From d7ea021f770050611cbed1e68444916bf4543505 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 11 Jul 2025 12:41:44 +0000 Subject: [PATCH] Add content from: Hijacker on the Samsung Galaxy S10 with wireless injection --- src/SUMMARY.md | 1 + .../pentesting-wifi/README.md | 6 + ...nexmon-monitor-and-injection-on-android.md | 133 ++++++++++++++++++ .../reversing-native-libraries.md | 8 +- .../ios-pentesting-without-jailbreak.md | 2 +- .../sql-injection/ms-access-sql-injection.md | 4 +- 6 files changed, 147 insertions(+), 7 deletions(-) create mode 100644 src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index a8361fb1f0b..93b6e3273ec 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -25,6 +25,7 @@ - [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) - [Spoofing SSDP and UPnP Devices with EvilSSDP](generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md) - [Pentesting Wifi](generic-methodologies-and-resources/pentesting-wifi/README.md) + - [Enable Nexmon Monitor And Injection On Android](generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md) - [Evil Twin EAP-TLS](generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md) - [Phishing Methodology](generic-methodologies-and-resources/phishing-methodology/README.md) - [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md) diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/README.md b/src/generic-methodologies-and-resources/pentesting-wifi/README.md index 058c31a91a4..1f7a9b1660f 100644 --- a/src/generic-methodologies-and-resources/pentesting-wifi/README.md +++ b/src/generic-methodologies-and-resources/pentesting-wifi/README.md @@ -21,6 +21,12 @@ iwlist wlan0 scan #Scan available wifis ## Tools +### Hijacker & NexMon (Android internal Wi-Fi) + +{{#ref}} +enable-nexmon-monitor-and-injection-on-android.md +{{#endref}} + ### EAPHammer ``` diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md new file mode 100644 index 00000000000..2ee072b1270 --- /dev/null +++ b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md @@ -0,0 +1,133 @@ +# Enable NexMon Monitor Mode & Packet Injection on Android (Broadcom chips) + +{{#include ../../banners/hacktricks-training.md}} + +## Overview +Most modern Android phones embed a Broadcom/Cypress Wi-Fi chipset that ships without 802.11 monitor mode or frame-injection capabilities. The open-source NexMon framework patches the proprietary firmware to add those features and exposes them through a shared library (`libnexmon.so`) and a CLI helper (`nexutil`). By pre-loading that library into the stock Wi-Fi driver, a rooted device can capture raw 802.11 traffic and inject arbitrary frames – eliminating the need for an external USB adapter. + +This page documents a fast workflow that takes a fully-patched Samsung Galaxy S10 (BCM4375B1) as an example, using: + +* NexMon Magisk module containing the patched firmware + `libnexmon.so` +* Hijacker Android application to automate monitor-mode toggling +* Optional Kali NetHunter chroot to run classic wireless tools (aircrack-ng, wifite, mdk4 …) directly against the internal interface + +The same technique applies to any handset that has a publicly available NexMon patch (Pixel 1, Nexus 6P, Galaxy S7/S8, etc.). + +--- + +## Prerequisites +* Android handset with a supported Broadcom/Cypress chipset (e.g. BCM4358/59/43596/4375B1) +* Root with Magisk ≥ 24 +* BusyBox (most ROMs/NetHunter already include it) +* NexMon Magisk ZIP or self-compiled patch providing: + * `/system/lib*/libnexmon.so` + * `/system/xbin/nexutil` +* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker +* (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools + +--- + +## Flashing the NexMon patch (Magisk) +1. Download the ZIP for your exact device/firmware (example: `nexmon-s10.zip`). +2. Open Magisk -> Modules -> Install from storage -> select the ZIP and reboot. + The module copies `libnexmon.so` into `/data/adb/modules//lib*/` and ensures SELinux labels are correct. +3. Verify installation: + ```bash + ls -lZ $(find / -name libnexmon.so 2>/dev/null) + sha1sum $(which nexutil) + ``` + +--- + +## Configuring Hijacker +Hijacker can toggle monitor mode automatically before running `airodump`, `wifite`, etc. In **Settings -> Advanced** add the following entries (edit the library path if your module differs): + +``` +Prefix: +LD_PRELOAD=/data/user/0/com.hijacker/files/lib/libnexmon.so + +Enable monitor mode: +svc wifi disable; ifconfig wlan0 up; nexutil -s0x613 -i -v2 + +Disable monitor mode: +nexutil -m0; svc wifi enable +``` + +Enable “Start monitor mode on airodump start” so every Hijacker scan happens in native monitor mode (`wlan0` instead of `wlan0mon`). + +If Hijacker shows errors at launch, create the required directory on shared storage and reopen the app: +```bash +mkdir -p /storage/emulated/0/Hijacker +``` + +### What do those `nexutil` flags mean? +* **`-s0x613`** Write firmware variable 0x613 (FCAP_FRAME_INJECTION) → `1` (enable TX of arbitrary frames). +* **`-i`** Put interface in monitor mode (radiotap header will be prepended). +* **`-v2`** Set verbose level; `2` prints confirmation and firmware version. +* **`-m0`** Restore managed mode (used in the *disable* command). + +After running *Enable monitor mode* you should see the interface in monitor state and be able to capture raw frames with: +```bash +airodump-ng --band abg wlan0 +``` + +--- + +## Manual one-liner (without Hijacker) +```bash +# Enable monitor + injection +svc wifi disable && ifconfig wlan0 up && nexutil -s0x613 -i -v2 + +# Disable and return to normal Wi-Fi +nexutil -m0 && svc wifi enable +``` + +If you only need passive sniffing, omit the `-s0x613` flag. + +--- + +## Using `libnexmon` inside Kali NetHunter / chroot +Stock user-space tools in Kali do not know about NexMon, but you can force them to use it via `LD_PRELOAD`: + +1. Copy the pre-built shared object into the chroot: + ```bash + cp /sdcard/Download/kalilibnexmon.so /lib/ + ``` +2. Enable monitor mode from the **Android host** (command above or through Hijacker). +3. Launch any wireless tool inside Kali with the preload: + ```bash + sudo su + export LD_PRELOAD=/lib/kalilibnexmon.so + wifite -i wlan0 # or aircrack-ng, mdk4 … + ``` +4. When finished, disable monitor mode as usual on Android. + +Because the firmware already handles radiotap injection, user-space tools behave just like on an external Atheros adapter. + +--- + +## Typical Attacks Possible +Once monitor + TX is active you can: +* Capture WPA(2/3-SAE) handshakes or PMKID with `wifite`, `hcxdumptool`, `airodump-ng`. +* Inject deauthentication / disassociation frames to force clients to reconnect. +* Craft arbitrary management/data frames with `mdk4`, `aireplay-ng`, Scapy, etc. +* Build rogue APs or perform KARMA/MANA attacks directly from the phone. + +Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-3 M pps RX). + +--- + +## Troubleshooting +* `Device or resource busy` – make sure **Android Wi-Fi service is disabled** (`svc wifi disable`) before enabling monitor mode. +* `nexutil: ioctl(PRIV_MAGIC) failed` – the library is not pre-loaded; double-check `LD_PRELOAD` path. +* Frame injection works but no packets captured – some ROMs hard-block channels; try `nexutil -c ` or `iwconfig wlan0 channel `. +* SELinux blocking library – set device to *Permissive* or fix module context: `chcon u:object_r:system_lib_file:s0 libnexmon.so`. + +--- + +## References +* [Hijacker on the Samsung Galaxy S10 with wireless injection](https://forums.kali.org/t/hijacker-on-the-samsung-galaxy-s10-with-wireless-injection/10305) +* [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon) +* [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md index 03213da5080..ea060841d8a 100644 --- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md +++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md @@ -61,7 +61,7 @@ Java.perform(function () { }); }); ``` -Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks. citeturn5search2turn5search0 +Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks. --- @@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) | Year | CVE | Affected library | Notes | |------|-----|------------------|-------| -|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0| +|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| | |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.| When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant. @@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their ### References -- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/) citeturn5search0 -- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0 +- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/) +- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md index 004d7bf0e0e..791da2761f0 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md +++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md @@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth ### Automated dynamic analysis with MobSF (no jailbreak) -[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: +[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: ```bash docker pull opensecurity/mobile-security-framework-mobsf:latest diff --git a/src/pentesting-web/sql-injection/ms-access-sql-injection.md b/src/pentesting-web/sql-injection/ms-access-sql-injection.md index 913a7a03f98..5b9778a7ad4 100644 --- a/src/pentesting-web/sql-injection/ms-access-sql-injection.md +++ b/src/pentesting-web/sql-injection/ms-access-sql-injection.md @@ -141,7 +141,7 @@ Point the UNC path to: * a host that drops the TCP handshake after `SYN-ACK` * a firewall sinkhole -The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0 +The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. ### Other Interesting functions @@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps): * Block outbound SMB/WebDAV at the network boundary. * Sanitize / parameterise any part of a query that may end up inside an `IN` clause. -The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0 +The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. ### .mdb Password Cracker