Setting up an Android Hacking Environment

For the 0DayAllDay event a friend and I are hosting June 9th 2018. I needed to setup a handful of Android virtual machines. Since we will be hacking on Password Managers and their associated Android apps. I didn't want people wasting their time setting up Android to work with Burp Suite. Especially since it can be difficult with information so spread out. I thought it would be good to centralize the information I needed to get a working Android Hacking Environment setup.

I won't be doing a step by step guide (Plenty of those out there). I am assuming the audience knows how to setup virtual machines. Just highlighting the important stuff.

Hypervisor I use is Proxmox (Qemu/kvm). I'm sure the steps will be fairly similar for other Hypervisors.

For the Android Operating System I will be using android-x86 specifically 'android-x86_64-7.1-r2.iso'

Create a virtual machine, I used the following:

  • 4 vCPU kvm64 (2 vCPU should be work fine)
  • 2 GB Memory
  • 15 GB Storage VirtIO SCSI
  • Use tablet for pointer should be set to 'No' for the mouse to work correctly.

Once you load up the android-x86 iso, start the virtual machine up. For details regarding the install, reference their documentation here. During the install it will ask if you want to install /system directory as read-write. Choose 'Yes' here. This will make everything easier.

Once the install is complete reboot.

The mouse pointer is most likely going to be off from your host mouse. It's annoying but it works.

Just like any Android, on first boot you need to setup everything.

For Proxmox to use another VNC client instead of the built in console follow the steps here. I prefer to use Remmina VNC client.

Now that you have a working Android virtual machine setup we can start to have fun.

There are two ways to get to the Android shell. On the VM Console you can hit ALT+F1 and it will switch tty's. The other way is ADB shell. For more information on how to connect via ADB shell see their documentation here.

To intercept traffic with Burp Suite you first need to download the CA Certificate. On the host computer go to http://proxyAddress:8080 in the top right hand corner click on 'CA Certificate'. Save cacert.der somwhere on your computer.

The certificate needs to be in PEM format. To do this run the following:

openssl x509 -inform der -in cacert.der -out cacert.pem

Next, you need to get the hash of the certificate. To do this run the following:

openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1

You will get something similar to 9a5ba575

Now we need to write the contents of cacert.pem to a new file using this hash and an extension of .0

cat cacert.pem > 9a5ba575.0

Now we need to export the PEM information into the bottom of this new file.

openssl x509 -inform PEM -text -in cacert.pem -out /dev/null >> 9a5ba575.0

These steps were stolen from here; however, to add value I made a one liner command.

openssl x509 -inform der -in cacert.der -out cacert.pem; cat cacert.pem >> $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1).0;openssl x509 -inform PEM -text -in cacert.pem -out /dev/null >> ????????.0

Now that we have the CA certificate in a format that will be recognized by Android System. You just need to push the certificate with adb.

Obtain the IP address of the virtual machine. I just flip to tty1 ALT+F1 and run ifconfig.

Once you have the IP Address. Start adb as root.

adb root

Next, connect to the virtual machine.

adb connect <ip address>

Then push the certificate. Replacing the certificate name with yours.

adb push 9a5ba575.0 /system/etc/security/cacerts/

Last thing to do is set the correct permissions. First open a adb shell.

adb shell

Then run:

chmod 644 /system/etc/security/cacerts/9a5ba575.0

Reboot and your certificate will now be trusted.

Unfortunately, this isn't the end of the story. You now need to get the traffic from the virtual machine to Burp Suite. Because there isn't a wifi controller in the VM, the standard tools like ProxyDroid, or the system wifi proxy won't work. You will need to use iptables.

Open adb shell as root and run the following: (Replacing the BURP_HOST and BURP_PORT with the correct information for your configuration)

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination BURP_HOST:BURP_PORT
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination BURP_HOST:BURP_PORT

In Burp suite under Proxy -> Options -> Proxy Listeners. Edit your Proxy Listener. Under the Binding tab, set 'Bind to address:' to either 'All interfaces' or 'Specific address'. So that the proxy listener can accept connections from the Android VM.

Next, under the Request handling tab, select 'Support invisible proxying'

That is it, you should now be able to successfully man in the middle your android device. I test this by opening up Google Play and download an Application.

Bonus

If you need to delete your iptables you can either reboot or run the following.

First get the line number of the rule you want to delete.

iptables -t nat -nvL --line-numbers

Once you have the line number delete it with:

iptables -t nate -D OUTPUT #

To download an APK from Google Play to your workstation I use gplaycli what can be found here. Best tool i've found for this. You don't need to give your gmail creds or device ID.

To decompile the APK to source I use this online tool which uses Jadx. It's easy and the APK's are already public so it's not like you are uploading sensitive data.