mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-29 22:43:11 +00:00
338 lines
14 KiB
Markdown
338 lines
14 KiB
Markdown
|
# Drozer Tutorial
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
<img src="../../../.gitbook/assets/i3.png" alt="" data-size="original">
|
|||
|
|
|||
|
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
|||
|
|
|||
|
{% embed url="https://go.intigriti.com/hacktricks" %}
|
|||
|
|
|||
|
## APKs to test
|
|||
|
|
|||
|
* [Sieve](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) (from mrwlabs)
|
|||
|
* [DIVA](https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz)
|
|||
|
|
|||
|
**Parts of this tutorial were extracted from the** [**Drozer documentation pdf**](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf)**.**
|
|||
|
|
|||
|
## Installation
|
|||
|
|
|||
|
Install Drozer Client inside your host. Download it from the [latest releases](https://github.com/mwrlabs/drozer/releases).
|
|||
|
|
|||
|
```bash
|
|||
|
pip install drozer-2.4.4-py2-none-any.whl
|
|||
|
pip install twisted
|
|||
|
pip install service_identity
|
|||
|
```
|
|||
|
|
|||
|
Download and install drozer APK from the [latest releases](https://github.com/mwrlabs/drozer/releases). At this moment it is [this](https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk).
|
|||
|
|
|||
|
```bash
|
|||
|
adb install drozer.apk
|
|||
|
```
|
|||
|
|
|||
|
### Starting the Server
|
|||
|
|
|||
|
Agent is running on port 31415, we need to [port forward](https://en.wikipedia.org/wiki/Port\_forwarding) to establish the communication between the Drozer Client and Agent, here is the command to do so:
|
|||
|
|
|||
|
```bash
|
|||
|
adb forward tcp:31415 tcp:31415
|
|||
|
```
|
|||
|
|
|||
|
Finally, **launch** the **application** and press the bottom "**ON**"
|
|||
|
|
|||
|
![](<../../../.gitbook/assets/image (459).png>)
|
|||
|
|
|||
|
And connect to it:
|
|||
|
|
|||
|
```bash
|
|||
|
drozer console connect
|
|||
|
```
|
|||
|
|
|||
|
## Interesting Commands
|
|||
|
|
|||
|
| **Commands** | **Description** |
|
|||
|
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
|||
|
| **Help MODULE** | Shows help of the selected module |
|
|||
|
| **list** | Shows a list of all drozer modules that can be executed in the current session. This hides modules that you don’t have appropriate permissions to run. |
|
|||
|
| **shell** | Start an interactive Linux shell on the device, in the context of the Agent. |
|
|||
|
| **clean** | Remove temporary files stored by drozer on the Android device. |
|
|||
|
| **load** | Load a file containing drozer commands and execute them in sequence. |
|
|||
|
| **module** | Find and install additional drozer modules from the Internet. |
|
|||
|
| **unset** | Remove a named variable that drozer passes to any Linux shells that it spawns. |
|
|||
|
| **set** | Stores a value in a variable that will be passed as an environmental variable to any Linux shells spawned by drozer. |
|
|||
|
| **shell** | Start an interactive Linux shell on the device, in the context of the Agent |
|
|||
|
| **run MODULE** | Execute a drozer module |
|
|||
|
| **exploit** | Drozer can create exploits to execute in the decide. `drozer exploit list` |
|
|||
|
| **payload** | The exploits need a payload. `drozer payload list` |
|
|||
|
|
|||
|
### Package
|
|||
|
|
|||
|
Find the **name** of the package filtering by part of the name:
|
|||
|
|
|||
|
```bash
|
|||
|
dz> run app.package.list -f sieve
|
|||
|
com.mwr.example.sieve
|
|||
|
```
|
|||
|
|
|||
|
**Basic Information** of the package:
|
|||
|
|
|||
|
```bash
|
|||
|
dz> run app.package.info -a com.mwr.example.sieve
|
|||
|
Package: com.mwr.example.sieve
|
|||
|
Process Name: com.mwr.example.sieve
|
|||
|
Version: 1.0
|
|||
|
Data Directory: /data/data/com.mwr.example.sieve
|
|||
|
APK Path: /data/app/com.mwr.example.sieve-2.apk
|
|||
|
UID: 10056
|
|||
|
GID: [1028, 1015, 3003]
|
|||
|
Shared Libraries: null
|
|||
|
Shared User ID: null
|
|||
|
Uses Permissions:
|
|||
|
- android.permission.READ_EXTERNAL_STORAGE
|
|||
|
- android.permission.WRITE_EXTERNAL_STORAGE
|
|||
|
- android.permission.INTERNET
|
|||
|
Defines Permissions:
|
|||
|
- com.mwr.example.sieve.READ_KEYS
|
|||
|
- com.mwr.example.sieve.WRITE_KEYS
|
|||
|
```
|
|||
|
|
|||
|
Read **Manifest**:
|
|||
|
|
|||
|
```bash
|
|||
|
run app.package.manifest jakhar.aseem.diva
|
|||
|
```
|
|||
|
|
|||
|
**Attack surface** of the package:
|
|||
|
|
|||
|
```bash
|
|||
|
dz> run app.package.attacksurface com.mwr.example.sieve
|
|||
|
Attack Surface:
|
|||
|
3 activities exported
|
|||
|
0 broadcast receivers exported
|
|||
|
2 content providers exported
|
|||
|
2 services exported
|
|||
|
is debuggable
|
|||
|
```
|
|||
|
|
|||
|
* **Activities**: Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it.
|
|||
|
* **Content providers**: Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal).
|
|||
|
* **Services**:
|
|||
|
* **is debuggable**: [Learn more](./#is-debuggeable)
|
|||
|
|
|||
|
### Activities
|
|||
|
|
|||
|
An exported activity component’s “android:exported” value is set to **“true”** in the AndroidManifest.xml file:
|
|||
|
|
|||
|
```markup
|
|||
|
<activity android:name="com.my.app.Initial" android:exported="true">
|
|||
|
</activity>
|
|||
|
```
|
|||
|
|
|||
|
**List exported activities**:
|
|||
|
|
|||
|
```bash
|
|||
|
dz> run app.activity.info -a com.mwr.example.sieve
|
|||
|
Package: com.mwr.example.sieve
|
|||
|
com.mwr.example.sieve.FileSelectActivity
|
|||
|
com.mwr.example.sieve.MainLoginActivity
|
|||
|
com.mwr.example.sieve.PWList
|
|||
|
```
|
|||
|
|
|||
|
**Start activity**:
|
|||
|
|
|||
|
Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it.
|
|||
|
|
|||
|
{% code overflow="wrap" %}
|
|||
|
```bash
|
|||
|
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
|
|||
|
```
|
|||
|
{% endcode %}
|
|||
|
|
|||
|
You can also start an exported activity from **adb**:
|
|||
|
|
|||
|
* PackageName is com.example.demo
|
|||
|
* Exported ActivityName is com.example.test.MainActivity
|
|||
|
|
|||
|
```bash
|
|||
|
adb shell am start -n com.example.demo/com.example.test.MainActivity
|
|||
|
```
|
|||
|
|
|||
|
### Content Providers
|
|||
|
|
|||
|
This post was so big to be here so **you can** [**access it in its own page here**](exploiting-content-providers.md).
|
|||
|
|
|||
|
### Services
|
|||
|
|
|||
|
A exported service is declared inside the Manifest.xml:
|
|||
|
|
|||
|
{% code overflow="wrap" %}
|
|||
|
```markup
|
|||
|
<service android:name=".AuthService" android:exported="true" android:process=":remote"/>
|
|||
|
```
|
|||
|
{% endcode %}
|
|||
|
|
|||
|
Inside the code **check** for the \*\*`handleMessage`\*\*function which will **receive** the **message**:
|
|||
|
|
|||
|
![](<../../../.gitbook/assets/image (82).png>)
|
|||
|
|
|||
|
#### List service
|
|||
|
|
|||
|
```bash
|
|||
|
dz> run app.service.info -a com.mwr.example.sieve
|
|||
|
Package: com.mwr.example.sieve
|
|||
|
com.mwr.example.sieve.AuthService
|
|||
|
Permission: null
|
|||
|
com.mwr.example.sieve.CryptoService
|
|||
|
Permission: null
|
|||
|
```
|
|||
|
|
|||
|
#### **Interact** with a service
|
|||
|
|
|||
|
```bash
|
|||
|
app.service.send Send a Message to a service, and display the reply
|
|||
|
app.service.start Start Service
|
|||
|
app.service.stop Stop Service
|
|||
|
```
|
|||
|
|
|||
|
#### Example
|
|||
|
|
|||
|
Take a look to the **drozer** help for `app.service.send`:
|
|||
|
|
|||
|
![](<../../../.gitbook/assets/image (1079).png>)
|
|||
|
|
|||
|
Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where.\
|
|||
|
Using the `--extra` option you can send something interpreted by "_msg.replyTo"_, and using `--bundle-as-obj` you create and object with the provided details.
|
|||
|
|
|||
|
In the following example:
|
|||
|
|
|||
|
* `what == 2354`
|
|||
|
* `arg1 == 9234`
|
|||
|
* `arg2 == 1`
|
|||
|
* `replyTo == object(string com.mwr.example.sieve.PIN 1337)`
|
|||
|
|
|||
|
```bash
|
|||
|
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj
|
|||
|
```
|
|||
|
|
|||
|
![](<../../../.gitbook/assets/image (647).png>)
|
|||
|
|
|||
|
### Broadcast Receivers
|
|||
|
|
|||
|
**In the Android basic info section you can see what is a Broadcast Receiver**.
|
|||
|
|
|||
|
After discovering this Broadcast Receivers you should **check the code** of them. Pay special attention to the **`onReceive`** function as it will be handling the messages received.
|
|||
|
|
|||
|
#### **Detect all** broadcast receivers
|
|||
|
|
|||
|
```bash
|
|||
|
run app.broadcast.info #Detects all
|
|||
|
```
|
|||
|
|
|||
|
#### Check broadcast receivers of an app
|
|||
|
|
|||
|
```bash
|
|||
|
#Check one negative
|
|||
|
run app.broadcast.info -a jakhar.aseem.diva
|
|||
|
Package: jakhar.aseem.diva
|
|||
|
No matching receivers.
|
|||
|
|
|||
|
# Check one positive
|
|||
|
run app.broadcast.info -a com.google.android.youtube
|
|||
|
Package: com.google.android.youtube
|
|||
|
com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
|
|||
|
Permission: null
|
|||
|
com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
|
|||
|
Permission: com.google.android.c2dm.permission.SEND
|
|||
|
com.google.android.apps.youtube.app.PackageReplacedReceiver
|
|||
|
Permission: null
|
|||
|
com.google.android.libraries.youtube.account.AccountsChangedReceiver
|
|||
|
Permission: null
|
|||
|
com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver
|
|||
|
Permission: null
|
|||
|
```
|
|||
|
|
|||
|
#### Broadcast **Interactions**
|
|||
|
|
|||
|
```bash
|
|||
|
app.broadcast.info Get information about broadcast receivers
|
|||
|
app.broadcast.send Send broadcast using an intent
|
|||
|
app.broadcast.sniff Register a broadcast receiver that can sniff particular intents
|
|||
|
```
|
|||
|
|
|||
|
#### Send a message
|
|||
|
|
|||
|
In this example abusing the [FourGoats apk](https://github.com/linkedin/qark/blob/master/tests/goatdroid.apk) Content Provider you can **send an arbitrary SMS** any non-premium destination **without asking** the user for permission.
|
|||
|
|
|||
|
![](<../../../.gitbook/assets/image (415).png>)
|
|||
|
|
|||
|
![](<../../../.gitbook/assets/image (573).png>)
|
|||
|
|
|||
|
If you read the code, the parameters "_phoneNumber_" and "_message_" must be sent to the Content Provider.
|
|||
|
|
|||
|
```bash
|
|||
|
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"
|
|||
|
```
|
|||
|
|
|||
|
### Is debuggeable
|
|||
|
|
|||
|
A prodduction APK should never be debuggeable.\
|
|||
|
This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code.
|
|||
|
|
|||
|
When an application is debuggable, it will appear in the Manifest:
|
|||
|
|
|||
|
```xml
|
|||
|
<application theme="@2131296387" debuggable="true"
|
|||
|
```
|
|||
|
|
|||
|
You can find all debuggeable applications with **Drozer**:
|
|||
|
|
|||
|
```bash
|
|||
|
run app.package.debuggable
|
|||
|
```
|
|||
|
|
|||
|
## Tutorials
|
|||
|
|
|||
|
* [https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref](https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref)
|
|||
|
* [https://github.com/mgcfish/mobiletools/blob/master/\_posts/2016-08-01-Using-Drozer-for-application-security-assessments.md](https://github.com/mgcfish/mobiletools/blob/master/\_posts/2016-08-01-Using-Drozer-for-application-security-assessments.md)
|
|||
|
* [https://www.hackingarticles.in/android-penetration-testing-drozer/](https://www.hackingarticles.in/android-penetration-testing-drozer/)
|
|||
|
* [https://medium.com/@ashrafrizvi3006/how-to-test-android-application-security-using-drozer-edc002c5dcac](https://medium.com/@ashrafrizvi3006/how-to-test-android-application-security-using-drozer-edc002c5dcac)
|
|||
|
|
|||
|
## More info
|
|||
|
|
|||
|
* [https://blog.dixitaditya.com/android-pentesting-cheatsheet/](https://blog.dixitaditya.com/android-pentesting-cheatsheet/)
|
|||
|
|
|||
|
<img src="../../../.gitbook/assets/i3.png" alt="" data-size="original">
|
|||
|
|
|||
|
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
|||
|
|
|||
|
{% embed url="https://go.intigriti.com/hacktricks" %}
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|