Mobile Pentesting

Now we can flash this ROM and Magisk (the root app) onto the phone. This assumes the phone already has an unlocked bootloader and TWRP recovery installed.

  • Power off the phone
  • Hold volume-up + power
  • TWRP boots
  • Go to: Wipe
    • Swipe to Factory Reset
    • Format Data -> Yes
  • Go to: Advanced
    • ADB Sideload
      • Select wipe cache & dalvik
      • Slide to start ADB Sideload
  • On the PC side go to the directory of the newly created ROM
    • Type: adb sideload PixelExperience_lavender_10.0-20200130-0720-UNOFFICIAL.zip
  • When ROM installation finishes go back and sideload Magisk
    • Type: adb sideload Magisk.zip
  • Now reboot the phone
  • First boot could take some time. Be patient

After the phone boots, go through the usual setup (Wi-Fi, Google account, etc.), then go to magiskmanager.com to download and install Magisk Manager.

If successful, it should look like this:

So what we have achieved so far is a rooted Android phone with the proper modules installed. Next we need to install Termux and the Kali NetHunter chroot to take advantage of the huge collection of pentesting software Kali offers, although I'm only going to use Wifite and Bettercap in this example.

Install Termux through the Google Play Store and start it up.

In Termux, first update the package lists:

pkg update

Then install the root-repo:

pkg install root-repo

Now we can load the wireless adapter driver modules (here the ath9k-htc and mt7601u USB drivers):

tsudo /system/bin/modprobe -d /vendor/lib/modules/ ath9k-htc
tsudo /system/bin/modprobe -d /vendor/lib/modules/ mt7601u

To load the modules automatically at Termux startup, create a script called m.sh:

pkg install nano
nano m.sh

Insert the following code into m.sh:

#!/bin/bash

# Make the Android system binaries (including modprobe) reachable from Termux
export PATH=$PATH:/system/bin/

# Directory holding the kernel modules on this ROM
modules="/vendor/lib/modules/"

# Load the USB wireless adapter drivers as root
tsudo modprobe -d "$modules" ath9k-htc
tsudo modprobe -d "$modules" rt2800usb
tsudo modprobe -d "$modules" mt7601u

Make m.sh executable and edit your .bashrc:

chmod +x m.sh
nano ~/.bashrc

Add this line to .bashrc so the script runs every time a Termux shell starts:

bash m.sh
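A more defensive version of the startup script, added here as an example rather than the article's own m.sh: it reads /proc/modules to skip drivers that are already loaded and reports any modprobe failure instead of ignoring it. It assumes the same module directory and tsudo wrapper used above; the module list fed to the functions is constructed sample data, not output from a real device.

```shell
#!/bin/sh
# Added example (not the article's m.sh): load the wireless driver modules
# only when they are not already present, and report modprobe failures.
# Assumes the module directory and the tsudo wrapper used in the article.

MODULES_DIR="/vendor/lib/modules/"
WANTED="ath9k-htc rt2800usb mt7601u"

# /proc/modules lists names with underscores; modprobe accepts hyphens.
canon() { printf '%s' "$1" | tr '-' '_'; }

# is_loaded NAME MODLIST: MODLIST is the text of /proc/modules (the first
# field of each line is the module name). Returns 0 if NAME is loaded.
is_loaded() {
    _name=$(canon "$1")
    printf '%s\n' "$2" | awk -v m="$_name" '$1 == m { found = 1 } END { exit !found }'
}

# missing_modules MODLIST: print the wanted modules that are not yet loaded.
missing_modules() {
    for _m in $WANTED; do
        is_loaded "$_m" "$1" || printf '%s\n' "$_m"
    done
}

# load_missing: modprobe each missing module; exit status is the failure count.
load_missing() {
    _fail=0
    for _m in $(missing_modules "$(cat /proc/modules 2>/dev/null)"); do
        if tsudo modprobe -d "$MODULES_DIR" "$_m"; then
            echo "loaded $_m"
        else
            echo "failed to load $_m" >&2
            _fail=$((_fail + 1))
        fi
    done
    return "$_fail"
}

# Only act on a device where the Termux root wrapper exists; elsewhere the
# functions are merely defined so the file can be sourced or tested.
command -v tsudo >/dev/null 2>&1 && load_missing
```

Running `lsmod` afterwards confirms which of the three drivers are actually present before plugging in the adapter.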