Android Testing Environment Cheatsheet (Part 2)

This part will cover installing Android testing tools on the Kali VM and their basic usage.

Configuring Burp

Burp is already installed on the Kali VM. The following changes are needed:

Configure Burp on Kali
Choose the Proxy -> Options tab.
Choose Edit
In the Binding tab, select listen on all interfaces (or the address of Kali VM vbox network)

Configure proxy settings in Genymotion
Choose Settings -> Wi-Fi.
Hold down WiredSSID and choose Modify.
In Advanced Options, choose Manual proxy.
Enter the Kali VM address for the Proxy hostname e.g. 192.168.56.101.
Enter Burp’s port number for the Proxy port e.g. 8080.

Install Burp’s cert in Genymotion
Install Chrome e.g. $ sudo apt-get install chromium
In the Kali VM Chrome browser: Settings -> Network -> Network proxy.
Add 127.0.0.1, port 8080 in for the Manual proxy settings.
If your Burp listener is not listening on all interfaces, change it to listen on 127.0.0.1 temporarily.
Visit http://burp.
Download the portswigger cert from the CA Certificate link.
Rename the downloaded cert to cacert.cer.

Copy the cert onto Genymotion’s sdcard:
Connect to Genymotion using adb as shown in Part 1, then:
$ adb push cacert.cer /sdcard/cacert.cer

In Genymotion, Settings -> Security -> Install from SD card.
Choose the cacert.cer at the bottom of the list and install.
Name the cert portswigger.

Finally, if your Burp listener is not listening on all interfaces, change it back to listen on the address of your Kali VM vbox network.

Test your setup by visiting a web page in Genymotion and verifying that the traffic can be seen in Burp on the Kali VM.

Obtaining and installing android apps for testing

Install a plugin for chrome which allows downloading of APKs from the Google Play store e.g. APK Downloader Appsofto
Create a test google account for logging into the play store.
When visiting the play store, just click on the app’s icon and paste in the name of the package to download.
Of course, make sure to download apps which are compatible with your target Genymotion device.

Installing an APK onto Genymotion
To install your downloaded APK from the app store onto Genymotion, run the following command in the Kali VM:
$ adb install appname.apk

The installed app should now be in the Genymotion menu.

Install testing tools on Kali VM

Install Chrome browser
$ sudo apt-get install chromium

Install Drozer
Download Drozer.
Download drozer.apk agent.

Install Drozer server on Kali VM:
$ sudo apt-get install python-protobuf
$ sudo apt-get -f install (to install deps for python-protobuf)
$ sudo dpkg -i drozer.deb

Install Drozer agent on GenyMotion:
Connect to Genymotion using adb as shown in Part 1, then:
$ adb install drozer.apk

In Genymotion:
Open the drozer agent app on Genymotion and turn ON the server.

In Kali:
$ adb forward tcp:31415 tcp:31415
$ drozer console connect

Install APKtool
Download the apktool.
Download the apktool wrapper.
$ mv apktool-ver-number.jar apktool.jar
$ sudo cp apktool.jar /usr/local/bin
$ sudo cp apktool /usr/local/bin
$ sudo chmod u+x /usr/local/bin/apktool*

You should now be able to run the apktool against your target APK and browse the resulting directory to review the manifest file etc:
$ apktool d appname.apk

Install dex2jar
dex2jar: convert an APK file into a JAR file.

Download dex2jar.
Unzip and add the dex2jar script to your PATH/.profile:
$ unzip dex2jar-ver-num.zip
$ PATH="$PATH:/home/android/tools/dex2jar-ver-num/"

You should now be able to run the dex2jar tool against your target APK to create a jar file for browsing with jd-gui tool.
$ dex2jar-ver-num appname.apk

Install jd-gui
jd-gui: browse a JAR file and save source files as .java.

Download the jd-gui jar file.
Create a file named jd-gui containing the following command, tailored for your location:
java -jar /home/android/tools/jd-gui-ver-num.jar

Make the file executable and add to your PATH/.profile:
$ chmod u+x jd-gui
$ PATH="$PATH:/home/android/tools/"

You should now be able to run the jd-gui tool and open your newly created jar file from dex2jar, and browse the reconstructed Java source:
$ jd-gui

Install jadx
jadx: converts an APK file into Java source code (also useful if dex2jar doesn’t work).

Download jadx and unzip.
Add to your PATH/.profile:
$ PATH="$PATH:/home/android/tools/jadx-vernum/bin/"

Run jadx-gui and select your target APK or JAR file to browse:
$ jadx-gui

Install FindBugs & FindSecurityBugs
These plugins will work with Android Studio and can be used to scan source code for potential security issues.

Install FindBug:
Open Android Studio, File -> Settings -> Plugins.
Search for “FindBugs”, install and restart Android Studio.

Install FindSecurityBugs:
Download FindSecurityBugs plugin for Android Studio.
In Android Studio, File -> Settings -> Plugins -> Install plugin from disk.
Select the plugin zip file and restart Android Studio.

Android Testing Environment Cheatsheet (Part 1)

Environment

Genymotion and Android emulators cannot run within a VM.
Instead, this setup can help contain all the tools you need:
– Install Genymotion on your host OS.
– Install your android tools on a Kali VM to keep it portable.
– Connect to your android apps running in Genymotion from the Kali VM.

Note:
– Using an Ubuntu host here.
– Using Virtualbox here to create Kali VM but could be any VM platform.
– Genymotion requires Virtualbox to be installed for its emulation.
– Genymotion must be run natively on your host.
– If you prefer not to use a VM to store all your tools, just install everything on your host instead.

Configure the Kali VM

Install Virtualbox:
$ sudo apt-get install virtualbox

For the following steps, it is assumed Kali is installed in a Virtualbox VM. Tip: pressing the right control keyboard button releases your mouse from Virtualbox.

Install Virtualbox guest addons
apt-get update
apt-get install -y virtualbox-guest-x11
reboot

Create android test user
useradd -m android
passwd android
usermod -a -G sudo android
chsh -s /bin/bash android
logout

Install Android Studio
Download from android.com.
Unpack:
unzip android-studio-ide-*.zip
Run first time to install:
~/tools/android-studio/bin/studio.sh

Add Android Studio to your PATH/.profile:
$ PATH="$PATH:/home/android/tools/android-studio/bin"

Note: The command line android SDK tools (e.g. adb) are stored in:
~/Android/Sdk/platform-tools

Add Android SDK tools to your PATH/.profile:
$ PATH="$PATH:/home/android/Android/Sdk/tools/:/home/android/Android/Sdk/platform-tools/:/home/android/Android/Sdk/build-tools/2.4.0.3/"

Configure network interfaces
In the Virtualbox network settings for the Kali VM, for Adapter 1, choose Host-only Adapter (vboxnet0).
This will allow the VM and the Genymotion VM to talk to each other over ADB.
In the same network settings window, enable Adapter 2 for NAT
Adapter 1 will allow connections to Genymotion, while Adapter 2 will allow internet.
Reboot the Kali VM and run
$ sudo ifconfig
If the second adapter does not have an IP address run:
$ dhclient -r eth1
$ dhclient eth1

You should now have an internet connection on your Kali VM.

Install Genymotion on host

Create a Genymotion account at genymotion.com.
Download Genymotion.
If your host is Windows, download Genymotion & Virtualbox as a package.
If your host is Linux/Mac, ensure you have Virtualbox installed already.

Install Genymotion
chmod u+x genymotion-*.bin
./genymotion-2.8.0-linux_x64.bin
The installer will ask you to setup a virtual device.
Sign in using your created Genymotion account to complete this step.
Select your target device e.g. Google Nexus 4.
Once the download has completed and installed, the new virtual device will be listed.

Configuring Genymotion

In Genymotion Settings, ADB tab, deselect the Genymotion Android tools (default), choose custom Android SDK tools instead and leave the path blank (this avoids “device is offline” errors when connecting with adb from a VM).
Choose Start to launch the virtual device.
The network settings for Genymotion can be left as default (these are configured in the Virtualbox settings rather than in the Genymotion settings and should be left as Host-only Adapter vboxnet0).
In the same network settings window, enable Adapter 2 for NAT
Adapter 1 will allow connections from the Kali VM, while Adapter 2 will allow internet in Genymotion.
If you have Virtualbox installed on your host the device should start.
Click “No” for the question “Do you want to specify the Android SDK location?”.

Connecting to Genymotion

Here, we will connect to Genymotion from our Kali VM:
$ adb devices
$ adb connect 192.168.56.101 (the IP of your Genymotion emulator; when you mouse over the emulator, its IP is shown in the window title)
$ adb devices (should now see the listed connected device)
$ adb shell

Now your Kali VM is ready to install all the essential android testing tools and can connect to a Genymotion emulator. Having all your android testing tools in a VM allows moving of the VM to different computers, backing up and can save lots of setup time.

Listening to Iridium satellite traffic on Ubuntu (16.04 LTS)

Software
Download gr-iridium.
Download iridium-toolkit.

Hardware
RTLSDR/HackRF (using HackRF here).
A L-band patch antenna (using outernet’s antenna here).
A low noise amplifier covering 1.616 – 1.6265 GHz (ideal, but optional for initial tests).
A modified GPS antenna can also be used instead.
For a full list of hardware options please refer to CCC.

Target Frequencies
1.616 – 1.6265 GHz (L-band).
The outernet LNA does not fit this band but can be modified.
To get going quickly with rough results, it is still possible to receive messages without any filter.

Installing gr-iridium
Assuming GNU Radio and HackRF are already installed.
Download gr-iridium.
Install with the following commands:
$ mkdir build
$ cd build
$ cmake ..
$ make
$ sudo make install
$ sudo ldconfig

There should now be iridium blocks available in GNU Radio Companion.
The command line tool iridium-extractor should also be available.

Installing iridium-toolkit
Download iridium-toolkit.
No installation needed, just extract the zip file.

Listening to Iridium signals
Within the gr-iridium directory, the following command can be used:
(if using a RTLSDR, then use the rtl-sdr.conf file instead)
$ iridium-extractor -D 4 examples/hackrf.conf | grep "A:OK" > output.bit

Output should look something like:
osmosdr 0.1.4 (0.1.4) gnuradio 3.7.9
built-in source types: file osmosdr fcd rtl rtl_tcp uhd miri hackrf bladerf rfspace airspy redpitaya
Using HackRF One with firmware git-44df9d1
(RF) Gain: 14.0 (Requested 10)
BB Gain: 20.0 (Requested 20)
IF Gain: 40.0 (Requested 40)
Bandwidth: 10000000.0 (Requested 10000000)
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO1476513419 | i: 0/s | i_avg: 0/s | q: 0 | q_max: 0 | o: 0/s | ok: 0% | ok: 0/s | ok_avg: 0% | ok: 0 | ok_avg: 0/s | d: 0
OO1476513420 | i: 5/s | i_avg: 2/s | q: 0 | q_max: 3 | o: 5/s | ok: 83% | ok: 4/s | ok_avg: 83% | ok: 5 | ok_avg: 2/s | d: 0
1476513421 | i: 12/s | i_avg: 6/s | q: 0 | q_max: 2 | o: 12/s | ok: 84% | ok: 10/s | ok_avg: 84% | ok: 16 | ok_avg: 5/s | d: 0
1476513422 | i: 14/s | i_avg: 8/s | q: 0 | q_max: 2 | o: 14/s | ok: 100% | ok: 14/s | ok_avg: 91% | ok: 31 | ok_avg: 7/s | d: 0
1476513423 | i: 16/s | i_avg: 10/s | q: 0 | q_max: 3 | o: 16/s | ok: 88% | ok: 14/s | ok_avg: 90% | ok: 46 | ok_avg: 9/s | d: 0
1476513424 | i: 19/s | i_avg: 11/s | q: 0 | q_max: 3 | o: 19/s | ok: 70% | ok: 13/s | ok_avg: 84% | ok: 60 | ok_avg: 9/s | d: 0
1476513425 | i: 20/s | i_avg: 13/s | q: 0 | q_max: 3 | o: 20/s | ok: 80% | ok: 16/s | ok_avg: 83% | ok: 77 | ok_avg: 10/s | d: 0
...

Next, look at the captured traffic in the output.bit file:
$ tail -f output.bit

The output should look something like:
RAW: i-1476565594-t1 0009152 1626448000 A:OK I:00000000041 98% 0.009 132 001100000011000011110011001100111111001100110011111100110000101000011111
01000001001000010000000010100010100001001100011000000000000000000000000000000000000000000000000000000000000000001100110011001100110011001100110011
0011001100110011001100110011001001011110101101101100110011111111100001
RAW: i-1476565594-t1 0014822 1626280832 A:OK I:00000000045 86% 0.003 86 001100000011000011110011100000101001110001111111010001010110000010101111
1010010010110010011111010010001000000001101111100100100010001100100001100011010100110001100000000001000011100000111111111111
RAW: i-1476565594-t1 0019142 1626280448 A:OK I:00000000055 90% 0.004 140 001100000011000011110011100101001011100100001111011010010111001110101000
10101000011100110111001110110000000000001000001001010000011000000110001000100000001100001000010010100110101011001111111111111111111111111111111111
11111111111111111111111111111110010111101011011011001100111101000000100010001001000001
RAW: i-1476565594-t1 0020032 1621280384 A:OK I:00000000067 82% 0.003 179 001100000011000011110011000100011011001100000010001000000111001101100001
00010101110101001100110001010101010011010100110101010101010101010101010101010101010101010101010101010101010101010101110001001101010101010101010101
01010101010101010101010101010111000011010101010101010101010101010101010101110001010101010101010101010101010101010101010101010101010101010101010101
010101011100010101

Decoding Iridium signals
Within the iridium-toolkit directory, the following command can be used:
$ python iridium-parser.py output.bit > output.parsed

The output should look something like:
IRA: i-1476565594-t1 000053431 1626276608 81% 0.004 131 DL sat:80 beam:28 pos=(-43.58/+139.10) alt=804 RAI:48 ?10 bc_sb:07 PAGE(tmsi:38018671 msc_id:01) descr_extra:11101011010111100111001100111110100110
IRA: i-1476565594-t1 000054512 1626276480 95% 0.005 110 DL sat:80 beam:31 pos=(-43.51/+139.09) alt=803 RAI:48 ?10 bc_sb:12 PAGE(NONE) descr_extra:011010110101111001110011001111011011100000000000000110010011
IBC: i-1476565594-t1 000059452 1619859200 86% 0.004 137 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 0000 time:2016-10-16T08:07:36Z descr_extra:101110001100
IBC: i-1476565594-t1 000059632 1619859072 90% 0.004 143 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 101110100011111111111111110000 max_uplink_pwr:31 descr_extra:011110010111010100111101
IBC: i-1476565594-t1 000059812 1619858944 94% 0.004 137 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 0000 tmsi_expiry:284264056 descr_extra:001101000111
IBC: i-1476565594-t1 000059992 1619859072 87% 0.004 138 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 0000 time:2016-10-16T08:07:37Z descr_extra:00001100011001
IBC: i-1476565594-t1 000060172 1619858944 92% 0.004 139 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 101110100011111111111111110000 max_uplink_pwr:31 descr_extra:1111000101010101
IBC: i-1476565594-t1 000060352 1619858944 90% 0.004 142 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 0000 tmsi_expiry:284264056 descr_extra:0101001110110011010100
...

To visualise the types of messages captured:
$ python stats.py output.parsed

To check if your data contains voice calls:
$ python stats-voc.py output.parsed

Select the samples and play-iridium-ambe will decode and play the calls.
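Added example (not part of gr-iridium or iridium-toolkit): a small reader for the iridium-parser.py output above that tallies message types, drops frames outside the target band or below a confidence threshold, and pulls out the IRA satellite position and the IBC broadcast time. The sample lines are copied from the page's output (descr_extra shortened); the column positions of frequency and confidence are assumed from that layout.

```python
import re
from collections import Counter

# Sample lines copied from the iridium-parser.py output shown above
# (descr_extra shortened). Frequency in column 4 and confidence in column 5
# are assumed from that layout.
SAMPLE_PARSED = """\
IRA: i-1476565594-t1 000053431 1626276608 81% 0.004 131 DL sat:80 beam:28 pos=(-43.58/+139.10) alt=804 RAI:48 ?10 bc_sb:07 PAGE(tmsi:38018671 msc_id:01) descr_extra:1110
IRA: i-1476565594-t1 000054512 1626276480 95% 0.005 110 DL sat:80 beam:31 pos=(-43.51/+139.09) alt=803 RAI:48 ?10 bc_sb:12 PAGE(NONE) descr_extra:0110
IBC: i-1476565594-t1 000059452 1619859200 86% 0.004 137 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 0000 time:2016-10-16T08:07:36Z descr_extra:1011
IBC: i-1476565594-t1 000059632 1619859072 90% 0.004 143 DL bc:0 sat:80 cell:31 0 ts:1 sv_blkn:0 aq_cl:1111111111111111 aq_sb:12 aq_ch:0 00 101110100011111111111111110000 max_uplink_pwr:31 descr_extra:0111
"""

BAND_HZ = (1616000000, 1626500000)  # 1.616 - 1.6265 GHz, the page's target band

def parse_line(line):
    """Split one parsed line into type, frequency, confidence and key:value fields."""
    parts = line.split()
    if len(parts) < 8 or not parts[0].endswith(":"):
        return None
    rec = {"type": parts[0][:-1], "freq_hz": int(parts[3]),
           "confidence": int(parts[4].rstrip("%")), "fields": {}}
    for tok in parts[7:]:
        if ":" in tok and not tok.startswith("descr_extra"):
            key, value = tok.split(":", 1)
            rec["fields"][key] = value
    m = re.search(r"pos=\(([-+\d.]+)/([-+\d.]+)\)", line)
    if m:  # IRA ring alerts carry the satellite's position
        rec["pos"] = (float(m.group(1)), float(m.group(2)))
    return rec

def summarise(text, min_confidence=80):
    """Tally message types for in-band frames above a confidence threshold,
    and collect the broadcast times that IBC frames carry."""
    counts, ibc_times = Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["confidence"] < min_confidence:
            continue
        if not BAND_HZ[0] <= rec["freq_hz"] <= BAND_HZ[1]:
            continue
        counts[rec["type"]] += 1
        if rec["type"] == "IBC" and "time" in rec["fields"]:
            ibc_times.append(rec["fields"]["time"])
    return counts, ibc_times

if __name__ == "__main__":
    counts, times = summarise(SAMPLE_PARSED)
    print(dict(counts), times)
```

On a real capture, pass the contents of output.parsed to summarise instead of SAMPLE_PARSED.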