PwnPhone - Hacking using Mobile
The PwnPhone is a phone that security professionals can approve of: it is not really meant to be used as a phone, but as a mobile hacking device.
This quick article covers how you can pwn with a phone.
Don't believe me? The phone is built on top of Google/LG's Nexus 5 (codenamed hammerhead), and because it's so old now you can pick one up, even the top model, for under £50.
It's no secret that you can run Kali on a mobile device (NetHunter, LinuxDeploy, even Termux has a variation), and you might be thinking: yeah, cool, but is the hardware supported, and can I really do much hacking on a tiny mobile device?
Well, the hardware is definitely supported: NetHunter automates much of the installation of the various toolkits via its Kali chroot manager, and you can always attach an external keyboard.
I'm not even a major fan of the Kali desktop distros (more of an Arch guy), but NetHunter on mobile is sweet. In my testing I've kicked devices off my own Wi-Fi networks using the aireplay-ng GUI, done a little Bluetooth hacking here and there, and turned the phone into a rubber ducky to run various HID attacks (including PowerSploit and other scripting interpreters).
There's support for the Social-Engineer Toolkit (SET) with predefined templates in a GUI, reverse shells, a Metasploit payload generator, Nmap, WPS attacks, a WiFi Pineapple connector, a full MITM framework (wireless and wired), and vulnerability scanning with zANTI, and all of it is quick to use thanks to pretty decent GUIs.
The entire cSploit project is alive and kicking on hammerhead devices as well, the device's wireless chipset supports monitor mode thanks to Nexmon, you can even store a live ISO on the phone and boot your main host from it, or clone RFID/NFC cards for building access.
So, to any gurus thinking "cool, I might grab one for some basic attacks": remember that all of this is backed by a working Kali chroot that you can drive directly from the NetHunter terminal, so if you get a USB OTG cable and hook up an external adapter for any other kind of attack, that will work too.
What interests me most is that you could take this onto a pentest and remain unnoticed. You're not going to pull out a Kali laptop in the middle of a bustling office, but someone on their phone is much less worrying. What if you just need to plug your phone in to charge? You can launch pretty much any rubber ducky attack from the dialer with a *# shortcut, with the ducky payload hidden, maybe even some MITM. You can write these payloads on the go without plugging a rubber ducky into a computer to write a custom one, and the phone is about half the price of a genuine rubber ducky, yet it does much more and is many times more convenient.
Be aware that to run HID attacks, and some other attacks the stock kernel doesn't support, you'll need to install a NetHunter kernel, which looks a bit like an ElementalX kernel with some tweaks; it adds the kernel-level support these attacks need. These phones obviously weren't shipped with any of this in mind. (I can add download links; I built one the other day.)
Mind you, all of this requires root, but this phone is very easy to root even if you're new to it. Unlock the bootloader (which wipes the device) and flash a custom recovery (usually TWRP, Team Win Recovery Project) over adb/fastboot; once that's in place, you flash Magisk and the custom NetHunter kernel as zips from TWRP's Install menu.
Make sure to back up the boot (kernel) and system partitions before carrying out these flashes, while the system is in a stable state. You can do this from TWRP, and the backup is basically an image you can restore when you inevitably soft-brick the device at some point. Bricking is a coin toss: you can follow the install instructions to the letter and the developer may still have labelled the wrong zip, and you're bricked, but that's easy to rewind when you've got a backup (and for a Nexus, Google's factory images are a further fallback).
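One check that would catch the "developer labelled the wrong zip" case before it bricks anything: verify the zip's SHA-256 against the value the developer published, and confirm the zip actually declares hammerhead as its target. The script below is an added example written for this post, not code from NetHunter, TWRP or Magisk. It assumes (as many TWRP-flashable ROM and kernel zips do) that the zip's META-INF/com/google/android/updater-script carries an edify assert on ro.product.device or ro.build.product, and that you have a published SHA-256 to compare against. The sample zips it builds are constructed in the script as stand-ins for a real kernel zip.

```python
import hashlib
import io
import re
import zipfile

# Path of the edify install script inside a TWRP-flashable zip.
UPDATER_SCRIPT = "META-INF/com/google/android/updater-script"

# Matches the device-check idiom many kernel/ROM zips use, e.g.
#   assert(getprop("ro.product.device") == "hammerhead" || ...);
# (assumption: the zip uses this idiom; zips without it are flagged, not passed)
DEVICE_RE = re.compile(
    r'ro\.(?:product\.device|build\.product)"\)\s*==\s*"([^"]+)"'
)


def sha256_of(data):
    """Hex SHA-256 of the zip bytes, to compare with the developer's published hash."""
    return hashlib.sha256(data).hexdigest()


def declared_devices(zip_bytes):
    """Device codenames the zip's updater-script asserts on (empty set if none)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if UPDATER_SCRIPT not in zf.namelist():
            return set()
        script = zf.read(UPDATER_SCRIPT).decode("utf-8", errors="replace")
    return set(DEVICE_RE.findall(script))


def check_flash_zip(zip_bytes, published_sha256, device):
    """Return (ok, reasons). ok is True only when the hash matches AND the zip
    explicitly targets `device`; a missing device assert is reported, not waved through."""
    reasons = []
    actual = sha256_of(zip_bytes)
    if actual != published_sha256.strip().lower():
        reasons.append(
            f"sha256 mismatch: file is {actual[:12]}..., published {published_sha256[:12]}..."
        )
    targets = declared_devices(zip_bytes)
    if not targets:
        reasons.append("no device assert in updater-script; target device cannot be confirmed")
    elif device not in targets:
        reasons.append(f"zip targets {sorted(targets)}, not {device}")
    return (not reasons, reasons)


def make_sample_zip(updater_script):
    """Constructed stand-in for a kernel zip: an updater-script plus a dummy boot.img."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(UPDATER_SCRIPT, updater_script)
        zf.writestr("boot.img", b"\x00" * 64)  # placeholder bytes, not a real kernel image
    return buf.getvalue()


if __name__ == "__main__":
    good = make_sample_zip(
        'assert(getprop("ro.product.device") == "hammerhead" || '
        'getprop("ro.build.product") == "hammerhead");\n'
        'ui_print("Flashing kernel");\n'
    )
    # In real use the published hash comes from the download page, not from the file itself.
    print(check_flash_zip(good, sha256_of(good), "hammerhead"))
    mislabelled = make_sample_zip('assert(getprop("ro.product.device") == "bullhead");\n')
    print(check_flash_zip(mislabelled, sha256_of(mislabelled), "hammerhead"))
```

Run it against the real zip with `check_flash_zip(open("kernel.zip", "rb").read(), "<published sha256>", "hammerhead")` before you touch TWRP. Zips that carry no device assert at all are reported as unverifiable rather than passed, so for those you are relying on the hash check alone and on reading the developer's notes.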
You can go further still by flashing mods via the Xposed Installer. This framework is embedded deep in Android and effectively modifies the system; much of what it does can now be done with Magisk modules instead, but a lot of the old mods still require Xposed. Xposed has been around since what feels like the dawn of time, and many of the people who wrote those old modules have left the scene.
Drawbacks? Honestly not that many. Sure, it's not a PC: no big dedicated GPU, limited RAM and CPU. You won't be cracking many hashes before the sun sets, the terminal isn't a joy on a small screen, messing around with an old Android build (Android 6) is no fun, some attacks are slow and others leave the phone feeling like a red hot potato in your hand.
But that's because it isn't meant to be the be-all and end-all. It's good for recon, MITM, Bluetooth, RFID, NFC, exploits, stealth and more, but for anything that needs serious compute you may as well take it home and let your behemoth PC do the job. It's a great companion: the phone itself is worth about £50, but the community support it has received is worth ten times that, and the tools and mobile features I've mentioned usually cost a great deal more individually, let alone combined.
I have no idea why there's so little written about this, when there's far more written about £300 devices that don't do half of what I've just described and aren't nearly as stealthy. I can't see anything being more stealthy.
If this gets some interest, I'm happy to write up guides on exactly how to build something like this; it's exciting to me and I hope it's exciting to some of you. Who knows, maybe together we can draw some attention back to this area, as the Kali community and seemingly even Offensive Security did early on. Maybe we can bring it to the newer, basically-a-PC Samsung phones with 8 GB of RAM.
That said, I've got a Samsung S21+ running LineageOS with a custom kernel. There's some improvement there: Lineage is de-Googled, there's no tracking (yay privacy!) and I'm out of the Samsung ecosystem, but there is zero support for any of the tools I've just mentioned.
Hopefully some others find this interesting. If you need a hand, ping me a message and I can point you in the right direction!
- Cam
Senior Penetration Tester at Stripe OLT - eCPPT | CPSA | eJPT | RTO Malware Developer
2 years ago: Great post mate, hope to see a blog from the "exploiting a mobile device" angle very soon