Sign in Subscribe
Android

Building an (Evil) Android Phone Bot Army

Dennis Faucher

8 min read

Building an (Evil) Android Phone Bot Army

Why?

So, like you, I have a bunch of old, mostly-working phones. These are small, capable, computers that could be doing something - something good or evil 🙂. What if I could somehow build them into a parallel compute cluster to break up large jobs into smaller pieces? Sounded like fun.


What?

Well, my first job was figuring out how to send tasks to the phones. My phones all run Android, so something ssh-based could work. How does one allow ssh into an Android phone? There are many ways, but the method I finally landed on was UserLAnd. Userland allows you to run a number of Linux distros on top of Android without rooting your phone. You can then access that distro via ssh or vnc. Very nice.


My next job was figuring out how to send tasks in parallel to multiple phones. My first thought was to use Ansible which is great at sending jobs/compliance checks to multiple machines. Ansible runs serially though. Oh, well. After some DuckDuckGo-ing, I found the multi-OS parallel command which does exactly what I want. 

And finally, what job do I want to parallelize? Many options, but I landed on the resource-intensive hashcat for cracking password hashes (passwords I already knew).

This makes our inventory:

  • Extra Android phones
  • The UserLAnd app on each phone
  • hashcat installed in UserLAnd on each phone
  • A "controller" OS that can run the parallel command (almost any)

How?

Install UserLAnd on each phone

Install the UserLAnd app on the phone. Choose a linux Distribution (I chose Ubuntu). You will be asked for a username and password and whether access should be vnc or ssh. Choose ssh.

Set up password-less ssh from the controller to each phone

You can use this password-less ssh tutorial I wrote a while back. The hardest part is finding the IP address of each phone as UserLAnd does not allow the "ip a" command to run. I looked at the DHCP table on my router to find the IP addresses of my phones.

Install hashcat on each phone

Now that you have password-less ssh set up on each phone, ssh to each phone and type "apt install hashcat"

Install parallel on the controller

Find the install instructions for parallel for your controller OS on the parallel web site and install parallel. For Ubuntu/Debian Linux, "sudo apt -y install parallel". For MacOS, "brew install parallel". For Windows, don't bother 🙂

Collect all the hashcat parts needed on the controller

So, we are going to need a password dictionary file for cracking and a list of passwords to crack. The most common password dictionary file is rockyou.txt. You can download that file here on Kaggle among other places.For passwords to crack, I wanted a list that wasn't too easy and wasn't too hard. I decided to build my own list of passwords that ended in a number and a special character. hashcat has a "dictionary + mask" mode that can be used to brute force these types of passwords. Passwords like "SpongeBob01!". First, I slimmed down the rockyou dictionary file to just passwords including "01!" usinggrep 01! rockyou.txt > rockyou01.txtThat gave me 482 passwords to crack. I would rather have 480 to split evenly in 4 pieces so I ran this:head -n 480 rockyou01.txt > rockyou480.txtNow I have exactly 480 passwords to crack across 4 bots. To create the 480 MD5 hashes to crack, I used a little vi-fu to turn that list of passwords into a shell script (rockyou01.sh) to create 480 hashes. That shell script looks like this:#!/bin/bashecho -n 'zoey101!' | md5sum | tr -d ' -'echo -n '9801!Jmc' | md5sum | tr -d ' -'echo -n 'woody101!' | md5sum | tr -d ' -'echo -n 'tigger101!' | md5sum | tr -d ' -'echo -n 'shotgun01!' | md5sum | tr -d ' -'echo -n 'seria101!' | md5sum | tr -d ' -'echo -n 'rocky101!' | md5sum | tr -d ' -'[snip]I then ran "rockyou01.sh > rockyou01_480.md5" The top of that file looks like this:$ head rockyou01_480.md5f4b7dc4fa32a3e2aa6516fa08f2096ff2e3e2ea1a34fc71ebdc45165444f4533353b97a58a7e33300ce2cc1f2222b55595d0ac3e58389faa9ab3c281309fcd6687d3a7272bf293c97e45e69cde87ab5760c8800eefaf6caebfdcd0ea4b230324ef8af08f43dcc58f4a283d8e17deb1c6f3104289cb3c8646aeea917375df4dc72d4492e766d99d10726948ffec74ef263f9d6897898b49716c4c7d02fcb2c21f

To make the cracking a little faster, I thinned down the enormous rockyou.txt to just passwords with the characters a-zA-Z. Here is how I did that with our friend grep:$ grep -i -E "^[a-z](?:_?[a-z]+)*$" rockyou.txt > rockyou_azAZ.txt$ wc -l rockyou_azAZ.txt 4168380 rockyou_azAZ.txtNow I have a whole bunch of password prefizes that I can brute force add numbers and special charcaters to the end of.  For instance, I now have these common Sponge Bob password prefixes:SpongebobRulesSpongeboBSpongeBOBSponGebOBSPONGEbobSPONGEBOB_SCOOBYSPONGEBOBSWIFEYSPONGEBOBSQUARESPONGEBOBJOANNASPONGEBOBFANSPONGEBOBALDAYPATRICKaNdSPOngeBoB

Experiment with Parallelizing hashcat

I learned a lot about how hashcat works while experimenting with splitting up hashcat across multiple computers. At first I thought splitting the number of hashes across multiple computers would be faster. Surely cracking 120 hashes would be faster than cracking 480 hashes. Nope. Same exact time. It turns out that the time spent is the time hashing each of the 4,168,380 passwords in the rockyou_azAZ.txt dictionary and testing against each of the hashes. Comparing 4M passwords to 120 hashes takes just as long as comparing 4M passwords to 480 hashes.


Here are the timing comparisons of "hashcat -m 0 -a 6 rockyou01_480.md5 [dictionary_file] ?d?d?s"

  • Entire rockyou_azAZ.txt password file processed on one bot: 
    • $ cat serial_hashcat.sh 
    • #!/bin/bash
    • #
    • #Bot Army
    • #prox-bot-01: 192.168.1.150
    • #prox-bot-02: 192.168.1.106
    • #prox-bot-03: 192.168.1.114
    • #prox-bot-04: 192.168.1.179
    • #scp hashcat files to bots
    • echo "Sending split dictionary files to bots..."
    • scp rockyou_azAZ.txt [email protected]:~/
    • #scp all hashes to bots
    • echo "Sending all hashes to crack to bots..."
    • scp rockyou01_480.md5 [email protected]:~/
    • #Clear any found passwords on bots
    • echo "Clearing any found passwords on bots..."
    • ssh [email protected] "rm ~/.hashcat/hashcat.potfile"
    • #Run parallel
    • parallel -j 1 < serial_input.txt
    • $ cat serial_input.txt 
    • ssh [email protected] "hashcat --quiet -m 0 -a 6 rockyou01_480.md5 rockyou_azAZ.txt ?d?d?s"
    •  
    • $ time ./serial_hashcat.sh
    • Sending split dictionary files to bots...
    • rockyou_azAZ.txt   100%   39MB   4.8MB/s   00:08  
    •   
    • Sending all hashes to crack to bots...
    • rockyou01_480.md5  100%   16KB 867.4KB/s   00:00    
    • Clearing any found passwords on bots...
    • If you use programs that use GNU Parallel to process data for an article in a scientific publication, please cite:
    • Tange, O. (2023, April 22). GNU Parallel 20230422 ('Grand Jury'). Zenodo. https://doi.org/10.5281/zenodo.7855617
    • real    32m21.195s (1,941s)
    • user    0m0.919s
    • sys     0m1.114s

  • Password file, rockyouazAZ.txt, split in 4 equal pieces and sent to 4 bots:
    • $ wc -l rockyou_azAZ.txt 
    •  4168380 rockyou_azAZ.txt
    •  
    • $ split -l 1042095 rockyou_azAZ.txt rockyou_split_
    • $ wc -l rockyou_split_*
    •  1042095 rockyou_split_aa
    •  1042095 rockyou_split_ab
    •  1042095 rockyou_split_ac
    •  1042095 rockyou_split_ad
    •  4168380 total
    • $ cat parallel_hashcat.sh 
    • #!/bin/bash
    • #
    • #Bot Army
    • #prox-bot-01: 192.168.1.150
    • #prox-bot-02: 192.168.1.106
    • #prox-bot-03: 192.168.1.114
    • #prox-bot-04: 192.168.1.179
    • #scp hashcat files to bots
    • echo "Sending split dictionary files to bots..."
    • scp rockyou_split_aa [email protected]:~/
    • scp rockyou_split_ab [email protected]:~/
    • scp rockyou_split_ac [email protected]:~/
    • scp rockyou_split_ad [email protected]:~/
    • #scp all hashes to bots
    • echo "Sending all hashes to crack to bots..."
    • scp rockyou01_480.md5 [email protected]:~/
    • scp rockyou01_480.md5 [email protected]:~/
    • scp rockyou01_480.md5 [email protected]:~/
    • scp rockyou01_480.md5 [email protected]:~/
    • #Clear any found passwords on bots
    • echo "Clearing any found passwords on bots..."
    • ssh [email protected] "rm ~/.hashcat/hashcat.potfile"
    • ssh [email protected] "rm ~/.hashcat/hashcat.potfile"
    • ssh [email protected] "rm ~/.hashcat/hashcat.potfile"
    • ssh [email protected] "rm ~/.hashcat/hashcat.potfile"
    • #Run parallel
    • parallel -j 4 < parallel_input.txt
    • $ cat parallel_input.txt 
    • ssh [email protected] "hashcat --quiet -m 0 -a 6 rockyou01_480.md5 rockyou_split_aa ?d?d?s"
    • ssh [email protected] "hashcat --quiet -m 0 -a 6 rockyou01_480.md5 rockyou_split_ab ?d?d?s"
    • ssh [email protected] "hashcat --quiet -m 0 -a 6 rockyou01_480.md5 rockyou_split_ac ?d?d?s"
    • ssh [email protected] "hashcat --quiet -m 0 -a 6 rockyou01_480.md5 rockyou_split_ad ?d?d?s"
    • $ time ./parallel_hashcat.sh 
    • Sending split dictionary files to bots...
    • rockyou_split_aa    100% 9144KB   9.3MB/s   00:00    
    • rockyou_split_ab    100%   10MB   9.1MB/s   00:01    
    • rockyou_split_ac    100%   10MB   6.2MB/s   00:01    
    • rockyou_split_ad    100%   10MB   6.6MB/s   00:01
    •     
    • Sending all hashes to crack to bots...
    • rockyou01_480.md5    100%   16KB 645.6KB/s   00:00    
    • rockyou01_480.md5    100%   16KB 722.2KB/s   00:00    
    • rockyou01_480.md5    100%   16KB 809.0KB/s   00:00    
    • rockyou01_480.md5    100%   16KB 799.2KB/s   00:00    
    • Clearing any found passwords on bots...
    •  
    • If you use programs that use GNU Parallel to process data for an article in a scientific publication, please cite:
    • Tange, O. (2023, April 22). GNU Parallel 20230422 ('Grand Jury'). Zenodo. https://doi.org/10.5281/zenodo.7855617
    • real    9m31.025s (571s)
    • user    0m1.218s
    • sys     0m0.806s
    •  
    • That is 3.4 times faster. I call that a win!

Display the passwords cracked

Hashcat stores all cracked hashes in a file called "hashcat.potfile". We can also use the "hashcat --show" command using the same syntax used for cracking. For instance on bot-01, running:$ hashcat --show -m 0 -a 6 rockyou01_480.md5 rockyou_split_aa ?d?d?s87d3a7272bf293c97e45e69cde87ab57:shotgun01!0e3a5a5c8294e49c919a7e651c406d3f:damian01!6c6b74b8bcf5d771508a63e138cc821c:cheer01!85176cebcb84ce62d8ffc9eaa45c4836:River01!a332233d395c415a99c6b16a2348c129:Password01!de5356b6dfd334d6f306ad01cb03096f:yeroc01!727999e4f0194d441961f995830e0aa7:wil01!2df21e4da45ab1d84dbf0161240fd467:what01!f4606ded47bf1715476eb334cfa190f3:welkom01!d25c929d155ebde63a699ecb36580576:wanadoo01![Snip]e5df7afcc587cb4ccbf6dacae086fdbf:Daniel01!4532a3b45f2522a70844265f7fd6ba8d:Chris01!4a4e408e611202c9ea468ce43284f2cf:Change01!9b3d8e24f351047945e8e2f816e78679:Buterfly01!861a4744bbe9d548cb0df1f14f42bf3b:Bowling01!656851233892e68810759f94dc096745:Bacon01!562d1aa26c887a754eeb97c13f846c20:BUBBY01!1d7cab45255315ac71d251a42105ca1a:Angeles01!dab2be68119cd19f75c1cd60ce96c452:Amanda01!af9492665323b4f9d6b2becec77b9858:Adam01!

Thank You

Well, that was fun. I always figured there was something very geeky, and slightly evil, that I could do with all those unused phones. Thanks for taking the time to read this post. I welcome your comments as well as other ideas for a cell phone bot army.