Full Report
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3, making it a powerful Wifi hacker app. It offers a simple and easy UI to use these tools without typing commands in a console or copying and pasting MAC addresses. Features of Hijacker Reaver For Android Wifi Hacker App […]
Analysis Summary
# Tool/Technique: Hijacker (Reaver For Android Wifi Hacker App)
## Overview
Hijacker is a native Graphical User Interface (GUI) application for Android that bundles several powerful Wi-Fi auditing and hacking tools, including Reaver, components of the Aircrack-ng suite (Airodump-ng), and MDK3. Its primary purpose is to simplify complex wireless attacks by providing an easy-to-use interface, eliminating the need for manual command-line entry and for copying MAC addresses by hand.
## Technical Details
- Type: Tool (Hacking Utility/Framework Wrapper)
- Platform: Android (Requires ARM architecture, custom firmware/drivers like Nexmon or bcmon, and root access)
- Capabilities: Wi-Fi information gathering, WPS cracking (Reaver), denial of service (MDK3), packet capture, and password cracking support.
- First Seen: January 3, 2018 (Date of article publication referencing the tool).
## MITRE ATT&CK Mapping
Since Hijacker is an offensive security/hacking tool designed to exploit external networks, the mapping focuses on Reconnaissance, Impact, and Credential Access related to wireless infrastructure.
- **TA0043 - Impact**
  - **T1486 - Data Encrypted for Impact (Potential Indirect)**: The tool does not encrypt data, but its denial of service attacks prevent legitimate access to the network.
  - **T1498 - Network Denial of Service (DoS)**
    - **T1498.002 - Service Denial**: Utilizing MDK3 Beacon Flooding and Authentication DoS.
- **TA0048 - Inhibit System Recovery** (Related to DoS disrupting network availability)
- **TA0046 - Collection**
  - **T1560 - Archive Collected Data**: Saving captured packets in `.cap` files.
  - **T1564 - Hide Artifacts**: Running the application in the background.
- **TA0001 - Reconnaissance**
  - **T1595 - Active Scanning**: Scanning for BSSIDs, SSIDs, and associated clients.
    - **T1595.003 - Network Service Scanning**: Identifying active access points and their capabilities.
## Functionality
### Core Capabilities
- **Information Gathering:** Viewing nearby access points (APs) and stations (clients), including hidden ones. It gathers statistics, reads beacon packets, identifies manufacturers via OUI lookup, and monitors signal strength.
- **Packet Capture:** Ability to save captured Wi-Fi traffic into `.cap` files for later offline analysis/cracking.
- **WPS/WEP Cracking Prerequisites:** Capturing WPA handshakes or gathering Initialization Vectors (IVs) needed for WEP cracking.
### Advanced Features
- **WPS Attacks:** Execution of **Reaver for Android**, specifically supporting the **pixie-dust attack** (requires NetHunter chroot and external adapter).
- **Denial of Service (DoS):** Utilizing MDK3 for:
  - **Beacon Flooding:** Broadcasting numerous fake SSIDs.
  - **Authentication DoS:** Targeting specific or all nearby APs to disrupt connections.
  - **Client Deauthentication:** Forcibly disconnecting clients from a target network.
- **Automated Monitor Mode:** Includes management utilities (such as the Nexmon drivers for the BCM4339) to automatically enable and disable monitor mode on the wireless adapter.
- **Offline Cracking Integration:** Ability to crack captured `.cap` files using a local wordlist.
- **User Experience Enhancements:** Clipboard integration for MAC addresses, persistent alias settings for devices, and background operation with optional notifications.
## Indicators of Compromise
*Note: As this is a legitimate, though offensively-used, open-source tool, IOCs are generally file-based or behavioral rather than fixed network indicators.*
- File Hashes: (Not provided in the article, but the APK is `Hijacker-release-v1.4-stable.3.apk`)
- File Names: `Hijacker-release-v1.4-stable.3.apk`, `Hijacker-v1.4-stable.zip`
- Registry Keys: N/A (Android application)
- Network Indicators: N/A (Tool operates locally, but captured traffic could be analyzed later)
- Behavioral Indicators:
  - Launching of associated binaries (Aircrack-ng, Reaver, MDK3) from a non-standard location (e.g., within the app's sandboxed directory).
  - Excessive wireless traffic associated with beacon flooding or deauthentication frames.
  - System requests for root privileges upon startup or execution of core functions.
## Associated Threat Actors
The article does not explicitly name sophisticated threat actor groups. This tool is primarily associated with penetration testers, security researchers, and individual hackers utilizing Android platforms for recreational or practical Wi-Fi auditing/hacking activities.
## Detection Methods
- **Signature-based detection:** Detection of the known APK by file name or hash (the file name is `Hijacker-release-v1.4-stable.3.apk`; the hash is not provided in the article).
- **Behavioral detection:** Monitoring for applications requesting root access for intensive network stack manipulation or for processes executing command-line utilities like `reaver` or `mdk3` outside standard security tool locations.
- **YARA rules:** Custom YARA rules could target strings or binary structures unique to the bundled tools within the application package.
## Mitigation Strategies
- **Prevention Measures:** Ensure Android devices used for production or sensitive operations do not have root access.
- **Hardware Security:** Limit the use of vulnerable chipsets (like BCM4339/BCM4330), or ensure drivers are strictly controlled if monitor mode is required.
- **Configuration Hardening:** Disable WPS on all network infrastructure, as this attack vector is central to the tool’s functionality (Pixie-Dust/Reaver).
- **Network Monitoring:** Employ WIDS/WIPS solutions that flag high rates of deauthentication or disassociation frames aimed at legitimate clients.
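The behavioral and network-monitoring detections above (bursts of deauthentication/disassociation frames, beacon floods advertising many fake SSIDs) reduce to rate checks over decoded 802.11 management frames. The following is an added example, not code from the article or the Hijacker project: a fixed-window detector over constructed frame records of the shape a WIDS sensor or a parsed capture would yield; the thresholds and the record layout are assumptions chosen for illustration.

```python
from collections import defaultdict

# IEEE 802.11 management-frame subtypes (frame type 0)
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def detect_floods(frames, window=1.0, deauth_threshold=20, beacon_threshold=15):
    """Return flood alerts from decoded management frames.

    frames: iterable of (timestamp_s, subtype, src_mac, dst_mac, ssid).
    Deauth/disassoc alert: more than deauth_threshold frames claiming the same
    source MAC inside one window. The source is keyed as *claimed* because a
    deauth flood spoofs the AP's BSSID, so the alert names the AP being abused.
    Beacon-flood alert: more than beacon_threshold distinct (BSSID, SSID) pairs
    seen inside one window, which a real office airspace rarely reaches.
    """
    deauth = defaultdict(int)   # (bucket, src_mac) -> frame count
    beacons = defaultdict(set)  # bucket -> {(bssid, ssid)}
    for ts, subtype, src, _dst, ssid in frames:
        bucket = int(ts // window)
        if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            deauth[(bucket, src)] += 1
        elif subtype == SUBTYPE_BEACON:
            beacons[bucket].add((src, ssid))
    alerts = []
    for (bucket, src), n in sorted(deauth.items()):
        if n > deauth_threshold:
            alerts.append(("deauth_flood", src, bucket * window, n))
    for bucket, nets in sorted(beacons.items()):
        if len(nets) > beacon_threshold:
            alerts.append(("beacon_flood", None, bucket * window, len(nets)))
    return alerts


def sample_frames():
    """Constructed sample (not a real capture): one legitimate AP beaconing at
    10 Hz for 10 s, a single benign deauth at t=2.3 s, a 30-frame broadcast
    deauth burst at t=5 s, and 40 fake SSIDs beaconed within 0.4 s at t=8 s."""
    ap, bcast = "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff"
    frames = [(i / 10, SUBTYPE_BEACON, ap, bcast, "CorpWiFi") for i in range(100)]
    frames.append((2.3, SUBTYPE_DEAUTH, ap, "11:22:33:44:55:66", None))
    frames += [(5.0 + i * 0.02, SUBTYPE_DEAUTH, ap, bcast, None) for i in range(30)]
    frames += [(8.0 + i * 0.01, SUBTYPE_BEACON, f"02:00:00:00:00:{i:02x}", bcast,
                f"Free-WiFi-{i}") for i in range(40)]
    return frames


if __name__ == "__main__":
    for alert in detect_floods(sample_frames()):
        print(alert)
```

The single deauth at t=2.3 s and the steady 10 Hz beacons stay below threshold, so only the burst and the fake-SSID flood are reported (the beacon count in that window is 41 because the legitimate AP is counted alongside the 40 fakes).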
## Related Tools/Techniques
- **Reaver:** Core WPS cracking utility bundled within Hijacker.
- **Aircrack-ng Suite:** Includes Airodump-ng for packet sniffing.
- **MDK3:** Used extensively for denial of service and basic Wi-Fi manipulation.
- **Nexmon/bcmon:** Custom firmware/drivers required to enable monitor mode on Android's internal wireless chipsets, crucial for operating Hijacker.
- **Wifite:** Referenced as an alternative mass cracking tool.
- **Fern Wifi Cracker:** Referenced tool.
- **Infernal Twin:** Referenced tool.