
WiFi hacking on tablets
Ever since I bought my first Android device, I wanted to use the device for WEP cracking. Not because I need it, but I want it 🙂 After some googling, I read that you can’t use your WiFi chipset for packet injection, and I forgot the whole topic.
After a while, I read about hacking on tablets (this was around a year ago), and my first opinion was:
At the beginning I looked at the Pwn Pad as a device that can replace a pentest workstation, working at the attacker side. Boy was I wrong. Pwn Pad should be used as a pentest device deployed at the victim’s side!
- You have 1095 USD + VAT + shipping to buy this Pwn Pad
- You have around 200 USD to buy an old Nexus 7 tablet, a USB OTG cable, a USB WiFi dongle (e.g. TP-Link Wireless TL-WN722N USB adapter works).
Wifite
- Start the Wifite app
- Choose your adapter (the USB WiFi)
- Choose the target network (wep_lan in the next example)
- Wait for a minute
- PROFIT!
SSH reverse shell
This is one of the key functionalities of the Pwn Pad. You deploy the tablet at the Victim side, and let the tablet connect to your server via (tunneled) SSH.
The basic concept of the reverse shells are that an SSH tunnel is established between the Pwn Pad tablet (client) and your external SSH server (either directly or encapsulated in other tunneling protocol), and remote port forward is set up, which means on your SSH server you connect to a localport which is forwarded to the Pwn Pad and handled by the Pwn Pad SSH server.
I believe the best option would be to use the reverse shell over 3G, and let the tablet connect to the victim network through Ethernet or WiFi. But your preference might vary. The steps for reverse shells are again well documented in the documentation, except that by default you also have to start the SSH server on the Pwn Pad. It is not hard, there is an app for that 😉 On your external SSH server you might need to install stunnel and ptunnel if you are not using Kali. The following output shows what you can see on your external SSH server after successful reverse shell.
root@myserver:/home/ubuntu# ssh -p 3333 pwnie@localhost
The authenticity of host '[localhost]:3333 ([127.0.0.1]:3333)' can't be established.
ECDSA key fingerprint is 14:d4:67:04:90:30:18:a4:7a:f6:82:04:e0:3c:c6:dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:3333' (ECDSA) to the list of known hosts.
pwnie@localhost's password:
_____ ___ _ ___ ___ _____ _____ ___ ___ ___ ___
| _ \ \ / / \| |_ _| __| | __\ \/ / _ \ _ \ __/ __/ __|
| _/\ \/\/ /| .` || || _| | _| > <| _/ / _|\__ \__ \
|_| \_/\_/ |_|\_|___|___| |___/_/\_\_| |_|_\___|___/___/
Release Version: 1.5.5
Release Date: 2014-01-30
Copyright 2014 Pwnie Express. All rights reserved.
By using this product you agree to the terms of the Rapid Focus
Security EULA: http://pwnieexpress.com/pdfs/RFSEULA.pdf
This product contains both open source and proprietary software.
Proprietary software is distributed under the terms of the EULA.
Open source software is distributed under the GNU GPL:
http://www.gnu.org/licenses/gpl.html
pwnie@localhost:~$
EvilAP and DSniff
Start EvilAP (it is again a wrapper around airobase), choose interface (for me the Internal Nexus Wifi worked), enter an SSID (e.g freewifi), enter channel, choose whether force all clients to connect to you or just those who really want to connect to you, and start.
The next step is to start DSniff, choose interface at0, and wait 🙂 In this example, I used a popular Hungarian webmail, which has a checkbox option for “secure” login (with default off). There are sooo many problems with this approach, e.g. you can’t check the certificate before connecting, and the login page is delivered over HTTP, so one can disable the secure login checkbox seamlessly in the background, etc. In this case, I left the “secure” option on default off.
In the next tutorial, I’m going to show my next favorite app, DSploit 😉
Lessons learned
Hacking has been never so easy before
In a home environment, only use WPA2 PSK
Choose a long, nondictionary passphrase as the password for WPA2
Don’t share your WiFi passwords with people you don’t trust, or change it when they don’t need it anymore
Don’t let your client device auto-connect to WiFi stations, even if the SSID looks familiar
And last but not least I would like to thank to the Pwn Pad developers for releasing the Community Edition!
*** This is a Security Bloggers Network syndicated blog from Jump ESP, jump! authored by Z. Read the original post at: https://jumpespjump.blogspot.com/2014/04/wifi-hacking-on-tablets.html