Mobile security has been gaining popularity in recent times. Many mobile-based attacks are being discovered as the mobile industry grows more complex and new technology is implemented. Recently the pattern unlock mechanism, designed by Google, has been cracked by hackers without even rooting the phone. Malicious users can access the phone using the ADB push method, thus bypassing the pattern unlock mechanism which appeared to be one of the secured mechanisms. Similarly, if you look into android-based malware, most of the android-based applications are packed with malicious payloads. According to the researchers, more than 35% of Android malware enclose platform-level exploits to escalate privileges.
The below image shows the stats of mobile-based malware according to McAfee.
So in this article, we will learn about an operating system named Santoku Community Edition, which is a pre-configured, bootable Linux environment. It’s an .iso image which contains a variety of packages, drivers, and applications. Santoku is a free linux distribution mainly for mobile forensics, mobile malware analysis and assessment of mobile security.
Santoku comes with a number of open source tools which can make our job in mobile forensics, malware analysis, and security testing easy. The tools are categorized in the following lists.
- Android SDK Manager
- SBF Flash
- AFLogical Open Source Edition
- Android Brute Force Encryption
- Sleuth Kit
- DNS Chef
- DNS Sniff
- TCP Dump
- Wireshark (As Root)
- Burp Suite
- SSL Strip
- Zenmap (As Root)
- APK Tool
You can download the iso image from the following link: https://santoku-linux.com/download
The installation is similar to other VMware images we use. Once it has been installed, you will see the screen as shown below. You will find all the tools under the option Santoku. Let’s see how to use one of the tools in this operating system. In devices that run Android 3.0 or newer, the standard Linux dm-crypt encryption is used. These devices make use of the same password to unlock/login to the device and for encrypting and decrypting data. It uses brute-force attack to achieve this.
Brute-force attack is theoretically a strategy than can break any data encryption method. When any other possible weakness in an encryption algorithm cannot be exploited, a brute-force attack may be put to use.
ViaExtract has the capability to bypass Pattern/PIN lock and decrypt Android data. It also offers guided data extraction and flexible reporting.
The initial release of viaExtract supports the Samsung Galaxy Nexus and Galaxy Nexus S and the device must have an unlocked bootloader running Android 4.0 or higher. It is not recommended to use viaExtract on a locked bootloader as a successful attempt may wipe the device.
You can download viaExtract from https://viaforensics.com/products/viaextract/download/
Follow the below mentioned steps to crack Android encryption using brute-force attack:
1. Put the device into fastboot mode. Switch off the device, hold the volume down button and press and hold the power button to get the fastboot mode. In some devices, instead of holding the volume down button, pressing both the volume up and down buttons and then pressing and holding the power button only works.
2. Pass the device to the VM by selecting Device -> USB Devices -> “Fastboot Device”.
3. Open a case; select ‘New’ -> ‘Encryption Brute Force’
4. Now, with the device in fastboot mode, select “Automatically download footer and header from device”. Click “Forward”.
5. After the above window shows ‘Complete’, click “Forward”. If successful, the pin will be displayed as follows:
In order to complete this manually and upload your own header and footer files, the following commands can be made use of:
For Nexus S:
adb shell dd if=/dev/block/mmcblk0p2 of=tmp_header bs=512 count=1
adb pull tmp_header
adb shell mount -t yaffs2 /dev/block/mtdblock6 /root
adb pull /root/userdata_footer tmp_footer
adb shell dd if=/dev/block/mmcblk0p12 of=tmp_header bs=512 count=1
adb pull tmp_header
adb shell dd if=/dev/block/mmcblk0p13 of=tmp_footer
adb pull tmp_footer
After issuing these commands, return to the VM, select “Encryption Brute Force” and select “Decrypt from header and footer file”. Select the location where the header and footer files are stored. Click “Forward” and follow the prompts to decrypt the passcode. Depending on the length and complexity of the passcode, it may take from a few minutes to a few hours to decrypt it. The completion level of the attack can be seen from the progress indicator. Now in the article, we have seen how to crack the android pattern-based lock. In future, we will discuss more about other tools and how to use them in detail.