24 January 2024

WiFi Hacking On Tablets

Disclaimer: Don't hack anything where you don't have the authorization to do so. Stay legal.

Ever since I bought my first Android device, I wanted to use the device for WEP cracking. Not because I need it, but I want it :) After some googling, I read that you can't use your WiFi chipset for packet injection, and I forgot the whole topic.

After a while, I read about hacking on tablets (this was around a year ago), and my first opinion was: 
"This is stupid, lame, and the usage of that can be very limited".

After playing one day with it, my opinion just changed: 
"This is stupid, lame, the usage is limited, but when it works, it is really funny :-)"

At the beginning I looked at the Pwn Pad as a device that can replace a pentest workstation, working at the attacker side. Boy was I wrong. Pwn Pad should be used as a pentest device deployed at the victim's side!

You have the following options:
  1. You have 1095 USD + VAT + shipping to buy this Pwn Pad
  2. You have around 200 USD to buy an old Nexus 7 tablet, a USB OTG cable, a USB WiFi dongle (e.g. TP-Link Wireless TL-WN722N USB adapter works).



In my example, I bought a used, old 2012 Nexus WiFi. Originally I bought this to play with different custom Android ROMs, and play with rooted applications. After a while, I found this Pwn Pad hype again and gave it a shot.

The Pwn Pad community edition has an easy-to-use installer, with a proper installation description. Don't forget to backup everything from your tablet before installing Pwn Pad on it!

I don't want to repeat the install guide, it is as easy as ABC. I booted a Ubuntu Live CD, installed adb and fastboot, and it was ready-to-roll. I have not measured the time, but the whole process was around 20 minutes.


The internal WiFi chipset can be used to sniff traffic or even ARP poisoning for active MiTM. But in my case, I was not able to use the internal chipset for packet injection, which means you can't use it for WEP cracking, WPA disauth, etc. This is where the external USB WiFi comes handy. And this is why we need the Pwn Pad Android ROM, and can't use an average ROM.

There are two things where Pwn Pad really rocks. The first one is the integrated drivers for the external WiFi with monitor mode and packet injection capabilities. The second cool thing is the chroot wrapper around the Linux hacking tools. Every hacking tool has a start icon, so it feels like it is a native Android application, although it is running in a chroot Kali environment.

Wifite

The first recommended app is Wifite. Think of it as a wrapper around the aircrack - airmon - airodump suite. My biggest problem with WEP cracking was that I had to remember a bunch of commands, or have the WEP cracking manual with me every time I have to crack it. It was overcomplicated. But thanks to Wifite, that is past.

In order to crack a WEP key, you have to:
  1. Start the Wifite app
  2. Choose your adapter (the USB WiFi)

  3. Choose the target network (wep_lan in the next example)
  4. Wait for a minute 
  5. PROFIT!

SSH reverse shell

This is one of the key functionalities of the Pwn Pad. You deploy the tablet at the Victim side, and let the tablet connect to your server via (tunneled) SSH.

The basic concept of the reverse shells are that an SSH tunnel is established between the Pwn Pad tablet (client) and your external SSH server (either directly or encapsulated in other tunneling protocol), and remote port forward is set up, which means on your SSH server you connect to a localport which is forwarded to the Pwn Pad and handled by the Pwn Pad SSH server.

I believe the best option would be to use the reverse shell over 3G, and let the tablet connect to the victim network through Ethernet or WiFi. But your preference might vary. The steps for reverse shells are again well documented in the documentation, except that by default you also have to start the SSH server on the Pwn Pad. It is not hard, there is an app for that ;-) On your external SSH server you might need to install stunnel and ptunnel if you are not using Kali. The following output shows what you can see on your external SSH server after successful reverse shell.

root@myserver:/home/ubuntu# ssh -p 3333 pwnie@localhost The authenticity of host '[localhost]:3333 ([127.0.0.1]:3333)' can't be established. ECDSA key fingerprint is 14:d4:67:04:90:30:18:a4:7a:f6:82:04:e0:3c:c6:dc. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[localhost]:3333' (ECDSA) to the list of known hosts. pwnie@localhost's password:   _____      ___  _ ___ ___   _____  _____ ___ ___ ___ ___  | _ \ \    / / \| |_ _| __| | __\ \/ / _ \ _ \ __/ __/ __|  |  _/\ \/\/ /| .` || || _|  | _| >  <|  _/   / _|\__ \__ \  |_|   \_/\_/ |_|\_|___|___| |___/_/\_\_| |_|_\___|___/___/   Release Version: 1.5.5  Release Date: 2014-01-30  Copyright 2014 Pwnie Express. All rights reserved.   By using this product you agree to the terms of the Rapid Focus  Security EULA: http://pwnieexpress.com/pdfs/RFSEULA.pdf   This product contains both open source and proprietary software.  Proprietary software is distributed under the terms of the EULA.  Open source software is distributed under the GNU GPL:  http://www.gnu.org/licenses/gpl.html  pwnie@localhost:~$

Now you have a shell on a machine that is connected to the victim network. Sweet :) Now Metasploit really makes sense on the tablet, and all other command-line tools.

EvilAP and DSniff

Start EvilAP (it is again a wrapper around airobase), choose interface (for me the Internal Nexus Wifi worked), enter an SSID (e.g freewifi), enter channel, choose whether force all clients to connect to you or just those who really want to connect to you, and start.


The next step is to start DSniff, choose interface at0, and wait :) In this example, I used a popular Hungarian webmail, which has a checkbox option for "secure" login (with default off). There are sooo many problems with this approach, e.g. you can't check the certificate before connecting, and the login page is delivered over HTTP, so one can disable the secure login checkbox seamlessly in the background, etc. In this case, I left the "secure" option on default off.



In the next tutorial, I'm going to show my next favorite app, DSploit ;)

Lessons learned

Hacking has been never so easy before
In a home environment, only use WPA2 PSK
Choose a long, nondictionary passphrase as the password for WPA2
Don't share your WiFi passwords with people you don't trust, or change it when they don't need it anymore
Don't let your client device auto-connect to WiFi stations, even if the SSID looks familiar

I believe during an engagement a Pwn Plug has better "physical cloaking" possibilities, but playing with the Pwn Pad Community Edition really gave me fun moments.

And last but not least I would like to thank to the Pwn Pad developers for releasing the Community Edition!

Read more


  1. Hacking Tools Kit
  2. Hacker Tools Free
  3. Hacker Tools
  4. Pentest Box Tools Download
  5. Hack Tools For Pc
  6. Easy Hack Tools
  7. Hack App
  8. Tools Used For Hacking
  9. Black Hat Hacker Tools
  10. Kik Hack Tools
  11. Hack Tools Download
  12. Install Pentest Tools Ubuntu
  13. Pentest Tools
  14. Pentest Tools Website Vulnerability
  15. Hack Tools For Windows
  16. Hacker Tools For Pc
  17. Pentest Tools Github
  18. Hacker Tool Kit
  19. Hackrf Tools
  20. Tools For Hacker
  21. Hacking Tools Usb
  22. Hacker Tool Kit
  23. Nsa Hack Tools Download
  24. Pentest Tools Online
  25. Hacking Tools For Windows
  26. Hacker Tools For Mac
  27. Hacker Tools Online
  28. Hack Tools For Games
  29. Pentest Tools Download
  30. Hacker Tools 2019
  31. Tools Used For Hacking
  32. Black Hat Hacker Tools
  33. Hacking Tools For Games
  34. Hack And Tools
  35. Hack Tools Download
  36. New Hacker Tools
  37. Hacker Tools For Mac
  38. Hacking Tools Usb
  39. Best Hacking Tools 2020
  40. Hack Tools For Windows
  41. Best Hacking Tools 2020
  42. Pentest Tools For Windows
  43. Pentest Tools Windows
  44. Pentest Tools Open Source
  45. Hacking Tools For Beginners
  46. Pentest Tools Review
  47. Underground Hacker Sites
  48. Hacking Tools For Games
  49. Hacking Tools Kit
  50. Growth Hacker Tools
  51. Pentest Tools For Windows
  52. Hacking Tools 2020
  53. Bluetooth Hacking Tools Kali
  54. Hacker Tools Hardware
  55. Pentest Tools For Android
  56. Hacks And Tools
  57. Pentest Tools Review
  58. Pentest Tools Find Subdomains
  59. Physical Pentest Tools
  60. Hacker Techniques Tools And Incident Handling
  61. Hack Tools For Pc
  62. Pentest Tools Open Source
  63. Hack Tools For Mac
  64. Hacking Tools Windows 10
  65. Hacking Tools For Mac
  66. Hak5 Tools
  67. Hacking Tools Mac
  68. Hacker Tools Apk Download
  69. Hacking Tools Windows
  70. Pentest Tools Alternative
  71. Pentest Tools For Android
  72. Pentest Tools Framework
  73. Best Pentesting Tools 2018
  74. Hacker Security Tools
  75. Bluetooth Hacking Tools Kali
  76. Hack App
  77. Hak5 Tools
  78. Hacks And Tools
  79. Pentest Tools
  80. Hacking Tools Online
  81. Hacker Tools Free Download
  82. Hacking Tools For Pc
  83. Best Pentesting Tools 2018
  84. Hacking Tools Windows
  85. Hacker Security Tools
  86. Hack Tools For Ubuntu
  87. Hacking Tools Windows 10
  88. New Hack Tools
  89. Best Pentesting Tools 2018
  90. Bluetooth Hacking Tools Kali
  91. Hacking Tools Free Download
  92. Hacker Tools Apk
  93. Hacker Hardware Tools
  94. Hacking Tools For Mac
  95. Hacker Tools Free
  96. Beginner Hacker Tools
  97. Hacking Tools Kit
  98. Pentest Tools For Mac
  99. How To Make Hacking Tools
  100. Hacking Tools For Mac
  101. Hacker Tools Apk
  102. Free Pentest Tools For Windows
  103. Easy Hack Tools
  104. Hack Tools Download
  105. Best Hacking Tools 2020
  106. Hacking Tools 2019
  107. Pentest Tools Free
  108. Hack Tools Download
  109. Pentest Tools Port Scanner
  110. Tools 4 Hack
  111. Hack Rom Tools
  112. How To Install Pentest Tools In Ubuntu
  113. Hackers Toolbox
  114. Pentest Automation Tools
  115. Pentest Tools Tcp Port Scanner
  116. What Are Hacking Tools
  117. Hacking Tools Windows 10
  118. Hacker Tools Linux
  119. Pentest Tools Find Subdomains
  120. Hacking Tools Online
  121. Nsa Hacker Tools
  122. What Is Hacking Tools
  123. Physical Pentest Tools
  124. Hack Tools For Windows
  125. Hacker Tools Hardware
  126. Ethical Hacker Tools
  127. Hacker Tools Windows
  128. Best Hacking Tools 2020
  129. Hacking Tools For Beginners
  130. Hacker Tools Software
  131. Pentest Tools Windows
  132. Pentest Tools Online
  133. Hacking Tools For Windows
  134. Tools 4 Hack
  135. Pentest Recon Tools
  136. Hacker Hardware Tools
  137. Hacking Tools Kit
  138. Hacking Tools 2019
  139. Hacker Tools Windows
  140. Hacker Tools Apk
  141. Hack Tools Mac
  142. Hacking Tools Github
  143. Hack Rom Tools
  144. How To Make Hacking Tools
  145. Pentest Tools For Android
  146. Termux Hacking Tools 2019
  147. Hacker Tools 2020
  148. Hacker Tools Github
  149. Pentest Tools Download
  150. Pentest Automation Tools
  151. Nsa Hack Tools
  152. Pentest Tools Review
  153. Pentest Recon Tools
  154. Ethical Hacker Tools
  155. Hack Tool Apk
  156. Growth Hacker Tools
  157. Hacking Tools Github
  158. Hacker Tools Hardware
  159. Nsa Hack Tools Download
  160. Hacker Tools For Windows
  161. Hacking Tools Mac
  162. Hack Tools Mac
  163. Pentest Tools Android
  164. Hacker Tools 2019
  165. How To Install Pentest Tools In Ubuntu
  166. Hacking Tools Online
  167. Pentest Tools List
  168. Hacker Tools For Mac
  169. Pentest Tools
  170. Hacker Tools For Pc
  171. Hacker Tools Linux
  172. Hacker Tools Github
  173. Hack App

Bookmark and Share

Posted by Surendra Tetarwal at 11:03 AM

Your Ad Here
 

blogger templates 3 columns | Make Money Online