Lester: Hey Nash, are you scanning our school’s network with just your smartphone?

Nash: Well, yes I am! I’m using a network penetration suite just to check out if the students are aware and practicing what they learned from my network security class, and because I just told them about password sniffing…

Lester: Ah, I see…you just want to test if they are prepared and secured…hehe nice one!

Have you ever wanted to turn your android phone into a penetration testing tool or a handy dandy network analysis device? You tried booting it up with a Linux distro and installed some network penetration testing and networking applications, but you discovered that it consumes a lot of your phone’s RAM or it hangs up your phone. No need to worry about that, because dSploit has been unleashed (although it is still in its beta stage) by Simone Margaritelli a.k.a evilsocket, which is also sponsored by the BackBox Linux as one of its projects just like Weevely, Fang and NetCommander.

dSploit is an Android network penetration suite or an all-in-one network analysis application that is free to download for you to try out. The said application allows a user or a tester to perform network security assessments and penetration tests by just clicking on the available modules and options that are pre-compiled in the app. It is designed to be fast, handy, and easy to use (more of a point and click app).

How to Install dSploit in Your Android Device

What you need first is to secure or get an Android device that has at least the 2.3 ( Gingerbread ) version of the Operating System, and then root it. If you haven’t rooted your Android device yet, then the article entitled ‘The Always Up-To-Date Guide to Rooting the Most Popular Android Phones‘ from Lifehacker.com could maybe help you solve your problem. After rooting your device, install the Busybox app on your phone. Make sure that you install all of its utilities or do a full install!

Then download the apk file by scanning the “QR Code” to easily download the file onto your Android device. In my case, I used the QR Droid app to scan the “QR Code” from the URL.

After scanning the code, it should prompt you to open a URL that automatically downloads the apk file.

After the device has finished downloading the apk file, you should be able to open it and install dSploit.

Take note that before you open up the dSploit app, make sure that you are currently connected to a network through a wireless connection or WiFi so that you could already start your network security assessments and your dSploit exploration. I know you are very excited, so let’s move on with the basics of dSploit and how to work with it based on what I did while scanning my network, with no harm done to the network of course.

dSploit Description and Basics

Before we talk about digging into dSploit’s usage, let’s take a look at the available modules for the said application as introduced and explained by evilsocket of Backbox Linux in the xda-developers forum site:

RouterPWN

= Launch the http://routerpwn.com/ service to pwn your router.

Trace

= Perform a traceroute on target.

Port Scanner

= A syn port scanner to find quickly open ports on a single target.

Inspector

= Performs target operating system and services deep detection, slower than syn port scanner but more accurate.

Vulnerability Finder

= Search for known vulnerabilities for target running services upon National Vulnerability Database.

Login Cracker

= A very fast network logon cracker which supports many different services.

Packet Forger

= Craft and send a custom TCP or UDP packet to the target.

MITM

= A set of man-in-the-middle tools to command & conquer the whole network. (See the images below for the complete MITM tools with their description)

Once dSploit is opened or started, it automatically maps the network you are currently connected to and fingerprints the active or alive hosts in your network, including your device, just like the image below.

As you can see from the image above, the application recognizes your network subnet mask, your network gateway or the router, your Android device (my Samsung Galaxy Pocket GT-S5300) on 192.168.10.6, the active devices that are connected to the network, and the mac addressees of the devices.

By selecting your network subnet mask or a certain device and host that is connected to the network (e.g the IP address 192.168.10.7 which is my laptop), you can easily perform man-in-the-middle attacks such as network sniffing (http, ftp, imaps, irc, msn, telnet logins, mysql, ssh, etc.), session hijacking, kill connections, redirect all the http traffics to a certain web address, replace all images and YouTube videos on web pages with a specified one, inject a JavaScript in every visited web page, and replace custom text on web pages with a specified one by using the MITM module.

Here is a screenshot I took after selecting the IP address 192.168.10.7 as my target and selected the MITM module specifically the Password Sniffer option while logging in to a website that I was registered to and while establishing a telnet connection to a free OpenVMS cluster in deathrow.vistech.net.

By default the sniffer logs are stored in the /sdcard/dsploit-password-sniff.log but you can also change its log file name under the Password Sniffer File option of the dSploit Settings. Thus, you keep the logs for future references.

Want to learn more?? The InfoSec Institute Advanced Hacking course aims to train you on how to successfully attack fully patched and hardened systems by developing your own exploits. You will how to circumvent common security controls such as DEP and ASLR, and how to get to confidential data. You take this knowledge back to your organization and can then formulate a way to defend against these sophisticated attacks. Some features of this course include:
  • Create 0day attacks as part of the Advanced Persistent Threat
  • 5 days of Intensive Hands-On Labs
  • Use fuzzers and dynamic analysis to attack custom and COTS apps
  • Reverse engineer binaries to find new vulnerabilities never discovered before
  • Attack and defeat VPNs, IDS/IPS and other security technologies

Aside from the MITM module, if you have selected a certain device as your target (e.g 192.168.10.7 which is running Ubuntu Linux) you can also perform a syn port scan by using the Port Scanner module, but I prefer using the Inspector module which does a deep scan on your operating system and identifies the services that are up and running. It also recognizes the operating system or kernel and is more accurate but slower than the syn port scan. There are still a lot of improvements to be done for the scanning option of the Inspector module, but at least it has detected that my LAMP (Linux Apache MySQL, PHP / Perl / Python) server is running.

Then you can use the Vulnerability Finder module to check for the known vulnerabilities that the target is running as scanned by the Inspector module. It uses the National Vulnerability Database as its reference. Take note that you cannot select the Vulnerability Finder module without using the Inspector module first.

Selecting the Kill Connections option under the MITM module could really prevent a certain target from reaching any website, which reminds me of a similar app called Wifi Kill, but the target still remains connected to the network. This can be used for trolling other users if they are watching pr0n (LOL).

By selecting your router or network gateway as your target you can use all the modules including the exceptional RouterPWN module, which launches a web application that helps you in the exploitation of known vulnerabilities for SOHO (Small Office / Home Office) routers like the exploits; Huawei HG5XX Mac2wepkey Default Wireless Key Generator, EasyBox Standard WPA2 Key Generator, Backdoor password in Accton-based switches (3com, Dell, SMC, Foundry and EdgeCore), D-Link WBR-1310 Authentication Bypass set new password, D-Link DIR-615, DIR-320, DIR-300 Authentication Bypass, D-Link DAP-1160 Authentication Bypass, 704P denial of service, DSL-G624T DSL-G604T directory traversal, DWL-7x00AP configuration disclosure, G604T DSL Routers “firmwarecfg” Authentication Bypass, HG520c HG530 Listadeparametros.html information disclosure, HG510 rebootinfo.cgi denial of service, Arris Password of The Day Generator, OfficeConnect 3CRWE454G72 configuration disclosure, and many more to mention.

For each of the exploits in the RouterPwn web application, you can change the destination IP by clicking on the [IP] link next to the exploit. Although there are still exploits for Huawei that are not included, which I hope to be included next time, like the Huawei bm622 Local file disclosure under the 192.168.1.1/html/management/account.asp address and the default usernames and passwords for some Huawei devices in telnet and for its web application.

The RouterPWN module is only available for use if the target is detected as your network gateway or router just like the targets below.

Aside from scanning and probing your network, you can also add a custom or a foreign target by selecting the ‘+’ sign. Then you can just type and enter the URL, hostname, or IP address just like the image below.

In my case, I chose my favorite search engine website which is Google. Based on the target that I have just chosen, I can use the modules: Trace, Port Scanner, Inspector, Vulnerability Finder, Login Cracker, and the Packet Forger. And so here are some screenshots I took in the selection of the modules Trace, Port Scanner, Inspector, and Vulnerability Finder.

What’s good about dSploit is that it checks for updates everytime the application is started and prompts you to download the new version.

You can actually disable the update under the Settings page, wherein you can also the edit and change the Module options like Sniffer Sample Time, HTTP Max Buffer Size, and the Password Sniffer File, but I prefer updating it if there is a new version available.

Anti and DroidSheep Guard

In this section we will talk about two other network related apps which could be of interest to you, so that we could really unleash your phone with network exploration tools.

There is an application similar to dSploit called Anti which is an Android Network Toolkit from ZImperium LTD. Sad to say that the free version has only tools for OS Detection, Traceroute, Port Connect, WIFI Monitor, and HTTP server, but the premium version has tools for man-in-the-middle attacks, remote exploitation, etc. In terms of application, dSploit wins because it is free. Hurrah! But the good thing about Anti is that it determines vulnerabilities and the app can run exploits from Metasploit and ExploitDB for final pawnage.

Because we are talking about MITM attacks like network sniffing, session hijacking, etc., most of you may now be so worried about such attacks that you are already afraid to login to your network. No need to worry again, because DroidSheep Guard will protect and alert you from such attacks and is also an anti-Droidsheep app.

DroidSheep Guard is developed by the creator of DroidSheep, which is an Android app used for session hijacking. FYI, the DroidSheep (not DroidSheep Guard) development has been stopped because in Germany (where the author lived) has some very strict laws against hacking tools, and the development and distribution of such tools is prohibited by the law in their country, but you can still find it in other websites.

For more information about DroidSheep Guard, visit its official usage guide.

And so guys, I leave the rest to all of you in exploring these tools. Have fun as always, but don’t abuse these tools….

INTERESTED IN LEARNING MORE? CHECK OUT OUR ETHICAL HACKING TRAINING COURSE. FILL OUT THE FORM BELOW FOR A COURSE SYLLABUS AND PRICING INFORMATION.

Resources:

http://droidsheep.de/

https://github.com/evilsocket/dsploit

http://www.backbox.org/blog/dsploit-android-network-penetration-suite

http://forum.xda-developers.com/showthread.php?t=1914699