Merge pull request #1097 from HackTricks-wiki/update_Hijacker_on_the_Samsung_Galaxy_S10_with_wireless_i_20250711_123906

Hijacker on the Samsung Galaxy S10 with wireless injection
2025-10-10 18:36:50 +00:00 · 2025-07-13 20:01:48 +02:00 · 2025-07-13 20:01:48 +02:00 · 56a15d52b9
commit 56a15d52b9
parent ec810eb93d 50413dd66a
3 changed files with 140 additions and 0 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -25,6 +25,7 @@
  - [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
  - [Spoofing SSDP and UPnP Devices with EvilSSDP](generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)
 - [Pentesting Wifi](generic-methodologies-and-resources/pentesting-wifi/README.md)
+  - [Enable Nexmon Monitor And Injection On Android](generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md)
  - [Evil Twin EAP-TLS](generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md)
 - [Phishing Methodology](generic-methodologies-and-resources/phishing-methodology/README.md)
  - [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md)
--- a/src/generic-methodologies-and-resources/pentesting-wifi/README.md
+++ b/src/generic-methodologies-and-resources/pentesting-wifi/README.md
@ -21,6 +21,12 @@ iwlist wlan0 scan #Scan available wifis

 ## Tools

+### Hijacker & NexMon (Android internal Wi-Fi)
+
+{{#ref}}
+enable-nexmon-monitor-and-injection-on-android.md
+{{#endref}}
+
 ### EAPHammer

 ```
--- a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md
+++ b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md
@ -0,0 +1,133 @@
+# Enable NexMon Monitor Mode & Packet Injection on Android (Broadcom chips)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+Most modern Android phones embed a Broadcom/Cypress Wi-Fi chipset that ships without 802.11 monitor mode or frame-injection capabilities.  The open-source NexMon framework patches the proprietary firmware to add those features and exposes them through a shared library (`libnexmon.so`) and a CLI helper (`nexutil`).  By pre-loading that library into the stock Wi-Fi driver, a rooted device can capture raw 802.11 traffic and inject arbitrary frames – eliminating the need for an external USB adapter.
+
+This page documents a fast workflow that takes a fully-patched Samsung Galaxy S10 (BCM4375B1) as an example, using:
+
+* NexMon Magisk module containing the patched firmware + `libnexmon.so`
+* Hijacker Android application to automate monitor-mode toggling
+* Optional Kali NetHunter chroot to run classic wireless tools (aircrack-ng, wifite, mdk4 …) directly against the internal interface
+
+The same technique applies to any handset that has a publicly available NexMon patch (Pixel 1, Nexus 6P, Galaxy S7/S8, etc.).
+
+---
+
+## Prerequisites
+* Android handset with a supported Broadcom/Cypress chipset (e.g. BCM4358/59/43596/4375B1)
+* Root with Magisk ≥ 24
+* BusyBox (most ROMs/NetHunter already include it)
+* NexMon Magisk ZIP or self-compiled patch providing:
+  * `/system/lib*/libnexmon.so`
+  * `/system/xbin/nexutil`
+* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker
+* (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools
+
+---
+
+## Flashing the NexMon patch (Magisk)
+1. Download the ZIP for your exact device/firmware (example: `nexmon-s10.zip`).
+2. Open Magisk -> Modules -> Install from storage -> select the ZIP and reboot.
+   The module copies `libnexmon.so` into `/data/adb/modules/<module>/lib*/` and ensures SELinux labels are correct.
+3. Verify installation:
+   ```bash
+   ls -lZ $(find / -name libnexmon.so 2>/dev/null)
+   sha1sum $(which nexutil)
+   ```
+
+---
+
+## Configuring Hijacker
+Hijacker can toggle monitor mode automatically before running `airodump`, `wifite`, etc.  In **Settings -> Advanced** add the following entries (edit the library path if your module differs):
+
+```
+Prefix:
+LD_PRELOAD=/data/user/0/com.hijacker/files/lib/libnexmon.so
+
+Enable monitor mode:
+svc wifi disable; ifconfig wlan0 up; nexutil -s0x613 -i -v2
+
+Disable monitor mode:
+nexutil -m0; svc wifi enable
+```
+
+Enable “Start monitor mode on airodump start” so every Hijacker scan happens in native monitor mode (`wlan0` instead of `wlan0mon`).
+
+If Hijacker shows errors at launch, create the required directory on shared storage and reopen the app:
+```bash
+mkdir -p /storage/emulated/0/Hijacker
+```
+
+### What do those `nexutil` flags mean?
+* **`-s0x613`**   Write firmware variable 0x613 (FCAP_FRAME_INJECTION) → `1` (enable TX of arbitrary frames).
+* **`-i`**         Put interface in monitor mode (radiotap header will be prepended).
+* **`-v2`**        Set verbose level; `2` prints confirmation and firmware version.
+* **`-m0`**        Restore managed mode (used in the *disable* command).
+
+After running *Enable monitor mode* you should see the interface in monitor state and be able to capture raw frames with:
+```bash
+airodump-ng --band abg wlan0
+```
+
+---
+
+## Manual one-liner (without Hijacker)
+```bash
+# Enable monitor + injection
+svc wifi disable && ifconfig wlan0 up && nexutil -s0x613 -i -v2
+
+# Disable and return to normal Wi-Fi
+nexutil -m0 && svc wifi enable
+```
+
+If you only need passive sniffing, omit the `-s0x613` flag.
+
+---
+
+## Using `libnexmon` inside Kali NetHunter / chroot
+Stock user-space tools in Kali do not know about NexMon, but you can force them to use it via `LD_PRELOAD`:
+
+1. Copy the pre-built shared object into the chroot:
+   ```bash
+   cp /sdcard/Download/kalilibnexmon.so <chroot>/lib/
+   ```
+2. Enable monitor mode from the **Android host** (command above or through Hijacker).
+3. Launch any wireless tool inside Kali with the preload:
+   ```bash
+   sudo su
+   export LD_PRELOAD=/lib/kalilibnexmon.so
+   wifite -i wlan0        # or aircrack-ng, mdk4 …
+   ```
+4. When finished, disable monitor mode as usual on Android.
+
+Because the firmware already handles radiotap injection, user-space tools behave just like on an external Atheros adapter.
+
+---
+
+## Typical Attacks Possible
+Once monitor + TX is active you can:
+* Capture WPA(2/3-SAE) handshakes or PMKID with `wifite`, `hcxdumptool`, `airodump-ng`.
+* Inject deauthentication / disassociation frames to force clients to reconnect.
+* Craft arbitrary management/data frames with `mdk4`, `aireplay-ng`, Scapy, etc.
+* Build rogue APs or perform KARMA/MANA attacks directly from the phone.
+
+Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-3 M pps RX).
+
+---
+
+## Troubleshooting
+* `Device or resource busy` – make sure **Android Wi-Fi service is disabled** (`svc wifi disable`) before enabling monitor mode.
+* `nexutil: ioctl(PRIV_MAGIC) failed` – the library is not pre-loaded; double-check `LD_PRELOAD` path.
+* Frame injection works but no packets captured – some ROMs hard-block channels; try `nexutil -c <channel>` or `iwconfig wlan0 channel <n>`.
+* SELinux blocking library – set device to *Permissive* or fix module context: `chcon u:object_r:system_lib_file:s0 libnexmon.so`.
+
+---
+
+## References
+* [Hijacker on the Samsung Galaxy S10 with wireless injection](https://forums.kali.org/t/hijacker-on-the-samsung-galaxy-s10-with-wireless-injection/10305)
+* [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon)
+* [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker)
+
+{{#include ../../banners/hacktricks-training.md}}