Disclaimer: Don't hack anything where you don't have the authorization to do so. Stay legal.
Ever since I bought my first Android device, I wanted to use the device for WEP cracking. Not because I need it, but I want it :) After some googling, I read that you can't use your WiFi chipset for packet injection, and I forgot the whole topic.
After a while, I read about hacking on tablets (this was around a year ago), and my first opinion was:
"This is stupid, lame, and the usage of that can be very limited".
After playing one day with it, my opinion just changed:
"This is stupid, lame, the usage is limited, but when it works, it is really funny :-)"
At the beginning I looked at the Pwn Pad as a device that can replace a pentest workstation, working at the attacker side. Boy was I wrong. Pwn Pad should be used as a pentest device deployed at the victim's side!
You have the following options:
- You have 1095 USD + VAT + shipping to buy this Pwn Pad
- You have around 200 USD to buy an old Nexus 7 tablet, a USB OTG cable, a USB WiFi dongle (e.g. TP-Link Wireless TL-WN722N USB adapter works).
In my example, I bought a used, old 2012 Nexus WiFi. Originally I bought this to play with different custom Android ROMs, and play with rooted applications. After a while, I found this Pwn Pad hype again and gave it a shot.
I don't want to repeat the install guide, it is as easy as ABC. I booted a Ubuntu Live CD, installed adb and fastboot, and it was ready-to-roll. I have not measured the time, but the whole process was around 20 minutes.
The internal WiFi chipset can be used to sniff traffic or even ARP poisoning for active MiTM. But in my case, I was not able to use the internal chipset for packet injection, which means you can't use it for WEP cracking, WPA disauth, etc. This is where the external USB WiFi comes handy. And this is why we need the Pwn Pad Android ROM, and can't use an average ROM.
There are two things where Pwn Pad really rocks. The first one is the integrated drivers for the external WiFi with monitor mode and packet injection capabilities. The second cool thing is the chroot wrapper around the Linux hacking tools. Every hacking tool has a start icon, so it feels like it is a native Android application, although it is running in a chroot Kali environment.
Wifite
The first recommended app is Wifite. Think of it as a wrapper around the aircrack - airmon - airodump suite. My biggest problem with WEP cracking was that I had to remember a bunch of commands, or have the WEP cracking manual with me every time I have to crack it. It was overcomplicated. But thanks to Wifite, that is past.
In order to crack a WEP key, you have to:
- Start the Wifite app
- Choose your adapter (the USB WiFi)
- Choose the target network (wep_lan in the next example)
- Wait for a minute
- PROFIT!
SSH reverse shell
This is one of the key functionalities of the Pwn Pad. You deploy the tablet at the Victim side, and let the tablet connect to your server via (tunneled) SSH.
The basic concept of the reverse shells are that an SSH tunnel is established between the Pwn Pad tablet (client) and your external SSH server (either directly or encapsulated in other tunneling protocol), and remote port forward is set up, which means on your SSH server you connect to a localport which is forwarded to the Pwn Pad and handled by the Pwn Pad SSH server.
I believe the best option would be to use the reverse shell over 3G, and let the tablet connect to the victim network through Ethernet or WiFi. But your preference might vary. The steps for reverse shells are again well documented in the
documentation, except that by default you also have to start the SSH server on the Pwn Pad. It is not hard, there is an app for that ;-) On your external SSH server you might need to install stunnel and ptunnel if you are not using Kali. The following output shows what you can see on your external SSH server after successful reverse shell.
root@myserver:/home/ubuntu# ssh -p 3333 pwnie@localhost The authenticity of host '[localhost]:3333 ([127.0.0.1]:3333)' can't be established. ECDSA key fingerprint is 14:d4:67:04:90:30:18:a4:7a:f6:82:04:e0:3c:c6:dc. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[localhost]:3333' (ECDSA) to the list of known hosts. pwnie@localhost's password: _____ ___ _ ___ ___ _____ _____ ___ ___ ___ ___ | _ \ \ / / \| |_ _| __| | __\ \/ / _ \ _ \ __/ __/ __| | _/\ \/\/ /| .` || || _| | _| > <| _/ / _|\__ \__ \ |_| \_/\_/ |_|\_|___|___| |___/_/\_\_| |_|_\___|___/___/ Release Version: 1.5.5 Release Date: 2014-01-30 Copyright 2014 Pwnie Express. All rights reserved. By using this product you agree to the terms of the Rapid Focus Security EULA: http://pwnieexpress.com/pdfs/RFSEULA.pdf This product contains both open source and proprietary software. Proprietary software is distributed under the terms of the EULA. Open source software is distributed under the GNU GPL: http://www.gnu.org/licenses/gpl.html pwnie@localhost:~$
Now you have a shell on a machine that is connected to the victim network. Sweet :) Now Metasploit really makes sense on the tablet, and all other command-line tools.
EvilAP and DSniff
Start EvilAP (it is again a wrapper around airobase), choose interface (for me the Internal Nexus Wifi worked), enter an SSID (e.g freewifi), enter channel, choose whether force all clients to connect to you or just those who really want to connect to you, and start.
The next step is to start DSniff, choose interface at0, and wait :) In this example, I used a popular Hungarian webmail, which has a checkbox option for "secure" login (with default off). There are sooo many problems with this approach, e.g. you can't check the certificate before connecting, and the login page is delivered over HTTP, so one can disable the secure login checkbox seamlessly in the background, etc. In this case, I left the "secure" option on default off.
In the next tutorial, I'm going to show my next favorite app, DSploit ;)
Lessons learned
Hacking has been never so easy before
In a home environment, only use WPA2 PSK
Choose a long, nondictionary passphrase as the password for WPA2
Don't share your WiFi passwords with people you don't trust, or change it when they don't need it anymore
Don't let your client device auto-connect to WiFi stations, even if the SSID looks familiar
I believe during an engagement a Pwn Plug has better "physical cloaking" possibilities, but playing with the Pwn Pad Community Edition really gave me fun moments.
And last but not least I would like to thank to the Pwn Pad developers for releasing the Community Edition!
Read more
- Pentest Tools Windows
- Pentest Tools Github
- Hacking Tools Windows
- Hack Tools Download
- Usb Pentest Tools
- Best Hacking Tools 2020
- Pentest Recon Tools
- Pentest Tools Framework
- Pentest Tools Github
- Pentest Tools Website Vulnerability
- Hacking Tools Hardware
- Hacking Tools For Pc
- Pentest Tools Framework
- How To Make Hacking Tools
- Hacking Tools Kit
- Pentest Tools Alternative
- Kik Hack Tools
- New Hacker Tools
- Hack Tools Download
- Hack Tools For Ubuntu
- Nsa Hack Tools
- Hacker
- Hack Tools For Mac
- Hacking Tools For Mac
- Install Pentest Tools Ubuntu
- Nsa Hack Tools
- Hack Tools For Windows
- Hack Tools Mac
- Underground Hacker Sites
- Pentest Tools For Ubuntu
- Pentest Tools Apk
- Hacker Tool Kit
- Blackhat Hacker Tools
- Hack Tools For Windows
- Termux Hacking Tools 2019
- Hacking Tools For Windows Free Download
- Hacker Tools Online
- Hacking Tools For Kali Linux
- Underground Hacker Sites
- Pentest Tools For Android
- Nsa Hacker Tools
- Tools For Hacker
- Pentest Tools Website
- Hacking Tools For Beginners
- Hacking Tools For Kali Linux
- Pentest Tools List
- Hacking Tools For Kali Linux
- Android Hack Tools Github
- Termux Hacking Tools 2019
- Hacking Tools Download
- Pentest Tools For Windows
- Hacker Security Tools
- Black Hat Hacker Tools
- Hacking Tools For Beginners
- Hacker Tools Github
- Physical Pentest Tools
- Hacking Tools Pc
- Pentest Tools Open Source
- Hack Tools For Mac
- Hacker Tool Kit
- Hack Tools Download
- Hacker Tools
- Hacking Tools Pc
- Pentest Automation Tools
- Hack Website Online Tool
- Pentest Box Tools Download
- Install Pentest Tools Ubuntu
- Pentest Tools Kali Linux
- Hacking Tools For Mac
- Hacker Tools 2020
- Hacker Tool Kit
- Hack Website Online Tool
- Hack Tool Apk
- Hacking Tools For Windows
- Game Hacking
- Hacking Tools For Beginners
- Hak5 Tools
- Hacker
- Physical Pentest Tools
- Top Pentest Tools
- Hack Tools 2019
- Wifi Hacker Tools For Windows
- Hack App
- Computer Hacker
- Best Hacking Tools 2019
- Tools For Hacker
- World No 1 Hacker Software
- Pentest Tools List
- Nsa Hacker Tools
- World No 1 Hacker Software
- Pentest Tools Online
- Hacking Tools 2020
- Hacker Tools Free
- Hacker Techniques Tools And Incident Handling
- Tools For Hacker
- Underground Hacker Sites
- Hack Tools For Games
- Pentest Tools For Mac
- Hacking Tools 2020
- Hacking Tools Usb
- Hackers Toolbox
- Hacking Tools Pc
- Pentest Tools Nmap
- Hacker Tools Mac
- Pentest Tools Website Vulnerability
- Pentest Tools Github
- Tools For Hacker
- Hackers Toolbox
- Pentest Tools Linux
- Hacking Tools
- Tools 4 Hack
- Pentest Tools Framework
- Hacker Tool Kit
- Hacking Tools 2020
- Hacker Tool Kit
- Pentest Reporting Tools
- New Hack Tools
- Computer Hacker
- Pentest Tools Kali Linux
- Kik Hack Tools
- Hack Tools Github
- Hacker Tools 2019
- Pentest Automation Tools
- Hack Rom Tools
- Hacking Tools Usb
- Growth Hacker Tools
- Hacking Tools Hardware
- Hacking Tools Windows
- Hacker Tools 2020
- Hacker Tools For Pc
- Hack Tools For Windows
- Hacking Tools For Windows 7
- Hacker Tools For Ios
- Hack Tools For Ubuntu
- Nsa Hack Tools
- Hacking Tools Kit
- Hack Rom Tools
- Hacking Tools 2019
- Hacker Tool Kit
- Hacking Tools For Games
- Hacking Apps
- Nsa Hacker Tools
- Nsa Hack Tools
- Hackrf Tools
- Hacking Tools Online
- Hacking App
- Hack Tools For Mac
- Free Pentest Tools For Windows
- Hacking Tools
- Hacker Tools For Ios
- Hacker Tools For Pc
- Hacking Tools Download
- Hacking App
- Hacker Tools Windows
- Hack Tools For Ubuntu
- Hacking Tools Mac
- Top Pentest Tools
- New Hack Tools
- Hacker Tools 2019
- Ethical Hacker Tools
- Hacker Tools For Windows
- Hacker Tools
- Pentest Tools Website Vulnerability
- Hacking Tools Usb