Module 10: Wireless Penetration Testing Methodology
Objective
The labs in this module are designed to make you familiar with pen testing methodology to audit a wireless network infrastructure consisting of mobile devices by creating a malicious apk file and executing it.
Scenario
Wireless networks provide attackers with convenient access points to penetrate an organization. By finding a secure spot in the vicinity of a building, hackers can exploit a wireless signal and gain entry into an organization’s internal network. Starting from the SSID of the wireless network to its strength in different areas of its radius, everything is critical to wireless security. The password for the wireless network, the encryption methodology and protocols used, and the devices interacting with the network are all potential weak points for hackers to exploit. As a wireless penetration tester, you have to ensure that all the vulnerable points of a network are either secured or strengthened. You also have to identify the users who can easily be enticed to click on links or execute the malicious files you built.
Exercise 1: Gaining Complete Access to an Android Device Using SpyNote
Scenario
SpyNote is a client/server application developed in Java Android for the client side and in Java/Swing for the server side. The goal of the application is to provide remote control of the Android system and retrieve information from it.
Personnel working in an organization might carry their mobile devices to the workplace and use them to access enterprise data and systems. Hence, mobile devices contain sensitive information related to organizations. This might open doors for attackers to take control of the personnel's devices and use them to obtain sensitive information related to the organization. This might reveal information related to the policies of the organization, payrolls of its personnel, HR policies, quotations signed by clients, and so on.
Being a penetration tester or an information security auditor, you should have knowledge of how to develop a malicious apk file and merge it with a genuine apk file. When this file is shared with an employee in an organization and he/she installs it, the apk gives complete access to the pentester.
In this lab, you will learn how to gain remote access to a device by using a remote access Trojan.
Lab Duration: 40 Minutes
- Click Windows Server 2012 (Internal Network).
- In the password field click Pa$$w0rd and press Enter.
You can also use the Type Password option from the Commands menu to enter the password.
- Navigate to E:\ECSAv10 Module 10 Wireless Penetration Testing Methodology\SpyNote and double-click SpyNote.exe.
If an Open File - Security Warning pop-up appears, click Run.
- SpyNote listener window appears.
You need to configure a port on which you want SpyNote to listen. To perform this, click Listen Port option in the lower left corner of the Listener window.
- Open Port window appears. In this lab, we will be configuring SpyNote to listen on port 4444. To perform this, type 4444 in the Port field and click Add.
- You will observe that the port has been added. Click Ok to close the window.
- Click Build Client option in the lower section of the listener window to launch the Build Client.
- Build Client window appears displaying the Client Info section. Enter the App Name as Instagram and click Dynamic DNS tab.
- Dynamic DNS section appears, enter the IP address of Windows Server 2012 (Internal Network) in the IP field. The IP address to enter is 192.168.168.8.
Type 4444 in the Port field and click Add.
By doing so, we are configuring the client to connect to 192.168.168.8 on port 4444.
- The IP Address and Port are added to the client. Click on Properties tab.
- We will be configuring the client in such a way that it gets hidden upon installation. To perform this, check Hide application option, and uncheck the other options as we are not focusing on keylogging, device administration, and so on in this lab.
Once you check the option, click on the Merging app tab.
- We will be merging the malicious apk with Instagram app. So, when a person installs the app, the original Instagram app is installed and displayed in the applications menu, while the malicious app gets hidden and runs in the background.
To merge with the Instagram app, check Merging app, and click Add.
- Open window appears, navigate to E:\ECSAv10 Module 10 Wireless Penetration Testing Methodology\SpyNote\Patch, select com.instagram.android.apk and click Open.
- The Instagram apk has been added to the Merging App section. Enter the Package Name as com.instagram.android.apk.
- Now, click on Build button in the top left corner of the Build Client window and click Build APK.
- Open window appears, navigate to E:\ECSAv10 Module 10 Wireless Penetration Testing Methodology\Remote Access Trojans\SpyNote\Patch, select Patch-release.apk and click Open.
- SpyNote takes some time to build the client.
Once the client is created, the client folder opens as shown in the screenshot.
- In order to make the client look more realistic, we shall rename the file to Instagram.apk as shown in the screenshot below.
- Now, close the Build Client window.
- Click Marketing Dept Subnet D and click Ctrl+Alt+Delete.
- In the password field click Pa$$w0rd and press Enter.
You can use the Type Password option from the Commands menu to enter the password.
- Double-click AVD Manager.exe shortcut icon on the Desktop to launch the Android Virtual Device Manager.
- Android Virtual Device (AVD) Manager window appears, select AVD_for_3_2_QVGA_ADP2 and click Start…
- Launch Options window appears, check Scale display to real size option, enter the Screen Size as 6, and click Launch.
- AVD_for_3_2_QVGA_ADP2 emulator window appears, wait for the device to boot. It takes around 5 minutes for the booting process to complete.
Close the Starting Android Emulator window which appears behind the Emulator.
- On successful boot, Android home screen appears. Leave the emulator device idle for 1-2 minutes in order to allow the device to gather all its resources.
- In this lab, we will be allowing installation of apps from unknown sources on the device.
Click the App Drawer icon on the home screen to launch the android menu.
- Android Apps screen appears, click Settings.
- Settings screen appears; scroll down and click Security.
- In the Security screen, check Unknown Sources to allow installation of apps from unknown sources on the device.
- A pop-up appears; click OK.
- Now, press Ctrl+H to navigate to the Home screen.
- Now, you need to install the malicious apk file in the emulator. In a real attack, an attacker creates a malicious apk file and shares it with the victim through Email or any other means. As we do not have internet connectivity in iLabs, we shall be installing the apk file directly through adb shell.
Navigate to \\192.168.168.8\ECSA-Tools\Building\apktool\out, copy Instagram.apk and paste it in C:\Program Files (x86)\Android\android-sdk\platform-tools.
- In the same location, right-click adb.exe and click CmdHere from the context menu.
- Type the command adb install Instagram.apk and press Enter. This installs the malicious application onto the emulator device.
- On completing the installation, open the emulator window. Click the App Drawer icon on the home screen to launch the android menu.
- Android menu appears; click the Instagram application.
- Instagram installation wizard appears again. By this time, the user will become suspicious about the application installed. He/she may discontinue the installation. However, by this time, SpyNote Client has already established a connection.
You may install the Instagram application, or quit the installation.
- If you proceed with Instagram installation, click Done.
If you discontinued the installation, skip to the next step.
Once you click on Done, you will observe that the original Instagram application has been installed on the device and the backdoor has gone into stealth mode, making the victim believe that nothing has gone wrong.
- Now click Windows Server 2012 (Internal Network).
As soon as you launch the application, you will observe that the SpyNote listener established a connection and displays the details of emulator device as shown in the screenshot.
- Right-click on the device connection and click on Settings to view the device information.
- Settings window appears displaying the device information in the Phone Info tab.
Scroll down the window to view detailed information.
Once you are done viewing the information, close the Settings window.
- Right-click on the device connection and click on File Manager to view the file manager in the emulator.
- File Manager window appears displaying the contents of /mnt/sdcard location.
Now, we shall view and download the files present in the DCIM folder. To view the files, double-click DCIM.
- The File Manager displays the thumbnails of the selected file in the right pane of the File Manager window.
If you want to download a file, right-click on the desired file and click Download. This downloads the file to the local machine.
- Once the file is downloaded, close the File Manager window.
The downloaded file is stored in E:\ECSAv10 Module 10 Wireless Penetration Testing Methodology\Remote Access Trojans\SpyNote\App_Resources\Folder_Clients\null000000000000000\Download_Manager. Navigate to this location to view the file.
- Right-click on the device connection and click on Contacts Manager to view the contacts stored in the emulator.
- A Contacts Manager window appears displaying the contacts stored in the emulator as shown in the screenshot below.
Once you go through the contacts, close the window.
- Right-click on the device connection and click on SMS Manager to view the messages stored in the emulator.
- SMS Manager window appears displaying the SMSes stored in the device as shown in the screenshot below.
Once you go through the messages, close the window.
- In the same way, you may use other features of SpyNote and explore the contents of the emulator.
In this lab, you have learned how to gain remote access to a mobile device (emulator) using SpyNote.
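For the audit report, the lab's install path (Unknown Sources enabled, then adb install) leaves a trace a defender can check: the package has no trusted installer on record. The following is an added example, not part of the original lab; it parses the output of adb shell pm list packages -3 -i and flags third-party packages not installed by a trusted store. The sample output, the com.example.* package names and the trusted-installer list are constructed assumptions.

```python
import re

# Installers treated as trusted for this audit (assumption: Google Play only).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -3 -i` output.
# com.example.* names are placeholders, not taken from the lab.
SAMPLE_PM_OUTPUT = """\
package:com.example.notes  installer=com.android.vending
package:com.instagram.android  installer=null
package:com.example.hiddenclient  installer=null
package:com.example.mail installer=com.android.vending
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)(?:\s+installer=(?P<inst>\S+))?$")


def parse_pm_list(output):
    """Map each package name to its installer (None when absent or 'null')."""
    packages = {}
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and adb warnings
        inst = m.group("inst")
        packages[m.group("pkg")] = None if inst in (None, "null") else inst
    return packages


def flag_sideloaded(output, trusted=TRUSTED_INSTALLERS):
    """Return sorted (package, installer) pairs not installed by a trusted store."""
    return sorted(
        (pkg, inst or "none")
        for pkg, inst in parse_pm_list(output).items()
        if inst not in trusted
    )


if __name__ == "__main__":
    for pkg, inst in flag_sideloaded(SAMPLE_PM_OUTPUT):
        print(f"REVIEW {pkg}: installer={inst}")
```

A well-known package name with no store installer, such as com.instagram.android in the sample, is the case worth escalating first, since a merged apk reuses a familiar name.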