[00:00:00] Instructor: Welcome back. So we managed to hack the Android device. In the previous video, you saw that it isn't really practical unless the target really wants to download that application, but we will leave that on the side of social engineering. We successfully hacked it using our payload. Now we want to see a different method that we can use in order to infect the Android device. Now to do this, there is one cool tool that we can download which is called Evil Droid. It pretty much automates everything that we did in the previous video for us. In case you're lazy, you can just run the Evil Droid tool and it'll perform the payload creation, setting up of the server, and all of that by itself. So let's see how that would work. If I go and open Firefox and I simply just type Evil Droid in my search bar, the first thing that should pop up should be a GitHub link. We want to click on that, and as usual we want to download this tool through GitHub. In order to do that, we're going to copy the link, and once we copy the link, we want to go to our desktop and type git clone and then the link name, press enter.
[00:01:15] This will download the tool for us, and once it downloads, we're going to check out what are the files that we get with this tool. So let's right away change the directory to this tool and type ls. So we have the changelog, we have the actual tool right here. We have something called icons, and that is something that we're going to check out later. We have readme.md and we have the tools right here. So I'm not sure if this evil droid is an executable file. Let's give it a try. It says permission denied, so it might actually require root privileges in order to run. Let's try it with sudo: sudo and then evil droid, enter the root password, and it will tell us Command not found. Let's first try to make this an executable, and if I type ls once again, now it's changed colors, so let's try to run it with sudo privileges. Once it starts, it'll tell us checking for internet, it is connected, it'll check for dependencies, and if there is anything or any tool that it needs but that it couldn't find, it is going to install it by default, so you don't really have to do anything.
[00:02:30] As you can see, we are missing this aapt and it is installing it for us. Let's wait for a few seconds in order for this to finish, and once it finishes it should prompt you with this window right here that says Execute framework and services. We want to click here, Yes, and this will start the Apache2 service for us, and it'll start the PostgreSQL service also for us. The Apache2 is used in order to transfer the payload the same way we did in the previous video, and the Postgres is used in order to load the MSF console exploits and payloads faster. Once we click on that, it will lead us to the main menu. So we have a couple of options right here. We have the option to create the application or the APK file with the MSF one, which is MSF. We have the option to backdoor APK original with the old method and to backdoor APK original with the new method. We can bypass antivirus APK with the help of Icon Change, but most of the Android devices don't even have an antivirus, so you can try this on your own just to see how it would look like with the payload having the icon changed.
[00:03:43] After that, we can start the listener for our payload, and we can clean all of the files that we created using the C command. So what we're going to try this time is we're going to just create the regular payload. It'll automatically find our IP address and it'll print it right here. We want to click on OK. Keep in mind that it also gives you your public IP address in case you want to actually infect the device over WAN, but this time we are still attacking a target inside of our local area network. So I'm just going to click on OK. The port, I'm going to type it to be 5555, and I'm going to name the payload Evil APK. Let's just leave it on that and click on OK. Now, the next option that it gives us is which type of payload we want to create. Keep in mind, all of these payloads are Android payloads, so you can just give it a try for each and every one of them. I'm just going to go with the regular Android Meterpreter reverse TCP, the same one that we used before. All of these others would work as well, so if you want to create another one, you can give it a try.
[00:04:50] Once you select the payload, click on OK, it'll generate the payload and it'll do all of these things automatically. Once it creates the payload, it'll give us an update right here that the APK payload was created under this location right here. Let's click on OK, and after that it gives us an option to choose whether we want to start the multi handler with MSF Console. With the help of this tool, it'll do all of these things automatically, so let's just click on OK. It'll load up our multi handler, and while it does that, what we're going to do with the help of a second terminal is we're going to navigate back to slash home slash mr hacker slash desktop, then change to the Evil Droid application, and here we're going to have our payload right in this directory. So let's change it to Evil APK, type ls, and here is our payload. Let's move the payload to our Apache2 web directory, so sudo mv and then Evil APK to /var/www/html. Okay, once that is done, let's go back to our Evil Droid, and here we can see that our multi handler set up the reverse connection for us automatically. Let's go and download the payload.
[00:06:09] We do it the same way that we did in the previous video, and hopefully, if we did everything correctly, we should have a connection back inside of our MSF console. Let's load the page. Let's refresh the page, and here is our evilapk.apk file. Let's run it. We want to download it, open it as usual. We want to go through the steps and install the payload on the Android device. Let's click on open, and if we go back, here is our Meterpreter connection. Now let's give a try to the command that crashed our connection in the last video, which is app_list, and this time it actually works. We can see a list of all of the applications that are installed on this Android device, and we can also use these other commands in order to run some of the applications, or in order to install or uninstall a certain application. If we go and type, for example, check_root, it will tell us device is rooted, but of course this is just a virtual machine, and you can test all these commands also on an Android device in case you have one.
[00:07:34] Nonetheless, we performed a second way of attacking the target, and in the next video we're going to see an advanced way of tricking the user into installing our application. We're going to inject our payload into another application and make it execute that way.