Thursday, August 20, 2015

Roll your own Pwnie On a Samsung Galaxy Tab 3

If you have ever researched a Pwnie Express device for penetration tests you may have been floored, like I was, by the price/performance ratio. On my recent trip to Defcon23 I stopped at the Pwnie Express table to play with the Pwn Pad https://www.pwnieexpress.com/product/pwn-pad-2014-penetration-testing-tablet/ . Let me start by saying they have taken the idea and put a fit and finish on it that I will never be able to achieve on my own. They have a slick interface and tie all the apps together in a logical and attractive (to me) manner.

However, I do not need slick, I break fit, and I scuff finishes. So rather than pay a lot more than I felt comfortable with I set out to build my own version. Total investment was $100.00 and about 3 hours of my time. Here is how you can make your own:



** Make sure you have researched what firmware version you have. It is possible to brick your device and I will not be held responsible...you flash your firmware at your own risk.
** Using sketchy apps to root your phone is dangerous! Make sure you research the development company before executing any program!


Hardware:
Samsung Galaxy Tab 3 (SM-T217-A). Other tablets with Android 4.x or newer will work. You will need to have root access to your device. For mine I tried several different 'one click root' apps but the one that was able to do it was Wondershare MobileGo. They also have a nice desktop to phone management app if that is your kind of thing. Once you have root, you can install the software to manage it all.

8-32Gb MicroSD card. The more space, the better you will do installing tools and updating in the future. I have partitioned my setup so that the core system is installed to the internal memory, while all the tools and data are stored on the external microSD memory.

Software (Galaxy Tab 3):
Superuser.apk
Superuser is an app available through the Play Store which helps manage root permissions on rooted Android devices. When you go to install the programs that request root access, you will need to allow them through this program. A pop-up will automatically alert you when this happens.
 
Linux Deploy. This is fast becoming the standard for running Linux Distros on Android devices. There are lots of tutorials on the basics of setting up Kali using Linux Deploy, so I will skip that part and tell you some snags I hit that I had to dig to figure out.

- Logging in as root@localhost takes some work. You need to delete the included shell and symlink (ln -s) a better one. I found this series of commands on the GitHub issue list (https://github.com/meefik/linuxdeploy/issues/60):
  • Install Busybox somewhere (/system/xbin is fine)
  • Change ENV Directory (in linuxdeploy/settings) from /data/local/linux to
    /data/data/ru.meefik.linuxdeploy/linux
    and hit Update ENV
  • In a terminal:
      su -
      cd /data/data/ru.meefik.linuxdeploy/linux/bin
      rm sh chroot
      ln -s /system/bin/mksh sh
      ln -s /system/xbin/busybox chroot
  • Install Kali
  • In a terminal:
      su -
      . /data/data/ru.meefik.linuxdeploy/linux/bin/linuxdeploy shell
- Access to the phone's file system is configurable. By default mine was mounted to /mnt/0/

After that, I could log in to the server with the user I created (default is android) and I can access su, sudo, etc. I could also remove useless packages and bloatware from the device's host OS.

After creating the image during the install process you will get a Kali ARMhf Virtual Machine running VNC and SSH with the username you provided and the default password changeme. Connect using your preferred VNC or SSH client and begin managing your new Kali instance.

Change default SSH keys
#This moves the old keys to a folder called default_keys
cd /etc/ssh/
mkdir default_keys
mv ssh_host_* default_keys/


#This generates the new keys
dpkg-reconfigure openssh-server
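
To confirm the rotation above actually took effect, this added example (not part of the original post) compares each saved default public key with its replacement. The function names and the placeholder key files built in demo() are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the sshd host keys were
# regenerated after moving the image defaults into <dir>/default_keys.

# Print the base64 key blob (second field) of a .pub file.
key_blob() { awk 'NR == 1 { print $2 }' "$1"; }

# check_hostkeys_rotated DIR
# 0 = every saved default has a different replacement,
# 1 = a key is missing or unchanged, 2 = nothing saved to compare against.
check_hostkeys_rotated() {
    dir=$1 status=0 seen=0
    for old in "$dir"/default_keys/ssh_host_*_key.pub; do
        [ -f "$old" ] || continue          # glob matched nothing
        seen=1
        name=$(basename "$old")
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING   $name"; status=1
        elif [ "$(key_blob "$old")" = "$(key_blob "$dir/$name")" ]; then
            echo "UNCHANGED $name"; status=1
        else
            echo "ROTATED   $name"
        fi
    done
    [ "$seen" -eq 1 ] || { echo "no saved keys in $dir/default_keys"; return 2; }
    return "$status"
}

# Constructed sample: placeholder .pub files, not real keys.
demo() {
    d=$(mktemp -d) && mkdir "$d/default_keys" || return 3
    echo "ssh-rsa AAAAOLDRSA root@image" > "$d/default_keys/ssh_host_rsa_key.pub"
    echo "ssh-rsa AAAANEWRSA root@tab3" > "$d/ssh_host_rsa_key.pub"
    echo "ecdsa-sha2-nistp256 AAAAOLDEC root@image" > "$d/default_keys/ssh_host_ecdsa_key.pub"
    cp "$d/default_keys/ssh_host_ecdsa_key.pub" "$d/ssh_host_ecdsa_key.pub"
    rc=0; check_hostkeys_rotated "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# With a directory argument (e.g. /etc/ssh, as root), check that directory.
[ $# -eq 0 ] || check_hostkeys_rotated "$1"
```

Any UNCHANGED line means sshd is still presenting a host key that shipped with the image, so anyone holding the same image can impersonate the tablet's SSH server.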


Change default Password
As the default user:
passwd
Then enter your new password twice. Changing the root password is the same, except you execute the command while you are root.

Software (Kali Instance)
Pentester's Framework
Grab a copy of the Pentester's Framework. I have a fork available at https://github.com/dreilly369/ptf
Once you have cloned PTF and set it up, you can use it to install most of the popular security tools from the Kali Suite. You can also grab some of the other security-related forks I have on my GitHub to round out the list of available tools.

You will want to change the default location to store the tools on the microSD memory to avoid filling up your root file system. I think a few tools that make sense to have are:
  • Aircrack-ng 
  • Man-in-the-middle framework (my fork is at https://github.com/dreilly369/mitmf)
  • Discover 
  • Metasploit
  • Browser Exploitation Framework (BeEF)
  • Macchanger
  • Dsniff
These tools allow me to monitor the network, capture the traffic, do recon, catch shells, and all other manner of fun...without needing to pull out my whole laptop. I will be rolling out pre-configured versions in the next few months if you do not want to invest the time to do it yourself. I am targeting a price point closer to $250.00 so it will be a far more affordable option.
