Privacy DNS Filter for Android Devices? - General Questions and Answers

On PC I'm using Portmaster from https://safing.io/
It's a replacement for the Windows firewall but also works on Linux; this program gives me control over my device by letting me monitor ALL network traffic of the computer.
It has built-in filter lists to block tracking and malware; I can block specific programs individually but also add URLs like www.google-analytics.com to a custom blocklist.
The best part about this program is that you can use the settings to block all connections by default and then only allow those programs to connect to the internet that you need.
A must-have in my opinion.
I haven't found anything on the level of Portmaster for Android; if anyone knows similar apps/programs/software to what I have described above, I would be really thankful if you can share it!
PS: This https://f-droid.org/de/packages/dnsfilter.android/ is all I found for Android, however I'm still interested in alternatives.

Related

[Q] Remote Administration of Multiple Android Handsets

My situation:
In my company we have about 30+ handsets currently running Android (standard and custom ROMs from XDA). The handsets include HTC Desire HD, HD2, Desire S and Desire Z. The users cannot be trusted not to brick the phones if they are allowed to download apps and modify them in any way (not to mention they are business phones, so shouldn't have Facebook etc. on them anyway).
I've heard about admin tools which allow control of handsets remotely.
Requirements:
So, if possible, what I would like is something along the lines of...:
1: Blocks further apps from being added to the handset without a password
2: A lock to keep as many of the settings as is originally provided (wallpaper etc.)
3: A master admin tool which I can remotely manage all the handsets from (download requested and approved apps, wipe, lock, locate and reset the phones if lost... etc.)
What I have done before to stop the users adding further apps is register my email address to Android Market on all the phones, then change the password using my desktop. While this stops new apps from being downloaded from the Market, it does mean I cannot remotely roll out approved apps as they are no longer signed in to the account.
Is there anything out there which does any/all/some of the above?
Is there one tool which can manage all these tasks? Or will it have to be separate apps like Norton Mobile Security (for example) etc.?
Can anyone get their heads around this?
Thanks!
The market lets you download apps to a phone.
Lookout Security does all of the security tasks you want.
Thanks, that would take care of the remote wiping, locating and locking.
Does Android provide any corporate setup for administration of lots of handsets? Surely this is a niche in the market for some devs to jump on if there isn't something like that already.
And I know Android Market allows you to remotely download apps to multiple phones, but I want to make it impossible to download through the phone itself (so I can add apps but the user can't).
Something that performs like MFormation Enterprise Manager but avoiding the $20k price tag! (a tall order, I know)
Sonic_Sonar said:
Something that performs like MFormation Enterprise Manager but avoiding the $20k price tag! (a tall order i know)
Hello,
Have you found any apps that fit your needs? Do you use them? If not, is your organization still interested in a mobile device management service?
I'm asking because I'm working for http://bloove.com (personal phone management service) and we're going to expand our offer to small and medium companies.
This new service will combine the existing contact, SMS, phone log and bookmark backup for personal phones with MDM features like centralized app management, location and wipe service etc.
We're looking for early adopters who will have a chance to add their custom requirements to the service and get this service for free for up to six months.
Please let me know if you're interested and want to discuss this further.
Thank you,
Rostislav
Please use the Q&A Forum for questions. Thanks.
Moving to Q&A
I did something like this ...
I first installed an OpenSSH server, plus a script that checks a specific URL for remote access needs (had to do it that way since my carrier blocks connections on all ports).
The server side is a simple PHP script that you call like this: check.php?deviceid=[ID]. The script checks a DB to see if there is anything new for that device ID and acts accordingly. I implemented three features: Tunnel, Script, Install APK. So, if I want to install an APK to all devices, I just upload it on our webserver, and in the MySQL DB I add device id = all, action=install, file=/apks/whatever.apk. If, for instance, I want to do something more complex on certain devices, I add: id = all, action=script, file=/apks/whatever.sh. I write the script, then all phones check for updates on this check.php every 5 minutes; if they find a script, they'll download and execute it. If it's an APK, they'll download and install it. If I insert a line with deviceID=[deviceid], action=tunnel, file=[PORT NUMBER], then the phone will SSH into a remote server and do a reverse port forward on [PORT NUMBER]. Then I can just SSH into localhost:[PORTNUMBER] on the server, and I'll have a terminal inside the phone to do whatever I need.
This doesn't address the restrictions issue, but it does allow you to control the phones however you want.
Regards,
Almafuerte.

[UPDATE] All Android Wifi Tools In One Place

I have done some reading and observed some Android WiFi tools which could be useful to you guys.
I know some of you guys already know about some of these apps while others don't.
My first WiFi tool is dSploit.
Introducing dSploit
dSploit is an Android network analysis and penetration suite which aims to offer IT security experts/geeks the most complete and advanced professional toolkit to perform network security assessments on a mobile device. Once dSploit is started, you will be able to easily map your network, fingerprint alive hosts' operating systems and running services, search for known vulnerabilities, crack logon procedures of many TCP protocols, perform man in the middle attacks such as password sniffing (with common protocols dissection), real time traffic manipulation, etc. This application is still in beta stage; a stable release will be available as soon as possible, but expect some crashes or strange behaviour until then. In any case, feel free to submit an issue on GitHub.
Here are some screenshots http://www.dsploit.net/images/shots/1.png
http://www.dsploit.net/images/shots/2.png
And a walkthrough video http://youtu.be/HrQl1cG2Hq0
And you could visit their website http://www.dsploit.net/
My second WiFi tool I wanna show you guys is Anti - Android Network Toolkit
What is Anti?
Zimperium LTD is proud to announce Android Network Toolkit - Anti.
Anti consists of 2 parts: the Anti version itself and extendable plugins. Upcoming updates will add functionality, plugins or vulnerabilities/exploits to Anti.
Using Anti is very intuitive - on each run, Anti will map your network, scan for active devices and vulnerabilities, and will display the information accordingly: a green LED signals an 'Active device', a yellow LED signals "Available ports", and a red LED signals "Vulnerability found". Also, each device will have an icon representing the type of the device. When finished scanning, Anti will produce an automatic report specifying which vulnerabilities you have or bad practices used, and how to fix each one of them.
This app is kind of a paid app, but you can get the free version from here http://zantiapp.com/anti.html
Here is a link to the walkthrough video http://youtu.be/tKW-XV59-gk
My third WiFi tool is WiFi Kill.
It's an application for killing WiFi connections, that is, preventing users on that network from getting to their websites.
I couldn't find the website for this app (seems they don't have any). But you could download it from
here: http://mediafire.com/?ue5itmf89w5h4x2
Here is a link to the walkthrough video http://www.youtube.com/watch?v=MtaPF6NcOeo
My fourth WiFi tool is DroidSheep.
It's actually in two forms.
DroidSheep [Root] is an Android app for security analysis in wireless networks and capturing Facebook, Twitter, LinkedIn and other accounts.
DroidSheep Guard is another Android app for monitoring Android's ARP table. It tries to detect ARP spoofing on the network, such as an attack by DroidSheep, FaceNiff and other software.
For some reason, DroidSheep [Root] can't be downloaded from their website, which is this http://droidsheep.de/
But don't worry, you can find it here at http://depositfiles.com/files/ektsufdkl
On the other hand, DroidSheep Guard can be found at the Play Store
https://play.google.com/store/apps/...h.droidsheep.guard.free&feature=search_result
The next one is Android Netspoof
Description
Network Spoofer lets you change websites on other people's computers from an Android phone. After downloading, simply log onto a WiFi network, choose a spoof to use and press start.
Please note that there is no intention for Network Spoofer to include any malicious features. This application is a fun demonstration of how vulnerable home networks are to simple attacks, with permission of the network owner - DO NOT attempt to use Network Spoofer on any corporate or other non-residential networks (e.g. at school, university). It becomes very obvious when Network Spoofer is being used on a network, and use of Network Spoofer will be considered malicious hacking by network administrators.
It can be downloaded from here http://sourceforge.net/projects/netspoof/files/latest/download
There is another app called AutoProxy
Description
The most complete proxier on the Market. AutoProxy allows you to use Market, Gmail, Maps or surf the web even behind the proxy from your home/school/office.
It works by creating a transparent/intercepting proxier running on your phone that redirects web traffic to your proxy. Other apps don't have to be aware there is a proxy!
All outgoing traffic is captured, formatted and transmitted through your network's proxy. That means it works with Market, all browsers, Gmail, Maps, and others.
This app is a paid app, but they have got a light version.
Here is a link to it https://play.google.com/store/apps/details?id=com.mgranja.autoproxy&hl=en
FaceNiff
FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to.
It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK).
It's kind of like Firesheep for Android. Maybe a bit easier to use (and it works on WPA2!).
*** ROOTED PHONE *** is required. Please note that if the web user uses SSL this application won't work.
This application, due to its nature, is very phone-dependent, so please let me know if it won't work for you.
Use with the stock browser (might not work with others).
Legal notice: this application is for educational purposes only. Do not try to use it if it's not legal in your country.
I do not take any responsibility for anything you do using this application. Use at your own risk
It can be downloaded from here http://faceniff.ponury.net/download.php
I will be updating the list frequently.
UPDATE
So as I said, I would be updating this, and guess what, I have kept my promise.
There is this app called Intercepter-NG; it's another Android WiFi tool I find useful.
Intercepter-NG is a multifunctional network toolkit for various types of IT specialists. It has the functionality of several famous separate tools and moreover offers a good and unique alternative to Wireshark for Android.
The main features are:
* network discovery with OS detection
* network traffic analysis
* passwords recovery
* files recovery
Runs on Android >=2.3.3 with root+busybox.
Looks better on high resolution, but completely comfortable on 480x720.
It can be downloaded from the Play Store https://play.google.com/store/apps/...t#?t=W251bGwsMSwxLDEsInN1LnNuaWZmLmNlcHRlciJd
Another important WiFi tool for Android is WiFi Wolf
- PCMag.com Editors' Choice award winner for network utilities
If you are a network administrator or a network engineer that has any WiFi / wireless on your network, then you already know that you need a good WiFi network monitoring / analyzer tool or toolkit to properly manage and analyze inside your wireless network. Without the proper network tools you have no way to determine proper functionality of your WiFi network or identify the security risks that come with having wireless technology inside of your enterprise corporate LAN. As a network administrator or engineer you already have many other responsibilities with your network such as managing servers, routers, switches, workstations, inventory management, asset management, bandwidth monitoring, troubleshooting... the list is long. Make sure you have a tool that makes your wireless network management easier!
- Active Passive Pre-Deployment and Site Survey and WiFi Analyzer network tools for wireless professionals. Works on 802.11 N, G, B, and A networks (Depends on device)
Quickly perform WiFi site surveys by simply double tapping on the floor plan to register samples
2.4GHz and 5GHz WiFi analyzer fully supported in all wireless tools
WiFi Heatmapper
WiFi AP Edge Map
WiFi Channel Map
WiFi Stumbler
WiFi Analyzer
Access point filters allow you to analyze AP edge individually
Wireless security filters identify and analyze secure and non-secure (WEP, Ad-Hoc, Open) wireless networks
Sub-filters allow you to filter out weak WiFi coverage areas
Network Icons for mapping out your hardware
Export all views for email or printing
Export and Import all surveys for backup or to share with other techs using Wolf WiFi Pro
Create multiple sites
Supports and analyzes broadcast and hidden SSIDs (once known to the device)
Complete help documentation at www.wolfwifi.com and videos on www.youtube.com
-WiFi scanner and analyzer with summary view and detailed view
-Channel Graph displays and analyzes channels in use to easily identify congestion
-Signal Tracker helps you track down access points and adjust antennas
-802.11 A/B/G/N support (depends on device)
It can also be downloaded from the store https://play.google.com/store/apps/...nByaXNpbmdhcHBzLmFuZHJvaWQud29sZndpZmlwcm8iXQ..
And one more thing: the app WifiKill can also be used to redirect web pages to a specific site.
You can do so by first finding out the site's IP address, then you open the WifiKill app, go to settings, then select rejection method: drop policy + redirect to.......
Afterwards click on "redirect to IP" and insert the IP of the site you want to redirect to.
Note that none of these apps are mine and all these apps require root; also I am not the cause of any damage these apps could do to your phone. Thanks
Enjoy!
But if you have any questions about these apps or questions on how to install any of them, feel free to ask.
Thanks once more.
DroidSheep link is broken
Turbokat said:
DroidSheep link is broken
It's not broken, just choose regular download and wait for the countdown to complete.
Sent from my myTouch 4g using xda app-developers app
Here, you guys might like this as well.
https://app.box.com/s/1h0mdqynmb5lcz0gasbf
Another tool for site survey
There is another free android tool for heat maps creation - "WiFi Maps Light", available on GOOGLE PLAY, documentation can be found on app's official site.
You're gonna want for sure bcmon.apk if you want to get your WiFi crack on. Cracks WEP and WPA/WPA2-WPS natively in a rooted Android ROM.
http://bcmon.blogspot.com/
https://bcmon.googlecode.com/files/bcmon.apk
https://code.google.com/p/bcmon/
This works on a lot of devices; I have it working on a Samsung Galaxy Nexus (Sprint), HTC Glacier, Samsung Galaxy S2, Nexus 7 (2012, grouper), and a couple of others. No need for a custom ROM even, just root and you're golden.
Commented to follow on this wonderful index
Sent from my E151
Network Toolbox for Android
Another great tool I came across recently is Network Toolbox for Android:
play.google.com/store/apps/details?id=com.appsropos.whois
It includes a bunch of handy admin tools including Whois, RBL checks, DNS and ARIN lookups, Ping, Port Scan, find external IP, Geo Location for IP addresses, CIDR calculator, Email server tester, and much more!
mark.worth.666 said:
Another great tool I came across recently is Network Toolbox for Android:
play.google.com/store/apps/details?id=com.appsropos.whois
It includes a bunch of handy admin tools including Whois, RBL checks, DNS and ARIN lookups, Ping, Port Scan, find external IP, Geo Location for IP addresses, CIDR calculator, Email server tester, and much more!
asdfghjkl
ktetreault14 said:
asdfghjkl
Trying to push it up?
Sent from my HTC Desire HD using XDA Free mobile app
mickeyasamoah said:
Trying to push it up?
Sent from my HTC Desire HD using XDA Free mobile app
Yes, lmao. I haven't found a reliable app for all the WiFi tinkering and whatnot.
A bit of help maybe please on Zimperium's anti
I had dsploit installed and stupidly uninstalled it because now I cannot find the last version apk anywhere.
Anyway, I installed Z's ANTI. Everything seemed to go OK. My android is rooted and superuser rights were granted to the app.
My problem is that when it runs a network scan it recognizes my router but no open ports and that seems to be the end of it.
Any advice?
silvanet said:
I had dsploit installed and stupidly uninstalled it because now I cannot find the last version apk anywhere.
Anyway, I installed Z's ANTI. Everything seemed to go OK. My android is rooted and superuser rights were granted to the app.
My problem is that when it runs a network scan it recognizes my router but no open ports and that seems to be the end of it.
Any advice?
Me too. I found zANTI (dSploit) difficult to use. I would wish to have guides for learning purposes.
Sent from my XT1033 using XDA Free mobile app
I've tried various man in the middle hacks on my laptop with the new zANTI. It's actually very cool.
Don't download DroidSheep from here (virus)!! I looked at the MD5 hash and it did not match the ones of the last 3 versions (the MD5 hashes are on http://droidsheep.de/?page_id=23), and also Android warned me and blocked the installation.
Download the one on https://forum.xdadevelopers.com/showthread.php?t=1539105 from the comment of user "Dlll". I verified the MD5 and it matched version 14 on http://droidsheep.de/?page_id=23 (verify it yourself if you don't trust me).
Stay safe
How to verify?
Thanks
Many thanks?

Closing open holes

An interesting read
Closing Open Holes
#JDevil#
With the spread of Hackers and Hacking incidents, the time has come, when not only system administrators of servers of big companies, but also people who connect to the Internet by dialing up into their ISP, have to worry about securing their system. It really does not make much difference whether you have a static IP or a dynamic one, if your system is connected to the Internet, then there is every chance of it being attacked.
This manual is aimed at discussing methods of system security analysis and will shed light on how to secure your standalone system (and also a system connected to a LAN).
Open Ports: A Threat to Security?
Now, the -a option is used to display all open connections on the local machine. It also returns the remote system to which we are connected, the port numbers of the remote system we are connected to (and of the local machine) and also the type and state of connection we have with the remote system.
For Example,
C:\windows>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
TCP ankit:1036 dwarf.box.sk:ftp-data TIME_WAIT
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1045 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1052 zztop.boxnetwork.net:80 ESTABLISHED
TCP ankit:1053 mail2.mtnl.net.in:pop3 TIME_WAIT
UDP ankit:1025 *:*
UDP ankit:nbdatagram *:*
Now, let us take a single line from the above output and see what it stands for:
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
Now, the above can be arranged as below:
Protocol: TCP (This can be Transmission Control Protocol or TCP, User Datagram Protocol or UDP, or sometimes even IP or Internet Protocol.)
Local System Name: ankit (This is the name of the local system that you set during the Windows setup.)
Local Port opened and being used by this connection: 1031
Remote System: dwarf.box.sk (This is the non-numerical form of the system to which we are connected.)
Remote Port: ftp (This is the port number of the remote system dwarf.box.sk to which we are connected.)
State of Connection: ESTABLISHED
Netstat, with the -a argument, is normally used to get a list of open ports on your own system, i.e. on the local system. This can be particularly useful to check and see whether your system has a Trojan installed or not. Yes, most good antiviral software is able to detect the presence of Trojans, but we are hackers, and need no software to tell us whether we are infected or not. Besides, it is more fun to do something manually than to simply click on the 'Scan' button and let some software do it.
The following is a list of Trojans and the port numbers which they use; if you Netstat yourself and find any of the following open, then you can be pretty sure that you are infected.
Port 12345(TCP) Netbus
Port 31337(UDP) Back Orifice
For complete list, refer to the Tutorial on Trojans at: hackingtruths.box.sk/trojans.txt
----
Now, the above tutorial resulted in a number of people raising questions like: If the 'netstat -a' command shows open ports on my system, does this mean that anyone can connect to them? Or, how can I close these open ports? How do I know if an open port is a threat to my system's security or not? Well, the answer to all these questions will be clear once you read the paragraphs below:
Now, the thing to understand here is that port numbers are divided into three ranges:
The Well Known Ports are those from 0 through 1023. This range of ports is bound to the services running on them. By this what I mean is that each port usually has a specific service running on it. You see, there is an internationally accepted Port Numbers to Services rule (refer to RFC 1700) which specifies on what port number a particular service runs. For example, by default or normally FTP runs on Port 21. So if you find that Port 21 is open on a particular system, then it usually means that that particular system uses the FTP protocol to transfer files. However, please note that some smart system administrators deliberately (i.e. to fool lamers) run fake services on popular ports. For example, a system might be running a fake FTP daemon on Port 21. Although you get the same interface, like the FTP daemon banner, response numbers etc., it actually might be a software logging your presence and sometimes even tracing you!!!
The Registered Ports are those from 1024 through 49151. This range of port numbers is not bound to any specific service. Actually, networking utilities like your browser, email client or FTP software open a random port within this range and start a communication with the remote server. A port number within this range is the reason why you are able to surf the net or check your email etc.
If you find that when you give the netstat -a command, a number of ports within this range are open, then you should probably not worry. These ports are simply opened so that you can get your software applications to do what you want them to do. These ports are opened temporarily by various applications to perform tasks. They act as a buffer transferring packets (data) received to the application and vice versa. Once you close the application, you find that these ports are closed automatically. For example, when you type www.hotmail.com in your browser, your browser randomly chooses a Registered Port and uses it as a buffer to communicate with the various remote servers involved.
The Dynamic and/or Private Ports are those from 49152 through 65535. This range is rarely used, and is mostly used by trojans; however some applications do tend to use such high range port numbers. For example, Sun starts their RPC ports at 32768.
So this basically brings us to what to do if you find that Netstat gives you a couple of open ports on your system:
1. Check the Trojan Port List and check if the open port matches any of the popular ones. If it does, then get a trojan remover and remove the trojan.
2. If it doesn't, or if the Trojan Remover says "No trojan found", then see if the open port lies in the Registered Ports range. If yes, then you have nothing to worry about, so forget about it.
***********************
HACKING TRUTH: A common technique employed by a number of system administrators, is remapping ports. For example, normally the default port for HTTP is 80. However, the system administrator could also remap it to Port 8080. Now, if that is the case, then the homepage hosted at that server would be at:
http://domain.com:8080 instead of
http://domain.com:80
The idea behind Port Remapping is that instead of running a service on a well known port, where it can easily be exploited, it would be better to run it on a not so well known port, as the hacker would find it more difficult to find that service. He would have to port scan a high range of numbers to discover port remapping.
The ports used for remapping are usually pretty easy to remember. They are chosen keeping in mind the default port number at which the service being remapped should be running. For example, POP by default runs on Port 110. However, if you were to remap it, you would choose any of the following: 1010, 11000, 1111 etc.
Some sysadmins also like to choose port numbers in the following manner: 1234, 2345, 3456, 4567 and so on... Yet another reason why Port Remapping is done is that on a Unix system, to be able to listen on a port under 1024, you must have root privileges.
************************
Firewalls
Use of firewalls is no longer confined to servers or websites or commercial companies. Even if you simply dial up into your ISP or use PPP (Point to Point Protocol) to surf the net, you simply cannot do without a firewall. So what exactly is a firewall?
Well, in non-geek language, a firewall is basically a shield which protects your system from the untrusted, non-reliable systems connected to the Internet. It is a software which listens on all ports of your system for any attempts to open a connection and, when it detects such an attempt, reacts according to a predefined set of rules. So basically, a firewall is something that protects the network (or system) from the Internet. It is derived from the concept of firewalls used in vehicles, which is a barrier made of fire resistant material protecting the vehicle in case of fire.
Now, for a better 'according to the bible' definition of a firewall: A firewall is best described as a software or hardware or both hardware and software packet filter that allows only selected packets to pass through from the Internet to your private internal network. A firewall is a system or a group of systems which guard a trusted network (the internal private network) from the untrusted network (the Internet).
NOTE: This was a very brief description of what a firewall is; I will not be going into the details of their working in this manual.
Anyway, the term 'Firewalls' (which were generally used by companies for commercial purposes) has evolved into a new term called 'Personal Firewalls'. Now this term is basically used to refer to firewalls installed on a standalone system which may or may not be networked, i.e. it usually connects to an ISP. Or, in other words, a personal firewall is a firewall used for personal use.
Now that you have a basic description as to what a firewall is, let us move on to why exactly you need to install a firewall. Or, how can not installing a firewall pose a threat to the security of your system?
You see, when you are connected to the Internet, then you have millions of other untrusted systems connected to it as well. If somehow someone found out your IP address, then they could do probably anything to your system. They could exploit any vulnerability existing in your system, damage your data, and even use your system to hack into other computers.
Finding out someone's IP address is not very difficult. Anybody can find out your IP through various chat services, instant messengers (ICQ, MSN, AOL etc.), through a common ISP and numerous other ways. In fact, finding out the IP address of a specific person is not always the priority of some hackers.
What I mean to say by that is that there are a number of scripts and utilities available which scan all IP addresses between a certain range for predefined common vulnerabilities. For example, systems with file sharing enabled, or a system running an OS which is vulnerable to the Ping of Death attack, etc. As soon as a vulnerable system is found, they use the IP to carry out the attacks.
The most common scanners look for systems with RATs or Remote Administration Tools installed. They send a packet to common Trojan ports and display whether the victim's system has that Trojan installed or not. The 'Scan Range of IP Addresses' that these programs accept is quite wide and one can easily find a vulnerable system in a matter of minutes or even seconds.
Trojan Horses like Back Orifice provide remote access to your system and can set up a password sniffer. The combination of a back door and a sniffer is a dangerous one: the back door provides future remote access, while the sniffer may reveal important information about you like your other passwords, bank details, credit card numbers, Social Security Number etc. If your home system is connected to a local LAN and the attacker manages to install a backdoor on it, then you have probably given the attacker the same access level to your internal network as you have. This would also mean that you will have created a back door into your network that bypasses any firewall that may be guarding the front door.
You may argue with me that as you are using a dial up link to your ISP via PPP, the attacker would be able to access your machine only when you are online. Well, yes, that is true, however not completely true. Yes, it does make access to your system when you reconnect difficult, as you have a dynamic Internet Protocol address. But, although this provides a faint hope of protection, routine scanning of the range of IPs in which your IP lies will more often than not reveal your current dynamic IP, and the back door will provide access to your system.
*******************
HACKING TRUTH: Microsoft says: War Dialer programs automatically scan for modems by trying every phone number within an exchange. If the modem can only be used for dial-out connections, a War Dialer won't discover it. However, PPP changes the equation, as it provides bidirectional transport, making any connected system visible to scanners and attackers.
*******************
So how do I protect myself from such scans and unsolicited attacks? Well, this is where Personal Firewalls come in. They, just like their name suggests, protect you from unsolicited connection probes, scans and attacks.
They listen on all ports for any connection requests received (from both legitimate and fake hosts) and sent (by applications like browser, email client etc.). As soon as such an instance is recorded, it pops up a warning asking you what to do, or whether to allow the connection to initiate or not. This warning message also contains the IP which is trying to initiate the connection and also the port number to which it is trying to connect, i.e. the port to which the packet was sent. It also protects your system from port scans, DoS attacks, vulnerability attacks etc. So basically it acts as a shield or a buffer which does not allow your system to communicate with the untrusted systems directly.
Most Personal Firewalls have extensive logging facilities which allows you to track down the attackers. Some popular firewalls are:
ZoneAlarm: The easiest to setup and manage firewall. Get it for free at: www.zonelabs.com
Once you have installed a firewall on your system, you will often get a number of warnings which might make it seem as if someone is trying to break into your system; however, they are actually bogus messages, which are caused by either your OS itself or by the process called Allocation of Dynamic IPs. For a detailed description of these two, read on.
Many people complain that as soon as they dial into their ISP, their firewall says that such and such IP is probing Port X. What causes them?
Well, this is quite common. The cause is that somebody hung up just before you dialed in and your ISP assigned you the same IP address. You are now seeing the remains of communication with the previous person. This is most common when the person to whom the IP was assigned earlier was using ICQ or chat programs, was connected to a game server or simply turned off his modem before his communication with remote servers was complete.
You might even get a message like: Such and Such IP is trying to initiate a NetBIOS session on Port X. This again is extremely common. The following is an explanation as to why it happens, which I picked up a couple of days ago: NetBIOS requests to UDP port 137 are the most common item you will see in your firewall reject logs. This comes about from a feature in Microsoft's Windows: when a program resolves an IP address into a name, it may send a NetBIOS query to the IP address. This is part of the background radiation of the Internet, and is nothing to be concerned about.
What Causes them? On virtually all systems (UNIX, Macintosh, Windows), programs call the function 'gethostbyaddr()' with the desired address. This function will then do the appropriate lookup, and return the name. This function is part of the sockets API. The key thing to remember about gethostbyaddr() is that it is virtual. It doesn't specify how it resolves an address into a name. In practice, it will use all available mechanisms. If we look at UNIX, Windows, and Macintosh systems, we see the following techniques:
DNS in-addr.arpa PTR queries sent to the DNS server
NetBIOS NodeStatus queries sent to the IP address
lookups in the /etc/hosts file
AppleTalk over IP name query sent to the IP address
RPC query sent to the UNIX NIS server
NetBIOS lookup sent to the WINS server
Windows systems do the /etc/hosts, DNS, WINS, and NodeStatus techniques. In more excruciating detail, Microsoft has a generic system component called a naming service. All the protocol stacks in the system (NetBIOS, TCP/IP, Novell IPX, AppleTalk, Banyan, etc.) register the kinds of name resolutions they can perform. Some RPC products will likewise register an NIS naming service. When a program requests to resolve an address, this address gets passed on to the generic naming service. Windows will try each registered name resolution subsystem sequentially until it gets an answer.
(Side note: Users sometimes complain that accessing Windows servers is slow. This is caused by installing unneeded protocol stacks that must time out first before the real protocol stack is queried for the server name.)
The order in which it performs these resolution steps for IP addresses can be configured under the Windows registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider.
Breaking Through Firewalls
Although firewalls are meant to provide you complete protection from port scan probes etc., there are several holes existing in popular firewalls, waiting to be exploited. In this issue, I will discuss a hole in ZoneAlarm Version 2.1.10 to 2.0.26, which allows the attacker to port scan the target system (although normally it should stop such scans).
If one uses port 67 as the source port of a TCP or UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means that one can TCP or UDP port scan a ZoneAlarm-protected computer as if there were no firewall there IF one uses port 67 as the source port on the packets.
Exploit:
UDP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sU 192.168.128.88
(Notice the -g67 which specifies source port).
TCP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sS 192.168.128.88
(Notice the -g67 which specifies source port).
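Two points in the tutorial above lend themselves to a small model: why a personal firewall's reject log fills with harmless NetBIOS name queries and leftover traffic from the previous holder of a dynamic IP, and why a rule keyed on the sender's source port (the port-67 hole) lets a whole scan past the filter, next to the narrower rule a defender would write for the same DHCP intent. The following is an added example, not code from the thread or from ZoneAlarm; the packet model, the log format, the heuristic labels and every address other than 192.168.128.88 are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Protected host, taken from the nmap example in the post above.
LOCAL_IP = "192.168.128.88"


@dataclass(frozen=True)
class Packet:
    """One inbound packet as the personal firewall sees it (constructed model)."""
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_port: int   # port on the protected host


def is_reply(pkt, outbound):
    """A stateful personal firewall admits inbound traffic only as the answer to a
    flow the host opened itself; outbound holds (proto, remote_ip, remote_port, local_port)."""
    return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port) in outbound


def flawed_policy(pkt, outbound):
    """Models the hole described in the post: any packet with *source* port 67 is
    admitted unconditionally (presumably so DHCP replies never get blocked).
    The sender chooses the source port, so the exemption covers an entire scan."""
    return pkt.src_port == 67 or is_reply(pkt, outbound)


def hardened_policy(pkt, outbound):
    """Same DHCP intent, bound to the shape DHCP traffic actually has:
    UDP from server port 67 to client port 68. Nothing else is exempted."""
    if pkt.proto == "udp" and pkt.src_port == 67 and pkt.dst_port == 68:
        return True
    return is_reply(pkt, outbound)


def admitted_probes(policy, outbound, scanner_ip="203.0.113.7"):
    """Count how many TCP probes of ports 130-140 (the range in the post's nmap
    line), all carrying source port 67, the given policy lets through."""
    return sum(1 for port in range(130, 141)
               if policy(Packet("tcp", scanner_ip, 67, port), outbound))


# Constructed reject-log format; real firewalls each use their own layout.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DROP (?P<proto>TCP|UDP) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$"
)


def classify_reject(proto, src_port, dst_port):
    """Heuristic labels for the warnings the post says newcomers mistake for attacks."""
    proto = proto.lower()
    if proto == "udp" and dst_port == 137:
        # NetBIOS NodeStatus query from a Windows box resolving our address to a name.
        return "netbios-name-query (background noise)"
    if proto == "udp" and src_port >= 1024 and dst_port >= 1024:
        # High port to high port: typical of a chat or game session that outlived
        # the previous holder of this dynamic IP.
        return "stale-session-residue (likely previous IP holder)"
    if proto == "tcp" and dst_port < 1024:
        # Unsolicited connection attempt to a service port: this one deserves a look.
        return "service-port-probe"
    return "unclassified"


def triage(lines):
    """Parse reject-log lines and count them per label, so one glance shows how
    much of the log is noise and how much needs attention."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            counts["unparseable"] += 1
            continue
        counts[classify_reject(m["proto"], int(m["sport"]), int(m["dport"]))] += 1
    return counts


# Constructed sample log, not taken from any real firewall.
SAMPLE_LOG = [
    "2001-05-04 21:03:12 DROP UDP 192.168.128.90:137 -> 192.168.128.88:137",
    "2001-05-04 21:03:13 DROP UDP 10.20.30.40:137 -> 192.168.128.88:137",
    "2001-05-04 21:03:14 DROP UDP 198.51.100.9:27015 -> 192.168.128.88:51234",
    "2001-05-04 21:03:15 DROP TCP 203.0.113.7:4455 -> 192.168.128.88:135",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    no_flows = set()
    print("probes admitted by flawed policy:  ", admitted_probes(flawed_policy, no_flows))
    print("probes admitted by hardened policy:", admitted_probes(hardened_policy, no_flows))
    for label, n in triage(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {label}")
```

With no outbound flows the flawed policy admits all eleven probes and the hardened one admits none, while still passing a genuine DHCP reply (UDP 67 to 68) and replies to connections the host opened. The triage heuristics are deliberately coarse; their value is in separating the bulk of UDP/137 noise from the few inbound TCP attempts on service ports that are worth investigating.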
JDevil
Nice tutorial! Thanks!...But while having a look at the topic I had to smile... Vulnerabilities sounds better.
Lol exactly hahhahahah, thanks for the kind words
Sent from my SAMSUNG-SGH-I317 using xda app-developers app
Pretty amazing read, I'm impressed. What OS do you use on your home PC jeremyandroid? Just curious?
js663k1 said:
Pretty amazing read, I'm impressed. What OS do you use on your home PC jeremyandroid? Just curious?
Kali Linux, been a while bro, still got your badge in signature hahahha nice, even though I haven't done anything in a long time but papers.

[Q] How do I analyse SSL network traffic in apps on uncommon ports?

I recently started looking into the data that applications, especially the free ones, send to the net.
I wanted to know if they leak personal data to their coders.
Therefore I decided to redirect connections through a proxy software on my computer.
I installed http://www.charlesproxy.com/ and added their SSL CA to the trusted certificates on my cellphone.
It was quite interesting to see what kind of requests certain apps make to the internet, especially when you look inside the SSL-encrypted connections.
I then found out that some connections seemed to be missing from that analysis, not enough traffic showed up in the proxy compared to the network activity.
So I used https://play.google.com/store/apps/details?id=lv.n3o.shark and the resulting file was quite a few times bigger.
It contained connections to other ports than 80/443, which I saw in Charles.
So my questions are: Does Android ignore the proxy for non-HTTP(S) requests?
How can I redirect EVERY request to my computer and strip the SSL from it to look inside?
I suspect some of the applications to use basic stuff like JSON, XMPP and XML but cannot prove it currently.
As a beginner, I might also be using the wrong tools.
You may be able to run tcpdump on your router to see what exactly your phone is connecting to, then see if it corresponds to your proxy traffic.
That does not help to look inside the SSL-encrypted tunnel, unfortunately.

Public Wifi and Android [in]security

Open question to all, especially if you frequent establishments with open wifi --- What, if any, security do you use? I'd hope some kind of firewall, possibly a private VPN? And more importantly, have you actually verified it provides you with any kind of security?
My issue is this - No matter what I do, cellphones leak data like a waterfall. Seems basically impossible to tell the damn devices to stop broadcasting to the world. Don't call home to clients1.google.com (or any incarnation thereof, and there are many). Don't enable bonjour / zeroconf. Etc.
I literally have no browser installed, yet I noticed connecting to open Wifi with portals brings up some kind of browser. Does it store cookies? Does it leak my device id, model, serial # .. IMESI? (believe it or not, some applications try to stuff that in an HTTP header).
One of the biggest reasons I ever rooted my phones is that I've tried rootless firewalls; they do nothing but have a nice GUI.
It's bloody infuriating.
