
Android data looting


oXis

Hi,

I just ordered my Bash Bunny, and while I'm waiting for it, I'm gathering info for my project.

On the github, there is a payload to loot data from a Windows host and I would like to do the same for an Android phone. The idea will be to use adb to extract the data, but if the Debug Mode is not on (mostly the case for normal users) you can't really use adb.

I have a Galaxy S5 mini (Android 4.4 I think) to test my code on. The idea is to proceed like below:

1/ Being able to steal data from an -unlocked- phone with Debug mode enabled (I think this part is easy :) ).

2/ Being able to steal data from an -unlocked- phone with Debug mode disabled.

3/ Being able to steal data from a -locked- phone with Debug mode disabled.

Do you people have some kind of idea about how to do it? Like exploit a flaw to use adb or inject an app. I'm sure we can find something :)


1. Since the Bash Bunny is a Linux box, you possibly could install the adb-tools if they are not bigger than 2 gigabytes (which is the free space you have on your Bunny). You shouldn't have to install the complete Android toolset but just the adb-tools, so I think that might fit.

2. Try to connect a normal keyboard to your mobile and enable debug mode using it. If you can do so, you can use the HID attack vector to enable debug mode.

3. There is already an unlock script for Android in the Ducky repo; maybe this will work for you. If not, you will have to find a way to unlock your phone / bypass the lock screen to enable the debug mode and exfiltrate data. Good luck.


Thanks, I haven't thought about looking for Ducky scripts..., I actually found a script to bypass the lock screen, can't test it now though.

3 minutes ago, VincBreaker said:

find a way to unlock your phone / bypass the lock screen to enable the debug mode

Yes, that's what I'm looking for.


22 minutes ago, oXis said:

Thanks, I haven't thought about looking for Ducky scripts..., I actually found a script to bypass the lock screen, can't test it now though.

Yes, that's what I'm looking for.

As I said, you can already do some research using a keyboard and an adapter to connect your keyboard / Bunny to your phone. Maybe the method used by the Ducky script works for you, or you find a new way of bypassing the lock screen for your surely white hat / ethical hacking research...


Although I ordered mine on launch day, it shipped today.

That being said, I have been thinking along the same lines as you as well. Since we'll primarily be dealing with unrooted, carrier-rom devices, picture exfil only at the moment.

Here are my rough plans/ideas.

Plugging the BB into an Android device, pictures will be exfil'd to the BB via ADB or MTP.

Prereqs:

- The phone has to be unlocked, or unlockable
- The phone has to have MTP enabled or preferably USB debugging enabled

LED
-----
OFF - Detecting Exfil method
WHITE - ADB Exfil
WHITE (blink) - ADB Exfil nearing BB storage capacity
YELLOW - MTP Exfil
YELLOW (blink) - MTP Exfil nearing BB storage capacity
GREEN - Exfil completed or BB full
RED - Unable to exfil -- MTP or USB Debugging unavailable

1. Check to see if USB Debugging is enabled
2. If USB Debugging is enabled, set LED to WHITE and exfil data to BB via series of ADB pulls
   a. Check and sync BB filesystem every so often and blink LED WHITE if disk space is getting scarce.
   b. End data exfil if all photos are retrieved or BB disk is full - GREEN LED
   c. DONE

3. If USB Debugging is disabled, check to see if MTP is enabled
4. If enabled, set LED to YELLOW and exfil data to BB via MTP download
    1. Check and sync BB filesystem every so often and blink LED YELLOW if disk space is getting scarce.
    2. End data exfil if all photos are retrieved or BB disk is full - GREEN LED
    3. DONE


This is still all theoretical since I don't have my device yet, and I have a single Android to 'test' manually on.

Ideally, I would like to be able to enable USB Debugging via HID if disabled, simply because of throughput advantages over MTP. The roadblock right now is ensuring a method universal to most/all Android mobile devices. I haven't messed with that at all.

This approach could easily be modified to exfil other data accessible via ADB.


13 hours ago, oXis said:

Hi,

I just ordered my Bash Bunny, and while I'm waiting for it, I'm gathering info for my project.

On the github, there is a payload to loot data from a Windows host and I would like to do the same for an Android phone. The idea will be to use adb to extract the data, but if the Debug Mode is not on (mostly the case for normal users) you can't really use adb.

I have a Galaxy S5 mini (Android 4.4 I think) to test my code on. The idea is to proceed like below:

1/ Being able to steal data from an -unlocked- phone with Debug mode enabled (I think this part is easy :) ).

2/ Being able to steal data from an -unlocked- phone with Debug mode disabled.

3/ Being able to steal data from a -locked- phone with Debug mode disabled.

Do you people have some kind of idea about how to do it? Like exploit a flaw to use adb or inject an app. I'm sure we can find something :)

search about this attack "adb p2p attack", might help!
