WiFi Hacking On Tablets

Disclaimer: Don't hack anything where you don't have the authorization to do so. Stay legal.

Ever since I bought my first Android device, I wanted to use the device for WEP cracking. Not because I need it, but I want it :) After some googling, I read that you can't use your WiFi chipset for packet injection, and I forgot the whole topic.

After a while, I read about hacking on tablets (this was around a year ago), and my first opinion was: 

"This is stupid, lame, and the usage of that can be very limited".

After playing one day with it, my opinion just changed: 

"This is stupid, lame, the usage is limited, but when it works, it is really funny :-)"

At the beginning I looked at the Pwn Pad as a device that can replace a pentest workstation, working at the attacker side. Boy was I wrong. Pwn Pad should be used as a pentest device deployed at the victim's side!

You have the following options:

1. You have 1095 USD + VAT + shipping to buy this Pwn Pad
2. You have around 200 USD to buy an old Nexus 7 tablet, a USB OTG cable, a USB WiFi dongle (e.g. TP-Link Wireless TL-WN722N USB adapter works).

In my example, I bought a used, old 2012 Nexus WiFi. Originally I bought this to play with different custom Android ROMs, and play with rooted applications. After a while, I found this Pwn Pad hype again and gave it a shot.

The Pwn Pad community edition has an easy-to-use installer, with a proper installation description. Don't forget to backup everything from your tablet before installing Pwn Pad on it!

I don't want to repeat the install guide, it is as easy as ABC. I booted a Ubuntu Live CD, installed adb and fastboot, and it was ready-to-roll. I have not measured the time, but the whole process was around 20 minutes.

The internal WiFi chipset can be used to sniff traffic or even ARP poisoning for active MiTM. But in my case, I was not able to use the internal chipset for packet injection, which means you can't use it for WEP cracking, WPA disauth, etc. This is where the external USB WiFi comes handy. And this is why we need the Pwn Pad Android ROM, and can't use an average ROM.

There are two things where Pwn Pad really rocks. The first one is the integrated drivers for the external WiFi with monitor mode and packet injection capabilities. The second cool thing is the chroot wrapper around the Linux hacking tools. Every hacking tool has a start icon, so it feels like it is a native Android application, although it is running in a chroot Kali environment.

Wifite

The first recommended app is Wifite. Think of it as a wrapper around the aircrack - airmon - airodump suite. My biggest problem with WEP cracking was that I had to remember a bunch of commands, or have the WEP cracking manual with me every time I have to crack it. It was overcomplicated. But thanks to Wifite, that is past.

In order to crack a WEP key, you have to:

1. Start the Wifite app
2. Choose your adapter (the USB WiFi)
   
   
   
3. Choose the target network (wep_lan in the next example)
4. Wait for a minute 
5. PROFIT!

SSH reverse shell

This is one of the key functionalities of the Pwn Pad. You deploy the tablet at the Victim side, and let the tablet connect to your server via (tunneled) SSH.

The basic concept of the reverse shells are that an SSH tunnel is established between the Pwn Pad tablet (client) and your external SSH server (either directly or encapsulated in other tunneling protocol), and remote port forward is set up, which means on your SSH server you connect to a localport which is forwarded to the Pwn Pad and handled by the Pwn Pad SSH server.

I believe the best option would be to use the reverse shell over 3G, and let the tablet connect to the victim network through Ethernet or WiFi. But your preference might vary. The steps for reverse shells are again well documented in the documentation, except that by default you also have to start the SSH server on the Pwn Pad. It is not hard, there is an app for that ;-) On your external SSH server you might need to install stunnel and ptunnel if you are not using Kali. The following output shows what you can see on your external SSH server after successful reverse shell.

root@myserver:/home/ubuntu# ssh -p 3333 pwnie@localhost The authenticity of host '[localhost]:3333 ([127.0.0.1]:3333)' can't be established. ECDSA key fingerprint is 14:d4:67:04:90:30:18:a4:7a:f6:82:04:e0:3c:c6:dc. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[localhost]:3333' (ECDSA) to the list of known hosts. pwnie@localhost's password:   _____      ___  _ ___ ___   _____  _____ ___ ___ ___ ___  | _ \ \    / / \| |_ _| __| | __\ \/ / _ \ _ \ __/ __/ __|  |  _/\ \/\/ /| .` || || _|  | _| >  <|  _/   / _|\__ \__ \  |_|   \_/\_/ |_|\_|___|___| |___/_/\_\_| |_|_\___|___/___/   Release Version: 1.5.5  Release Date: 2014-01-30  Copyright 2014 Pwnie Express. All rights reserved.   By using this product you agree to the terms of the Rapid Focus  Security EULA: http://pwnieexpress.com/pdfs/RFSEULA.pdf   This product contains both open source and proprietary software.  Proprietary software is distributed under the terms of the EULA.  Open source software is distributed under the GNU GPL:  http://www.gnu.org/licenses/gpl.html  pwnie@localhost:~$ 

Now you have a shell on a machine that is connected to the victim network. Sweet :) Now Metasploit really makes sense on the tablet, and all other command-line tools.

EvilAP and DSniff

Start EvilAP (it is again a wrapper around airobase), choose interface (for me the Internal Nexus Wifi worked), enter an SSID (e.g freewifi), enter channel, choose whether force all clients to connect to you or just those who really want to connect to you, and start.

The next step is to start DSniff, choose interface at0, and wait :) In this example, I used a popular Hungarian webmail, which has a checkbox option for "secure" login (with default off). There are sooo many problems with this approach, e.g. you can't check the certificate before connecting, and the login page is delivered over HTTP, so one can disable the secure login checkbox seamlessly in the background, etc. In this case, I left the "secure" option on default off.

In the next tutorial, I'm going to show my next favorite app, DSploit ;)

Lessons learned

Hacking has been never so easy before
In a home environment, only use WPA2 PSK
Choose a long, nondictionary passphrase as the password for WPA2
Don't share your WiFi passwords with people you don't trust, or change it when they don't need it anymore
Don't let your client device auto-connect to WiFi stations, even if the SSID looks familiar

I believe during an engagement a Pwn Plug has better "physical cloaking" possibilities, but playing with the Pwn Pad Community Edition really gave me fun moments.

And last but not least I would like to thank to the Pwn Pad developers for releasing the Community Edition!

Related links

1. Hacking Tools For Games
2. Hacking Apps
3. Hacking Tools Usb
4. Hack Tools Online
5. What Are Hacking Tools
6. Hacking Tools Pc
7. Hacker Tools Windows
8. Hack Tools For Pc
9. Usb Pentest Tools
10. Pentest Automation Tools
11. Hackers Toolbox
12. Tools Used For Hacking
13. Hacking Tools For Windows
14. Wifi Hacker Tools For Windows
15. Nsa Hacker Tools
16. Hacking Tools Kit
17. Termux Hacking Tools 2019
18. New Hack Tools
19. Hack Tools For Games
20. Hacker Tools Github
21. Hacking Tools For Kali Linux
22. Hacking Tools Windows
23. Pentest Tools Tcp Port Scanner
24. How To Make Hacking Tools
25. Tools For Hacker
26. Top Pentest Tools
27. Kik Hack Tools
28. Hacker Tools Apk Download
29. Hacking Tools Online
30. Best Pentesting Tools 2018
31. Nsa Hack Tools
32. Hackers Toolbox
33. Pentest Tools
34. Hacking Tools And Software
35. Hacking Tools Hardware
36. Pentest Tools Framework
37. Hacking Tools Pc
38. Hackrf Tools
39. Tools Used For Hacking
40. Hacker Hardware Tools
41. Hacking App
42. Hacker Tools Linux
43. Hacking Tools For Kali Linux
44. Tools For Hacker
45. Hacking Tools Download
46. Hacker Tools For Pc
47. What Are Hacking Tools
48. Ethical Hacker Tools
49. Kik Hack Tools
50. Computer Hacker
51. Hack Tools For Windows
52. Pentest Automation Tools
53. Hacking Tools Github
54. Hacking Tools 2020
55. Hacker Tools For Pc
56. Hacker Hardware Tools
57. Pentest Tools Android
58. Best Pentesting Tools 2018
59. Bluetooth Hacking Tools Kali
60. What Are Hacking Tools
61. Hacker Tools Free
62. Pentest Tools Nmap
63. Hacker Search Tools
64. Hacking Tools And Software
65. Hacker Tools For Mac
66. Bluetooth Hacking Tools Kali
67. Pentest Tools Framework
68. Free Pentest Tools For Windows
69. Easy Hack Tools
70. Pentest Tools Bluekeep
71. How To Hack
72. Pentest Tools Nmap
73. Blackhat Hacker Tools
74. Best Hacking Tools 2019
75. Hacking Tools Name
76. Hack Website Online Tool
77. Hacker Security Tools
78. Hacker Tools 2020
79. Hacking Tools Github
80. Hacker Tools Github
81. Hacker Hardware Tools
82. Blackhat Hacker Tools
83. Hacker Tools Linux
84. Pentest Recon Tools
85. Pentest Tools List
86. New Hack Tools
87. Pentest Tools
88. Game Hacking
89. Kik Hack Tools
90. Pentest Tools Url Fuzzer
91. Hacking Tools Github
92. Pentest Tools Windows
93. Hacking Tools Name
94. Hackrf Tools
95. Pentest Tools
96. Pentest Tools Nmap
97. Android Hack Tools Github
98. Black Hat Hacker Tools
99. Pentest Tools For Mac
100. Top Pentest Tools
101. Hacking App
102. Hack Tools For Windows
103. Pentest Tools Android
104. Pentest Tools Github
105. Pentest Tools Github
106. Pentest Tools Kali Linux
107. Pentest Tools For Ubuntu
108. Pentest Tools Website
109. Hack Tools For Games
110. Hack Tools Mac
111. Pentest Automation Tools
112. New Hacker Tools
113. Pentest Tools
114. Hacker Tools List
115. Nsa Hack Tools Download
116. Tools Used For Hacking
117. Pentest Tools Alternative
118. Pentest Box Tools Download
119. Pentest Tools Linux
120. Hack Apps
121. Hacking Tools For Games
122. Hacker Tools Software
123. Hack Rom Tools
124. Hack App
125. Pentest Tools Subdomain
126. Pentest Tools Free
127. Hacking Tools Usb
128. Pentest Tools Website
129. Hacker Tools For Windows
130. Hacker
131. Kik Hack Tools
132. Pentest Tools Kali Linux
133. Hacking Tools For Windows
134. Pentest Automation Tools
135. What Is Hacking Tools
136. Hacking Tools For Pc
137. Hacking Tools
138. Pentest Box Tools Download
139. Hacking Tools For Windows
140. Hacking Tools Name
141. Hacking Tools Hardware
142. Hacking Tools Github
143. Ethical Hacker Tools
144. Hacker Tools
145. Physical Pentest Tools
146. Free Pentest Tools For Windows
147. Hacking Tools For Games
148. Github Hacking Tools
149. Hack Tools For Mac
150. Nsa Hack Tools
151. Hacking Tools Windows
152. Pentest Tools For Android
153. Hacking Apps
154. Hacker Hardware Tools
155. Pentest Box Tools Download
156. Free Pentest Tools For Windows
157. Blackhat Hacker Tools
158. Hacker Security Tools
159. Hacking Tools 2019
160. Hacker Tools Apk
161. Hacking Tools Hardware
162. Tools For Hacker
163. Best Hacking Tools 2019
164. Android Hack Tools Github
165. Hacker Tools For Mac
166. Hacking Tools Name
167. Hacker
168. Hacking Tools 2020
169. How To Make Hacking Tools
170. Hacker Tools Software
171. World No 1 Hacker Software