Jump to content
Pol DeNais

Mobile App security Demo

Recommended Posts

Hi All,

new to the forum so was looking for some advice and help. I am looking at purchasing the hak5 Essentials Field kit (really because it looks cool) for a demo at a stand that I have to give on Mobile App Security in my workplace. I know the Field kit isn't exactly linked to anything related to Mobile App Security but I was thinking on just giving a demo on "the dangers connecting to Public Wifis". The audience passing through aren't in any distinct working group within cybersecurity so they sometimes just like to see something simple and related to Cybersecurity that would shock them in their everyday lives. 

 

I was just wondering if anyone has any other ideas that I could demo on using the kit, that lets say was exactly related to Mobile App security or Mobile security as I will have various android and iOS devices sitting on the stand.

 

Sorry for all the long reading above.

 

thanks,

Paul

 

Share this post


Link to post
Share on other sites

Hey bro, welcome to hak5.

Got a bit of a cheeky idea for a demo ?

Try to get a hold of one of the senior exec’s phone or the CEO’s (for greater effect). Tell them it’s for a harmless educational demo on the topic of “why you shouldn’t give strangers your phone”.

Then pump a meterpreter payload into it and dump their txt messages and pics onto the big screen. Hopefully there’s something in there from a mistress or the secretary (if you know what I mean). People are definitely going to be shocked at how quickly you departed the company ?

I’m jk ?

I wouldn’t recommend doing any live demos (especially with wifi). You could inadvertently breach your company’s IT policy or even a federal law. Anyway, I can't tell you how to run your show. Check out the Pineapple nano forums for payload ideas since that’s what you’d be getting in the field kit.

Let us know how the demo goes ?

Share this post


Link to post
Share on other sites

Thanks Icarus255 ?

 

I should have said my Live Demo Would be on a private network that is setup for test purposes. The devices again connected to this would be test devices and none of the audience will be able to connect to our network. 

 

Thanks again 

Share this post


Link to post
Share on other sites

To be completely honest with you, I have never used any of the hak5 WiFi gear. I have the BB (which I love) and received my packet squirrel  yesterday. You have to keep in mind that these are just automated tools and frameworks designed to help pen-testers and enthusiasts learn about IT security. You can carry out the same wifi attacks with your laptop and two wireless adapters that the pineapple can .

I don't work in IT but I work for a large organisation and I still recommend just showing a video demo of your exploits rather than doing anything live. Wifi signals are hard to control unless you know what you're doing and if you've never used the tools before.... anyway I said my warnings and disclaimers.

Once you have users on a network (regardless of whether it's open or protected) where you can control and manipulate traffic, a malicious user can carry out a wide variety of attacks starting from simple traffic captures, enrcyption downgrades, DNS spoofing, and packet injection. The goal in most cases is to either capture login credentials and/or distribute malware. These attacks are much harder to carry out in real life though because web developers, browser vendors, and AV products will use their own defences to protect their users against these attacks.

There are many tools out there that will help you with your educational requirements. Evil Portal and Wifi Phisher are just some examples and can get you started on your journey.

https://github.com/wifiphisher/wifiphisher

https://github.com/frozenjava/EvilPortalNano

https://github.com/kbeflo/evilportals

I haven't used these tools before so I can't tell you how to use them but I'm sure there have been some discussions on the forums and the google ?

Good luck, amigo.

Share this post


Link to post
Share on other sites

Everyone has there own idea of what a computer hacker does and should be able to do. No single hacker is the same all unique. Same goes with the tools used. Lots of different ones out there. Do what you feel is right.

Edited by Bigbiz

Share this post


Link to post
Share on other sites
2 hours ago, Bigbiz said:

Everyone has there own idea of what a computer hacker does and should be able to do. No single hacker is the same all unique. Same goes with the tools used. Lots of different ones out there. Do what you feel is right.

Thanks Bigbiz. Yes everyone to their own. I never used the hak5 gear so was just looking for ideas on it as it might be useful and easy to setup. 

Share this post


Link to post
Share on other sites
5 hours ago, icarus255 said:

To be completely honest with you, I have never used any of the hak5 WiFi gear. I have the BB (which I love) and received my packet squirrel  yesterday. You have to keep in mind that these are just automated tools and frameworks designed to help pen-testers and enthusiasts learn about IT security. You can carry out the same wifi attacks with your laptop and two wireless adapters that the pineapple can .

I don't work in IT but I work for a large organisation and I still recommend just showing a video demo of your exploits rather than doing anything live. Wifi signals are hard to control unless you know what you're doing and if you've never used the tools before.... anyway I said my warnings and disclaimers.

Once you have users on a network (regardless of whether it's open or protected) where you can control and manipulate traffic, a malicious user can carry out a wide variety of attacks starting from simple traffic captures, enrcyption downgrades, DNS spoofing, and packet injection. The goal in most cases is to either capture login credentials and/or distribute malware. These attacks are much harder to carry out in real life though because web developers, browser vendors, and AV products will use their own defences to protect their users against these attacks.

There are many tools out there that will help you with your educational requirements. Evil Portal and Wifi Phisher are just some examples and can get you started on your journey.

https://github.com/wifiphisher/wifiphisher

https://github.com/frozenjava/EvilPortalNano

https://github.com/kbeflo/evilportals

I haven't used these tools before so I can't tell you how to use them but I'm sure there have been some discussions on the forums and the google ?

Good luck, amigo.

Thanks for the info above. Live demos yes are the trickiest things to do in Security but we find now that audiences prefer live as it seems more genuine. Even recently we done a live hack where things did go wrong and our team recovered during it and the audience actually loved it because things did go wrong and they seen it was genuine then rather than a video. 

Share this post


Link to post
Share on other sites

just some quick thoughts ?

For demo purposes, i would recommend a laptop running dual alfa wifi cards, as it's easier to use a laptop if something goes wrong, or you need to adapt.
I usually do it that way, and keep the HAK5 stuff for easy depployment on field tests if need be.

But, as for showing the dangers of wifi, i would say you're on the right track, if you can demonstrate deployment of malware, capturing credentials, dns spoofing, java-script injection and stuff like that. Just simple stuff, but with an impact none the less. It really shows why you shouldn't be using the network on McD or Starbucks without a VPN ?

Something like DNSchef, Beef-Xss, Metasploit and Blackeye captive portal comes to mind ?

As far as using videos, I think you're right. Better to make mistakes "live" than using a video. It better demonstrates what can be done and the tech behind it.
Even though I failed at a demo, and had to try a second time, it gave everybody an opportunity to talk about the tech behind it, why it failed, what to do about it, and so on. So what could have been a dissaster, ended up begin a really nice talk with the people present about a lot of stuff related to security, and the ides and technologies behind the demo.

Share this post


Link to post
Share on other sites

I remembered an article I read a while back about people using open wifis to mine moneroz and other cryptos. I can't remember where I read the original article but could be an interesting idea for a demo. Link below is a summary of the method.

https://www.helpnetsecurity.com/2018/01/08/public-wifi-cryptocurrency-mining/

The idea is to inject some inital js code into the user's requested html page which calls the crypto miner. The link above summarises the process in a bit more detail... ?

The article talks about using CoffeeMiner but I guess you could achieve similar outcomes with mitmfm etc.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...