I have been doing quite a few mobile application penetration tests of late. One thing that I had to do in order to hook up an Android device to use Burp as a proxy was to install Burp’s CA certificate. The certificate has to be installed on the phone; otherwise applications that rely on SSL will break.
While I had my phone’s wifi connection set to use Burp’s IP (running on a laptop on the LAN) as a proxy, I browsed to http://burp/cert. The phone automatically downloaded cacert.der. Android had no way of importing this. After a bunch of Googling and no clear answers, all signs pointed at me needing to root the phone. I did not want to do this. Then I figured out a way.
1. Download a file manager for Android so you can browse to where the cacert.der was saved. (I used X-plore and browsed to my Downloads directory)
2. Rename cacert.der to cacert.crt.
3. Open cacert.crt by clicking on it in the file manager.
4. The installer will start. Enter any name for the certificate and press OK. A lock screen is required; if you don’t have one enabled, you are prompted to set one up.
At the moment of writing, Android doesn’t allow you to import a trusted system certificate without being root. The method above created a trusted ‘user’ certificate, and it works just fine for proxying traffic.
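An added example (not from the original post), meant to be run on the laptop rather than the phone: it checks that a downloaded cacert.der really is a single DER-encoded object (or PEM) rather than an HTML error page or a truncated download, then writes the .crt copy from step 2 and returns a SHA-256 fingerprint. The function names are assumptions, and only the outer DER framing is checked, not the X.509 contents.

```python
import hashlib
import ssl
import sys
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def der_total_length(data: bytes) -> int:
    """Return the encoded size of the outer DER SEQUENCE, or raise ValueError."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (an HTML error page, perhaps?)")
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def normalise_to_der(data: bytes) -> bytes:
    """Accept DER or PEM input and return exactly one DER object."""
    if data.lstrip().startswith(PEM_HEADER):
        # ssl raises ValueError itself if the PEM footer is missing
        data = ssl.PEM_cert_to_DER_cert(data.strip().decode("ascii"))
    if der_total_length(data) != len(data):
        raise ValueError("file is truncated or has trailing bytes")
    return data


def prepare_crt(src: Path) -> tuple[Path, str]:
    """Write <name>.crt next to src and return (path, SHA-256 fingerprint)."""
    der = normalise_to_der(src.read_bytes())
    dst = src.with_suffix(".crt")
    dst.write_bytes(der)
    digest = hashlib.sha256(der).hexdigest().upper()
    return dst, ":".join(digest[i:i + 2] for i in range(0, 64, 2))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: prepare_crt.py cacert.der")
    path, fingerprint = prepare_crt(Path(sys.argv[1]))
    print(f"{path}  SHA-256 {fingerprint}")
```

The fingerprint gives you something to compare against whatever certificate details the proxy or the device displays, so you know the file installed is the one you downloaded.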
- Happy mobile app pentesting.
I have had my blog on hold for almost 2 years now. Due to hosting changes, I have lost all of my posts’ graphics, ads and other random things. I am just leaving this here for clarity purposes.
I'm sure you do Billy, I'm sure you do... *backs away slowly*
This is purely hypothetical… unproven, and simply my own mind at work. I have no stats to back up my claim, nor pretty graphs. I have not tried this, and will not try this. I am purely doing a brain dump and hope some people enjoy.
CallCentre1 is PCI compliant. They do not store any credit card data in their databases. When a customer makes a payment with their details, it goes straight through their systems over a secured channel to a payment gateway.
Staff at CallCentre1 also get basic ‘PCI compliance’ training which outlines the relevant section to their daily duties. “Don’t tell a customer their Credit Card details for confirmation, get them to tell you” and the like.
So let’s say a hacker were to infiltrate CallCentre1. If the company were PCI compliant there shouldn’t be any sensitive CC data lying around which the hackers could take, right?
What I am about to discuss is nothing new. But the lack of user education on this matter has prompted me to try and explain why a tool like EvilGrade is so dangerous.
I was always the type of person that had the attitude of ‘I don’t need a piece of paper to get a job, I have the skills, experience, and probably studied more cert materials than anyone I know’.
This remained my attitude… until a little thing called the Global Financial Crisis came to town.
The ‘Local Administrator’ account on a Windows workstation is one of the scariest of all accounts. Not ‘scary’ as in it has more privileges than other accounts (Domain Administrator, NT Authority\System etc.), but ‘scary’ in the fact that it is often overlooked by System Administrators as being a huge security risk. The ‘risk’ of this account is that, more often than not, every computer in a given network will have the same local administrator account (usually due to standardisation and SOE imaging throughout the company).
“So what? The local admin account on our network won’t get you any network resources. Every user’s profile on the domain is stored on the server, nothing is local and everything has correct access permissions. Even if an attacker got this password and logged in to a machine, they can’t do anything (and good luck installing a keylogger or some malware – we have Anti Virus!)” – I hear some of you System Admins saying.
Not true. Not true at all. The local admin account, if an attacker can get it, is a very valuable and damaging weapon. In this post I will point out ways that an attacker can not only obtain the local admin account/password for a given network environment, but how they use it to penetrate your entire Windows Domain, gaining domain credentials along the way. (I previously wrote a post about a disgruntled IT employee using local admin to pilfer his boss’s bank account.)
Targeted Spear Phishing Attacks exploiting client-side vulnerabilities have been on the rise for years. These types of attacks ‘trick’ an end-user into either visiting a malicious website or clicking on a malicious link (which may or may not appear to be legitimate).
I’ve seen this happen many a time. Each time is slightly different, because as a hacker, the possibilities are almost endless in the ways and methods you can use to pull off a successful attack. You are only limited by your creativity. (Or, THEY are I should say *ahem*)