April 24, 2013

Android for Penetration Testers - PwnPad Goodness

Written by David Kennedy
Filed under: Penetration Testing, Security Testing & Analysis
The folks at Pwnie Express released the PwnPad earlier this year. It consists of a custom Android kernel plus a chrooted custom Ubuntu distribution, and that Linux distribution carries a number of common penetration testing tools, including our personal favorite, the Social-Engineer Toolkit. It also includes Metasploit, SMBExec, Aircrack-ng, Easy-Creds, and a number of other tools that are standard kit for penetration testers everywhere.
We recently needed the PwnPad for a physical penetration test we were performing. We had broken into the facility after climbing some perimeter fences and lockpicking our way inside the building without being caught. We found an open cube and placed the PwnPad on the table with a network cable attached to it. The PwnPad and other mobile devices are awesome because we are able to use the GSM capabilities to connect out and bridge through a reverse SSH tunnel, circumventing the target's firewalls, since the traffic never crosses their perimeter. The plus: we can perform our own internal penetration tests from anywhere in the world.

To get to this point it took a little work to get it configured just the way we wanted. One major hurdle with any Android pentesting platform is the special cable called OTG, or "On the Go". This cable switches the tablet's USB port into host mode so you can plug in USB peripherals such as a wireless or Ethernet adapter. The major downfall of OTG on the Nexus 7 (and on most tablets that rely on it) is that, with the stock kernel, it does NOT support data and charging at the same time: the port is either a host port for your peripheral or a charging port, never both. What this means is that you cannot charge the PwnPad while using, for example, a USB Ethernet adapter. If you are doing an extended pentest and the battery, which lasts around 6 to 8 hours, won't cut it, this is a major problem. A powered USB hub does not help either: it will power all the peripherals you plug into it (so you can attach several devices), but it still does not charge the tablet.

Fortunately there are a few workarounds. After extensive research there appear to be only two methods right now to accomplish charging and USB devices at the same time.

The first method, which is probably the easiest, is buying the Nexus 7 docking station. It uses what are called pogo pins, which charge the device without taking up the USB port. You plug in the dock, place the PwnPad in the dock and use that for charging while the OTG cable carries your peripheral. The photos that accompanied this post showed a wireless adapter capturing packets in airodump-ng while the PwnPad charged in the dock.
Note: you can purchase the dock for $35 at Amazon here: Amazon Nexus 7 Dock
The second technique requires some modifications and kernel patching. The PwnPad comes with stock Android 4.2.1 and you can stay on this. I moved to the CyanogenMod 10.1 (Android 4.2.2) nightlies for the Nexus 7; it's whatever you prefer. If you decide to move to CyanogenMod (NOT REQUIRED), or you are using something other than the Nexus 7, there are a few things you will need to back up on your device before cutting over.

First, use ClockworkMod Recovery (CWR) or TWRP to make a full backup of your current image, so you can get back to a working PwnPad if anything below goes wrong. Then grab an adb shell on the tablet:

Step 1. Turn on USB debugging mode on your PwnPad (be sure to turn it off when you are finished: on a rooted device, an open adb port is a root shell for anyone who can reach the USB port).
Step 2. Download the Android Development Tools from here: Download Android Development Tools Here
Step 3. Extract the archive and navigate to sdk/platform-tools inside it.
Step 4. Run ./adb shell and su to root.

Back up the following to /sdcard on your PwnPad:
Under /system/bin: bootubuntu (the script that starts the Ubuntu chroot)
Under /data/app: tarball all of the APKs
Under /data/local: tarball the ubuntu folder (the chroot itself)

Next, download CyanogenMod, copy it to /sdcard, and reboot into recovery, either CWR or TWRP (I prefer CWR).
Once CyanogenMod is installed, wipe data and cache and go through the normal Android setup steps. Move all of the backed-up files back to their original locations and reboot; all of your apps and the chroot will be there. Note that at this point we have lost packet injection, because the stock PwnPad kernel carries custom patches that the CyanogenMod kernel does not.

Now onto getting power with a modified OTG cable. First, you will need to purchase or modify your OTG cable to make an OTG Y cable, which adds a second USB plug used only for power. Pictures listed here: OTG Y Cable. I ended up just purchasing one from Amazon; it appears to be the right one, however I won't know until Thursday: Purchase the OTG Y Cable from Amazon
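The backup and restore steps of the CyanogenMod procedure above, as a helper script written for this article (it is not Pwnie Express tooling). It runs on the host with the tablet connected over adb. The paths are the ones listed above; the staging directory /sdcard/pwnpad-backup, a working `su -c` on the tablet and a `tar` binary on the Android side (busybox) are assumptions.

```shell
#!/bin/sh
# Back up the PwnPad-specific pieces before flashing a new ROM, and put them back afterwards.
# Helper written for this article, not Pwnie Express tooling. Run on the host with adb in PATH.
# Assumptions: the tablet is rooted (su -c works), tar exists on the Android side, and
# /sdcard/pwnpad-backup is an acceptable staging area. Paths are the ones the article lists.
set -eu

ADB=${ADB:-adb}                        # set ADB=echo to preview the commands without a tablet
DEST=${DEST:-/sdcard/pwnpad-backup}    # staging area on the tablet

# Run one command as root on the tablet. The whole command is passed as a single
# quoted string so adb shell hands it to su intact instead of splitting it on spaces.
as_root() {
    "$ADB" shell "su -c '$*'"
}

# Copy the chroot launcher, every installed APK and the Ubuntu chroot to the staging area.
backup_pwnpad() {
    as_root "mkdir -p $DEST"
    as_root "cp /system/bin/bootubuntu $DEST/bootubuntu"
    as_root "tar -cf $DEST/apps.tar -C /data/app ."
    as_root "tar -cf $DEST/ubuntu.tar -C /data/local ubuntu"
    as_root "ls -l $DEST"
}

# Pull the staging area to the host too, in case the ROM flash wipes /sdcard.
pull_backup() {
    "$ADB" pull "$DEST" "${1:-./pwnpad-backup}"
}

# After the new ROM is set up: put everything back where the PwnPad expects it.
# /system is read-only by default, so remount it only for the one file that lives there.
restore_pwnpad() {
    as_root "mount -o remount,rw /system"
    as_root "cp $DEST/bootubuntu /system/bin/bootubuntu"
    as_root "chmod 755 /system/bin/bootubuntu"
    as_root "mount -o remount,ro /system"
    as_root "tar -xf $DEST/apps.tar -C /data/app"
    as_root "tar -xf $DEST/ubuntu.tar -C /data/local"
}

case "${1:-}" in
    backup)  backup_pwnpad ;;
    pull)    pull_backup "${2:-./pwnpad-backup}" ;;
    restore) restore_pwnpad ;;
    *)       echo "usage: $0 backup | pull [hostdir] | restore" >&2 ;;
esac
```

Run `backup` and then `pull` before rebooting into recovery, and `restore` once the new ROM has booted and you have re-enabled USB debugging; running with `ADB=echo` first shows exactly what will be executed on the tablet.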
Next, once you have the OTG Y cable, you have to flash Timur's kernel to get data and power working at the same time. Essentially what happens is that the OTG cable provides data as normal, while the second USB cable that spurs off it plugs into either a wall charger or a powered USB hub, which allows charging and data together. Note that when you flash Timur's kernel you will lose packet injection capabilities. Head to the Timur kernel webpage and download the update file here. Once downloaded, move the zip file to your SDCARD and reboot into CWR or TWRP. Install the update from zip and reboot. You should now have functioning data + charge capability.

Note that in order to get packet injection working again, you will need the drivers for your specific wireless chipset (ath9k etc.) built for the new kernel. We will be publishing a tutorial on this at a later date once we've done all of the testing.

Note that I support the Pwnie Express folks and love what they've done; these same steps can be performed on pretty much any Android device and don't need a Nexus 7. I do recommend the PwnPad, as the custom distribution and applications they've made are just awesome, and kudos to them. The ideal situation would be a separate charging connector on the Android device, independent of the USB port. Most of the new popular tablets unfortunately do not have this and rely on OTG. Note that charging through an OTG Y cable is specific to the Nexus 7; if you have the Nexus 10 they actually make a pogo cable that plugs into the wall, which is perfect (there is none for the Nexus 7 other than the dock). Have fun on that next pentest!
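Once the Y cable is plugged in and Timur's kernel is running, here is a quick check, written for this article and not part of the PwnPad or of Timur's kernel, that the tablet really is charging while a USB peripheral is attached through the OTG port. It reads the kernel's power-supply and USB entries in sysfs from an adb shell or from inside the chroot. The battery being exposed as /sys/class/power_supply/battery is an assumption; if `ls /sys/class/power_supply` shows a different name on your device, adjust the path.

```shell
#!/bin/sh
# Confirm the charge-plus-data setup is really working: the battery must be charging
# while at least one USB peripheral is enumerated through the OTG port.
# Check written for this article; not part of the PwnPad or of Timur's kernel.
# Run it on the tablet (adb shell sh /sdcard/otgcheck.sh, or inside the Ubuntu chroot).
# Assumption: the battery is exposed as /sys/class/power_supply/battery; if
# ls /sys/class/power_supply shows another name on your device, change it below.
SYS=${SYS:-/sys}    # sysfs root; overridable so the check can be rehearsed against a fake tree

# Kernel-reported battery state: Charging, Discharging, Not charging, Full or Unknown.
battery_status() {
    cat "$SYS/class/power_supply/battery/status" 2>/dev/null || echo Unknown
}

# Number of real USB devices on the bus. Root hubs (usb1, usb2, ...) and interface
# nodes (1-1:1.0) are skipped; anything left that carries an idVendor is a peripheral.
otg_device_count() {
    n=0
    for d in "$SYS"/bus/usb/devices/*; do
        case "$(basename "$d")" in
            usb*|*:*) ;;
            *) [ -f "$d/idVendor" ] && n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Exit status 0 only when we are charging (or already full) with a peripheral attached,
# which is exactly the combination the stock kernel cannot deliver through OTG.
check_charge_and_data() {
    status=$(battery_status)
    devices=$(otg_device_count)
    echo "battery: $status, usb peripherals on the OTG port: $devices"
    case "$status" in
        Charging|Full) ;;
        *) return 1 ;;
    esac
    [ "$devices" -gt 0 ]
}

check_charge_and_data
```

Run it with the Ethernet or wireless adapter attached and the power leg of the Y cable connected; a status of Discharging with one or more peripherals listed means the kernel is still in the stock host-only mode, and zero peripherals with Charging means the port has fallen back to a plain charging port.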