hacktricks/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md
2024-12-12 11:39:29 +01:00
# Drozer Tutorial
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
<img src="../../../.gitbook/assets/i3.png" alt="" data-size="original">
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
## APKs to test
* [Sieve](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) (from mrwlabs)
* [DIVA](https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz)
**Parts of this tutorial were extracted from the** [**Drozer documentation pdf**](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf)**.**
## Installation
Install Drozer Client inside your host. Download it from the [latest releases](https://github.com/mwrlabs/drozer/releases).
```bash
pip install drozer-2.4.4-py2-none-any.whl
pip install twisted
pip install service_identity
```
Download and install drozer APK from the [latest releases](https://github.com/mwrlabs/drozer/releases). At this moment it is [this](https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk).
```bash
adb install drozer.apk
```
### Starting the Server
The agent listens on port 31415, so we need to [port forward](https://en.wikipedia.org/wiki/Port\_forwarding) to establish the communication between the Drozer client and the agent. Here is the command to do so:
```bash
adb forward tcp:31415 tcp:31415
```
Finally, **launch** the **application** and press the "**ON**" button
![](<../../../.gitbook/assets/image (459).png>)
And connect to it:
```bash
drozer console connect
```
## Interesting Commands
| **Commands** | **Description** |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Help MODULE** | Shows help of the selected module |
| **list** | Shows a list of all drozer modules that can be executed in the current session. This hides modules that you don't have appropriate permissions to run. |
| **shell** | Start an interactive Linux shell on the device, in the context of the Agent. |
| **clean** | Remove temporary files stored by drozer on the Android device. |
| **load** | Load a file containing drozer commands and execute them in sequence. |
| **module** | Find and install additional drozer modules from the Internet. |
| **unset** | Remove a named variable that drozer passes to any Linux shells that it spawns. |
| **set** | Stores a value in a variable that will be passed as an environmental variable to any Linux shells spawned by drozer. |
| **run MODULE** | Execute a drozer module |
| **exploit** | Drozer can create exploits to execute on the device. `drozer exploit list` |
| **payload** | The exploits need a payload. `drozer payload list` |
### Package
Find the **name** of the package filtering by part of the name:
```bash
dz> run app.package.list -f sieve
com.mwr.example.sieve
```
**Basic Information** of the package:
```bash
dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/data/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-2.apk
UID: 10056
GID: [1028, 1015, 3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INTERNET
Defines Permissions:
- com.mwr.example.sieve.READ_KEYS
- com.mwr.example.sieve.WRITE_KEYS
```
Read **Manifest**:
```bash
run app.package.manifest jakhar.aseem.diva
```
**Attack surface** of the package:
```bash
dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable
```
* **Activities**: Maybe you can start an activity and bypass some kind of authorization that should prevent you from launching it.
* **Content providers**: Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal).
* **Services**:
* **is debuggable**: [Learn more](./#is-debuggeable)
### Activities
An exported activity component has its "android:exported" value set to **"true"** in the AndroidManifest.xml file:
```markup
<activity android:name="com.my.app.Initial" android:exported="true">
</activity>
```
**List exported activities**:
```bash
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
com.mwr.example.sieve.MainLoginActivity
com.mwr.example.sieve.PWList
```
**Start activity**:
Maybe you can start an activity and bypass some kind of authorization that should prevent you from launching it.
{% code overflow="wrap" %}
```bash
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
```
{% endcode %}
You can also start an exported activity from **adb**:
* PackageName is com.example.demo
* Exported ActivityName is com.example.test.MainActivity
```bash
adb shell am start -n com.example.demo/com.example.test.MainActivity
```
### Content Providers
This section is too big to fit here, so **you can** [**access it on its own page**](exploiting-content-providers.md).
### Services
An exported service is declared inside the Manifest.xml:
{% code overflow="wrap" %}
```markup
<service android:name=".AuthService" android:exported="true" android:process=":remote"/>
```
{% endcode %}
Inside the code **check** for the **`handleMessage`** function, which will **receive** the **message**:
![](<../../../.gitbook/assets/image (82).png>)
#### List service
```bash
dz> run app.service.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.AuthService
Permission: null
com.mwr.example.sieve.CryptoService
Permission: null
```
#### **Interact** with a service
```bash
app.service.send Send a Message to a service, and display the reply
app.service.start Start Service
app.service.stop Stop Service
```
#### Example
Take a look at the **drozer** help for `app.service.send`:
![](<../../../.gitbook/assets/image (1079).png>)
Note that you will first be sending the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_"; you should check inside the code **which information is being used** and where.\
Using the `--extra` option you can send something interpreted as "_msg.replyTo_", and using `--bundle-as-obj` you create an object with the provided details.
In the following example:
* `what == 2354`
* `arg1 == 9234`
* `arg2 == 1`
* `replyTo == object(string com.mwr.example.sieve.PIN 1337)`
```bash
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj
```
![](<../../../.gitbook/assets/image (647).png>)
### Broadcast Receivers
**In the Android basic info section you can see what is a Broadcast Receiver**.
After discovering these Broadcast Receivers you should **check their code**. Pay special attention to the **`onReceive`** function as it will be handling the messages received.
#### **Detect all** broadcast receivers
```bash
run app.broadcast.info #Detects all
```
#### Check broadcast receivers of an app
```bash
#Check one negative
run app.broadcast.info -a jakhar.aseem.diva
Package: jakhar.aseem.diva
No matching receivers.
# Check one positive
run app.broadcast.info -a com.google.android.youtube
Package: com.google.android.youtube
com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
Permission: null
com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
Permission: com.google.android.c2dm.permission.SEND
com.google.android.apps.youtube.app.PackageReplacedReceiver
Permission: null
com.google.android.libraries.youtube.account.AccountsChangedReceiver
Permission: null
com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver
Permission: null
```
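When you run the `*.info` modules against many packages it is easier to parse the output than to read it. The following Python script is an added example (not drozer's own code) of a small parser for the listing format shown for `app.service.info` above and `app.broadcast.info` here: it groups components per package and separates the ones reported with `Permission: null`, which any app on the device can reach, from those guarded by a permission. The sample capture embedded below is constructed from the listings on this page.

```python
# Added example, not part of drozer: parse the output of drozer's
# app.activity.info / app.service.info / app.broadcast.info modules into
# {package: [(component, permission_or_None), ...]} and list the components
# that are exported without any permission protecting them.
import re

# Constructed sample capture built from the listings on this page.
SAMPLE_OUTPUT = """\
dz> run app.service.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  com.mwr.example.sieve.AuthService
    Permission: null
  com.mwr.example.sieve.CryptoService
    Permission: null
dz> run app.broadcast.info -a jakhar.aseem.diva
Package: jakhar.aseem.diva
  No matching receivers.
dz> run app.broadcast.info -a com.google.android.youtube
Package: com.google.android.youtube
  com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
    Permission: com.google.android.c2dm.permission.SEND
  com.google.android.apps.youtube.app.PackageReplacedReceiver
    Permission: null
"""

PACKAGE_RE = re.compile(r"^Package:\s+(\S+)\s*$")
PERMISSION_RE = re.compile(r"^Permission:\s+(\S+)\s*$")


def parse_info_output(text):
    """Return {package: [(component_name, permission_or_None), ...]}.

    Components listed without a following "Permission:" line (as
    app.activity.info prints them) are recorded with permission None.
    """
    result = {}
    package = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("dz>", "run ")):
            continue  # prompt echo and blank lines
        m = PACKAGE_RE.match(line)
        if m:
            package = m.group(1)
            result.setdefault(package, [])
            continue
        if package is None:
            continue  # noise before the first "Package:" header
        m = PERMISSION_RE.match(line)
        if m:
            perm = None if m.group(1) == "null" else m.group(1)
            if result[package]:
                name, _ = result[package][-1]
                result[package][-1] = (name, perm)
            continue
        if line.startswith("No matching"):
            continue  # drozer's "No matching receivers." style message
        result[package].append((line, None))
    return result


def unprotected_components(parsed):
    """(package, component) pairs whose permission is null."""
    out = []
    for package, comps in parsed.items():
        for name, perm in comps:
            if perm is None:
                out.append((package, name))
    return out


if __name__ == "__main__":
    parsed = parse_info_output(SAMPLE_OUTPUT)
    for package, name in unprotected_components(parsed):
        print("%s: %s has no permission" % (package, name))
```

Pipe a saved drozer session into `parse_info_output` to get the per-package list; components that come back with `None` are the ones to review first, while a non-null permission tells you which permission a caller must hold (and whether it is a `signature`-level one, which you then confirm in the manifest).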
#### Broadcast **Interactions**
```bash
app.broadcast.info Get information about broadcast receivers
app.broadcast.send Send broadcast using an intent
app.broadcast.sniff Register a broadcast receiver that can sniff particular intents
```
#### Send a message
In this example, abusing the [FourGoats apk](https://github.com/linkedin/qark/blob/master/tests/goatdroid.apk) Broadcast Receiver, you can **send an arbitrary SMS** to any non-premium destination **without asking** the user for permission.
![](<../../../.gitbook/assets/image (415).png>)
![](<../../../.gitbook/assets/image (573).png>)
If you read the code, the parameters "_phoneNumber_" and "_message_" must be sent to the Broadcast Receiver.
```bash
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"
```
### Is debuggeable
A production APK should never be debuggable.\
This means that you can **attach a Java debugger** to the running application, inspect it at run time, set breakpoints, go step by step, gather variable values and even change them. [InfoSec Institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when your application is debuggable and injecting runtime code.
When an application is debuggable, it will appear in the Manifest:
```xml
<application theme="@2131296387" debuggable="true"
```
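The manifest rules described in this page for exported activities, exported services and the debuggable flag can also be checked statically from a decoded manifest, which is useful to cross-check what `app.package.attacksurface` and `app.package.debuggable` report. The following Python script is an added example (not from HackTricks or the drozer project) that audits an AndroidManifest.xml as apktool decodes it: it lists exported activities, services, receivers and providers, the `android:permission` guarding each, and whether the application is debuggable. The embedded manifest and the package name `com.example.demo` are constructed for the example. It goes slightly beyond the explicit `android:exported="true"` case shown in the text by also applying the implicit-export rule (a component with an `<intent-filter>` and no explicit `android:exported` is exported on targets below API 31).

```python
# Added example, not part of HackTricks or drozer: static audit of a decoded
# AndroidManifest.xml reproducing what app.package.attacksurface and
# app.package.debuggable report (exported components and the debuggable flag).
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for a hypothetical package; not a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <permission android:name="com.example.demo.READ_KEYS"
              android:protectionLevel="signature"/>
  <application android:debuggable="true">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".AuthService" android:exported="true"
             android:process=":remote"/>
    <service android:name=".CryptoService" android:exported="true"
             android:permission="com.example.demo.READ_KEYS"/>
    <receiver android:name=".SendSMSNowReceiver">
      <intent-filter>
        <action android:name="com.example.demo.SOCIAL_SMS"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.demo.provider"
              android:exported="true"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """An explicit android:exported wins; otherwise a component is exported
    implicitly when it declares an intent-filter (targets below API 31;
    Android 12 makes the attribute mandatory in that case, and providers
    also defaulted to exported before API 17)."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return the package, the debuggable flag and every exported component."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    app = root.find("application")
    report = {
        "package": package,
        "debuggable": (_attr(app, "debuggable") or "false").lower() == "true",
        "exported": [],  # dicts with kind, name, permission
    }
    for tag in COMPONENT_TAGS:
        for elem in app.findall(tag):
            if not is_exported(elem):
                continue
            name = _attr(elem, "name")
            if name.startswith("."):  # shorthand for a class inside the package
                name = package + name
            report["exported"].append(
                {"kind": tag, "name": name, "permission": _attr(elem, "permission")}
            )
    return report


def attack_surface(report):
    """Per-kind counts, like drozer's app.package.attacksurface output."""
    counts = {tag: 0 for tag in COMPONENT_TAGS}
    for comp in report["exported"]:
        counts[comp["kind"]] += 1
    return counts


def unprotected(report):
    """Exported components with no android:permission: any app can reach them."""
    return [c["name"] for c in report["exported"] if c["permission"] is None]


if __name__ == "__main__":
    rep = audit_manifest(SAMPLE_MANIFEST)
    print("Package:", rep["package"], "| debuggable:", rep["debuggable"])
    for kind, n in attack_surface(rep).items():
        print("%d %s exported" % (n, kind))
    for name in unprotected(rep):
        print("no permission:", name)
```

Run `audit_manifest` on the text of a real decoded manifest and compare the counts with drozer's attack-surface output: a component drozer reports that has no `android:exported="true"` in the manifest is almost always one exported implicitly through an intent-filter, and those are the ones developers most often forget to protect.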
You can find all debuggable applications with **Drozer**:
```bash
run app.package.debuggable
```
## Tutorials
* [https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref](https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref)
* [https://github.com/mgcfish/mobiletools/blob/master/\_posts/2016-08-01-Using-Drozer-for-application-security-assessments.md](https://github.com/mgcfish/mobiletools/blob/master/\_posts/2016-08-01-Using-Drozer-for-application-security-assessments.md)
* [https://www.hackingarticles.in/android-penetration-testing-drozer/](https://www.hackingarticles.in/android-penetration-testing-drozer/)
* [https://medium.com/@ashrafrizvi3006/how-to-test-android-application-security-using-drozer-edc002c5dcac](https://medium.com/@ashrafrizvi3006/how-to-test-android-application-security-using-drozer-edc002c5dcac)
## More info
* [https://blog.dixitaditya.com/android-pentesting-cheatsheet/](https://blog.dixitaditya.com/android-pentesting-cheatsheet/)