Password cracking on Android

From Embedded Lab Vienna for IoT & Security

Summary

This article briefly describes how you can use the unused processing power of your Android phone to crack passwords using John the Ripper (JtR).

Requirements

  • Android Phone (Custom builds)
  • Enable USB-Debugging in the Android Developer options
  • Host with Android Debug Bridge (ADB) installed (Guide)
  • Optionally: Terminal Emulator installed on Android (e.g. Termux)

Procedure

Unlike hashcat, JtR is very flexible and can be installed on almost any platform, and it is easy to get running on Android. Generic builds for the ARM, x86 and MIPS processor architectures can be found on the Openwall wiki. A rooted device is not needed, but you do need a location in the filesystem with write permission. In most cases this is /data/local, /data/tmp or /data/local/tmp/. Note that those folders are cleared after a restart. The Termux terminal emulator, with its built-in package managers pkg and apt, may also be used to download and install John, but this works rather badly in some scenarios.

Note: USB-Debugging must be enabled on the Android device!

Download and extract the John the Ripper Android binaries on the host device. Then open the binaries folder in a terminal window on the host device.

  • Start ADB Daemon
Host$ adb devices
   List of devices attached
   1c5c667023047ece	device
  • Get Android device CPU architecture
Host$ adb shell getprop ro.product.cpu.abi
   arm64-v8a
  • Copy files to a writable space on the Android device
Host$ adb push $JOHN_ANDROID/user/. /data/local/tmp
    user/./: 8 files pushed. 19.1 MB/s (7436597 bytes in 0.370s)
Host$ adb push $JOHN_ANDROID/libs/$ARCHITECTURE/john /data/local/tmp
    libs/arm64-v8a/john: 1 file pushed. 12.5 MB/s (236032 bytes in 0.018s)
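
The host-side steps above, wrapped in a small script as an added example (not part of the original article or the John the Ripper package): it refuses to push unless exactly one authorized device is attached and a build for the reported ABI exists. The function names are hypothetical; JOHN_ANDROID is the extracted package directory, as in the commands above.

```shell
#!/bin/sh
# Added example: host-side helper for the adb steps above.
# Assumes JOHN_ANDROID points at the extracted package directory.

# Read `adb devices` output on stdin and print the serial of the single
# device in state "device". Exit codes: 1 = no device, 2 = several ready
# devices, 3 = only "unauthorized"/"offline" devices (debugging prompt
# not accepted on the phone).
ready_device() {
    awk 'NF == 2 {
             if ($2 == "device") { n++; serial = $1 } else bad++
         }
         END {
             if (n == 1) { print serial; exit 0 }
             exit (n > 1 ? 2 : (bad ? 3 : 1))
         }'
}

# Print the path of the john binary for an ABI string such as the one
# returned by `getprop ro.product.cpu.abi`. Anything that is not a plain
# ABI token is rejected, so the value cannot point outside libs/.
john_for_abi() {
    abi=$(printf '%s' "$1" | tr -d '\r')   # adb shell may append a CR
    case "$abi" in
        ''|*[!A-Za-z0-9_-]*) echo "bad ABI: '$abi'" >&2; return 1 ;;
    esac
    bin="$JOHN_ANDROID/libs/$abi/john"
    [ -f "$bin" ] || { echo "no build for $abi" >&2; return 1; }
    printf '%s\n' "$bin"
}

# Run the push steps from the article against the connected device.
deploy() {
    serial=$(adb devices | ready_device) || return 1
    abi=$(adb -s "$serial" shell getprop ro.product.cpu.abi) || return 1
    bin=$(john_for_abi "$abi") || return 1
    adb -s "$serial" push "$JOHN_ANDROID/user/." /data/local/tmp &&
    adb -s "$serial" push "$bin" /data/local/tmp
}
```

Source the file and call `deploy` with JOHN_ANDROID set; nothing is pushed when the device check or the ABI lookup fails.
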
Important: Continue with the appropriate section, depending on whether the Android device is rooted or not.

Rooted Android

Note: Since Android mounts /mnt/sdcard with the 'noexec' mount option, the included binary is more usable on so-called "rooted" systems.
  • On your Android device, launch a terminal application and become root (by executing su).
  • Remount /system read-write:
Android$ mount -o remount,rw /system
  • Copy 'john' (pushed to /data/local/tmp in the step above) to /system/xbin/:
Android$ cp /data/local/tmp/john /system/xbin/
  • Fix the permissions and remount /system to be read-only:
Android$ chmod 0755 /system/xbin/john
Android$ mount -o remount,ro /system
  • Drop root's privileges by exiting the shell.
  • Benchmark to test the 'installation'
Android$ john --test

Non-Rooted Android

  • Start an Android shell
Host$ adb shell
Note: Alternatively a terminal emulator like Termux can be used.
  • Done. Change permissions and run.
Android$ cd /data/local/tmp
Android$ chmod +x ./* && ./john
  • Benchmark to test the 'installation'
Android$ ./john --test

Tested Devices

Courses

References