hacktricks/mobile-pentesting/android-app-pentesting/adb-commands.md
2023-04-25 20:35:28 +02:00

446 lines
12 KiB
Markdown

<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
</details>
**Adb is usually located in:**
```bash
#Windows
C:\Users\<username>\AppData\Local\Android\sdk\platform-tools\adb.exe
#MacOS
/Users/<username>/Library/Android/sdk/platform-tools/adb
```
**Information obtained from:** [**http://adbshell.com/**](http://adbshell.com)
# Connection
```
adb devices
```
This will list the connected devices; if "_**unathorised**_" appears, this means that you have to **unblock** your **mobile** and **accept** the connection.
This indicates to the device that it has to start and adb server in port 5555:
```
adb tcpip 5555
```
Connect to that IP and that Port:
```
adb connect <IP>:<PORT>
```
If you get an error like the following in a Virtual Android software (like Genymotion):
```
adb server version (41) doesn't match this client (36); killing...
```
It's because you are trying to connect to an ADB server with a different version. Just try to find the adb binary the software is using (go to `C:\Program Files\Genymobile\Genymotion` and search for adb.exe)
## Several devices
Whenever you find **several devices connected to your machine** you will need to **specify in which one** you want to run the adb command.
```bash
adb devices
List of devices attached
10.10.10.247:42135 offline
127.0.0.1:5555 device
```
```bash
adb -s 127.0.0.1:5555 shell
x86_64:/ # whoami
root
```
## Port Tunneling
In case the **adb** **port** is only **accessible** from **localhost** in the android device but **you have access via SSH**, you can **forward the port 5555** and connect via adb:
```bash
ssh -i ssh_key username@10.10.10.10 -L 5555:127.0.0.1:5555 -p 2222
adb connect 127.0.0.1:5555
```
# Packet Manager
## Install/Uninstall
### adb install \[option] \<path>
```
adb install test.apk
```
```
adb install -l test.apk forward lock application
```
```
adb install -r test.apk replace existing application
```
```
adb install -t test.apk allow test packages
```
```
adb install -s test.apk install application on sdcard
```
```
adb install -d test.apk allow version code downgrade
```
```
adb install -p test.apk partial application install
```
### adb uninstall \[options] \<PACKAGE>
```
adb uninstall com.test.app
```
```
adb uninstall -k com.test.app Keep the data and cache directories around after package removal.
```
## Packages
Prints all packages, optionally only those whose package name contains the text in \<FILTER>.
### adb shell pm list packages \[options] \<FILTER-STR>
```
adb shell pm list packages <FILTER-STR>
```
```
adb shell pm list packages -f <FILTER-STR> #See their associated file.
```
```
adb shell pm list packages -d <FILTER-STR> #Filter to only show disabled packages.
```
```
adb shell pm list packages -e <FILTER-STR> #Filter to only show enabled packages.
```
```
adb shell pm list packages -s <FILTER-STR> #Filter to only show system packages.
```
```
adb shell pm list packages -3 <FILTER-STR> #Filter to only show third party packages.
```
```
adb shell pm list packages -i <FILTER-STR> #See the installer for the packages.
```
```
adb shell pm list packages -u <FILTER-STR> #Also include uninstalled packages.
```
```
adb shell pm list packages --user <USER_ID> <FILTER-STR> #The user space to query.
```
### adb shell pm path \<PACKAGE>
Print the path to the APK of the given .
```
adb shell pm path com.android.phone
```
### adb shell pm clear \<PACKAGE>
Delete all data associated with a package.
```
adb shell pm clear com.test.abc
```
# File Manager
### adb pull \<remote> \[local]
Download a specified file from an emulator/device to your computer.
```
adb pull /sdcard/demo.mp4 ./
```
### adb push \<local> \<remote>
Upload a specified file from your computer to an emulator/device.
```
adb push test.apk /sdcard
```
# Screencapture/Screenrecord
### adb shell screencap \<filename>
Taking a screenshot of a device display.
```
adb shell screencap /sdcard/screen.png
```
### adb shell screenrecord \[options] \<filename>
Recording the display of devices running Android 4.4 (API level 19) and higher.
```
adb shell screenrecord /sdcard/demo.mp4
adb shell screenrecord --size <WIDTHxHEIGHT>
adb shell screenrecord --bit-rate <RATE>
adb shell screenrecord --time-limit <TIME> #Sets the maximum recording time, in seconds. The default and maximum value is 180 (3 minutes).
adb shell screenrecord --rotate # Rotates 90 degrees
adb shell screenrecord --verbose
```
(press Ctrl-C to stop recording)
**You can download the files (images and videos) using **_**adb pull**_
# Shell
### adb shell
Get a shell inside the device
```
adb shell
```
### adb shell \<CMD>
Execute a command inside the device
```
adb shell ls
```
## pm
The following commands are executed inside of a shell
```bash
pm list packages #List installed packages
pm path <package name> #Get the path to the apk file of tha package
am start [<options>] #Start an activity. Whiout options you can see the help menu
am startservice [<options>] #Start a service. Whiout options you can see the help menu
am broadcast [<options>] #Send a broadcast. Whiout options you can see the help menu
input [text|keyevent] #Send keystrokes to device
```
# Processes
If you want to get the PID of the process of your application you can execute:
```
adb shell ps
```
And search for your application
Or you can do
```
adb shell pidof com.your.application
```
And it will print the PID of the application
# System
```
adb root
```
Restarts the adbd daemon with root permissions. Then, you have to conenct again to the ADB server and you will be root (if available)
```
adb sideload <update.zip>
```
flashing/restoring Android update.zip packages.
# Logs
## Logcat
To **filter the messages of only one application**, get the PID of the application and use grep (linux/macos) or findstr (windows) to filter the output of logcat:
```
adb logcat | grep 4526
adb logcat | findstr 4526
```
### adb logcat \[option] \[filter-specs]
```
adb logcat
```
Notes: press Ctrl-C to stop monitor
```
adb logcat *:V lowest priority, filter to only show Verbose level
```
```
adb logcat *:D filter to only show Debug level
```
```
adb logcat *:I filter to only show Info level
```
```
adb logcat *:W filter to only show Warning level
```
```
adb logcat *:E filter to only show Error level
```
```
adb logcat *:F filter to only show Fatal level
```
```
adb logcat *:S Silent, highest priority, on which nothing is ever printed
```
### adb logcat -b \<Buffer>
```
adb logcat -b radio View the buffer that contains radio/telephony related messages.
```
```
adb logcat -b event View the buffer containing events-related messages.
```
```
adb logcat -b main default
```
```
adb logcat -c Clears the entire log and exits.
```
```
adb logcat -d Dumps the log to the screen and exits.
```
```
adb logcat -f test.logs Writes log message output to test.logs .
```
```
adb logcat -g Prints the size of the specified log buffer and exits.
```
```
adb logcat -n <count> Sets the maximum number of rotated logs to <count>.
```
## dumpsys
dumps system data
### adb shell dumpsys \[options]
```
adb shell dumpsys
```
adb shell dumpsys meminfo
```
adb shell dumpsys battery
```
Notes: A mobile device with Developer Options enabled running Android 5.0 or higher.
```
adb shell dumpsys batterystats collects battery data from your device
```
Notes: [Battery Historian](https://github.com/google/battery-historian) converts that data into an HTML visualization. **STEP 1** _adb shell dumpsys batterystats > batterystats.txt_ **STEP 2** _python historian.py batterystats.txt > batterystats.html_
```
adb shell dumpsys batterystats --reset erases old collection data
```
adb shell dumpsys activity
# Backup
Backup an android device from adb.
```bash
adb backup [-apk] [-shared] [-system] [-all] -f file.backup
# -apk -- Include APK from Third partie's applications
# -shared -- Include removable storage
# -system -- Include system Applciations
# -all -- Include all the applications
adb shell pm list packages -f -3 #List packages
adb backup -f myapp_backup.ab -apk com.myapp # backup on one device
adb restore myapp_backup.ab # restore to the same or any other device
```
If you want to inspect the content of the backup:
```bash
( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 myapp_backup.ab ) | tar xfvz -
```
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
</details>