Android for Hackers: How to Scan Websites for Vulnerabilities Using an Android Phone Without Root

Auditing websites and discovering vulnerabilities can be a challenge. With RapidScan and UserLAnd combined, anyone with an unrooted Android phone can start hacking websites with a few simple commands.

RapidScan does an excellent job of automating the deployment of vulnerability scanners and website auditing software. It supports a large number of effective and noteworthy tools that make finding common website vulnerabilities extremely easy to detect. Coupled with an app like UserLAnd, it's possible to weaponize any inconspicuous Android phone into a full-featured web hacking device.

• Don't Miss: Top 10 Exploit Databases for Finding Vulnerabilities

Step 1: Install UserLAnd & Import Kali Repositories

UserLAnd is an Android app that allows users to quickly and effortlessly install Linux distributions on top of the Android operating system without rooting the device. This allows us to create a Debian operating system (OS) and import the Kali tool repositories to gain full access to some of the best website auditing and hacking tools. The full UserLAnd installation process has been covered in our guide on turning an Android phone into a hacking device.

• Full Guide: How to Turn Android into a Hacking Device Without Root

Disclaimer: UserLAnd does have limitations. Without root access, for example, some of the tools utilized by RapidScan are not fully supported. Certain Nmap and Nikto commands sometimes stall or break entirely. Be mindful of this while scanning. Simply press Ctrl + C to stop a particular scan and RapidScan will automatically continue to the next one. Similarly, Android's Wi-Fi interface can't be switched into monitor mode, so traditional Wi-Fi hacking tools like Aircrack-ng won't work.

Step 2: Install the RapidScan Dependencies

To get started, log in to the Kali or Debian operating system found in UserLAnd using either the built-in SSH functionality or using an SSH client like ConnectBot, then enter a root terminal to perform the following commands.

su

Next, it's a good idea to update the system so everything syncs up well.

apt update

Now, install the many hacking tools used by RapidScan with the below apt-get command. It's worth noting that all of the below tools aren't required to run RapidScan. When running RapidScan, if a particular tool isn't found to be installed, it will intuitively move on to another tool.

apt-get install python screen wapiti whatweb nmap golismero host wget uniscan wafw00f dirb davtest theharvester xsser dnsrecon fierce dnswalk whois sslyze lbd dnsenum dmitry davtest nikto dnsmap

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  docutils-common docutils-doc gir1.2-glib-2.0 libgirepository-1.0-1 libnet-netmask-perl libpaper-utils libpaper1
  libpython-all-dev libstring-random-perl libxml-writer-perl nmap-common python-all python-all-dev python-bson python-dbus
  python-docutils python-entrypoints python-gi python-gridfs python-keyring python-keyrings.alt python-pip python-pip-whl
The following packages will be upgraded:
  nmap nmap-common python-pkg-resources wget
4 upgraded, 45 newly installed, 0 to remove and 181 not upgraded.
Need to get 29.2 MB of archives.
After this operation, 96.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

This installation process can take up to an hour depending on network speed and the Android's CPU. Be sure to keep the Android charged while packages are downloading and installing. While this is happening, let's have a look at which tools are being installed.

WhatWeb

WhatWeb is designed to identify website technologies and software version information. It includes over 1,750 plugins capable of recognizing blogger platforms, JavaScript libraries, web server fingerprints, and content management systems (CMS), to name a few.

DNSRecon

Domain name resolutions involve converting domain names (like wonderhowto.com) into an IP address that servers and computers can interpret. DNSRecon is a comprehensive domain name service (DNS) enumeration and reconnaissance tool. It's able to carry out the following advanced tasks, to give you an idea of its power.

• NS records for zone transfers checks
• Enumerate MX, SOA, NS, A, AAAA, and TXT records
• Perform common SRV record enumeration
• Check for wildcard resolution
• Brute-force subdomains with a supplied wordlist
• Identify cached DNS records for A, AAAA and CNAME Records

Nmap

Nmap is a port scanner and network exploration tool. It's a full-featured tool adept at finding shared servers, detecting CVEs, and performing a variety of advanced scanning techniques. As I mentioned previously, some of Nmap's features are not currently supported by UserLAnd. If you experience problems, be sure to open a new GitHub issue for assistance from the developers with this.

WAFW00F

A web application firewall (WAF) detects and blocks malicious traffic transmitting to and from the web server its protecting. WAFW00F is able to fingerprint and identify web application firewall technologies by sending the website an HTTP request and analyses the response. It can currently identify over 45 popular web application firewall solutions such as CloudFlare, Sucuri, ModSecurity, and Incapsula.

GoLismero

GoLismero is a web application framework that can audit websites and operating systems running Windows 10, Linux, and macOS (OS X).

DAVTest

Web Distributed Authoring and Versioning (WebDAV) is an extension of HTTP that enables web servers to behave like file servers. It allows sysadmins to create and edit files remotely. DAVTest audits WebDAV-enabled servers by uploading executable files and enumerating command execution vulnerabilities. Using DAVTest, penetration testers can quickly identify if a given WebDAV server is exploitable.

Uniscan

Uniscan is a simple tool created to discover remote and local file inclusion, as well as remote command execution vulnerabilities. It can also detect SQL and PHP CGI argument injections, crawl for hidden files and directories, and fingerprint web servers.

WHOIS

WHOIS is a search and response protocol that is used by a variety of software and websites for querying domain owner information. The whois command line tool is used to easily access domain owner contact details and IP address assignments for information gathering purposes.

DIRB

DIRB is a web application analysis and WebObject discovery tool that executes a dictionary-based attack against web servers.

Load Balance Detector (Lbd)

Load balancing refers to efficiently distributing incoming network traffic across a large pool (or "farm") of servers. To cost-efficiently provide consistent and reliable content to its visitors, large websites (like Facebook or Instagram) must use load-balancing solutions. Lbd attempts to detect if a given website employs a DNS or HTTP load balancing software by comparing server header responses.

Wapiti

Wapiti is a website and web application auditing injection tool. It supports both GET and POST HTTP methods, generates verbose vulnerability assessment reports, and allows custom HTTP headers. Wapiti is capable of detecting a vast amount of vulnerabilities such as:

• SQL and XPath injections
• Cross-Site Scripting (XSS) injection
• PHP command execution
• CRLF injection
• XML External Entity injection
• Server-Side Request Forgeries (SSRF)
• Apache .htaccess configuration bypasses
• Sensitive file and information disclosures
• Shellshock vulnerabilities

TheHarvester

TheHarvester is an open-source information gathering tool intended for penetration testers in the early stages of black-box and red team engagements. It features the ability to perform virtual host verifications, DNS enumeration, reverse domain searches, and IP lookups, as well as make Shodan queries.

XSSer

Cross-Site Scripter (XSSer) is an automation tool that attempts to detect and exploit cross-site scripting vulnerabilities in web applications and websites. It also includes several options for evading XSS detection filters.

SSLyze

Transport Layer Security (TLS; aka "SSL") is a cryptographic protocol designed to establish secure communications between computers operating over the internet. SSLyze analyzes the SSL configuration of a given website and reports misconfigurations and critical vulnerabilities.

DMitry

DMitry is an information gathering tool that tries to collect as much information about a host as possible. It gathers subdomain information, email addresses, uptime information, open port details, whois lookup responses, and much more.

Nikto

Nikto is a vulnerability scanner which performs a myriad of comprehensive tests against web servers. Among its many scanning features, it checks for outdated software, server misconfiguration, directory checks, weak HTTP headers, and has many available plugins for further enhancing its functionalities.

DNSmap

DNSmap is another DNS enumeration tool meant to be used during the information gathering phase of a penetration testing engagement. Subdomain brute-forcing is a common and effective technique for discovering additional servers and IPs controls by a target website or company.

• Don't Miss: Top 10 Things to Do After Installing Kali Linux

Step 3: Clone the RapidScan Repository

Now that we have a good idea of which tools RapidScan employs, let's clone the repository and start scanning websites.

git clone https://github.com/skavngr/rapidscan

Cloning into 'rapidscan'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 449 (delta 0), reused 1 (delta 0), pack-reused 446
Receiving objects: 100% (449/449), 2.37 MiB | 100.00 KiB/s, done.
Resolving deltas: 100% (261/261), done.

Then, change (cd) into the newly created rapidscan/ directory.

cd rapidscan/

And give it permission to execute in Kali.

chmod +x rapidscan.py

Step 4: Start Screen (Optional)

When using Android and UserLAnd for long, time-consuming scans, the SSH connection might unexpectedly break. SSH breakages may cause in-progress scans to terminate and fail — usually without saving the accumulated scan results. RapidScan could also continue to run in the background with no way of reconnecting to the session to view the progress.

Screen will allow terminal sessions to persist if the SSH connection suddenly disconnects. To start a new Screen session, simply type screen into the terminal.

screen

• Don't Miss: Scan Sites for Potential Vulnerabilities Using Vega in Kali Linux

Step 5: Start RapidScan

The RapidScan help options and legend can be viewed using the --help argument.

./rapidscan.py --help

`

                                  __         __
                                 /__)_   �_/(  _ _
                                / ( (//)/(/__)( (//)
                                     /
                     (The Multi-Tool Web Vulnerability Scanner)

Information:
------------
        ./rapidscan.py example.com: Scans the domain example.com
        ./rapidscan.py --update   : Updates the scanner to the latest version.
        ./rapidscan.py --help     : Displays this help context.
Interactive:
------------
        Ctrl+C: Skips current test.
        Ctrl+Z: Quits RapidScan.
Legends:
--------
        [�]: Scan process may take longer times (not predictable).
        [�]: Scan process may take less than 10 minutes.
        [�]: Scan process may take less than a minute or two.
Vulnerability Information:
--------------------------
         critical : Requires immediate attention as it may lead to compromise or service unavailability.
         high     : May not lead to an immediate compromise, but there are high chances of probability.
         medium   : Attacker may correlate multiple vulnerabilities of this type to launch a sophisticated attack.
         low      : Not a serious issue, but it is recommended to attend the finding.
         info     : Not classified as a vulnerability, simply an useful informational alert to be considered.

Finally, to scan a website, simply provide the target domain and RapidScan will handle the rest.

./rapidscan.py target.com

There are many tools featured in RapidScan. Depending on the network speed, target domain response time, and Android CPU, scanning a single website can take up to three hours to complete.

Step 6: Analyze RapidScan Vulnerability Reports

When RapidScan is done auditing the target domain, a report containing the results will be available in the rapidscan/ directory with the "RS-Vulnerability-Report" file name. Vulnerability reports can easily accumulate over 300 lines of data, so be sure to use the less command to view the file and not cat. Less will allow continuous scrolling of the report by tapping the Up and Down buttons.

less RS-Vulnerability-Report

The detailed output of each scan will be appended to the "RS-Vulnerability-Report" file. Scan error messages will also be included in the file indicating whether or not a particular tool's scan was successful.

That's all there is to it! RapidScan is a powerful automation tool that makes auditing websites simple. With a few commands, anyone can find common vulnerabilities and exploits using an unrooted Android device. If you have any questions or concerns, be sure to leave a comment below.

• Follow Null Byte on Twitter, Flipboard, and YouTube
• Sign up for Null Byte's weekly newsletter
• Follow WonderHowTo on Facebook, Twitter, Pinterest, and Flipboard