Are there any built-in tools/programs in Kali Linux that specifically target cell phones? Furthermore, do any of these tools/programs work remotely without sending a listener to the target?

Cody Rutscher
  • By cell phones are you referring to feature phones or smartphones? As both have different attack vectors and different OSs. – safesploit Aug 21 '18 at 04:52
  • specifically iphone and android smart phones. – Cody Rutscher Aug 21 '18 at 05:19
  • This question seems to stem from your other question. Looking at phone-specific tools is also not going to yield any insight as to how you might have been hacked. A browser exploit can work on mobile browsers, too. Phones are just hand-held computers. – schroeder Aug 21 '18 at 06:11
  • I guess more specifically, I am concerned that a software exists that allows the user to "hack" a phone with just the phone number, IMEI number, mac address, etc. If this software exists please let me know. I understand there are so many ways you can be hacked like browser, software vulnerabilities, updates, etc. But for the sake of this question, I am trying to zone in on a specific software that transcends these other exploits and just hacks based on phone number. – Cody Rutscher Aug 21 '18 at 06:19

1 Answer

Kali Linux has tools under the category Hardware Hacking: smali, apktool and android-sdk. These tools are specifically intended to target Android, although your question was more around the idea of remote exploitation, like that offered by Metasploit.

To clarify:

  • Phone number (Used to identify the SIM card)
  • IMEI number (Used to identify the phone)
  • MAC address (Used to identify the physical network address)

These are all selectors which uniquely identify you. They do not necessarily allow the device to be hacked, but they do allow for correlations when tracking a user, the assumption being that device location equals the owner's location.

WARRIOR PRIDE is the code name for a pair of spyware kits that can be installed on iPhone and Android-based smartphones. See "Angry Birds and 'leaky' phone apps targeted by NSA and GCHQ for user data", which outlines the framework of WARRIOR PRIDE.

  • DREAMY SMURF – handles power management, which according to The Guardian includes "an ability to stealthily activate a phone that is apparently turned off"

  • NOSEY SMURF – "hot mic", turning on the microphone to listen in on conversations

  • TRACKER SMURF – high-precision geolocation

  • PORUS – "kernel stealth"

  • PARANOID SMURF – "self-protection"

Now we have an idea of how real programs compromise Android and iOS. We can focus on the feasibility of using a phone number to compromise the device, which is to say, not feasible. Like with targeting an IP address, we will need open ports to exploit software, and most smartphones do not run servers which will have open ports. Unless you are aware of a character string set which the SMS client will give elevated privileges to (zero-day exploit), the phone number will serve as little purpose, other than being a unique identifier.

What about when the user updates an application, could I MITM and replace the real update with a modified update containing spyware? Absolutely, but this mechanism is either deployed over HTTPS or uses signed checksum validation, like that seen with APT. So, unless you break the public-key cryptography they are using, this is not an option.

What about crafting a website that will run malicious JavaScript (or PDF) code and give browser (or elevated) privileges? Possible.

Safari on iOS 4.0.2 '.pdf' Local Privilege Escalation 'Jailbreak' (CVE-2010-1797). An exploit like this would likely have been detected by noticing that the browser would crash (often a buffer overflow) when loading a PDF under certain conditions.

I speak about this exploit in more depth in How do hackers find vulnerabilities in closed source operating systems?.

I am brought back to SMS and malicious string sets; despite this not being an area where many scenarios have been documented, it's still an attack vector. So, I will focus on the social engineering perspective instead. Most people will open a well-crafted SMS, email or instant message without too much extra thought. This is how you can go from simply sending an SMS to directing the user onto a malicious website you control. Some messaging apps will display a URL by fetching the HTML title header and displaying that instead. Although, this is focusing more around the ideas of phishing (hacking the person) to compromise the device, rather than hacking the device's software.

safesploit
  • I think this is an outstanding answer. However, let me give you some context of my situation. I was hacked by someone who had my phone number, but did not do any social engineering or send me any executables or hyperlinks. This being said, this person(s) had to have some unique identifier about me/my phone in order to gain root access to my device. I really want to find out what software program would be capable of such an attack without me taking any action. – Cody Rutscher Aug 21 '18 at 12:35
  • How do you know you had been hacked, and why Kali? – ThoriumBR Aug 21 '18 at 12:43
  • You are confusing a payload for an exploit. For exploiting a device, the cycle vulnerability, exploit, payload must be followed, where the tool you describe is the payload. So, the short answer: there are no public toolkits for this, only zero-day exploits. See https://security.stackexchange.com/questions/34419/what-is-the-difference-between-exploit-and-payload – safesploit Aug 21 '18 at 13:48
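The signed-checksum update validation the answer points to (a signature over a manifest of file hashes, in the APT style), as an added example in Go that is not part of the answer or of any project mentioned. The key pair, file name and update bytes are constructed for the demonstration, and the client is assumed to have the publisher's public key pinned in advance; it shows why a MITM that swaps the payload, or re-signs with its own key, is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed stand-in for an APT-style signed Release file: "<sha256 hex>  <name>" lines, signed as a whole.
type signedManifest struct{ manifest, sig []byte }
type file struct{ name string; data []byte }

// signManifest runs on the publisher side with the private key.
func signManifest(priv ed25519.PrivateKey, files []file) signedManifest {
	var m []byte
	for _, f := range files {
		m = append(m, fmt.Sprintf("%x  %s\n", sha256.Sum256(f.data), f.name)...)
	}
	return signedManifest{manifest: m, sig: ed25519.Sign(priv, m)}
}

// verifyUpdate runs on the client with the pinned publisher key: manifest signature first, then the payload hash.
func verifyUpdate(pub ed25519.PublicKey, sm signedManifest, name string, payload []byte) error {
	if !ed25519.Verify(pub, sm.manifest, sm.sig) {
		return fmt.Errorf("%s rejected: manifest not signed by the pinned publisher key", name)
	}
	got := fmt.Sprintf("%x", sha256.Sum256(payload))
	for _, line := range strings.Split(string(sm.manifest), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[1] == name {
			if f[0] == got {
				return nil
			}
			return fmt.Errorf("%s rejected: checksum mismatch, payload altered in transit", name)
		}
	}
	return fmt.Errorf("%s rejected: not listed in the signed manifest", name)
}

// checkScenarios runs the cases the answer's argument rests on; a nil error means the client would install.
func checkScenarios() (genuine, tampered, forged error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key pair; client pins pub
	good, fake := file{"app-2.1.apk", []byte("constructed genuine update bytes")}, []byte("constructed substituted update")
	sm := signManifest(priv, []file{good})
	genuine = verifyUpdate(pub, sm, good.name, good.data)
	tampered = verifyUpdate(pub, sm, good.name, fake) // MITM swaps the payload, cannot alter the signed manifest
	_, attacker, _ := ed25519.GenerateKey(rand.Reader) // MITM re-signs a new manifest with a key the client does not trust
	forged = verifyUpdate(pub, signManifest(attacker, []file{{good.name, fake}}), good.name, fake)
	return
}
```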