oXis Posted March 10, 2017

Hi, I just ordered my Bash Bunny, and while I'm waiting for it, I'm gathering info for my project. On the GitHub, there is a payload to loot data from a Windows host and I would like to do the same for an Android phone. The idea will be to use adb to extract the data, but if the Debug Mode is not on (mostly the case for normal users) you can't really use adb. I have a Galaxy S5 mini (Android 4.4 I think) to test my code on.

The idea is to proceed like below:

1/ Being able to steal data from an -unlocked- phone with Debug mode enabled (I think this part is easy :) ).
2/ Being able to steal data from an -unlocked- phone with Debug mode disabled.
3/ Being able to steal data from a -locked- phone with Debug mode disabled.

Do you people have some kind of idea about how to do it? Like exploit a flaw to use adb or inject an app. I'm sure we can find something :)

VincBreaker Posted March 10, 2017

1. Since the Bash Bunny is a Linux box, you possibly could install the adb-tools if they are not bigger than 2 gigabytes (which is the free space you have on your bunny). You shouldn't have to install the complete Android toolset but just the adb-tools, so I think that may fit.
2. Try to connect a normal keyboard to your mobile and enable debug mode using it. If you can do so, you can use the HID attack vector to enable debug mode.
3. There is already an unlock script for Android in the ducky repo, maybe this will work for you. If not, you will have to find a way to unlock your phone / bypass the lock screen to enable the debug mode and exfiltrate data.

Good luck.

oXis (Author) Posted March 10, 2017

Thanks, I haven't thought about looking for Ducky scripts..., I actually found a script to bypass the lock screen, can't test it now though.

3 minutes ago, VincBreaker said:
"find a way to unlock your phone / bypass the lock screen to enable the debug mode"

Yes, that's what I'm looking for.

VincBreaker Posted March 10, 2017

22 minutes ago, oXis said:
"Thanks, I haven't thought about looking for Ducky scripts..., I actually found a script to bypass the lock screen, can't test it now though. Yes, that's what I'm looking for."

As I said, you already can do some research using a keyboard and an adapter to connect your keyboard / bunny to your phone. Maybe, the method used by the ducky script works for you, or you find a new way of bypassing the lock screen for your surely white hat / ethical hacking research...

oXis (Author) Posted March 10, 2017

1 minute ago, VincBreaker said:
"you find a new way of bypassing the lock screen"

I'm far from being able to do that.

LowValueTarget Posted March 10, 2017

Although I ordered mine on launch day, it shipped today. That being said, I have been thinking along the same lines as you as well. Since we'll primarily be dealing with unrooted, carrier-rom devices, picture exfil only at the moment. Here are my rough plans/ideas.

Plugging the BB into an Android device, pictures will be exfil'd to the BB via ADB or MTP.

Prereqs:
- The phone has to be unlocked, or unlockable
- The phone has to have MTP enabled or preferably USB debugging enabled

LED
-----
OFF - Detecting Exfil method
WHITE - ADB Exfil
WHITE (blink) - ADB Exfil nearing BB storage capacity
YELLOW - MTP Exfil
YELLOW (blink) - MTP Exfil nearing BB storage capacity
GREEN - Exfil completed or BB full
RED - Unable to exfil -- MTP or USB Debugging unavailable

1. Check to see if USB Debugging is enabled
2. If USB Debugging is enabled, set LED to WHITE and exfil data to BB via series of ADB pulls
   a. Check and sync BB filesystem every so often and blink LED WHITE if disk space is getting scarce.
   b. End data exfil if all photos are retrieved or BB disk is full - GREEN LED
   c. DONE
3. If USB Debugging is disabled, check to see if MTP is enabled
4. If enabled, set LED to YELLOW and exfil data to BB via MTP download
   1. Check and sync BB filesystem every so often and blink LED YELLOW if disk space is getting scarce.
   2. End data exfil if all photos are retrieved or BB disk is full - GREEN LED
   3. DONE

This is still all theoretical since I don't have my device yet, and I have a single Android to 'test' manually on.

Ideally, I would like to be able to enable USB Debugging via HID if disabled, simply because of throughput advantages over MTP. The roadblock right now is ensuring a method universal to most/all Android mobile devices. I haven't messed with that at all.

This approach could easily be modified to exfil other data accessible via ADB.

Mohamed A. Baset Posted March 11, 2017

13 hours ago, oXis said:
"Hi, I just ordered my Bash Bunny, and while I'm waiting for it, I'm gathering info for my project. On the GitHub, there is a payload to loot data from a Windows host and I would like to do the same for an Android phone. The idea will be to use adb to extract the data, but if the Debug Mode is not on (mostly the case for normal users) you can't really use adb. I have a Galaxy S5 mini (Android 4.4 I think) to test my code on. The idea is to proceed like below: 1/ Being able to steal data from an -unlocked- phone with Debug mode enabled (I think this part is easy :) ). 2/ Being able to steal data from an -unlocked- phone with Debug mode disabled. 3/ Being able to steal data from a -locked- phone with Debug mode disabled. Do you people have some kind of idea about how to do it? Like exploit a flaw to use adb or inject an app. I'm sure we can find something :)"

Search about this attack "adb p2p attack", might help!

LowValueTarget Posted March 14, 2017 (edited)

Just a heads up. I'm not sure the bunny supports communication to USB devices as a host. No luck as of yet.

Edited March 14, 2017 by LowValueTarget

Harold Finch Posted February 14, 2018

Who solved this problem? I have the same problem, too. I need to install any apk to my Android phone with Bash Bunny. I installed adb tools to bunny with ssh, but can't install any apk to my phone with bunny.