Hands-On Penetration Testing with Kali NetHunter

By : Glen D. Singh, Sean-Philip Oriyano
Overview of this book

Kali NetHunter is a version of the popular and powerful Kali Linux pentesting platform, designed to be installed on mobile devices. Hands-On Penetration Testing with Kali NetHunter will teach you the components of NetHunter and how to install the software. You’ll also learn about the different tools included and how to optimize and use a package, obtain desired results, perform tests, and make your environment more secure. Starting with an introduction to Kali NetHunter, you will delve into different phases of the pentesting process. This book will show you how to build your penetration testing environment and set up your lab. You will gain insight into gathering intellectual data, exploiting vulnerable areas, and gaining control over target systems. As you progress through the book, you will explore the NetHunter tools available for exploiting wired and wireless devices. You will work through new ways to deploy existing tools designed to reduce the chances of detection. In the concluding chapters, you will discover tips and best practices for integrating security hardening into your Android ecosystem. By the end of this book, you will have learned to successfully use a mobile penetration testing device based on Kali NetHunter and Android to accomplish the same tasks you would traditionally, but in a smaller and more mobile form factor.

Tools within Kali NetHunter


The Kali NetHunter platform has additional resources not available in Kali Linux. These additional resources are powerful tools in the hands of a focused penetration tester.

MAC Changer

The name of this utility says it all: it changes the media access control (MAC) address of a device's network interface card (NIC) to either a randomized value or a specific address defined by the tester. The MAC Changer on Kali NetHunter has the additional capability of changing the device's hostname. This can be a very useful feature that can aid a penetration tester in a social-engineering attack:

The MITM framework

A man-in-the-middle (MITM) framework is a collection of tools and utilities used to perform MITM attacks on a network. In a MITM attack, the attacker sits between the victim and another device, such as the default gateway to the internet, with the intention of intercepting all traffic along that path. In the following diagram, the top arrow shows traffic from the PC that is destined for the internet and should be sent directly to the router (default gateway). With an attacker on the network, the victim's PC is tricked into thinking the attacker's machine is the router (default gateway), and the router is tricked into believing the attacker's machine is the PC:

It's a penetration tester's powerhouse. Some of its features are key-logging, address resolution protocol (ARP) cache poisoning attacks, spoofing, and SSL stripping attacks using the SSLstrip+ feature. The following is the main window of the MITM framework on NetHunter:

Swiping to the right, you'll encounter another section, Spoof Settings, which allows a penetration tester to easily execute a MITM attack on a network:
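The ARP cache poisoning described above leaves a fingerprint a defender can watch for: an IP whose MAC suddenly changes, or one MAC answering for both the gateway and a host. The following detector is an added example, not code from the book or the MITM framework, and runs over constructed ARP replies rather than a live capture.

```python
"""Detect ARP cache poisoning from a sequence of ARP replies.

Constructed sample data; not code from the book or the MITM framework.
The attack described above makes one MAC answer for two IPs (gateway and
victim), or flips the MAC an IP resolves to, and that is what we look for.
"""
from collections import defaultdict

# Constructed sample of (sender IP, sender MAC) pairs from ARP "is-at" replies,
# in arrival order: the router and PC announce themselves, then an attacker
# claims both addresses.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # router (default gateway)
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # victim PC
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # router again, consistent
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # attacker poses as the gateway
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # attacker poses as the PC too
]


def detect_arp_spoofing(replies, trusted=None):
    """Return alert strings for suspicious IP-to-MAC mappings.

    replies: iterable of (ip, mac) from ARP replies, in arrival order.
    trusted: optional {ip: mac} of known-good static mappings, for example
             the gateway; a reply contradicting one is flagged immediately.
    """
    seen = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_by_mac = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        # An IP whose MAC changes after first sight: classic poisoning sign.
        if ip in seen and seen[ip] != mac:
            alerts.append(f"{ip} changed from {seen[ip]} to {mac}")
        else:
            seen.setdefault(ip, mac)
        # One MAC answering for several IPs: the machine in the middle.
        before = len(ips_by_mac[mac])
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max(before, 1):
            alerts.append(f"{mac} now claims {sorted(ips_by_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print("ALERT:", alert)
```

Passing the gateway's real MAC as `trusted` catches the very first forged reply instead of waiting for a change to be observed.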

HID attacks

A Human Interface Device (HID) attack converts a Kali NetHunter device, such as a smartphone with USB On-The-Go (OTG) support, into a pre-programmed keyboard. If a penetration tester uses an OTG cable to create a physical connection between the Kali NetHunter device and a target computer, NetHunter can create an attack vector that uses a combination of the phone's hardware and software to present itself as a pre-programmed keyboard. The purpose of the pre-programmed keyboard is to inject scripted attacks into the target system.

Note

According to the official documentation on Kali NetHunter, USB HID attacks are only available on Teensy devices. Teensy devices can be found at https://www.pjrc.com/teensy/.

DuckHunter HID

The USB Rubber Ducky was created by the team at Hak5 (www.hak5.org). It was designed to inject payloads at over 1,000 words per minute into the target device. Kali NetHunter allows a penetration tester to write custom Ducky Scripts or use existing ones, and then simply use the DuckHunter HID attack feature to convert those scripts into the NetHunter HID attack format.

Note

To create payloads for the USB Rubber Ducky, please visit https://ducktoolkit.com/ for more information.

Kali NetHunter supports the conversion of USB Rubber Ducky scripts for use in NetHunter's HID attacks. What is the USB Rubber Ducky? It is a hardware-based keystroke-injection tool that looks like a USB flash drive.

The following is a picture of a USB Rubber Ducky. As we can see, the Ducky has a motherboard with a removable microSD memory card. The USB Rubber Ducky receives power when it is inserted into a USB port on a computer. Upon receiving power, the firmware on the Ducky's motherboard checks for any payload residing on the microSD memory card. Regular USB thumb drives are not modular in this way: they do not let a user expand or replace the flash storage with a microSD card:
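The HID and DuckHunter sections above both rest on the same property: an injected payload types at over 1,000 words per minute, far faster than any human. A host-side monitor can turn that into a detection by measuring the sustained keystroke rate. This is an added example, not code from the book, NetHunter or Hak5, and its key timestamps are constructed rather than captured.

```python
"""Flag keystroke injection by typing rate, the simplest HID-attack tell.

Added example, not code from the book, NetHunter or Hak5. A Rubber Ducky
payload types at over 1,000 words per minute, far beyond any human, so a
host-side monitor can compare the keystroke rate against a human ceiling.
Timestamps below are constructed, not captured from real devices.
"""
from itertools import accumulate


def wpm_to_keys_per_second(wpm, chars_per_word=5):
    """Convert words per minute to keystrokes per second (5 chars per word)."""
    return wpm * chars_per_word / 60.0


def peak_keys_per_second(timestamps, window=20):
    """Highest keystroke rate seen across any `window` consecutive keys.

    timestamps: key-press times in seconds, ascending. Fewer than `window`
    keys gives 0.0, so a short burst alone never trips the detector.
    """
    if len(timestamps) < window:
        return 0.0
    peak = 0.0
    for i in range(len(timestamps) - window + 1):
        span = timestamps[i + window - 1] - timestamps[i]
        if span <= 0:           # all keys in the same instant
            return float("inf")
        peak = max(peak, (window - 1) / span)
    return peak


def looks_injected(timestamps, window=20, ceiling_wpm=360):
    """True if the sustained rate exceeds a generous human ceiling (360 wpm)."""
    return peak_keys_per_second(timestamps, window) > wpm_to_keys_per_second(ceiling_wpm)


# Constructed sample: a human typing 40 keys with uneven 90-250 ms gaps...
HUMAN_GAPS = [0.12, 0.18, 0.09, 0.25, 0.15]
HUMAN_TIMESTAMPS = list(accumulate([0.0] + [HUMAN_GAPS[i % 5] for i in range(39)]))
# ...and an injected payload delivering 40 keys at a flat 12 ms per key
# (about 1,000 wpm).
DUCKY_TIMESTAMPS = [i * 0.012 for i in range(40)]

if __name__ == "__main__":
    for label, ts in (("human", HUMAN_TIMESTAMPS), ("ducky", DUCKY_TIMESTAMPS)):
        print(f"{label}: {peak_keys_per_second(ts):.1f} keys/s, injected={looks_injected(ts)}")
```

A payload that inserts long DELAY commands between short bursts will stay under the window, which is why real monitors also look at per-burst timing and at new keyboard devices appearing.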

BadUSB MITM attacks

By now, you've probably noticed that there are some amazing HID- and USB-based attacks on the Kali NetHunter platform. The BadUSB MITM attack allows a penetration tester to simply use an OTG cable to create a physical connection between a victim's computer and the NetHunter device. Once the connection has been established, all network traffic leaving the victim's computer is sent to the NetHunter device:

This type of attack is called a man-in-the-middle (MITM) attack because the NetHunter device inserts itself between the victim's computer and the internet, or any other network the computer is transmitting data on.

The MANA Wireless Toolkit

Even if you are just starting out in penetration testing, you've probably heard of the wireless security auditing framework Aircrack-ng. The features of the MANA Wireless Toolkit on Kali NetHunter are similar to those of Aircrack-ng: MANA can create an evil-twin access point and perform a MITM attack.

Note

An evil twin is an unauthorized AP planted in an organization by a hacker. The goal is to trick unaware employees into connecting to it and transferring sensitive information across the network. Using an evil twin, a hacker is able to intercept and reroute users' traffic easily.

This tool allows a penetration tester to configure the following when creating an evil twin:

  • Basic Service Set Identifier (BSSID): The BSSID is the media access control (MAC) address of the wireless router or AP.
  • Service Set Identifier (SSID): The SSID is the name of the wireless network as seen by laptops, smartphones, tablets, and so on.
  • Channel: The channel is the slice of the wireless frequency band that the AP transmits on.
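The three parameters just listed are also what a defender's AP inventory records, which makes an evil twin detectable: a beacon advertising our SSID from a BSSID we do not own, or a known BSSID on the wrong channel. The following check is an added example, not code from the book or the MANA toolkit; the inventory and scan results are constructed.

```python
"""Spot an evil-twin AP in a wireless scan using a known-good AP inventory.

Added example, not code from the book or the MANA toolkit. BSSID, SSID and
channel are exactly what a defender's inventory records, so a beacon that
advertises our SSID from a BSSID we do not own, or a known BSSID on the
wrong channel, stands out. Scan results and inventory are constructed.
"""

# Constructed inventory: SSID -> {BSSID: channel} for the APs we operate.
INVENTORY = {"CorpWiFi": {"00:11:22:33:44:55": 6, "00:11:22:33:44:66": 11}}

# Constructed scan results as a client or wireless sensor would report them.
SCAN = [
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:55", "channel": 6, "rssi": -60},
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:12:34", "channel": 11, "rssi": -40},
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:66", "channel": 1, "rssi": -70},
    {"ssid": "GuestNet", "bssid": "00:11:22:33:44:77", "channel": 6, "rssi": -65},
]


def find_evil_twins(scan, inventory):
    """Return (bssid, reason) for beacons that impersonate an inventoried SSID."""
    findings = []
    for ap in scan:
        known = inventory.get(ap["ssid"])
        if known is None:
            continue            # SSID is not ours; nothing to impersonate
        bssid = ap["bssid"].lower()
        expected = {b.lower(): ch for b, ch in known.items()}
        if bssid not in expected:
            findings.append((bssid, f"unknown BSSID advertising {ap['ssid']} "
                                    f"on channel {ap['channel']} at {ap['rssi']} dBm"))
        elif expected[bssid] != ap["channel"]:
            # A legitimate AP may have been reconfigured, but a cloned BSSID on
            # the wrong channel is also how a twin copies a real AP, so review it.
            findings.append((bssid, f"known BSSID on channel {ap['channel']}, "
                                    f"expected {expected[bssid]}"))
    return findings


if __name__ == "__main__":
    for bssid, reason in find_evil_twins(SCAN, INVENTORY):
        print(f"{bssid}: {reason}")
```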

Software defined radio

The Software Defined Radio (SDR) feature allows the penetration tester to combine a HackRF device (a physical component) with the Kali NetHunter Android device to work across various wireless radio frequencies. SDR hacking allows a malicious user to listen on radio frequencies, intercepting police scanners, aircraft radio transmissions, and so on.

Network Mapper

A penetration tester's toolkit wouldn't be complete without the popular network-scanning tool Network Mapper (Nmap). It is known as the king of network scanners because it does far more than typical network scanners. Scanning allows a penetration tester to profile a target: it helps identify the operating system as well as open and closed ports, detect vulnerabilities, determine the service versions of running applications, and a lot more.

The following are the options provided by the Nmap Scan menu in the NetHunter app:

Nmap has quite a few benefits:

  • Can determine the target’s operating system
  • Detects TCP and UDP ports
  • Detects service versions by performing banner-grabbing
  • Detects a target device's vulnerability to various exploits and malware
  • Can use decoy features to reduce the chances of detection
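The OS, port and service-version detection listed above is just as useful to a defender auditing their own network, provided the results can be compared against what each host is supposed to expose. The following parser for Nmap's greppable (-oG) output is an added example, not code from the book or Nmap; the scan output and the port baseline are constructed to follow the greppable layout.

```python
"""Parse Nmap greppable (-oG) output and flag open ports a baseline disallows.

Added example, not code from the book or Nmap. The sample output is constructed
to follow the greppable layout: tab-separated "Key: value" fields, with port
entries written as port/state/proto/owner/service/rpc/version/.
"""
import re

SAMPLE_GNMAP = """\
# Constructed sample of nmap -sV -O -oG output, not a real scan
Host: 192.168.1.20 (fileserver)\tStatus: Up
Host: 192.168.1.20 (fileserver)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 445/open/tcp//microsoft-ds//Samba smbd 4.9.5/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (997)\tOS: Linux 4.15
Host: 192.168.1.30 ()\tPorts: 80/open/tcp//http//nginx 1.14.0/, 22/closed/tcp//ssh///\tIgnored State: closed (998)
"""

# Constructed baseline: the ports each host is allowed to expose.
BASELINE = {"192.168.1.20": {22}, "192.168.1.30": {80}}


def parse_gnmap(text):
    """Return {ip: {"hostname", "os", "ports": [{port, state, proto, service, version}]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                        # comments and summary lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip, name = re.match(r"(\S+) \((.*)\)", fields["Host"]).groups()
        entry = hosts.setdefault(ip, {"hostname": name, "os": None, "ports": []})
        if "OS" in fields:
            entry["os"] = fields["OS"]      # present only when -O matched
        for item in fields.get("Ports", "").split(", "):
            if not item:
                continue
            port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
            entry["ports"].append({"port": int(port), "state": state, "proto": proto,
                                   "service": service, "version": version})
    return hosts


def unexpected_open_ports(hosts, baseline):
    """Map each host to open ports its baseline does not allow; a host missing
    from the baseline has every open port flagged."""
    flagged = {}
    for ip, entry in hosts.items():
        allowed = baseline.get(ip, set())
        extra = sorted(p["port"] for p in entry["ports"]
                       if p["state"] == "open" and p["port"] not in allowed)
        if extra:
            flagged[ip] = extra
    return flagged


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in unexpected_open_ports(inventory, BASELINE).items():
        print(f"{ip} ({inventory[ip]['hostname']}): unexpected open ports {ports}")
```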

The Metasploit Payload Generator

One of the most challenging phases in penetration testing is the Exploitation, or Gain Access, phase. Sometimes a penetration tester may use an existing exploit within the Metasploit Framework (MSF); however, if the target system has been patched against that attack, the exploit will most likely fail. Within the MSF is the msfvenom payload-generator utility, which allows a penetration tester to create customized payloads.

The Metasploit Payload Generator allows a penetration tester to easily create payloads using the following options:

  • Output type, such as ASP, Bash (.sh), PHP, PowerShell (.ps1), Python (.py), Windows (.exe), and so on. This allows a payload to be crafted for a specific platform.
  • The IP address and port number.
  • Payload options, which can be the default MSF format or the command prompt (CMD).

The following is the interface for the Metasploit Payload Generator on Kali NetHunter. We can see the various options available to us and how simple it is to create a payload using this application. Upon completion, the payload can be saved to local storage on the Android device or sent to an HTTP address:

The created payloads can take the following forms:

  • Reverse or bind: In a reverse connection, the victim's terminal (shell) is sent back to the attacker once the system is compromised. In a bind shell, the compromised target system listens for an incoming connection, and the attacker connects to it to obtain the shell.
  • Staged or stageless: In a staged payload, the exploitation happens in stages. The attacker sends an initial payload to the target system; once compromised, the remainder of the payload is downloaded onto the victim's system. In a stageless payload, a single payload is crafted with all of its functions and is sent to the potential victim.

Searchsploit

A penetration tester may sometimes require a known, working exploit to attack a specific vulnerability on a target system. Exploit-DB (www.exploit-db.com) is a popular exploit repository maintained by the team at Offensive Security (www.offensive-security.com). Exploit-DB contains many exploits developed and tested by its community, which includes penetration testers and vulnerability researchers in cybersecurity.

The searchsploit tool allows a penetration tester to simply search for and download exploits directly onto their Kali NetHunter device. The tool queries the official Exploit-DB repository for the search parameters entered by the user. Once an exploit has been downloaded, the penetration tester can deliver the payload as is or customize it to suit the target:

Note

The full manual on SearchSploit can be found at https://www.exploit-db.com/searchsploit.