Add content from: Hijacker on the Samsung Galaxy S10 with wireless injection

Author: HackTricks News Bot

src/SUMMARY.md

@@ -25,6 +25,7 @@
   - [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
   - [Spoofing SSDP and UPnP Devices with EvilSSDP](generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)
 - [Pentesting Wifi](generic-methodologies-and-resources/pentesting-wifi/README.md)
+  - [Enable Nexmon Monitor And Injection On Android](generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md)
   - [Evil Twin EAP-TLS](generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md)
 - [Phishing Methodology](generic-methodologies-and-resources/phishing-methodology/README.md)
   - [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md)

src/generic-methodologies-and-resources/pentesting-wifi/README.md

@@ -21,6 +21,12 @@ iwlist wlan0 scan #Scan available wifis
 
 ## Tools
 
+### Hijacker & NexMon (Android internal Wi-Fi)
+
+{{#ref}}
+enable-nexmon-monitor-and-injection-on-android.md
+{{#endref}}
+
 ### EAPHammer
 
 ```

src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md

@@ -0,0 +1,133 @@
+# Enable NexMon Monitor Mode & Packet Injection on Android (Broadcom chips)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+Most modern Android phones embed a Broadcom/Cypress Wi-Fi chipset that ships without 802.11 monitor mode or frame-injection capabilities.  The open-source NexMon framework patches the proprietary firmware to add those features and exposes them through a shared library (`libnexmon.so`) and a CLI helper (`nexutil`).  By pre-loading that library into the stock Wi-Fi driver, a rooted device can capture raw 802.11 traffic and inject arbitrary frames – eliminating the need for an external USB adapter.
+
+This page documents a fast workflow that takes a fully-patched Samsung Galaxy S10 (BCM4375B1) as an example, using:
+
+* NexMon Magisk module containing the patched firmware + `libnexmon.so`
+* Hijacker Android application to automate monitor-mode toggling
+* Optional Kali NetHunter chroot to run classic wireless tools (aircrack-ng, wifite, mdk4 …) directly against the internal interface
+
+The same technique applies to any handset that has a publicly available NexMon patch (Pixel 1, Nexus 6P, Galaxy S7/S8, etc.).
+
+---
+
+## Prerequisites
+* Android handset with a supported Broadcom/Cypress chipset (e.g. BCM4358/59/43596/4375B1)
+* Root with Magisk ≥ 24
+* BusyBox (most ROMs/NetHunter already include it)
+* NexMon Magisk ZIP or self-compiled patch providing:
+  * `/system/lib*/libnexmon.so`
+  * `/system/xbin/nexutil`
+* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker
+* (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools
+
+---
+
+## Flashing the NexMon patch (Magisk)
+1. Download the ZIP for your exact device/firmware (example: `nexmon-s10.zip`).
+2. Open Magisk -> Modules -> Install from storage -> select the ZIP and reboot.
+   The module copies `libnexmon.so` into `/data/adb/modules/<module>/lib*/` and ensures SELinux labels are correct.
+3. Verify installation:
+   ```bash
+   ls -lZ $(find / -name libnexmon.so 2>/dev/null)
+   sha1sum $(which nexutil)
+   ```
+
+---
+
+## Configuring Hijacker
+Hijacker can toggle monitor mode automatically before running `airodump`, `wifite`, etc.  In **Settings -> Advanced** add the following entries (edit the library path if your module differs):
+
+```
+Prefix:
+LD_PRELOAD=/data/user/0/com.hijacker/files/lib/libnexmon.so
+
+Enable monitor mode:
+svc wifi disable; ifconfig wlan0 up; nexutil -s0x613 -i -v2
+
+Disable monitor mode:
+nexutil -m0; svc wifi enable
+```
+
+Enable “Start monitor mode on airodump start” so every Hijacker scan happens in native monitor mode (`wlan0` instead of `wlan0mon`).
+
+If Hijacker shows errors at launch, create the required directory on shared storage and reopen the app:
+```bash
+mkdir -p /storage/emulated/0/Hijacker
+```
+
+### What do those `nexutil` flags mean?
+* **`-s0x613`**   Write firmware variable 0x613 (FCAP_FRAME_INJECTION) → `1` (enable TX of arbitrary frames).
+* **`-i`**         Put interface in monitor mode (radiotap header will be prepended).
+* **`-v2`**        Set verbose level; `2` prints confirmation and firmware version.
+* **`-m0`**        Restore managed mode (used in the *disable* command).
+
+After running *Enable monitor mode* you should see the interface in monitor state and be able to capture raw frames with:
+```bash
+airodump-ng --band abg wlan0
+```
+
+---
+
+## Manual one-liner (without Hijacker)
+```bash
+# Enable monitor + injection
+svc wifi disable && ifconfig wlan0 up && nexutil -s0x613 -i -v2
+
+# Disable and return to normal Wi-Fi
+nexutil -m0 && svc wifi enable
+```
+
+If you only need passive sniffing, omit the `-s0x613` flag.
+
+---
+
+## Using `libnexmon` inside Kali NetHunter / chroot
+Stock user-space tools in Kali do not know about NexMon, but you can force them to use it via `LD_PRELOAD`:
+
+1. Copy the pre-built shared object into the chroot:
+   ```bash
+   cp /sdcard/Download/kalilibnexmon.so <chroot>/lib/
+   ```
+2. Enable monitor mode from the **Android host** (command above or through Hijacker).
+3. Launch any wireless tool inside Kali with the preload:
+   ```bash
+   sudo su
+   export LD_PRELOAD=/lib/kalilibnexmon.so
+   wifite -i wlan0        # or aircrack-ng, mdk4 …
+   ```
+4. When finished, disable monitor mode as usual on Android.
+
+Because the firmware already handles radiotap injection, user-space tools behave just like on an external Atheros adapter.
+
+---
+
+## Typical Attacks Possible
+Once monitor + TX is active you can:
+* Capture WPA(2/3-SAE) handshakes or PMKID with `wifite`, `hcxdumptool`, `airodump-ng`.
+* Inject deauthentication / disassociation frames to force clients to reconnect.
+* Craft arbitrary management/data frames with `mdk4`, `aireplay-ng`, Scapy, etc.
+* Build rogue APs or perform KARMA/MANA attacks directly from the phone.
+
+Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-3 M pps RX).
+
+---
+
+## Troubleshooting
+* `Device or resource busy` – make sure **Android Wi-Fi service is disabled** (`svc wifi disable`) before enabling monitor mode.
+* `nexutil: ioctl(PRIV_MAGIC) failed` – the library is not pre-loaded; double-check `LD_PRELOAD` path.
+* Frame injection works but no packets captured – some ROMs hard-block channels; try `nexutil -c <channel>` or `iwconfig wlan0 channel <n>`.
+* SELinux blocking library – set device to *Permissive* or fix module context: `chcon u:object_r:system_lib_file:s0 libnexmon.so`.
+
+---
+
+## References
+* [Hijacker on the Samsung Galaxy S10 with wireless injection](https://forums.kali.org/t/hijacker-on-the-samsung-galaxy-s10-with-wireless-injection/10305)
+* [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon)
+* [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker)
+
+{{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md

@@ -61,15 +61,15 @@ Java.perform(function () {
   });
 });
 ```
-Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  citeturn5search2turn5search0
+Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  
 
 ---
 
 ### Recent vulnerabilities worth hunting for in APKs
 
 | Year | CVE | Affected library | Notes |
 |------|-----|------------------|-------|
-|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0|
+|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
 |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|
 
 When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
@@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
 
 ### References
 
-- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  citeturn5search0
-- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0
+- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  
+- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) 
 
 {{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md

@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
 
 ### Automated dynamic analysis with MobSF (no jailbreak)
 
-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
 
 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest

src/pentesting-web/sql-injection/ms-access-sql-injection.md

@@ -141,7 +141,7 @@ Point the UNC path to:
 * a host that drops the TCP handshake after `SYN-ACK`
 * a firewall sinkhole
 
-The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0
+The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. 
 
 ### Other Interesting functions
 
@@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps):
 * Block outbound SMB/WebDAV at the network boundary.
 * Sanitize / parameterise any part of a query that may end up inside an `IN` clause.
 
-The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0
+The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. 
 
 ### .mdb Password Cracker