User:Harita mittal/sandbox

Capstone Information Security Project

No Branch Bank (imaginary bank)

Android Penetration Testing & Metasploit

Project Proposal

Executive Summary

BYOD (Bring Your Own Device) is a widely used approach that companies adopt to keep up with rapidly evolving technology and the demands of the employee work environment. As BYOD culture grows in corporate environments, the security of these devices becomes a matter of concern. The majority of BYOD devices are smartphones (Apple, Android, Windows Phone, BlackBerry), wearables (Apple Watch, Android Wear), etc. These devices run different operating systems, each with its own vulnerabilities, and those vulnerabilities can be exploited by hackers to infiltrate the corporate network. The sole purpose of this project is therefore to perform penetration testing on the BYOD Android devices of No Branch Bank’s employees. On the basis of this testing we would arrive at a decision on how to secure BYOD Android devices, governed by company policies and provincial laws.

Background and Significance

Android is an open source mobile operating system, developed by Google and the Open Handset Alliance, which is based on the Linux kernel, with applications developed exclusively in Java. Unlike ordinary Java programs, which run on the Java Virtual Machine (JVM), applications developed for Android run on the Dalvik Virtual Machine (DVM). Moreover, it comes with a rich development environment, Android Studio, which includes a device emulator, debugging tools and similar facilities. Android’s online store, the Play Store, now has more than one million apps available to download. With the never-ending rise and expansion of technology and the increasing ease of using it, it has become important to test every area of the network. People are becoming smarter day by day, and so are hackers. Smartphones have become the need of the hour; no one can imagine life without one. Technically, smartphones are miniature computers capable of doing, on a smaller scale, the same things a computer can do. No matter how secure a network is, a device brought in from outside can open doors for infiltrating it. Pentesting BYOD devices is therefore a critical aspect to keep in mind when setting up a new network.

Requirements

 * PC with Kali Linux installed, or a Kali Linux Live image on USB (Metasploit comes pre-installed)
 * 3 Android Smartphones

Summary of Design

Pre-requisite:

Make sure the target Android device(s) and the testing Android device or the Metasploit PC are on the same Local Area Network.

There are two methods to perform this penetration testing:
 * 1) Using Metasploit for Windows, or Metasploit pre-installed on Kali Linux
 * 2) Using Android tools on one Android device, or a web proxy such as Burp Suite (if the target device is an emulated device), to intercept communication between the other Android smartphones

Phase 1
 * Gathering and studying information about Android pentesting (referenced books, SANS projects, DEFCON)
 * Gathering tools, including a penetration testing tool capable of testing Android devices
 * Re-determining the scenarios based on lessons learnt (must be approved by Harita)
 * Designing the architecture blueprint of the lab in Microsoft Visio on the basis of the approved scenarios
 * Preparing the lab environment infrastructure

Phase 2
 * Installation and configuration

Phase 3
 * Conducting Penetration Testing
 * Preparing android device for Method 1
 * Making necessary changes in android phone
 * Installing some communication apps
 * Executing Method 1

Phase 4
 * Conducting Exploits
 * Preparing android device for Method 2
 * Making necessary changes in android phone
 * Installing some communication apps
 * Unlock and root android device(s)
 * Executing Method 2

Phase 5
 * Demonstration
 * Documenting outcomes and developing a recommended security strategy for securing BYOD android devices

Feasibility

Technical feasibility:

This project is technically feasible because the tools and equipment proposed for it are limited in number and most of them have already been tested by their developers and by other organisations. Moreover, only stable versions will be used in this project.

Economic feasibility:

This project is economically feasible as well, because the cost incurred will be within the bank’s budget: most of the tools for this project are free or open source, apart from a few tools and hardware components.

Operational feasibility:

This project will have minimal effect on the normal operations of the bank because it will be implemented on just one PC and three Android devices, which will use minimal bank bandwidth.

Validation

This project needs validation from the bank’s higher management because we will need to pentest employees’ BYOD devices, which could be used to infiltrate the network.

Deliverables

 * To deliver the steps to defend the bank’s network from Metasploit exploitation.
 * To deliver the steps to defend the bank’s network from passive & active hacking attacks.
 * To deliver the recommended security plan for BYOD Android Devices.

Legal and Regulatory Issues

A prior contract with the bank is needed in order to carry out this project, because it involves testing, for security purposes, employees’ BYOD Android devices that are used to access the bank’s confidential data on a daily basis. However, as it is level 3 testing (penetration testing), it is not concerned with the bank’s policies. We acknowledge that if we come into contact with any information that is of no use for the purpose of penetration testing, we will disregard it. We acknowledge that we will keep the legal, ethical and professional aspects in mind while carrying out this testing.

Timeline/Milestones

Summary

To recapitulate, this project will try to find minor to major vulnerabilities in the Android OS and show how those vulnerabilities can be exploited. Moreover, it will provide best-practice solutions to those problems, which can be implemented in the bank using Mobile Device Management (MDM). Thus, it will make employees’ Android devices secure and BYOD a worthwhile decision for the bank.

Phase 1 Report

Method 1:

We searched for Android penetration testing using Metasploit on the internet and in the e-book ‘Metasploit Penetration Testing Cookbook’. For Method 1 only one exploitation scenario is possible, because it involves using Metasploit commands only. So we approved that scenario.

Approved Scenario:

 * 1) Go to Settings > Security and allow installation of apps from unknown sources on two Android devices.
 * 2) Install some SNS apps such as WhatsApp, Facebook, Twitter, etc. on the two Android devices.
 * 3) Start the Kali Linux PC and launch Metasploit.
 * 4) Create a backdoored malicious APK using Metasploit. This APK will allow us to access the target device over a reverse TCP connection.
 * 5) Now set up a Metasploit listener on the attacker side that will accept the reverse TCP connection.
 * 6) Now make sure to stay anonymous (advisable if pentesting a phone on an unknown network) using OpenVPN, Orbot or Orweb.
 * 7) Now send the malicious APK to one of the Android devices using phishing or social engineering.
 * 8) As soon as the malicious app has been installed on one of these devices, use the multi handler exploit on your Metasploit machine.
 * 9) Set the reverse TCP Android payload, the local and remote hosts and the local port in Metasploit.
 * 10) Now run the exploit command in Metasploit.
 * 11) Various commands can now be used on the device to view running processes, search for and retrieve a file, take photos with the front or back camera, and record sound using the device’s microphone.
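Seen from the bank’s side, step 11 only works because the backdoor app carries camera, microphone and file permissions alongside network access. The following is an added example, not part of the proposal, of how an app-vetting step in the recommended BYOD plan could triage an APK’s manifest for that profile; the rule set and the sample manifest are constructed for illustration.

```python
# Added example, not part of the proposal: triage an APK's AndroidManifest.xml
# for the permission profile the post-exploitation step above relies on (camera,
# microphone, files, contacts) combined with network access and boot persistence.
# The rule set and the sample manifest are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that enable the actions step 11 describes.
SENSITIVE = {
    "android.permission.CAMERA": "take photos with the front or back camera",
    "android.permission.RECORD_AUDIO": "record sound with the microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "search for and read files",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.READ_SMS": "read text messages",
}
PERSISTENCE = "android.permission.RECEIVE_BOOT_COMPLETED"
NETWORK = "android.permission.INTERNET"

def triage_manifest(xml_text):
    """Return (risk, findings); risk is 'low', 'medium' or 'high'."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = [f"{p}: can {why}" for p, why in SENSITIVE.items() if p in perms]
    if PERSISTENCE in perms:
        findings.append(f"{PERSISTENCE}: restarts after every reboot")
    # A reverse-TCP backdoor needs INTERNET plus sensor or data access; boot
    # persistence on top of several such permissions is the strongest signal.
    if NETWORK in perms and PERSISTENCE in perms and len(findings) >= 3:
        risk = "high"
    elif NETWORK in perms and findings:
        risk = "medium"
    else:
        risk = "low"
    return risk, findings

# Constructed sample manifest: it asks for network, camera, microphone,
# storage and boot start, with no feature that would justify the combination.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""
```

Calling triage_manifest(SAMPLE_MANIFEST) returns 'high' with four findings, while a manifest that declares only INTERNET comes back 'low' with none.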

Method 2:

We searched for the different scenarios possible for Android penetration testing. However, most of them involved using nearly the same tools. The following was the scenario considered for a passive attack on the target device:

 * 1) Use packet sniffers such as Intercepter-NG, Shark for Root or PacketShark to sniff the communication between two Android devices (Device A & B).
 * 2) Use Wireshark for Android, Veracode, tPacketCapture, etc. to analyse these packets.
 * 3) Now Device C knows what has been sent by Device A to Device B.
 * 4) To exploit further, use passive vulnerability scanners such as PVS and others.
 * 5) Now Device C knows about vulnerabilities that can be exploited. It can use session hijacking vulnerabilities to obtain usernames/passwords or other credentials directly. Tools such as DroidSheep and FaceNiff can be used here.

Approved Scenario:

 * 1) First, go to Settings > Developer options and turn on USB debugging.
 * 2) Now go to Settings > Security and allow installation of apps from unknown sources (not needed if done already).
 * 3) Install some SNS apps such as WhatsApp, Facebook, Twitter, etc. on two Android devices.
 * 4) Unlock and root Android Device A (sender), Device B (receiver) and Device C (the man-in-the-middle device) using one of these tools: SuperOneClick, Superboot, One Click Root or Kingo Android ROOT.
 * 5) Use one of these root checkers: Unrevoked, RescueRoot or Unlock Root Pro to verify the root status of the devices.
 * 6) If this verification succeeds, we are ready to go.
 * 7) Make sure that the Android phones have been rooted properly.
 * 8) Now make sure to make Device C anonymous (to hide its identity) using OpenVPN, Orbot or Orweb, Arpspoof, etc.
 * 9) Send a message from Device A to Device B on any of the social apps.
 * 10) Pick up Android Device C and use apps such as Port Scanner, Fing, Network Discovery, Anmap, etc. to detect target Devices A and B and the open ports available on these devices on the local network.
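Steps 1, 2 and 4 above put a device in exactly the state the bank’s BYOD policy should reject: USB debugging on, unknown sources allowed and root access present. As an added example that is not part of the proposal, the following check evaluates device facts of the kind an MDM agent or adb would collect against such a baseline; the fact keys, patch-level floor and sample devices are constructed.

```python
# Added example, not part of the proposal: a device-posture check of the kind an
# MDM agent would run before a BYOD device may reach bank data. Fact keys are
# modelled on `adb shell settings get <namespace> <key>` and `getprop` output;
# keys, thresholds and the sample devices are constructed for illustration.

MIN_PATCH_LEVEL = "2016-09-01"  # illustrative policy floor, YYYY-MM-DD

def is_rooted(facts):
    # Test-keys build tags or an su binary on the device are common root markers.
    return facts.get("ro.build.tags") == "test-keys" or bool(facts.get("su_binaries"))

# (rule description, predicate that must hold for a compliant device)
RULES = [
    ("USB debugging must be off",
     lambda f: f.get("global.adb_enabled", "0") != "1"),
    ("Developer options must be disabled",
     lambda f: f.get("global.development_settings_enabled", "0") != "1"),
    ("Installs from unknown sources must be blocked",  # legacy key, pre-Android 8
     lambda f: f.get("secure.install_non_market_apps", "0") != "1"),
    ("Device must not be rooted",
     lambda f: not is_rooted(f)),
    ("Security patch level must meet the policy floor",  # unknown level fails
     lambda f: f.get("ro.build.version.security_patch", "") >= MIN_PATCH_LEVEL),
]

def check_compliance(facts):
    """Return the description of every rule the device fails (empty = compliant)."""
    return [desc for desc, ok in RULES if not ok(facts)]

# Constructed sample: a lab phone prepared as steps 1, 2 and 4 above describe
# (USB debugging on, unknown sources allowed, rooted with an su binary).
LAB_DEVICE = {
    "global.adb_enabled": "1",
    "global.development_settings_enabled": "1",
    "secure.install_non_market_apps": "1",
    "ro.build.tags": "release-keys",
    "su_binaries": ["/system/xbin/su"],
    "ro.build.version.security_patch": "2016-10-01",
}

# Constructed sample: an untouched phone that should pass every rule.
CLEAN_DEVICE = {
    "global.adb_enabled": "0",
    "global.development_settings_enabled": "0",
    "secure.install_non_market_apps": "0",
    "ro.build.tags": "release-keys",
    "su_binaries": [],
    "ro.build.version.security_patch": "2016-10-01",
}
```

A device whose patch level cannot be read fails the patch rule rather than passing by default, which is the conservative choice for an enrolment gate.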

Passive Attack on target device:

For the passive attack, we have considered using complete Android pentesting suites (zANTI or dSploit), which include network discovery, packet sniffing, packet analysis, vulnerability scanners, etc.
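Both the passive scenario above and the suites named here depend on Device C routing the other devices’ LAN traffic through itself, which on a Wi-Fi network usually means ARP poisoning (the Arpspoof role in step 8). The following added example, not part of the proposal, shows how a defender on the same LAN could detect that from observed ARP replies; the capture and addresses are constructed.

```python
# Added example, not part of the proposal: detect the ARP poisoning that a
# man-in-the-middle device on the LAN (the "Device C" role above, using tools
# such as Arpspoof, zANTI or dSploit) relies on. Input is a list of observed
# ARP replies as (seconds, sender_ip, sender_mac); the replies are constructed.
from collections import defaultdict

def detect_arp_spoof(replies, gateway_ip):
    """Return alert strings: an IP whose MAC changes, or a MAC claiming several IPs."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            role = "gateway" if ip == gateway_ip else "host"
            alerts.append(f"t={t}s: {role} {ip} moved from "
                          f"{sorted(ip_to_macs[ip])} to {mac}")
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        # One interface answering for both the gateway and a host at the same
        # time is the classic signature of ARP-based interception.
        if len(ips) > 1:
            alerts.append(f"{mac} answers for {len(ips)} IPs: {sorted(ips)}")
    return alerts

# Constructed capture: a quiet LAN, then Device C (MAC ending in c0) starts
# answering for both the gateway and Device A.
GATEWAY = "192.168.1.1"
SAMPLE_REPLIES = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway
    (1, "192.168.1.20", "aa:bb:cc:00:00:20"),   # Device A
    (2, "192.168.1.21", "aa:bb:cc:00:00:21"),   # Device B
    (30, "192.168.1.1", "aa:bb:cc:00:00:c0"),   # Device C claims the gateway
    (30, "192.168.1.20", "aa:bb:cc:00:00:c0"),  # ... and Device A
]
```

On a real network the same logic can be fed from a switch’s ARP log or a capture on the access point; a static ARP entry for the gateway on managed devices removes the gateway half of the attack entirely.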

Active Attack on target device:

 * 1) Perform DoS and DDoS attacks on the Android device(s) (Device A & B) using apps such as AnDOSid, LOIC, etc.
 * 2) Check for vulnerabilities such as a cross-application-scripting error in the Android browser. It would allow us to break out of the web browser’s sandbox using malicious JavaScript code. Apps such as Nessus, Nikto Droid and WPScan can be used to accomplish this task.
 * 3) Then check for vulnerabilities such as passwords stored in plaintext in a SQLite database, and whether Skype uses an unencrypted SQLite database to store data. Apps such as DroidSQLi, Sqlmapchik, etc. can be used for this purpose.
 * 4) Next, try to exploit Android intents (breaking Android’s communication channel) to obtain the user’s sensitive data. ComDroid can be used here.
 * 5) Detect any capability leaks on the Android device. We can use the Woodpecker tool to detect such leaks.
 * 6) These capability leaks in Android can allow us to inject a malicious APK that gives us direct access to the victim’s (Device A or B) camera, file storage, contacts, etc.

Lab setup for Method 1:
 * Metasploit for Windows, or Oracle VMware/Kali Linux installed, and Android phone(s) prepared
 * Wi-Fi access point set up.

Lab setup for Method 2:
 * Tools installed on Android phone(s).
 * Wi-Fi access point set up.

End of Phase 1 Report

References