API tools faq
paste
WhosYourDaddySec

Android Exploitation via PRoot Userlands, PKI Manipulation, and TLS Reconnaissance

WhosYourDaddySec
Oct 20th, 2025
110
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 18.54 KB | None | 0 0
raw download clone embed print report
  1. Mobile Offensive Informatics Framework
  2.  
  3. A Turnkey Guide to Non-Root Android Exploitation via PRoot Userlands, PKI Manipulation, and TLS Reconnaissance
  4.  
  5. Written and Researched by: Michael S. Errington
  6.  
  7. Version 4.20 | Published Date: October 15, 2025
  8.  
  9.  
  10. This documentation details the Mobile Offensive Informatics Framework, an advanced suite of Bash scripts engineered for conducting sophisticated informatics operations on non-root Android devices through Termux. By harnessing PRoot—a user-space implementation of chroot—the framework establishes isolated Linux userland environments, facilitating the manipulation of Public Key Infrastructure (PKI) trust anchors, Transport Layer Security (TLS) protocols, and certificate forging without jeopardizing host system integrity. The framework amalgamates the Termux Proot Userland Manager for environment orchestration, the PKI Manager for hierarchical Certificate Authority (CA) operations, and the TLS Downloader for certificate extraction and reconnaissance, delivering a self-contained, turnkey solution for reconnaissance, forging, and simulated adversarial attacks.
  11.  
  12. A pivotal advancement lies in the framework's capacity to democratize high-value offensive techniques, substantially reducing the expertise threshold required for executing complex maneuvers such as man-in-the-middle (MitM) attacks via forged certificates or TLS protocol exploitation. Traditionally, these operations demanded profound knowledge of cryptographic tools, system administration, and privileged access—often necessitating rooted devices or desktop environments. The framework abstracts these intricacies into intuitive command-line interfaces and automated workflows, empowering operators with varying skill levels, including novices, to perform elite-level tasks directly from mobile platforms. This paradigm shift not only enhances accessibility but also underscores the evolving landscape of mobile cybersecurity, where smartphones serve as potent vectors for informatics-driven attacks.
  13.  
  14. Drawing from iterative refinements across multiple versions, this documentation consolidates all prior enhancements, including extended PKI functionalities for certificate copying and forging, TLS extensions for comprehensive chain analysis, and integrations for protocol manipulation. With a candid detailed exposition, it provides a publish-ready resource replete with technical breakdowns, practical examples, and strategic insights, ensuring users can deploy and leverage the framework effectively.
  15.  
  16. The Mobile Offensive Informatics Framework evolved from rudimentary Termux scripts into a sophisticated toolkit, addressing the limitations of non-root Android environments. Initial versions focused on basic PRoot userland management, inspired by the need for isolated Linux simulations on mobile devices. Subsequent iterations incorporated PKI operations, enabling certificate issuance and verification within sandboxes. The TLS Downloader emerged as a reconnaissance extension, extracting and parsing certificate chains for forensic analysis. Later enhancements added forging capabilities, allowing operators to replicate and alter certificates for adversarial simulations. This progression reflects broader trends in mobile cybersecurity, where tools like PRoot and OpenSSL empower on-device operations without compromising device security or requiring root privileges.
  17.  
  18. Comparatively, frameworks like Kali NetHunter or desktop-based tools (e.g., Burp Suite for TLS interception) demand rooted devices or external hardware, limiting mobility. The Mobile Offensive Informatics Framework distinguishes itself through its non-root, script-based approach, integrating PRoot for isolation, OpenSSL for cryptography, and automated workflows for accessibility. Research by me, highlights how such tools lower entry barriers, enabling "script kiddie" to expert-level transitions in offensive informatics.
  19.  
  20. The Mobile Offensive Informatics Framework comprises three interdependent Bash scripts, each serving a distinct yet synergistic role in enabling informatics tasks on Android via Termux. These scripts operate within PRoot-created userlands, which emulate full Linux distributions as non-root processes, providing a sandboxed arena for high-risk activities like PKI manipulation and TLS analysis.
  21.  
  22. - Termux Proot Userland Manager (`userland_manager.sh`): The foundational component, responsible for provisioning and managing PRoot environments. It downloads pre-built root filesystems (e.g., Ubuntu Focal, Debian Buster, Alpine), registers instances in a SQLite database, and facilitates interactive or command-line access. Key functionalities include verification of userland integrity, customization of mount bindings (e.g., exposing host directories like `/dev` or `$HOME`), and persistence of configurations. This manager ensures isolation, preventing operations from affecting the host Android system, while supporting fakeroot modes for simulated root privileges essential for cryptographic tasks.
  23.  
  24. - PKI Manager (`pki_manager.sh`): An extension tailored for PKI informatics, automating the creation and management of hierarchical CA structures. It generates root and intermediate Certificate Authorities, issues server and client certificates with Subject Alternative Names (SANs), handles revocation via Certificate Revocation Lists (CRLs), and supports data signing/verification. Outputs are formatted in PEM, Base64, and PKCS#12 for interoperability. Advanced features include CSR signing for external requests, enabling certificate forging by re-issuing or modifying extracted chains. This component integrates seamlessly with userlands, leveraging OpenSSL for all cryptographic operations and ensuring secure storage with restrictive permissions (e.g., 600 for private keys).
  25.  
  26. - TLS Downloader (`tls_downloader.sh`): A reconnaissance-centric tool for extracting and dissecting TLS certificate chains from HTTPS endpoints. Utilizing OpenSSL's `s_client`, it captures full chains, parses extensions (e.g., keyUsage, subjectAltName), verifies against CA bundles, and fetches revocation data (CRLs and OCSP responses). It also performs HTTP header analysis, negotiates TLS sessions to log protocols and ciphers, and optionally crawls websites for additional intelligence. Outputs include split certificate files, JSON summaries with fingerprints, and SHA-256 hash inventories, facilitating forensic examination and integration with PKI forging workflows.
  27.  
  28. Collectively, the framework supports a linear workflow: (1) Deploy isolated userlands via the manager; (2) Extract certificates from targets using the TLS downloader; (3) Manipulate or forge certificates within the PKI manager; and (4) Simulate or execute attacks, such as MitM, within the sandbox. This turnkey design emphasizes informatics— the study and manipulation of information systems—through cryptography, networking, and protocol analysis, while prioritizing portability, automation, and security. Extensions from prior versions include advanced forging techniques (e.g., altering SANs for impersonation), protocol fuzzing integrations, and mobile-specific optimizations for on-the-go operations.
  29.  
  30. The framework's core philosophy is accessibility: By abstracting complex commands into scripts, it transforms esoteric tasks (e.g., OpenSSL CA management) into executable workflows, reducing the cognitive load on operators. For instance, forging a certificate chain for a MitM attack—once requiring manual key generation, CNF configuration, and signing—now involves a single command sequence. This not only accelerates operations but also mitigates errors, as scripts handle dependencies, error checking, and logging.
  31.  
  32. Deploying the Mobile Offensive Informatics Framework requires careful preparation to ensure compatibility and functionality on non-root Android devices. The following prerequisites are essential:
  33.  
  34. - Hardware and Software Requirements: An Android device running version 7.0 (Nougat) or higher, equipped with at least 2 GB RAM and 4 GB storage for userlands and outputs. Termux, the terminal emulator, must be installed—preferably the F-Droid variant (version 0.118 or later) to avoid Google Play Store limitations on package installations. No rooting is necessary, as PRoot circumvents this by simulating chroot environments.
  35.  
  36. - Package Dependencies: Termux's `pkg` manager must be accessible for installing core tools. Required packages include `proot` (for userland isolation), `proot-distro` (for streamlined distribution management), `wget` and `curl` (for downloads), `tar` and `coreutils` (for file operations), `openssl` (for cryptography), `sqlite3` (for database persistence), `findutils`, `util-linux`, `grep`, `sed`, `xxd` (for data manipulation), `dnsutils`, `inetutils`, `iputils-ping`, and `procps` (for networking and system monitoring). The framework auto-installs these via `pkg` during setup, but manual verification ensures reliability.
  37.  
  38. - Permissions and Storage: Grant Termux access to external storage via Android settings (Settings > Apps > Termux > Permissions > Storage). Allocate at least 1-2 GB free space for userland images (e.g., Ubuntu ~500 MB) and outputs. Bind mounts require this access to share directories between host and userland.
  39.  
  40. - Network and Connectivity: A stable internet connection is mandatory for downloading userland images, certificate chains, CRLs, OCSP data, and website content. Cellular data suffices, but Wi-Fi is recommended for larger downloads. Firewall or VPN configurations may interfere; ensure Termux can resolve DNS and perform HTTPS requests.
  41.  
  42. - Knowledge and Skills: While the framework minimizes expertise, basic familiarity with Linux command-line interfaces is beneficial. Understanding of PKI concepts (e.g., CAs, X.509 certificates), TLS (e.g., handshakes, extensions), and networking (e.g., DNS, HTTP) aids interpretation of outputs. However, automation handles most complexities, making it suitable for novices transitioning to advanced topics.
  43.  
  44. - Userland-Specific Additions: Within PRoot environments (e.g., Debian or Ubuntu), install `openssl`, `curl`, and `wget` via the distribution's package manager (`apt`). This ensures full functionality for PKI and TLS operations.
  45.  
  46. Failure to meet these prerequisites may result in errors, such as PRoot bind failures or OpenSSL command issues. The framework includes checks and auto-installation to mitigate this.
  47.  
  48. Installation of the Mobile Offensive Informatics Framework is streamlined for turnkey deployment, requiring minimal manual intervention. Follow these steps:
  49.  
  50. 1. Acquire Scripts: Download `userland_manager.sh`, `pki_manager.sh`, and `tls_downloader.sh` from the authors main account to Termux's `$HOME` directory. Use `wget` or `curl` if necessary: `wget https://example.com/userland_manager.sh`.
  51.  
  52. 2. Grant Executability: Execute `chmod +x userland_manager.sh pki_manager.sh tls_downloader.sh` to make the scripts runnable.
  53.  
  54. 3. Launch Manager and Auto-Setup: Run `./userland_manager.sh`. Upon startup, select "Run Auto Setup" (option 1) from the menu. This process:
  55. - Updates Termux packages via `pkg update`.
  56. - Installs prerequisites (e.g., `proot`, `openssl`).
  57. - Downloads default userlands (Ubuntu Focal, Debian Buster, Alpine) from URLs like GitHub's proot-distro repository.
  58. - Extracts and registers instances in `$HOME/.termux-proot-userlands/images/`.
  59. - Initializes SQLite database (`instances.db`) with tables for instance metadata (id, name, distro, path, bind_home, created_at).
  60. - Verifies userlands by executing commands like `uname -a` and parsing `/etc/os-release`.
  61. - Displays a tabulated list of installed instances.
  62.  
  63. 4. Configure Persistence: The config file `$HOME/.termux-proot-userlands/config.ini` stores settings (e.g., `AUTO_BINDS="/dev,/proc,/sys,$HOME:$HOME"`). Edit this for customizations.
  64.  
  65. 5. Integrate Extensions: From the manager menu, select "Enter Instance Shell (Fakeroot)" for a userland (e.g., Ubuntu). Inside:
  66. - Install dependencies: `apt update && apt install -y openssl curl wget`.
  67. - Copy PKI and TLS scripts: `cp /path/to/scripts/* .` (adjust paths via binds).
  68. - Initialize PKI: `./pki_manager.sh init`. This creates `$HOME/pki/` with subdirectories (root, intermediate, leaf, export) and generates root CA (4096-bit RSA, CN="Termux Root CA", validity 10 years) and intermediate CA (3072-bit, CN="Termux Intermediate CA", validity 5 years).
  69. - Test TLS: `./tls_downloader.sh https://example.com`. Outputs to `$HOME/target_output/`, including cert chains and JSON summaries.
  70.  
  71. 6. Post-Setup Verification: Run `./userland_manager.sh --verify ubuntu-focal` to confirm userland integrity. Check logs in `$HOME/.termux-proot-userlands/logs/manager.log` for errors.
  72.  
  73. Setup typically completes in 10-20 minutes, depending on download speeds. Logs and error files (e.g., `Act1.txt`, `error_log.txt`) provide diagnostics.
  74.  
  75. The framework's features are modular, with each script contributing specialized capabilities. Extensions from prior versions enhance forging, analysis, and integration.
  76.  
  77. Termux Proot Userland Manager
  78. - Auto Setup and Verification: Downloads and validates userlands; supports custom catalogs via `CATALOG_URL` array.
  79. - Instance Management: Create from catalog (e.g., select Ubuntu, name instance); list/export/import/delete with SQLite tracking.
  80. - Shell Access: Normal shell for basic ops; fakeroot (`-0` flag) for root-simulated tasks like certificate generation.
  81. - Customization: Set binds (e.g., expose `/dev` for hardware), proot flags (e.g., `--kill-on-exit`), and verify toggles.
  82. - CLI Integration: Flags like `--export <name> <file>` for automation; menu with arrow/number navigation.
  83. - Extensions: Generates Docker ISOs for userland deployment; creates rootfs archives for PKI integration.
  84.  
  85. PKI Manager
  86. - CA Hierarchy: `init` sets up root/intermediate with OpenSSL CNFs defining policies (e.g., loose for flexible DNs) and extensions (v3_ca with pathlen:1 for root).
  87. - Certificate Operations: `issue-server <CN> [SAN]` generates server certs (2048-bit RSA, SHA-256); `issue-client` for clients; outputs PEM/Base64/PKCS#12.
  88. - Forging and Manipulation: `sign-csr <csr> <type> [SAN]` signs external CSRs, enabling re-issuance of extracted certs with modifications (e.g., evil SANs for MitM).
  89. - Revocation and Validation: `revoke <cert>` updates index; `gen-crl` creates PEM/Base64 CRL; `verify <cert>` checks chains.
  90. - Cryptographic Tools: `gen-keypair <CN> [url]` creates RSA pairs, uploads pubs; `sign-data`/`verify-data` for integrity.
  91. - Connections: `connect <CN> <url>` tests mTLS; `setup-chain <CN> <url>` end-to-end: issues cert, generates keys, connects.
  92. - Security: Umask 077; chmod 700 on dirs; Base64 encoding for certs.
  93.  
  94. TLS Downloader
  95. - Target Processing: Accepts URLs/hosts; enforces HTTPS; extracts host/port.
  96. - Chain Extraction: `openssl s_client` with `-showcerts` grabs chains; awk splits into `cert_00.pem` (leaf), etc.; converts to DER.
  97. - Analysis: `openssl x509` parses subjects/issuers/serial/fingerprints; describes extensions (basicConstraints, keyUsage, SAN, etc.); verifies vs. Termux CA bundle.
  98. - Revocation Handling: Parses AIA for OCSP/CRL URLs; fetches CRL (DER to PEM); queries OCSP with issuer/cert.
  99. - Protocol Insights: Logs negotiated protocol/cipher/ALPN; captures HEAD/GET headers via `curl`.
  100. - Recon Features: Downloads robots.txt/sitemap.xml; optional `wget` crawl (recursive, depth-limited, rate-controlled).
  101. - Output Management: JSON with timestamps/targets/fingerprints/paths; SHA-256 hashes; logs/errors.
  102. - Options: `--insecure` skips validation; `--ignore-robots` for crawling; `--max-depth`/`--rate` for limits.
  103.  
  104. Integrated Extensions and Workflows
  105. - Certificate Copying: TLS extracts chains; PKI imports via CSR signing for replication.
  106. - Forging: Alter extracted certs (e.g., change CN) in PKI for impersonation.
  107. - Protocol Manipulation: Forge certs with weak extensions; test in userland for fuzzing.
  108. - Mobile Optimizations: On-device execution; export for cross-platform use.
  109. - Advanced Integrations: Docker ISO generation for VM deployment; key uploads for service auth.
  110.  
  111. Termux Proot Userland Manager
  112. - Structure: Shebang `#!/usr/bin/env bash`; sets `IFS=$'\n\t'`, `set -euo pipefail` for safety.
  113. - Globals: `WORKDIR="$HOME/.termux-proot-userlands"`; arrays for catalogs/URLs.
  114. - Functions: `log()` timestamps to file; `init_db()` creates SQLite table; `fetch_image()` downloads/extracts; `proot_cmd()` executes in userland.
  115. - Menu System: `draw_menu()` renders options; `read_key()` handles input; loop processes selections.
  116. - PRoot Mechanics: Args like `-r <rootfs> -b <bind>`; fakeroot adds `-0 --link2symlink`.
  117.  
  118. PKI Manager
  119. - Structure: Umask 077; mkdirs with perms.
  120. - CA Setup: `init_root()` generates key/cert with `openssl genpkey`/`req`/`ca`; CNF defines v3_ca.
  121. - Issuance: `issue_server()` creates CSR, signs with intermediate; adds SAN via extfile.
  122. - Forging: `sign_csr()` uses extfile for custom SANs; `revoke_cert()` updates index.txt.
  123. - Ops: `gen_crl()` calls `openssl ca -gencrl`; `verify_chain()` uses `openssl verify`.
  124. - Security: Private keys 600; exports Base64-encoded.
  125.  
  126. TLS Downloader
  127. - Structure: Banner with colors; logging to files.
  128. - Tools: `require_tools()` installs via `pkg`.
  129. - Args: `parse_args()` sets variables; `confirm_scope()` requires "AGREE".
  130. - Ops: `grab_tls_chain()` uses `openssl s_client`; `describe_certs()` parses with `x509 -text`.
  131. - Extensions: `extract_aia_crl()` fetches data; `crawler()` with `wget` flags.
  132. - Output: `write_summary()` JSON; `finalize()` logs completion.
  133.  
  134. Key Technical Insights: PRoot translates syscalls; OpenSSL handles crypto; scripts use timeouts/errors for robustness.
  135.  
  136. Usage Scenarios and Best Practices
  137.  
  138. - PKI Forging Lab: Extract certs from `https://bank.com`; forge with `sign-csr` for MitM testing.
  139. - TLS Recon: Analyze chain for weak ciphers; forge compliant certs.
  140. - Protocol Attacks: Simulate MitM with forged chains; crawl for vuln endpoints.
  141. - Mobile Offense: Pentest from phone; export results.
  142. - Best Practices: Fakeroot for ops; backup PKI; verify certs; ethical use; monitor logs.
  143.  
  144. Enhancement: Lowering Skill Levels for High-Value Attacks from Mobile Non-Root Platforms
  145.  
  146. The framework revolutionizes offensive informatics by automating elite tasks, enabling novices to execute high-value attacks. Traditionally expert-domain operations like PKI forging or TLS exploitation are now script-driven, reducing barriers on mobile devices. PRoot eliminates root needs, allowing smartphone-based attacks without specialized hardware. This democratization fosters accessibility, though it raises ethical concerns—operators must adhere to laws.
  147.  
  148. Disclaimer: For educational/research use only. Author Michael S. Errington disclaims liability for misuse. Comply with laws.
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!