OMG Cable - Android Reverse Shell - Payload & Detections
Вставка
- Опубліковано 13 січ 2022
- Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005
____________________________________________
SHOW NOTES:
Testing was done on out of box Android devices with default settings.
O.MG Cable: hak5.org/omg
Payload:
hak5.org/blogs/payloads/andro...
github.com/hak5/omg-payloads/...
____________________________________________
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community - where all hackers belong. - Наука та технологія
Amazing payload and appreciate covering the detections also!
Always top, thanks 👌🏼
Good stuff. I'm going to have to get one of these :)
Thats why one of the first things to do with a new android device, to toggle off data transfer via usb and just allow it for recharging, unless you actually need it. Just like with wlan on any "smart"-phone, toggle it off when not in use and unallow the automatic connection to any wlan-network even those you deem save. Does a lot for your personal and professional safety, with minimal effort and zero cost.
This isn’t using data transfer.
Uhm yes, you are totaly right, it uses peripheral usb access ... so toggle that off too.
@@hermesvoeglein535 now you’ve blocked the ability to do it with an external device. But with a bit more time someone can do it manually. Android really just needs to prompt for passcode for high risk activities, the same way iOS has done for years.
who needs a phone...my nokia 3310 hammer edition is doing well
@@simonstergaard Is Nokia the hardest phone in the world? The world's 'most indestructible phone' - Iconic Nokia 3310 is coming back.
Thanks guys
Magnificent...
Lit
Int80, what is the name of your band? Ah, got it at the end: "Dual-Core". Thanks.
Interesting
Appreciate the shout out!!
My boy 🖖🙏
Woo
Doesn't Android 12 show notification when you access camera or location ?
Does this payload bypass these security measures ?
Android 12 does, and I don't think this would do anything about that since they didn't account for that, but you could always add some code to go in their settings and turn that off so yeah
Hello, u make it all seem so easy, it's been 5 yrs, that my phone has been hacked, been through 100s of phone and changed providers but some how they hack into it and get into my my bank accounts and don't know how they hide their transactions, am tracked every move I make and continue to break into my home, text friends as well and become victims as well... Where can I go to get help with this issue as law inforcement seem not to be much help without proof
Omg!! What if you think you may have used a hacked charger?How do you find out on your phone and how do you get it off your phone?? What if you plugged the USB c into laptop and USB into chsrger?
dont u need to have usb debugging on in settings?
I have the same questions unless the apk can do that
does it still need to be connected to a computer for it to work or can you just have it plugged into a charger
2:45 in the video
@@O.MG-MG thank you
the cable is the computer
Where do you get the O.M.G. software? Is there an app to use once remote access has been achieved with the target device?
You use Hak5’s C2 service.
Shipping restrictions: I am in South Africa and i need a OMG cable for android. How do i bypass shipping restrictions to certain regions of the world. I dont even understand why shipping restrictions. Please help
What happened to Nullbytes he hasn't made a videos in a while
I'm okay
What if you have disabled Chrome. Does this still work?
Its not that simple if you are beginner. Firstly this will work only if you are in same network and if you are not in same network you need to set up a server which can be accessed publicly and send the data to server.
Setting up an internet accessible server should be well within the capabilities of someone doing security work.
@@O.MG-MG Linode anyone?
Hey, I've been a target by some psycho who's been using a cable and r.a.t against Me to ddoss and drain my assets and rob my house. Is there anyway to reverse the connection and use a honey pot from the infected device
How can you identify a OMG cable Android please?
Does anything of this work with turned off screen?
So this means a phone has to be unlocked to deliver the payload correct? Just plugging it in is not enough
yes
Yes it needs to be unlocked to inject the payload
If it was able to work while locked you may aswell use a rubber ducky the whole point of these cables are for the social engineering part of an attack like leaving this ordinary looking charging cable in a target building
How do you do it without showing the process on the phone? Like as a daemon
Is there any way to make remote control persistent? The connection will be lost every time the phone is turned off.
Thanks guys. Do anti malware apps help against these hacks
Mostly no, because the anti malware hat for itself very little privileges. Regular anti malware on mobile can't do much.
The omg cable mimics a keyboard so that's a big no. Just a natural feature for android to plug and play auto.
@@salpertia I second this. There's pretty much no way for devices to protect against HID attacks because the attack is literally used to mimic what a human would be doing on that device there's no way for the device to distinguish between human input or HID input. That being said if a hacker gets physical access you have been pwned the worst way possible
@@CokesAndTokes so.... not even updating the ios or doing a factory reset helps? its just a game over?
@LinguistsCorner 9 times out of 10 no, It's unfixable. Along as phones allow a keyboard to be connected this attack will remain a threat.
you write that script or came across it,.,,?>
I want to purchase one but it's price....
To be a HID does OTG have to be active?
Obviously yes
I am pretty possitive this is happening to my family can you please help us reverse it and make it stop please it's ruining my life
Does it matter if the phone screen is locked?
Hi guys I have the same cable as the one in the video. My one is the Plus, I should be able to save up to 200 payloads according to the website but on the device i can only save 7 does anyone know how to save more?
The plus does not offer 200 payloads. That is reserved for the Elite version that won't be out until next year.
i finally found that song from kanga
Can this be used to pull the userdata with root access?
unless the phone is rooted no you don't have root access in an android phone.
@@georgedhmosxakhs2498 i have tried rooting for an year but unsuccessful. Do you have way i could try
@@pranaythammineni256 One way to do it is by flashing TWRP recovery image into your phone and after that flashing through TWRP, Magisk root apk to install sudo command into your android device. If you are total beginner i will advice you not to do it, because you could damage your phone if you screw it up.
@@georgedhmosxakhs2498 not that beginner but i do have a spare phone. i want to learn rooting that phone soo
@@georgedhmosxakhs2498 actually am not able to unlock bootloader thats where am struck
Mr Robot style.
Is it possible to send commands to burn or or delete totally?
Yes u can
Is it illigal to buy it ?
this does not even touch the question what protocol the cable is using to manipulate the phone
It's just a HID style attack. You can plug a physical keyboard into an android phone and type commands to get the same result.
The payloads are posted for anyone who wants to step through every detail.
@@youtubegaveawaymychannelname Yeah but you can control it remotely... That's the difference.
that music tho whats the name ?
Dual Core - Fear & Chaos
ua-cam.com/video/ra0HChk1oEc/v-deo.html
These people are evil and should be sentenced to 10 years in federal prison
Lolwut?