Thursday 16 January 2014

Reverse engineering an apk

In my previous post I described setting up an access point and getting clients to connect to it automatically. I then used BeEF to hook the browsers and run autostart modules. I wanted to explore getting a shell on a mobile device and play around with that. One thing I managed was to set up a hidden iframe that downloads a given file. With Android and other platforms this still involves a level of user interaction: an acknowledgement to download the file. Perhaps with some social engineering this could be made more plausible.
Metasploit has introduced a reverse TCP module for Android. It's quite straightforward to set up, just like any other Windows/Linux reverse TCP payload. The result is an APK file which will open up a Meterpreter session on your server. On inspection it has a button called 'reverse tcp' and the Metasploit emblem as its icon. I wanted to explore changing things around in the app and customizing it for my own needs. I may use it for an upcoming project in college.

There are some tools pre-installed on Kali and BackTrack for this purpose. I had some issues recompiling with these tools and failed to get them to work. Decompiling the APK worked fine, but after making changes and recompiling, it would throw up errors.
I ended up installing the same tools on a Windows machine and they worked straight away.

Tools

apktool (to decompile and recompile the APK)
dex2jar (useful for having a look at the underlying Java)
For resigning the APK in Kali you can generate your own keys.

It's quite straightforward. Via the command line:
DECOMPILE: apktool d <nameOfApp.apk> <folder to put the decoded files in>

From here you can look into the files and do some editing: change some of the permissions, add some more, edit the XML files.

RECOMPILE: apktool b <directory in which you have the decoded files>

To look at the Java code and figure out how it works you can use dex2jar.




Upon recompiling the app, you still have to resign it for it to work on your device. This can be achieved by using openssl in Kali.

The Metasploit Android reverse APK is quite a small file as regards the code already in it. It should be quite simple to customize your own version of the app and play around with it.

I was looking into ways of autostarting an APK on boot on an Android device. Adding this to the Android reverse TCP APK would mean a consistent connection. I have found some ideas on how to achieve this and would like to see if I can get it working.
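The flip side of the decompile-and-edit workflow above is reviewing a decoded APK you did not build. Once apktool has produced a readable AndroidManifest.xml, the first things a reviewer checks are the requested permissions, whether any receiver listens for BOOT_COMPLETED (the autostart idea just mentioned), and whether the app has a launcher activity at all. The following script is an added example written for this post and is not code from the original post or from Metasploit or apktool; the manifest it embeds is constructed, the package and class names are made up, and the watch list of permissions is the analyst's own review list rather than any Android-defined category.

```python
import os
import xml.etree.ElementTree as ET

# Namespace apktool's decoded AndroidManifest.xml uses for android:* attributes.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Permissions worth a second look in a small APK of unknown provenance.
# Review list for a human analyst, not a verdict.
WATCH_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample manifest (package name and class names are made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Sample">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Summarise the parts of a decoded manifest a reviewer checks first."""
    root = ET.fromstring(xml_text)
    name = ANDROID_NS + "name"
    report = {
        "package": root.get("package"),
        "permissions": sorted(p.get(name, "") for p in root.iter("uses-permission")),
        "boot_receivers": [],
        "has_launcher": False,
    }
    for receiver in root.iter("receiver"):
        # A receiver whose intent filter listens for BOOT_COMPLETED runs at start-up.
        if any(a.get(name) == BOOT_ACTION for a in receiver.iter("action")):
            report["boot_receivers"].append(receiver.get(name))
    for activity in root.iter("activity"):
        if any(c.get(name) == LAUNCHER_CATEGORY for c in activity.iter("category")):
            report["has_launcher"] = True
    report["flagged_permissions"] = sorted(
        set(report["permissions"]) & WATCH_PERMISSIONS
    )
    return report


def findings(report):
    """Turn the report into short notes for the analyst."""
    notes = []
    for perm in report["flagged_permissions"]:
        notes.append("requests %s" % perm)
    for receiver in report["boot_receivers"]:
        notes.append("starts at boot via receiver %s" % receiver)
    if not report["has_launcher"]:
        notes.append("no launcher activity: app has no icon in the app drawer")
    if report["boot_receivers"] and "android.permission.INTERNET" in report["permissions"]:
        notes.append("boot-start combined with network access: review the receiver code")
    return notes


def triage_decoded_dir(path):
    """Run the triage on an apktool output directory (AndroidManifest.xml inside)."""
    with open(os.path.join(path, "AndroidManifest.xml"), "rb") as fh:
        return triage_manifest(fh.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = triage_decoded_dir(sys.argv[1])
    else:
        result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"])
    for note in findings(result):
        print(" -", note)
```

Run it with the apktool output folder as the only argument, or with no argument to see the constructed sample. The manifest is only the starting point: a boot receiver is what then sends you into the smali or dex2jar output to read what the receiver actually does.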





Monday 23 December 2013

Access point + BeEF server + Amazon cloud

I wanted to explore the idea of getting devices to automatically connect to my access point. Once connected, they are able to browse as normal, but certain sites trigger a redirect to my Apache page. I thought initially to set up a web portal for this purpose, and have everyone redirected to this page before being able to access the internet. At this point I could hook browsers. I ended up doing it a different way and used dnsmasq to redirect specific sites.

So what happens is a user types in a certain address, and dnsmasq redirects them to my Apache server. I have it wait for 20 seconds until I hook the browser, then they get redirected to another fake page hosted on the cloud. (JUST TO NOTE: THIS WAS ALL DONE FOR RESEARCH PURPOSES ON MY OWN NETWORK.)



Here's the access point script I set up. Note the airbase-ng -P option, which basically makes it respond to all probes from devices. The -y means it won't respond to broadcast probes, so as to limit its workload. The -C20 relates to how long the probes are sent out. For instance, a device sends out a probe for homeWifi. My access point will see this and send out probes saying 'that's me :)' for 20 seconds.
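The behaviour just described is also what makes such an access point visible to a defender: one BSSID answering probe requests for every SSID it hears is unusual, because a real AP answers only for the networks it actually serves. Below is an added example, not part of the original post and not from airbase-ng or any monitoring tool, that reads probe-response records and flags BSSIDs answering for too many different names. It assumes a two-column tab-separated export of the kind `tshark -T fields -e wlan.bssid -e wlan.ssid` produces; the sample lines, BSSIDs and SSIDs are constructed.

```python
import csv
from collections import defaultdict

# Constructed sample: tab-separated "bssid<TAB>ssid" lines, one per probe-response
# frame, in the shape a tshark field export would give. Nothing here is real.
SAMPLE_PROBE_RESPONSES = """\
aa:bb:cc:00:00:01\thomeWifi
aa:bb:cc:00:00:01\tCoffeeShop
aa:bb:cc:00:00:01\tAirport_Free
aa:bb:cc:00:00:01\tOfficeGuest
de:ad:be:ef:00:02\thomeWifi
de:ad:be:ef:00:02\thomeWifi
12:34:56:78:9a:bc\tLibrary
12:34:56:78:9a:bc\tLibrary-Guest
"""


def parse_probe_responses(text):
    """Return (bssid, ssid) pairs from tab-separated export lines, skipping blanks."""
    pairs = []
    for row in csv.reader(text.splitlines(), delimiter="\t"):
        if len(row) < 2 or not row[0]:
            continue
        pairs.append((row[0].strip().lower(), row[1].strip()))
    return pairs


def ssids_per_bssid(pairs):
    """Map each BSSID to the set of SSIDs it has answered for."""
    seen = defaultdict(set)
    for bssid, ssid in pairs:
        seen[bssid].add(ssid)
    return seen


def flag_promiscuous_responders(pairs, threshold=3):
    """BSSIDs answering probes for at least `threshold` distinct SSIDs.

    A genuine multi-SSID access point (main plus guest network) legitimately
    answers for two or three names; one that claims every name it is asked
    for stands out as the list grows. Tune the threshold to your environment.
    """
    return sorted(
        bssid for bssid, ssids in ssids_per_bssid(pairs).items()
        if len(ssids) >= threshold
    )


if __name__ == "__main__":
    pairs = parse_probe_responses(SAMPLE_PROBE_RESPONSES)
    for bssid in flag_promiscuous_responders(pairs):
        print(bssid, "answered for:", sorted(ssids_per_bssid(pairs)[bssid]))
```

With the default threshold only the first BSSID is reported; lowering it to 2 also catches the two-SSID library AP, which is exactly the false positive the threshold exists to avoid.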

The BeEF server comes with an option to autostart certain modules. This can be achieved by editing the modules and adding 'autostart: true' to the config.yaml file. Not all modules work, so you can experiment to see which ones do start.

Once the access point and BeEF are up and running you can try to see if users are being hooked. You have to edit your dnsmasq.conf file to add the websites you want to spoof. I actually made a separate dnsmasq.hosts file where I add my pages.
An easy way to get a copy of a page from the web is to use, for instance: wget http://www.facebook.com -O test2.htm
This is what I hosted on my Apache server, with a BeEF hook added to get browsers onto my BeEF server. I also autostarted an invisible iframe to try and keep the browser hooked. I have the Apache page stall for 20 seconds before redirecting the user to my server on the cloud.
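Seen from the client side, the dnsmasq override above leaves a simple trace: the resolver handed out by the access point answers a public web site's name with an address on the access point's own private network. The check below is an added example for this post, not code from the original post or from dnsmasq; it compares a resolver's answers against an independent reference and flags public names answered with RFC 1918, loopback or link-local addresses. The hostnames and addresses are constructed (.test names and documentation ranges), and the reference answers are assumed to come from a resolver you trust.

```python
import ipaddress

# Address space that should never be the answer for a public web site's name
# when the gateway's resolver is honest: RFC 1918, loopback and link-local.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed answers: what the access point's resolver returned to the client
# versus what an independent reference resolver returned for the same names.
# Hostnames use .test and addresses use documentation ranges; nothing is real.
LOCAL_ANSWERS = {
    "www.social-site.test": "192.168.1.1",
    "www.news-site.test": "203.0.113.10",
    "intranet.corp.test": "10.0.0.5",
}
REFERENCE_ANSWERS = {
    "www.social-site.test": "203.0.113.20",
    "www.news-site.test": "203.0.113.10",
}


def is_internal(ip):
    """True if the address falls in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def check_resolver(local, reference, expected_internal=()):
    """Compare a resolver's answers against a reference and return findings.

    Names listed in expected_internal (your own intranet hosts) are skipped.
    Each finding is (name, local_ip, severity, reason).
    """
    results = []
    for name, ip in sorted(local.items()):
        if name in expected_internal:
            continue
        if is_internal(ip):
            results.append((name, ip, "high", "public name answered with internal address"))
        elif name in reference and reference[name] != ip:
            # CDNs return different addresses per vantage point, so a bare
            # mismatch is a lead to follow up, not proof of tampering.
            results.append((name, ip, "low", "differs from reference %s" % reference[name]))
    return results


if __name__ == "__main__":
    for name, ip, severity, reason in check_resolver(
            LOCAL_ANSWERS, REFERENCE_ANSWERS, expected_internal={"intranet.corp.test"}):
        print("[%s] %s -> %s: %s" % (severity, name, ip, reason))
```

Feeding it live data means querying the gateway's resolver and a reference resolver for the same list of names; the comparison logic itself does not change. Note that the explicit range list is deliberate: Python's `ip_address(...).is_private` also returns True for the 203.0.113.0/24 documentation block, which would turn the constructed sample into a false positive.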

It's been fun to mess around with the BeEF server and have different modules autostart. I'd like to expand on this and look into the Metasploit modules that can be integrated into BeEF, particularly focusing on getting a Meterpreter session on a mobile device. Using my phone as a client I have managed this by directing the iframe to a reverse_tcp payload. It seems that once the session is opened, any subsequent commands are not recognized in the Meterpreter session; 'Unknown command' shows up. I have to try and fix this.