diff --git a/src/SUMMARY.md b/src/SUMMARY.md index a8361fb1f0b..93b6e3273ec 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -25,6 +25,7 @@ - [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) - [Spoofing SSDP and UPnP Devices with EvilSSDP](generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md) - [Pentesting Wifi](generic-methodologies-and-resources/pentesting-wifi/README.md) + - [Enable Nexmon Monitor And Injection On Android](generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md) - [Evil Twin EAP-TLS](generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md) - [Phishing Methodology](generic-methodologies-and-resources/phishing-methodology/README.md) - [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md) diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/README.md b/src/generic-methodologies-and-resources/pentesting-wifi/README.md index 058c31a91a4..1f7a9b1660f 100644 --- a/src/generic-methodologies-and-resources/pentesting-wifi/README.md +++ b/src/generic-methodologies-and-resources/pentesting-wifi/README.md @@ -21,6 +21,12 @@ iwlist wlan0 scan #Scan available wifis ## Tools +### Hijacker & NexMon (Android internal Wi-Fi) + +{{#ref}} +enable-nexmon-monitor-and-injection-on-android.md +{{#endref}} + ### EAPHammer ``` diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md new file mode 100644 index 00000000000..2ee072b1270 --- /dev/null +++ b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md @@ -0,0 +1,133 @@ +# Enable NexMon Monitor Mode & Packet Injection on Android (Broadcom chips) + +{{#include ../../banners/hacktricks-training.md}} + +## Overview +Most modern Android phones embed a Broadcom/Cypress Wi-Fi chipset that ships without 802.11 monitor mode or frame-injection capabilities. The open-source NexMon framework patches the proprietary firmware to add those features and exposes them through a shared library (`libnexmon.so`) and a CLI helper (`nexutil`). By pre-loading that library into the stock Wi-Fi driver, a rooted device can capture raw 802.11 traffic and inject arbitrary frames – eliminating the need for an external USB adapter. + +This page documents a fast workflow that takes a fully-patched Samsung Galaxy S10 (BCM4375B1) as an example, using: + +* NexMon Magisk module containing the patched firmware + `libnexmon.so` +* Hijacker Android application to automate monitor-mode toggling +* Optional Kali NetHunter chroot to run classic wireless tools (aircrack-ng, wifite, mdk4 …) directly against the internal interface + +The same technique applies to any handset that has a publicly available NexMon patch (Pixel 1, Nexus 6P, Galaxy S7/S8, etc.). + +--- + +## Prerequisites +* Android handset with a supported Broadcom/Cypress chipset (e.g. BCM4358/59/43596/4375B1) +* Root with Magisk ≥ 24 +* BusyBox (most ROMs/NetHunter already include it) +* NexMon Magisk ZIP or self-compiled patch providing: + * `/system/lib*/libnexmon.so` + * `/system/xbin/nexutil` +* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker +* (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools + +--- + +## Flashing the NexMon patch (Magisk) +1. Download the ZIP for your exact device/firmware (example: `nexmon-s10.zip`). +2. Open Magisk -> Modules -> Install from storage -> select the ZIP and reboot. + The module copies `libnexmon.so` into `/data/adb/modules//lib*/` and ensures SELinux labels are correct. +3. Verify installation: + ```bash + ls -lZ $(find / -name libnexmon.so 2>/dev/null) + sha1sum $(which nexutil) + ``` + +--- + +## Configuring Hijacker +Hijacker can toggle monitor mode automatically before running `airodump`, `wifite`, etc. In **Settings -> Advanced** add the following entries (edit the library path if your module differs): + +``` +Prefix: +LD_PRELOAD=/data/user/0/com.hijacker/files/lib/libnexmon.so + +Enable monitor mode: +svc wifi disable; ifconfig wlan0 up; nexutil -s0x613 -i -v2 + +Disable monitor mode: +nexutil -m0; svc wifi enable +``` + +Enable “Start monitor mode on airodump start” so every Hijacker scan happens in native monitor mode (`wlan0` instead of `wlan0mon`). + +If Hijacker shows errors at launch, create the required directory on shared storage and reopen the app: +```bash +mkdir -p /storage/emulated/0/Hijacker +``` + +### What do those `nexutil` flags mean? +* **`-s0x613`** Write firmware variable 0x613 (FCAP_FRAME_INJECTION) → `1` (enable TX of arbitrary frames). +* **`-i`** Put interface in monitor mode (radiotap header will be prepended). +* **`-v2`** Set verbose level; `2` prints confirmation and firmware version. +* **`-m0`** Restore managed mode (used in the *disable* command). + +After running *Enable monitor mode* you should see the interface in monitor state and be able to capture raw frames with: +```bash +airodump-ng --band abg wlan0 +``` + +--- + +## Manual one-liner (without Hijacker) +```bash +# Enable monitor + injection +svc wifi disable && ifconfig wlan0 up && nexutil -s0x613 -i -v2 + +# Disable and return to normal Wi-Fi +nexutil -m0 && svc wifi enable +``` + +If you only need passive sniffing, omit the `-s0x613` flag. + +--- + +## Using `libnexmon` inside Kali NetHunter / chroot +Stock user-space tools in Kali do not know about NexMon, but you can force them to use it via `LD_PRELOAD`: + +1. Copy the pre-built shared object into the chroot: + ```bash + cp /sdcard/Download/kalilibnexmon.so /lib/ + ``` +2. Enable monitor mode from the **Android host** (command above or through Hijacker). +3. Launch any wireless tool inside Kali with the preload: + ```bash + sudo su + export LD_PRELOAD=/lib/kalilibnexmon.so + wifite -i wlan0 # or aircrack-ng, mdk4 … + ``` +4. When finished, disable monitor mode as usual on Android. + +Because the firmware already handles radiotap injection, user-space tools behave just like on an external Atheros adapter. + +--- + +## Typical Attacks Possible +Once monitor + TX is active you can: +* Capture WPA(2/3-SAE) handshakes or PMKID with `wifite`, `hcxdumptool`, `airodump-ng`. +* Inject deauthentication / disassociation frames to force clients to reconnect. +* Craft arbitrary management/data frames with `mdk4`, `aireplay-ng`, Scapy, etc. +* Build rogue APs or perform KARMA/MANA attacks directly from the phone. + +Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-3 M pps RX). + +--- + +## Troubleshooting +* `Device or resource busy` – make sure **Android Wi-Fi service is disabled** (`svc wifi disable`) before enabling monitor mode. +* `nexutil: ioctl(PRIV_MAGIC) failed` – the library is not pre-loaded; double-check `LD_PRELOAD` path. +* Frame injection works but no packets captured – some ROMs hard-block channels; try `nexutil -c ` or `iwconfig wlan0 channel `. +* SELinux blocking library – set device to *Permissive* or fix module context: `chcon u:object_r:system_lib_file:s0 libnexmon.so`. + +--- + +## References +* [Hijacker on the Samsung Galaxy S10 with wireless injection](https://forums.kali.org/t/hijacker-on-the-samsung-galaxy-s10-with-wireless-injection/10305) +* [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon) +* [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file