Building an (Evil) Android Phone Bot Army

 Building an (Evil) Android Phone Bot Army


Why?

So, like you, I have a bunch of old, mostly-working phones. These are small, capable, computers that could be doing something - something good or evil πŸ™‚. What if I could somehow build them into a parallel compute cluster to break up large jobs into smaller pieces? Sounded like fun.

What?

Well, my first job was figuring out how to send tasks to the phones. My phones all run Android, so something ssh-based could work. How does one allow ssh into an Android phone? There are many ways, but the method I finally landed on was UserLAnd. Userland allows you to run a number of Linux distros on top of Android without rooting your phone. You can then access that distro via ssh or vnc. Very nice.


My next job was figuring out how to send tasks in parallel to multiple phones. My first thought was to use Ansible which is great at sending jobs/compliance checks to multiple machines. Ansible runs serially though. Oh, well. After some DuckDuckGo-ing, I found the multi-OS parallel command which does exactly what I want. 



And finally, what job do I want to parallelize? Many options, but I landed on the resource-intensive hashcat for cracking password hashes (passwords I already knew).



This makes our inventory:
  • Extra Android phones
  • The UserLAnd app on each phone
  • hashcat installed in UserLAnd on each phone
  • A "controller" OS that can run the parallel command (almost any)

How?

Install UserLAnd on each phone

Install the UserLAnd app on the phone. Choose a linux Distribution (I chose Ubuntu). You will be asked for a username and password and whether access should be vnc or ssh. Choose ssh.

Set up password-less ssh from the controller to each phone

You can use this password-less ssh tutorial I wrote a while back. The hardest part is finding the IP address of each phone as UserLAnd does not allow the "ip a" command to run. I looked at the DHCP table on my router to find the IP addresses of my phones.



Install hashcat on each phone

Now that you have password-less ssh set up on each phone, ssh to each phone and type "apt install hashcat"




Install parallel on the controller


Find the install instructions for parallel for your controller OS on the parallel web site and install parallel. For Ubuntu/Debian Linux, "sudo apt -y install parallel". For MacOS, "brew install parallel". For Windows, don't bother πŸ™‚

Collect all the hashcat parts needed on the controller

So, we are going to need a password dictionary file for cracking and a list of passwords to crack. The most common password dictionary file is rockyou.txt. You can download that file here on Kaggle among other places.

For passwords to crack, I wanted a list that wasn't too easy and wasn't too hard. I decided to build my own list of passwords that ended in a number and a special character. hashcat has a "dictionary + mask" mode that can be used to brute force these types of passwords. Passwords like "SpongeBob01!". First, I slimmed down the rockyou dictionary file to just passwords including "01!" using

grep 01! rockyou.txt > rockyou01.txt

That gave me 482 passwords to crack. I would rather have 480 to split evenly in 4 pieces so I ran this:

head -n 480 rockyou01.txt > rockyou480.txt

Now I have exactly 480 passwords to crack across 4 bots. To create the 480 MD5 hashes to crack, I used a little vi-fu to turn that list of passwords into a shell script (rockyou01.sh) to create 480 hashes. That shell script looks like this:

#!/bin/bash
echo -n 'zoey101!' | md5sum | tr -d ' -'
echo -n '9801!Jmc' | md5sum | tr -d ' -'
echo -n 'woody101!' | md5sum | tr -d ' -'
echo -n 'tigger101!' | md5sum | tr -d ' -'
echo -n 'shotgun01!' | md5sum | tr -d ' -'
echo -n 'seria101!' | md5sum | tr -d ' -'
echo -n 'rocky101!' | md5sum | tr -d ' -'
[snip]

I then ran "rockyou01.sh > rockyou01_480.md5" The top of that file looks like this:

$ head rockyou01_480.md5
f4b7dc4fa32a3e2aa6516fa08f2096ff
2e3e2ea1a34fc71ebdc45165444f4533
353b97a58a7e33300ce2cc1f2222b555
95d0ac3e58389faa9ab3c281309fcd66
87d3a7272bf293c97e45e69cde87ab57
60c8800eefaf6caebfdcd0ea4b230324
ef8af08f43dcc58f4a283d8e17deb1c6
f3104289cb3c8646aeea917375df4dc7
2d4492e766d99d10726948ffec74ef26
3f9d6897898b49716c4c7d02fcb2c21f


To make the cracking a little faster, I thinned down the enormous rockyou.txt to just passwords with the characters a-zA-Z. Here is how I did that with our friend grep:

$ grep -i -E "^[a-z](?:_?[a-z]+)*$" rockyou.txt > rockyou_azAZ.txt
$ wc -l rockyou_azAZ.txt
 4168380 rockyou_azAZ.txt

Now I have a whole bunch of password prefizes that I can brute force add numbers and special charcaters to the end of.  For instance, I now have these common Sponge Bob password prefixes:

SpongebobRules
SpongeboB
SpongeBOB
SponGebOB
SPONGEbob
SPONGEBOB_SCOOBY
SPONGEBOBSWIFEY
SPONGEBOBSQUARE
SPONGEBOBJOANNA
SPONGEBOBFAN
SPONGEBOBALDAY
PATRICKaNdSPOngeBoB



Experiment with Parallelizing hashcat

I learned a lot about how hashcat works while experimenting with splitting up hashcat across multiple computers. At first I thought splitting the number of hashes across multiple computers would be faster. Surely cracking 120 hashes would be faster than cracking 480 hashes. Nope. Same exact time. It turns out that the time spent is the time hashing each of the 4,168,380 passwords in the rockyou_azAZ.txt dictionary and testing against each of the hashes. Comparing 4M passwords to 120 hashes takes just as long as comparing 4M passwords to 480 hashes.


Here are the timing comparisons of "hashcat -m 0 -a 6 rockyou01_480.md5 [dictionary_file] ?d?d?s"
  • Entire rockyou_azAZ.txt password file processed on one bot: 
    • $ cat serial_hashcat.sh 
    • #!/bin/bash
    • #
    • #Bot Army
    • #prox-bot-01: 192.168.1.150
    • #prox-bot-02: 192.168.1.106
    • #prox-bot-03: 192.168.1.114
    • #prox-bot-04: 192.168.1.179

    • #scp hashcat files to bots
    • echo "Sending split dictionary files to bots..."
    • scp rockyou_azAZ.txt dennis@192.168.1.150:~/

    • #scp all hashes to bots
    • echo "Sending all hashes to crack to bots..."
    • scp rockyou01_480.md5 dennis@192.168.1.150:~/

    • #Clear any found passwords on bots
    • echo "Clearing any found passwords on bots..."
    • ssh dennis@192.168.1.150 "rm ~/.hashcat/hashcat.potfile"

    • #Run parallel
    • parallel -j 1 < serial_input.txt
    • $ cat serial_input.txt 
    • ssh dennis@192.168.1.150 "hashcat --quiet -m 0 -a 6 rockyou01_480.md5 rockyou_azAZ.txt ?d?d?s"
    •  
    • $ time ./serial_hashcat.sh
    • Sending split dictionary files to bots...
    • rockyou_azAZ.txt   100%   39MB   4.8MB/s   00:08  
    •   
    • Sending all hashes to crack to bots...
    • rockyou01_480.md5  100%   16KB 867.4KB/s   00:00    

    • Clearing any found passwords on bots...
    • If you use programs that use GNU Parallel to process data for an article in a scientific publication, please cite:
    • Tange, O. (2023, April 22). GNU Parallel 20230422 ('Grand Jury'). Zenodo. https://doi.org/10.5281/zenodo.7855617
    • real    32m21.195s (1,941s)
    • user    0m0.919s
    • sys     0m1.114s

  • Password file, rockyouazAZ.txt, split in 4 equal pieces and sent to 4 bots:
    • $ wc -l rockyou_azAZ.txt 
    •  4168380 rockyou_azAZ.txt
    •  
    • $ split -l 1042095 rockyou_azAZ.txt rockyou_split_

    • $ wc -l rockyou_split_*
    •  1042095 rockyou_split_aa
    •  1042095 rockyou_split_ab
    •  1042095 rockyou_split_ac
    •  1042095 rockyou_split_ad
    •  4168380 total
    • $ cat parallel_hashcat.sh 
    • #!/bin/bash
    • #
    • #Bot Army
    • #prox-bot-01: 192.168.1.150
    • #prox-bot-02: 192.168.1.106
    • #prox-bot-03: 192.168.1.114
    • #prox-bot-04: 192.168.1.179

    • #scp hashcat files to bots
    • echo "Sending split dictionary files to bots..."
    • scp rockyou_split_aa dennis@192.168.1.150:~/
    • scp rockyou_split_ab dennis@192.168.1.106:~/
    • scp rockyou_split_ac dennis@192.168.1.114:~/
    • scp rockyou_split_ad dennis@192.168.1.179:~/

    • #scp all hashes to bots
    • echo "Sending all hashes to crack to bots..."
    • scp rockyou01_480.md5 dennis@192.168.1.150:~/
    • scp rockyou01_480.md5 dennis@192.168.1.106:~/
    • scp rockyou01_480.md5 dennis@192.168.1.114:~/
    • scp rockyou01_480.md5 dennis@192.168.1.179:~/

    • #Clear any found passwords on bots
    • echo "Clearing any found passwords on bots..."
    • ssh dennis@192.168.1.150 "rm ~/.hashcat/hashcat.potfile"
    • ssh dennis@192.168.1.106 "rm ~/.hashcat/hashcat.potfile"
    • ssh dennis@192.168.1.114 "rm ~/.hashcat/hashcat.potfile"
    • ssh dennis@192.168.1.179 "rm ~/.hashcat/hashcat.potfile"

    • #Run parallel
    • parallel -j 4 < parallel_input.txt
    • $ cat parallel_input.txt 
    • ssh dennis@192.168.1.150 "hashcat --quiet -m 0 -a 6 rockyou01_480.md5 rockyou_split_aa ?d?d?s"
    • ssh dennis@192.168.1.106 "hashcat --quiet -m 0 -a 6 rockyou01_480.md5 rockyou_split_ab ?d?d?s"
    • ssh dennis@192.168.1.114 "hashcat --quiet -m 0 -a 6 rockyou01_480.md5 rockyou_split_ac ?d?d?s"
    • ssh dennis@192.168.1.179 "hashcat --quiet -m 0 -a 6 rockyou01_480.md5 rockyou_split_ad ?d?d?s"
    • $ time ./parallel_hashcat.sh 
    • Sending split dictionary files to bots...
    • rockyou_split_aa    100% 9144KB   9.3MB/s   00:00    
    • rockyou_split_ab    100%   10MB   9.1MB/s   00:01    
    • rockyou_split_ac    100%   10MB   6.2MB/s   00:01    
    • rockyou_split_ad    100%   10MB   6.6MB/s   00:01
    •     
    • Sending all hashes to crack to bots...
    • rockyou01_480.md5    100%   16KB 645.6KB/s   00:00    
    • rockyou01_480.md5    100%   16KB 722.2KB/s   00:00    
    • rockyou01_480.md5    100%   16KB 809.0KB/s   00:00    
    • rockyou01_480.md5    100%   16KB 799.2KB/s   00:00    

    • Clearing any found passwords on bots...
    •  
    • If you use programs that use GNU Parallel to process data for an article in a scientific publication, please cite:
    • Tange, O. (2023, April 22). GNU Parallel 20230422 ('Grand Jury'). Zenodo. https://doi.org/10.5281/zenodo.7855617
    • real    9m31.025s (571s)
    • user    0m1.218s
    • sys     0m0.806s
    •  
    • That is 3.4 times faster. I call that a win!



Display the passwords cracked

Hashcat stores all cracked hashes in a file called "hashcat.potfile". We can also use the "hashcat --show" command using the same syntax used for cracking. For instance on bot-01, running:

$ hashcat --show -m 0 -a 6 rockyou01_480.md5 rockyou_split_aa ?d?d?s
87d3a7272bf293c97e45e69cde87ab57:shotgun01!
0e3a5a5c8294e49c919a7e651c406d3f:damian01!
6c6b74b8bcf5d771508a63e138cc821c:cheer01!
85176cebcb84ce62d8ffc9eaa45c4836:River01!
a332233d395c415a99c6b16a2348c129:Password01!
de5356b6dfd334d6f306ad01cb03096f:yeroc01!
727999e4f0194d441961f995830e0aa7:wil01!
2df21e4da45ab1d84dbf0161240fd467:what01!
f4606ded47bf1715476eb334cfa190f3:welkom01!
d25c929d155ebde63a699ecb36580576:wanadoo01!
[Snip]
e5df7afcc587cb4ccbf6dacae086fdbf:Daniel01!
4532a3b45f2522a70844265f7fd6ba8d:Chris01!
4a4e408e611202c9ea468ce43284f2cf:Change01!
9b3d8e24f351047945e8e2f816e78679:Buterfly01!
861a4744bbe9d548cb0df1f14f42bf3b:Bowling01!
656851233892e68810759f94dc096745:Bacon01!
562d1aa26c887a754eeb97c13f846c20:BUBBY01!
1d7cab45255315ac71d251a42105ca1a:Angeles01!
dab2be68119cd19f75c1cd60ce96c452:Amanda01!
af9492665323b4f9d6b2becec77b9858:Adam01!

Thank You

Well, that was fun. I always figured there was something very geeky, and slightly evil, that I could do with all those unused phones. Thanks for taking the time to read this post. I welcome your comments as well as other ideas for a cell phone bot army.

Comments

Dan Sheldon said…
Very nicely done, and no cats were traumatized as a result!
Dennis Faucher said…
It's hard to beat a laser-guided cat bot, but I'll keep at it...