Chapter 16
Mobile Device Security


CEH EXAM OBJECTIVES COVERED IN THIS CHAPTER:

  • III. Security
    • P. Vulnerabilities
  • IV. Tools/Systems/Programs
    • O. Operating environments
    • Q. Log analysis tools
    • S. Exploitation tools

  Over the last few years, the workplace has undergone a dramatic shift, with a large increase in the number of mobile devices. The idea of a small powerful device that can do many if not all of the tasks that a notebook or desktop computer can do is very attractive. The power of mobile devices ranging from smartphones to tablets has increased to the point where they are acceptable replacements for day-to-day tasks and more. This fact—coupled with their ease of use, small form factor, long battery life, and low cost—has led to their rapid adoption and spread into both personal and professional circles.

Today it is common for a person to carry several mobile devices, typically a smartphone, a tablet, and a notebook. These have become so feature packed and powerful that many people who wouldn’t have dreamed of carrying such devices in the past now can’t part with them and have them in their possession 24 hours a day.

With the wide variety of devices and the sheer number present, the impact on personal lives and the workplace is undeniable. Owners of the devices are bringing them into the workplace, and businesses are purchasing their own. This situation has led to a number of problems, including the mixing of personal and business data as well as inconsistent application of security settings and protocols, making mobile devices a prime target of attack by a malicious party.

In this chapter we will explore these issues and how to test mobile devices for vulnerabilities as well as discuss countermeasures that can be used.

Mobile OS Models and Architectures

The rapid adoption of the mobile device in the workplace has had two obvious consequences: an increase in productivity and capability as well as a corresponding rise in the number of security risks. The designers of devices have frequently made a tradeoff between security and features by leaning toward features, with security being an afterthought. While new security features have helped to somewhat reduce the issues present, many of the devices still have problems to be addressed.

Goals of Mobile Security

Mobile operating systems have historically come in four flavors: BlackBerry OS, Windows Mobile (later Windows Phone), Google Android, and Apple iOS. The first two have since been discontinued, and Android and iOS are by far the operating systems most commonly found on modern devices. To simplify the examination of mobile operating systems and devices in this chapter, the discussion will consider only iOS and Android.

Both of these operating systems have been designed to address some of the most basic threats and risks right out of the box, such as the following:

  • Web-based attacks
  • Network-based attacks
  • Malware
  • Social engineering attacks
  • Resource and service availability abuse
  • Malicious and unintentional data loss
  • Attacks on the integrity of data

Before analyzing the security models of these two operating systems, a brief recap of each of these attacks as they relate to mobile devices might be helpful:

Web and Network Attacks Web-based attacks are launched by malicious websites or by compromised legitimate ones: the site delivers malformed content (HTML, JavaScript, media) that triggers a flaw in the device’s browser or in an app’s embedded web view, causing it to run logic of the attacker’s choosing. Network-based attacks come from an attacker on the same network, typically an open Wi-Fi hotspot, who intercepts, modifies, or injects traffic to or from the device.

Malware Malware can be broken into three high-level categories: traditional computer viruses, computer worms, and Trojan horse programs. Much like traditional systems, malware does plague mobile systems, and in fact there are pieces of malware designed exclusively for mobile devices.

Social Engineering Attacks Social engineering attacks such as phishing attempt to trick the user into disclosing sensitive information. Social engineering attacks can also be used to entice a user to install malware on a mobile device. In many cases social engineering attacks are easier to accomplish on mobile devices largely because of their personal nature and the fact that they are already used to share information on social media and other similar services.

Data Loss Data loss occurs when a device used to store sensitive data is either carried away by a malicious person or is lost. While many of these situations can be mitigated through encryption and remote wipes, the problem is still very serious.

Data Theft This is one of the bigger problems that have emerged with mobile devices because criminals target them for the information they contain. Malware has been observed on mobile devices that steals sensitive information.

Device Security Models

So how have designers built their systems with an eye toward addressing security problems? Several steps have been taken, but overall there has been an attempt to approach the problem of security through five key areas, each addressing a specific problem or need:

  • Access control protects the device itself and includes passcodes, biometrics, and lockout or wipe after repeated failed attempts, to name a few.
  • Digital signing is part of the application model of every major mobile OS. Every Android package must be signed before it will install (at minimum with the developer’s own key), and every iOS app must carry an Apple-issued signature. Signing does not prove that an author is trustworthy, but it ties the package to a key, so an app that has been modified or repackaged after signing can be detected. Android additionally blocks installation from sources other than the configured app store by default; on iOS, apps outside the App Store can be loaded only through Apple’s own developer, TestFlight, or enterprise provisioning channels (and, where regulation requires it, Apple-notarized alternative marketplaces), or by jailbreaking the device to disable code-signing enforcement.
  • Encryption is another vital component of the security model of a mobile OS. Encryption is employed on devices to ensure that data is kept safe in the event a device is lost, stolen, or compromised. While not consistently implemented on mobile devices in the past, this has changed: Android 6.0 (codename Marshmallow) required full-disk encryption to be enabled out of the box on devices with adequate crypto performance, and Android 10 made file-based encryption mandatory for new devices.
  • Isolation, which seeks to limit the access an application has, is an important issue addressed in mobile devices. Essentially, this is a form of least privilege for applications, where if you don’t need access to sensitive data or processes, you don’t get it.
  • Permission-based access control works much as it does on server and desktop operating systems. An app declares the permissions it needs, and any action that requires a permission the user has not granted is refused. Since Android 6.0, sensitive permissions (contacts, location, camera, and so on) are granted at run time rather than at install time, and iOS prompts per resource in the same way.
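The tamper-detection property of the digital signing bullet can be seen in the first layer of Android’s original (v1, JAR-style) APK signing, where META-INF/MANIFEST.MF carries a digest of every file in the package. The following is an added example, not code from the chapter or from Android itself: it builds a constructed sample package, checks each entry against the manifest, and shows that swapping the bytecode out without updating the manifest is caught. Only the digest layer is checked here; a real verifier goes on to check CERT.SF against the manifest and the PKCS#7 signature in CERT.RSA (which is what ties the package to the developer’s key), and APK Signature Scheme v2 and later sign the whole file instead. The entry names and contents are made up.

```python
"""Added example (not from the chapter): the per-entry digest layer of APK v1
(JAR) signing, checked against a constructed sample package."""
import base64
import hashlib
import io
import zipfile

# Simplification (assumption): only META-INF/MANIFEST.MF digests are checked.
# A full verifier also checks CERT.SF and the CERT.RSA signature.


def parse_manifest(text):
    """Return {entry_name: base64_sha256} from a MANIFEST.MF body.

    Sections are separated by blank lines; lines longer than 72 bytes are
    wrapped with a leading space on the continuation line, so rejoin those.
    """
    joined = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]
        else:
            joined.append(line)
    digests, name = {}, None
    for line in joined:
        if not line.strip():
            name = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            name = value
        elif key == "SHA-256-Digest" and name:
            digests[name] = value
    return digests


def verify_entry_digests(apk_bytes):
    """Compare every non-META-INF entry's SHA-256 with the manifest.

    Returns (ok, problems); problems lists mismatched or unlisted entries.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        expected = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for info in zf.infolist():
            if info.filename.startswith("META-INF/") or info.is_dir():
                continue
            actual = base64.b64encode(hashlib.sha256(zf.read(info)).digest()).decode()
            if info.filename not in expected:
                problems.append(f"{info.filename}: not covered by manifest")
            elif expected[info.filename] != actual:
                problems.append(f"{info.filename}: digest mismatch")
    return (not problems, problems)


def build_sample_apk(entries):
    """Construct a minimal APK-like zip with a matching MANIFEST.MF (sample data)."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def tamper(apk_bytes, name, new_data):
    """Rewrite one entry without touching the manifest, as a repackager would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info))
    return buf.getvalue()


# Constructed sample package and a copy with patched bytecode.
SAMPLE_APK = build_sample_apk({
    "classes.dex": b"dex\n035\x00sample bytecode",
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
})
TAMPERED_APK = tamper(SAMPLE_APK, "classes.dex", b"dex\n035\x00patched bytecode")

if __name__ == "__main__":
    print(verify_entry_digests(SAMPLE_APK))    # (True, [])
    print(verify_entry_digests(TAMPERED_APK))  # (False, ['classes.dex: digest mismatch'])
```

Note what this layer does and does not give you: it catches a modified file, but an attacker who rewrites the manifest as well gets past it. Only the signature over CERT.SF, made with a key the attacker does not hold, turns integrity into provenance, which is why an app re-signed with a different key shows up as a different app to the OS.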

Google Android OS

First, let’s look at the market leader, Android, in our exploration of mobile operating systems.

Android took shape way back in 2003 at the hands of Android Inc., which was acquired by Google in 2005. From the beginning, the OS was designed to be a mobile platform that was not only feature rich, powerful, and mobile but also open source. As designed, Android can be installed on a wide range of hardware, and it supports and integrates with a myriad of advanced software technologies. It was also designed to integrate with external data sources, cloud services, and other technologies as well as to run applications locally. In order to provide these features and do so safely and securely, Google followed the five tenets mentioned earlier. This resulted in security for users, data, applications, the device, and the network around it.

Android was envisioned and created with a multi-layered security model that allows for the flexibility essential in an open platform, while providing protection for users and applications.

Another goal of the OS is to support developers and make the platform easy to work with and easy to engage security controls. In practice, developers should be able to easily call on the security controls of the system, and if they are experienced developers, they can tweak the controls as needed. Less-experienced developers or those unfamiliar with proper security settings are protected because the system puts default settings in place to ensure that safety and security are maintained.

But what about the device users themselves? What does Android offer to protect them while they use the system? Just as Android was developed to make it easy for developers to build and deploy applications, the system was designed with the user in mind. To this end the system was developed with the expectation that attacks would happen, such as the common malware issue, data theft, and others. It was also designed with the idea that the users themselves might try things that adversely affect the system. Android lets the user work with the system and do everyday tasks but does not give them a high level of access. Specifically, Android does not give the user root access to the system unless the user deliberately overrides this protection.

Design of Android

Android, under the hood, is a set of components working together to make the system work. Each component is self-contained, performs the task it was designed for, and enforces its own security measures on the assumption that every other component does the same. In a normal installation only a small part of the system ever runs as root, namely the kernel and a handful of system daemons; each installed application runs under its own Linux user ID in an application sandbox, so one app cannot read another’s files or memory except through an interface that checks permissions.

So what are the basic components of the Android OS?

  • Device hardware—Android runs on a wide range of hardware configurations including smartphones, tablets, and set-top boxes. This list is far from complete; it also extends to smartwatches, televisions, and in-car systems.
  • Android operating system—The core operating system is built on top of the Linux kernel. All device resources, like camera functions, GPS data, Bluetooth functions, telephony functions, network connections, and the like, are accessed through the operating system.
  • Android application runtime—Android applications are most often written in Java (and, more recently, Kotlin) and compiled to bytecode that originally ran in the Dalvik virtual machine. Android 4.4 introduced a faster replacement, the Android runtime (ART), as an option; in Android 5.0 and above, ART completely replaces Dalvik.
  • Android applications extend the core Android operating system. There are two primary sources for applications:
    • Preinstalled applications—These are applications that come prepackaged with the Android OS. These applications include things like Gmail, Calendar, and others. These do not include the bloatware that comes preinstalled from a vendor such as AT&T or Verizon.
    • User-installed applications—Android provides an open development environment supporting any third-party application. Google Play offers users hundreds of thousands of applications.
  • Google provides a set of cloud-based services that are available to any compatible Android device. The primary services are these:
    • Google Play is a collection of services that allow users to discover, install, and purchase applications from their Android device or the web. Google Play makes it easy for developers to reach Android users and potential customers. Google Play also provides community review, application license verification, application security scanning, and other security services.
    • Android Updates delivers new capabilities and security updates to Android devices, including updates through the web or over the air (OTA).
    • Application services include frameworks that allow Android applications to use cloud capabilities such as backing up application data and settings and push messaging. The original cloud-to-device messaging (C2DM) service has since been retired in favor of Google Cloud Messaging and then Firebase Cloud Messaging (FCM).

In practice Android has proven to be flexible, open, adaptable, portable, and highly stable as well as extremely customizable.

Apple iOS

The second most popular mobile operating system in the market is Apple’s iOS, present on the iPhone, iPad, and iPod touch (the iPad variant has since been split off as iPadOS). Much as Android is built on the Linux kernel, iOS is built on the Darwin foundation it shares with macOS (formerly OS X): the XNU kernel, which combines Mach with a BSD layer derived from FreeBSD. iOS is not a certified UNIX, however, and it exposes far less of that BSD userland than macOS does; there is no user-accessible shell, and third-party code runs only inside the app sandbox.

Unlike Android, which maps onto all five areas of the security model, iOS is usually described in terms of four. (Modern iOS does also prompt the user per resource, for the camera, location, contacts, and so on, which is permission-based access control in all but name.) Specifically, it addresses these areas:

Traditional Access Control iOS provides the traditional options: a numeric or alphanumeric passcode, biometric unlock, an auto-lock timeout, and the option to erase the device after ten failed passcode attempts.

Application Provenance Just as apps in the Google Play store have been scanned and are therefore trusted, iOS apps are built by developers enrolled in Apple’s developer program and are reviewed and signed by Apple before they appear in the App Store; the device refuses to run code that does not carry a valid Apple-issued signature.

Encryption iOS uses hardware-accelerated AES-256 to encrypt all data stored on the device. File keys are wrapped with keys derived from a device-unique key fused into the hardware and, for files in the stronger Data Protection classes, from the user’s passcode as well, so those files stay unreadable until the device is unlocked. Email and other services add their own protection on top.

Isolation The iOS operating system isolates each app from every other app on the system, and apps aren’t allowed to view or modify each other’s data, logic, and the like.

The application provenance item deserves a closer look, because there is more to it than appears. Both Android and iOS use signing and a curated store to ensure that the apps a user installs come from identifiable developers. The difference is in what else is allowed: an Android user can change a setting and install any signed package from any source, whereas an iOS user is limited to Apple’s channels (the App Store, TestFlight, developer signing, enterprise distribution and, where regulation requires it, Apple-notarized alternative marketplaces).

But with this in mind, you may have seen an iPhone or two running an app or something else that didn’t come from the App Store. So how does this occur? Through a process known as jailbreaking. So what is jailbreaking, and how does it work? Let’s talk about this a bit.

First of all, you need to understand that many manufacturers of smartphones, tablets, game consoles, and other systems lock down what code their devices will run. This is often described as digital rights management (DRM), but on iOS the mechanism is mandatory code signing: the kernel refuses to execute any binary that does not carry a signature chained to Apple. This is where jailbreaking comes in. Jailbreaking gets around that enforcement and lets you run whatever you want and do whatever you want on the device.

From a technical standpoint, jailbreaking exploits one or more vulnerabilities (in the browser, a kernel driver, or the boot chain) to gain kernel-level code execution, then patches the kernel so that unsigned applications are allowed to run. The process also grants root access to the device and removes the restrictions associated with the sandbox and non-root access.

One drawback of this process is a little thing called voiding your warranty. Another drawback is that you are effectively opening the device up with so much access that anything can run without restriction, including malware.

Common Problems with Mobile Devices

So mobile devices are commonplace, and we know that just by opening our eyes and looking around. However, a lot of common problems also occur that could be easy ways for an attacker to cause you harm:

  • One of the more common problems with mobile devices is that they quite often do not have passwords set, or else the passwords are incredibly weak. While some devices do offer simple-to-use and effective biometric systems for authentication instead of passwords, they are far from being the norm. Although most devices support passwords, PIN codes, and gesture-based authentication, many people do not use these mechanisms, which means if the device is lost or stolen, their data can be easily accessed.
  • Unprotected wireless connections are also a known issue with many devices and seem to be worse on mobile devices. This is more than likely due to owners of these devices being out and about and then finding an open access point and connecting without regard to whether it is protected or not.
  • Malware problems seem to be more of an issue with mobile devices than they are with other devices. This is due to owners downloading apps from the Internet with little concern that they may contain malware and not having an antimalware scanner on the device.
  • Users neglect to install security software on mobile devices even though such software is readily available from major vendors, often at no cost. Many owners of these devices may even believe that malware doesn’t exist for mobile devices or that they are immune.
  • Unmaintained and out-of-date operating system software is a big problem. As with desktop systems, patches and fixes for mobile OS software are released regularly; Google, for example, publishes monthly security bulletins for Android. These patches may not get applied for a number of reasons. One of the bigger ones is a carrier or handset vendor such as AT&T tweaking stock Android into a build that includes their own applications and bloatware, not to mention other adjustments. The fixes Google releases then have to be merged into that build and re-certified before they reach the device, so you must wait for your provider to ship an update before you can apply the patch. Project Treble (Android 8.0) shortened this lag for many devices, but it can still take months or even a year, and in some cases the update never arrives.
  • Much like the OS, there may be software on the device that is not patched and is out of date.
  • Internet connections may be on and insecure, which can lead to someone getting on the system in the same ways we discussed in earlier chapters on scanning, enumeration, and system hacking.
  • Mobile devices may be rooted or jailbroken, meaning that if that device is connected to your network, it could be an easy way to introduce malware into your environment.
  • Fragmentation is common with Android devices. Specifically, this refers to the fact that unlike iOS there are a vast number of versions of the Android OS with different features, interfaces, capabilities, and more. This can lead to support problems for the enterprise due to the amount of variation and inconsistency.

While these are some of the known problems that exist with mobile devices, they don’t necessarily represent the current state of threats, and you must do due diligence if you will be managing an environment that allows these devices.

One way to get a snapshot of the known problems in the mobile area is to use the Open Web Application Security Project (OWASP). OWASP tracks web application issues and also maintains top 10 lists for various areas, including the OWASP Mobile Top 10, and it publishes the Mobile Application Security Verification Standard (MASVS) with an accompanying testing guide. Check their site, www.owasp.org, periodically to learn the latest issues that may be appearing and that you could use in your testing process.

However, there still is one more area that mobile devices have really brought to the forefront that we need to take a look at, and that is bring your own device (BYOD).

Bring Your Own Device/Bring Your Own Problems

BYOD has been a trend over the last several years in the business world and has accelerated in popularity. Simply put, the concept of BYOD is one where employees provide their own equipment in the form of smartphones, laptops, tablets, and other types of electronics. Nowadays when employees bring their own stuff, it is mainly in the form of tablets and smartphones more than laptops and notebooks simply because of how small and powerful they are. These devices are connected to the corporate network and the employees use the devices to do their jobs.

Today, many employees have come to expect that they will be able to use their smartphones and other personal devices such as tablets at work. The problem with this situation is that maintaining a secure environment with equipment that the company does not own and may not even have any management over is tough. While companies have taken steps to define their position on how these devices will be allowed to interact with corporate services, there still are concerns. IT departments by necessity have to be extra vigilant about the security issues that can appear in this environment.

One of the biggest defenses that can be used initially is for IT and security to clearly detail the requirements each device must meet before being used in the corporate environment. For example, a policy may need to be established stating that devices meet certain standards such as patches, antimalware requirements, password requirements, applications allowed and blocked, as well as encryption requirements. In addition, the company should never discount the value of using intrusion detection devices on the network itself to control the activities of these hosts when they appear.

In practice, two things should happen administratively to make sure things get done right. First, a policy should exist that states the responsibilities of the system administrator in relation to their handling of mobile devices. Second, a policy should be created and made aware to the end users so that they understand the responsibility that comes with connecting their personal devices to the network.

In order to make BYOD and mobile device integration easier, many enterprises have turned to mobile device management (MDM) software. These solutions allow for the tracking, monitoring, and management of mobile devices in the same vein as traditional enterprise asset management, and typically enforce the policy above (passcode, encryption, patch level, allowed apps, remote wipe) before a device is granted access. Examples include Microsoft’s offering (originally System Center Mobile Device Manager, since superseded by Intune) and IBM’s MaaS360.

Penetration Testing Mobile Devices

So how do we pen test mobile devices? In many ways the process is similar to what we are already using in a traditional setting but with some minor differences along the way.

So what does the testing process look like when mobile devices start to creep into the picture? Here is a quick overview of how to evaluate these devices.

Footprinting Many of the scanning tools we examined in our footprinting phase can be used to locate and identify a mobile device plugged into a network. A tool like Nmap, for example, can be used to fingerprint an OS under many conditions and return information as to its version and type.

Once you find mobile devices in the environment, make sure to note their information such as MAC address, IP address, version, type, and anything else of value.

Scanning For mobile devices near the network you are evaluating, a passive tool such as Kismet can capture the probe requests a device sends and so reveal which remembered wireless networks it is looking for. Note that current Android and iOS releases randomize the client MAC address and send far fewer directed probes than older versions did, so this yields less than it once did.

Exploitation Use man-in-the-middle attacks, spoofing, ARP poisoning, and other such mechanisms to attack a device. Use traffic insertion attacks to deliver client-side exploits to vulnerable systems and devices or manipulate captured traffic to exploit back-end servers.

Post Exploitation Inspect the sensitive data stores on the device, such as the SQLite databases that hold Short Message Service (SMS) messages and browser history. Commercial cell-phone forensic tools can extract the same information.
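As an added example of the post-exploitation step above (not code from the chapter or from Android), the following triages an Android SMS store. On a rooted device or from a forensic image the file is /data/data/com.android.providers.telephony/databases/mmssms.db, whose sms table has, among others, the columns address, date (milliseconds since the epoch), type (1 for received, 2 for sent), and body; the database built here is constructed sample data with those column names, and the one-time-code pattern is a heuristic, not part of any standard.

```python
"""Added example (not from the chapter): triage of an Android SMS store
(AOSP telephony provider 'sms' table layout; sample data constructed here)."""
import re
import sqlite3
from datetime import datetime, timezone

SMS_TYPE = {1: "inbox", 2: "sent"}   # values used by the AOSP telephony provider
OTP_RE = re.compile(r"\b\d{6}\b")     # heuristic: one-time codes are usually 6 digits


def load_sms(conn):
    """Return the messages as dicts, oldest first. 'date' is ms since epoch."""
    rows = conn.execute(
        "SELECT address, date, type, body FROM sms ORDER BY date"
    ).fetchall()
    return [
        {
            "address": addr,
            "when": datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat(),
            "direction": SMS_TYPE.get(kind, f"type {kind}"),
            "body": body,
        }
        for addr, ms, kind, body in rows
    ]


def find_sensitive(messages):
    """Flag received messages that look like they carry a one-time code."""
    return [m for m in messages if m["direction"] == "inbox" and OTP_RE.search(m["body"])]


def build_sample_db():
    """Constructed sample database using the AOSP column names read above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER,"
        " type INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)",
        [
            ("+15550100", 1700000000000, 2, "Running late, start without me"),
            ("BANK",      1700000060000, 1, "Your verification code is 482913"),
            ("+15550199", 1700000120000, 1, "Call me when you land"),
        ],
    )
    return conn


if __name__ == "__main__":
    # On a real extraction: sqlite3.connect("mmssms.db") instead of the sample.
    msgs = load_sms(build_sample_db())
    for m in find_sensitive(msgs):
        print(m["when"], m["address"], m["body"])
```

The point for a report is the second function: a device that keeps months of received verification codes in an unencrypted store is evidence for the data theft and data loss items earlier in the chapter, and the same few lines work unchanged on a database pulled with adb from a rooted handset.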

Penetration Testing Using Android

One other option that is possible for you to use in penetration testing is a mobile device. In this section we will look at the tools that can be installed on Android that can enhance our capabilities to run a thorough test.

Networking Tools
  • IP Tools by AmazingByte is a collection of tools used to provide information about different properties of the network, including routing information, DNS settings, IP configuration, and more.
  • LanDroid by Fidanov Networks is another collection of network information tools much like IP Tools. It’s not as complete as IP Tools, but it is still useful and well designed.
  • The Network Handbook by Smoothy Education is a set of tools and information that is designed to aid in network troubleshooting, but it can also be helpful for gaining information about a network.
  • Fing by Overlook is a set of tools for network analysis that includes the ability to assist in the evaluation of network security, host detection, and some Wi-Fi tools.
  • Mobile NM by Gao Feng is a mobile version of the powerful Nmap port and network scanner. The mobile version operates with essentially the same capabilities as the Nmap we explored in other parts of this book.
  • Port Scanner by Catch 23 can gain much of the same information as the rest of the tools in this list, but it also includes support for technologies such as 3G and more.
  • Network Discovery by Aubort Jean-Baptiste is similar to Fing in many ways but with a different interface.
  • Packet Capture by Grey Shirts is much like Wireshark but does not use root permissions to operate.
  • Packet Generator by NetScan Tools is one of the few packet crafters available for the Android OS, and it works similarly to regular packet crafters like hping.
  • Shark for Root by Elviss Kuštans is essentially a scaled-down version of Wireshark for Android. Unlike some other sniffers, this requires root access on the device to function properly. You must download Shark Reader to examine the captured traffic on the phone or tablet this is run on.
  • UPnP Scanner by GeminiApps can scan and detect Universal Plug and Play devices on the network. This means other computers, mobile devices, printers, and other devices can be revealed on the network.
  • Intercepter-NG is a network toolkit that has the functionality of several well-known separate tools built in and offers a good and unique alternative over other sniffing tools.
  • NetCat for Android by NikedLab is simply a port of the original NetCat for the Android operating system.
  • PacketShark from GL Communications is a packet sniffer application. Its features include a friendly capture options interface, filter support, live capture view, and Dropbox upload of captured files.
  • SharesFinder by srcguardian is a utility designed to find network shares on the local network segment. It can be useful in locating unsecured or unprotected shares.
Session Hijacking Tools
  • DroidSheep by Andreas Koch works as a session hijacker for non-encrypted sites and allows you to save cookies/files/sessions for later analysis. This one is not available on the Google Play store and must be located through a search. The device must be rooted.
  • FaceNiff is an app that allows you to sniff and intercept web session profiles over Wi-Fi networks. This tool is also not available on the Google Play store so you will have to search for this one.
  • SSLStrip for Android (Root) by NotExists is a port of Moxie Marlinspike’s sslstrip. Sitting in the middle of the connection, it rewrites HTTPS links and redirects in the server’s responses to plain HTTP, so the victim’s browser continues in cleartext while the proxy speaks TLS to the real server and reads everything in between. Sites on the HSTS preload list defeat it, because the browser refuses to speak HTTP to them at all.
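What the three session hijacking tools above have in common is shown in this added example (not code from the chapter or from any of those tools): session cookies can be lifted only from requests that travelled in the clear, and the Set-Cookie headers that issued them reveal whether the Secure and HttpOnly flags that would have kept them off the wire were set. sslstrip’s role is to turn would-be HTTPS requests into HTTP ones so that more of the traffic falls into the first category. The hosts, cookie names and captured lines are constructed.

```python
"""Added example (not from the chapter): cookie harvesting from plaintext HTTP
captures, plus an audit of the Set-Cookie flags that would have prevented it.
All traffic shown is constructed sample data."""


def parse_http_message(raw):
    """Split one HTTP message into (start_line, {lowercase header: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers


def harvest_sessions(captures):
    """captures: list of (scheme, raw_request). Returns cookies seen in plaintext."""
    found = []
    for scheme, raw in captures:
        if scheme != "http":  # TLS traffic is opaque to a passive sniffer
            continue
        _, headers = parse_http_message(raw)
        host = headers.get("host", ["?"])[0]
        for cookie_header in headers.get("cookie", []):
            for pair in cookie_header.split(";"):
                name, _, value = pair.strip().partition("=")
                found.append({"host": host, "name": name, "value": value})
    return found


def audit_set_cookie(raw_response):
    """Return [(cookie_name, [missing flags])] for each Set-Cookie in a response."""
    _, headers = parse_http_message(raw_response)
    report = []
    for sc in headers.get("set-cookie", []):
        parts = [a.strip() for a in sc.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {a.lower() for a in parts[1:]}
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in flags]
        report.append((name, missing))
    return report


# Constructed captures: one plaintext request carrying a session cookie, one over TLS.
CAPTURES = [
    ("http", "GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
             "Cookie: SESSIONID=9f3c2a; theme=dark\r\n\r\n"),
    ("https", "GET /account HTTP/1.1\r\nHost: bank.example.test\r\n"
              "Cookie: auth=secret\r\n\r\n"),
]
# Constructed response: the session cookie lacks both flags, the CSRF token has them.
RESPONSE = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: SESSIONID=9f3c2a; Path=/\r\n"
            "Set-Cookie: csrf=abc; Secure; HttpOnly\r\n\r\n<html>")

if __name__ == "__main__":
    for c in harvest_sessions(CAPTURES):
        print(f"{c['host']}: {c['name']}={c['value']}")
    print(audit_set_cookie(RESPONSE))
    # [('SESSIONID', ['Secure', 'HttpOnly']), ('csrf', [])]
```

A cookie marked Secure is never sent over HTTP, so even a successful sslstrip downgrade does not expose it; HttpOnly keeps it away from injected script. Both flags, together with HSTS on the server, are the countermeasure a test that succeeds with these tools should recommend.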
Denial of Service
  • Low Orbit Ion Cannon (LOIC) by Rifat Rashid is a network stress-testing tool that performs a denial-of-service (DoS) attack (or, when used by many individuals at once, a DDoS attack) on a target site by flooding the server with TCP, UDP, or HTTP requests with the intention of disrupting the service of a particular host.
  • AnDOSid by Scott Herbert allows security professionals to simulate a DOS attack. AnDOSid launches an HTTP POST flood attack, where the number of HTTP requests becomes so huge that a victim’s server has trouble responding to them all.
  • Easy Packet Blaster by Hunter Davis is another utility that is simple to use but can very effectively shut down a network host with traffic.
Scanners
  • WPScan for Android by Alessio Dalla Piazza is a black-box WordPress vulnerability scanner written in Ruby that attempts to find known security weaknesses within WordPress installations. See Exercise 16.1.
  • App Scanner by Trident Inc. is a utility designed to specifically target applications and their potential vulnerabilities.
  • CCTV Scanner is an app designed to locate cameras on networks and give information regarding the devices.
  • NetCut by Fortiz Tools is used to test the security of firewalls.
SQL Injection Tools
  • DroidSQLi is an automated MySQL injection tool for Android. It allows you to test your MySQL-based web application against SQL injection attacks.
  • sqlmapchik by Maxim Tsoy is a cross-platform sqlmap GUI for the popular sqlmap tool. It is primarily used on mobile devices.
  • SQLite Editor by Weavebytes is a database editor for the SQLite files that most Android apps use for local storage. It is not a SQL injection tool, but on a rooted device it lets you open an app’s databases under /data/data and inspect what the app stores, which is where unencrypted credentials and tokens tend to turn up.
Proxy Tools
  • SandroProxy by sandrob is an intercepting proxy for Android, derived from WebScarab, that lets you view and modify the HTTP traffic of apps on the device or of other hosts configured to use it as their proxy.
  • Psiphon is not really a proxy tool but a VPN technology that can be used to protect traffic to and from a mobile device. It can be used to protect only web traffic or it can tunnel all the traffic on a device through the service.
Web Application Testing
  • HTTP Injector by Evozi is used to modify requests to and from websites and is helpful at analyzing web applications.
  • HTTP Tool by ViBO is designed to allow the tester to execute custom HTTP requests to evaluate how an application responds.
  • Burp Suite does not run on Android itself. It runs on a desktop, and the mobile device is configured to use it as its HTTP proxy, with Burp’s CA certificate installed on the device so that HTTPS traffic can be inspected; this is the standard way to test a mobile app’s back-end traffic.
Log File Readers
  • Syslog is used for reading log files on a mobile system.
  • ALog reader is another log file reader.
Wi-Fi Tools
  • Wifite is an automated wireless cracking tool for Android and the Linux platform. It can crack WEP and WPA as well as WPS-enabled networks.
  • AirMon by Maxters is an app for sensing, monitoring, and picking up wireless traffic.
  • WifiKill by Mat Development can scan a network and terminate wireless hosts it discovers.
  • WiGLE Wi-Fi Wardriving from WiGLE.net is the native Android client for the WiGLE wardriving database. It logs nearby access points with GPS coordinates and can upload them to the service.
  • Kismet is available for Android and is a port of the popular Linux tool.
Pentesting Suites
  • dSploit Scripts by jkush321 is a suite of tools that can easily map your network, fingerprint live hosts’ operating systems and running services, search for known vulnerabilities, crack logon procedures of many TCP protocols, and perform man-in-the-middle attacks such as password sniffing and real-time traffic manipulation. Note that dSploit’s developer has merged his effort with zANTI, which is also listed here.
  • zANTI is a comprehensive network diagnostics toolkit that enables complex audits and penetration tests at the push of a button. zANTI offers a comprehensive range of fully customizable scans to reveal everything from authentication, backdoor, and brute-force attempts to database, DNS, and protocol-specific attacks, including rogue access points.
  • Hackode by Ravi Kumar Purbey is another suite of tools much like zANTI and dSploit in scope and power.
Staying Anonymous
  • Orbot is a free proxy app from the Tor Project that empowers other apps to use the Internet more securely. Orbot uses Tor to encrypt your Internet traffic and then hides it by bouncing through a series of computers around the world.
  • Orweb from the Guardian Project was a free private web browser designed to work with Orbot. It could be slow, but it offered a high degree of protection and an anonymous way to reach sites that are blocked or monitored, including hidden services. It has since been retired in favor of Orfox and then Tor Browser for Android, which should be used instead.
  • Incognito or private browsing modes in ordinary browsers keep no local history, cookies, or cache once the session ends, but they do nothing to hide traffic from the network. They are useful on a shared device but are not a substitute for Orbot.

Countermeasures

Similar to securing desktops, servers, networks, and other equipment, you can take some basic steps to make mobile devices more resistant to attacks. What’s included here is some basic guidance but not a comprehensive list of all that can be done:

  • Setting passwords on all mobile devices is a requirement for all devices that will be attached to a corporate network and/or store sensitive data. It is worth noting that enabling certain features such as encryption will require the setting of a password before they will work.
  • Strong passcodes are recommended on all devices. Many devices offer alternative unlock methods such as 4-digit PINs and swipe gestures, which are much weaker than an alphanumeric passcode (a gesture can often be recovered from the smudges on the screen). Biometric unlock still falls back to the passcode, so the passcode’s strength sets the floor for the whole device.
  • Install antimalware applications to thwart the spread and infection of malware. Ideally, the antimalware application should scan not only the device but also newly installed applications and email for maximum effect.
  • Use encryption on all devices wherever possible to protect both internal storage and SD cards. This is an essential part of protecting data on a device in the event that it is lost or stolen. Note that some older devices and older operating systems do not support encryption.
  • Ensure that your device is always current with the latest software updates. This can be problematic because devices that are subsidized by wireless companies such as AT&T do not always get the latest updates until long after they are released. Such is the case with subsidized devices that run Android; Google will release updates to the system, but providers may not release them to their users for up to a year or more.
  • Avoid installing applications from unknown sources. Not all apps that can be installed on a device must come from Google or Apple; many can be downloaded from various websites. While many of these applications are legitimate, others may contain malware or cause other issues.
  • Back up the device regularly. Do we really need to say more on this topic?
  • Avoid rooting or jailbreaking a device. While it may seem attractive to get more power and control over a device, doing so introduces security risks.
  • Enable remote wipes if possible. This feature, if available, should be enabled on devices that contain sensitive data and are susceptible to being lost or stolen.
  • Verify applications before downloading. Some apps could be harmful to your mobile device, either by carrying malware or by directing you to a malicious website that may collect your sensitive information.
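
Several of the items above (encryption, current patches, unknown sources, rooting) can be checked from a workstation with `adb` before a device is allowed onto a corporate network. The following is an added example, not code from the book: it parses the output of `adb shell getprop` (in its real `[key]: [value]` format) and evaluates the chapter's countermeasures against it. The property and setting names used (`ro.crypto.state`, `ro.build.version.security_patch`, `ro.build.tags`, and the `install_non_market_apps` secure setting, which applies to Android 7 and earlier; newer versions grant the permission per app) are real Android names, but the device output, dates and `su` search result are constructed sample data.

```python
"""Audit basic Android hardening settings from captured `adb shell` output.

Added example for the countermeasures list; not code from the book. The
input strings below are constructed samples standing in for the output of
`adb shell getprop`, `adb shell settings get secure install_non_market_apps`
and a check for an `su` binary (e.g. `adb shell ls /system/xbin/su`).
"""
import re
from datetime import date

# Constructed sample of `adb shell getprop` output (not a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.1.1]
[ro.build.version.security_patch]: [2017-03-05]
[ro.build.tags]: [test-keys]
[ro.crypto.state]: [unencrypted]
[ro.product.model]: [Example Phone]
"""

# Constructed sample of `settings get secure install_non_market_apps`
# ("1" means installation from unknown sources is enabled).
SAMPLE_UNKNOWN_SOURCES = "1"

# Constructed result of looking for an su binary: paths that exist.
# An empty list means no su binary was found.
SAMPLE_SU_PATHS = ["/system/xbin/su"]

# Constructed "today" so the example gives a stable patch age.
REFERENCE_DATE = date(2017, 9, 1)

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop's `[key]: [value]` lines into a dict; skip malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def patch_age_days(props, today):
    """Days since the reported security patch level, or None if unknown."""
    level = props.get("ro.build.version.security_patch")
    if not level:
        return None
    y, m, d = (int(x) for x in level.split("-"))
    return (today - date(y, m, d)).days


def audit(props, unknown_sources, su_paths, today, max_patch_age_days=90):
    """Return (check, finding) pairs for each countermeasure the device fails."""
    findings = []
    # Encryption: ro.crypto.state is "encrypted", "unencrypted" or "unsupported".
    if props.get("ro.crypto.state") != "encrypted":
        findings.append(("encryption", "internal storage is not encrypted"))
    # Updates: flag a missing or stale security patch level.
    age = patch_age_days(props, today)
    if age is None:
        findings.append(("updates", "no security patch level reported"))
    elif age > max_patch_age_days:
        findings.append(("updates", f"security patch level is {age} days old"))
    # Unknown sources: the setting is "1" when enabled.
    if unknown_sources.strip() == "1":
        findings.append(("unknown sources",
                         "installation from unknown sources is enabled"))
    # Rooting: an su binary or a test-keys build both indicate a modified device.
    if su_paths or props.get("ro.build.tags") == "test-keys":
        findings.append(("rooting",
                         "device appears rooted or runs a test-keys build"))
    return findings


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    for check, finding in audit(props, SAMPLE_UNKNOWN_SOURCES,
                                SAMPLE_SU_PATHS, REFERENCE_DATE):
        print(f"FAIL [{check}]: {finding}")
```

On a real device the three inputs come from `adb shell getprop`, `adb shell settings get secure install_non_market_apps` and an `ls` of the usual `su` locations; the 90-day patch threshold is an assumed policy value and should be set to match the organization's update requirements.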

Summary

Mobile devices have taken the world by storm and have seen incredibly rapid growth and adoption over the last several years. Along with this growth have come a number of security issues to plague mobile devices. The ability to have a small and powerful device that is Internet connected and allows communication from anywhere at any time is alluring as well as a problem for companies.

With the average person today possessing at least three mobile devices and using those devices for both personal and work purposes, the devices pose a problem for the workplace. With the rise of BYOD policies at many workplaces, users now attach to a network not only because they want to but also because they have to in order to work.

Operating systems such as Google’s Android and the second-place Apple iOS are in many ways similar to but also different from traditional systems, presenting a security challenge. The vast number of devices has led to a host of problems, including mixing of multiple versions of the same OS and countless numbers of devices each having unique characteristics.

As a penetration tester you will need to familiarize yourself with the similarities and differences of the myriad of devices that exist. Pen testing these devices will require a combination of methods learned over previous chapters as well as the adoption of new tools and techniques to properly test the systems.

Exam Essentials

Know the challenges posed by mobile devices. Mobile devices represent a shift from laptops and desktop PCs to highly compact tablets and smartphones. While very powerful and portable, they present a huge potential for security holes within an organization.

Know the basics of protecting mobile data. Data on mobile devices is much more vulnerable than data in a fixed location. The risk that data may be compromised on a lost or stolen device is quite high and thus requires extra protection.

Understand the challenges of keeping Android devices up to date. Android devices come in many different versions and flavors by vendor and device. Since there are so many versions, patches and other updates may not be available as quickly as needed on many devices.

Review Questions

  1. What is the benefit of encryption on mobile devices?

    1. Protection against stolen devices
    2. Protection of data on lost or stolen devices
    3. Prevention of malware
    4. Protection of data being sent to websites
  2. Jailbreaking a phone refers to what?

    1. Removing DRM from the system
    2. Removing a device from a network
    3. Acquiring root access on a device
    4. Removing ransomware from a system
  3. What does rooting a device do?

    1. Removes updates from a system
    2. Removes access to a user
    3. Provides root-level access to a user on a system
    4. Increases security on a device
  4. Android is based on which operating system?

    1. Windows
    2. OS X
    3. Unix
    4. Linux
  5. iOS is based on which operating system?

    1. Windows
    2. OS X
    3. Unix
    4. Linux
  6. What could a company do to protect itself from a loss of data when a phone is stolen? (Choose all that apply.)

    1. Passwords
    2. Patching
    3. Encryption
    4. Remote wipe
  7. A utility for auditing WordPress from Android is __________.

    1. DroidSheep
    2. Firesheep
    3. WPScan
    4. Nmap
  8. What utility could be used to avoid sniffing of traffic?

    1. SandroProxy
    2. Proxify
    3. Psiphon
    4. Shark
  9. Jennifer has captured the following URL: www.snaz22enu.com/&w25/session=22525. She realizes that she can perform a session hijack. Which utility would she use?

    1. Shark
    2. DroidSheep
    3. Airmon
    4. Droid
  10. Jennifer is concerned about her scans being tracked back to her tablet. What could she use to hide the source of the scans?

    1. Sniffing
    2. SandroProxy
    3. FaceNiff
    4. Blind scanning
  11. What option would you use to install software that’s not from the Google Play store?

    1. Install from unknown sources.
    2. Install unsigned sources.
    3. Install from unknown locations.
    4. Install from unsigned services.
  12. Which technology can provide protection against session hijacking?

    1. IPsec
    2. UDP
    3. TCP
    4. IDS
  13. When a device is rooted, what is the effect on security?

    1. Improved
    2. Lowered
    3. Stays the same
    4. Hardened
  14. Session hijacking can be thwarted with which of the following?

    1. SandroProxy
    2. DroidSheep
    3. FaceNiff
    4. Psiphon
  15. A denial of service application for Android is __________.

    1. Blaster
    2. LOIC
    3. Evil
    4. Pryfi
  16. A man-in-the-browser attack delivered by a piece of malware can be prevented by which of the following?

    1. Anti-virus
    2. Anti-spyware
    3. Using Firefox
    4. Rooting a device
  17. An attack that can be performed using FaceNiff is __________.

    1. Infecting the client system
    2. Infecting the server system
    3. Inserting oneself into an active session
    4. Inserting oneself into a web application
  18. Remote wipes do what? (Choose two.)

    1. Wipe all data off a device.
    2. Remove sensitive information such as contacts from a remote system.
    3. Factory reset a device.
    4. Insert cookies and devices.
  19. A session hijack can be used against a mobile device using all of the following except?

    1. Emails
    2. Browsers
    3. Worms
    4. Cookies
  20. NetCut is used to do what? (Choose two.)

    1. Test firewalls.
    2. Craft packets.
    3. Take over a session.
    4. Scan a network.