installed. That's what all hackers do to manipulates things for their
exploitation.
We have a wide variety of signing tools like
jar signer in the Metasploit
interface. Select any one of them and use the following command
root @ examplelinux : msfvenom signer -ssh 23.2.2.1
The signer tool has the following attributes which will be explained in the
next section in detail:
a) Type of certificate
There are a lot of certificate signs that need to be reviewed. You can use
either an SHA way or by RSA way.
b) -verify
This command will make the tool to verify the
app with the certification
that the user has selected.
Now after verification, you need to use aligning tools that can mix up the
exploit that you have developed with the apk tool.
c) align
Aligning is a process of inserting the exploit into the application. There are
a lot of exploits that are available in the Metasploit database. Or you can
even create an own shell script that can send back information to our server.
For the visual demonstration of this topic we
will explain about a shell
script that performs the following functions:
a) The shell script should collect all the user contacts that are present on the
phone.
b) The shell script should identify any new messages that are received and
should send them to the Metasploit server.
Few might have got a doubt about how the Metasploit server works. It
consists of a URL that is inserted into the exploit and we need to enter the
same URL into the browser in that network. In this way, we can access all
the information that is being sent to the server.
d) Packing
After aligning the exploit into an app, you need to repackage it so that the
apk looks perfectly normal. There is maybe a small marginal change in the
size of the apk. To get undetected by the antiviruses you may use additional
security options that can spoof the phone security.
You can use the following command to package the apk and exploit:
root @ example : pack location seems.ap k
After packaging the app, you should find
a smart social engineering
technique to send it to the victim's system. You can use an email with a rar
file to send it to the phone. And when the victim successfully installs the
application on his phone the app starts running in the background and will
send all of the required data to the Metasploit server.
That's it about the exploit and its implementation using the Metasploit
interface console.
In the next chapter, we will give a brief introduction
about the network sniffing tool known as wire shark and end this chapter.
