Meanwhile I think I've fallen in love with Androguard. I love its Pythonic way of handling things and its visualization features. As many of you may have noticed, you can run Androguard inside a Docker container. I had never used Docker before, so it was about time. You can find some general information about the installation process on Arch Linux at this address.
Extensions
On my main pentest machine (kudos to @blackarch) I've installed docker and followed these instructions. Here is my service file:
!cat /etc/systemd/system/docker.service
I've added myself to the docker group in order to be able to start docker as a regular user:
# sudo gpasswd -a cyneox docker
Afterwards make sure you enable the service:
# sudo systemctl enable docker
Now make sure you do a reboot (Windows style :D).
%%bash
# Check if docker is running
sudo systemctl start docker
ps -ax | grep docker
!docker info
Install Androguard
I could find three maintained dockerized Androguard images:
- https://github.com/adepasquale/docker-androguard
- https://github.com/dweinstein/dockerfile-androguard
- https://github.com/aikinci/androguard
The second one starts Androguard automatically, so you can't tweak the underlying system. So I decided to look at @aikinci's Androguard Docker container.
!docker run -it -v ~/samples/:/root/samples/ honeynet/androguard
I must say that was pretty fast. And easy to do! In the end you'll get a root bash prompt. Since the image does not provide all the tools I need, you'll have to install them manually. After you have exited from the container you can attach to it again. But first let's see which containers are currently active:
!docker ps -a
Now you can re-attach to a specific container by using docker attach:
# docker attach de3fbe90bdde
[email protected]:~#
Now I've installed some additional packages:
[email protected]:~# apt-get install openssh-server ipython ipython-notebook vim
...
Now change the root password:
[email protected]:~# passwd
...
Start SSH server:
[email protected]:~# /etc/init.d/sshd start
...
Now the most important part: you'll have to commit your changes to the image, otherwise all changes will be lost on the next start. On the machine running docker run:
# docker commit de3fbe90bdde
Network with docker
When started, docker creates a new virtual interface on the host machine called docker0 (more):
!ifconfig docker0
As you can see, docker chose a subnet and assigned an IP address to that interface. What about the guest machine?
[email protected]:~# ifconfig -a
eth0 Link encap:Ethernet HWaddr 02:5b:c7:1e:a8:26
inet addr:172.17.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::5b:c7ff:fe1e:a826/64 Scope:Link
UP BROADCAST RUNNING MTU:1500 Metric:1
RX packets:2225 errors:0 dropped:0 overruns:0 frame:0
TX packets:1949 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17216525 (17.2 MB) TX bytes:134553 (134.5 KB)
Can I reach the container from the host machine?
!ping -c 4 172.17.0.2
Looks good! Well, before I go to the next steps let me show my current pentest setup.
Pentest setup
%%blockdiag
blockdiag admin {
  // Outer group: the physical Arch Linux host.
  group first_group {
    label = "";
    color = "#FFF";
    Arch[label = "Arch Linux Host"];
    // The QEMU/KVM guests running on the Arch host.
    group kvm_group {
      label = "KVM/QEMU";
      textcolor = "#FF0000";
      color = "#EFEFEF";
      KaliLinux[label = "Kali Linux"];
      Windows[label = "Windows Pentest"];
      shape = line;
      style = dashed;
      // BlackArch is the guest that runs docker.
      group blackarch {
        label = "";
        textcolor = "#FF0000";
        color = "#EFEFEF";
        BlackArch[label = "BlackArch Host"];
        // The containers managed by docker inside BlackArch.
        group docker {
          label = "";
          color = "#77FF77";
          textcolor = "#FF0000";
          shape = line;
          Docker;
          Docker -> Androguard;
          Docker -> Container1;
          Docker -> ContainerX;
        }
      }
    }
  }
  // Edges between the host, its guests and docker.
  Arch -> BlackArch;
  Arch -> KaliLinux;
  Arch -> Windows;
  BlackArch -> Docker;
}
On my physical machine (Arch Linux Host) I run several QEMU instances:
- Kali Linux (Pentest)
- Windows (Pentest)
- BlackArch (Pentest)
A little bit of networking
Inside BlackArch I run docker, which manages several containers. Regarding the networking part, this is what I want to achieve:
- Be able to access Androguard from Arch Linux Host
- Be able to access Androguard from BlackArch Host
- Be able to access the Internet from Androguard
The first one is the most important to me, since I want to access the Androguard container directly, preferably through SSH. Since the Androguard machine gets a private IP address, it's obvious I can't access it yet. The packets must be routed through BlackArch Host. Let's check IPv4 forwarding:
!sysctl net.ipv4.conf.all.forwarding
OK for now. The Docker documentation states:
By default Docker containers can make connections to the outside world, but the outside world cannot connect to containers. Each outgoing connection will appear to originate from one of the host machine's own IP addresses thanks to an iptables masquerading rule on the host machine that the Docker server creates when it starts
After starting the Androguard container, let's check the firewall rules:
!sudo iptables -t nat -L
Having a further look at the documentation, I've found this:
More convenient is the -p SPEC or --publish=SPEC option which lets you be explicit about exactly which external port on the Docker server — which can be any port at all, not just those in the 49000–49900 block — you want mapped to which port in the container.
Now, let's stop the container and restart it with the -p parameter:
!docker ps -a
%%bash
docker stop 534dc09cc451
docker rm 534dc09cc451
!docker ps -a
!docker run -t -i -p 22 honeynet/androguard
Now let's check iptables again:
!sudo iptables -t nat -L
As you can see in the last line, all packets sent to localhost:49154 (which is BlackArch Host) will be forwarded to 172.17.0.4:22. Bingo! On Arch Linux Host I try to reach Androguard:
# telnet blackarch.local 49154
Trying 10.0.1.92...
Connected to blackarch.local.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
^C^C
Connection closed by foreign host.
Perfect!
Accessing IPython on Androguard
Now you could use port forwarding to access services on Androguard through the SSH tunnel. On the Androguard machine I usually start ipython-notebook to take notes etc. I usually run it as:
[email protected]:~/ipython# ipython notebook --no-browser --port 7000
2014-09-11 16:48:11.330 [NotebookApp] Created profile dir: u'/root/.ipython/profile_default'
2014-09-11 16:48:11.336 [NotebookApp] Using system MathJax
2014-09-11 16:48:11.350 [NotebookApp] Serving notebooks from local directory: /root/ipython
2014-09-11 16:48:11.350 [NotebookApp] The IPython Notebook is running at: http://127.0.0.1:7000/
2014-09-11 16:48:11.350 [NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
...
On Arch Linux Host I run:
# ssh -L localhost:7777:localhost:7000 [email protected] -p 49154
[email protected]'s password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.2.0-37-generic x86_64)
* Documentation: https://help.ubuntu.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
[email protected]:~#
As you can see, I've successfully logged into the Androguard machine through BlackArch Host using DNAT. On Arch Linux Host I can open the browser and point it to http://localhost:7777, which connects to IPython on the Androguard machine.
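As an added example (not part of the original post), here is a small POSIX shell script that does by script what the iptables check and the ssh -L step above do by hand: it parses the DNAT rules from an `iptables -t nat -L -n` listing, resolves a published host port to the container address behind it, and assembles the tunnel command. The listing and the second container entry are constructed; blackarch.local, port 49154 and the 7777/7000 tunnel ports are the values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Constructed sample of the DOCKER chain as printed by `iptables -t nat -L -n`
# (-n keeps ports numeric; the first rule mirrors the post's 49154 -> 172.17.0.4:22,
# the second is a made-up extra container).
SAMPLE_NAT='Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:49154 to:172.17.0.4:22
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:49155 to:172.17.0.5:22'

# list_dnat <nat_listing>: print one "host_port container_ip:port" pair per DNAT rule.
list_dnat() {
    printf '%s\n' "$1" | awk '
        $1 == "DNAT" {
            for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) hp = substr($i, 5)
            sub(/^to:/, "", $NF); print hp, $NF
        }'
}

# dnat_target <nat_listing> <host_port>: print the "ip:port" the published
# host port is DNATed to; exit non-zero when no rule publishes that port.
dnat_target() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "DNAT" && $0 ~ ("dpt:" port "( |$)") {
            sub(/^to:/, "", $NF); print $NF; found = 1
        }
        END { exit !found }'
}

# tunnel_cmd <docker_host> <published_port> <local_port> <container_port>:
# build the ssh command that forwards local_port to container_port through the
# sshd published on docker_host:published_port (same shape as the post's ssh -L line).
tunnel_cmd() {
    printf 'ssh -L localhost:%s:localhost:%s root@%s -p %s\n' "$3" "$4" "$1" "$2"
}

main() {
    echo "Published ports (host_port -> container):"
    list_dnat "$SAMPLE_NAT"
    target=$(dnat_target "$SAMPLE_NAT" 49154) \
        || { echo "no DNAT rule publishes port 49154" >&2; return 1; }
    echo "49154 is forwarded to $target"
    echo "Tunnel for the notebook on port 7000:"
    tunnel_cmd blackarch.local 49154 7777 7000
}

main "$@"
```

Because `-p 22` publishes on every host interface (source and destination are 0.0.0.0/0 in the rule), the same DNAT applies to connections arriving from Arch Linux Host; `-p 127.0.0.1:2222:22` would restrict the mapping to the loopback interface of BlackArch Host.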