All language subtitles for 0016 Check Phone For Indicators Of Compromise.en--- [ FreeCourseWeb.com ] ---

1
00:00:13,200 --> 00:00:18,630
Hey, guys, welcome back to another episode on how to defend, and today we are looking at how we can check

2
00:00:18,630 --> 00:00:21,390
if a mobile device has already been hacked.

3
00:00:21,600 --> 00:00:24,270
OK, so this is going to be a little more technical.

4
00:00:24,450 --> 00:00:31,350
OK, so we need some form of command line interface to find out the processes as well as the network

5
00:00:31,350 --> 00:00:38,130
outbound connections that we're having from our mobile device all the way out onto the Internet or into

6
00:00:38,130 --> 00:00:41,130
some hacking server that is in control of all mobile devices.

7
00:00:41,940 --> 00:00:46,380
So the first thing we want to do is, of course, I want to highlight over here, I have an Android device

8
00:00:46,380 --> 00:00:48,270
running on the left side of the screen, as you can see.

9
00:00:48,930 --> 00:00:54,390
And it can be the same for a physical Android device that you can do the same to.

10
00:00:54,420 --> 00:00:59,960
OK, so you can go ahead and plug in your Android device into a computer system which already has Android

11
00:00:59,990 --> 00:01:01,270
Debug Bridge running.

12
00:01:01,530 --> 00:01:06,330
So if you're not sure what Android Debug Bridge is, we have a video tutorial on that, so do check

13
00:01:06,330 --> 00:01:07,260
it out on the channel.

14
00:01:08,010 --> 00:01:11,820
So what we are going to do now is to actually go ahead and open up command prompt.

15
00:01:11,880 --> 00:01:12,980
OK, so I'm going to open it up.

16
00:01:13,230 --> 00:01:16,080
And of course, I'm going to zoom in a little more so it's easier for you to see.

17
00:01:17,040 --> 00:01:22,020
OK, so I'm going to put this as font size 28, OK, so what we'll do now is to actually kick

18
00:01:22,020 --> 00:01:22,750
start ADB.

19
00:01:23,100 --> 00:01:29,100
So we will need a connection into the Android device through the ADB shell and we can issue some interesting

20
00:01:29,100 --> 00:01:31,710
commands to find out what's going on on the device.

21
00:01:31,770 --> 00:01:36,360
OK, in the background, in the background, I actually have a Kali Linux machine running, so we'll look

22
00:01:36,360 --> 00:01:38,630
at what's normal and what is abnormal.

23
00:01:38,970 --> 00:01:42,150
What are some of the indicators that your phone has already been compromised?

24
00:01:42,570 --> 00:01:49,080
So first of all, you can go in, enter adb devices and it will show us a list of Android devices

25
00:01:49,080 --> 00:01:50,940
that are connected to your computer system.

26
00:01:51,200 --> 00:01:54,100
OK, so you could do the same for any form of operating system.

27
00:01:54,120 --> 00:02:00,600
So go ahead, enter adb shell and this would bring us into the device itself.

28
00:02:00,630 --> 00:02:03,830
So now we are currently controlling the device on the left side.

29
00:02:03,840 --> 00:02:04,410
You can see.

30
00:02:05,070 --> 00:02:08,970
So of course, one of those things that we can do is to issue some commands and one of those commands

31
00:02:09,300 --> 00:02:10,430
is, of course, netstat.

32
00:02:10,530 --> 00:02:16,680
So netstat helps us find out what are some of the outbound connections or established connections that we have

33
00:02:17,040 --> 00:02:20,510
and there are two really important areas over here.

34
00:02:20,820 --> 00:02:22,620
So we have here what is normal.

35
00:02:22,680 --> 00:02:26,680
OK, so we have an established connection, active Internet connections.

36
00:02:26,740 --> 00:02:28,560
OK, so over here, this is what we're seeing.

37
00:02:29,190 --> 00:02:29,570
All right.

38
00:02:29,940 --> 00:02:32,400
And what I'm going to do next is over here.

39
00:02:33,480 --> 00:02:38,540
I really have a malicious application installed on the device, a backdoor.

40
00:02:38,550 --> 00:02:40,220
I'm going to start up Metasploit.

41
00:02:40,290 --> 00:02:41,830
OK, so I'm going to go into terminal.

42
00:02:42,030 --> 00:02:43,320
OK, so this is Kali Linux.

43
00:02:43,920 --> 00:02:48,240
I'm going to enter msfconsole to start up Metasploit and I'm going to open up,

44
00:02:48,450 --> 00:02:54,640
OK, a reverse shell from the device all the way into the Kali Linux system.

45
00:02:54,660 --> 00:02:55,770
OK, so go ahead, enter.

46
00:03:00,250 --> 00:03:01,390
So I'm going to set the payload now.

47
00:03:06,160 --> 00:03:11,460
OK, so I will, of course, enter DDR to find the IP address of the Kali Linux machine and set the

48
00:03:11,470 --> 00:03:12,040
LHOST.

49
00:03:14,050 --> 00:03:18,520
So, of course in this case, the IP address of our Kali Linux machine is 192.168.0

50
00:03:18,820 --> 00:03:19,630
.106.

51
00:03:19,630 --> 00:03:25,630
Go ahead and hit enter and then enter show options to see all the listed options and go ahead and enter

52
00:03:25,630 --> 00:03:26,010
exploit.

53
00:03:26,100 --> 00:03:31,390
So basically what I'm doing here is to start up a hacking server that would then give us control of

54
00:03:31,390 --> 00:03:32,290
the Android device.

55
00:03:32,830 --> 00:03:39,940
So of course, once the Android device and the user has those applications running and the user has clicked

56
00:03:39,940 --> 00:03:45,970
onto the malicious application, sometimes what the hackers would do is they will use a legitimate

57
00:03:45,970 --> 00:03:49,120
application and embed this malicious software on top of it.

58
00:03:49,330 --> 00:03:53,320
And this would give them an instantaneous access into the mobile device.

59
00:03:53,320 --> 00:03:56,950
Giving them access to the geolocation, SMS messages, everything.

60
00:03:57,340 --> 00:04:04,270
OK, so over here, what we're seeing is that we have an LPORT of 4444 that is running.

61
00:04:04,270 --> 00:04:09,430
So it could be any other port number that hackers could be using to gain control of your device.

62
00:04:09,490 --> 00:04:09,850
All right.

63
00:04:10,190 --> 00:04:15,250
And if I go into command prompt now and if I enter, I hit the up arrow.

64
00:04:15,280 --> 00:04:19,060
So I enter netstat once more, then we just increase the font size.

65
00:04:19,060 --> 00:04:20,950
So it's a little easier for you to see.

66
00:04:21,250 --> 00:04:22,100
To 36.

67
00:04:22,150 --> 00:04:22,510
OK.

68
00:04:24,540 --> 00:04:29,490
So what I would do next is, again, the same, issuing the same command, netstat.

69
00:04:30,390 --> 00:04:34,390
All right, and what we will see here, OK, if I scroll back up to the top again.

70
00:04:34,710 --> 00:04:34,980
All right.

71
00:04:35,010 --> 00:04:37,680
So unlike the earlier results that we got in.

72
00:04:37,920 --> 00:04:38,220
All right.

73
00:04:38,220 --> 00:04:41,480
So going back to the top, we can see a foreign address.

74
00:04:41,490 --> 00:04:41,740
All right.

75
00:04:41,770 --> 00:04:44,040
Of 4444.

76
00:04:44,610 --> 00:04:46,770
OK, so we see that there is a connection.

77
00:04:47,050 --> 00:04:47,340
All right.

78
00:04:47,340 --> 00:04:49,910
Coming in from the device.

79
00:04:49,980 --> 00:04:51,340
OK, this is an

80
00:04:51,360 --> 00:04:53,310
outbound connection to a foreign address.

81
00:04:53,700 --> 00:04:56,010
And this is definitely something amiss.

82
00:04:56,160 --> 00:05:01,980
OK, so the other things we can look at, for not just a network connection, which could be showing all

83
00:05:01,980 --> 00:05:03,690
the suspicious outbound connections.

84
00:05:03,900 --> 00:05:07,760
OK, so why would a mobile device have such a connection outwards?

85
00:05:08,130 --> 00:05:10,200
OK, so there's something to take note of.

86
00:05:10,200 --> 00:05:10,460
All right.

87
00:05:10,470 --> 00:05:14,730
As part of the investigation, whether a device has already been compromised.

88
00:05:15,240 --> 00:05:21,000
The second thing that we could take a look at is in terms of looking at the list of users, looking

89
00:05:21,000 --> 00:05:27,450
at the processes that are actually being run in the system, so you can enter top, OK, enter on that.

90
00:05:27,840 --> 00:05:34,810
And this will show us all the different processes that are actually running inside the Android device in our

91
00:05:34,830 --> 00:05:35,250
case.

92
00:05:35,440 --> 00:05:38,320
OK, we have shell running.

93
00:05:38,670 --> 00:05:39,060
All right.

94
00:05:39,270 --> 00:05:41,600
And we have all this number of users over here.

95
00:05:41,640 --> 00:05:42:390
So we have root.

96
00:05:42,630 --> 00:05:44,570
We have system, we have zero.

97
00:05:45,170 --> 00:05:49,370
We have all these different users who are actually inside the environment right now.

98
00:05:49,410 --> 00:05:51,630
And of course, we have no idea what they're doing.

99
00:05:51,630 --> 00:05:51,840
Right.

100
00:05:51,850 --> 00:05:53,410
So we're trying to investigate what's going on.

101
00:05:53,940 --> 00:05:59,590
So, of course, I can go and enter top again and we can see all the different information.

102
00:05:59,620 --> 00:06:02,810
I mean, as well as the users, the processes that are running and so on, so forth.

103
00:06:03,270 --> 00:06:10,380
So, of course, in our case over here, OK, what we're seeing is that there are certain processes

104
00:06:10,380 --> 00:06:14,090
that shouldn't be there, just the processes that are suspicious.

105
00:06:14,100 --> 00:06:17,580
And of course, in our case, if I go back to Kali Linux, now if I enter shell.

106
00:06:18,300 --> 00:06:23,290
All right, this means that the hacker is having a command line interface into the device.

107
00:06:23,340 --> 00:06:23,690
All right.

108
00:06:23,700 --> 00:06:29,820
And for example, if a hacker enters whoami to get the username over here, so we can see the username as u0

109
00:06:29,820 --> 00:06:32,690
underscore a one, two, three, four.

110
00:06:32,770 --> 00:06:37,980
OK, so in our case, when we go back to command prompt looking at top, we can see over here, OK,

111
00:06:37,980 --> 00:06:43,530
we have a user, u0 a one, three, four, and they have a shell.

112
00:06:43,830 --> 00:06:49,410
So if you think about it now, if you think about it from a mobile device perspective, why would a

113
00:06:49,410 --> 00:06:51,460
mobile device have a shell running?

114
00:06:51,900 --> 00:06:54,630
Why would a mobile device have a terminal running at all?

115
00:06:54,960 --> 00:07:01,140
OK, so this is another big indicator that your device could have already been compromised and a hacker

116
00:07:01,380 --> 00:07:03,690
is interfacing at a shell level.

117
00:07:04,090 --> 00:07:07,690
OK, so that can be another form of indicator of attack.

118
00:07:07,740 --> 00:07:09,390
OK, next.

119
00:07:10,020 --> 00:07:16,740
And the final sharing is, of course, in terms of looking at ps, which stands for processes that are running.

120
00:07:17,040 --> 00:07:23,940
So you can enter ps, this will list all the processes inside the system again, with a capital A, and we can

121
00:07:23,940 --> 00:07:27,660
see all of those different processes.

122
00:07:27,660 --> 00:07:28,770
They're running in the system.

123
00:07:28,770 --> 00:07:33,020
And of course, we're looking at it again for certain processes that shouldn't be there.

124
00:07:33,300 --> 00:07:39,390
So, for example, over here, OK, we have the common ones like com dot android and we have here com dot

125
00:07:39,690 --> 00:07:40,300
metasploit dot stage.

126
00:07:40,410 --> 00:07:46,740
Metasploit, of course, is a hacking framework that we use and we have done a lot of lectures and

127
00:07:46,740 --> 00:07:47,480
tutorials on it.

128
00:07:47,610 --> 00:07:54,310
So that is going to be one suspicious indicator. Other suspicious indicators are going to be shell, or a

129
00:07:54,330 --> 00:08:00,720
shell is also another suspicious indicator if it is being run as a process inside your mobile device.

130
00:08:00,760 --> 00:08:06,450
OK, so these are some of the processes and indicators of attack that we can look at, or indicators of compromise

131
00:08:06,840 --> 00:08:07,680
that we can look at.

132
00:08:07,860 --> 00:08:14,010
OK, so there are many, many other ways for us to further filter down into what exactly is

133
00:08:14,010 --> 00:08:19,470
going on in the process, looking for what is considered normal and what is considered abnormal in those

134
00:08:19,470 --> 00:08:20,820
situations, in those cases.

135
00:08:21,240 --> 00:08:21,540
All right.

136
00:08:21,540 --> 00:08:25,770
And this is how we were able to detect when there was a cyber attack inside our system.

137
00:08:25,800 --> 00:08:29,370
OK, so with that, I hope you've learned something valuable in today's tutorial.

138
00:08:29,610 --> 00:08:33,690
And if you like what you just watched, remember to like, share and subscribe to the channel so that you

139
00:08:33,690 --> 00:08:36,270
can be kept abreast of the latest cyber security.

140
00:08:36,660 --> 00:08:38,130
Thank you so much once again for watching.
