⚠️ Can a USB cable hack your phone? Yes — and here’s how.

In this ethical hacking tutorial, we demonstrate a real-world attack using Metasploit + Rubber Ducky + the infamous Hak5 OMG Cable. Learn how attackers can deploy payloads into Android and iOS devices — and more importantly, how to protect yourself.

🔧 What you’ll learn:
• How Metasploit and MSFvenom craft remote access payloads
• How hackers use Rubber Ducky USBs and OMG Cables to automate exploits
• Real-world device demo (Android & iPhone)
• Protection tips: disable USB debugging, OTG lockdown, and endpoint monitoring

💡 This video is for educational purposes only. Never attack a device you don’t own or have written permission to test.

#RubberDucky #Metasploit #PhoneHacking #OMGCable #EthicalHacking #CyberSecurity #AndroidHacking #iPhoneHack #Hak5Tools


Category: Tech

Transcript
00:00 In this video, I'm going to show you how I can remotely control an Android phone.
00:05 If you install software, or I use a special cable, an OMG cable, to get that phone to
00:12 download and install software, I can remotely control the phone, I can read your SMSs, I
00:16 can send SMSs from the phone to another phone, which I'll demonstrate.
00:19 May this video be a warning to both you and your family why you shouldn't download untrusted
00:24 software and run untrusted software on devices such as your phone or your laptop.
00:30 Before we get started, I want to make it clear that this video is for educational purposes
00:37 only and to make you aware of the potential vulnerabilities in a device such as an Android
00:43 phone.
00:44 It's really important that you don't download untrusted software onto your devices because
00:49 it can have devastating consequences.
00:52 Don't just trust any software and download it.
00:54 Also, be aware that just because it looks like a standard cable doesn't mean that it
00:59 is a standard cable.
01:01 I'm going to show you in this video how a cable that looks like a standard USB cable
01:06 or an iPhone cable can be a malicious cable and not what it looks like.
01:10 Okay, let's get started with the video.
01:12 Even though these two cables may look the same, one of them is an OMG cable that allows me
01:18 to send keystrokes to a phone.
01:20 It acts like a normal cable but has a lot of power.
01:23 Here, I've got a Samsung S22.
01:24 I'm not going to touch the phone.
01:25 I'm running software in the cloud, and notice what I can do.
01:30 I can send a message from the cloud to this phone to get that phone to send a message to
01:35 this phone.
01:36 So what I'll do here is use the command send SMS, and let's call this fake SMS and press
01:41 enter.
01:42 I'll go to messages, and as you can see there, fake SMS was received by this phone.
01:47 Let's try it again.
01:48 This is a test SMS from Android.
01:53 Press enter.
01:54 Once again, I'm connecting to a server in the cloud.
01:57 It's sending a message to this phone.
02:00 I'm remotely controlling this phone, which is then sending a message via SMS to my iPhone
02:06 because I've been able to install malicious software on the Android device.
02:10 I find it amazing that Android allows you to download and install this kind of software.
02:14 Let's hope they lock Android down a lot more so that this type of thing is not possible.
02:19 Please note in this example, it's showing up as main activity on the phone.
02:24 In a previous video, I showed you how I could log keystrokes on a Windows 11 computer when
02:28 software was downloaded and run on a Windows 11 laptop.
02:31 Use the link below to see that video.
02:33 Now, you can do many things here.
02:34 As an example, if I type sysinfo, you can see that this phone is running Android 12.
02:40 If I go to settings on the phone, you can see that the version being used here is Android
02:44 12.
02:45 I can read SMSs remotely.
02:47 So if I use the command dump SMS, those messages are saved to this file on the server.
02:53 And I could use the command cat, and I can read those SMS messages.
02:58 I sent an SMS saying extremely important message.
03:00 Do not share with anyone.
03:02 Very confidential message.
03:03 Do not show anyone.
03:04 Here is a one-time password from 3, which is the cell phone provider in this example.
03:09 Here is my number, which we'll hide for this video so that I don't get a whole bunch of
03:13 spam messages.
03:14 As you can see, messages were received by this phone.
03:17 I could send a message back saying, hello from iPhone.
03:21 So send those messages back to the phone.
03:24 You can see here, hello from iPhone.
03:26 On my server once again, I could dump those SMSs.
03:30 I'll read that file on the server, cat, control V. Here are the messages, hello from iPhone.
03:37 Here you can see the message, this is a test SMS from Android, fake SMS.
03:41 Let's call the phone.
03:44 I'll kill the call.
03:45 Let's dump the call log.
03:47 What I'm going to do here is use the command dump call log.
03:50 Here's the file that's created, and I'll cat that information.
03:54 And you can see this call was missed by the phone.
03:57 Okay, but how do you get the software on the phone?
04:00 Now, there are various ways to do this.
04:01 You could use a phishing website.
04:03 So you could trick the user into going to a website and then downloading the software
04:06 and installing it, but they have to agree to install software that hasn't been verified.
04:11 So you've got to really do some social engineering to get the user to install the software.
04:16 What we're going to do in this demonstration is use an OMG cable.
04:19 If you haven't seen these before, these are made by Hak5.
04:23 Well, MG is actually the creator, but he sells these cables with Hak5.
04:27 This is a standard Lightning cable, but here is an OMG cable.
04:33 So you probably can't see the difference between those two cables.
04:36 One is an OMG cable.
04:37 One is a standard cable.
04:40 Very difficult to see the difference.
04:42 They are essentially the same.
04:43 They act like normal cables, but have an AP inside them that you can connect to using Wi-Fi.
04:50 And they can send keystrokes to a device such as a phone.
04:54 If I plug this into a phone, as an example, I could charge that phone normally; it acts like a normal cable.
05:01 But what it allows me to do is send keystrokes to the phone to get the phone to do something.
05:08 So as an example, I could plug this cable into that phone.
05:12 I'll just leave it here unconnected just to make the point that I'm not going to touch the cable.
05:17 What I can do is connect to an access point in the cable.
05:21 So from my computer, I'm going to connect to the OMG cable that's running an access point.
05:26 And what I'm going to do is connect to an IP address, 192.168.4.1.
05:30 I've covered some of the OMG functionality in separate videos.
05:33 Let's have a look at this video as an example, where I send keystrokes to the phone to get it to take a photo or do other things.
05:40 But what I'm going to do here is I'm going to load a pre-configured payload.
05:44 I've created this payload.
05:47 You can find this payload on GitHub.
05:48 Use the link below.
05:49 It may or may not work for your particular phone.
05:52 In this example, this payload has been created for a Samsung S22 phone.
05:56 You may need to adjust, especially the timers.
05:58 What we're basically doing is sending keystrokes to the device, and then there's delays between the keystrokes.
06:06 I've made them fairly large so that it doesn't go too quickly on the video.
06:09 But also, if you make them too quick, it can break your script.
06:12 So you may have to play around with the timers to get this to work.
06:16 What we're basically doing is getting the device to download a malicious APK file from a server.
06:22 The server is running on Linode, who I want to thank for sponsoring this video.
06:26 You can use the link below to get a $100 60-day credit so that you can try this for yourself.
06:32 I've already got the server running.
06:33 Here it is.
06:34 So Metasploit Ubuntu APK server.
06:37 And you'll notice that's the IP address listed in the string that's going to be sent to the phone to download the malicious APK.
06:44 What we're using here is Metasploit and MSFvenom to create a malicious APK file,
06:50 which is then downloaded to the phone, gets the phone to connect to my server.
06:54 And then I can type various commands, which I've demonstrated.
06:57 So I've got Metasploit running, and I'll simply type run to run the software.
07:01 I'll start my Python server.
07:03 My Python HTTP server is listening on port 8000.
07:06 I've got my payload running.
07:07 It's listening on port 444 under this IP address.
07:10 In the script running on the OMG cable, that's the IP address that we're going to point to.
07:15 Port 8000, because of the Python server, we're going to download the OMG APK file.
07:19 Okay, so let's see if it actually works.
07:21 I'm not going to touch the cable.
07:22 I'll move this keyboard away.
07:24 All I'm going to do is click run.
07:26 Payload is running on the OMG cable.
07:28 It opens up a web browser.
07:30 There you go.
07:31 Connects to the server.
07:32 It downloads the APK file.
07:35 I've once again put long delays in the script to make sure that this works
07:40 and to make sure that it doesn't go too quickly.
07:42 Installs the file.
07:43 We're told that it's blocked by Play Protect, but we're going to send keystrokes to tell it
07:50 to run it anyway and install it and then open up the file.
07:55 It then allows that app to access everything on the phone, basically.
08:00 And there you go.
08:07 Script has completed.
08:08 We can see that a connection was made to the server.
08:11 Now we can type various commands.
08:13 I can type ifconfig.
08:14 That gives me the IP address of the device.
08:17 There's wlan0.
08:19 There's the IP address of the device.
08:21 Now if the session breaks, just type run to run it again.
08:24 The software should automatically connect.
08:27 If it doesn't, just run it manually again.
08:29 So let's type sysinfo.
08:31 We can see that this is an Android 12 phone.
08:33 Let's dump the SMSs again.
08:35 So we'll use the command dump SMS.
08:38 We're told that the SMSs are dumped to that file.
08:41 So ls on the server.
08:43 Let's do ls.
08:44 The file is this one.
08:46 So cat that file.
08:48 You can see that there was an outgoing message called this is a fake SMS.
08:51 You can see that I topped up this phone.
08:55 So I put 10 pounds on it.
08:56 You can see that I sent.
08:58 This is a very confidential message.
08:59 This is a test message.
09:00 We could dump the call log.
09:03 So call log.
09:04 That's the name of the file.
09:06 So I'll cat that.
09:08 And you can see various calls were made to this phone.
09:11 Okay, but we can also send SMSs from the phone once again.
09:15 So another test SMS from Metasploit.
09:21 And there you go.
09:22 Another test SMS from Metasploit.
09:25 Just to make the point, let's say, last message.
09:30 Now remember, I'm sending it from a host on the internet.
09:34 It's sending a message to that phone.
09:36 That phone is then sending an SMS to this phone.
09:39 Last message.
09:40 We shouldn't be able to do this on an Android phone.
09:42 It shouldn't accept applications such as this.
09:45 Default behavior should be to block all these types of applications.
09:48 Do not download software from the internet that you don't trust.
09:52 Don't just download an APK and run it on your phone.
09:55 Because someone could do stuff like this, where they can read the messages on your phone.
09:59 They can do things on your phone that they shouldn't be able to do.
10:02 If you enjoyed this video, please like it.
10:04 I want to wish you all the very best.
10:06 See you next time.