1
00:00:13,200 --> 00:00:18,630
Hey, guys, welcome back to another episode on how to defend, and today we're looking at how we can check
2
00:00:18,630 --> 00:00:21,390
if a mobile device has already been hacked.
3
00:00:21,600 --> 00:00:24,270
OK, so this is going to be a little more technical.
4
00:00:24,450 --> 00:00:31,350
OK, so we need some form of command line interface to find out the processes as well as the network
5
00:00:31,350 --> 00:00:38,130
outbound connections that we're having from our mobile device all the way out onto the Internet or into
6
00:00:38,130 --> 00:00:41,130
some hacking server that is in control of our mobile devices.
7
00:00:41,940 --> 00:00:46,380
So the first thing I want to do is, of course, to highlight over here that I have an Android device
8
00:00:46,380 --> 00:00:48,270
running on the left side of the screen, as you can see.
9
00:00:48,930 --> 00:00:54,390
And it can be the same for a physical Android device; you can do the same to it.
10
00:00:54,420 --> 00:00:59,960
OK, so you can go ahead and plug in your Android device into a computer system which already has Android
11
00:00:59,990 --> 00:01:01,270
Debug Bridge running.
12
00:01:01,530 --> 00:01:06,330
So if you're not sure what Android Debug Bridge is, we have a video tutorial on that, so do check
13
00:01:06,330 --> 00:01:07,260
it out on the channel.
14
00:01:08,010 --> 00:01:11,820
So what we're going to do now is to actually go ahead and open up Command Prompt.
15
00:01:11,880 --> 00:01:12,980
OK, so I'm going to open it up.
16
00:01:13,230 --> 00:01:16,080
And of course, I'm going to zoom in a little more so it's easier for you to see.
17
00:01:17,040 --> 00:01:22,020
OK, so I'm going to put this as font twenty-eight. OK, so what we'll do now is to actually kick
18
00:01:22,020 --> 00:01:22,750
start ADB.
19
00:01:23,100 --> 00:01:29,100
So we will need a connection into the Android device through this shell, and we can issue some interesting
20
00:01:29,100 --> 00:01:31,710
commands to find out what's going on on the device.
21
00:01:31,770 --> 00:01:36,360
OK, in the background, I actually have a Kali Linux machine running, so we'll look
22
00:01:36,360 --> 00:01:38,630
at what's normal and what is abnormal.
23
00:01:38,970 --> 00:01:42,150
What are some of the indicators that your phone has already been compromised?
24
00:01:42,570 --> 00:01:49,080
So first of all, you can go in, enter adb devices, and it will show us a list of Android devices
25
00:01:49,080 --> 00:01:50,940
that are connected to your computer system.
26
00:01:51,200 --> 00:01:54,100
OK, so you could do the same for any form of operating system.
27
00:01:54,120 --> 00:02:00,600
So go ahead, enter adb shell, and this would bring us into the device itself.
28
00:02:00,630 --> 00:02:03,830
So now we are currently controlling the device on the left side.
29
00:02:03,840 --> 00:02:04,410
You can see.
30
00:02:05,070 --> 00:02:08,970
So of course, one of those things that we can do is to issue some commands and one of those commands
31
00:02:09,300 --> 00:02:10,430
is, of course, netstat.
32
00:02:10,530 --> 00:02:16,680
So netstat helps us find out what are some of the outbound connections or established connections that we have,
33
00:02:17,040 --> 00:02:20,510
and there are two really important areas over here.
34
00:02:20,820 --> 00:02:22,620
So we have here what is normal.
35
00:02:22,680 --> 00:02:26,680
OK, so we have an established connection, active Internet connections.
36
00:02:26,740 --> 00:02:28,560
OK, so over here, this is what we're seeing.
37
00:02:29,190 --> 00:02:29,570
All right.
38
00:02:29,940 --> 00:02:32,400
And what I'm going to do next is over here.
39
00:02:33,480 --> 00:02:38,540
I already have a malicious application installed into the device, in the back door.
40
00:02:38,550 --> 00:02:40,220
I'm going to start up display.
41
00:02:40,290 --> 00:02:41,830
OK, so I'm going to go into terminal.
42
00:02:42,030 --> 00:02:43,320
OK, so this is Kali Linux.
43
00:02:43,920 --> 00:02:48,240
I'm going to enter msfconsole to start up the exploit, and I'm going to open up,
44
00:02:48,450 --> 00:02:54,640
OK, a reverse shell from the device all the way into the Kali Linux system.
45
00:02:54,660 --> 00:02:55,770
OK, so go ahead, enter.
46
00:03:00,250 --> 00:03:01,390
So I'm going to set to table now.
47
00:03:06,160 --> 00:03:11,460
OK, so I will, of course, find the IP address of the Kali Linux machine and set the
48
00:03:11,470 --> 00:03:12,040
LHOST.
49
00:03:14,050 --> 00:03:18,520
So, of course, in this case, the IP address of our Kali Linux machine is 192.168.0.
50
00:03:18,820 --> 00:03:19,630
106.
51
00:03:19,630 --> 00:03:25,630
Go ahead and hit enter, and then enter show options to see all the listed options, and go ahead and enter
52
00:03:25,630 --> 00:03:26,010
exploit.
53
00:03:26,100 --> 00:03:31,390
So basically what I'm doing here is to start up a hacking server that would then give us control of
54
00:03:31,390 --> 00:03:32,290
the Android device.
55
00:03:32,830 --> 00:03:39,940
So of course, once the Android device and the user have those applications running and the user has clicked
56
00:03:39,940 --> 00:03:45,970
onto the malicious application. Sometimes what the hackers would do is they will use a legitimate
57
00:03:45,970 --> 00:03:49,120
application and bind this malicious software on top of it.
58
00:03:49,330 --> 00:03:53,320
And this would give them instantaneous access into the mobile device,
59
00:03:53,320 --> 00:03:56,950
giving them access to the geolocation, the messages, everything.
60
00:03:57,340 --> 00:04:04,270
OK, so over here, what we're seeing is that we have an LPORT of 4444 for this running.
61
00:04:04,270 --> 00:04:09,430
So it could be any other port numbers that hackers could be using to gain control of your device.
62
00:04:09,490 --> 00:04:09,850
All right.
63
00:04:10,190 --> 00:04:15,250
And if I go into Command Prompt now and I enter up arrow.
64
00:04:15,280 --> 00:04:19,060
So I enter netstat once more, then we just increase the font size.
65
00:04:19,060 --> 00:04:20,950
So it's a little easier for you to see.
66
00:04:21,250 --> 00:04:22,100
To thirty-six.
67
00:04:22,150 --> 00:04:22,510
OK.
68
00:04:24,540 --> 00:04:29,490
So what I would do next is, again, issuing the same command, netstat.
69
00:04:30,390 --> 00:04:34,390
All right, and what we will see here, OK, if I scroll back up to the top again.
70
00:04:34,710 --> 00:04:34,980
All right.
71
00:04:35,010 --> 00:04:37,680
So unlike the earlier results that we got in.
72
00:04:37,920 --> 00:04:38,220
All right.
73
00:04:38,220 --> 00:04:41,480
So going back to the top, we can see a foreign address.
74
00:04:41,490 --> 00:04:41,740
All right.
75
00:04:41,770 --> 00:04:44,040
Of 4444.
76
00:04:44,610 --> 00:04:46,770
OK, so we see that there is a connection.
77
00:04:47,050 --> 00:04:47,340
All right.
78
00:04:47,340 --> 00:04:49,910
Coming in from the device.
79
00:04:49,980 --> 00:04:51,340
OK, this is it.
80
00:04:51,360 --> 00:04:53,310
An outbound connection to a foreign address.
81
00:04:53,700 --> 00:04:56,010
And this is definitely something amiss.
82
00:04:56,160 --> 00:05:01,980
OK, so there are other things we can look at, not just the network connections, which could be showing all
83
00:05:01,980 --> 00:05:03,690
the suspicious outbound connections.
84
00:05:03,900 --> 00:05:07,760
OK, so why would a mobile device have such a connection outwards?
85
00:05:08,130 --> 00:05:10,200
OK, so that's something to take note of.
86
00:05:10,200 --> 00:05:10,460
All right.
87
00:05:10,470 --> 00:05:14,730
As part of the investigation, whether a device has already been compromised.
88
00:05:15,240 --> 00:05:21,000
The second thing that we could take a look at is in terms of looking at the list of users, looking
89
00:05:21,000 --> 00:05:27,450
at the processes that are actually being run in the system, so you can enter top and hit enter on that.
90
00:05:27,840 --> 00:05:34,810
And this will show us all the different processes that are actually running inside the Android device, in our
91
00:05:34,830 --> 00:05:35,250
case.
92
00:05:35,440 --> 00:05:38,320
OK, we have Shell running.
93
00:05:38,670 --> 00:05:39,060
All right.
94
00:05:39,270 --> 00:05:41,600
And we have all these users over here.
95
00:05:41,640 --> 00:05:42,390
So we have root.
96
00:05:42,630 --> 00:05:44,570
We have a system, we have zero.
97
00:05:45,170 --> 00:05:49,370
We have all these different users who are actually inside the environment right now.
98
00:05:49,410 --> 00:05:51,630
And of course, we have no idea what they're doing.
99
00:05:51,630 --> 00:05:51,840
Right.
100
00:05:51,850 --> 00:05:53,410
So we're trying to investigate what's going on.
101
00:05:53,940 --> 00:05:59,590
So, of course, I can go and enter top again, and we can see all the different information.
102
00:05:59,620 --> 00:06:02,810
I mean, as well as the users, the processes that are running, and so on and so forth.
103
00:06:03,270 --> 00:06:10,380
So, of course, in our case over here, OK, what we're seeing is that there are certain processes
104
00:06:10,380 --> 00:06:14,090
that shouldn't be there, or processes that are suspicious.
105
00:06:14,100 --> 00:06:17,580
And of course, in our case, if I go back to Kali Linux, now if I hit shell.
106
00:06:18,300 --> 00:06:23,290
All right, this means that the hacker is having a command line interface into the device.
107
00:06:23,340 --> 00:06:23,690
All right.
108
00:06:23,700 --> 00:06:29,820
And for example, if a hacker enters whoami to get the username over here, we can see the username as
109
00:06:29,820 --> 00:06:32,690
u0_a1234.
110
00:06:32,770 --> 00:06:37,980
OK, so in our case, when we go back to Command Prompt, looking at top, we can see over here, OK,
111
00:06:37,980 --> 00:06:43,530
we have a user, u0_a134, and they have a shell.
112
00:06:43,830 --> 00:06:49,410
So if you think about it now, if you think about it from a mobile device perspective, why would a
113
00:06:49,410 --> 00:06:51,460
mobile device have a shell running?
114
00:06:51,900 --> 00:06:54,630
Why would a mobile device have a terminal running at all?
115
00:06:54,960 --> 00:07:01,140
OK, so this is another big indicator that your device could have already been compromised and a hacker
116
00:07:01,380 --> 00:07:03,690
is interfacing at a shell level.
117
00:07:04,090 --> 00:07:07,690
OK, so that can be another form of indicator of attack.
118
00:07:07,740 --> 00:07:09,390
OK, next.
119
00:07:10,020 --> 00:07:16,740
And the final sharing is, of course, in terms of looking at ps, which stands for the processes that are running.
120
00:07:17,040 --> 00:07:23,940
So you can enter ps, and this will list all the processes inside the system, again with dash capital A, and we can
121
00:07:23,940 --> 00:07:27,660
see all of those different processes.
122
00:07:27,660 --> 00:07:28,770
that are running in the system.
123
00:07:28,770 --> 00:07:33,020
And of course, we're looking at it again for certain processes that shouldn't be there.
124
00:07:33,300 --> 00:07:39,390
So, for example, over here, OK, we have the common ones like com.android, and we have here
125
00:07:39,690 --> 00:07:40,300
com.metasploit.stage.
126
00:07:40,410 --> 00:07:46,740
Metasploit, of course, is a hacking framework that we use, and we have done a lot of lectures and
127
00:07:46,740 --> 00:07:47,480
tutorials on it.
128
00:07:47,610 --> 00:07:54,310
So that is going to be one suspicious indicator. Other suspicious indicators are going to be shell, or a
129
00:07:54,330 --> 00:08:00,720
shell is also another suspicious indicator if it is being run as a process inside your mobile device.
130
00:08:00,760 --> 00:08:06,450
OK, so these are some of the processes and indicators of attack that we can look at, or indicators of compromise
131
00:08:06,840 --> 00:08:07,680
that we can look at.
132
00:08:07,860 --> 00:08:14,010
OK, so there are many, many other ways for us to further filter down into what exactly is
133
00:08:14,010 --> 00:08:19,470
going on in the process, looking for what is considered normal and what is considered abnormal in those
134
00:08:19,470 --> 00:08:20,820
situations, in those cases.
135
00:08:21,240 --> 00:08:21,540
All right.
136
00:08:21,540 --> 00:08:25,770
And this is how we were able to detect when there was a cyber attack inside our system.
137
00:08:25,800 --> 00:08:29,370
OK, so with that, I hope you've learned something valuable in today's tutorial.
138
00:08:29,610 --> 00:08:33,690
And if you like what you just watched, remember to like, share and subscribe to the channel so that you
139
00:08:33,690 --> 00:08:36,270
can be kept abreast of the latest cyber security.
140
00:08:36,660 --> 00:08:38,130
Thank you so much once again for watching.