential app, though. It can monitor how much data each app uses as well and set the permissions for each app, although if you flash ROMs all the time it gets tiresome to configure after each flash, and you also have to know which permissions to enable for some apps so as not to interfere with their normal functions.
Dear hacker guy,
Good luck reconstructing the images and dimensions of my butt pocket.
-signed dgaf user
Sent from my SGH-T959
suchavibrantthang said:
Dear hacker guy,
Good luck reconstructing the images and dimensions of my butt pocket.
-signed dgaf user
Sent from my SGH-T959
?????

Mobile phone Intrusion Detection System

Hi,
I'm new to this forum and after having a solid look around the site I have been unable to find anything that comes close to what I have in mind.
I am currently a student at Edinburgh Napier University and I am looking into the possibility of creating a local Intrusion Detection System on a Smartphone. One capable of informing a user that an intruder is currently attempting to gain access to their device and carry out malicious activities.
Has anyone managed to find anything I have not, as I am under the impression that no such software exists for any type of Smartphone device? My main consideration is Windows Phone, but I would like to hear about anything that is out there that relates to this.
Any help would be amazing.
Thanks in advance :highfive:
I have no input, but this is interesting stuff. Will the hardware be robust enough to support it?
I know people have gotten Ubuntu running on various mobile devices, but it'd be interesting to see how SNORT (or similar) plays with mobile hardware.
The problem you are going to have (not insurmountable) is that if you ignore the infosec/marketing, what you have out there is primarily black-box IDS devices, with capabilities to also run as an IPS.
However, only the most naive, such as UK Gov & Local Gov (certainly none of the Tier 1 investment banks I have worked for), have switched IPS on, for fear of backlash. It would be something, if developed, I would be interested in seeing; certainly if it could act as an IDS on an ad-hoc VPN there are commercial opportunities there....
So ask yourself - are you REALLY wanting to BOTH Detect and Prevent, or merely Detect and Acknowledge? The latter is an easier task, with less of a hit on functionality.
Perhaps there is an old Cybertrust source code now open source.... as a thought for you, but it would need re-engineering as it was a custom image.
In the meantime, if what you actually want is single IP/MAC/hardware protection - why not root the device, install Synodroid (to control who or what has SU-equivalent access) & DroidWall (firewall to limit traffic) & do an audit of the apps you have downloaded and the rights requested. Perhaps set up a VPN to your university network or local broadband router (if you trust who manages them) so at least there is another layer to go through. However, if you are someone who opens zips/tars on the device with install privileges elevated then you're accepting the consequences. (Above is Android related)
There is bound to be an IP traffic audit tool app - so you could use it to record a 24/26/48 hour period of the address ranges and what process linked back. But as you then start moving down the complete pain-in-the-neck firewall rule analysis piece and SIEM world, don't!
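finlaand's suggestion of recording, over a day or two, which addresses each process talked to can be done without a packet capture: the kernel exposes every TCP socket together with its owning UID in /proc/net/tcp, and on Android each app is its own UID. The Python below is an added example (not from the thread or from any app named in it) that parses a constructed snapshot of that file, groups remote peers per app and flags anything outside a recorded baseline. The UID-to-package names and the snapshot lines are constructed; on a device the map would come from the package manager.

```python
"""Per-UID connection audit from /proc/net/tcp (added example, not from the thread).

Android runs every app as its own Linux UID (user-installed apps from 10000 up) and the
kernel lists each TCP socket in /proc/net/tcp together with the owning UID, so a snapshot
maps remote endpoints back to apps with no packet capture and no root. The sample below
is constructed; on a device the UID-to-package map comes from `pm list packages -U`
(assumption about available tooling).
"""
import os
import socket
import struct
from collections import defaultdict

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

# Constructed UID -> package map standing in for `pm list packages -U` output.
UID_NAMES = {1000: "system", 10045: "com.example.mail", 10060: "com.example.game"}

# Constructed /proc/net/tcp snapshot: a system listener, two app connections, one TIME_WAIT.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C3A2 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000 10045        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C3B0 076433C6:1F90 01 00000000:00000000 00:00000000 00000000 10060        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:C3C1 0B7100CB:01BB 06 00000000:00000000 00:00000000 00000000 10045        0 0 3 0000000000000000
"""


def decode_endpoint(hex_addr: str):
    """'0100007F:1F90' -> ('127.0.0.1', 8080). The kernel prints IPv4 as a host-order
    32-bit integer, which is little-endian on the ARM and x86 devices Android runs on."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str):
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7])})
    return rows


def remote_peers_by_uid(rows, uid_names=None):
    """{app: sorted 'ip:port' peers}, skipping listeners and sockets with no peer."""
    peers = defaultdict(set)
    for r in rows:
        if r["state"] == "LISTEN" or r["remote"] == ("0.0.0.0", 0):
            continue
        app = (uid_names or {}).get(r["uid"], f"uid:{r['uid']}")
        peers[app].add("%s:%d" % r["remote"])
    return {app: sorted(p) for app, p in peers.items()}


def flag_unexpected(peers, allowlist):
    """Apps that reached anything outside their recorded baseline (an app missing from the
    baseline is reported whole). The baseline is what the thread's 24/48 hour recording builds."""
    return {app: sorted(set(p) - set(allowlist.get(app, ())))
            for app, p in peers.items() if set(p) - set(allowlist.get(app, ()))}


if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_TCP
    for app, p in remote_peers_by_uid(parse_proc_net_tcp(text), UID_NAMES).items():
        print(app, p)
```

Polling the file every few seconds over the recording window and feeding the union of peers into `flag_unexpected` as the baseline gives the "what talked to what" audit without touching firewall rules; the same UID column is what the per-app firewalls discussed elsewhere on this page key on.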
Thanks finlaand
Thanks finlaand that is a lot to go on I really appreciate your thoughts.
I will be sure to keep you all up-to-date on how things are going.
Many thanks again :good:

Request: Tcping

I'm a network admin and I use the free utility Tcping to ping my access points remotely. I'd like to be able to use it on my phone as well, but there isn't an app that does anything like it as far as I can tell. I tried compiling it from source on my phone, but I wasn't able to get it to work.
Does anyone know if it is possible to port the linux version of tcping to android (without installing debian/ubuntu)?
Link: http://www.linuxco.de/tcping/tcping.html
cheezbergher said:
I'm a network admin and I use the free utility Tcping to ping my access points remotely. I'd like to be able to use it on my phone as well, but there isn't an app that does anything like it as far as I can tell. I tried compiling it from source on my phone, but I wasn't able to get it to work.
Does anyone know if it is possible to port the linux version of tcping to android (without installing debian/ubuntu)?
Link: http://www.linuxco.de/tcping/tcping.html
Have a look at https://play.google.com/store/apps/details?id=se.ping.android.hostmonitor
It's not tcping, but it's an app capable of tcp ping. A really good app, if I may say so myself.
kuisma said:
Have a look at https://play.google.com/store/apps/details?id=se.ping.android.hostmonitor
It's not tcping, but it's an app capable of tcp ping. A really good app, if I may say so myself.
Thanks for the suggestion! That app is capable of pinging a specific port, but it lacks certain features that I would need as well. I couldn't find a way to do a manual refresh (necessary for troubleshooting) and the way that this app manages port numbers is just not what I'm looking for. I need to be able to just type in a port and hit go, I don't want to be creating a gigantic list of ports in the app's settings.
However, I did find this app, which is a lot closer to what I want: http://play.google.com/store/apps/details?id=com.odinnet.servermonitor&hl=en
cheezbergher said:
I couldn't find a way to do a manual refresh (necessary for troubleshooting)
Ping HostMonitor refreshes each time the main activity (host list) opens/reopens.
Sorry, I just realized that was your app. Allow me to explain what I need so you can see what I'm looking to do.
I'm a WiFi network technician. The company I work for manages the guest networks for hundreds of hotels all over the southeastern US. On each site, we have dozens of access points (there's actually one resort where we have over 500 APs). All of the access points are accessible through our firewall via specified ports that vary from site to site.
We have a webpage that displays all of the APs at each site with their port # and an uptime display that is only accurate to within 15 minutes. So if I'm troubleshooting remotely I use tcping to see when an AP comes up in real time after a remote reboot.
Your app seems to be geared more towards what IPSentry does, where it pings in 15-minute intervals. I'm looking to run pings in 3-second intervals or less.
Also, I would like to be able to just type the hostname and port then hit go. Your app is made more for a network admin who manages a single network or a couple of networks, and it just takes too many steps to enter in a port to be pinged. However, there are some features of your app that I really, really like, including only pinging a specific host when connected to a certain SSID.
I really like your app, but I need to run pings in 3-second intervals and it's just too difficult on Ping HostMonitor. If you would consider adding this feature, I will be eternally grateful.
cheezbergher said:
Sorry, I just realized that was your app. Allow me to explain what I need so you can see what I'm looking to do.
Something like this?
Hey thanks man! I tried it though and I can't get it to run. I've attached a screenshot, am I doing it wrong?
cheezbergher said:
Hey thanks man! I tried it though and I can't get it to run. I've attached a screenshot, am I doing it wrong?
The sdcard isn't mounted allowing execute access. Put it someplace else, e.g. /data/local/tcping
Holy moly, it works perfectly! Thanks a million, man!
Now if you had the time, you could make an app version with a GUI. I'd definitely pay for an app that could do this.
Thanks again for all your help!
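For readers who want the behaviour rather than the binary, here is an added Python example of the TCP ping that tcping performs (written for this page; not the tcping project's or Ping HostMonitor's code): a connect to the target port, classified as open, refused or timed out, repeated at the 3-second interval cheezbergher asked for. The AP hostname and port in the demo call are constructed, and the loopback listener exists only so the probe can be exercised offline.

```python
"""TCP "ping" in the spirit of tcping (added example; not the tcping project's code).

A TCP connect to a port shows the host is up and the service is listening even where ICMP
echo is filtered; a refused connection (RST) still proves the host is reachable, a timeout
means nothing answered. The 3-second default interval follows the thread; host and port in
the demo call are constructed.
"""
import socket
import time


def tcp_ping(host: str, port: int, timeout: float = 2.0):
    """Return (status, rtt_ms): status is 'open', 'closed', 'timeout' or 'error'."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", (time.monotonic() - start) * 1000.0
    except ConnectionRefusedError:  # host answered with RST: reachable, port closed
        return "closed", (time.monotonic() - start) * 1000.0
    except (socket.timeout, TimeoutError):
        return "timeout", None
    except OSError:  # DNS failure, no route, network down
        return "error", None


def ping_loop(host: str, port: int, count: int = 5, interval: float = 3.0, timeout: float = 2.0):
    """Probe `count` times, `interval` seconds apart, printing tcping-style lines; return a summary."""
    results = []
    for i in range(count):
        status, rtt = tcp_ping(host, port, timeout)
        results.append((status, rtt))
        print(f"{host}:{port} {status}" + (f" {rtt:.1f} ms" if rtt is not None else ""))
        if i < count - 1:
            time.sleep(interval)
    rtts = [rtt for status, rtt in results if status == "open"]
    return {"sent": count, "open": len(rtts), "statuses": [s for s, _ in results],
            "min_ms": min(rtts) if rtts else None, "max_ms": max(rtts) if rtts else None}


def local_listener():
    """Loopback listener on an ephemeral port, so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Watching an AP come back after a remote reboot (constructed address and port).
    print(ping_loop("ap-01.example.test", 8443, count=5, interval=3.0))
```

The connect itself is the whole probe, which is why the noexec sdcard mount above was the only obstacle to running the native binary: nothing here needs raw sockets or root, so the same loop runs unprivileged on the phone.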

VPN and AFWall+

I have a Shield TV arriving later today. On my previous Android box I set up a VPN with a kill switch via AFWall+. This involved the installation of the OpenVPN Connect application with my VPN provider details, then I used AFWall+ to prevent any data that didn't originate via a VPN connection, effectively making this a kill switch. This involved allowing both the OpenVPN application and Android's VPN API full access. It's the latter I'm enquiring about: does this API exist on the Shield TV? I've heard that native VPN isn't possible as the normal VPN settings aren't present. But does that include the VPN service API itself?
No one?
Beefheart said:
I have a Shield TV arriving later today. On my previous Android box I set up a VPN with a kill switch via AFWall+. This involved the installation of the OpenVPN Connect application with my VPN provider details, then I used AFWall+ to prevent any data that didn't originate via a VPN connection, effectively making this a kill switch. This involved allowing both the OpenVPN application and Android's VPN API full access. It's the latter I'm enquiring about: does this API exist on the Shield TV? I've heard that native VPN isn't possible as the normal VPN settings aren't present. But does that include the VPN service API itself?
I have the exact same setup on all my devices, including Shield TV, although I've only had to allow the OpenVPN app WiFi/data/VPN access for things to work; I've never had to allow Android's VPN........ Is there a specific reason you grant Android VPN access? Does it not work otherwise?
I use the other OpenVPN app, by the way.
I originally set it up on the tutorial in the link below, which mentions that the VPN Networking service needs to have full access. Is that service present on the Shield?
https://www.privateinternetaccess.c...otection-on-android-with-afwall-requires-root
Beefheart said:
I originally set it up on the tutorial in the link below, which mentions that the VPN Networking service needs to have full access. Is that service present on the Shield?
https://www.privateinternetaccess.c...otection-on-android-with-afwall-requires-root
I just checked for you, and yes, it's there. Mind you, I'm using zulu's full ROM, not sure about stock ROM, but as with all my devices, I haven't needed to allow this for VPN to work.
Unless there's a specific reason to do so, try without on your current devices. I suspect VPN Networking may only apply if you use Android's inbuilt VPN found in Settings.
Edit
By the way, I don't know how far you wanna take it, but AFWall has Tasker plugin support, which I use to apply an AFWall profile I named "secure" that denies everything when the screen turns off...... as well as other things in the same vein.
Edit
I do it a little differently than what your link suggests: I only allow the bare minimum of apps, those that I actually need internet for....... If an app has internet capability but I have no need for that side of it, it's denied. I don't whitelist ALL apps for VPN as your link suggests.
I also suspect that guide was written for Private Internet Access's method of using VPN on Android, so maybe VPN Networking applies if using Private Internet Access, but as for my OpenVPN app, it's not needed....... neither is "GPS".
Cheers. Everything set up and working perfectly in stock, no DNS leaks. A combination of AFWall+, VPN and Xprivacy has the device locked down pretty well.
And what a device, the speed is in another league compared to other similar boxes and worth the extra money. I'm glad I returned my newly purchased Minix Neo U1; this thing is so much faster and not as restricted as I was led to believe. With a bit of work the Shield TV, even on stock, can do as much as any other Android-based TV box, even one based on vanilla.
Beefheart said:
Cheers. Everything set up and working perfectly in stock, no DNS leaks. A combination of AFWall+, VPN and Xprivacy has the device locked down pretty well.
And what a device, the speed is in another league compared to other similar boxes and worth the extra money. I'm glad I returned my newly purchased Minix Neo U1; this thing is so much faster and not as restricted as I was led to believe. With a bit of work the Shield TV, even on stock, can do as much as any other Android-based TV box, even one based on vanilla.
Yep, I've said it before and I'll say it again, the Shield's an impressive piece of kit for sure.
Xprivacy.........snap
We seem to have a very similar setup........ Believe me, if you wanna take it further at some point in the future....... Tasker......... although, fair warning, there's a learning curve.
Just some of the more basic things I automate with Tasker, with plugins like AFWall's:
When the screen goes off, Tasker......
Turns off WiFi/3G
Turns off Bluetooth
AFWall secure profile
Greenify all preselected apps
Turn off "unknown sources" for extra measure, as Tasker turns this off after it detects an APK install anyway
Turn off "debugging", in case I turn it on one day out of need and forget to turn it off
Media volume set to 4 (edit: this one's a bit out of place)
Apply AFWall profiles depending on what app you happen to be using
Many possibilities with Tasker, VERY useful for many things.
Non-security related....kinda......... could potentially be used for such if modified.
I have a small Bluetooth media remote which has the numbers 1 to ten; with Tasker and the Xposed Additions module I fooled around with it: pressing 1 connects the Shield's Bluetooth to the bedroom speakers, long-pressing 1 connects to the living room speakers.......... I can imagine myself doing some neat stuff with this combination of apps and future accessories.
Also, I use it to dim the Shield's light LED to let me know at a glance if the Shield's on or asleep, without having to change the channel.
Food for thought for those with similar setups.
Edit
By the way, you mention a DNS leak; I assume you used a test site to check for the leak, any chance of a link? In case it's something very new.
This one's the one I use:
https://ipleak.net/
Detects WebRTC leaks on the specific browser you happen to be using at the time.
Edit
For those interested, more on WebRTC here:
https://www.privateinternetaccess.c...ome-and-mozilla-firefox-while-using-private-i
If you use Firefox or Chrome, you can disable it manually following this guide:
https://www.purevpn.com/blog/disable-webrtc-in-chrome-and-firefox-to-protect-anonymity/
I think there are addons as well.
Edit
"and not as restricted as I was led to believe"
Yep, I had the same thoughts, just my own assumption really, that Android TV was completely different, internally, to "standard" Android. Pleasantly surprised, no incompatibilities so far............................ Good to know that stock is like that too :good:
Cheers, I'll read into all that.
One issue I'm finding at the moment is that, on a reboot, AFWall+ doesn't apply as default on the Shield and has to be done manually. This doesn't happen on my Note 3 running Lollipop. I'm sure there is a simple explanation, I'll look into it a bit more.
That website is the one I use to check for leaks, but there are numerous others too.
Beefheart said:
Cheers, I'll read into all that.
One issue I'm finding at the moment is that, on a reboot, AFWall+ doesn't apply as default on the Shield and has to be done manually. This doesn't happen on my Note 3 running Lollipop. I'm sure there is a simple explanation, I'll look into it a bit more.
That website is the one I use to check for leaks, but there are numerous others too.
I'm not sure I understand fully: AFWall is not enabled? Or AFWall IS enabled, but your preferred profile is not "applied"?
On full Android at least, AFWall is enabled upon reboot; I haven't had any issues in that regard (saw your other post), I don't need an init.d script (useful to have though, if/when possible).
Have you tried reverting all of AFWall's settings to default, to rule out that likely suspect?
Another likely suspect: XPrivacy, but that depends if you restrict everything like I do, including system apps. If so, have you checked XPrivacy's usage data for AFWall and global apps?
Another suspect could be the stock firmware, but I have my doubts about that one.
Assuming I'm understanding the issue correctly.
Edit
I don't have "fix startup data leak" checked (as we don't have init.d), nor IPv6 support checked, as your link described.
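Both the DroidWall per-app firewall discussed in the malware thread above and the AFWall+ VPN kill switch in this thread come down to iptables rules matched on the app's Linux UID. The Python below is an added example that generates both rule sets as a reviewable script; it is not DroidWall's or AFWall+'s code, and the chain name, sample UIDs, package names and interface names are assumptions. The allowlist variant keeps the system UIDs enabled, which is the Play Store caveat raised in the DroidWall thread; the kill switch lets anything out through tun0 but only the VPN client onto wlan0/eth0, with a final DROP so that off-VPN traffic, DNS included, has nowhere to go.

```python
"""Per-app iptables rule generation of the kind DroidWall and AFWall+ apply on a rooted
device. Added example: not those apps' code; chain name, UIDs and interface names are
chosen here for the demo.

Every Android app runs as its own Linux UID, so the kernel's owner match admits or drops
traffic per app. Two policies from the threads: a per-app allowlist (the DroidWall thread,
including the system UIDs the Play Store depends on) and a VPN kill switch (the AFWall+
thread): any app may send through the tunnel, only the VPN client may use the real
interfaces, everything else is dropped, so off-VPN DNS has nowhere to go. The result is a
shell script to review; nothing here executes iptables.
"""
from typing import Iterable, List

CHAIN = "afw-demo-OUTPUT"  # hypothetical chain name, hooked at the top of OUTPUT
SYSTEM_UIDS = {0: "root", 1000: "system", 1001: "radio",
               1051: "netd (DNS resolver on older releases)"}
SAMPLE_APPS = {10045: "com.example.mail", 10060: "com.example.game",
               10070: "vpn.client.example"}  # constructed sample UIDs and packages


def _preamble() -> List[str]:
    """Create or flush our chain, hook it first in OUTPUT, and always allow loopback."""
    return [f"iptables -N {CHAIN} 2>/dev/null || iptables -F {CHAIN}",
            f"iptables -D OUTPUT -j {CHAIN} 2>/dev/null",
            f"iptables -I OUTPUT 1 -j {CHAIN}",
            f"iptables -A {CHAIN} -o lo -j RETURN"]


def allowlist_rules(allowed_uids: Iterable[int], apps=SAMPLE_APPS, allow_system=True) -> List[str]:
    """DroidWall-style: only listed app UIDs (plus system UIDs unless disabled) get out."""
    names = {**SYSTEM_UIDS, **apps}
    uids = (list(SYSTEM_UIDS) if allow_system else []) + list(allowed_uids)
    rules = _preamble()
    for uid in uids:
        rules.append(f"iptables -A {CHAIN} -m owner --uid-owner {uid} -j RETURN"
                     f"  # {names.get(uid, 'unknown')}")
    rules.append(f"iptables -A {CHAIN} -j REJECT --reject-with icmp-port-unreachable"
                 "  # denied apps fail fast instead of hanging")
    return rules


def vpn_killswitch_rules(vpn_client_uid: int, tun_iface: str = "tun0",
                         real_ifaces: Iterable[str] = ("wlan0", "eth0"),
                         apps=SAMPLE_APPS) -> List[str]:
    """AFWall+-style kill switch: tunnel for everyone, real interfaces for the VPN client only."""
    rules = _preamble()
    rules.append(f"iptables -A {CHAIN} -o {tun_iface} -j RETURN  # any app, but only inside the tunnel")
    for iface in real_ifaces:
        rules.append(f"iptables -A {CHAIN} -o {iface} -m owner --uid-owner {vpn_client_uid} -j RETURN"
                     f"  # {apps.get(vpn_client_uid, 'vpn client')} builds the tunnel")
    rules.append(f"iptables -A {CHAIN} -j DROP  # everything else off-VPN, DNS included, is dropped")
    return rules


def is_fail_closed(rules: List[str]) -> bool:
    """True when the chain ends in a terminating deny: if the tunnel drops, nothing leaks."""
    last = rules[-1].split("#")[0]
    return " -j DROP" in last or " -j REJECT" in last


def render(rules: List[str]) -> str:
    return "#!/system/bin/sh\n" + "\n".join(rules) + "\n"


if __name__ == "__main__":
    print(render(allowlist_rules([10045])))
    print(render(vpn_killswitch_rules(10070)))
```

Because the rules live in the kernel, they outlast the app that wrote them until the next reboot, which is why the AFWall+-not-applied-on-boot problem above matters: without a boot-time re-apply (init.d or the app's own startup hook), the device comes up with an empty chain and everything leaks until the profile is reloaded. `is_fail_closed` is the check to run on whatever script is actually installed.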
