The Greatest Tool To Hack Any iPhone / Android / Blackberry Phone


How Safe Is Your Valuable Privacy From Hackers?

When some people hear about this new tool, they think it's about running nmap from a smartphone. Rather, this tool allows you to assess the security of the smartphones in your environment in the manner you've come to expect with modern penetration testing tools.

The product of a DARPA Cyber Fast Track grant, the Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment. 

SPF Version 0.1 contains remote attacks, client side attacks, social engineering attacks, and post exploitation, targeting smartphone devices.

SPF is an ongoing project, with plans in the works to support additional devices, more modules in each attack vector category, and integration with existing tools such as Metasploit and SET.

What does this do?

Works a lot like your regular RAT. You configure an Xampp server on your computer and once people install your app you can control them from your own phone. You can read all their messages and contacts and get shell access.

Requirements :
  • Kali Linux
  • Port Forwarding : if you are using this outside of your own network
  • Xampp for linux 
  • Android Phone

Step 1 [Installing Xampp]

Open up a terminal window and type 
Once xampp has finished downloading, go to your home directory and you should have a file called "download.php?xampp-linux-1.7.3a.tar.gz". Rename it to something like "xampp.tar.gz".

In your terminal window run 
tar xvfz xampp.tar.gz -C /opt 

Everything should be installed and you can find xampp in the /opt/lampp/ directory.

Step 2 [Configuring Xampp]

To start and stop the Xampp service, use:
/opt/lampp/lampp start
/opt/lampp/lampp stop

Once Xampp has started, go to "localhost" in your browser and select your language. Navigate to "Phpmyadmin" and create a new database called "framework".

Next, add a new user by going to the "privileges" tab, then "add a new user". Use whatever username and password you want and select "local" from the hosts list.

Make sure you "Check All" global privileges, then click go. 
Now delete the htdocs folder in /opt/lampp/ 

Step 3 [Configuring SPF Files]

Navigate to the SPF config file 
/pentest/exploits/smartphone-pentest-framework/frameworkconsole/config 
And replace 
#IPADDRESS FOR WEBSERVER - with your local/public ip. 
#IP ADDRESS TO LISTEN ON FOR SHELLS - with your local/public ip. 
#IP ADDRESS OF SQLSERVER 127.0.0.1 IF LOCALHOST - with 127.0.0.1 
#USERNAME OF THE MYSQL USER TO USE - with the username you made in phpmyadmin
#PASSWORD OF THE MYSQL USER TO USE - with the password of the user you set 

Step 4 [Configuring SPF]

Open up the smartphone-pentest-framework window by going to applications>kali>exploitation tools>wireless exploitation tools>gsm exploitation>Smartphone-pentest-framework 

Select option 4 then select option 2
Input your phone number, then input a 7 digit control key to connect to your victims, and then enter the path you want your app to be located on your webserver (I will be using /). Now don't expect anything to happen just yet; you need to configure your phone with SPF.

Locate the file 
/pentest/exploits/smartphone-pentest-framework/FrameworkAndroidApp/bin/FrameworkAndroidApp.apk 

And move it over to your phone by uploading it to dropbox or just connecting your phone to your computer.

Install it, then open it up. Put in the details you filled out a minute ago in SPF and the IP the web server is set up on, then press setup.

Step 5 [Attacking People]

Open up smartphone-pentest-framework and select option 6 then pick between the direct download (just sends a text to the person from your phone with a direct download to the file) or client side shell (uses a browser exploit in android phones to give you shell access). 

If you select option 1 you must move the file
/pentest/exploits/smartphone-pentest-framework/AndroidAgent/bin/AndroidAgent.apk
to your root directory.

Once you get a victim, just open up smartphone-pentest-framework again, select option 1, fill in the details and you can then control the victim from your mobile phone. 
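
As an added example, not part of the original post or of SPF: a defender's triage for the direct-download text described in Step 5, flagging links in text messages that point straight at an .apk file or at a bare IP address. The message records, field names and sample values are constructed assumptions (for instance an export from a mobile management tool).

```python
import ipaddress
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

def host_is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 address instead of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def score_url(url):
    """Return the reasons a link in a text message looks like sideload delivery."""
    try:
        parsed = urlparse(url)
        host = parsed.hostname
    except ValueError:          # malformed URL, e.g. a broken IPv6 literal
        return []
    reasons = []
    if parsed.path.lower().endswith(".apk"):   # query string is not part of path
        reasons.append("links directly to an .apk file")
    if host and host_is_ip_literal(host):
        reasons.append("host is a bare IP address")
    return reasons

def triage_messages(messages):
    """Scan message bodies and return one finding per suspicious link."""
    findings = []
    for msg in messages:
        for raw in URL_RE.findall(msg["body"]):
            url = raw.rstrip(".,;)")            # drop trailing sentence punctuation
            reasons = score_url(url)
            if reasons:
                findings.append({"sender": msg["sender"], "url": url, "reasons": reasons})
    return findings

# Constructed sample messages (hypothetical senders, documentation-range addresses).
SAMPLE_MESSAGES = [
    {"sender": "+15550100", "body": "Install the update: http://203.0.113.25/AndroidAgent.apk"},
    {"sender": "+15550101", "body": "Lunch at noon? Menu: https://example.com/menu.html"},
    {"sender": "+15550102", "body": "New app at https://files.example.net/tools/Reader.APK."},
]

if __name__ == "__main__":
    for f in triage_messages(SAMPLE_MESSAGES):
        print(f["sender"], f["url"], "; ".join(f["reasons"]))
```

On the device side, keeping installation from unknown sources disabled stops the installation step that this delivery relies on.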