
Drozer Tutorial


APKs to test

Parts of this tutorial were taken from the Drozer documentation.

Installation

Install the Drozer Client on your host. Download it from the latest releases.

pip install drozer-2.4.4-py2-none-any.whl
pip install twisted
pip install service_identity

Download and install the drozer APK from the latest releases. At the moment it is this one.

adb install drozer.apk

Starting the Server

The Agent listens on port 31415, so that port has to be forwarded for the Drozer Client and the Agent to talk to each other. This is the command to do it:

adb forward tcp:31415 tcp:31415

Finally, launch the application and press the "ON" button

And connect to it:

drozer console connect

Interesting Commands

| Command | Description |
| --- | --- |
| Help MODULE | Shows help for the selected module |
| list | Shows a list of all drozer modules that can be executed in the current session. This hides modules that you don't have the appropriate permissions to run. |
| shell | Start an interactive Linux shell on the device, in the context of the Agent. |
| clean | Remove temporary files stored by drozer on the Android device. |
| load | Load a file containing drozer commands and execute them in sequence. |
| module | Find and install additional drozer modules from the Internet. |
| unset | Remove a named variable that drozer passes to any Linux shells it spawns. |
| set | Store a value in a variable that will be passed as an environment variable to any Linux shells spawned by drozer. |
| run MODULE | Execute a drozer module |
| exploit | Drozer can create exploits to execute on the device. drozer exploit list |
| payload | The exploits need a payload. drozer payload list |

Package

Find the name of the package by filtering on part of the name:

dz> run app.package.list -f sieve
com.mwr.example.sieve

Basic information about the package:

dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/data/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-2.apk
UID: 10056
GID: [1028, 1015, 3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INTERNET
Defines Permissions:
- com.mwr.example.sieve.READ_KEYS
- com.mwr.example.sieve.WRITE_KEYS

Read the Manifest:

run app.package.manifest jakhar.aseem.diva

Attack surface of the package:

dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable
  • Activities: Maybe you can start an activity and bypass some kind of authorization that should prevent you from launching it.
  • Content providers: Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal).
  • Services:
  • is debuggable: Learn more
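When several packages are being reviewed, the attack-surface summary and the per-component `Permission:` lines above are worth triaging with a script. The following is an added example, not part of this page or of drozer; the two sample outputs are constructed to match the layout drozer prints, and it flags exported components that no permission protects:

```python
import re

# Constructed sample in the shape of `run app.service.info -a <pkg>` output;
# app.broadcast.info prints the same "component / Permission:" layout.
SAMPLE_INFO = """\
Package: com.mwr.example.sieve
  com.mwr.example.sieve.AuthService
    Permission: null
  com.mwr.example.sieve.CryptoService
    Permission: com.mwr.example.sieve.READ_KEYS
"""
# Constructed sample in the shape of `run app.package.attacksurface <pkg>` output.
SAMPLE_SURFACE = """\
Attack Surface:
  3 activities exported
  0 broadcast receivers exported
  2 content providers exported
  2 services exported
    is debuggable
"""

def parse_component_info(text):
    """Return [(package, component, permission)]; permission is None for 'null'."""
    package, component, found = None, None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Package:"):
            package = line.split(":", 1)[1].strip()
        elif line.startswith("Permission:"):
            perm = line.split(":", 1)[1].strip()
            found.append((package, component, None if perm == "null" else perm))
            component = None
        elif line:
            # A component name. "No matching receivers." never gets a
            # Permission: line, so it is dropped rather than reported.
            component = line
    return found

def unprotected(text):
    """Exported components reachable by any app on the device (no permission)."""
    return [comp for _, comp, perm in parse_component_info(text) if perm is None]

def parse_attack_surface(text):
    """Turn the attacksurface summary into per-kind counts plus the debuggable flag."""
    counts = {}
    for kind in ("activities", "broadcast receivers", "content providers", "services"):
        match = re.search(r"(\d+)\s+%s exported" % re.escape(kind), text)
        counts[kind] = int(match.group(1)) if match else 0
    counts["debuggable"] = "is debuggable" in text
    return counts
```

Feed it the text you copied from the `dz>` console; components listed by `unprotected` are the ones to read first, since any app on the device can reach them.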

Activities

The "android:exported" value of an exported activity component is set to "true" in the AndroidManifest.xml file:

<activity android:name="com.my.app.Initial" android:exported="true">
</activity>

List exported activities:

dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
com.mwr.example.sieve.MainLoginActivity
com.mwr.example.sieve.PWList

Start an activity:

Maybe you can start an activity and bypass some kind of authorization that should prevent you from launching it.

{% code overflow="wrap" %}

dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

{% endcode %}

You can also start an exported activity from adb:

  • Package Name is com.example.demo
  • Exported Activity Name is com.example.test.MainActivity
adb shell am start -n com.example.demo/com.example.test.MainActivity

Content Providers

This post was too big to fit here, so you can find it on its own page here.

Services

An exported service is declared inside the Manifest.xml:

{% code overflow="wrap" %}

<service android:name=".AuthService" android:exported="true" android:process=":remote"/>

{% endcode %}

Inside the code look for the handleMessage function, which is what receives the message:

List services

dz> run app.service.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.AuthService
Permission: null
com.mwr.example.sieve.CryptoService
Permission: null

Interact with a service

To interact with a service you use the run command in the drozer console, giving it the module to execute and the package name of the target application. The same command drives every other module; for example, run app.activity.info -a <package_name> lists the activities of an application (replace <package_name> with the actual package name).

Modules also exist to list services, content providers, broadcast receivers and more. Which of them succeed depends on the target application and on the permissions it declares, so check its manifest and the Permission: field shown by app.service.info before sending anything to a service. The service-specific modules are:

app.service.send            Send a Message to a service, and display the reply
app.service.start           Start Service
app.service.stop            Stop Service

Example

Take a look at the drozer help for app.service.send:

Note that you will be sending first the data inside "msg.what", then "msg.arg1" and "msg.arg2"; you should check inside the code which of this information is used and where. Using the --extra option you can send something that is interpreted via "msg.replyTo", and using --bundle-as-obj you can create an object with the details provided.

In the following example:

  • what == 2354
  • arg1 == 9234
  • arg2 == 1
  • replyTo == object(string com.mwr.example.sieve.PIN 1337)
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj

Broadcast Receivers

In the Android basic information section you can see what Broadcast Receivers are.

After discovering these Broadcast Receivers you should check their code. Pay special attention to the onReceive function, as it is what handles the received messages.

Detect all broadcast receivers

run app.broadcast.info #Detects all

Check the broadcast receivers of an app

To check the broadcast receivers of a single app, use the same app.broadcast.info module with the -a filter. With the Agent running on the device and port 31415 forwarded (see the setup above), the steps are:

  1. Connect your Android device to your machine with a USB cable (or start an emulator).

  2. Open a terminal and connect the drozer console to the Agent:

    drozer console connect
    
  3. From the dz> prompt, list the broadcast receivers of a specific app:

    run app.broadcast.info -a <package_name>
    

    Replace <package_name> with the package name of the app you want to check.

  4. Drozer prints the receivers exported by that package together with the permission each one requires; Permission: null means no permission is needed to send it an intent. Review that output, and the onReceive code of each receiver, for security vulnerabilities or misconfigurations.

Checking an app's broadcast receivers shows how it communicates with other components and where it is exposed to other apps on the device, which is valuable during a mobile penetration test.

# Check one negative
run app.broadcast.info -a jakhar.aseem.diva
Package: jakhar.aseem.diva
No matching receivers.

# Check one positive
run app.broadcast.info -a com.google.android.youtube
Package: com.google.android.youtube
com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
Permission: null
com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
Permission: com.google.android.c2dm.permission.SEND
com.google.android.apps.youtube.app.PackageReplacedReceiver
Permission: null
com.google.android.libraries.youtube.account.AccountsChangedReceiver
Permission: null
com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver
Permission: null

Broadcast Interactions

A broadcast is a communication mechanism in the Android system that lets one application send a message to other applications registered to listen for it. In the context of Android application security testing, broadcasts can be used in several ways to interact with and control applications.

There are two kinds of broadcast: system broadcasts and custom broadcasts. System broadcasts are sent by the Android system for certain events, such as the device booting or a change in network state. Custom broadcasts are sent by the application itself for specific purposes.

For example, an application might send a custom broadcast when it receives sensitive information from the user, such as a password or a PIN. Other applications registered to listen for that broadcast could respond by taking some action, such as storing that information or sending it to a remote server.

In Android application security testing, broadcasts can be abused in several ways, such as attacking the application, eavesdropping on sensitive information, or controlling the application in unintended ways. It is therefore important for security testers to understand how broadcasts work and how to prevent and detect broadcast-related attacks.

app.broadcast.info          Get information about broadcast receivers
app.broadcast.send          Send broadcast using an intent
app.broadcast.sniff         Register a broadcast receiver that can sniff particular intents

Send a message

In this example, abusing the FourGoats apk Content Provider, you can send an arbitrary SMS to any destination without asking the user for permission.

If you read the code, the parameters "phoneNumber" and "message" must be sent to the Content Provider.

run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"

Is debuggable

A production APK should never be debuggable. Debuggable means you can attach a Java debugger to the running application, inspect it at runtime, set breakpoints, step through the code, gather variable values and even change them. InfoSec Institute has an excellent article on digging deeper when your application is debuggable and injecting runtime code.

When an application is debuggable, it shows up in the Manifest:

<application theme="@2131296387" debuggable="true"

You can find all debuggable applications with Drozer:

run app.package.debuggable
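The same two manifest settings this page keeps coming back to, exported components without an android:permission (the Activities and Services sections) and a debuggable application, can also be checked straight from a decoded AndroidManifest.xml. The script below is an added example, not part of this page or of drozer; its manifest is constructed, and the implicit-export rule it applies assumes an app targeting a version below Android 12:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Constructed manifest (not from the page): a debuggable application, components
# exported with and without a permission, and a receiver exported via intent-filter.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true">
    <activity android:name="com.my.app.Initial" android:exported="true"/>
    <activity android:name=".Hidden" android:exported="false"/>
    <service android:name=".AuthService" android:exported="true" android:process=":remote"/>
    <service android:name=".CryptoService" android:exported="true"
             android:permission="com.example.demo.READ_KEYS"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="com.example.demo.SOCIAL_SMS"/></intent-filter>
    </receiver>
    <provider android:name=".KeyProvider" android:authorities="com.example.demo.keys"/>
  </application>
</manifest>
"""

def _attr(element, name):
    """Read an android:-namespaced attribute."""
    return element.get("{%s}%s" % (ANDROID_NS, name))

def _full_name(package, name):
    """Expand ".Foo" shorthand into "com.example.demo.Foo"."""
    return package + name if name.startswith(".") else name

def audit_manifest(xml_text):
    """Return the debuggable flag and exported components lacking a permission."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return {"debuggable": False, "exposed": []}
    exposed = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            exported = _attr(comp, "exported")
            # activities/services/receivers with an intent-filter and no explicit
            # android:exported default to exported on apps targeting below Android 12
            implicit = (exported is None and tag != "provider"
                        and comp.find("intent-filter") is not None)
            if (exported == "true" or implicit) and _attr(comp, "permission") is None:
                exposed.append((tag, _full_name(package, _attr(comp, "name"))))
    return {"debuggable": _attr(app, "debuggable") == "true", "exposed": exposed}
```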

Tutorials

More information
