Analyzing APK Files for Security Vulnerabilities with APK Monster

As mobile applications become more integral to our daily lives, ensuring their security is paramount. Vulnerabilities in mobile apps can expose sensitive data, lead to unauthorized access, and compromise user privacy. To help address these challenges, we introduce APK Monster, a comprehensive tool for analyzing Android APK files for a wide range of security vulnerabilities.

Introducing APK Monster

APK Monster is designed to scan and analyze APK files against the OWASP Mobile Top 10 vulnerabilities and other common security issues. This powerful tool extracts critical information from the APK, examines its components, and identifies potential security weaknesses.

Key Features of APK Monster

1. String Extraction: Extracts all strings from XML, ARSC, TXT, and JSON files within the APK, helping identify hardcoded secrets like passwords, tokens, and API keys.

2. Permission Analysis: Checks for insecure permissions that may expose the app to unnecessary risks.

3. Cryptography Review: Identifies weak cryptographic practices within the app’s code.

4. Exported Component Detection: Highlights exported activities, services, receivers, and providers that could be accessed by malicious entities.

5. Storage Security: Scans for insecure storage locations used by the app.

6. Communication Security: Detects the use of insecure communication protocols, such as HTTP.

7. Authentication Practices: Reviews the app for insecure authentication practices.

8. Code Quality: Flags poor coding practices that may affect the app’s security.

9. Tampering Protections: Checks for mechanisms protecting the app from tampering.

10. Reverse Engineering: Looks for protections against reverse engineering, such as obfuscation.

11. Extraneous Functionality: Identifies unnecessary or debug functionalities left in the production code.

How to Use APK Monster

Using APK Monster is straightforward. Follow these steps to analyze an APK file:

1. Install Dependencies:

Ensure you have the necessary Python packages installed:

 pip install androguard termcolor tqdm

2. Run the Tool:

Execute the script with the path to your APK file and the output file for the results:

python analyze_apk.py path/to/your.apk path/to/output.txt

Understanding the Results

APK Monster generates a detailed report highlighting each aspect of the APK’s security. The report categorizes issues and provides clear indications of potential vulnerabilities. For instance:

Hardcoded Secrets: Reveals any hardcoded credentials or sensitive information.

Insecure Permissions: Lists permissions that could expose the app to risks.

Weak Cryptography: Points out cryptographic algorithms that are considered weak or outdated.

Exported Components: Identifies components that are unnecessarily exposed and could be targeted by attackers.

Why APK Monster?

APK Monster stands out due to its comprehensive approach, covering a broad spectrum of vulnerabilities as outlined by the OWASP Mobile Top 10. It is a valuable tool for security researchers, developers, and penetration testers looking to ensure their apps are secure.

Download APK Monster

Read More

Moukthar - Android Remote Administration Tool

Remote adminitration tool for android

Features

• Notifications listener
• SMS listener
• Phone call recording
• Image capturing and screenshots
• Persistence
• Read & write contacts
• List installed applications
• Download & upload files
• Get device location

Installation

• Clone repository console git clone https://github.com/Tomiwa-Ot/moukthar.git
• Move server files to /var/www/html/ and install dependencies console mv moukthar/Server/* /var/www/html/ cd /var/www/html/c2-server composer install cd /var/www/html/web\ socket/ composer install The default credentials are username: android and password: the rastafarian in you
• Set database credentials in c2-server/.env and web socket/.env
• Execute database.sql
• Start web socket server or deploy as service in linux console php Server/web\ socket/App.php # OR sudo mv Server/websocket.service /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable websocket.service sudo systemctl start websocket.service
• Modify /etc/apache2/apache2.conf xml <Directory /var/www/html/c2-server> Options -Indexes DirectoryIndex app.php AllowOverride All Require all granted </Directory>
• Set C2 server and web socket server address in client functionality/Utils.java ```java public static final String C2_SERVER = "http://localhost";

public static final String WEB_SOCKET_SERVER = "ws://localhost:8080"; ``` - Compile APK using Android Studio and deploy to target

TODO

• Auto scroll logs on dashboard

Download Moukthar

Read More

Blutter - Flutter Mobile Application Reverse Engineering Tool

Flutter Mobile Application Reverse Engineering Tool by Compiling Dart AOT Runtime

Currently the application supports only Android libapp.so (arm64 only). Also the application is currently work only against recent Dart versions.

For high priority missing features, see TODO

Environment Setup

This application uses C++20 Formatting library. It requires very recent C++ compiler such as g++>=13, Clang>=15.

I recommend using Linux OS (only tested on Deiban sid/trixie) because it is easy to setup.

Debian Unstable (gcc 13)

• Install build tools and depenencies

apt install python3-pyelftools python3-requests git cmake ninja-build \
    build-essential pkg-config libicu-dev libcapstone-dev

Windows

• Install git and python 3
• Install latest Visual Studio with "Desktop development with C++" and "C++ CMake tools"
• Install required libraries (libcapstone and libicu4c)

python scripts\init_env_win.py

• Start "x64 Native Tools Command Prompt"

macOS Ventura (clang 15)

• Install XCode
• Install clang 15 and required tools

brew install llvm@15 cmake ninja pkg-config icu4c capstone
pip3 install pyelftools requests

Usage

Extract "lib" directory from apk file

python3 blutter.py path/to/app/lib/arm64-v8a out_dir

The blutter.py will automatically detect the Dart version from the flutter engine and call executable of blutter to get the information from libapp.so.

If the blutter executable for required Dart version does not exists, the script will automatically checkout Dart source code and compiling it.

Update

You can use git pull to update and run blutter.py with --rebuild option to force rebuild the executable

python3 blutter.py path/to/app/lib/arm64-v8a out_dir --rebuild

Output files

• asm/* libapp assemblies with symbols
• blutter_frida.js the frida script template for the target application
• objs.txt complete (nested) dump of Object from Object Pool
• pp.txt all Dart objects in Object Pool

Directories

• bin contains blutter executables for each Dart version in "blutter_dartvm<ver>_<os>_<arch>" format
• blutter contains source code. need building against Dart VM library
• build contains building projects which can be deleted after finishing the build process
• dartsdk contains checkout of Dart Runtime which can be deleted after finishing the build process
• external contains 3rd party libraries for Windows only
• packages contains the static libraries of Dart Runtime
• scripts contains python scripts for getting/building Dart

Generating Visual Studio Solution for Development

I use Visual Studio to delevlop Blutter on Windows. --vs-sln options can be used to generate a Visual Studio solution.

python blutter.py path\to\lib\arm64-v8a build\vs --vs-sln

TODO

• More code analysis
  • Function arguments and return type
  • Some psuedo code for code pattern
• Generate better Frida script
  • More internal classes
  • Object modification
• Obfuscated app (still missing many functions)
• Reading iOS binary
• Input as apk or ipa

Download Blutter

Read More

Diggy - Extract Enpoints From APK Files

Diggy can extract endpoints/URLs from apk files. It saves the result into a txt file for further processing.


Dependencies

• apktool

Usage

./diggy.sh /path/to/apk/file.apk

You can also install it for easier access by running install.sh
After that, you will be able to run Diggy as follows:

diggy /path/to/apk/file.apk

Download Diggy

Read More

XBruteForcer - CMS Brute Force Tool (WP, Joomla, DruPal, OpenCart, Magento)

Brute Force Tool: WP , Joomla , DruPal , OpenCart , Magento

Simple brute force script
[1] WordPress (Auto Detect Username)
[2] Joomla
[3] DruPal
[4] OpenCart
[5] Magento
[6] All (Auto Detect CMS)

Usage

Short Form	Long Form	Description
-l	--list	websites list
-p	--passwords	Passwords list

Example
perl XBruteForcer.pl -l list.txt -p passwords.txt

for coloring in windows Add This Line
use Win32::Console::ANSI;

BUG ?

• Submit new issue
• pm me in gmail
• do you want ask about all my tools ? you can add me in https://fb.me/moham3driahi

Installation Linux

git clone https://github.com/Moham3dRiahi/XBruteForcer.git
cd XBruteForcer
perl XBruteForcer.pl -l list.txt -p passwords.txt 

Installation Android
Download Termux

cpan install LWP::UserAgent
cpan install HTTP::Request
git clone https://github.com/Moham3dRiahi/XBruteForcer.git
cd XBruteForcer
perl XBruteForcer.pl -l list.txt -p passwords.txt 

Installation Windows

Download Perl
Download XBruteForcer
Extract XBruteForcer into Desktop
Open CMD and type the following commands:
cd Desktop/XBruteForcer-master/
perl XBruteForcer.pl -l list.txt -p passwords.txt 

Version
Current version is 1.2 What's New
• speed up
• Bug fixes
version 1.1
• Bug fixes

Download XBruteForcer

Read More

Penetration Testing and Auditing Toolkit for Android Apps - AndroTickler

A java tool that helps to pentest Android apps faster, more easily and more efficiently. AndroTickler offers many features of information gathering, static and dynamic checks that cover most of the aspects of Android apps pentesting. It also offers several features that pentesters need during their pentests. AndroTickler also integrates with Frida to provide method tracing and manipulation. It was previously published under the name of Tickler.

AndroTickler requires a linux host and a rooted Android device connected to its USB port. The tool does not install anything on the Android device, it only creates a Tickler directory on /sdcard . AndroTickler depends on Android SDK to run commands on the device and copy app's data to TicklerWorkspace directory on the host for further analysis. TicklerWorkspace is the working directory of AndroTickler and each app has a separate subdirectory in TicklerWorkspace which can contain the following (depending on user actions):

• DataDir directory: a copy of the data directory of the app
• extracted directory: Output of apktool on the app, contains smali code, resources, libraries...etc.
• bgSnapshots directory: Contains background snapshots copied from the device.
• images directory: contains any screenshots taken for the app.
• JavaCode directory: Contains app's Java code decompiled by dex2jar and JD tools
• logs directory: contains log files produced by -t -log, as explained below
• transfers: files and directories copied from the device to the host using -copy2host
• AndroidManifest.xml: The manifest file of the app as per apktool
• base.apk: the APK file of the app, installed on the device
• debuggable.apk: a debuggable version of the app, produced by -dbg

libs directory and Tickler.conf configuration file exist in the same directory of the jar file. The configuration file sets the location of TicklerDir directory on the host and Tickler on /sdcard of the android device. If the configuration file does not exist or these 2 directories are not set, then default values will be used (Tickler_workspace on the current directory and /sdcard/Tickler respectively). Tickler_lib directory contains some Java libraries and external tools used by AndroTickler such as apktool and dex2jar.

AndroTickler highly depends on the following tools, so they should exist on your machine before using it:

• Java 7 or higher
• Android SDK tools (adb and friends)
• sqlite3

Other tools are required for some features, but AndroTickler can still run without them:

• Frida
• jarsigner

How to use it

1. Build tool from code
2. Move AndroTickler.jar is to the same directory as Tickler_lib directory and Tickler.conf file (automatically created in build/libs)
3. Connect your Android device with the application-to-test installed on

Install

curl -s "https://get.sdkman.io" | bash
source "$HOME/.sdkman/bin/sdkman-init.sh"
sdk install gradle 4.4
git clone https://github.com/ernw/AndroTickler
cd AndroTickler
gradle build

The current version does the following:
Command help

java -jar AndroTickler.jar -h

Information gathering/Static analysis:
List installed Apps on the device:

java -jar AndroTickler.jar -pkgs

Searches for an app (package) installed on the device, whose package name contains the searchKey

java -jar AndroTickler.jar -findPkg <searchKey>

package without extra attributes

java -jar AndroTickler.jar -pkg <package> [other options]

Any command with a -pkg option (whether used with any of the following options or not), does the following actions if they have not been done before:

• Copies the app from the device
• Extracts the Manifest file of the app
• Decompiles the app to Java code using dex2jar and JD tools

General Info

java -jar AndroTickler.jar -pkg <package> -info

Returns the following information:

• App's user ID
• App's Directories path
• If the app's code indicate usage of external storage
• App's directories that already exist in External storage
• Content URIs in the code
• If the app is backable
• If the app is debuggable
• Data schemes (like iOS IPC)
• The permissions it uses

Code Squeezing

java -jar AndroTickler.jar -pkg <package> -squeeze [short | <codeLocation> ]

Fetches the following from the decompiled Java code of the app:

• Log messages
• Any indication of possible user credentials
• Java comments
• Used libs
• URLs in code
• Usage of shared preferences
• Usage of external storage
• Common components such as OkHttp and WebView

Unsurprisingly, its output is usually huge, so it is recommended to redirect the command's output to a file
short Squeezes only the decompiled code that belongs to the developer. For example, if an app has a package name of com.notEnaf.myapp, then squeeze short squeezes only the code in com/notEnaf directory.
Squeezes the code only in codeLocation directory. Helpful to limit your search or squeeze the source code if available.

Listing Components

java -jar AndroTickler.jar -pkg <package> -l [-exp] [-v]

Lists all components of the app
-exp Shows only exported components
-v Gives more detailed information for each component:

• Component type
• Whether exported or not
• Its intent filters
• The tool checks the corresponding Java class to each component and returns all possible intent extras

Listing any kind of components

java -jar AndroTickler.jar -pkg <package> -l [-act | -ser | -rec | -prov ] [-exp] [-v]

• -act : activities
• -ser : services
• -rec: broadcast receivers
• -prov: Content providers
• -exp: show only exported components of any of the above type

Databases

java -jar AndroTickler.jar -pkg <package> -db [|e|l|d] [nu]

By default, all -db commands update the app's data storage directory on the host before running the check.
no attribute OR e Tests whether the databases of the app are encrypted. It is the default action in case no option is given after -db flag. l Lists all databases of the app. Encrypted databases might not be detected. d Takes a sqlite dump of any of the unencrypted databases. nu noUpdate: runs any of the above options without updating the app's data directory on the host.

Data Storage Directory Comparison

java -jar AndroTickler.jar -pkg <package> -diff [d|detailed]

Copies the data storage directory of the app (to DataDirOld) then asks the user to do the action he wants and to press Enter when he's done. Then it copies the data storage directory again (to DataDir) and runs diff between them to show which files got added, deleted or modified.
d|detailed Does the same as the normal -diff command, also shows what exactly changed in text files and unencrypted databases.

Search

Code

java -jar AndroTickler.jar -pkg <package> -sc <key> [<customLocation>]

Searches for the key in the following locations:

• The decompiled Java code of the app
• res/values/strings.xml
• res/values/arrays.xml

Search is case insensitive.
Replaces the decompiled Java code location with the custom location.

Storage

java -jar AndroTickler.jar -pkg <package> -sd <key>

Searches the Data storage directory of the app for the given key

Tickling
Triggers components of the app, by all possible combinations of intents. For example, if an activity has an intent-filter of 2 possible actions and 3 data URI schemes, then AndroTickler will trigger this activity with all possible combinations of this intent. Additionally, AndroTickler captures the intent extras mentioned in the Java class corresponding to the component, assign them dummy values and add them to the possible intent combinations. Only extras of type boolean, string, int and float are supported.
if the -exp option is used, then the components will be triggered without root privileges or any special permissions. If not, then the components will be trigged with root privileges. This helps to test the app in 2 different scenarios: against normal-privileged or high-privileged attackers.
Before triggering components, AndroTickler prints all the commands to be executed. Then for each command, it triggers the component, prints the command then waits for the user. This gives the user enough time to do any extra checks after the command's execution. Before the user moves on to the next command, he's given the option to capture a screenshot of the device for PoC documentation.

java -jar AndroTickler.jar -pkg <package> -t [-all | -exp] [target] [-log]

target as explained with list command, can be:

• -act : activities. starts the (activity/activities) with all intent combinations as explained above
• -ser : services. starts the service(s) with all intent combinations as explained above
• -rec: broadcast receivers: sends all possible broadcast messages that would match the broadcast receiver(s)
• -prov: Content providers: queries the content provider(s)

if no value, then the target is all of the above
[-comp] <component_name> Specifies one component only. You can also use <component_name> directly without -comp flag. -exp AndroTickler uses normal privileges to trigger only the exported targets. -all The default option. AndroTickler uses root privileges to trigger the exported targets -log Captures all logcat messages generated during the triggering session. Log file is saved in logs subdirectory.

Frida:
Frida should be installed on your host machine. Also the location of Frida server on the Android device should be added to Tickler.conf file in the Frida_server_path entry

Capture Arguments and return value

java -jar AndroTickler.jar -pkg <package> -frida vals <ClassName> <MethodName> <NumberOfArgs> [-reuse]

Displays arguments and return value of this method (only primitive datatypes and String)
reuse In case of vals and set options, Frida creates/updates a Frida script of that functionality. You can modify the created script as you want, then if you want to run it through AndroTickler, then use -reuse option so that it doesn't get overridden.

Modify Arguments or Return Value

java -jar AndroTickler.jar -pkg <package> -frida set <ClassName> <MethodName> <NumberOfArgs> <NumberOfArgToModify> <newValue>[-reuse]

Sets the argument number NumberOfArgToModify to newValue (only primitive datatypes and String) If NumberOfArgToModify > NumberOfArgs: sets the return value

Run JS Frida script

java -jar AndroTickler.jar -pkg <package> -frida script <scriptPath>

Runs a frida JS script located at scriptPath on your host
Enumerate loaded classes:

java -jar AndroTickler.jar -pkg <package> -frida enum

Other Features

Debuggable version

java -jar AndroTickler.jar -pkg <package> -dbg

Creates a debuggable version of the app, which can be installed on the device and debugged using any external tool. AndroTickler comes with a keystore to sign the debuggable apk, but it requires jarsigner tool on the host.

Custom version

java -jar AndroTickler.jar -pkg <package> -apk <decompiledDirectory>

Builds an apk file from a directory, signs it and installs it.

Background Snapshots

java -jar AndroTickler.jar [-pkg <package>] [-bg|--bgSnapshots]

Copies the background snapshots taken by the device (works with and without -pkg option) to bgSnapshots subdirectory.

Copy files / directories
Copy Data storage directory:

java -jar AndroTickler.jar -pkg <package> -dataDir  [dest]

Copies Data storage directory to DataDir dest Optional name of the destination directory, which will be located anyway at transfers sudirectory.
Copy any file / directory:

java -jar AndroTickler.jar -pkg <package> -cp2host <source_path> [dest]

Copies files / directories from the android devices.

• source_path is the absolute location of what you want to copy from the android device
• dest: optional name of the destination directory, which will be located anyway at transfers sudirectory.

If dest option is not given then the directory's name will be the timestamp of the transaction.

Screenshot

java -jar AndroTickler.jar [-pkg <package>] -screen

• Captures the current screenshot of the device and saves them in images subdirectory
• Works with or without the package flag

Note
For the options that do not require -pkg option, their data will be saved at Tickler_Dir/NoPackage

Examples:

java -jar AndroTickler.jar -pkg <package> -t  -act -exp

Triggers exported activities

java -jar AndroTickler.jar -pkg <package> -t -prov -log

Queries all content providers and saves logcat messages until the tool stops execution

java -jar AndroTickler.jar -pkg <package> -t <component_name> 

Triggers the component, type of triggering depends on the type of the component

Download AndroTickler

Read More

Advance Android Malware Analysis Framework - Droidefense

Droidefense (originally named atom: analysis through observation machine)* is the codename for android apps/malware analysis/reversing tool. It was built focused on security issues and tricks that malware researcher have on they every day work. For those situations on where the malware has anti-analysis routines, Droidefense attemps to bypass them in order to get to the code and 'bad boy' routine. Sometimes those techniques can be virtual machine detection, emulator detection, self certificate checking, pipes detection. tracer pid check, and so on.

Droidefense uses an innovative idea in where the code is not decompiled rather than viewed. This allow us to get the global view of the execution workflow of the code with a 100% accuracy on gathered information. With this situation, Droidefense generates a fancy html report with the results for an easy understanding.

Usage

TL;DR

java -jar droidefense-cli-1.0-SNAPSHOT.jar -i /path/to/your/sample.apk

Detailed usage

java -jar droidefense-cli-1.0-SNAPSHOT.jar

________               .__    .___      _____                            
\______ \_______  ____ |__| __| _/_____/ ____\____   ____   ______ ____  
 |    |  \_  __ \/  _ \|  |/ __ |/ __ \   __\/ __ \ /    \ /  ___// __ \ 
 |    `   \  | \(  <_> )  / /_/ \  ___/|  | \  ___/|   |  \\___ \\  ___/ 
/_______  /__|   \____/|__\____ |\___  >__|  \___  >___|  /____  >\___  >
        \/                     \/    \/          \/     \/     \/     \/ 


 * Current build:    2017_12_05__12_07_01
 * Check out on Github:    https://github.com/droidefense/
 * Report your issue:    https://github.com/droidefense/engine/issues
 * Lead developer:    @zerjioang

usage: droidefense
 -d,--debug                 print debugging information
 -h,--help                  print this message
 -i,--input <apk>           input .apk to be analyzed
 -o,--output <format>       select prefered output:
                            json
                            json.min
                            html
 -p,--profile               Wait for JVM profiler
 -s,--show                  show generated report after scan
 -u,--unpacker <unpacker>   select prefered unpacker:
                            zip
                            memapktool
 -v,--verbose               be verbose
 -V,--version               show current version information
 

Useful info

• Checkout how to compile new version at:
  • https://github.com/droidefense/engine/wiki/Compilation
• Checkout report example at:
  • https://github.com/droidefense/engine/wiki/Pornoplayer-report
• Checkout execution logs at:
  • https://github.com/droidefense/engine/wiki/Execution-logs

Download Droidefense

Read More

Learn Hacking Using Android From Scratch

The course will start with you from scratch, from preparing your Android device and computer, installing the needed apps and will finish up with examples of real life scenarios that will give you full control over various computer systems.

This course focuses on the practical side penetration testing without neglecting the theory behind each attack, for each attack you will learn how that attack works and then you will learn how to practically launch that attack, this will give you full understanding of the conditions which allow this attack to be successfully executed, this knowledge will help you to detect and sometimes prevent this attack from happening. The the attacks explained in this course are launched against real devices in my lab.

Type: Course
Language: English
Number of videos: 25
Year: 2017
Format: MP4
Size: 1.14 GB
Password: offsec

Download Course

Read More

Infineon RSA Vulnerability - ROC

This tool is related to ACM CCS 2017 conference paper #124 Return of the Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli.

It enables you to test public RSA keys for a presence of the described vulnerability.

Update: The paper of the attack is already online, ACM version.

Currently the tool supports the following key formats:

• X509 Certificate, DER encoded, one per file, *.der, *.crt
• X509 Certificate, PEM encoded, more per file, *.pem
• RSA PEM encoded private key, public key, more per file, *.pem (has to have correct header -----BEGIN RSA...)
• SSH public key, *.pub, starting with "ssh-rsa", one per line
• ASC encoded PGP key, *.pgp, *.asc. More per file, has to have correct header -----BEGIN PGP...
• APK android application, *.apk
• one modulus per line text file *.txt, modulus can be a) base64 encoded number, b) hex coded number, c) decimal coded number
• JSON file with moduli, one record per line, record with modulus has key "mod" (int, base64, hex, dec encoding supported) certificate(s) with key "cert" / array of certificates with key "certs" are supported, base64 encoded DER.
• LDIFF file - LDAP database dump. Any field ending with ";binary::" is attempted to decode as X509 certificate
• Java Key Store file (JKS). Tries empty password & some common, specify more with --jks-pass-file
• PKCS7 signature with user certificate

The detection tool is intentionally one-file implementation for easy integration / manipulation.

Pip install
Install with pip (installs all dependencies)

pip install roca-detect

Local install
Execute in the root folder of the package:

pip install --upgrade --find-links=. .

Dependencies
It may be required to install additional dependencies so pip can install e.g. cryptography package.
CentOS / RHEL:

sudo yum install python-devel python-pip gcc gcc-c++ make automake autoreconf libtool openssl-devel libffi-devel dialog

Ubuntu:

sudo apt-get install python-pip python-dev build-essential libssl-dev libffi-dev swig

Usage
To print the basic usage:

# If installed with pip / manually
roca-detect --help

# Without installation (can miss dependencies)
python roca/detect.py

The testing tool accepts multiple file names / directories as the input argument. It returns the report showing how many files has been fingerprinted (and which are those).
Example (no vulnerabilities found):
Running recursively on all my SSH keys and known_hosts:

$> roca-detect ~/.ssh
2017-10-16 13:39:21 [51272] INFO ### SUMMARY ####################
2017-10-16 13:39:21 [51272] INFO Records tested: 92
2017-10-16 13:39:21 [51272] INFO .. PEM certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. DER certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. RSA key files: . 16
2017-10-16 13:39:21 [51272] INFO .. PGP master keys: 0
2017-10-16 13:39:21 [51272] INFO .. PGP total keys:  0
2017-10-16 13:39:21 [51272] INFO .. SSH keys:  . . . 76
2017-10-16 13:39:21 [51272] INFO .. APK keys:  . . . 0
2017-10-16 13:39:21 [51272] INFO .. JSON keys: . . . 0
2017-10-16 13:39:21 [51272] INFO .. LDIFF certs: . . 0
2017-10-16 13:39:21 [51272] INFO .. JKS certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. PKCS7: . . . . . 0
2017-10-16 13:39:21 [51272] INFO No fingerprinted keys found (OK)
2017-10-16 13:39:21 [51272] INFO ################################

Example (vulnerabilities found):
Running recursively on all my SSH keys and known_hosts:

$> roca-detect ~/.ssh
2017-10-16 13:39:21 [51272] WARNING Fingerprint found in the Certificate
...
2017-10-16 13:39:21 [51272] INFO ### SUMMARY ####################
2017-10-16 13:39:21 [51272] INFO Records tested: 92
2017-10-16 13:39:21 [51272] INFO .. PEM certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. DER certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. RSA key files: . 16
2017-10-16 13:39:21 [51272] INFO .. PGP master keys: 0
2017-10-16 13:39:21 [51272] INFO .. PGP total keys:  0
2017-10-16 13:39:21 [51272] INFO .. SSH keys:  . . . 76
2017-10-16 13:39:21 [51272] INFO .. APK keys:  . . . 0
2017-10-16 13:39:21 [51272] INFO .. JSON keys: . . . 0
2017-10-16 13:39:21 [51272] INFO .. LDIFF certs: . . 0
2017-10-16 13:39:21 [51272] INFO .. JKS certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. PKCS7: . . . . . 0
2017-10-16 13:39:21 [51272] INFO Fingerprinted keys found: 1
2017-10-16 13:39:21 [51272] INFO WARNING: Potential vulnerability
2017-10-16 13:39:21 [51272] INFO ################################

PGP key
In order to test your PGP key you can export it from your email client or download it from the PGP key server such as https://pgp.mit.edu/
You can also use gpg command line utility to export your public key:

gpg --armor --export [email protected] > mykey.asc

Advanced use case
Detection tool extracts information about the key which can be displayed:

roca-detect.py --dump --flatten --indent  ~/.ssh/

Advanced installation methods

Virtual environment
It is usually recommended to create a new python virtual environment for the project:

virtualenv ~/pyenv
source ~/pyenv/bin/activate
pip install --upgrade pip
pip install --upgrade --find-links=. .

Separate Python 2.7.13
We tested tool with Python 2.7.13 and it works (see Travis for more info). We have reports saying lower versions (<=2.6) do not work properly so we highly recommend using up to date Python 2.7
Use pyenv to install a new Python version locally if you cannot / don't want to update system Python.
It internally downloads Python sources and installs it to ~/.pyenv.

git clone https://github.com/pyenv/pyenv.git ~/.pyenv
echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(pyenv init -)"' >> ~/.bashrc
exec $SHELL
pyenv install 2.7.13
pyenv local 2.7.13

Python 3
Basic testing routine is quite simple and works with Py3 but the rest of the code that processes the different key formats and extracts the modulus for inspection is not yet fully py3 ready.
We are working on Py3 compatible version.

Docker container
Run via Docker container to avoid environment inconsistency. Dockerfile source can be audited at https://hub.docker.com/r/unnawut/roca-detect/.

docker run --rm -v /path/to/your/keys:/keys --network none unnawut/roca-detect

Make sure to use --rm and --network none flags to disable container's network connection and delete the container after running.

Download ROCA

Read More

All-in-One Wi-Fi Cracking Tools for Android - Hijacker v1.4

Hijacker is a Graphical User Interface for the penetration testing tools Aircrack-ng, Airodump-ng, MDK3 and Reaver. It offers a simple and easy UI to use these tools without typing commands in a console and copy&pasting MAC addresses.

This application requires an ARM android device with a wireless adapter that supports Monitor Mode. A few android devices do, but none of them natively. This means that you will need a custom firmware. Nexus 5 and any other device that uses the BCM4339 chipset (MSM8974, such as Xperia Z2, LG G2 etc) will work with Nexmon (it also supports some other chipsets). Devices that use BCM4330 can use bcmon. An alternative would be to use an external adapter that supports monitor mode in Android with an OTG cable.

The required tools are included for armv7l and aarch64 devices as of version 1.1. The Nexmon driver and management utility for BCM4339 are also included.

Root is also necessary, as these tools need root to work.

Features

Information Gathering

• View a list of access points and stations (clients) around you (even hidden ones)
• View the activity of a specific network (by measuring beacons and data packets) and its clients
• Statistics about access points and stations
• See the manufacturer of a device (AP or station) from the OUI database
• See the signal power of devices and filter the ones that are closer to you
• Save captured packets in .cap file

Attacks

• Deauthenticate all the clients of a network (either targeting each one (effective) or without specific target)
• Deauthenticate a specific client from the network it's connected
• MDK3 Beacon Flooding with custom options and SSID list
• MDK3 Authentication DoS for a specific network or to everyone
• Capture a WPA handshake or gather IVs to crack a WEP network
• Reaver WPS cracking (pixie-dust attack using NetHunter chroot and external adapter)

Other

• Leave the app running in the background, optionally with a notification
• Copy commands or MAC addresses to clipboard
• Includes the required tools, no need for manual installation
• Includes the nexmon driver and management utility for BCM4339 devices
• Set commands to enable and disable monitor mode automatically
• Crack .cap files with a custom wordlist
• Create custom actions and run them on an access point or a client easily
• Sort and filter Access Points with many parameters
• Export all the gathered information to a file
• Add an alias to a device (by MAC) for easier identification

Screenshots

Installation

Make sure:

• you are on Android 5+
• you are rooted (SuperSU is required, if you are on CM/LineageOS install SuperSU)
• have a firmware to support Monitor Mode on your wireless interface

Download the latest version here.

When you run Hijacker for the first time, you will be asked whether you want to install the nexmon firmware or go to home screen. If you have installed your firmware or use an external adapter, you can just go to the home screen. Otherwise, click 'Install Nexmon' and follow the instructions. Keep in mind that on some devices, changing files in /system might trigger an Android security feature and your system partition will be restored when you reboot. After installing the firmware you will land on the home screen and airodump will start. Make sure you have enabled your WiFi and it's in monitor mode.

Troubleshooting

This app is designed and tested for ARM devices. All the binaries included are compiled for that architecture and will not work on anything else. You can check by going to settings: if you have the option to install nexmon, then you are on the correct architecture, otherwise you will have to install all the tools manually (busybox, aircrack-ng suite, mdk3, reaver, wireless tools, libfakeioctl.so library) and set the 'Prefix' option for the tools to preload the library they need.

In settings, there is an option to test the tools. If something fails, then you can click 'Copy test command' and select the tool that fails. This will copy a test command to your clipboard, which you can run in a terminal and see what's wrong. If all the tests pass and you still have a problem, feel free to open an issue here to fix it, or use the 'Send feedback' feature of the app in settings.

If the app happens to crash, a new activity will start which will generate a report in your external storage and give you the option to send it directly or by email. I suggest you do that, and if you are worried about what will be sent you can check it out yourself, it's just a txt file in your external storage directory. The part with the most important information is shown in the activity.

Please do not report bugs for devices that are not supported or when you are using an outdated version.

Keep in mind that Hijacker is just a GUI for these tools. The way it runs the tools is fairly simple, and if all the tests pass and you are in monitor mode, you should be getting the results you want. Also keep in mind that these are AUDITING tools. This means that they are used to TEST the integrity of your network, so there is a chance (and you should hope for it) that the attacks don't work on your network. It's not the app's fault, it's actually something to be happy about (given that this means that your network is safe). However, if an attack works when you type a command in a terminal, but not with the app, feel free to post here to resolve the issue. This app is still under development so bugs are to be expected.

Warning

Legal

It is highly illegal to use this application against networks for which you don't have permission. You can use it only on YOUR network or a network that you are authorized to. Using a software that uses a network adapter in promiscuous mode may be considered illegal even without actively using it against someone, and don't think for a second it's untracable. I am not responsible for how you use this application and any damages you may cause.

Device

The app gives you the option to install the nexmon firmware on your device. Even though the app performs a chipset check, you have the option to override it, if you believe that your device has the BCM4339 wireless adapter. However, installing a custom firmware intended for BCM4339 on a different chipset can possibly damage your device (and I mean hardware, not something that is fixable with factory reset). I am not responsible for any damage caused to your device by this software.

Download Hijacker

Read More