1
00:00:00,340 --> 00:00:06,140
In this video, I'd like to show you how to embed evil code into Android apps.
2
00:00:06,240 --> 00:00:12,880
So that when the app is executed on an Android device, the user will see a normal app or normal game
3
00:00:12,880 --> 00:00:17,480
that they can use but at the same time our backdoor will run at the background
4
00:00:17,660 --> 00:00:22,820
and will have full control over that Android device, whether it's a phone, a tablet
5
00:00:22,920 --> 00:00:24,660
or anything that runs Android.
6
00:00:25,240 --> 00:00:30,480
Now doing this is actually not very hard and the first step is you want to go
7
00:00:30,480 --> 00:00:34,700
and download the application that you want the target person to see,
8
00:00:34,880 --> 00:00:38,340
so you want to social engineer them to install that application.
9
00:00:38,540 --> 00:00:44,260
You can use any application you want, so you can just use an application for a restaurant, for example,
10
00:00:44,400 --> 00:00:48,420
and then social engineer your target to install that app to get a certain offer
11
00:00:48,880 --> 00:00:53,340
or you can just backdoor a game and then pretend to be the target person's friend
12
00:00:53,500 --> 00:00:57,040
and send them that game saying, "Oh, look at my new app or new game."
13
00:00:57,820 --> 00:01:02,320
I'm going to go to this website which is called apkmirror.com to download my apk.
14
00:01:02,400 --> 00:01:06,240
Now there's a lot of websites that allow you to do that, but I choose to use this one
15
00:01:06,720 --> 00:01:10,760
and I'm gonna look for a very simple game called Flappy Bird and you've probably heard of it.
16
00:01:14,240 --> 00:01:17,280
You can see I have the game in here, I'm gonna click on it
17
00:01:18,180 --> 00:01:21,480
and then I'm gonna scroll down and download the apk.
18
00:01:26,100 --> 00:01:29,580
I'm going to click OK to save it and that's it, it's saved for me.
19
00:01:29,880 --> 00:01:31,800
So, I'm gonna close this
20
00:01:33,140 --> 00:01:39,900
and if I go to my files, you'll see I'm in my Downloads already and I can see the file right here.
21
00:01:40,460 --> 00:01:45,080
Now I'm going to rename this and I'm just gonna call it 'flappy bird'.
22
00:01:47,060 --> 00:01:48,440
Okay, now this is all good.
23
00:01:49,260 --> 00:01:52,000
Now we can go ahead and generate our backdoor.
24
00:01:53,480 --> 00:01:58,500
We can use TheFatRat to do that and we've seen how to install and use TheFatRat before,
25
00:01:58,920 --> 00:02:04,860
but before I do that you need to configure Kali to use Java 8 by default
26
00:02:05,460 --> 00:02:10,420
because by default Kali will use the latest version of Java available
27
00:02:10,660 --> 00:02:17,080
and the latest version cannot be used to recompile the backdoor that we're going to create.
28
00:02:17,900 --> 00:02:25,460
So to change the default version of Java used by Kali you need to type 'update-alternatives'
29
00:02:25,960 --> 00:02:30,980
and we're going to say I want to 'config' the 'java' version,
30
00:02:31,640 --> 00:02:32,780
so I'm gonna hit Enter
31
00:02:33,900 --> 00:02:38,900
and as you can see it can list all the Java versions available in Kali Linux
32
00:02:39,460 --> 00:02:46,280
and as you can see we have a star beside the auto mode, which will choose Java 10 by default.
33
00:02:48,400 --> 00:02:55,300
So what I want to do is I'm going to enter number two to set Kali to use Java 8 by default.
34
00:02:55,960 --> 00:02:59,780
So, all we're gonna do is just enter number 2 and hit Enter.
35
00:03:00,880 --> 00:03:03,980
This will configure Kali to use Java 8 by default
36
00:03:04,100 --> 00:03:10,000
and this way we'll be able to use Kali to decompile the existing apk that we just downloaded
37
00:03:10,220 --> 00:03:15,740
and then inject a backdoor into it and recompile it to an 'apk' again.
38
00:03:17,000 --> 00:03:20,200
Now TheFatRat is going to do all of this for us, like I said.
39
00:03:20,580 --> 00:03:27,460
So, I'm going to navigate to the directory where I have it installed, which is /opt/TheFatRat
40
00:03:29,000 --> 00:03:33,440
and then we're gonna run it as usual by doing ./fatrat.
41
00:03:38,300 --> 00:03:43,700
Now, I want to generate an Android backdoor, so that's going to be number five here
42
00:03:45,880 --> 00:03:51,980
and the first thing it's asking me for is my IP address; as you can see it's automatically suggesting
43
00:03:51,980 --> 00:03:54,720
that my IP address is this, which is correct.
44
00:03:55,140 --> 00:04:00,560
If you're not sure about your IP address, you can split the screen, run 'ifconfig' and see the IP
45
00:04:00,660 --> 00:04:01,940
and we've seen this before.
46
00:04:02,600 --> 00:04:08,020
And you can probably notice that my IP right now is different than the NAT network IP.
47
00:04:08,400 --> 00:04:15,220
This is because I'm going to be targeting an Android device connected to my Wi-Fi network.
48
00:04:15,740 --> 00:04:23,520
Therefore, I set my network settings, so if we go here, go to Devices, go to Network
49
00:04:23,520 --> 00:04:30,540
and click on network settings, you'll see I have the network settings set to use a bridged adapter.
50
00:04:31,160 --> 00:04:37,340
So, basically what I have right now is my host machine and my target Android device
51
00:04:37,340 --> 00:04:45,020
both connected to the same Wi-Fi network, and this virtual machine, Kali, is set to use a bridged adapter.
52
00:04:45,020 --> 00:04:50,680
That's why it's getting an IP that is within the subnet of the Wi-Fi network
53
00:04:50,680 --> 00:04:56,160
and this way I'll be able to hack any computer connected to my Wi-Fi network.
54
00:04:57,360 --> 00:05:01,200
Now, you can also run this attack and all the other attacks that you've seen so far
55
00:05:01,200 --> 00:05:04,140
on computers connected to different networks,
56
00:05:04,560 --> 00:05:07,240
but we're going to talk about that later on in the course.
57
00:05:07,440 --> 00:05:12,520
For now, we're just gonna focus on hacking computers connected to the same network
58
00:05:12,520 --> 00:05:14,140
or to the NAT network.
59
00:05:15,320 --> 00:05:20,700
So I'm gonna put the IP as shown in here, which is 192.168.0.38,
60
00:05:22,380 --> 00:05:28,680
then it's asking me for the port that I want to use on my payload and I'm gonna set this to '8080'.
61
00:05:30,080 --> 00:05:33,860
Now, it's asking me for the app or the game that I want to backdoor
62
00:05:34,300 --> 00:05:41,000
and as we've seen before this is in my Downloads and it's called flappybird.apk
63
00:05:42,540 --> 00:05:48,420
So we're gonna set the path root/Downloads/flappybird.apk.
64
00:05:49,380 --> 00:05:54,660
I'm gonna hit Enter and it's going to ask me what payload do I want to use,
65
00:05:55,040 --> 00:06:00,380
we're going to use android/meterpreter/reverse_http, so I'm gonna put number 1,
66
00:06:02,660 --> 00:06:07,780
then it's gonna ask me for the method that it should use to backdoor the apk
67
00:06:08,020 --> 00:06:10,980
and we're going to use number one for the latest method
68
00:06:11,720 --> 00:06:17,780
and now TheFatRat is going to first of all create an 'apk' backdoor, decompile the app,
69
00:06:17,860 --> 00:06:24,520
decompile the backdoor, inject the app into the backdoor, sign the new backdoored app
70
00:06:24,520 --> 00:06:30,520
and then generate an apk that when executed it'll run the apps that we selected,
71
00:06:30,800 --> 00:06:35,380
but at the same time it'll run our backdoor in the background.
72
00:06:36,640 --> 00:06:42,500
So now the backdoor is generated and as you can see it's giving us the path where the backdoor is stored.
73
00:06:43,300 --> 00:06:48,080
So I'm gonna copy this and then it's asking me if I want to start the listener
74
00:06:48,360 --> 00:06:51,140
and I'm gonna say no because I'm gonna do this manually.
75
00:06:52,080 --> 00:06:53,140
So, that's it we're done.
76
00:06:53,140 --> 00:06:58,420
I'm gonna hit Enter and I'm gonna enter '17' to exit TheFatRat.
77
00:07:00,500 --> 00:07:07,400
Now, I want to copy the backdoor that we just generated to my evil files directory,
78
00:07:07,560 --> 00:07:12,840
but I also want to rename it so we know we can use the 'cp' command to copy,
79
00:07:13,240 --> 00:07:19,080
but we can use the 'mv' command to move, so we're going to move a file to another place
80
00:07:19,080 --> 00:07:20,980
and rename it in the process.
81
00:07:21,520 --> 00:07:28,940
So the file that I want to move is stored in here and it's called app_backdoor.apk
82
00:07:29,640 --> 00:07:37,660
and first of all I want to move this to my var/www/html/evil-files
83
00:07:37,660 --> 00:07:41,740
and I want to call it flappybird.apk.
84
00:07:43,240 --> 00:07:47,580
So, the syntax of this command is very similar to the 'cp' command.
85
00:07:47,980 --> 00:07:51,180
First, you give it the file that you want to move
86
00:07:51,180 --> 00:07:58,200
and second you give it the location where you want to move the file to, followed by the new file name.
87
00:07:58,620 --> 00:08:07,040
So now when I move this file the app_backdoor.apk, when it goes into my var/www/evil-files,
88
00:08:07,180 --> 00:08:11,340
it'll actually be renamed to flappybird.apk.
89
00:08:12,800 --> 00:08:18,700
So I'm gonna hit Enter and that's moved there and now we're ready to go and test the backdoor,
90
00:08:19,280 --> 00:08:23,253
but before we run it as you know, because we're using a reverse connection,
91
00:08:23,260 --> 00:08:27,680
we need to listen for incoming connections and I spent a full lecture
92
00:08:27,680 --> 00:08:31,440
showing you how to do that using Metasploit's multi handler.
93
00:08:31,540 --> 00:08:35,100
So, first I'm gonna do 'msfconsole' to run Metasploit
94
00:08:36,440 --> 00:08:40,280
and I've already configured my handler to use the right options.
95
00:08:40,280 --> 00:08:42,341
If you don't remember how to do this,
96
00:08:42,341 --> 00:08:46,140
please go back and refer to the lecture where I show how to use it.
97
00:08:47,000 --> 00:08:51,280
So, right now I'm only gonna do show options to show you the right options,
98
00:08:51,880 --> 00:08:57,560
so like we did before you can see that I'm using an exploit multi handler to listen for incoming connections
99
00:08:57,860 --> 00:09:03,280
and I set my payload to android/meterpreter/reverse_http,
100
00:09:03,280 --> 00:09:06,360
the same payload that I picked when I generated the back door
101
00:09:06,460 --> 00:09:11,680
and this is always the same idea, we always pick in the handler the same payload that we pick
102
00:09:11,820 --> 00:09:13,400
when we generate the back door.
103
00:09:14,660 --> 00:09:20,440
You can also see that I set my LHOST to 192.168.0.38 and the port to '8080',
104
00:09:20,620 --> 00:09:24,920
again, the same options that I set when I created my backdoor.
105
00:09:25,640 --> 00:09:28,680
So I'm just going to exploit to listen for incoming connections now
106
00:09:29,180 --> 00:09:30,860
and that's it we're good to go.
107
00:09:31,040 --> 00:09:35,520
Now let's go to the Android device, download the backdoor and see if it works.
108
00:09:36,520 --> 00:09:42,500
Now, right here I have my HTC One device, it's a real Android device, this is not a virtual machine
109
00:09:42,860 --> 00:09:46,700
and this device is connected to my network.
110
00:09:47,400 --> 00:09:49,360
So I'm gonna go to my browser
111
00:09:50,420 --> 00:09:57,260
and I'm just going to download the file, so I want to go to 192.168.0.38
112
00:09:57,480 --> 00:10:04,860
and I want to download the file from evil-files/flappybird.apk.
113
00:10:09,060 --> 00:10:14,960
Now as you can see the file is downloaded so I'm gonna go from here
114
00:10:15,460 --> 00:10:19,100
and install the file, so I'm just gonna click it to install it
115
00:10:20,680 --> 00:10:24,560
then it's going to show me all the permissions that the file is asking for,
116
00:10:24,560 --> 00:10:28,040
so I'm just going to scroll down and click on install.
117
00:10:29,780 --> 00:10:35,580
Now as you can see we have a normal icon for Flappy Bird and now the app is installed.
118
00:10:35,580 --> 00:10:38,840
So you can open it from here or click on done, I'm just going to do done
119
00:10:39,360 --> 00:10:42,260
and then I'm just going to go on all my applications
120
00:10:43,260 --> 00:10:47,580
and you can see I have the app installed here and it's called Flappy Bird.
121
00:10:47,860 --> 00:10:50,280
So, I'm just gonna tap that to run the app
122
00:10:52,020 --> 00:10:55,920
and you see that I'm just gonna get a normal game that I can play.
123
00:11:01,560 --> 00:11:09,440
Okay, but if we go back to the Kali machine, you'll see that we got a 'meterpreter' session
124
00:11:09,600 --> 00:11:16,760
from the target Android device, and I can just do 'sysinfo' to confirm that
125
00:11:17,800 --> 00:11:21,900
and as you can see now I managed to gain full access to this Android device.
126
00:11:22,340 --> 00:11:27,500
Now I can access the camera, access the mics and messages, access the files
127
00:11:27,500 --> 00:11:33,720
and do anything I want on that device and we managed to do this using a legitimate app
128
00:11:33,720 --> 00:11:36,780
and we injected our code in that app.
129
00:11:37,940 --> 00:11:42,300
So this opens a huge number of attack strategies: you can pretend to be a friend
130
00:11:42,300 --> 00:11:46,740
and send an app to the person, you can pretend to be Facebook for example and tell the person
131
00:11:46,750 --> 00:11:51,460
there is a new update and to download it, you can pretend to be a local restaurant
132
00:11:51,460 --> 00:11:57,380
and send the flyer into the house and ask the person to download a file using a QR code.
133
00:11:57,380 --> 00:12:02,060
There is a huge number of ways to use this to hack into your target.
134
00:12:02,540 --> 00:12:04,600
For now we're not talking about delivery methods,
135
00:12:04,600 --> 00:12:07,640
so yeah I just want to show you the whole technique behind it
136
00:12:07,780 --> 00:12:13,060
and as you can see we can hack into any Android phone using any app that we want.