Create Your Own Network Exploitation Multitool: A Step-by-Step Guide (Part 2)

This guide will focus on developing a tool that can interfere with devices on a network — specifically intercepting data. This part (Part 2) will describe the tools you can install.

10 min read · Apr 10, 2025
My network exploitation device!

DISCLAIMER: THIS ARTICLE IS ONLY FOR EDUCATIONAL PURPOSES. I AM NOT LIABLE FOR ANY ACTIONS YOU TAKE. DO NOT PERFORM NETWORK EXPLOITATION ATTACKS ON NETWORKS WITHOUT PROPER PERMISSIONS. I DO NOT CONDONE NETWORK ATTACKS ON PUBLIC OR PRIVATE NETWORKS.

If you haven’t read part 1 yet, you probably should! Check it out here.

Network exploitation is super interesting. We’re all under the impression that our data makes it from one side of the world to the other, safely, without any issues. While that’s mostly true, you can get your data stolen before it even makes that long trip to the other side of the world.

Anyways, this tutorial is going to explain (and show) how easy some of these attacks can be.

“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.” — Gene Spafford

Anyways, the first tutorial (the hard part) clearly (I hope?) detailed how you can take an Android device and root it so that you have complete freedom with the device. After achieving “complete freedom” (rooting your device), you’ll be able to use the network adapter for whatever you wish.

Who’s my arms dealer?

The first tutorial clearly explained that rooting your device is difficult to do because, well, you really shouldn’t be rooting your device. Rooting your device opens the possibility for certain apps on your phone to spy on you, steal data, and spread malware without any ability to stop it. You might want to uninstall DeepSeek once you root your phone (I’m kidding).

But the answer to the question of “who’s my arms dealer,” is just any site that’s credible and has apps downloaded by many people. If you’re downloading APK files off of Pirate Bay, you’re better off just downloading DeepSeek (I’m kidding). My “arms dealer” of choice is NetHunter Store.

NetHunter Store is a pretty credible repository for penetration testing tools that you can install on your Android device. As the screenshot shows, NetHunter Store lets you download many tools, some of which aren’t “cyberweapons” so to speak. Even if you’re not a script kiddie, there are many tools on here which you may find useful.

Note: One specific thing you could do is fully install Kali Linux onto your phone. However, I wanted more freedom with the apps I could install and decided against it. You can install Kali Linux on your device using Kali NetHunter.

Isn’t NetHunter Store so much cooler than Google Play store?

The Basic Tools

I can’t just put you all onto the network exploitation tools immediately. I instead want to showcase some general tools that are actually useful (and not just tools that you can use to perform office pranks).

Termux

Termux is an absolutely wonderful tool that lets you use a Linux terminal on your phone. I’ve personally used this many times for when I’ve needed to connect to my Raspberry Pi via SSH, needed to ping a device, or had to run a quick script. Through Termux you can run Python scripts, Java applets, C++, and even run an Apache website.

You’ll be able to use Termux without rooting your device too! I have it on my regular phone and it’s great. However, don’t expect to have access to sudo unless you root your phone.

bVNC Pro

I find this tool super useful. I work with Raspberry Pis often, and it’s super handy to be able to connect to the Pi and quickly see the Pi headless display on my phone. Having a tool that lets you handle VNC connections is a must for me, at least.

aRDP Pro

This is also great. I have an RDP service running on my PC, and this app lets me connect to my computer when I need access to some specific files. You should see the faces of my friends when I show them a Windows 11 desktop on an Android from the Mesozoic era.

Cooler Tools

Termux is great and all, but it can be a bit annoying to run a script for every use case. Instead, we can just download some specific apps that run penetration tests easily.

zANTI

This tool is a great tool for doing genuine network testing and hardening on a private network. It helps find vulnerabilities in your network and also helps with identifying other devices on your network. This tool is a bit underground, but useful, nonetheless. Honestly, I don’t use it too often, because I use a better alternative (which I’ll get to later in this article!).

WHID Injector

This tool is just hilarious to have on my burner phone. People ask me constantly why the hell I have an app with a weed logo on my home screen, and I’m not too sure what to tell them.

Anyways, WHID Injector is the type of tool you might find in Mr. Robot or Watch Dogs 2. This tool is probably used for infiltrating corporate data centers or supercomputers, and I don’t really know why any normal person would need this. But it’s cool anyways! Not too sure why I decided to install it on my phone. But what does it do?

WHID Injector is a Wi-Fi enabled HID injector. It’s basically a small ESP32 (or some other microcontroller) that can connect to a device through USB. These little pen drives act (and show up) as a keyboard/mouse peripheral device on the host machine, and the host accepts their keystrokes and mouse movements as it would from any other input device. A malicious actor can then connect to these USB microcontrollers over Wi-Fi and execute keyboard shortcuts/commands on the host device as they wish.

Plugging this device into a machine can basically provide you RCE (remote code execution) — a very high level of access to a host. However, achieving this feat would require physical access to the machine you’re trying to attack. The WHID Injector app basically allows you to remote control these WHIDs from afar so you can do hacking sprees on-the-go.

Rucky

This tool is just like WHID Injector, except the keyboard/mouse emulation occurs on your phone instead of those microcontrollers. You just connect your phone to the host and run something called “DuckyScript,” which executes a series of keyboard shortcuts/operations on the host machine.

Unfortunately, Rucky ended up not being supported for my phone. Hopefully you have better luck!

Orbot

Why would someone need Tor on their phone? That question is beyond me. Anyways, Orbot (Android Onion Routing Robot) provides a frontend to the Tor binary and gives you an HTTP proxy that you can use to connect to the Tor SOCKS interface.

I do not condone the use or access of onion websites/darknet sites! Do not let curiosity get the best of you, because if you do, there’s a slight chance you’ll get hunted down and sent to a red room. Stay safe on there and use a secure browser.

WiGLE WiFi Wardriving

Ever heard of the WiGLE database? Yeah, me neither. Anyways, the WiGLE WiFi Wardriving kit lets you access the WiGLE database to geolocate certain WiFi, Bluetooth, and cellular signals using Android devices. Might be useful if you’re trying to find someone’s location.

cSploit

This is the tool I’ve been gatekeeping. cSploit is a fully functional network exploitation multitool that lets users conduct live attacks on their respective networks.

“In other words, don’t be stupid, don’t be an asshole, and use this tool responsibly and legally.” — cSploit Developer Team

As shown above, cSploit performs powerful host discovery. This is honestly really useful, because I’m able to quickly find the IP address of my Raspberry Pi when it automatically connects to my target network (this is what I use instead of zANTI). But let’s be honest, that’s not what we’re here for.

The most useful (and interesting) tool in my opinion is the MITM suite. Using a classic MITM attack, cSploit is able to redirect your HTTP traffic to another host, listen for site sessions, and even replace content on your webpage. Terrifying!

Here are some other modules in cSploit that could be useful:

  • Simple Sniff: Redirects victim’s traffic to you and saves it to a PCAP file for future analysis!
  • Password Sniffer: Specifically searches for passwords for FTP, SSH, IMAP, and other protocols over the network.
  • DNS Spoofing: Supposed to perform a DNS poisoning attack and redirect users to a fake website when they request one. I never was able to get this module to work, but it was cool, nonetheless. Maybe someone reading this article will have better luck.
  • Session Hijacker: Listens for cookies on the network and allows you to see what websites your victim is using. Only works for certain websites!
  • Replace Text/Images: It does exactly what you think it does.
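From the defender's side, traffic redirection on a LAN usually leaves a trace in each victim's neighbour (ARP) table. The following is an added example, not code from the original article or from cSploit: it assumes the redirection is done by ARP spoofing (the article does not name the mechanism), and the sample `ip neigh show` output, addresses and baseline MAC are constructed.

```python
import re
from collections import defaultdict

# IPv4 rows of `ip neigh show`; FAILED/INCOMPLETE rows carry no lladdr and
# IPv6 rows are out of scope for ARP, so neither matches.
NEIGH_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return (ip, interface, mac) for every resolved IPv4 neighbour."""
    rows = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3).lower()))
    return rows

def find_arp_anomalies(text, gateway_ip, baseline_gateway_mac=None):
    """Flag MACs answering for several IPs and a gateway MAC that changed."""
    by_mac, gateway_mac = defaultdict(set), None
    for ip, dev, mac in parse_neigh(text):
        by_mac[(dev, mac)].add(ip)
        if ip == gateway_ip:
            gateway_mac = mac
    findings = []
    for (dev, mac), ips in sorted(by_mac.items()):
        if len(ips) > 1:
            severity = "high" if gateway_ip in ips else "review"
            findings.append((severity, f"{mac} on {dev} answers for {sorted(ips)}"))
    baseline = (baseline_gateway_mac or "").lower()
    if baseline and gateway_mac and gateway_mac != baseline:
        findings.append(("high", f"gateway {gateway_ip} changed {baseline} -> {gateway_mac}"))
    return findings

SAMPLE = """\
192.168.1.1 dev wlan0 lladdr DE:AD:BE:EF:00:42 REACHABLE
192.168.1.23 dev wlan0 lladdr de:ad:be:ef:00:42 STALE
192.168.1.50 dev wlan0 lladdr b8:27:eb:12:34:56 REACHABLE
192.168.1.77 dev wlan0  FAILED
fe80::1 dev wlan0 lladdr 00:11:22:33:44:55 router REACHABLE
"""  # constructed output, not a real capture

if __name__ == "__main__":
    for severity, message in find_arp_anomalies(SAMPLE, "192.168.1.1", "00:11:22:33:44:55"):
        print(severity, message)
```

A "review" finding is not necessarily hostile: a host with several IPv4 addresses on one interface produces the same pattern, so only the gateway cases are graded high.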

cSploit Limitations

No point in using cSploit unless you understand where it fails. If cSploit were really this powerful, we’d have some problems a lot bigger than what we have right now.

Luckily, the existence of MITM attacks was discovered fairly early in the birth of the internet, and some geniuses decided to invent SSL/TLS certificates.

For those of you unaware of what an SSL certificate is, don’t worry! An SSL certificate is basically a digital file made up of a long string of characters. It’s used to cryptographically prove the integrity of a webpage (or any media you get from the internet). SSL also encrypts the information you send to and from a site (like passwords, credit card numbers, or messages) so that people like me can’t snipe it.

These certificates validate the contents of a webpage and help your browser identify if the site content has changed. If the site content has been altered, the certificate will no longer be valid cryptographically, and your browser will usually try to stop you from accessing the page. You’ve probably seen this before:

When this shows up on your screen, you’re probably visiting a site that has a misconfigured SSL certificate (which is most likely the case) or you’re actually facing an MITM attack (which is unlikely). Either way, when the browser tells you that your connection isn’t private, it’s not lying.

When we use the “replace text/images” module on cSploit, we perform SSL Stripping, and we downgrade the user’s connection to HTTP. Once we bring them down to HTTP, we’re able to modify the site content. At this point in time, you’d receive the “your connection is not secure” message from the browser, because the certificate is not valid at all.

Why am I telling you all of this? Well, it’s because cSploit has this limitation. You can’t go around performing MITM attacks on all your co-workers because victims will be hit by the “your connection is not secure” message from the browser. However, some people (I’ve definitely done this before) choose to ignore the message and navigate to the website anyways by clicking the “I trust this website” button. If they end up doing that, well, they can face the consequences.
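Whether a browser refuses the downgrade to HTTP outright depends on whether the site has set an HTTP Strict Transport Security (HSTS) policy, which tells the browser never to use plain HTTP for that host. The following is an added example, not code from the original article or from cSploit, that grades response headers by how much of the downgrade they block; the 180-day threshold and the sample responses are constructed assumptions.

```python
import re

MIN_MAX_AGE = 15552000  # 180 days: assumed policy threshold, not from the article

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # a repeated directive invalidates the whole header
            return None
        seen[name] = arg.strip().strip('"')
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None  # max-age is mandatory and must be a non-negative integer
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def downgrade_exposure(scheme, headers):
    """Grade one response; headers is a dict of header name -> value."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if scheme != "https":
        return "exposed: plain HTTP, browsers ignore HSTS sent over it"
    if value is None:
        return "exposed: no HSTS header"
    policy = parse_hsts(value)
    if policy is None:
        return "exposed: malformed HSTS header"
    if policy["max_age"] == 0:
        return "exposed: max-age=0 clears any stored policy"
    if policy["max_age"] < MIN_MAX_AGE:
        return "weak: policy expires quickly"
    if not policy["include_subdomains"]:
        return "partial: subdomains can still be downgraded"
    if policy["preload"]:
        return "protected: preload requested"
    return "protected: after the first HTTPS visit"

SAMPLES = [  # constructed responses, not captured traffic
    ("https", {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
    ("https", {"Content-Type": "text/html"}),
    ("https", {"strict-transport-security": "max-age=0"}),
    ("http", {"Strict-Transport-Security": "max-age=63072000"}),
    ("https", {"Strict-Transport-Security": "includeSubDomains"}),
]

if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, "->", downgrade_exposure(scheme, headers))
```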

cSploit MiTM Demo (Watch my demo video here!)

Replacing content on a page

When I was first playing around with this tool, I was script-kidding around and replacing the images on my browser with stupid memes. But think about it, you have the ability to change any content on a webpage. This means we can perform JavaScript injection on a webpage.

With the ability to inject JavaScript into a webpage, our attack surface just got significantly larger. While you could go writing your own JavaScript payloads to inject, some people have already done that.

Here’s my repository of JavaScript payloads compatible with cSploit. To be honest, I think a few of the payloads here don’t work. But I’m plugging this here anyways because I want more followers on GitHub.

BeEF

BeEF is a tool I looked into a while ago that could be applied here. BeEF (The Browser Exploitation Framework) allows attackers to “hook” a browser and proceed with a series of attacks through the JavaScript injected into a page. BeEF is basically just my suite of JavaScript payloads, but much more sophisticated.

Unfortunately, BeEF also has its limitations. Many modern web browsers are immune to the attacks you can perform on BeEF, so it might seem a bit useless. Additionally, BeEF can only hook browsers on the same network as you (it might be possible by punching a hole through the NAT). I personally have not been able to implement BeEF hooking with JavaScript injection, but hopefully someone reading this article can achieve it.

Conclusion

Jailbreaking and using these cybertools is for sure fun, and a great way to get into cybersecurity. I really wanted to cover some niche cybersecurity topics in this article — there aren’t many articles out there telling you the best tools to install on a rooted Android device. I hope you enjoyed reading this and I hope we can make the internet a safer place (even if this article seems counterintuitive!).

With great power comes great responsibility.

Agneya Tharun