maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md

129 lines
6.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Wezesha NexMon Monitor Mode & Packet Injection kwenye Android (chips za Broadcom)
{{#include ../../banners/hacktricks-training.md}}
## Muhtasari
Simu nyingi za kisasa za Android zina chip ya Wi-Fi ya Broadcom/Cypress ambayo inakuja bila uwezo wa monitor mode wa 802.11 au frame-injection. Mfumo wa wazi wa NexMon unarekebisha firmware ya miliki ili kuongeza vipengele hivyo na kuviweka wazi kupitia maktaba ya pamoja (`libnexmon.so`) na msaidizi wa CLI (`nexutil`). Kwa kuingiza maktaba hiyo kwenye dereva wa Wi-Fi wa kawaida, kifaa kilichopandishwa haki kinaweza kukamata trafiki ya 802.11 na kuingiza frames zisizo na mipaka kuondoa hitaji la adapter ya USB ya nje.
Ukurasa huu unadokeza mchakato wa haraka unaotumia Samsung Galaxy S10 iliyorekebishwa kikamilifu (BCM4375B1) kama mfano, ukitumia:
* Moduli ya NexMon Magisk inayojumuisha firmware iliyorekebishwa + `libnexmon.so`
* Programu ya Hijacker ya Android ili kuharakisha kubadilisha monitor-mode
* Kali NetHunter chroot ya hiari ili kukimbia zana za kawaida za wireless (aircrack-ng, wifite, mdk4 …) moja kwa moja dhidi ya interface ya ndani
Teknolojia hiyo hiyo inatumika kwa simu yoyote ambayo ina patch ya NexMon inayopatikana hadharani (Pixel 1, Nexus 6P, Galaxy S7/S8, n.k.).
---
## Masharti
* Simu ya Android yenye chipset ya Broadcom/Cypress inayoungwa mkono (mfano: BCM4358/59/43596/4375B1)
* Root na Magisk ≥ 24
* BusyBox (ROM nyingi/NetHunter tayari zinajumuisha)
* NexMon Magisk ZIP au patch iliyojitengeneza inayotoa:
* `/system/lib*/libnexmon.so`
* `/system/xbin/nexutil`
* Hijacker ≥ 1.7 (arm/arm64) [https://github.com/chrisk44/Hijacker](https://github.com/chrisk44/Hijacker)
* (Hiari) Kali NetHunter au chroot yoyote ya Linux ambapo unakusudia kukimbia zana za wireless
---
## Kuweka patch ya NexMon (Magisk)
1. Pakua ZIP kwa kifaa/chip yako sahihi (mfano: `nexmon-s10.zip`).
2. Fungua Magisk -> Moduli -> Sakinisha kutoka kwenye hifadhi -> chagua ZIP na upige rebooti.
Moduli inakopya `libnexmon.so` kwenye `/data/adb/modules/<module>/lib*/` na kuhakikisha lebo za SELinux ni sahihi.
3. Thibitisha usakinishaji:
```bash
ls -lZ $(find / -name libnexmon.so 2>/dev/null)
sha1sum $(which nexutil)
```
---
## Kuweka Hijacker
Hijacker inaweza kubadilisha monitor mode kiotomatiki kabla ya kukimbia `airodump`, `wifite`, n.k. Katika **Settings -> Advanced** ongeza entries zifuatazo (hariri njia ya maktaba ikiwa moduli yako inatofautiana):
```
Prefix:
LD_PRELOAD=/data/user/0/com.hijacker/files/lib/libnexmon.so
Enable monitor mode:
svc wifi disable; ifconfig wlan0 up; nexutil -s0x613 -i -v2
Disable monitor mode:
nexutil -m0; svc wifi enable
```
Wezesha "Anza hali ya ufuatiliaji wakati airodump inaanza" ili kila skana ya Hijacker ifanyike katika hali ya ufuatiliaji asilia (`wlan0` badala ya `wlan0mon`).
Ikiwa Hijacker inaonyesha makosa wakati wa uzinduzi, tengeneza saraka inayohitajika kwenye hifadhi ya pamoja na fungua tena programu:
```bash
mkdir -p /storage/emulated/0/Hijacker
```
### What do those `nexutil` flags mean?
* **`-s0x613`** Andika variable ya firmware 0x613 (FCAP_FRAME_INJECTION) → `1` (wezesha TX ya fremu za kawaida).
* **`-i`** Weka interface katika hali ya ufuatiliaji (kichwa cha radiotap kitaongezwa).
* **`-v2`** Weka kiwango cha maelezo; `2` inachapisha uthibitisho na toleo la firmware.
* **`-m0`** Rejesha hali ya usimamizi (inayotumika katika amri ya *disable*).
Baada ya kuendesha *Enable monitor mode* unapaswa kuona interface katika hali ya ufuatiliaji na uweze kukamata fremu za kawaida kwa:
```bash
airodump-ng --band abg wlan0
```
---
## Manual one-liner (bila Hijacker)
```bash
# Enable monitor + injection
svc wifi disable && ifconfig wlan0 up && nexutil -s0x613 -i -v2
# Disable and return to normal Wi-Fi
nexutil -m0 && svc wifi enable
```
Ikiwa unahitaji tu sniffing ya passively, acha bendera `-s0x613`.
---
## Kutumia `libnexmon` ndani ya Kali NetHunter / chroot
Zana za kawaida za mtumiaji katika Kali hazijui kuhusu NexMon, lakini unaweza kuzilazimisha kuzitumia kupitia `LD_PRELOAD`:
1. Nakili kituo kilichojengwa tayari ndani ya chroot:
```bash
cp /sdcard/Download/kalilibnexmon.so <chroot>/lib/
```
2. Wezesha hali ya ufuatiliaji kutoka kwa **Android host** (amri hapo juu au kupitia Hijacker).
3. Anzisha zana yoyote ya wireless ndani ya Kali na preload:
```bash
sudo su
export LD_PRELOAD=/lib/kalilibnexmon.so
wifite -i wlan0 # au aircrack-ng, mdk4 …
```
4. Unapomaliza, zima hali ya ufuatiliaji kama kawaida kwenye Android.
Kwa sababu firmware tayari inashughulikia kuingiza radiotap, zana za mtumiaji zinafanya kazi kama kwenye adapter ya Atheros ya nje.
---
## Mashambulizi ya Kawaida Yanayowezekana
Mara tu hali ya ufuatiliaji + TX inapoanzishwa unaweza:
* Kukamata WPA(2/3-SAE) handshakes au PMKID kwa kutumia `wifite`, `hcxdumptool`, `airodump-ng`.
* Kuingiza frames za kuondoa uthibitisho / kutenganisha ili kulazimisha wateja kuungana tena.
* Kuunda frames za usimamizi/data za kiholela kwa kutumia `mdk4`, `aireplay-ng`, Scapy, nk.
* Kujenga AP za uasi au kufanya mashambulizi ya KARMA/MANA moja kwa moja kutoka kwenye simu.
Utendaji kwenye Galaxy S10 ni sawa na NICs za USB za nje (~20 dBm TX, 2-3 M pps RX).
---
## Kutatua Matatizo
* `Device or resource busy` hakikisha **huduma ya Wi-Fi ya Android imezimwa** (`svc wifi disable`) kabla ya kuwezesha hali ya ufuatiliaji.
* `nexutil: ioctl(PRIV_MAGIC) failed` maktaba haijapakiwa awali; angalia tena njia ya `LD_PRELOAD`.
* Kuingiza frame kunafanya kazi lakini hakuna pakiti zilizokamatwa baadhi ya ROMs zinaweza kuzuia vituo; jaribu `nexutil -c <channel>` au `iwconfig wlan0 channel <n>`.
* SELinux inazuia maktaba weka kifaa kuwa *Permissive* au kurekebisha muktadha wa moduli: `chcon u:object_r:system_lib_file:s0 libnexmon.so`.
---
## Marejeleo
* [Hijacker on the Samsung Galaxy S10 with wireless injection](https://forums.kali.org/t/hijacker-on-the-samsung-galaxy-s10-with-wireless-injection/10305)
* [NexMon firmware patching framework](https://github.com/seemoo-lab/nexmon)
* [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink