mvt-project / mvt

MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.
https://mvt.re

How to check for Pegasus on an Android device if you don't have a Mac or Linux machine, just a Win10 - For Dummies Edition. #167

Open Sebastian-Cerga opened 3 years ago

Sebastian-Cerga commented 3 years ago

Can someone update the docs/wiki with something similar to this?

NOTE: If you recently restarted your phone, Pegasus has probably been removed already, so you will find no traces when using the MVT forensics tool.
//Read more about MVT: https://docs.mvt.re/en/latest/index.html

--Installation of MVT in a Linux environment (Debian) which is running on your Internet-connected Windows 10 machine:

//If (/Once) you have an updated Windows machine, create a temporary folder where you want to dump the files from your phone that you will check for Pegasus traces, for example "C:\Pegasus", so you need some free space on the "C:" drive.
mkdir c:\Pegasus

//Install WSL 2.0 and the related dependencies as you will need this to run a Linux instance from within your Windows 10 machine (go to the Manual Install steps).
https://docs.microsoft.com/en-us/windows/wsl/install-win10#manual-installation-steps

Short recap of the WSL guide:
//Run this command
dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
//Run this command
dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart
//Download and install this:
https://wslstorestorage.blob.core.windows.net/wslblob/wsl_update_x64.msi
wsl --set-default-version 2
//(You can stop with the WSL guide here and restart your Windows 10 machine - you don't need Windows Terminal, that's for more advanced users than you probably are.)

//Install Debian for WSL (or your other desired distro, but I tested with Debian on 17.08.2021).
https://www.microsoft.com/en-us/p/debian/9msvkqc78pk6
//You don't need a Microsoft account to download and install the distro. Once the files are downloaded/installed a Linux window (with a command line interface) will prompt you to create a user/password.
//Enter what you wish, e.g. "mvtuser" with pwd "mvt", but remember that when running "sudo" or "system administrator" commands in Linux the user/pwd can be requested, so remember what you create at this step.

//If you've closed the Debian window you can open it again by running these wsl commands in a "Command Prompt", "PowerShell" or "Windows Terminal" application:
' start distro
wsl -d "distro name"
//In my case, to start Debian I'd run "wsl -d debian"
//or simply run "Debian" from the Windows "Start" menu like you would any normal Windows application.

//Once in the Debian environment you can use the "exit" command or close the window, BUT if you do so the Linux instance will still be running in the background.
//To close it you need to run a wsl terminate or wsl shutdown command from a Windows "Command Prompt":
' terminate distro
wsl -t "distro name"
' shutdown distro
wsl -d "distro name" --shutdown

' list available distros to see if they are running or stopped
wsl --list --verbose
' shutdown all distros
wsl --shutdown

+Go to the open DEBIAN instance (which is a window with a command line interface where commands can be entered).
//Optional - If you want to use the temporary "C:\Pegasus" then that is already mounted and you can skip this. But if you don't want to save the temporary files in "C:\Pegasus" but on another drive, for example "E:\Pegasus", which was not mounted already, you need to first mount "E:" for it to be available in Debian. Follow these instructions for that, or just use "C:\Pegasus" and don't complicate your life, will ya?
https://docs.microsoft.com/en-us/windows/wsl/wsl2-mount-disk

//Update the Debian repository list by writing this command (enter password when prompted).
sudo apt update

//Install Python (to be able to run the scripts) on the Debian machine
sudo apt install python3 python3-pip libusb-1.0-0 sqlite3

//Install MVT on the Debian machine and run these commands one by one.
//More info on MVT: https://docs.mvt.re/en/latest/install.html#mvt-on-windowsa

export PATH=$PATH:~/.local/bin

pip3 install mvt

//Copy all rows up to "lsb-release", it's one command split on multiple rows.
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release

//Install Docker on the Debian machine (you'll need another docker install procedure for other distros)
https://docs.docker.com/engine/install/debian/

curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

//Copy all rows at the same time, it's one command split on multiple rows.
echo \
  "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

//Install ADB (Android Debug Bridge - to be able to connect to the phone - it's a Google official tool)
//More info on ADB: https://developer.android.com/studio/command-line/adb

sudo apt-get install adb

//Check the Debian adb version as it is most likely older than the newest one available in the latest Google Android SDK
adb version
//In my case that was 1.0.39

+Go back to your Win10 machine
//You need the same version of "adb" on your Windows machine as the one on the Debian machine.
//I recommend you download the official SDK and get the "adb.exe" & adb*.dll files from that zip file rather than downloading from another source.
//You can use the site http://adbcommand.com/client - a site which tells you which adb version was released when. I don't recommend you download adb from there, but just check which official SDK should have it and then download the official platform-tools file from the archive.
//To download your Android SDK Platform Tools file for Windows you can get the latest from here: https://dl.google.com/android/repository/platform-tools-latest-windows.zip, or, most likely, you will need an older SDK version.
//In my case I needed adb 1.0.39 which was released in June 2017 (http://adbcommand.com/client) > equivalent of (https://developer.android.com/studio/releases/platform-tools) v26 which I got from https://dl.google.com/android/repository/platform-tools_r26.0.0-windows.zip
//(If you run this guide at a later date, you will probably be able to get other versions from http://dl.google.com/android/repository/platform-tools_rXX-windows.zip by replacing XX with your needed platform version.)
//After downloading platform-tools, extract the contents of the ZIP file into an easily accessible folder (such as C:\platform-tools).
//Open Windows Explorer and browse to where you extracted the contents of this ZIP file.
//Then open up a Command Prompt from the same directory that contains the adb.exe file. This can be done by holding Shift and right-clicking within the folder, then clicking the "Open command window here" option. (Some Windows 10 users may see "PowerShell" instead of "command window".)

+On Android Phone
//Make sure you have Developer Tools enabled on your Android device and "Wireless ADB Debugging" active.
//If you don't have the Developer menu available in your Android Settings, find and press seven times on the Build number (the location of the "Build number" information differs according to vendor, see some examples below).
Google Pixel: Settings > System > About phone > Build number
Samsung Galaxy S8 and later: Settings > About phone > Software information > Build number
LG G6 and later: Settings > About phone > Software info > Build number
HTC U11 and later: Settings > About > Software information > More > Build number
OnePlus 5T and later: Settings > About phone > Build number
//You will get some messages "You are now X steps away from being a developer" and after you see the "You are now a developer!" message the menu will be available.

--Connect your phone and connect the Linux distro to it (unfortunately WSL (the Linux instances) does not support USB devices yet, so we need to use a trick to connect via the WIFI to the Windows adb server which has the USB connection in the Windows environment).

+On Win10 connect the Android phone via a USB cable
//RUN ADB on a custom port by running this command in the cmd or powershell window opened earlier
adb tcpip 5555

//On the Android device you need to authorize the connection. Check the "always" box as well so that you are not asked about this connection in the future.
//Find your Android device IP address (make sure you're connected to the same WIFI network and write the Android device IP down). Find that in "About Phone" or "Phone Status".

+On the Debian machine run this command
adb connect [android device ip]:5555

//Optional, if you haven't already authorized the device before, on the Android device you need to authorize this connection as well. Check the always box again.
adb kill-server
adb connect [android device ip]:5555

//Optional - an easy check if you have an adb connection via WSL would be to list the connected devices or the Android packages found on the connected devices:
adb devices -l
or
adb shell pm list packages

--Running MVT

//Finally run MVT by replacing "192.168.1.20" with your Android device IP. Each APK (application package) from your Android device will be copied on your filesystem to the "C:\Pegasus" directory.
mvt-android download-apks --output /mnt/c/Pegasus --all-checks --serial 192.168.1.20:5555
//If you want to use "E:/Pegasus" for the temporary files then replace /mnt/c/Pegasus with /mnt/e/Pegasus.

//It will take a while for the files to copy.
//If nothing suspicious shows up in the result, most likely Pegasus was not present on your machine or you rebooted and it was wiped clean. If there are traces detected or malware detected, research on your own what to do next.

+On the Windows machine you can close the Debian instance by running this command:
wsl -d debian --shutdown

//Close the Win10 ADB bridge as well
adb kill-server

--Bonus SMS check.
//If you want to check your SMS for suspicious links then you'll need to do this on the Debian machine, details here: https://docs.mvt.re/en/latest/android/backup.html

//Create a backup of your SMSs - don't worry, only of the SMS app, so you can set whatever password for the backup you want.
adb backup com.android.providers.telephony
//Optional, install Java if you don't have it already (probably not if you are following this guide)
sudo apt install default-jdk
//Get Android Backup Extractor
curl -LJO https://github.com/nelenkov/android-backup-extractor/releases/download/20210809062417-4c55371/abe.jar
//If the backup is encrypted, the password will be asked by Android Backup Extractor to decrypt the file.
java -jar abe.jar unpack backup.ab backup.tar
tar xvf backup.tar
//You can then extract SMSs containing links with MVT:
mvt-android check-backup --output . .
//Install JTBL - a simple CLI tool to print JSON data as a table in the terminal.
pip3 install jtbl
//Print the contents of the SMSs on your screen.
cat sms.json | jtbl
//Write the SMS list in your Pegasus folder
cat sms.json | jtbl > "/mnt/c/Pegasus/SMS List.txt"
cp sms.json "/mnt/c/Pegasus/SMS List.json"
//Delete files
rm abe.jar
rm -r apps
rm backup.ab
rm backup.tar
rm sms.json

//But it doesn't really matter if you're an idiot who installed SMS controlling malware: https://theconversation.com/how-hackers-can-use-message-mirroring-apps-to-see-all-your-sms-texts-and-bypass-2fa-security-165817

--Optional, removing all of these tools and WSL/Debian

//Optional, you can delete the Pegasus temp folder you created and the files contained within from a "Command Prompt"/"PowerShell"
rmdir c:\Pegasus /s /q
or simply delete the folder from Windows Explorer

//Optional, you can uninstall the Linux distro: open the "Apps & Features" section from "Windows Settings", search for "Debian" or whatever distro you used and uninstall it,
or search in the Start menu for "Debian", right click and select "Uninstall".

//Optional, you can disable Windows Subsystem for Linux (a restart will be needed at a later time)
Dism /online /Disable-Feature /featurename:VirtualMachinePlatform /all /norestart
and uninstall "Windows Subsystem for Linux Update" from the "Apps & Features" section of "Windows Settings", as you also no longer need this, and now you can restart your PC.

rachidmaft commented 2 years ago

Can I do it from an Android phone and scan another, with Termux?

MissiegoBeats commented 2 years ago

I did all of this and I get this error when running mvt-android download-apks --output ... --all-checks --serial ...:5555 (I tried doing adb shell pm list packages and got a response from my Android...):
18:25:29 INFO [mvt.android.download_apks] Retrieving list of installed packages...
CRITICAL [mvt.android.modules.adb.base] No device found. Make sure it is connected and unlocked.
I'm working on kali linux (virtualbox)

Sebastian-Cerga commented 2 years ago

> I did all of this and I get this error when running mvt-android download-apks --output ... --all-checks --serial ...:5555 (I tried doing adb shell pm list packages and got a response from my Android...):
> 18:25:29 INFO [mvt.android.download_apks] Retrieving list of installed packages...
> CRITICAL [mvt.android.modules.adb.base] No device found. Make sure it is connected and unlocked.
> I'm working on kali linux (virtualbox)

You need to fix your adb connection with the phone. You might have forgotten to allow it from your developer settings on the device, or your phone does not allow wireless adb. :(
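As an added example (not from the guide above or from MVT), here is a small POSIX shell preflight for the WSL-to-Windows adb setup: it parses the `adb version` and `adb devices -l` output the guide has you read by eye, so you can confirm the Debian client version matches the one you fetched on Windows and that the serial you will pass to `--serial` is reported as `device` rather than `unauthorized`, `offline` or absent before you run into the "No device found" error discussed above. `DEVICE_SERIAL` and `WIN_ADB_VERSION` are assumed environment variables you set yourself, and the adb output fed to the functions in the test is constructed.

```shell
#!/bin/sh
# Preflight for the WSL -> Windows adb-over-TCP setup in this thread.
# The parsing functions read adb's text output from stdin so they can be
# exercised offline; only the block at the bottom touches a real adb binary.

# Print the client version from `adb version` output,
# e.g. "Android Debug Bridge version 1.0.39" -> "1.0.39".
adb_client_version() {
    sed -n 's/^Android Debug Bridge version \([0-9.]*\).*/\1/p' | head -n 1
}

# Given a serial (e.g. 192.168.1.20:5555) and `adb devices -l` output on stdin,
# print that device's state column (device, unauthorized, offline) or "missing".
adb_device_state() {
    awk -v serial="$1" '
        NR > 1 && $1 == serial { print $2; found = 1 }
        END { if (!found) print "missing" }'
}

# Translate a state into the fix the thread points at; succeed only on "device".
explain_state() {
    case "$1" in
        device)       echo "ok: $2 is authorized and online"; return 0 ;;
        unauthorized) echo "fix: accept the USB debugging prompt on the phone (tick 'always')"; return 1 ;;
        offline)      echo "fix: on Windows run 'adb kill-server', then 'adb tcpip 5555', then reconnect"; return 1 ;;
        missing)      echo "fix: run 'adb connect $2' first and check phone and PC share a Wi-Fi network"; return 1 ;;
        *)            echo "unknown adb state: $1"; return 1 ;;
    esac
}

# Live run (skipped when adb is absent). DEVICE_SERIAL and WIN_ADB_VERSION are
# assumed environment variables: the serial you pass to mvt-android --serial and
# the version string you noted from adb.exe on Windows.
if command -v adb >/dev/null 2>&1 && [ -n "${DEVICE_SERIAL:-}" ]; then
    wsl_ver="$(adb version | adb_client_version)"
    if [ -n "${WIN_ADB_VERSION:-}" ] && [ "$wsl_ver" != "$WIN_ADB_VERSION" ]; then
        echo "warn: WSL adb $wsl_ver != Windows adb $WIN_ADB_VERSION (the guide needs them to match)"
    fi
    explain_state "$(adb devices -l | adb_device_state "$DEVICE_SERIAL")" "$DEVICE_SERIAL"
fi
```

Run it inside Debian after the `adb connect` step, for example `DEVICE_SERIAL=192.168.1.20:5555 WIN_ADB_VERSION=1.0.39 sh adb-preflight.sh`.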