Can we hack an unrooted device using a Metasploit payload? Full explanation in 2021

Realone

Hello everybody, and in this post I will show you how you can actually automate the entire process of hacking unrooted Android and iOS devices.

So yes, we can hack an unrooted device by using a Metasploit payload.

Let's start.

installing tool

Right now let's see what we can do with the Android attacks, for example. So I just open up my terminal first and type in the root password. And what I want to do right now is go to Firefox. So just open up your Firefox. The tool is called venom I believe, or something like that. I already have it installed so I will not install it, but I will show you where you can get it. It is on GitHub. So you just do this simple git clone and then the link .git, and you just run the program. It is very simple. So, venom github right here, and you go to the first link as it says right here, github venom Metasploit shellcode generator. It is a very simple tool to use. So just copy the link and git clone it to your directory.

permissions

As we can see, download/install. The first thing you need to do is git clone this link right here, then set the files' execution permissions. So first change directory to venom, and then sudo chmod -R +x *.sh. This star right here stands for all .sh files. And also do that for the Python files. If you do not have the dependencies installed you can run ./setup.sh, and then after that you can run the main tool.

shell code generator

So, if you do not have all the dependencies installed and if the files you downloaded are not already executable, you need to follow these four steps. Or basically these three steps. The fourth one is just running the tool. So, once you do that, you should be good to go. Let me just find where I downloaded it... or we can just locate venom, simple as that. So locate venom...or maybe it's not. Okay, so it is in PythonFiles. Okay, so cd home/user/Desktop/PythonFiles/venom. So, here you will have these same files right here. If you already ran the entire installation process, all you need to do is run this venom.sh file. So you do that with ./venom.sh, and this will open up the shell code generator.

 IP address

Now the first thing that it will ask you is to input your IP address. Now, if you do not know your IP address you can just check it with ifconfig. I know mine, so it is 192.168.1.65, press enter, and it will open this welcome box right here with the banner. Press enter to continue, we press enter. It will ask us which shellcode we want to generate. Now as we can see right here it doesn't only generate the Android and iOS payloads, you can also generate the Linux, Windows and multi-OS payloads. Now since we already covered all of the other ones, we will just cover the Android and iOS ones. So just click here 4 which stands for basically both of these. So just click 4 as a category number. It will say loading Android | iOS agents.

Msfconsole

Now since I don't have an iOS mobile phone with me, I will go with the Android attack. So choose agent number, agent number 1 is the Android, so just type 1 here. It will ask you for your IP address once again since it is specifying it in the meterpreter as the LHOST, which is your listening IP address, which in my case is 192.168.1.15. And right now we specify the listening port to be for 444. And the payload output name, example shell code. So we can name it anything we want. Let's just name it as they say, so shellcode. And this will open up this shell code generator which will generate the shell code for us. As we can see, some of these settings down below are the LPORT and LHOST that we set, and the payload that we use is android/meterpreter/reverse_tcp.

 Metasploit framework 

Now you might notice that you can actually use this payload in the Metasploit framework as well. So you do not have to automate this process with this tool if you do not want to. It is just a lot easier since it does everything for you. You can create the payload with msfvenom, and then run the multi handler as a listener on your Metasploit framework console, and perform the same steps as we did with the Windows exploits, for example. So you just set these options right here, and check the payload to be android/meterpreter/reverse_tcp. So, let's see what it tells us right here. Payload stored in home/user, okay so it made our shell code. It is in this directory right here as shellcode.apk, which is basically the application which is going to run on our Android device. So the question right here is, do we want to set up a multi handler by default, or an Apache 2 malicious URL. So what we want to do is basically set up Apache 2. Or you can go with the multi handler as well. I will go with Apache 2 right now, and it will start up our listener by default. As we can see right here it set all the options, the LHOST, the LPORT, the android/meterpreter/reverse_tcp, and it has started the reverse_tcp handler on 192.168.1.65, which is my IP address.

payload ready ( shellcode.apk )

So if we go right here and visit my Apache 2 on my IP address, my Apache 2 web server, so 192.168.1.65, and we go right here, as we can see, as soon as I typed in my IP address, it asks me to download the shellcode.apk file. Now of course I will not download it on my laptop since it won't really work, but we can see that the download is automated. So as soon as you visit this, the process of downloading is automatic. So, you can basically spoof the local area network and make everyone redirect to this page, and maybe some of them will actually download this program. But that is not that smart of an attack. So let us actually, I will now open, oops, I will now open the application from my mobile phone. So let me open up my mobile phone. I will type in the IP address, I will visit it, and as soon as I do it says this type of file can harm your device. Do you want to keep shellcode.apk? Now maybe if you were able to perform some social engineering attack, maybe they will click OK here, and shellcode.apk is downloaded in home.

testing payload 

Now you can't see what I am doing on my mobile phone, but currently I am downloading the application. Now the most suspicious part right here is when it asks, do you want to install this application? It will get access to modify system settings, take pictures and videos, modify your contacts, read your contacts, access all of the stuff, record audio, read your text messages, modify or delete the contents of your SD card, directly call phone numbers. So that is everything that we can do with this application. And if they click install, and install the application, it will say that the mobile phone doesn't recognize the producer of this application. You just click OK and open the application. And as we can see, as soon as I clicked open we got the meterpreter session 1 open. So, in order to check out what your available options are with the Android payload, you just type here, whoops not getuid, you type here help. Let us enlarge this window so we can see it a little bit better, and you can see we get some additional components, we get more options than in the previous exploit, such as check root, dump call log, so we can get the call log. Dump contacts, dump SMS, we can read all of the SMS messages.

Geolocate, send SMS. So we can actually send SMS. If you just type right here send_sms, it will tell you the syntax for sending the SMS. So the send_sms -d for the destination number, so just select the destination number, and -d for the target number. So you can actually send the SMS message from that phone to someone. And this is the -t for the SMS body text, as it says right here, so this is the message itself. You can also play the audio, which we can do on Windows as well, and all of this is the same as before. Grab screenshot, shell execute, getuid, so you can see that I really am on a mobile phone. As we can see, server user name, this is the name of the mobile user currently. And you can do all of this stuff if you wanted to. You can record microphone, you can go into shell, local time, so basically these are the important commands, or the new commands, that we didn't cover.

These are the same as in other exploits. As we can see, the Android commands are right here, and you might want to actually check out some of these. We will not be actually going through them, there is really no point. You just click here the name of one of those, and it will give you the syntax to run it, and you just run that. So, that would be about it for this venom.sh tool. I hope you enjoyed it, and I hope I see you in the next tutorial. Bye!
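From the defender's side, the install prompt described above is the clearest warning the device gives. The following is an added example, not code from this post or from the venom project: it scores the output of `aapt dump permissions <apk>` against the capabilities that prompt lists. The mapping from prompt wording to manifest permission names, the sample outputs, the package names and the threshold of 5 are all assumptions made for illustration.

```python
import re

# Assumed mapping: manifest permission -> capability named in the install prompt above.
PROMPT_PERMISSIONS = {
    "android.permission.WRITE_SETTINGS": "modify system settings",
    "android.permission.CAMERA": "take pictures and videos",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_CONTACTS": "modify contacts",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete SD card contents",
    "android.permission.CALL_PHONE": "directly call phone numbers",
}

# Accepts both aapt styles: "uses-permission: name='X'" and "uses-permission: X".
PERM_LINE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(aapt_output):
    """Return the set of permission names found in `aapt dump permissions` text."""
    perms = set()
    for line in aapt_output.splitlines():
        m = PERM_LINE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms

def triage(aapt_output, threshold=5):
    """Flag an APK that requests `threshold` or more of the prompt's capabilities."""
    requested = parse_permissions(aapt_output)
    hits = sorted(PROMPT_PERMISSIONS[p] for p in requested if p in PROMPT_PERMISSIONS)
    return {"capabilities": hits, "score": len(hits), "flag": len(hits) >= threshold}

# Constructed sample: an unknown app asking for everything the prompt listed.
SAMPLE_BROAD = "\n".join(
    ["package: com.example.unknown", "uses-permission: name='android.permission.INTERNET'"]
    + [f"uses-permission: name='{p}'" for p in PROMPT_PERMISSIONS]
)
# Constructed sample: a narrow app, second line in the older aapt output style.
SAMPLE_NARROW = """package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: android.permission.INTERNET"""

if __name__ == "__main__":
    for name, sample in (("broad", SAMPLE_BROAD), ("narrow", SAMPLE_NARROW)):
        print(name, triage(sample))
```

A high score is a triage signal, not a verdict: messaging or backup apps legitimately request several of these permissions, so combine it with the app's source and signer.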
