My Null Android Penetration Session


I attended the Android Penetration Testing session organized by Null Bangalore. It was an AWESOME session by Ashish and everyone enjoyed it. This is the first time the Humla session was organized at Flipkart and it was a beautiful venue. As I was sure I might forget it later, I documented the entire session so that it will help me revise it later as well. I have tried to make it as comprehensive as possible, giving you precise step-by-step instructions. It also covers most of the errors and solutions
we all faced during the session. This will help all of us revise whatever we were taught in the Humla session. It covers everything except the challenges. I am sure that once you go through this document it will help you, and others as well who were not able to attend.

Cheers !!!

Published in: Technology

Transcript

  • 1. Android Penetration Testing - GoatDroid - Null Bangalore. Avinash Sinha - Null Humla Session Notes.
  • 2. Install the AppUse VM and open the Android SDK Manager:
      root@dev-virtual-machine:~/Desktop/AppUse# android
    Go to Tools > Manage AVDs > New.
  • 4. The emulator is already rooted; your own device needs to be rooted for this. Start the AVD:
      root@dev-virtual-machine:~/Desktop/AppUse/.Android/android-sdk-linux_86/tools# emulator -avd Null
    Before that, let's look at which tools are available within AppUse.
  • 5. For those comfortable with the file explorer: on the Desktop, open the AppUse folder and press Ctrl+H to view hidden files.
  • 6. To open and configure Burp: right-click the jar, choose Open with Java, and configure the proxy listener as shown in the slide.
  • 7. Remember to tick the selected listener line for the configuration to be active. In the emulator command, -scale sets the window size and -cpu-delay 0 sets the CPU delay to zero, i.e. there should be no delay:
      root@dev-virtual-machine:~/Desktop/AppUse/.Android/android-sdk-linux_86/tools# emulator -avd Null -scale 0.7 -cpu-delay 0 -http-proxy http://127.0.0.1:8080
    Some of you may find that the emulator does not open or hangs; in that case kill the process and repeat the above command. This usually happens if you have low RAM or the scale value is set to a large number.
    Error 1: if the emulator hangs, find and kill any open AVD process:
      ps aux | grep emulator
      kill -9 <pid>
    Error 2: if you get a "no DNS found" error, set your VM network adapter to Bridged mode.
  • 9. To capture HTTPS traffic, do the following: open Mozilla Firefox and go to Edit > Preferences.
  • 11. Select the PortSwigger CA and press Export. Save it on your Desktop.
  • 12. Rename the certificate to PortSwiggerCA.crt. adb (Android Debug Bridge), ref: http://developer.android.com/tools/help/adb.html. To check the attached devices use the command below:
      root@dev-virtual-machine:~/Desktop/AppUse/Pentest# adb devices
      List of devices attached
      emulator-5554 device
    Let's push the certificate to the sdcard.
  • 13. After pushing the certificate to the sdcard, go to the device: Menu > Settings > Security.
  • 14. Choose the "Install from SD card" option.
  • 16. Give any PIN here; I used 1111. The PortSwigger certificate is now installed. We are storing the certificate in an external location: the certificate has to be on the SD card, and it is installed from there. Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or a connected Android-powered device. Copy all the APKs provided during the Null session into the AppUse VM, in any folder of your choice.
  • 17. GoatDroid vulnerable apps: 1. FourGoats 2. Herd Financial
  • 18. Install the FourGoats APK (after you reach the APK file location, press TAB to complete the file name and press Enter):
      root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# adb install "OWASP GoatDroid- FourGoats Android App.apk"
    FourGoats is installed and a new icon can be seen in your emulator.
  • 19. Now do the same to install the other APK. After installation we see a success message; we can also confirm by looking at the device emulator.
      root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/HerdFinancial/android_app# adb install "OWASP GoatDroid- Herd Financial Android App.apk"
  • 20. Open the item selected in the slide (right-click and run with Java); you will be able to see the DB info (server side). Then start the web service for Herd Financial.
  • 21. Go to the emulator and open the Herd Financial app. We now have the server set up. Click Menu, then Destination Info.
  • 22. Give the default port 9888 and click Save.
  • 23. After you have logged into the application, the testing is the same as normal web application security testing. Press Check Balance and alter the account ID in the request to /9876543210.
  • 24. To start this test you need to know another user's account number: Tools > Utilities > Database Browser. Test 2: transfer funds.
  • 25. Alter the account numbers. GoatDroid testing: FourGoats.
  • 26. Do the same IP settings via Menu > Destination Info. Let's see the files created by the app: go to the terminal and run adb shell. Every APK creates some files inside the device.
  • 27. List the application data directories:
      root@android:/ # cd /data/data
      root@android:/data/data # ls
    We can observe that after APK installation the following directories were created: org.owasp.goatdroid.fourgoats and org.owasp.goatdroid.herdfinancial (/data/data is where the private data of all installed applications is stored).
      root@android:/data/data # cd org.owasp.goatdroid.fourgoats
      root@android:/data/data/org.owasp.goatdroid.fourgoats #
    We can view the file permissions on each file as well. Refer to the link below if you are not familiar with the file permission format: http://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions
  • 28. Let's see what FourGoats stores in its files. Read permission is granted to all users. Open the credentials.xml file in the terminal:
      cat credentials.xml
    A hardcoded username and password can be seen.
  • 29. root@android:/data/data/org.owasp.goatdroid.fourgoats/shared_prefs # exit
  • 30. Now we decompile the APK for code review. A Java out-of-memory error may occur; if not, you will end up with the source files. The links below are helpful for tool downloads if any are required.
  • 31. http://droiddudes.com/howto-extract-apk-into-readable-java-source-code-and-xml-files/ In the session the decompiled jar was provided to me directly, since I ran out of memory, to save time :P
  • 32. The highlighted line in the slide's screenshot calls getSharedPreferences with mode '1'. Reference for understanding the vulnerability: http://developer.android.com/reference/android/content/Context.html#getSharedPreferences%28java.lang.String,%20int%29
  • 33. Mode values: 0 = private mode; 1 = world readable; 2 = world writable; 4 = multi-process mode (controls how the preferences may be used across processes). Second flaw: hardcoded password.
      root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# adb shell
      root@android:/ # cd data/data
      root@android:/data/data #
    We will use sqlite to read the contents of the files stored by FourGoats and Herd Financial in the data/data folder.
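As an added example (not from the session notes or the GoatDroid project), a small POSIX shell script that automates the two reviews above: flagging world-readable or world-writable files in an `ls -l` listing of an app's /data/data directory, and grepping decompiled source for a non-private SharedPreferences mode or a string-literal passphrase passed to the database helper (the hardcoded-secret flaw). The listing, the source lines and the function names are my own constructed samples.

```shell
#!/bin/sh
# Added example, not from the session notes or GoatDroid.
#  1. audit_perms: flag world-readable/writable entries in an `ls -l`
#     listing of an app's /data/data directory (as run inside `adb shell`).
#  2. scan_source: grep decompiled Java for a non-private
#     SharedPreferences mode (1, 2 or 3) or a string-literal passphrase
#     handed to getWritableDatabase/getReadableDatabase.
# Both samples below are constructed to resemble the FourGoats/Herd Financial output.

SAMPLE_LISTING='-rw-rw-r-- u0_a43 u0_a43 312 2014-02-01 10:00 credentials.xml
-rw-rw---- u0_a43 u0_a43 128 2014-02-01 10:00 profile.xml
-rw-rw-rw- u0_a43 u0_a43  64 2014-02-01 10:00 session.xml'

SAMPLE_SOURCE='SharedPreferences p = getSharedPreferences("credentials", 1);
SharedPreferences q = getSharedPreferences("profile", 0);
this.db = localUserInfoOpenHelper.getWritableDatabase("hammer");'

# Reads an ls -l listing on stdin (first field is the mode string, last
# field the file name) and prints one finding per exposed file.
audit_perms() {
    while read -r line; do
        [ -n "$line" ] || continue
        mode=${line%% *}
        name=${line##* }
        # characters 8-10 of the mode string are the "other" rwx bits
        others=$(printf '%s' "$mode" | cut -c8-10)
        case "$others" in
            *w*) printf 'WORLD-WRITABLE %s\n' "$name" ;;
            r*)  printf 'WORLD-READABLE %s\n' "$name" ;;
        esac
    done
}

# Reads Java source on stdin; prints each risky call with its line number.
scan_source() {
    grep -nE 'getSharedPreferences\([^,]*,[[:space:]]*[1-3][[:space:]]*\)|MODE_WORLD_(READABLE|WRITEABLE)|get(Writable|Readable)Database\("[^"]*"\)'
}

# Stand-alone run over the constructed samples. On a real target
# (older adb emits CRLF, hence the tr):
#   adb shell ls -l /data/data/org.owasp.goatdroid.fourgoats/shared_prefs | tr -d '\r' | audit_perms
#   cat decompiled/src/*.java | scan_source
echo "== permission audit =="
printf '%s\n' "$SAMPLE_LISTING" | audit_perms
echo "== source scan =="
printf '%s\n' "$SAMPLE_SOURCE" | scan_source
```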
  • 34. Open the database:
      root@android:/data/data/org.owasp.goatdroid.fourgoats/databases # sqlite3 userinfo.db
    If you get an error, it is because every SQL statement must end with a semicolon.
      sqlite> .tables
  • 35. (.tables lists the tables inside the database.)
      android_metadata info
      sqlite> select * from info;
      1|881b71832d7fc841f498f54bf698e0344a557ec42e562981b88f81136175d688dc66b9d4d9fddcec652c852a977d789799d7f0745d9f95fe8a625d9942b29c09|goatdroid|true|true|false
    Now let's go for the other app, which is supposed to be a financial application (Herd Financial). Error: the file contents are encrypted. No need to worry, we have a decryption method. Let's decompile the app first and see if we have any clues.
  • 36. this.db = localUserInfoOpenHelper.getWritableDatabase("hammer"); "hammer" is the key. From the screenshot we can see the key is stored in the code, which is bad practice. Now we install the app that will help us decipher the encrypted DB, as we have the key from the code.
  • 37. SQLCipher Decrypt is installed. Move the DB to the sdcard, as the sdcard is world readable (cp <from> <to>):
      root@android:/ # cp data/data/org.owasp.goatdroid.herdfinancial/databases/userinfo.db /mnt/sdcard
  • 38. Open SQLCipher Decrypt, fill in the details as in the slide and press OK. On the device the parameters are: 1 = location of the moved file, 2 = location and name of the output copy, 3 = the key. Press Decrypt and open the result using sqlite.
  • 39. root@android:/mnt/sdcard # sqlite3 decryptbank.db
    Got the details.
  • 40. Each application has a manifest file. Tool: apktool, used as apktool d <apk>:
      root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# apktool d "/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app/OWASP GoatDroid- FourGoats Android App.apk"
    Three things to check in the manifest file: exported components, permissions and debugging. Ref: http://developer.android.com/guide/topics/security/permissions.html#manifest. The permissions tell us which capabilities the app is allowed to use. Ref: https://developer.android.com/guide/topics/manifest/manifest-intro.html#perms. Other sample applications: Genymotion, Android Tamer. Hope you all enjoyed reading this article.
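As an added example (my own, not from the notes or GoatDroid), the three manifest checks listed above scripted as greps over an apktool-decoded AndroidManifest.xml; it assumes each element sits on a single line as apktool writes it, and the manifest and function names below are constructed.

```shell
#!/bin/sh
# Added example, not from the session notes or GoatDroid: the three manifest
# checks (exported components, requested permissions, debuggable flag) over an
# apktool-decoded AndroidManifest.xml. Assumes one element per line.
# The manifest below is constructed; the temp file is left behind for inspection.

MANIFEST=$(mktemp)
cat > "$MANIFEST" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:debuggable="true" android:label="app">
        <activity android:name=".MainActivity" android:exported="true"/>
        <service android:name=".SyncService" android:exported="false"/>
        <receiver android:name=".BootReceiver" android:exported="true"/>
    </application>
</manifest>
EOF

# Extracts the android:name value from each line on stdin.
names() { grep -oE 'android:name="[^"]*"' | cut -d'"' -f2; }

# Exit 0 when a debugger can be attached to the app (release builds must not set this).
is_debuggable() { grep -q 'android:debuggable="true"' "$1"; }

# Components explicitly exported to other apps. Components that declare an
# <intent-filter> without android:exported are also exported on older Android
# versions, so review those lines by hand as well.
exported_components() {
    grep -E '<(activity|service|receiver|provider)[^>]*android:exported="true"' "$1" | names
}

# Permissions the app requests.
requested_permissions() { grep -E '<uses-permission' "$1" | names; }

report() {
    if is_debuggable "$1"; then echo "DEBUGGABLE: android:debuggable is true"; fi
    echo "Exported components:"; exported_components "$1" | sed 's/^/  /'
    echo "Requested permissions:"; requested_permissions "$1" | sed 's/^/  /'
}

# Stand-alone run; on a real decode: report <apk-dir>/AndroidManifest.xml
report "$MANIFEST"
```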