2025-03-29 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
How to build an Android penetration testing platform with Kali? This article walks through the problem in detail and gives a simple, workable method for anyone who wants to do the same.
Hardware and software used
1 OnePlus x mobile phone
2 Windows 7 64-bit system
3 QDLoader-HS-USB_Driver_64bit_Setup
4 OnePlus_X_14_A.04_151103
5 twrp-3.0.2-0-onyx.img
6 nethunter-generic-armhf-kalifs-full-2020.1.zip
7 platform-tools_r29.0.6-windows
OPX refers to the OnePlus X, win7 to the 64-bit Windows 7 system, and twrp to twrp-3.0.2-0-onyx.img.
Background: flashing an Android phone
Flashing (the source's "brushing the machine") means reinstalling the phone's operating system. Think of the phone as a PC: its flash storage is analogous to a hard drive, and installing Android onto flash is similar to installing Windows or Linux onto a hard drive.
For example, a computer running Windows might have its hard disk divided into two partitions, the C and D drives. Flash is likewise divided into multiple partitions; writing each file of the ROM into its corresponding partition is what a flash consists of.
Before flashing, look at the phone's possible states. For the OPX used here there are four:
1 Download mode (Qualcomm SoCs only; communicates over the 9008 COM port)
2 fastboot mode
3 Recovery mode
4 Android OS
There are two kinds of flashing: wired flashing ("line brush"), where the phone is connected to a computer by USB and the ROM is written with a tool, and card flashing ("card brush"), where the ROM is placed in the phone's internal storage or on an SD card and flashed through Recovery.
From power-on to a running system, the four states relate as follows
Startup > [Download mode] > fastboot mode > Recovery mode = Android OS
The environment below is built in that order: first the stock ROM in Download mode, then twrp in fastboot mode, then Kali in Recovery mode, and finally a normal boot of the system.
Flashing in Download mode
A phrase often heard in the flashing scene is "bricking" the phone: the phone can no longer enter fastboot, Recovery or the Android OS. An ordinary user can then only recover it by flashing in Download mode, a feature specific to Qualcomm SoCs.
In most cases this step is not needed. The author tried flashing in Download mode for the sake of learning; readers who are not interested can skip this chapter.
Preparation
1 prepare an OPX phone and a USB cable
2 download QDLoader-HS-USB_Driver_64bit_Setup
3 download OnePlus_X_14_A.04_151103 (the original post linked two download sources)
4 install QDLoader-HS-USB_Driver_64bit_Setup and restart the computer
I could not find an official release channel for the above stock firmware ROM and cannot guarantee the safety of the ROM from those two addresses. Be careful when flashing.
Flashing the ROM
Step 1: hold down the OPX Volume + key and, while holding it, connect the phone to the computer with the USB cable, until "Qualcomm HS-USB QDLoader 9008 (COM n)" appears under Ports (COM & LPT) in the Windows 7 Device Manager.
Step 2: open the MsmDownloadTool V2.0.2 tool included in OnePlus_X_14_A.04_151103. Under device type a COM device is listed, which means the phone is ready. Click the verify button to check that the stock firmware ROM is intact; it should display OK. Then click start; the tool's communication status shows "downloading mirror system.img". After a few minutes the tool shows "shutting down...", which means flashing is complete. Press the power button to boot into Oxygen OS.
Flashing in Download mode is now finished. Every partition of the phone's flash has been rewritten from the stock firmware ROM files, so the phone is exactly in its factory state.
Flashing twrp in fastboot mode
Manufacturers' stock recoveries generally offer few functions, so we want to flash twrp. Let's get started!
Preparatory work
1 prepare an OPX phone and a USB cable
2 download the adb and fastboot Android debugging tools, platform-tools_r30.0.1-windows.zip
3 download twrp, twrp-3.0.2-0-onyx.img
Flashing Recovery
Step 1: power off the phone, then hold Volume + and the power button until the screen shows "Fastboot Mode"
Step 2: connect the phone to the computer with the USB cable
Step 3: enter the platform-tools directory and run fastboot devices
C:\Users\test\Desktop\platform-tools_r29.0.6-windows\platform-tools> fastboot.exe devices
1a7c2bf0 fastboot
The output above shows that the fastboot connection is working.
Step 4: run fastboot oem device-info to see whether the bootloader is locked. If it is, it must be unlocked before twrp can be flashed.
The output showed the device locked (Device unlocked: false). Running fastboot oem unlock produced the prompt "oem unlock is disabled", so it cannot be unlocked from fastboot alone. Fortunately, a bit of research shows that OEM unlocking can be enabled from the developer options of Oxygen OS, as follows
1 reboot the device into Oxygen OS
2 open Settings > About phone, tap Build number 7 times, go back and open Developer options
3 enable OEM unlocking
Then re-enter fastboot mode and run fastboot oem unlock again. The phone now asks to confirm that user data will be wiped; choose yes. The phone reboots into Oxygen OS; re-enter fastboot mode, check the lock state, and the unlock has succeeded.
Everything is ready; now flash twrp.
I placed twrp-3.0.2-0-onyx.img on the desktop, C:\Users\test\Desktop\
Run fastboot flash recovery C:\Users\test\Desktop\twrp-3.0.2-0-onyx.img
Sending 'recovery' (14758 KB)  OKAY [0.583s]
Writing 'recovery'             OKAY [0.277s]
Finished. Total time: 0.873s
Run fastboot boot C:\Users\test\Desktop\twrp-3.0.2-0-onyx.img to boot the phone into twrp, then tap Reboot > Recovery. You will be asked "Install SuperSU now?"; swipe to confirm, since root is required for flashing Kali later. When the phone comes back into the Recovery interface, flashing twrp from fastboot is done.
Tap Reboot > System to boot the OS and configure WiFi. The SuperSU Installer notification appears: open it, select TWRP, wait for the download to complete, select continue, and it boots into recovery to install SuperSU. Afterwards the phone reboots automatically into OOS (Oxygen OS).
twrp is now flashed.
Flashing Kali in Recovery mode
With the above done, Kali can be flashed.
Preparation
1 prepare an OPX phone and a USB cable
2 download nethunter-generic-armhf-kalifs-full-2020.1.zip (the Generic ARMhf build)
Flashing Kali
Step 1: power off the phone, then hold Volume - and the power button to enter recovery mode
Step 2: tap Advanced > ADB Sideload; the phone then waits for a sideload
Step 3: in the platform-tools directory run adb sideload C:\Users\test\Desktop\nethunter-generic-armhf-kalifs-full-2020.1.zip (I placed nethunter-generic-armhf-kalifs-full-2020.1.zip on the desktop, C:\Users\test\Desktop\)
Step 4: wait for the progress to reach 100%
On reboot a cool boot screen is displayed.
After booting into the system, configure the network and install SuperSU.
The Kali environment on Android is complete. Next, let's explore how flashing works.
Exploring how flashing works
In Download, fastboot and Recovery mode we used tools to flash the phone, and the operations were simple. But the hacker spirit means not stopping at the script-kiddie level.
Let's look at what flashing actually does.
First enable USB debugging in the developer options so adb can connect to the phone. In the platform-tools directory, adb root fails, but adb shell gives a low-privilege shell; running su inside it gives a root shell.
First, look at the flash partitions.
root@OnePlus:/dev/block # ls
...
mmcblk0
mmcblk0p1  mmcblk0p10 mmcblk0p11 mmcblk0p12 mmcblk0p13 mmcblk0p14 mmcblk0p15 mmcblk0p16 mmcblk0p17 mmcblk0p18 mmcblk0p19
mmcblk0p2  mmcblk0p20 mmcblk0p21 mmcblk0p22 mmcblk0p23 mmcblk0p24 mmcblk0p25 mmcblk0p26 mmcblk0p27 mmcblk0p28 mmcblk0p29
mmcblk0p3  mmcblk0p4  mmcblk0p5  mmcblk0p6  mmcblk0p7  mmcblk0p8  mmcblk0p9
Next, look at the name of each partition (name -> block device):
DDR -> /dev/block/mmcblk0p4
DRIVER -> /dev/block/mmcblk0p22
LOGO -> /dev/block/mmcblk0p21
aboot -> /dev/block/mmcblk0p5
boot -> /dev/block/mmcblk0p7
cache -> /dev/block/mmcblk0p15
config -> /dev/block/mmcblk0p26
dbi -> /dev/block/mmcblk0p3
fsc -> /dev/block/mmcblk0p18
fsg -> /dev/block/mmcblk0p17
grow -> /dev/block/mmcblk0p29
misc -> /dev/block/mmcblk0p20
modem -> /dev/block/mmcblk0p1
modemst1 -> /dev/block/mmcblk0p10
modemst2 -> /dev/block/mmcblk0p11
oppodycnvbk -> /dev/block/mmcblk0p12
oppostanvbk -> /dev/block/mmcblk0p13
pad -> /dev/block/mmcblk0p9
param -> /dev/block/mmcblk0p23
persist -> /dev/block/mmcblk0p14
recovery -> /dev/block/mmcblk0p16
reserve1 -> /dev/block/mmcblk0p24
reserve2 -> /dev/block/mmcblk0p25
rpm -> /dev/block/mmcblk0p6
sbl1 -> /dev/block/mmcblk0p2
ssd -> /dev/block/mmcblk0p19
system -> /dev/block/mmcblk0p27
tz -> /dev/block/mmcblk0p8
userdata -> /dev/block/mmcblk0p28
Do these partition labels look familiar? Most of them correspond to files in the stock firmware ROM, and the flashing tools show the same names when verifying.
So flashing should be the process of writing each file to its partition. The ROM packages for card flashing and wired flashing differ because the files contained in the ROM and the packaging format differ between flashing modes.
Take the recovery partition as an example and test the guess. The verification: dump the recovery partition and compare the dumped binary with the twrp image. If the guess is right, the two binaries should be identical.
View the recovery partition size
root@OnePlus:/dev/block/platform/msm_sdcc.1 # cat /proc/partitions
major minor  #blocks  name
...
 179       16      16384 mmcblk0p16
...
With 1 KB blocks, the recovery partition is 16 MB. Dump the whole recovery partition to the phone's storage, then pull it to the computer with adb.
root@OnePlus:/dev/block/platform/msm_sdcc.1 # dd if=/dev/block/mmcblk0p16 of=/sdcard/recv.dump bs=1024 count=16384
C:\Users\test\Desktop\platform-tools_r29.0.6-windows\platform-tools> adb.exe pull /sdcard/recv.dump .
/sdcard/recv.dump: 1 file pulled, 0 skipped. 3.9 MB/s (16777216 bytes in 4.062s)
twrp-3.0.2-0-onyx.img is 14.4 MB (15112192 bytes); recv.dump is the full 16 MB partition. Comparing them shows that the first 15112192 bytes of recv.dump are identical to twrp-3.0.2-0-onyx.img.
This confirms the conjecture: whether it is a recovery or an Android ROM, the corresponding binary is written directly to the partition.
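The comparison above can be automated so that it checks more than a byte-for-byte prefix match: the dumped partition should start with an Android boot-image header whose page-aligned kernel and ramdisk sizes fit inside the image that was flashed, and everything after the image should be erase padding. This is an added example, not code from the post; it assumes the classic "ANDROID!" boot-image header layout, and the sample image and partition bytes are constructed inline (in practice you would pass the contents of recv.dump and twrp-3.0.2-0-onyx.img).

```python
import struct

# Added example (not from the post). Assumes the classic Android boot image
# header: magic "ANDROID!" followed by little-endian u32 fields in this order:
# kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
# second_addr, tags_addr, page_size, header_version, os_version
BOOT_MAGIC = b"ANDROID!"
HEADER_FMT = "<8s10I"


def boot_image_extent(blob):
    """Size implied by the boot header: one header page plus page-aligned
    kernel, ramdisk and second stage. None if there is no valid header."""
    if len(blob) < struct.calcsize(HEADER_FMT) or not blob.startswith(BOOT_MAGIC):
        return None
    f = struct.unpack_from(HEADER_FMT, blob)
    kernel_size, ramdisk_size, second_size, page_size = f[1], f[3], f[5], f[8]
    if page_size == 0 or page_size & (page_size - 1):
        return None  # page_size must be a power of two
    align = lambda n: (n + page_size - 1) // page_size * page_size
    return page_size + align(kernel_size) + align(ramdisk_size) + align(second_size)


def verify_partition_dump(dump, image):
    """Compare a dd'ed partition (dump) with the image flashed into it.
    Passes only if the dump starts with the image, the header inside the dump
    claims no more bytes than the image holds, and everything after the image
    is erase padding (all 0xFF or all 0x00), i.e. no stray leftover data."""
    extent = boot_image_extent(dump)
    tail = dump[len(image):]
    checks = {
        "header_ok": extent is not None and extent <= len(image),
        "image_is_prefix": len(image) <= len(dump) and dump[: len(image)] == image,
        "tail_is_padding": tail in (b"\xff" * len(tail), b"\x00" * len(tail)),
    }
    checks["verified"] = all(checks.values())
    checks["extent"] = extent
    return checks


def make_boot_image(kernel, ramdisk, page_size=2048):
    """Build a minimal constructed boot image (sample input for the demo)."""
    align = lambda b: b + b"\0" * (-len(b) % page_size)
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x80008000,
                      len(ramdisk), 0x81000000, 0, 0, 0x80000100, page_size, 0, 0)
    return align(hdr) + align(kernel) + align(ramdisk)


if __name__ == "__main__":
    img = make_boot_image(b"K" * 3000, b"R" * 1000)       # constructed 8192-byte image
    part = img + b"\xff" * (16 * 1024 * 1024 - len(img))  # 16 MiB partition, erased tail
    print(verify_partition_dump(part, img))               # verified: True
```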
Next, I pushed recovery.img from OnePlus_X_14_A.04_151103 to the phone with adb and, in an adb shell, wrote it to the recovery partition with dd.
dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p16
After powering off and booting into recovery mode, twrp had been overwritten and the stock recovery was back.
My guess at the difference between wired and card flashing: wired flashing (Download mode and fastboot mode) has no concept of a file system. It can only write whole files to partitions, overwriting whatever the partition held before.
Card flashing is different: it runs in recovery mode, which is a stripped-down Linux at the same level as the Android OS. In this mode one can write partitions directly as in wired flashing, or mount the existing Android file system and add, delete and modify files in it, which is how an upgrade is applied.
Using Kali on Android
Flashing Kali in Recovery mode is really an upgrade process. The Kali zip makes some changes to the boot image, installs the Kali file system, and installs some APKs such as NetHunter.apk, NetHunterStore.apk and NetHunterTerminal.apk. When NetHunter is used it chroots into the Kali file system, so for the operator it is just like being in a Kali environment.
There are plenty of Kali tutorials online, so this article will not cover Kali usage itself.
Two examples demonstrate the mobile version of Kali.
Demo 1: create a payload with msf
Demo 2: change the phone's MAC address, then run a port scan with nmap
Open NetHunter
Demo 1: generate a payload with msf
Demo 2: change the phone's MAC address for an Nmap scan
Open the NetHunter application, tap MAC Changer, and change the MAC address to aa:bb:cc:dd:ee:ff
Then open the NetHunter Terminal application and run nmap -A 192.168.1.6 (another host on the same network segment)
Capturing packets on that host confirms that the phone's MAC address has indeed become aa:bb:cc:dd:ee:ff.
That is the answer to how to build the Kali Android penetration testing platform. I hope the above is of some help; if you still have questions, follow the industry information channel for more.