Saturday, March 2, 2013

Android Pentest, Pentesting using Android? [Part 1]

Android is a Linux-based operating system developed by Google. As with other security-oriented Linux systems (such as Backtrack Linux), we can turn an Android smartphone into a pentest tool or a network analysis device. There are two ways to do Android pentesting: install a Linux distro together with network penetration testing tools, as in my previous post (Install Backtrack on Android), or turn the Android smartphone itself into a pen-testing device. In this post I will use the second option and turn the Android device into a pen-testing device (Android Pentest).


We will use dSploit for Android pentesting. dSploit is a free Android pen-testing tool: an all-in-one network analysis application for the Android environment that is free to download. It allows the user to perform network security assessments and penetration tests, and it is designed to be quick, handy, user friendly, and easy.

Requirements for Android pentest using dSploit
- Android 2.3 (Gingerbread) or above
- Rooted device
- BusyBox installed (https://play.google.com/store/apps/details?id=com.jrummy.busybox.installer&hl=en)

Download dSploit from https://github.com/evilsocket/dsploit/downloads and install it. Before you open dSploit and start the Android pentest, you must be connected to a network over WiFi.


Let's take a look at the modules available in dSploit: RouterPWN, Trace, Port Scanner, Inspector, Vulnerability Finder, Login Cracker, Packet Forge, and MITM.

dSploit automatically maps the network you are connected to and detects the other hosts on it. As an Android pentest tool, dSploit recognizes the network subnet mask, the network gateway, the router, your own device, and the MAC addresses of all active devices connected to the network.


In this first part of Android Pentest I will try the MITM attack. By selecting the network subnet mask or a certain device or host, you can perform MITM (man-in-the-middle) attacks such as network sniffing, session hijacking, killing connections, redirecting all HTTP traffic, injecting JavaScript, etc.


You can choose the MITM module and launch it against the victim. You can use Password Sniffer to capture the victim's password for a website when he/she logs in to it.


Password Sniffer logs are stored in /sdcard/dsploit-password-sniff.log by default.


That's all for part 1 of this Android pentest tutorial. In the next post I'll explore the other dSploit modules that help with Android pentesting.

1 comment:

  1. I would like to introduce you to DroidSQLi, the first MySQL Injection tool for Android.

    DroidSQLi is the first automated MySQL Injection tool for Android. It allows you to test your MySQL-based web application against SQL injection attacks. It supports the following injection techniques:
    - Time based injection
    - Blind injection
    - Error based injection
    - Normal injection

    It automatically selects the best technique to use and employs some simple filter evasion methods.

    Check it out at the Google Play store => https://play.google.com/store/apps/details?id=net.edgard.droidsqli
