hacker multitool from an old smartphone

They say that laziness is the engine of progress. In my opinion, competition works better. The freedom to choose devices, applications and information is now the driving force that motivates developers to create and improve their products. Today I want to discuss what alternatives the famous pentester multitool might have. Sit back comfortably, and welcome under the cut.

Why a smartphone?

Today the choice of devices for any vulnerability researcher is very wide: from a tiny but powerful UMPC like the GPD Win 4 to a single-board computer like the Raspberry Pi Zero. Of course, out of the box such devices have nothing to do with penetration testing or exploiting undocumented features. All of that is the job of software, from self-written scripts to ready-made distributions like Kali Linux (formerly BackTrack).

But each such device has a fixed set of interfaces for interacting with the outside world, and that limits its capabilities from the start. In most cases the number of interfaces can be increased by adding so-called “modules”: an extra network card, a wireless interface, or some kind of RFID tag programmer. This is a reasonable but difficult path: you have to take into account device compatibility and whether software exists for a specific hardware platform.

Almost everyone has a slightly outdated Android smartphone lying around, and it is essentially the same kind of portable computer, with a bunch of interfaces and a well-understood procedure for connecting additional devices. Using a smartphone for pentesting looks attractive until the time comes to evaluate how many interfaces are available and how easily superuser access can be obtained. The first is fairly easy to judge from the specifications of a particular device. The second is not so simple: not every smartphone can be rooted easily and cleanly, and for some models the option is not provided at all. So the first thing to do when choosing a device is to look at a specialized forum like 4pda and make sure the smartphone can be subjected to this wonderful procedure.

Ethernet

Now a few words about connecting additional interfaces. Here Android is often able to surprise. For example, I decided to check whether my old smartphone would see the simplest 100 Mbps USB network card. To connect a USB device I will use an adapter that has Type-C on one side and offers USB-A, HDMI, VGA and a 3.5 mm jack on the other:

USB-C adapter with a USB network card connected

From my parts bin I dig out the simplest USB network adapter, assembled in China, plug it into the adapter and then into the smartphone. Purely for the sake of experiment, I turn off mobile data and Wi-Fi. After a second, a new connection icon appears in the notification shade, and voilà, the network is working. Now I know for sure that there are no problems connecting almost any smartphone to a regular wired network or network device. In most cases the drivers are in the OS kernel, so it comes up without any fuss.

Huawei P9 Lite connected to the network

I only had three old smartphones on hand, so I decided to see if this would work with all of them:

  1. Huawei P9 Lite (Android 9) – works.

  2. Huawei P Smart Z (EMUI 12) – works.

  3. Blackview P6600 Pro (Android 11) – unexpectedly does not work, although the USB hub sees it.

A curious but logical picture emerges. If the firmware developer did not strip the standard drivers for such USB network adapters out of the kernel, everything comes up without problems. Otherwise, alas, you can only try to add the required driver to the kernel yourself, which will not always work. But let's give the Blackview another chance and plug one of my favorite Chinese RTL-SDR USB sticks into it.
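The "enumerated but no driver" case above can be told apart from "no driver support in the kernel at all" without guessing. The shell functions below are an added example, not from the article: run as root in an adb shell or Termux, they read sysfs and the kernel config (the sysfs root and the config file are parameters, so the functions can also be exercised against a constructed directory tree).

```shell
#!/bin/sh
# Added example (not from the article): a sysfs/proc check for why a USB
# network adapter did or did not come up on an Android phone. Run as root in
# an adb shell or Termux; each function takes a sysfs root or a file as $1 so
# it can also be exercised against a constructed directory tree.

# Interfaces that hang off the USB bus. Every entry in class/net is a symlink
# into the device tree, and a USB-attached NIC resolves to a path such as
# .../usb1/1-1/1-1:1.0/net/eth0, so look for a "usbN" component in the target.
usb_net_ifaces() {
    sysroot="${1:-/sys}"
    for link in "$sysroot"/class/net/*; do
        [ -e "$link" ] || continue
        case "$(readlink -f "$link")" in
            */usb[0-9]*/*) basename "$link" ;;
        esac
    done
}

# USB interfaces (directories named bus-port:config.iface) that the kernel
# enumerated but no driver claimed: a bound interface has a "driver" symlink.
# This is the "the hub sees it, but nothing happens" case from the article.
unbound_usb_interfaces() {
    sysroot="${1:-/sys}"
    for dev in "$sysroot"/bus/usb/devices/*:*; do
        [ -d "$dev" ] || continue
        [ -e "$dev/driver" ] || basename "$dev"
    done
}

# Whether the kernel was built with the generic USB NIC framework (built in
# or as a module). $1 is a plain-text kernel config; on the phone, produce
# one with:  zcat /proc/config.gz > /data/local/tmp/config
kernel_has_usbnet() {
    grep -q -E '^CONFIG_USB_USBNET=(y|m)' "$1"
}

# Stand-alone run against the live system:  sh usbnic-check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "USB network interfaces:"; usb_net_ifaces /sys
    echo "USB interfaces without a driver:"; unbound_usb_interfaces /sys
    if zcat /proc/config.gz > /data/local/tmp/config 2>/dev/null; then
        if kernel_has_usbnet /data/local/tmp/config; then
            echo "CONFIG_USB_USBNET: yes"
        else
            echo "CONFIG_USB_USBNET: no (driver was cut from the kernel)"
        fi
    else
        echo "/proc/config.gz not available on this kernel"
    fi
fi
```

If the adapter shows up under "USB interfaces without a driver" and `CONFIG_USB_USBNET` is missing, the firmware vendor stripped the driver stack and no app will fix that; if the framework is present but the interface is still unbound, only the chip-specific driver (for example for a particular Realtek or ASIX part) is absent.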

SDR

But just plugging it in is not enough: for the SDR to work we need the appropriate software and a modified driver. Fortunately, such a program and driver are available on Google Play. It's called SDR Touch, and it turns the combination of a smartphone and an RTL-SDR dongle into a primitive but fully working SDR receiver. The only condition is that it is compatible only with rooted phones. First we install the SDR driver application, then SDR Touch, and finally for $12 we buy a license for this wonderful software. We connect it to the Blackview P6600 Pro, which I rooted a year ago:

SDR Touch running on Blackview P6600 Pro

Everything works great, and now you can take this bundle anywhere convenient. The huge Blackview battery can keep the resulting SDR receiver running for a long time. But neither of my Huaweis will work: as far as I know, there is no easy way to unlock their bootloader. The catch is that this requires an OEM code, and Huawei provided it only on request and only until 2018. After that, that's it: no root rights for you, and they don't care about your complaints. There seem to be paid utilities, but nobody guarantees the result. If one of our readers shares a working unlocking method, I will be very grateful.

UART

USB-to-UART

Next, I tried connecting a USB-to-UART level converter from FTDI to communicate with other devices over UART. To check it, I will connect to a Raspberry Pi 3 B+ on which the UART was enabled beforehand on the standard pins (enable_uart=1 in config.txt on the bootfs partition):

  • RPi Pin 8 / GPIO14 – FTDI TXD;

  • RPi Pin 10 / GPIO15 – FTDI RXD;

  • RPi Pin 6 / Ground – FTDI GND.

For Android there are convenient applications such as Serial USB Terminal and UsbTerminal. They detect the device type on their own and give you access to it in a couple of taps:

List of automatically detected devices in UsbTerminal

Now we boot the Raspberry Pi and after a few seconds we see a prompt to log into the device console:

Successful connection to Raspberry via UART

We enter the user's login and password, after which we get full access to the system. You don't need to connect a monitor and keyboard to run simple, basic commands. At this point the phone works only as an input/output device, but it gives you full control without needing Wi-Fi or Bluetooth, which lets these devices do more interesting things.

AndraX

Installing AndraX build 4 (image source)

Let's move on to the most interesting part. Since Android is based on the Linux kernel, it can run scripts originally written for Linux. One independent developer decided that it would be nice to take the Metasploit Framework, add Nmap, Aircrack-ng and a lot of other goodies to it, and build a convenient interface for launching them. This is how AndraX was born; it promises to turn almost any smartphone running Android 5 or higher into a pentester tool.

But that is only on paper, where everything is simple and clear. The reality is extremely disappointing. If we are talking about scripts that are not tied to specific smartphone hardware, it will work. But as soon as it comes to, for example, capturing the handshake of a WPA-protected wireless network, a number of problems arise.

The fact is that for attacks of this kind to succeed, the Wi-Fi adapter must be switched into a special “promiscuous” mode (monitor mode). Firstly, not every Wi-Fi adapter allows this trick, although with some effort it can be made to work on certain smartphone models, such as the Xiaomi Redmi Note 3. Secondly, without root rights it will not work either. And if you connect an external Wi-Fi adapter, there is a high probability that it will not start out of the box, and you will have to patch the kernel and then flash the phone with it. There are plenty of opportunities to break something.
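Whether the driver reports monitor mode at all is something to establish before spending evenings on kernel patches. The functions below are an added example, not from the article or from AndraX: they parse the output of `iw list` (assumed to be available, for instance from a Termux or NetHunter chroot, and saved to a file) and report whether the Wi-Fi PHY advertises monitor mode; a trivial root check covers the second prerequisite.

```shell
#!/bin/sh
# Added example (not from the article): check the two prerequisites the text
# names, monitor-mode support in the Wi-Fi driver and root, before any
# kernel surgery. Assumes `iw` is installed; capture its output first with
#   iw list > /data/local/tmp/iw.txt
# so the parsing can also be run against a saved or constructed file.

# Print the interface modes advertised by every PHY in an `iw list` dump ($1).
# The relevant section looks like:
#     Supported interface modes:
#          * managed
#          * monitor
#     Band 1:
# so collect "* ..." lines after the header and stop at the first line that
# is not a bullet (the "software interface modes" block is parsed the same way
# if present, which is fine: it lists modes that can always be added).
supported_modes() {
    awk '
        /Supported interface modes:/ { inblock = 1; next }
        inblock && /^[[:space:]]*\* / { sub(/^[[:space:]]*\* /, ""); print; next }
        inblock && !/^[[:space:]]*\*/ { inblock = 0 }
    ' "$1"
}

# Exit 0 if "monitor" is among the advertised modes, 1 otherwise.
wifi_supports_monitor() {
    supported_modes "$1" | grep -qx 'monitor'
}

# Exit 0 when running as root (uid 0), 1 otherwise.
have_root() {
    [ "$(id -u)" -eq 0 ]
}

# Stand-alone run:  sh wifi-check.sh --live
if [ "${1:-}" = "--live" ]; then
    dump=/data/local/tmp/iw.txt
    iw list > "$dump" 2>/dev/null || echo "iw list failed (no iw, or no permission)"
    if wifi_supports_monitor "$dump"; then
        echo "driver advertises monitor mode"
    else
        echo "driver does not advertise monitor mode: a custom kernel/driver would be needed"
    fi
    have_root && echo "running as root" || echo "not root"
fi
```

Note that an advertised mode is only the driver's claim; vendor firmware on phones sometimes lists monitor mode and still drops frames, so a positive answer here means "worth trying", not "will work".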

At some point the creator of AndraX decided to stir up some hype: he deleted the official group and project repositories, and then started a rumor that the developer had allegedly been killed. A couple of weeks later, however, he triumphantly returned to the network with his “I’m back, m*****f*******.” Another release followed. The story made a lot of noise back then; the discussion can be found on 4pda.

At the time of writing, the project is more dead than alive. The official website is down, and downloading custom builds is absolutely unsafe. Everything here is entirely at your own peril and risk. Both the APK and an archive with the scripts have been spotted on GitHub, but there is no guarantee that it will start at all. I tested it in several Android emulators, and none of them worked correctly.

Kali NetHunter

Kali NetHunter interface on a Nexus smartphone (image source)

Now let's look at another interesting project to turn an Android smartphone into a pentester tool. Kali NetHunter is a separate branch of the Kali Linux project. The developers decided not to waste time on trifles and made their set of tools in three possible versions:

  1. NetHunter Rootless for smartphones without root rights.

  2. NetHunter Lite for rooted devices with custom recovery.

  3. NetHunter for rooted phones of certain models, for which the developers built a separate kernel.

The last option lets you go all out, because the reworked kernel makes it possible to do all the tricks the stock kernel is not capable of. In addition, it allows you to connect a regular monitor via HDMI and get a full-fledged desktop with basic tools. Surprisingly, there are even a couple of images for WearOS smartwatches (TicWatch Pro/Pro 4G/LTE/Pro 2020 and TicWatch Pro 3 GPS/Pro 3 LTE/Pro 3 Ultra GPS/Pro 3 Ultra LTE).

I would like to note right away that, unlike AndraX, the Kali NetHunter project is alive and regularly updated. It is recommended to replace the stock firmware with clean AOSP or LineageOS (formerly CyanogenMod). Instead of the stock recovery you should install TWRP, and to obtain superuser rights, Magisk. This bundle gives you complete control over the system, at your own peril and risk, of course.

The Kali NetHunter suite contains a large number of different tools, including ones that let the phone pose as various USB devices: from a keyboard whose keystrokes can be pre-programmed to a USB drive that exposes any ISO/IMG image. In addition, if your smartphone is not on the list of recommended ones, you can try to build a custom image for your specific model using the Kernel builder.
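The flip side of that capability is worth keeping in mind for the machines such a phone gets plugged into: a host can refuse gadgets that combine storage with a keyboard or a network interface. The rule file below is an added example, not part of the article or of NetHunter; it uses USBGuard's rule language (the file path and the choice of which classes to reject are assumptions to adapt; the interface class numbers are the standard USB ones: 08 mass storage, 03 HID, 02 CDC).

```text
# /etc/usbguard/rules.conf (constructed example). Rules are evaluated in
# order and the first match wins; create a baseline for the devices already
# attached with `usbguard generate-policy` and append these rules after it.

# A "flash drive" that also presents a keyboard (HID, with or without the
# boot-keyboard subclass) or a network interface (CDC) is the shape of a
# keystroke-injection or rogue-NIC gadget: reject it outright.
reject with-interface all-of { 08:*:* 03:00:00 }
reject with-interface all-of { 08:*:* 03:01:01 }
reject with-interface all-of { 08:*:* 02:*:* }

# Anything not matched above stays blocked until an administrator reviews it
# (`usbguard list-devices` to see it, `usbguard allow-device <id>` to admit it).
block
```

The catch-all `block` at the end is what makes the policy default-deny; without it, an unlisted device falls through to the daemon's implicit policy.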

The project is distinguished by good documentation, which is updated and supplemented more or less regularly. You can ask questions on Discord or IRC (#kali-linux on irc.oftc.net), and read the forums and discussions of published images on XDA.

What's the result?

It is definitely possible to turn a smartphone into a convenient and functional pentester tool. The main thing is to choose the right model. The easiest way, in my opinion, is to focus on the list of available Kali NetHunter images and purchase the desired device on the secondary market; there are more than enough offers. But even in this case, be prepared to spend a lot of hours getting everything working correctly.

As for the comparison with Flipper Zero, everything depends on the task at hand. If a portable device that can talk UART is important to you, almost any rooted phone together with a suitable level converter will do the job. For greater flexibility you can even add an Arduino Mega and get everything and the kitchen sink for working with GPIO.

Porting the same Kali NetHunter to your device is an excellent task for more than one evening. It can even become a separate hobby for those who like to study operating systems and build their own kernels. There is great scope for creativity here, and you can rightfully be proud of the successful result.

Have you tried turning an Android smartphone into a pentester tool? Tell us in the comments.