2600 Magazine: The Hacker Quarterly - Digital Edition - Summer 2011 - 2600 Magazine [14]

By Root
who manufactured the network interface of the discovered devices, service detection (by reading the service banner), and the ability to directly connect to services which Android supports or has known applications for (WWW, FTP, SSH, etc.). Future plans include database storage for scan results, OS fingerprinting, NAT traversal, and root-enabled functions like SYN scans.

Wireless Tether

Wireless Tether is a mainstay of rooted Android phones, as it allows any Android phone to share its cellular Internet connection over either Ad-Hoc Wi-Fi or Bluetooth PAN. It does this in a way that prevents your carrier from differentiating between the traffic generated by the Android device itself and that of any devices connected to it. The upside is that you are able to share the cellular Internet access you already pay (dearly) for without having to sign up for the nonsensical "tethering" charges which many carriers have begun implementing. This is an excellent tool for setting up temporary Internet access for small groups of people, such as at hackerspaces or 2600 meetings.

Shark for Root

Shark for Root is a port and front-end for the venerable tcpdump. I suspect the use and function of tcpdump are well known enough that I don't need to go into explicit detail, but, to put it briefly, it allows the user to examine and log all of the TCP/IP packets going into and out of the Linux kernel. As the name implies, Shark only works properly if it is run as the root user, which gives it complete access to the kernel's networking subsystems.

Shark isn't much to look at, and, in fact, has a few rather annoying bugs in the user interface, but the UI itself is the last thing you are going to be worried about. Installing Shark is the easiest way to get a working tcpdump binary installed on an Android device (though some custom ROMs do include it out of the box), so it's an absolute must-have if you want to do any kind of mobile network analysis.

Remote Exploit Applications

This is more of an "honorable mention" category; there are currently a handful of applications in the Android Market which are designed to use documented remote exploits against various operating systems and server applications. For example, there are a few applications designed to use the recent Windows Vista and Windows 7 remote SMB exploit. These applications can be used to trigger a BSOD on any unpatched Windows system on the same Wi-Fi network as the Android device.

While this type of software is still fairly rare on Android, it is going to become more common as developers get better acquainted with the intricacies of making software for Android. This area of development certainly warrants a close watch from the community, both offensively and defensively.

Mobile MITM Attack

So we have covered a few very useful tools you can download on your Android device, but you still might be wondering how these seemingly innocuous applications could possibly be used maliciously. A powerful mobile device running Android could be used by an attacker in thousands of different ways, but, for this example, we will be focusing on a specific case that involves a few of the applications we just discussed: using a rooted Android phone as part of a man-in-the-middle attack.

The idea is really rather simple. We will be setting up Wireless Tether to make our phone appear to be a public Wi-Fi AP (access point) to our victims, and then, once they connect to our phone (and through it, the Internet), we can capture their traffic for later analysis and data retrieval.
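Seen from the other side, a phone posing as a public AP leaves traces in an ordinary Wi-Fi scan. The following is an added example, not part of the original article: a small check that flags scan entries matching the setup described above (an ad-hoc network, or a familiar SSID on an unfamiliar BSSID). The record fields, SSIDs, BSSIDs and the site inventory are all constructed assumptions.

```python
# Added example: flag Wi-Fi scan entries that look like a phone posing as a public AP.
# Every SSID, BSSID and record below is constructed sample data.

KNOWN_APS = {  # assumed site inventory: SSID -> BSSIDs the operator really runs
    "CoffeeShop-Free": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
}

SCAN = [  # "mode" is "ESS" (infrastructure AP) or "IBSS" (ad-hoc)
    {"ssid": "CoffeeShop-Free", "bssid": "00:11:22:33:44:55", "mode": "ESS", "encrypted": False},
    {"ssid": "CoffeeShop-Free", "bssid": "02:1a:11:f0:0d:01", "mode": "IBSS", "encrypted": False},
    {"ssid": "Free Public WiFi", "bssid": "02:aa:bb:cc:dd:ee", "mode": "IBSS", "encrypted": False},
    {"ssid": "HomeNet", "bssid": "00:de:ad:be:ef:01", "mode": "ESS", "encrypted": True},
]


def locally_administered(bssid):
    """True if the U/L bit (0x02 of the first octet) is set, i.e. not a vendor-assigned MAC."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def assess(entry, known_aps):
    """Return the reasons a scan entry deserves a second look (empty list = none)."""
    reasons = []
    bssid = entry["bssid"].lower()
    if entry["mode"] == "IBSS":
        reasons.append("ad-hoc (IBSS) network, not an infrastructure AP")
    expected = known_aps.get(entry["ssid"])
    if expected is not None and bssid not in expected:
        reasons.append("SSID matches a known network but BSSID is not in the inventory")
    # Hint only: some legitimate APs also use locally administered BSSIDs.
    if not entry["encrypted"] and locally_administered(bssid):
        reasons.append("open network with a locally administered BSSID")
    return reasons


def suspicious(scan, known_aps):
    """Map (ssid, bssid) -> reasons for every entry with at least one finding."""
    findings = {}
    for entry in scan:
        reasons = assess(entry, known_aps)
        if reasons:
            findings[(entry["ssid"], entry["bssid"])] = reasons
    return findings


if __name__ == "__main__":
    for (ssid, bssid), reasons in suspicious(SCAN, KNOWN_APS).items():
        print(f"{ssid} [{bssid}]: " + "; ".join(reasons))
```

None of these findings is proof on its own; they mark networks to verify with the site operator before trusting them.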

The first step is to scout out a good location. Tools like WiFi Analyzer are helpful here as they can be used to find important information about the existing Wi-Fi coverage in the area. Ideally, the best place to attempt an attack like this would be locations with a high density of users, and a relatively low number of existing Wi-Fi APs. Once an attacker finds a location where there are many potential targets, he can use WiFi Analyzer to determine the signal strength of surrounding APs and how many