HOW TO TRANSFORM YOUR ANDROID DEVICE INTO ‘HACKERPHONE’ WITH TERMUX AND KALI

Ruchika oberoi

Mar 27, 2022
Before you start
First of all, you need root privileges. Otherwise, some functions of the installed utilities won’t be available or may malfunction. This is especially relevant for Android 10 and up.
The privilege escalation procedure is unique for each smartphone model and Android version. I use an oldie-but-goodie Samsung Galaxy S6 (SM-G920F) with Android 7.0 Nougat; this OS includes a special allowing users to gain root privileges. If your phone model and/or OS version are different, I suggest searching online for instructions applicable to your device.
I am also going to use Termux, an easy-to-use and powerful terminal that supports many features of the Linux environment. Termux lets you execute commands in a proper environment and saves the time and effort of configuring it.
In addition, I recommend installing the tsu utility that grants the ability to execute commands on behalf of root. If, for some reason, it doesn’t work on your device, check for the script that provides sudo for Termux. Note that Termux needs root privileges from the very beginning in order to perform the required operations.
Important: if you use Magisk as the root method (too bad, there is no alternative for the majority of modern devices), make sure to allow root access for Termux in the settings and add Termux to exceptions for Magisk Hide.
Also, I strongly recommend updating the list of packages as you do with desktop versions of Kali.
Code:
$ apt-get update

Kali NetHunter
If your device is supported by Kali NetHunter, use this platform. Kali Linux developers created it specifically for Android phones. NetHunter includes many useful programs from the desktop version of Kali. The images are available on . Overall, this toolkit is more powerful than the Termux-based one.

Installing Metasploit
As you are well aware, Metasploit Framework is a tool designed to create exploits and execute them on remote target machines.
You only need two commands to install Metasploit Framework (MSF) on Android 7 and up:
Code:
$ pkg install unstable-repo
$ pkg install metasploit
To install MSF on Android 5.x.x-6.x.x, use the following commands:
Code:
$ curl -LO
$ gunzip metasploit_5.0.65-1_all.deb.gz
$ dpkg -i metasploit_5.0.65-1_all.deb
$ apt -f install
Warning: unless specified otherwise, the above commands must be executed as an ordinary user; if you execute them as root, severe problems may occur.
For instance, if apt is run as root, SELinux contexts may become faulty, making it impossible to install the required packages.
The MSF installation can take a while. Don’t close the Termux session until it is complete!
Warning: never update MSF manually by editing $PREFIX/opt/metasploit: this may cause problems with dependencies.
To make sure that everything works properly, I run Metasploit:
Code:
$ msfconsole
[Image: Metasploit Framework]
As you can see, 2014 exploits are now at your disposal.

Installing ngrok
ngrok is a cross-platform utility designed to create secure tunnels from publicly accessible points to local network services. In addition, ngrok intercepts traffic and saves it in logs for subsequent analysis.
Prior to continuing, make sure that your phone is connected to the Internet (i.e. Mobile Data is on) and Mobile Hotspot is active.
First of all, update the packages and install Python 2:
Code:
$ pkg update && pkg upgrade && pkg install python2
Next, you have to register an ngrok account.
After the registration, you will be transferred to your account page where you have to find and copy your AuthToken as shown on the screenshot below.
[Image: AuthToken for ngrok]
Then download ngrok for Linux systems with the ARM architecture.
[Image: Downloading ngrok]
Go to Termux and find the directory containing the downloaded ngrok archive, for instance:
Code:
$ cd /sdcard/Downloads
To make sure that the archive is there, type:
Code:
$ ls | grep ngrok
Then unpack it:
Code:
$ unzip ngrok-stable-linux-arm.zip
After that, run the same check again to see whether the ngrok executable file has appeared:
Code:
$ ls | grep ngrok
If it’s not there, go to the directory containing it before taking the next step:
Code:
$ cd ngrok-stable-linux-arm
and move the executable file to the Termux home directory:
Code:
$ mv -v ngrok "$HOME"/
Check the new file location and go to that folder using the cd and ls commands.
Now you have to set the flag that makes the file executable:
Code:
$ chmod +x ngrok
and run it for the first time:
Code:
$ ./ngrok
Remember the AuthToken you have copied earlier? Paste it into the command below so that ngrok knows who uses it:
Code:
$ ./ngrok authtoken <token>
Then launch the server:
Code:
$ ./ngrok http 80
You will see an ngrok screen like the one shown below.
[Image: Ngrok]
Terrific! Now you are ready to attack any target!

Installing sqlmap
According to its , sqlmap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws and takeover of database servers.
The installation is a piece of cake. You can either install the stable version (1.4.3) or the newest one (1.4.5.34). To install version 1.4.3, enter:
Code:
$ pkg install sqlmap
To run the utility, type the command:
Code:
$ sqlmap -u <URL>
[Image: Sqlmap 1.4.3]
To install the latest version that is still in development, clone the repository:
Code:
$ git clone
Then go to the folder containing sqlmap:
Code:
$ cd sqlmap
Using python2, run sqlmap with the same mandatory parameter:
Code:
$ python2 sqlmap.py -u <URL>
[Image: Sqlmap 1.4.5.34]
Now your smartphone can access more than half of all databases present on the Internet! Use this powerful tool in a wise and ethical way; otherwise, you may get in trouble with the law!

Installing aircrack-ng
Aircrack-ng is a network software suite used to detect wireless networks, intercept their traffic, and audit WEP and WPA/WPA2-PSK encryption keys.
Its installation is not that simple. I suppose you are aware how difficult it is to switch the Wi-Fi adapter of your smartphone to monitor mode. Official Termux repositories include the iwconfig utility that manages wireless networks, and you have to install it.
First, install auxiliary utilities:
Code:
$ pkg install root-repo
Now you can install iwconfig and other tools required to work with wireless networks:
Code:
$ pkg install wireless-tools
The iw utility must be installed separately:
Code:
$ pkg install iw
Now you have to log into the system with root privileges and create a monitor interface:
Code:
$ tsu
$ iw phy0 interface add mon0 type monitor
Then check your adapters and their statuses:
Code:
$ iwconfig
If anything is displayed incorrectly, check whether Wi-Fi is enabled and make sure that your device is not connected to a Wi-Fi network.
Bring up the monitor interface:
Code:
$ ifconfig mon0 up
Of course, not all Android devices support monitor mode. Use the bcmon app to check whether your phone can do this or not. In addition, bcmon enables monitor mode on compatible Broadcom chips (Nexus and some other devices). For other phones, you have to buy a USB-OTG adapter and connect a Wi-Fi adapter supported by the desktop version of Kali to it. You will also have to rebuild the kernel to add the required drivers to it. If you are not skilled in kernel building, check the respective forums, for instance, . Chances are high that you will find a ready-to-use Kali build with the required kernel there.
Then you can install aircrack-ng:
Code:
$ pkg install aircrack-ng
To review the short manual, type:
Code:
$ man aircrack-ng
[Image: Aircrack-ng]
Time to launch airodump-ng:
Code:
$ airodump-ng -i mon0
Voila! Now you can intercept traffic of open access points, send them deauth frames to disconnect annoying neighbors' various devices from the Internet, and capture handshakes required to crack passwords.

Installing Nmap
Nmap is a network scanning utility that finds open ports, performs tracerouting, and checks for vulnerabilities using NSE scripts. More information on this topic can be found in the article .
In my case, Nmap's functionality is slightly reduced because I use the version ported to Android. It is available in official Termux repositories:
Code:
$ pkg install nmap
To review the short manual, type:
Code:
$ nmap
[Image: Nmap]
For intense scanning, I use the following parameters:
Code:
$ nmap -T4 -A -v

Installing fully featured Kali Linux on your phone
Kali NetHunter can be installed on some phones, but this goes beyond the scope of this article. I am going to install an image of a fully featured Kali on my phone and connect to its desktop via VNC. This Kali Linux image lets you use programs that cannot be run in Termux (e.g. BeEF-XSS).
First of all, download the following apps from Google Play: LinuxDeploy (lets you install Linux distributions on Android devices), BusyBox (a suite of essential utilities), and VNC Viewer (the VNC client). It does not matter that, in reality, this machine will run at 127.0.0.1.
Next, download a . I used the full version with the ext4 file system suitable for the ARM architecture (fifth file from the top). You have to extract the image 5.5 GB in size from the archive and place it into the /storage/emulated/0 folder on your mobile device. Then rename it to linux.img.
Google Play offers plenty of BusyBox varieties from various manufacturers. Many devices require specific BusyBox versions; otherwise, some utilities won’t work properly on them. I used the and installed its files to /su/xbin. Remember this directory: you will need it to update the operating environment.
Now go to LinuxDeploy, press the distribution configuration icon in the lower right part of the screen, and select the Kali Linux distribution. The architecture should be configured automatically; if it’s not, try armhf.
[Image: Settings]
Then change the user password (it’s located below).
At the very end, you will find settings pertaining to the deployment of SSH and VNC servers; their boxes must be checked. If you don’t need graphics, SSH will suffice. Then download and connect to your Kali machine located at the address 127.0.0.1. To avoid downloading extra apps, you can use openssh-client directly in Termux: just open one more Termux tab for it.
If you need graphics, check the respective box; I am going to explain how to connect to the Kali desktop via VNC a bit later.
[Image: SSH and VNC]
Time to set up the operating environment. In the settings of the PATH variable, specify the path to the folder where BusyBox has installed its packages.
[Image: Operating environment]
And update the operating environment (the button below).
To configure the container, go to the main page, press the menu button in the upper right corner, and select “Configure”.
Now you can start the container by pressing the respective button below. Check whether any strings displayed at the start include the word “fail”. If such strings exist, make sure that you have correctly specified PATH of the operating environment and properly configured the container. If everything seems to be correct, try doing it all over again using the armhf architecture.
Open VNC Viewer or any other VNC client, add a connection to localhost (127.0.0.1) and give it a name. Then connect, confirm that you want to continue using the unencrypted connection and enter the user password you have earlier specified in LinuxDeploy.
Success! It’s up and running!
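Because the VNC connection here is unencrypted and the earlier ngrok setup leaves Mobile Hotspot active, it is worth confirming that the container's SSH and VNC servers are reachable only via 127.0.0.1. The shell function below is an added example, not part of the original post or of LinuxDeploy; it assumes the column layout of netstat -tln and the default ports 22 (SSH) and 5900 (VNC), and its sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report SSH/VNC listeners that
# are bound to a non-loopback address and therefore reachable by hotspot or
# Wi-Fi peers. Input: `netstat -tln`-style text on stdin (assumed layout:
# proto, recv-q, send-q, local address, foreign address, state).

# Prints "port address" per exposed listener; returns 1 if any were found.
# $1: space-separated ports to watch (assumed defaults: 22 SSH, 5900 VNC).
exposed_listeners() {
    awk -v ports="${1:-22 5900}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (!(port in watch)) next
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only: fine
            print port, addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: VNC on loopback (safe), SSH on all IPv4 interfaces and
# VNC on all IPv6 interfaces (both exposed), plus an unwatched port.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 127.0.0.1:5900   0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN
tcp6       0      0 :::5900          :::*             LISTEN
tcp        0      0 0.0.0.0:8080     0.0.0.0:*        LISTEN
EOF
}

# Demo on the sample; on the device, run as root: netstat -tln | exposed_listeners
if sample_netstat | exposed_listeners; then
    echo "OK: SSH/VNC listen on loopback only"
else
    echo "WARNING: the listeners above accept non-local connections"
fi
```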
[Image: Kali and Nmap]
Of course, this distribution is pretty old, but its software is still operational: as you can see, Nmap is running smoothly.
To test the system, I use the command:
Code:
$ nmap -A -v <IP>
The -A parameter instructs Nmap to scan the OS, identify its version, use scripts, and perform tracerouting. The -v parameter is used to display more details in the output.
See scan results on the screenshot below.
[Image: Nmap results]

Conclusions
Now your portable device can crack databases, scan networks, intercept traffic, and perform many other attacks. Use these powers only for ethical purposes and may the Force be with you!