Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

OK, let's pentest mobile devices. This lesson covers internal network scanning through a compromised mobile device. Participants learn step by step how to use SPF (the Smartphone Pentest Framework) to run nmap from the device and collect the results for information gathering. This lesson also gives step by step instructions on how to regenerate the shellcode in an existing exploit and cross-compile it for the device.
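The lesson regenerates Meterpreter shellcode with msfvenom (excluding the War FTP bad characters, output as C) and then pastes it into an existing C exploit without touching any offsets, because the new payload is the same size as the old one (317 bytes). The following is an added example, not code from the lesson or from SPF: it automates the two checks a practitioner wants before doing that paste, namely that no bad character survived and that the length still matches what the exploit's offsets assume. The bad-character set (NUL, LF, CR) is an assumption standing in for whatever was found during exploit development, and the sample payload text is constructed to look like msfvenom `-f c` output, not real Metasploit bytes.

```python
"""Sanity-check a regenerated shellcode blob before dropping it into a C exploit.

Added example for the SPF lesson; not part of SPF or the original page.
Checks performed:
  1. no byte from the bad-character list appears in the new shellcode, and
  2. the new shellcode is exactly the length the exploit's offsets assume.
"""
import re

# Assumed bad characters for the War FTP exploit (NUL, LF, CR). Replace with
# the list actually found during exploit development.
BAD_CHARS = b"\x00\x0a\x0d"

# Length the existing C exploit's offsets were built around (317 bytes in the lesson).
EXPECTED_LEN = 317


def parse_c_shellcode(c_text: str) -> bytes:
    """Extract raw bytes from msfvenom-style C output.

    The -f c format is 'unsigned char buf[] =' followed by one or more C string
    literals such as "\\xfc\\xe8\\x82...". Every \\xNN escape inside a quoted
    literal is collected; the declaration and trailing ';' are ignored.
    """
    out = bytearray()
    for literal in re.findall(r'"((?:\\x[0-9a-fA-F]{2})*)"', c_text):
        out.extend(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', literal))
    return bytes(out)


def find_bad_chars(shellcode: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return (offset, byte) pairs for every bad character present in the payload."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def check_drop_in(shellcode: bytes, expected_len: int = EXPECTED_LEN,
                  bad: bytes = BAD_CHARS) -> dict:
    """Report whether the new shellcode can replace the old one without offset changes."""
    hits = find_bad_chars(shellcode, bad)
    return {
        "length": len(shellcode),
        "size_ok": len(shellcode) == expected_len,
        "bad_chars": hits,
        "drop_in_ok": len(shellcode) == expected_len and not hits,
    }


def to_c_literal(shellcode: bytes, per_line: int = 15) -> str:
    """Re-emit bytes as C string literals, 15 per line, in msfvenom's -f c layout."""
    lines = []
    for i in range(0, len(shellcode), per_line):
        chunk = shellcode[i:i + per_line]
        lines.append('"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return "unsigned char buf[] =\n" + "\n".join(lines) + ";"


# Constructed sample in msfvenom -f c style (NOT real payload bytes). It is
# deliberately short and contains NUL bytes so the checks have something to flag.
SAMPLE_C = 'unsigned char buf[] = \n"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0";'

if __name__ == "__main__":
    sc = parse_c_shellcode(SAMPLE_C)
    print(check_drop_in(sc))
```

If `drop_in_ok` is false because of the size, the exploit's buffer padding and return-address offsets have to be recomputed rather than pasted over; if it is false because of bad characters, the msfvenom `-b` list was incomplete or the encoder failed, and the payload must be regenerated.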

Video Transcription

00:04
Okay, now let's take a look at something else entirely.
00:09
Well, kind of the same thing. This is probably my favorite way
00:13
to do
00:18
pen testing through mobile devices. So we'll take a look at our XP system
00:26
where I have War FTP, like we did in our exploit development section.
00:32
We're just going to nmap
00:40
the device, and it's going to be straight through the phone. So it is going to download the nmap
00:46
application.
00:47
Yeah, it's going to run it against that device, and it's going to record the results and upload them back to us.
00:54
So you can imagine if we did a long
00:56
list of hosts, say we gave it a subnet, that would take a while. We just did one host, so it should be pretty quick.
01:03
So in this case, we are all on the same network. We're just on my VMware, basically.
01:07
But you could see how this would be useful. If we had this on a phone that then went to work or went to the coffee shop or went home, we could use this to physically bypass the perimeter. Now we're doing an internal scan through the phone. Our phone knows TCP/IP, so there's no reason it can't run this.
01:25
Currently, it just does the -sS scan and not the -sV, so that's something I need to change, to certainly
01:36
give you more options, at least for nmap.
01:40
We also need to put in, like, tunneling so you can do
01:45
Nessus or even run Metasploit modules straight through.
01:49
There's no reason we can't do, like, IP tunneling,
01:53
since I have SMS tunneling in it. There's no reason we can't do that. That's an upcoming feature. There's a lot of upcoming features. In fact, about the time I finish these videos,
02:04
I'm going to spend some time working on updates for SPF. So since this is
02:09
number 13, that should be pretty soon.
02:16
Give it a little bit of time to finish.
02:21
Get the nmap results.
02:36
Back to view information gathered. It should put it in a file.
02:46
It's in the file
02:50
under /root/Smartphone-Pentest-Framework/frameworkconsole, a text file.
03:00
Oh, does it? I thought
03:02
it did -sS. You can actually see the command in here.
03:07
It hasn't finished.
03:09
This is just an empty output, but
03:14
give it a little more time and it should give us the actual ports.
03:17
I'll pull the command again
03:22
until it's done.
03:35
I'm still going to give you more options on nmap. Right now, it just
03:38
does exactly that. You can see the command. It puts it into that folder.
03:46
Downloaded file. Shoulder
03:49
area only
03:53
no
03:54
does.
03:54
It just does -sS. It doesn't do a very good job of telling you.
04:06
Actually, it's not -sS, that was obviously something else.
04:10
It just does -sS,
04:13
or it might do -sT,
04:15
whatever the default is. So I guess that used to be -sV, so I need to change it. All right, so what we're going to do
04:21
is use this War FTP Meterpreter exploit.
04:28
But we need to change the shellcode in it. So we're going to use msfvenom, same as we did
04:33
in our exploit development sections.
04:36
We're going to regenerate the shellcode to go back to us at this IP address.
04:42
Need to do those bad characters that we had
04:46
in exploit development for War FTP,
04:51
the port, and the format we want it to be, C. This is going to have to be C code at this point.
05:00
I am working on making it so that you could just pivot through.
05:08
Well, I forgot LHOST. Oops.
05:11
Back to basics for me.
05:27
Making sure it's at the right IP address.
05:29
I'm working on making it so that you could pivot through. You could hook up Metasploit to it, even reuse Python scripts. But as it is right now, it needs to be compiled so it can run on the phone. They'll pretty much run some sort of C-like
05:43
or even C proper
05:46
on there currently. Also, they can run
05:49
C programs if they're compiled for the correct
05:53
chipset. This is an ARM device, so I'm going to compile it with an ARM cross compiler.
06:00
We're not running on ARM,
06:01
well, the Linux box isn't. So I can't just use the regular GCC, but there's our shellcode.
06:27
One of the few times I like to use vi: I use that dd command to get rid of the shellcode that's in there,
06:43
dd over and over to get rid of those lines,
07:02
and then, call me old-fashioned, I'm just going back to nano, which I'm more comfortable with,
07:09
to finish it. I could finish it in vi as well, if that's what I was more comfortable with. I just really like nano, particularly for doing
07:19
I'm just going to paste in my new shellcode here. I'm not going to have to worry about any of the offsets
07:24
since it's the same size. If it was anything besides 317 bytes, if there had been changes in msfvenom, I might have to worry about the offsets, and I didn't code this particularly well, so it wouldn't be much fun, but in this case I can just leave it alone and just drop in the new shellcode.
07:43
That example is, again, in the exploiting Windows
07:46
sections, or you will have it when you pull down SPF. It is an example. Anything you have C code for, you can use this with.
07:54
Then I just want to go to compile code to run on mobile devices, number nine,
07:59
compile code for ARM Android.
08:01
Give it
08:03
what we want to compile and where we want to put it.
08:07
It'll just be doing GCC, except for ARM devices, so it uses the cross compiler in it
08:13
that we can use.
08:46
Saving it on the desktop. It does throw some warnings;
08:50
you don't have to worry about that. I just may not code very well in C. It does compile.
08:56
We'll go back to agent control and tell it
08:58
we want to download a file. Tell it to download this file that I just created. It will automatically, when it downloads it, make it executable, as well as this being our
09:09
files directory for this application.
09:37
We'll open up the msfconsole,
09:41
spell it correctly.
09:46
I'm just going to have it... I did use windows/meterpreter/reverse_tcp and gave it this guy as the
09:52
LHOST. So it was just going to call back here. Naturally, we could put this in the cloud somewhere, after setting up an Amazon instance or something
10:01
for that,
10:07
and tell it, and it would call out through the perimeter. It does, as I mentioned, have an SMS capability. So instead of
10:13
calling out
10:15
over TCP or HTTP or HTTPS, whatever you tell it to, you can just have it do a regular reverse shell inline. Open up a TCP listener on the phone,
10:26
well, in this case on port 4444.
10:30
The target, in this case Windows XP, calls back to the phone. The phone can send it out
10:35
to its controller, in this case via SMS,
10:39
via a text message,
10:41
which the controller will pass back on to the SPF console and show it to you.
10:46
You can send it commands and it'll send it back through again to us via SMS, and actually bypass the entire perimeter that way.
10:54
So you can't really do that with emulators, as they don't really do SMS
10:58
properly.
11:00
Emulate it
11:01
if you will. But there are some videos, if you
11:05
look out
11:05
on the internet, that show it, like at SkyDogCon in Nashville, 2013. I did it live on stage because I'm insane. But it did work.
11:18
Set up our handler
11:22
for Windows Meterpreter.
11:24
And if I can spell it correctly,
11:26
it's not my day for typing.
11:41
Okay, we're just going to do the regular
11:43
callback over TCP, network-based rather than SMS-based. It can do both.
11:50
We've got our handler. So now we've had plenty of time to download the file. We're going to do seven, execute command,
11:56
so it gives us the option to execute downloaded files as well as any built-in
12:01
command that we have access to.
12:05
But we need to give it the IP address and the port we want to attack. That's just based on the C code,
12:11
with the IP address of XP and port 21. Was it downloaded? Yes. So that tells it to look in the downloads folder, so that files folder,
12:20
for it.
12:22
If we give it a little bit of time, it does have to check in and get the commands. We're using HTTP, and it will execute. It will go on the attack against our Windows XP machine,
12:35
and then we should get a session in Metasploit. It looks like we just did.
12:39
So again, they're all on the same network here, so it's not as exciting, but you can see how it would be. We could be far, far away from that XP machine, but the phone goes to work and has direct network access to it.
12:52
Now we just have a
12:54
Meterpreter session on it. So we have
12:58
complete control of it. You could think of this as calling out to the cloud. Probably that XP machine has internet access.
13:05
We could start doing some of the things we did
13:09
in post exploitation: find
13:13
plaintext passwords. We've got hashdump.
13:16
Use mimikatz
13:18
to get a plaintext password,
13:20
and run a
13:22
Meterpreter script, getgui,
13:26
to enable remote desktop, which, if we weren't on the same network as this, we wouldn't just be able to do this, but
13:33
okay.
13:35
Example.
13:46
For show. These are standalone examples I use on stage.
13:52
Here, um, I actually got access to the system. I would just turn on remote desktop
13:56
so that I could read people's email.
14:00
You know, sometimes if it's,
14:01
if you haven't been to this class, just a Meterpreter session may not seem that interesting. So pull up the desktop,
14:09
show the email. So just a little bit of an introduction to Smartphone Pentest Framework; that was just a couple of things it can do.
14:16
There's a lot more.

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor