Android tasker network recon



Created on Tue 01 Nov 2022



I get jealous of iphone users. Always sexy designs and full of spyware. I'm joking, I really couldn't care less about phones, but I do care a lot about customizing/ricing my stuff, and between starting to port all of my linux config into its own distro, I have really wanted for the past few months to build my own "phone OS" of some sort.

I thought that to achieve such automation madness I needed to start looking at android alternatives like the pinephone, or just revert back to lineageOS. It will sound strange coming from me, but for now I am just not bothered about dumping my phone OS again. I will soon I think, after this project, to be honest.

Today, waiting for my pizza to arrive, I was messing with android widgets and I found something pretty cool that I had on my phone without realising it: the termux shortcut widget.

Seeing this, my brain started thinking: what if I made a shortcut to ssh to my server and port forward all of the admin stuff I use to manage xss_bomb (my little pet project I've been working on for 2 years)? After building that I thought, wow, I could do a lot more cool stuff like map a network, automatically trigger stuff and just push termux to the limits of pentesting. Then after picking up the pizza I remembered I could auto trigger stuff with tasker 🤓!

In this blog post I will go through how to set everything up to basically have the same functionality on your phone 👹 You can think of this as a wireless covert shark jack.

Termux

The first thing needed is the termux script that will do the nmap scan. You should download termux from fdroid and get the tasker and Termux:API plug-ins. Inside of termux make sure you have installed nmap and ifconfig (the net-tools package), since both are needed for this to work ^^. You will then need to create a folder called $HOME/.termux/tasker/ in the $HOME of termux and paste the following script into a file there:

  #!/bin/bash
  # scan-net.sh
  # Created on: Tue 01 Nov 2022 10:32:34 PM GMT
  #
  #  ____   __  ____  __
  # (  _ \ /. |(  _ \/  )
  #  )___/(_  _))___/ )(
  # (__)    (_)(__)  (__)
  #
  # Description: grab wlan0's IPv4 address, derive the /24 it sits in and
  # run an nmap port-80 scan of it, with Termux notifications at start and end.

  # IPv4 address of wlan0 (the wifi interface); "grep -A 2" keeps the two
  # lines after the interface name, where ifconfig prints "inet <addr>".
  val=$(ifconfig 2> /dev/null | grep -A 2 wlan0 | awk '/inet /{print $2}')
  # Keep the first three octets (assumes a /24 network).
  sub=$(echo "$val" | cut -d'.' -f1,2,3)

  # nmap -oN fails if the output directory does not exist yet.
  mkdir -p "$HOME/loot"

  termux-notification -c "starting nmap on $sub.0-255"
  nmap -p 80 -oN "$HOME/loot/output-$sub" -vvv "$sub.0-255"
  termux-notification -c "net scan finished"

Now I personally have it set up with the script inside of $HOME/.shortcuts and symlinked inside of $HOME/.termux/tasker, so that if I want to re-run the task after being connected I can. To quickly explain what the script does: it first starts by getting the IP of the wlan0 interface (aka wifi), then it removes the last octet of the IP.

Example

If my IP is 192.168.0.1 then the first two lines retrieve the 192.168.0 bit and save it inside of the $sub variable.

The script then notifies the phone that the scan started, then nmap runs, saving its output in $HOME/loot/output-$sub, and then we notify the end of the task.
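The cut -d'.' -f1,2,3 trick silently assumes a /24 network, so on anything else (a /20 on a corporate or hotel wifi, say) the script scans the wrong range. The following is an added example, not part of the original post, that derives the target from the interface's real prefix length instead; it assumes iproute2 (the ip command) is installed in termux, and the ip output embedded in it is a constructed sample.

```bash
#!/bin/bash
# Added example, not part of the original post: compute the scan target from
# the interface's real prefix length instead of assuming a /24 by cutting
# off the last octet. Assumes `ip` (iproute2 package in Termux) is installed.

# Network address for a dotted-quad IP and prefix length:
#   net_from_ip_prefix 10.20.37.9 20  ->  10.20.32.0/20
net_from_ip_prefix() {
    prefix="$2"
    set -- $(printf '%s' "$1" | tr '.' ' ')   # split octets into $1..$4
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# First IPv4 "addr/prefix" of interface $2 from `ip -o -4 addr show` text ($1).
# Taking the text as an argument keeps the parsing testable without a device.
iface_cidr_from_output() {
    printf '%s\n' "$1" | awk -v dev="$2" '$2 == dev && $3 == "inet" { print $4; exit }'
}

# Constructed sample of `ip -o -4 addr show` output (not real device data).
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo
3: wlan0    inet 10.20.37.9/20 brd 10.20.47.255 scope global wlan0'

# Combine the two: prints e.g. "10.20.32.0/20", or fails if no IPv4 address.
scan_target_from_output() {
    cidr=$(iface_cidr_from_output "$1" "$2")
    [ -n "$cidr" ] || return 1
    net_from_ip_prefix "${cidr%/*}" "${cidr#*/}"
}

# Same flow as scan-net.sh, but scanning the derived CIDR. Run with: --run
main() {
    target=$(scan_target_from_output "$(ip -o -4 addr show)" wlan0) \
        || { termux-notification -c "wlan0 has no IPv4 address"; exit 1; }
    mkdir -p "$HOME/loot"
    termux-notification -c "starting nmap on $target"
    nmap -p 80 -oN "$HOME/loot/output-${target%/*}" -vvv "$target"
    termux-notification -c "net scan finished"
}

case "${1-}" in --run) main ;; esac
```

Drop it into $HOME/.termux/tasker/ in place of scan-net.sh and pass --run from the Tasker action; without that argument the file only defines the functions, so it can be sourced and tested on a laptop first.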

Tasker

What's pretty cool with tasker is that we can use the output of the previous command and just do a quick pop-up to display all of the information on the screen when scanning is done. Note that everything in tasker is GUI based, so it is a bit of a hassle, but it can be done quickly because of its amazing import/export functionality: open this page on your phone and click the following link. After going through the prompt on your phone, tasker should look like this:

Now if you named the .sh file something different you will need to edit the task and change the path to your file name. First navigate to tasks and select the net-scan-nmap task:

You then need to navigate to the termux config where the file path is set:

Click on the edit button:

Modify the file name:

In action

I recorded a little video of me running this on my test network at home to showcase it all in action:


Hopefully this little project was inspiring. Tasker is really cool; I feel like so many possibilities opened up from just this little project, and I'm sure someone can do better than me and use this in a more covert way. Just having a reverse ssh connection could allow you to plant a phone that auto connects to the wifi, and when the phone is dropped in a hotel room or just returned to reception as "Lost and Found" for example, it could give you an amazing attack surface.
