Why certificates should be signed for android?

Download 6,34 Mb. Pdf ko'rish
bet	201/203
Sana	10.01.2024
Hajmi	6,34 Mb.
	#134102

1 ... 195 196 197 198 199 200 201 202 203

Bog'liq
Linux This Book Includes 4 Manuscripts The Underground Bible

Why certificates should be signed for android?
Installing signed applications is a mandatory thing in iOS however android
doesn't have that restriction. But from the latest versions of android google
made things difficult for hackers.
In the past with the help of remote execution hackers used to install trojans
and worms with malicious content with a click. However, nowadays it has
become a lot difficult because the user needs to grant the permissions
manually. For this reason, you need to even polish your social engineering
skills before trying to send the exploit to the victim. Make them believe
with your words that this is a necessary application that needs to be

installed. That's what all hackers do to manipulates things for their
exploitation.
We have a wide variety of signing tools like jar signer in the Metasploit
interface. Select any one of them and use the following command
root @ examplelinux : msfvenom signer -ssh 23.2.2.1
The signer tool has the following attributes which will be explained in the
next section in detail:
a) Type of certificate
There are a lot of certificate signs that need to be reviewed. You can use
either an SHA way or by RSA way.
b) -verify
This command will make the tool to verify the app with the certification
that the user has selected.
Now after verification, you need to use aligning tools that can mix up the
exploit that you have developed with the apk tool.
c) align
Aligning is a process of inserting the exploit into the application. There are
a lot of exploits that are available in the Metasploit database. Or you can
even create an own shell script that can send back information to our server.
For the visual demonstration of this topic we will explain about a shell
script that performs the following functions:
a) The shell script should collect all the user contacts that are present on the
phone.
b) The shell script should identify any new messages that are received and
should send them to the Metasploit server.
Few might have got a doubt about how the Metasploit server works. It
consists of a URL that is inserted into the exploit and we need to enter the

same URL into the browser in that network. In this way, we can access all
the information that is being sent to the server.
d) Packing
After aligning the exploit into an app, you need to repackage it so that the
apk looks perfectly normal. There is maybe a small marginal change in the
size of the apk. To get undetected by the antiviruses you may use additional
security options that can spoof the phone security.
You can use the following command to package the apk and exploit:
root @ example : pack location seems.ap k
After packaging the app, you should find a smart social engineering
technique to send it to the victim's system. You can use an email with a rar
file to send it to the phone. And when the victim successfully installs the
application on his phone the app starts running in the background and will
send all of the required data to the Metasploit server.
That's it about the exploit and its implementation using the Metasploit
interface console. In the next chapter, we will give a brief introduction
about the network sniffing tool known as wire shark and end this chapter.

Download 6,34 Mb.

1 ... 195 196 197 198 199 200 201 202 203

Download 6,34 Mb.

Pdf ko'rish