hello , now i reached the point of having a live meterpreter to the victim's phone , can i access their photos and download it ?
and can i access passwords ( facebook / instagram ) or anything like that , and if not , can i plant a keylogger or something alike into their phone so i can achieve the same results of getting passwords ?
and 2 more questions , does " download " command need " rooted android " to work ? cause it keeps give me an error but it dosent give an error when uploading .
is there is anyway to extract whatsapp messages/media without root ?
all mentioned above without root , sorry for being talktive and thanks alot for listening to a noob beginner :)
9 Responses
Do you know how it works? Because I can say "yes" to some of your questions.. You should read about metasploit and iphone devices.
yeah i do know how it works but im having troubles with it , and im hacking android not iphone devices ( i think its impossible to hack an iphone probably ) but which of my questions you can say yes to ?
and can you refer me any articles that would help ?
Since Android is a Linux derivative, you can use nearly any Linux command.
ABDO whats why I was asking you if you knew how it works
i have read guys but i still didnt get any answer to my questions .
You dont need root for most android meterpreter commands. There's also documentation for most of them up on the web if you dig a little.
Yes, you can download pictures and any file on the phone's storage by using the "download" command as you have been. If you know how to traverse the linux directory structure via command line, you can do the same in the meterpreter shell (as OTW said, Android is basically linux).
Passwords, of any kind (especially sites like facebook), are not stored on the device, so you wont be able to dump them. For future learning, I would suggest you develop a basic understanding of how authentication works in different contexts (local hashes vs. web-application server-side hashes etc).
Keylogging functionality is not yet a feature of the android meterpreter command set like it is in the Windows one. You'll have to code your own or depend on other utilities for that one.
I'm not personally familiar with how whatsapp media is stored, but if its local you can dump it. I vaguely remember dumping whatsapp texts a bit ago with "dumpsms" (but I may be wrong).
Your go-to's for most android meterpreter commands will probably be:
dumpsms
dumpcontacts
dumpcalllog
webcamlist
webcamsnap
recordmic
Remember, search engines are your friend.
thank you so much , but can i ask you , what if i infected two or more devices with my malicious apk , when i set the listener , which will work and which wont if both of them are on ? this part is just kinda confusing , thank you again.
EDIT : when i try to download a photo , it always gives me an error of operation failed , while other commands work well . ???
Setup separate VM servers to listen for each target (one per victim).
If you can't download the photo, I'm afraid you're SOL for that particular device. Some commands will work on some, and not on others. There's no privilege escalation functionality built-in to the android meterpreter (and even if there was, it would be patched in a second).
As you progress and hit roadblocks like these, you'll soon realize how limiting it is to rely on frameworks. They have their uses and can be really convenient, but think of it this way: the easier it becomes to attack something, the easier it becomes to defend against. The road to greatness is paved with hours and hours of coding. Get to it.
Happy hacking
That was gold!
Share Your Thoughts