Saturday, January 10, 2015

How to hack Android device using Metasploit

I've got in touch with the Metasploit framework, the well-known software for penetration tests (in other words, hacking) and whatnot. You can do a lot of funky stuff with it; here's a quick way to exploit an Android device using it.

For educational purposes only.

To do this, you'll need the Metasploit Framework (you can use Kali Linux as a workspace).
Basically, you create a backdoor APK file and send it to the device. The victim then opens and installs the file.

What happens next is that Metasploit starts a reverse handler along with a payload handler. It establishes the connection and launches Meterpreter. Meterpreter is a powerful tool with plenty of awesome functions. Let's check some of them right at the beginning.

  • shell
As the command suggests, this will launch a shell on the target. If the victim uses a Linux-based system, like Android, and it's rooted, you can easily take full control over the device. Using commands like su, rm /system and others will brick the device right away.

  • webcam_list
This command returns a list of all available webcams on the target.

  • webcam_snap
Takes a picture from the target and saves it to your disk (to your current workspace by default).

There are many more commands in Meterpreter, check HERE.

Back to hackz.

What we do next is execute msfpayload reverse_tcp with LHOST and finally create an APK file. When the APK file is created, we can send it to the victim or arrange it somewhere, spread it to the world and whatnot.

Then we do some more funky stuff and start the meterpreter session.
By using the sessions command, we can view active sessions (victim x attacker).

Using the command sessions -i [number of session] we open the active session and start using the Meterpreter commands listed above. Pretty easy!

And here's a quick YouTube video I found. Check it out for more information. Happy hacking!
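
From the defender's side, an APK delivered this way is installed by hand rather than through an app store, and the package manager records that. The following is an added example, not part of the original post: it parses the output of `adb shell pm list packages -i -3` and lists third-party packages whose installer is not a trusted store. The sample output is constructed, and the trusted-installer set is an assumption to adjust per device fleet.

```python
import re

# Assumption for this example: only the Play Store counts as a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -i` output: "package:<name>  installer=<name|null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample of `adb shell pm list packages -i -3` output.
SAMPLE_OUTPUT = """\
package:com.example.notes  installer=com.android.vending
package:com.example.flashlight  installer=null
package:org.example.reader  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending
"""


def parse_installers(output):
    """Return {package: installer}, with installer None when recorded as 'null'."""
    result = {}
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank lines and anything that is not a package record
        installer = match.group("installer")
        result[match.group("pkg")] = None if installer == "null" else installer
    return result


def sideloaded(output, trusted=TRUSTED_INSTALLERS):
    """Return sorted package names whose installer is missing or not trusted.

    The recorded installer for a manual install varies by Android version
    (no installer at all, or the system package installer), so anything
    outside the trusted set is reported for review.
    """
    installers = parse_installers(output)
    return sorted(pkg for pkg, inst in installers.items() if inst not in trusted)


if __name__ == "__main__":
    for pkg in sideloaded(SAMPLE_OUTPUT):
        print("review:", pkg)
```

A flagged package is not proof of a backdoor; it is a short list of apps that arrived outside the store and deserve a closer look.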
