1 / 37

Mobile Hacking - Fundamentals

Mobile Hacking - Fundamentals. Presenter: Christopher Clayden | christopher.clayden@gmail.com. Mobile Hacking – Fundamentals AGENDA. Brief overview on the mobile threat landscape Discussion on possible attack vectors Examples of exploitation Learn how to protect ourselves Demonstration

emccann
Télécharger la présentation

Mobile Hacking - Fundamentals

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mobile Hacking - Fundamentals Presenter: Christopher Clayden | christopher.clayden@gmail.com

  2. Mobile Hacking – Fundamentals AGENDA • Brief overview on the mobile threat landscape • Discussion on possible attack vectors • Examples of exploitation • Learn how to protect ourselves • Demonstration • Questions

  3. Mobile Hacking - The Mobile threat landscape Who are the top contenders in the global mobile OS market? • Android – 84.1% • IOS – 14.8% • Microsoft – 0.7% • RIM – 0.2% http://www.statista.com/statistics/266136/global-market-share-held-by-smartphone-operating-systems/

  4. Mobile Hacking - The Mobile threat landscape Over 1.4 billion people across the world are using Android devices, according to Google. Unlike Apple’s iOS, Android is not tied to a specific manufacturer, making it's OS the top dog of the global OS market (Statistica). However, since Android dominates the smartphone market, it presents an ideal opportunity for hackers to tap into a large base of user information. It’s essential for Android users, as well as iOS users, to learn how to protect themselves. https://www.blackhat.com/latestintel/05122016-mobile-hacking.html

  5. Mobile Hacking - Attack Vectors Possible vectors for exploitation include: • Manual Installation • Direct Access to the device • Use of client-server programs – ex: ADB • Social Engineering • Text Messages – ex: stagefright • RCE vulnerabilities – ex: ADB • exploit/android/adb/adb_server_exec • Etc.

  6. Mobile Hacking - Hacking Android – Example 1 Example 1 • Manual Installation • Raw payload saved in apk format generated with msfvenom • Standard reverse meterpreter

  7. Mobile Hacking - Hacking Android – Example 1

  8. Mobile Hacking - Hacking Android – Example 1

  9. Mobile Hacking - Hacking Android – Example 1

  10. Mobile Hacking - Hacking Android – Example 1

  11. Mobile Hacking - Hacking Android – Example 1

  12. Mobile Hacking - Hacking Android – Example 1

  13. Mobile Hacking - Hacking Android – Example 1

  14. Mobile Hacking - Hacking Android – Example 1

  15. Mobile Hacking - Hacking Android – Example 2 Android Debug Bridge - ADB Android Debug Bridge (ADB) is a versatile command line tool that lets you communicate with an emulator instance or connected Android-powered device. It is a client-server program. • In order to use ADB; developer options must be unlocked and USB debugging enabled. • On Android 4.2 and higher, the Developer options screen is hidden by default. • When running Android 4.2.2 or higher, there is a security mechanism (refereed to as secure USB debugging) where the android system shows a dialog asking the user to accept an RSA key that allows debugging through the computer.

  16. Mobile Hacking - Hacking Android – Example 2 Vulnerabilities have been found in Android that allow attackers to bypass Android’s secure USB debugging which allows them to: • Install Applications • Bypass Android's lock screen - Pattern/PIN locks • Obtain Shells • Etc.. https://developer.android.com/studio/command-line/adb.html

  17. Mobile Hacking - Hacking Android – Example 2

  18. Mobile Hacking - Hacking Android – Example 3 Embed a payload into any android application The Injection process high level: Disassemble the apk files – apktool Both payload and our original application Copy our payload in smali format to the original application Modify the Android Manifest file – AndroidManifest.xml from the original application to include any additional permission required for the payload in addition to services. Modify the smali code in original application to inject new smali code to invoke our payload when the original application is launched. Assemble the new apk file – apktool Generate new keys & sign the apk file Deploy

  19. Mobile Hacking - Hacking Android – Example 3 Embed payload Preamble: Apktool - https://ibotpeaches.github.io/Apktool/ A tool for reverse engineering Android apk files Manifest Every application must have an AndroidManifest.xml file (with precisely that name) in its root directory. The manifest file provides essential information about your app to the Android system, which the system must have before it can run any of the app's code. https://developer.android.com/guide/topics/manifest/manifest-intro.html Smali Smali/Baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The names "Smali" and "Baksmali" are the Icelandic equivalents of "assembler" and "disassembler" respectively. https://www.youtube.com/watch?v=h98KtUgUOsg

  20. Mobile Hacking - Hacking Android – Example 3

  21. Mobile Hacking - Hacking Android – Example 3

  22. Mobile Hacking - Hacking Android – Example 3

  23. Mobile Hacking - Hacking Android – Example 3

  24. Mobile Hacking - Hacking Android – Example 3

  25. Mobile Hacking - Hacking Android – Example 3

  26. Mobile Hacking - Hacking Android – Example 3

  27. Mobile Hacking - Hacking Android – Example 3

  28. Mobile Hacking - Hacking Android – Example 3

  29. Mobile Hacking - Hacking Android – Example 3

  30. Mobile Hacking - Hacking Android – Example 3

  31. Mobile Hacking - Hacking Android – Example 3

  32. Mobile Hacking - Hacking Android – Example 3

  33. Mobile Hacking - Hacking Android – Example 3

  34. Mobile Hacking - Hacking Android – Example 3

  35. Mobile Hacking - HELP What can we do to protect ourselves? Start with the basics... • Keep your OS up to date • Keep your applications up to date • Never install anything untrusted • Don't leave your phone laying around • Don't root your phone • Turn off external communication when not in use/needed; ex: Bluetooth • Be mindful of the wireless network that you are connecting to • Use Anti-virus software

  36. Mobile Hacking - DEMO DEMO

  37. Mobile Hacking – Questions? QUESTIONS?

More Related