hacktricks/mobile-pentesting/android-app-pentesting/adb-commands.md
Carlos Polop a2ca955cb9 a
2024-02-09 01:36:13 +01:00

384 lines
10 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
**Adb is usually located in:**
```bash
#Windows
C:\Users\<username>\AppData\Local\Android\sdk\platform-tools\adb.exe
#MacOS
/Users/<username>/Library/Android/sdk/platform-tools/adb
```
**Information obtained from:** [**http://adbshell.com/**](http://adbshell.com)
# Connection
```
adb devices
```
This will list the connected devices; if "_**unathorised**_" appears, this means that you have to **unblock** your **mobile** and **accept** the connection.
This indicates to the device that it has to start and adb server in port 5555:
```
adb tcpip 5555
```
Connect to that IP and that Port:
```
adb connect <IP>:<PORT>
```
If you get an error like the following in a Virtual Android software (like Genymotion):
```
adb server version (41) doesn't match this client (36); killing...
```
It's because you are trying to connect to an ADB server with a different version. Just try to find the adb binary the software is using (go to `C:\Program Files\Genymobile\Genymotion` and search for adb.exe)
## Several devices
Whenever you find **several devices connected to your machine** you will need to **specify in which one** you want to run the adb command.
```bash
adb devices
List of devices attached
10.10.10.247:42135 offline
127.0.0.1:5555 device
```
```bash
adb -s 127.0.0.1:5555 shell
x86_64:/ # whoami
root
```
## Port Tunneling
In case the **adb** **port** is only **accessible** from **localhost** in the android device but **you have access via SSH**, you can **forward the port 5555** and connect via adb:
```bash
ssh -i ssh_key username@10.10.10.10 -L 5555:127.0.0.1:5555 -p 2222
adb connect 127.0.0.1:5555
```
# Packet Manager
## Install/Uninstall
### adb install \[option] \<path>
```bash
adb install test.apk
adb install -l test.apk # forward lock application
adb install -r test.apk # replace existing application
adb install -t test.apk # allow test packages
adb install -s test.apk # install application on sdcard
adb install -d test.apk # allow version code downgrade
adb install -p test.apk # partial application install
```
### adb uninstall \[options] \<PACKAGE>
```bash
adb uninstall com.test.app
adb uninstall -k com.test.app Keep the data and cache directories around after package removal.
```
## Packages
Prints all packages, optionally only those whose package name contains the text in \<FILTER>.
### adb shell pm list packages \[options] \<FILTER-STR>
```bash
adb shell pm list packages <FILTER-STR>
adb shell pm list packages -f <FILTER-STR> #See their associated file.
adb shell pm list packages -d <FILTER-STR> #Filter to only show disabled packages.
adb shell pm list packages -e <FILTER-STR> #Filter to only show enabled packages.
adb shell pm list packages -s <FILTER-STR> #Filter to only show system packages.
adb shell pm list packages -3 <FILTER-STR> #Filter to only show third party packages.
adb shell pm list packages -i <FILTER-STR> #See the installer for the packages.
adb shell pm list packages -u <FILTER-STR> #Also include uninstalled packages.
adb shell pm list packages --user <USER_ID> <FILTER-STR> #The user space to query.
```
### adb shell pm path \<PACKAGE>
Print the path to the APK of the given .
```bash
adb shell pm path com.android.phone
```
### adb shell pm clear \<PACKAGE>
Delete all data associated with a package.
```bash
adb shell pm clear com.test.abc
```
# File Manager
### adb pull \<remote> \[local]
Download a specified file from an emulator/device to your computer.
```bash
adb pull /sdcard/demo.mp4 ./
```
### adb push \<local> \<remote>
Upload a specified file from your computer to an emulator/device.
```bash
adb push test.apk /sdcard
```
# Screencapture/Screenrecord
### adb shell screencap \<filename>
Taking a screenshot of a device display.
```bash
adb shell screencap /sdcard/screen.png
```
### adb shell screenrecord \[options] \<filename>
Recording the display of devices running Android 4.4 (API level 19) and higher.
```bash
adb shell screenrecord /sdcard/demo.mp4
adb shell screenrecord --size <WIDTHxHEIGHT>
adb shell screenrecord --bit-rate <RATE>
adb shell screenrecord --time-limit <TIME> #Sets the maximum recording time, in seconds. The default and maximum value is 180 (3 minutes).
adb shell screenrecord --rotate # Rotates 90 degrees
adb shell screenrecord --verbose
```
(press Ctrl-C to stop recording)
**You can download the files (images and videos) using **_**adb pull**_
# Shell
### adb shell
Get a shell inside the device
```bash
adb shell
```
### adb shell \<CMD>
Execute a command inside the device
```bash
adb shell ls
```
## pm
The following commands are executed inside of a shell
```bash
pm list packages #List installed packages
pm path <package name> #Get the path to the apk file of tha package
am start [<options>] #Start an activity. Whiout options you can see the help menu
am startservice [<options>] #Start a service. Whiout options you can see the help menu
am broadcast [<options>] #Send a broadcast. Whiout options you can see the help menu
input [text|keyevent] #Send keystrokes to device
```
# Processes
If you want to get the PID of the process of your application you can execute:
```bash
adb shell ps
```
And search for your application
Or you can do
```bash
adb shell pidof com.your.application
```
And it will print the PID of the application
# System
```bash
adb root
```
Restarts the adbd daemon with root permissions. Then, you have to conenct again to the ADB server and you will be root (if available)
```bash
adb sideload <update.zip>
```
flashing/restoring Android update.zip packages.
# Logs
## Logcat
To **filter the messages of only one application**, get the PID of the application and use grep (linux/macos) or findstr (windows) to filter the output of logcat:
```bash
adb logcat | grep 4526
adb logcat | findstr 4526
```
### adb logcat \[option] \[filter-specs]
```bash
adb logcat
```
Notes: press Ctrl-C to stop monitor
```bash
adb logcat *:V # lowest priority, filter to only show Verbose level
adb logcat *:D # filter to only show Debug level
adb logcat *:I # filter to only show Info level
adb logcat *:W # filter to only show Warning level
adb logcat *:E # filter to only show Error level
adb logcat *:F # filter to only show Fatal level
adb logcat *:S # Silent, highest priority, on which nothing is ever printed
```
### adb logcat -b \<Buffer>
```bash
adb logcat -b # radio View the buffer that contains radio/telephony related messages.
adb logcat -b # event View the buffer containing events-related messages.
adb logcat -b # main default
adb logcat -c # Clears the entire log and exits.
adb logcat -d # Dumps the log to the screen and exits.
adb logcat -f test.logs # Writes log message output to test.logs .
adb logcat -g # Prints the size of the specified log buffer and exits.
adb logcat -n <count> # Sets the maximum number of rotated logs to <count>.
```
## dumpsys
dumps system data
### adb shell dumpsys \[options]
```bash
adb shell dumpsys
adb shell dumpsys meminfo
adb shell dumpsys battery
```
Notes: A mobile device with Developer Options enabled running Android 5.0 or higher.
```bash
adb shell dumpsys batterystats collects battery data from your device
```
Notes: [Battery Historian](https://github.com/google/battery-historian) converts that data into an HTML visualization. **STEP 1** _adb shell dumpsys batterystats > batterystats.txt_ **STEP 2** _python historian.py batterystats.txt > batterystats.html_
```bash
adb shell dumpsys batterystats --reset erases old collection data
```
adb shell dumpsys activity
# Backup
Backup an android device from adb.
```bash
adb backup [-apk] [-shared] [-system] [-all] -f file.backup
# -apk -- Include APK from Third partie's applications
# -shared -- Include removable storage
# -system -- Include system Applciations
# -all -- Include all the applications
adb shell pm list packages -f -3 #List packages
adb backup -f myapp_backup.ab -apk com.myapp # backup on one device
adb restore myapp_backup.ab # restore to the same or any other device
```
If you want to inspect the content of the backup:
```bash
( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 myapp_backup.ab ) | tar xfvz -
```
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>