How to find external ip address a payload uses to connect back to the attacker?

Question

I find myself targeted with a malicious .apk file. I am provided with some malicious files disguised as a genuine .apk.

I used apktool to decompile the file and collect some information about the attacker. I could find none (please point me how to find some info if any can be found)

Could you point me in the right direction as to find which ip does the payload uses to connect back to the attacker? And also monitor the attacker if I deliberately allow the attacker to get a meterpreter session.

What else can I do to make the attacker regret targeting me?

Note: I am aware of how to generate a payload, embed it to a genuine apk file and to use a meterpreter session to access data from the remote target.

score 1 · Answer 1 · edited Apr 13 '17 at 12:22

1

You can create a wireless hotspot using your laptop, connect your phone on the wireless created by your laptop and then use wireshark to capture traffic from your phone to the internet. Then you will be able to see all the IPs your phone is connecting to.

Here's some useful links:

edited Apr 13 '17 at 12:22

Community

1

answered Feb 08 '17 at 09:33

Ricardo Reimao

687
4
9

Ideally you'd do this from a test device and not from one that has any of your real personal data on it! Should go without saying but you are otherwise literally intentionally running malware on your device. – Matthew1471 Feb 08 '17 at 13:47
Ty Richardo. Will try that out. – wishchaser Feb 09 '17 at 02:00
@Mathew, I am well aware of that. – wishchaser Feb 09 '17 at 02:01

How to find external ip address a payload uses to connect back to the attacker?

1 Answers1