Android Application Security Testing using zANTI?
Updated: Jul 8, 2018
zANTI is a penetration testing toolkit developed by Zimperium Mobile Security for cyber security professionals. Basically, it allows you to simulate malicious attacks on a network. With the help of zANTI, you will be able to perform various types of operations such as MITM attacks, MAC address spoofing, scanning, password auditing, vulnerability checks and much more. In short, this android toolkit is a perfect companion of hackers.
What can you do using zANTI ?
Change device’s MAC address.
Create a malicious WiFi hotspot.
Hijack HTTP sessions.
Modify HTTP requests and responses.
Check a device for shellshock and SSL poodle vulnerability.
Before installing Zanti your Phone must be rooted .In case your phone is not rooted search in the site you will find how to root android its very easy.
How To Use zANTI:
3. Enter your email address and then check the "I accept Zimperium's EULA" box. Then tap on "Start Now". A pop-up window will appear: 4
4. If you want to join zNetwork, tap on "Enable", otherwise tap on "Skip". Wait for some seconds, it will display a screen as shown below:
5. Tap on "Skip" and then enable zANTI (simply check the "I am fully authorized to perform penetration testings on the network" box):
6. Tap on "Finish". You will see a screen as shown below
Now, let's talk about the program modules......
Mac changer allows you to change your WiFi Media Access Control (MAC) Address.
How To Use Mac Changer:
1. Use the navigation key (or swipe from the left). You will see a screen as shown below.
2. Tap on "MAC Changer"
3. Tap on "Set new MAC Address". Wait for few seconds, you will get a new MAC address!
If you want to use a custom MAC address, turn off "Generate Random" and then type the MAC address you want. Then tap on "Set new Mac Address".
Moving onto the next one.....
It allows you to create a WiFi hotspot and control your network traffic.
How To Use zTether:
Note: Before using zTether, you must turn off the WiFi on your device.
1. Tap on "zTether". You will see a screen as shown below.
2. Turn on "Tether Control" and then allow users to connect to your network. Once you got at least one user on your network, you can start playing with the traffic!
3. If you got a user on your network, tap on the first (Logged Requests) "View" to see all the HTTP requests made by the user(s) on your network. It may contain passwords and other sensitive information (See the image below).
You can tap on any logged activity to get more details (sessions, passwords, requests and user agents):
If you want to hijack an HTTP session, just tap on a session. It will open up the victim's session on your device.
Use the second "View" (Logged Images) to see all the images that are transmitted on your network. This includes all images requested by the users (see the image below).
Moving onto the next program module....
It allows you to modify HTTP requests and responses on your network. It is basically an interactive mode that can allow you to edit and send each request and response.
How To Use zPacketEditor:
First, tap on "zPacketEditor" and then turn on the module. You will see the live requests and responses there (1). If you want to edit a particular request or response, swipe it to the right (2). After the edit, you can tap on "Send" button (3).
Moving onto the next functionality....
SSL Strip is a type of Man In the Middle Attack that forces victim's browser into using HTTP instead of HTTPS (SSL Strip is turned on by default).
Note: Websites using HSTS (HTTP Strict Transport Security) are immune to SSL Strip attacks.
Moving onto the next one......
It allows you to redirect all HTTP traffic to a site or server. For example, If you turn on the "Redirect HTTP", it will redirect all HTTP traffic to Zimperium servers (default configuration). But if you want to forward all the traffic to a particular site, tap on the settings icon, you will see an area to enter a URL (see the image below). Enter a URL in the field and then again tap on the settings icon.
Now moving onto my favorite MITM module....
It enables you to replace website images (victim's web browser) with your own image. In order to replace images, first, tap on the settings icon and then tap on "Select Image":
After selecting an image from your device, tap on the settings icon (see the image below):
Now, the users will see the selected image everywhere on the web!
Moving onto the next one.....
It allows you to intercept and download all specified files to the SD card. For example, if you want to capture pdf files, you have to tap on the settings icon and then select the .pdf from the menu. Then turn on "Capture Download".
Intercept Download allows you to replace a downloaded file with a specified file. In order to intercept and replace victim's downloaded files, you have to tap on the settings icon. Then tap on "Select File" to select a file:
After selecting the file, tap on the settings button again and then turn on "Intrecept Download".
It enables you to insert specified HTML codes into web pages. If you want to display an alert box saying "zANTI Test", just turn on the "Insert HTML" module. But if you want to insert your own codes into the web pages, you have to tap on the settings icon and then enter your HTML codes. Then tap on settings icon again.
It allows you to monitor WiFi strength, name and MAC address.
It enables you to run an HTTP server on your android device. All you have to do is tap on "HTTP server" and then turn on that program module:
Note: You can also create directories and store files on the server.
Now it's time to go back to the main window.
At the top of the screen, you can see 4 functions. The first one shows the devices found on the target network (history). The second one is used to map/remap the network. Third one is a search function that can be used to search a particular device. Last one is an "Add Host" function that is used to add a particular host to the current network.
How To Scan a Target Device?
First, select a device on your network (just tap on it). You will see a screen as shown below:
Then tap on "Scan". You will see the below screen:
You can change the "Scan Type" if you want. You can also run a script while scanning the target, all you have to do is select the required script from the "Execute Script" menu. It also includes a function called "Smart Scanning", for identifying vulnerabilities of the target device.
After setting the scan options, tap on "Go" to start scanning the device. When the scan completes, zANTI will show a notification as shown below:
You can get the scan report by tapping on "Nmap Scans" (see the image below):
How to Establish Connection to a Device?
Follow the below procedures:
1. Select the target device, then tap on "Connect to Remote Port". You will see a screen as shown below:
2. Tap on any port, ConnectBot will connect your device to the host.
Password Complexity Audit
It is a program module that you can use to analyze the password strength. That means it can help you to strengthen your system security.
Here is how to do password complexity audit using zANTI:
1. Select the device you want to audit. Then tap on "Password complex audit". You will see a screen as shown below:
How To Perform MITM Attack?
Performing Man In The Middle attack with the help of zANTI is easier than anything. Follow the below procedures to perform MITM attack: 1. Select the target and then tap on "Man in the Middle". You will see a similar window as in "zTether" (Except the "MITM method"):
The program module named "MITM method" is used to select your favorite MITM technique. Two methods are available: ARP (Address Resolution Protocol) and ICMP (Internet Control Message Protocol).
You may ask "what is the difference between these two methods?" Here is the answer:
ARP MITM attack works by spoofing MAC address within the LAN. That is, the attacker's machine acts as the target device and router at the same time.
From the view of the Router - Attackers machine is the user's machine.
From the view of victim's computer - Attackers machine is the router.
ICMP MITM attack works by spoofing an ICMP redirect message to the router. The spoofed message re-routes the victim's traffic through an attacker-controlled router.