How to Create a Lab for Android Hacking ? Pentesting Android

As Android-benefit bug hunters and hackers, we need a well-designed environment to work when we detect exploitation and seek risk. This could mean a virtual Android operating system or a network dedicated to capturing applications and making a central human attack.

There are many ways to set up a paint lab. Virtual Locations for Android are made possible by projects like VirtualBox, OSBoxes, and Androidx86. And there are a few benefits to building a visible Android OS within your Kali machine.

Virtual machines (VMs) are very easy to assemble and restore to a state where they accidentally or break an Android fixable fix. Also, it gives us the ability to increase the CPU and RAM to higher than Android devices can. For example, you may have built a virtual Android OS with 32 GB of RAM. While this price is surprisingly high and unreasonable, it will actually allow us to keep multiple programs and services running simultaneously.

On the other hand, some readers may not have the resources available (e.g., RAM, CPU) for running Android VM. Another area we can set up requires a virtual Android device and a dedicated Wi-Fi network. Of course, we can simply connect Kali and our Android device to our home Wi-Fi network, but using Kali as a Wi-Fi hotspot and transferring all Android data via Kali allows us to easily take data sent to and from the original device.

There are many simple things about using the Android OS visual, but it does not compare at all with a real virtual phone that can provide real-world simulations of how Android will respond to specific applications or hacking. For that reason, surfing the visible Android is my favorite method. But I will show you how to quickly set both and let you decide which one best meets your needs.

Option 1: Virtual Android Environment (VirtualBox Lab)

OSBoxes offers pre-configured Linux applications for our convenience. Using virtual OSBoxes Android devices for VirtualBox, we can have an active Android operating system with just a few clicks.

Step 1: Download the Android image

Navigate to the Android x86 download page on the Oboxes site to capture the latest 64-bit Android image of VirtualBox.

At the time of this writing, OSBoxes only supports up to Android 7.1 Nougat version. Android Oreo (version 8.1) will be available soon. Students with more technical understanding of ISO installation can directly navigate to the Android-x86 website and capture Oreo ISO not previously specified as OSBoxes images.

Step 2: Extract the VirtualBox Disk Image

When the compressed Android-x86_7.1_r1-VB-64bit.7z file (or any version you have selected) has finished downloading, remove the VirtualBox Disk Image (VDI) using the 7z command below. Unzipping a .7z file can take several minutes. When done, the new 64bit / directory will be available in your Downloads / directory.

Step 3: Configure Android VM settings

Open VirtualBox on your Kali system, and create a new virtual machine using the "New" button. If you do not have VirtualBox, you can download it for free from its website. On the first page, call it "Android," and select "Linux" as the Version with Linux 2.6 64-bit version. Click on "Next" to continue.

Set memory (RAM) to at least 1,024 MB. Click on "Next" to continue.

Select the "Use hard disk disk" option available in Hard disk settings, then select Android VDI in the 64bit / directory that we downloaded earlier. Click on "Create" to continue.

After that, with the new Android VM selected in the list of devices in VirtualBox, click on "Settings," then on the "System" tab, then adjust Boot Order for "Hard Disk" to be the first option and Device Identification is set to "PS / 2 Mouse."

On the "Network" Settings tab, set "Adapter 1" as "Bridged Adapter" and set the Adapter type in the "Advanced" menu to "PCnet-FAST III." This will allow Android VM to connect to your Wi-Fi router and retrieve its IP address.

When you're done, click "OK," and start Android VM. After about 60 seconds, the operating system will start, and we will be able to access the new Android OS to pentesting.

In blocked mode, other devices on the Wi-Fi network will be able to capture and interact with the Android OS. We can make human attacks in the middle against the OS as if it were a visual tool on a Wi-Fi network. Below is an example of a human attack in the area carried out using MITMf.

We see that the Android device (, running Chrome version 50, sent a POST request containing an email address and password in plain text.

Option 2: Dedicated Wi-Fi Hotspot and Hardware

This method requires a dedicated (visible) Android device to pierce and open an external Wi-Fi adapter to create a hotspot. The idea is, Kali will successfully build a Wi-Fi hotspot to which the Android device connects. All the information going to and from Android will be easily seen without any kind of attack by the average person. This is easy for bug bounty hunters using tools like Burp Suite or Wireshark to check packages at a very granular level.

If you don't have an Android phone around that you can use as a piercing device, Amazon has many cheap options available for the test phone, which will be a valuable asset for your security tool.

Step 1: Create a new Wi-Fi Hotspot

To start, turn off Kali and connect Kali-compatible wireless network adapter to the system. Open the "Network Connection" menu, click the "+" icon to add a "Wi-Fi" connection, and select "Create."

Network connection settings vary slightly between different versions of Kali. I'm using the XFCE4 version but all models have a network manager that can create Wi-Fi hotspots using the same steps.

Step 2: Configure Hotspot and password

A new Edit window will appear. Required fields are SSID, Mode, and Device. Be sure to use "Hotspot" mode and select the device (most likely wlan0) for your Wi-Fi adapter. If you do not know the name of the network adapter, you can use ifconfig to retrieve it. The Wi-Fi network name (SSID) can be anything you want; I'm using "Bhat Aasim" for this show.

Next, click on the "Wi-Fi Security" tab and enter a strong password.

Click "Save" when you're done, and Kali should create a Wi-Fi hotspot for "Bhat Aasim". This can be verified using ifconfig in the forum.

Notice inet address This is a new internal address system used by devices that connect to your "Bhat Aaim" Wi-Fi network. When you connect Android to the network, it will automatically find the address

At this point, we can open Wireshark and start downloading data on the wlan0 interface to see packets going to or from Android. There is a direct connection between Android and Kali so that your "Bhat Aasim" network does not overwhelm network traffic from other devices on your external network ( Other piercing tools like Burp Suite can be customized with Android to find and modify all applications.

Let the Penetration Testing Begins

There are advantages to both. If you can afford RAM and CPU, the visual environment of Android may be the best option for you. If Hardware resources are limited and you have an unused Android device to commit to, the second option may be your preferred option. In any case, you are encouraged to try both methods and learn what works best for you.

If you have any questions, please feel free to leave a comment below.

Post a Comment