mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
384 lines
10 KiB
Markdown
384 lines
10 KiB
Markdown
|
||
|
||
<details>
|
||
|
||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
Other ways to support HackTricks:
|
||
|
||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
|
||
|
||
**Adb is usually located in:**
|
||
|
||
```bash
|
||
#Windows
|
||
C:\Users\<username>\AppData\Local\Android\sdk\platform-tools\adb.exe
|
||
|
||
#MacOS
|
||
/Users/<username>/Library/Android/sdk/platform-tools/adb
|
||
```
|
||
|
||
**Information obtained from:** [**http://adbshell.com/**](http://adbshell.com)
|
||
|
||
# Connection
|
||
|
||
```
|
||
adb devices
|
||
```
|
||
|
||
This will list the connected devices; if "_**unathorised**_" appears, this means that you have to **unblock** your **mobile** and **accept** the connection.
|
||
|
||
This indicates to the device that it has to start and adb server in port 5555:
|
||
|
||
```
|
||
adb tcpip 5555
|
||
```
|
||
|
||
Connect to that IP and that Port:
|
||
|
||
```
|
||
adb connect <IP>:<PORT>
|
||
```
|
||
|
||
If you get an error like the following in a Virtual Android software (like Genymotion):
|
||
|
||
```
|
||
adb server version (41) doesn't match this client (36); killing...
|
||
```
|
||
|
||
It's because you are trying to connect to an ADB server with a different version. Just try to find the adb binary the software is using (go to `C:\Program Files\Genymobile\Genymotion` and search for adb.exe)
|
||
|
||
## Several devices
|
||
|
||
Whenever you find **several devices connected to your machine** you will need to **specify in which one** you want to run the adb command.
|
||
|
||
```bash
|
||
adb devices
|
||
List of devices attached
|
||
10.10.10.247:42135 offline
|
||
127.0.0.1:5555 device
|
||
```
|
||
|
||
```bash
|
||
adb -s 127.0.0.1:5555 shell
|
||
x86_64:/ # whoami
|
||
root
|
||
```
|
||
|
||
## Port Tunneling
|
||
|
||
In case the **adb** **port** is only **accessible** from **localhost** in the android device but **you have access via SSH**, you can **forward the port 5555** and connect via adb:
|
||
|
||
```bash
|
||
ssh -i ssh_key username@10.10.10.10 -L 5555:127.0.0.1:5555 -p 2222
|
||
adb connect 127.0.0.1:5555
|
||
```
|
||
|
||
# Packet Manager
|
||
|
||
## Install/Uninstall
|
||
|
||
### adb install \[option] \<path>
|
||
|
||
```bash
|
||
adb install test.apk
|
||
|
||
adb install -l test.apk # forward lock application
|
||
|
||
adb install -r test.apk # replace existing application
|
||
|
||
adb install -t test.apk # allow test packages
|
||
|
||
adb install -s test.apk # install application on sdcard
|
||
|
||
adb install -d test.apk # allow version code downgrade
|
||
|
||
adb install -p test.apk # partial application install
|
||
```
|
||
|
||
### adb uninstall \[options] \<PACKAGE>
|
||
|
||
```bash
|
||
adb uninstall com.test.app
|
||
|
||
adb uninstall -k com.test.app Keep the data and cache directories around after package removal.
|
||
```
|
||
|
||
## Packages
|
||
|
||
Prints all packages, optionally only those whose package name contains the text in \<FILTER>.
|
||
|
||
### adb shell pm list packages \[options] \<FILTER-STR>
|
||
|
||
```bash
|
||
adb shell pm list packages <FILTER-STR>
|
||
|
||
adb shell pm list packages -f <FILTER-STR> #See their associated file.
|
||
|
||
adb shell pm list packages -d <FILTER-STR> #Filter to only show disabled packages.
|
||
|
||
adb shell pm list packages -e <FILTER-STR> #Filter to only show enabled packages.
|
||
|
||
adb shell pm list packages -s <FILTER-STR> #Filter to only show system packages.
|
||
|
||
adb shell pm list packages -3 <FILTER-STR> #Filter to only show third party packages.
|
||
|
||
adb shell pm list packages -i <FILTER-STR> #See the installer for the packages.
|
||
|
||
adb shell pm list packages -u <FILTER-STR> #Also include uninstalled packages.
|
||
|
||
adb shell pm list packages --user <USER_ID> <FILTER-STR> #The user space to query.
|
||
```
|
||
|
||
### adb shell pm path \<PACKAGE>
|
||
|
||
Print the path to the APK of the given .
|
||
|
||
```bash
|
||
adb shell pm path com.android.phone
|
||
```
|
||
|
||
### adb shell pm clear \<PACKAGE>
|
||
|
||
Delete all data associated with a package.
|
||
|
||
```bash
|
||
adb shell pm clear com.test.abc
|
||
```
|
||
|
||
# File Manager
|
||
|
||
### adb pull \<remote> \[local]
|
||
|
||
Download a specified file from an emulator/device to your computer.
|
||
|
||
```bash
|
||
adb pull /sdcard/demo.mp4 ./
|
||
```
|
||
|
||
### adb push \<local> \<remote>
|
||
|
||
Upload a specified file from your computer to an emulator/device.
|
||
|
||
```bash
|
||
adb push test.apk /sdcard
|
||
```
|
||
|
||
# Screencapture/Screenrecord
|
||
|
||
### adb shell screencap \<filename>
|
||
|
||
Taking a screenshot of a device display.
|
||
|
||
```bash
|
||
adb shell screencap /sdcard/screen.png
|
||
```
|
||
|
||
### adb shell screenrecord \[options] \<filename>
|
||
|
||
Recording the display of devices running Android 4.4 (API level 19) and higher.
|
||
|
||
```bash
|
||
adb shell screenrecord /sdcard/demo.mp4
|
||
adb shell screenrecord --size <WIDTHxHEIGHT>
|
||
adb shell screenrecord --bit-rate <RATE>
|
||
adb shell screenrecord --time-limit <TIME> #Sets the maximum recording time, in seconds. The default and maximum value is 180 (3 minutes).
|
||
adb shell screenrecord --rotate # Rotates 90 degrees
|
||
adb shell screenrecord --verbose
|
||
```
|
||
|
||
(press Ctrl-C to stop recording)
|
||
|
||
**You can download the files (images and videos) using **_**adb pull**_
|
||
|
||
# Shell
|
||
|
||
### adb shell
|
||
|
||
Get a shell inside the device
|
||
|
||
```bash
|
||
adb shell
|
||
```
|
||
|
||
### adb shell \<CMD>
|
||
|
||
Execute a command inside the device
|
||
|
||
```bash
|
||
adb shell ls
|
||
```
|
||
|
||
## pm
|
||
|
||
The following commands are executed inside of a shell
|
||
|
||
```bash
|
||
pm list packages #List installed packages
|
||
pm path <package name> #Get the path to the apk file of tha package
|
||
am start [<options>] #Start an activity. Whiout options you can see the help menu
|
||
am startservice [<options>] #Start a service. Whiout options you can see the help menu
|
||
am broadcast [<options>] #Send a broadcast. Whiout options you can see the help menu
|
||
input [text|keyevent] #Send keystrokes to device
|
||
```
|
||
|
||
# Processes
|
||
|
||
If you want to get the PID of the process of your application you can execute:
|
||
|
||
```bash
|
||
adb shell ps
|
||
```
|
||
|
||
And search for your application
|
||
|
||
Or you can do
|
||
|
||
```bash
|
||
adb shell pidof com.your.application
|
||
```
|
||
|
||
And it will print the PID of the application
|
||
|
||
# System
|
||
|
||
```bash
|
||
adb root
|
||
```
|
||
|
||
Restarts the adbd daemon with root permissions. Then, you have to conenct again to the ADB server and you will be root (if available)
|
||
|
||
```bash
|
||
adb sideload <update.zip>
|
||
```
|
||
|
||
flashing/restoring Android update.zip packages.
|
||
|
||
# Logs
|
||
|
||
## Logcat
|
||
|
||
To **filter the messages of only one application**, get the PID of the application and use grep (linux/macos) or findstr (windows) to filter the output of logcat:
|
||
|
||
```bash
|
||
adb logcat | grep 4526
|
||
adb logcat | findstr 4526
|
||
```
|
||
|
||
### adb logcat \[option] \[filter-specs]
|
||
|
||
```bash
|
||
adb logcat
|
||
```
|
||
|
||
Notes: press Ctrl-C to stop monitor
|
||
|
||
```bash
|
||
adb logcat *:V # lowest priority, filter to only show Verbose level
|
||
|
||
adb logcat *:D # filter to only show Debug level
|
||
|
||
adb logcat *:I # filter to only show Info level
|
||
|
||
adb logcat *:W # filter to only show Warning level
|
||
|
||
adb logcat *:E # filter to only show Error level
|
||
|
||
adb logcat *:F # filter to only show Fatal level
|
||
|
||
adb logcat *:S # Silent, highest priority, on which nothing is ever printed
|
||
```
|
||
|
||
### adb logcat -b \<Buffer>
|
||
|
||
```bash
|
||
adb logcat -b # radio View the buffer that contains radio/telephony related messages.
|
||
|
||
adb logcat -b # event View the buffer containing events-related messages.
|
||
|
||
adb logcat -b # main default
|
||
|
||
adb logcat -c # Clears the entire log and exits.
|
||
|
||
adb logcat -d # Dumps the log to the screen and exits.
|
||
|
||
adb logcat -f test.logs # Writes log message output to test.logs .
|
||
|
||
adb logcat -g # Prints the size of the specified log buffer and exits.
|
||
|
||
adb logcat -n <count> # Sets the maximum number of rotated logs to <count>.
|
||
```
|
||
|
||
## dumpsys
|
||
|
||
dumps system data
|
||
|
||
### adb shell dumpsys \[options]
|
||
|
||
```bash
|
||
adb shell dumpsys
|
||
|
||
adb shell dumpsys meminfo
|
||
|
||
adb shell dumpsys battery
|
||
```
|
||
|
||
Notes: A mobile device with Developer Options enabled running Android 5.0 or higher.
|
||
|
||
```bash
|
||
adb shell dumpsys batterystats collects battery data from your device
|
||
```
|
||
|
||
Notes: [Battery Historian](https://github.com/google/battery-historian) converts that data into an HTML visualization. **STEP 1** _adb shell dumpsys batterystats > batterystats.txt_ **STEP 2** _python historian.py batterystats.txt > batterystats.html_
|
||
|
||
```bash
|
||
adb shell dumpsys batterystats --reset erases old collection data
|
||
```
|
||
|
||
adb shell dumpsys activity
|
||
|
||
# Backup
|
||
|
||
Backup an android device from adb.
|
||
|
||
```bash
|
||
adb backup [-apk] [-shared] [-system] [-all] -f file.backup
|
||
# -apk -- Include APK from Third partie's applications
|
||
# -shared -- Include removable storage
|
||
# -system -- Include system Applciations
|
||
# -all -- Include all the applications
|
||
|
||
adb shell pm list packages -f -3 #List packages
|
||
adb backup -f myapp_backup.ab -apk com.myapp # backup on one device
|
||
adb restore myapp_backup.ab # restore to the same or any other device
|
||
```
|
||
|
||
If you want to inspect the content of the backup:
|
||
|
||
```bash
|
||
( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 myapp_backup.ab ) | tar xfvz -
|
||
```
|
||
|
||
|
||
<details>
|
||
|
||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
Other ways to support HackTricks:
|
||
|
||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
|
||
|