Post

Android Audit with Ghost

The EntySec Ghost Framework offers a powerful suite of commands and functions specifically tailored for Android penetration testing, making it a valuable tool for security professionals and ethical hackers focused on Android device security. Here’s a detailed look at some of its core commands and functions, and how they can be applied in security assessments:

Key Commands and Functions

  • Connection Management Commands
    • connect - Connects to a target Android device’s IP address via the Android Debug Bridge (ADB) if the ADB service is enabled on the device.
    • disconnect - Disconnects from the connected device, allowing testers to terminate the connection quickly.
    • devices - Lists all devices currently connected to Ghost Framework, displaying information such as IP addresses and connection statuses.
1
2
3
4
5
6
7
8
9
10
11
12
(ghost)> connect 192.168.2.101
[*] Connecting to 192.168.1.101...
[+] Connected to 192.168.1.101!

[i] Type devices to list all connected devices.
[i] Type interact 0 to interact this device.
(ghost)> devices

Connected Devices:

    ID    Host             Port
    0     192.168.1.101    5555

These commands form the core of the framework, enabling testers to establish and terminate connections to Android devices.

  • Device Information Retrieval Commands
    • battery - Shows the battery status of the connected device, which can be useful in determining device activity.
    • network - Displays network-related information, such as IP addresses, MAC addresses, and network type (Wi-Fi, cellular, etc.), giving insights into the device’s connectivity.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
(ghost)> interact 0
[*] Interacting with device 0...
[+] Interactive connection spawned!

[*] Loading device modules...
[i] Modules loaded: 13
(ghost: 192.168.1.101)> help

Core Commands:

    Command    Description
    clear      Clear terminal window.
    exit       Exit console.
    help       Show all available commands.
    quit       Exit console.
    source     Execute specific file as source.


Manage Commands:

    Command       Description
    download      Download file from device.
    keyboard      Interact with device keyboard.
    list          List directory contents.
    network       Retrieve network informations.
    openurl       Open URL on device.
    press         Press device button by keycode.
    screenshot    Take device screenshot.
    shell         Execute shell command on device.
    sleep         Put device into sleep mode.
    upload        Upload file to device.

Press Enter for more, 'a' for all, 'q' to quit:

These commands help testers understand the target device’s setup and network environment, providing a foundational overview before further testing.

  • File System Access and Management Commands
    • list - Lists files and directories in the specified path on the Android device.
    • cd - Changes the current working directory on the target device, allowing testers to navigate through the file system.
    • download - Pulls files from the target Android device to the local system.
    • upload - Uploads files from the local system to the target Android device.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
(ghost: 192.168.1.101)> list /

Directory /:

    Name                           Mode     Size       Modification Time
    .                              16877    4096       1970-01-01 01:00:19
    ..                             16877    4096       1970-01-01 01:00:19
    Reserve0                       16877    16384      1970-01-01 01:00:00
    acct                           16749    0          1970-01-01 01:00:06
    bin                            41380    11         2008-12-31 16:00:00
    bugreports                     41380    50         2008-12-31 16:00:00
    cache                          16888    4096       2008-12-31 16:03:01
    charger                        41380    13         2008-12-31 16:00:00
    config                         16877    0          1970-01-01 01:00:01
    d                              41380    17         2008-12-31 16:00:00
    data                           16889    4096       2008-12-31 16:03:03
    default.prop                   41344    23         2008-12-31 16:00:00
    dev                            16877    1560       1970-01-01 01:00:11
    etc                            41380    11         2008-12-31 16:00:00
    file_contexts.bin              33188    763704     2008-12-31 16:00:00
    init                           33256    1711440    2008-12-31 16:00:00
    init.environ.rc                33256    1139       2008-12-31 16:00:00
    init.rc                        33256    29580      2008-12-31 16:00:00
    init.recovery.sun50iw6p1.rc    33256    328        2008-12-31 16:00:00
    init.usb.configfs.rc           33256    7690       2008-12-31 16:00:00
    init.usb.rc                    33256    5646       2008-12-31 16:00:00
Press Enter for more, 'a' for all, 'q' to quit:

These commands are essential for file exploration, providing access to data stored on the device, which can be critical when assessing sensitive information exposure.

Practical Applications in Security Testing

  • Network Security Testing: Ghost Framework can test the security of the ADB protocol, especially if the device is inadvertently exposed to public networks.
  • Application Security Assessment: By listing installed applications and their versions, testers can identify outdated or potentially vulnerable apps, which could be exploited.
  • Forensic Analysis: Ghost Framework’s remote access capabilities enable real-time forensic analysis of an Android device’s file system and active applications, which can be useful for incident response.

It’s essential to remember that while Ghost Framework is a powerful tool, it is meant strictly for authorized testing. Unauthorized access to Android devices is illegal and unethical. Always obtain explicit consent before performing any penetration testing, and ensure compliance with relevant laws and regulations.

Final Notes

Ghost Framework offers deep, hands-on interaction with Android devices, providing security professionals a robust toolkit for analyzing Android security. The framework’s capabilities underscore the importance of securing Android devices, especially by disabling the ADB service on devices that don’t require it and by applying security patches regularly to close known vulnerabilities.

This post is licensed under CC BY 4.0 by the author.