11 KiB
Drozer Tutorial
{{#include ../../../banners/hacktricks-training.md}}
APKs to test
Sehemu za mafunzo haya zilitolewa kutoka kwenye Drozer documentation pdf.
Installation
Sakinisha Drozer Client ndani ya mwenyeji wako. Pakua kutoka kwenye latest releases.
pip install drozer-2.4.4-py2-none-any.whl
pip install twisted
pip install service_identity
Pakua na sakinisha drozer APK kutoka kwa toleo la hivi karibuni. Wakati huu ni hii.
adb install drozer.apk
Kuanzisha Server
Agent inafanya kazi kwenye bandari 31415, tunahitaji port forward ili kuanzisha mawasiliano kati ya Drozer Client na Agent, hapa kuna amri ya kufanya hivyo:
adb forward tcp:31415 tcp:31415
Hatimaye, anzisha programu na bonyeza chini "ON"
Na uunganishe nayo:
drozer console connect
Interesting Commands
| Commands | Description |
|---|---|
| Help MODULE | Inaonyesha msaada wa moduli iliyochaguliwa |
| list | Inaonyesha orodha ya moduli zote za drozer ambazo zinaweza kutekelezwa katika kikao cha sasa. Hii inaficha moduli ambazo huna ruhusa sahihi za kuendesha. |
| shell | Anza shell ya Linux ya kuingiliana kwenye kifaa, katika muktadha wa Agent. |
| clean | Ondoa faili za muda zilizohifadhiwa na drozer kwenye kifaa cha Android. |
| load | Pakia faili inayoshikilia amri za drozer na uzitekeleze kwa mpangilio. |
| module | Tafuta na sakinisha moduli za ziada za drozer kutoka Mtandao. |
| unset | Ondoa kigezo kilichopewa jina ambacho drozer hupitisha kwa shell zozote za Linux ambazo inazalisha. |
| set | Hifadhi thamani katika kigezo ambacho kitapewa kama kigezo cha mazingira kwa shell zozote za Linux zinazozalishwa na drozer. |
| shell | Anza shell ya Linux ya kuingiliana kwenye kifaa, katika muktadha wa Agent |
| run MODULE | Tekeleza moduli ya drozer |
| exploit | Drozer inaweza kuunda exploits za kutekeleza kwenye kifaa. drozer exploit list |
| payload | The exploits need a payload. drozer payload list |
Package
Tafuta jina la kifurushi kwa kuchuja kwa sehemu ya jina:
dz> run app.package.list -f sieve
com.mwr.example.sieve
Taarifa za Msingi za kifurushi:
dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/data/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-2.apk
UID: 10056
GID: [1028, 1015, 3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INTERNET
Defines Permissions:
- com.mwr.example.sieve.READ_KEYS
- com.mwr.example.sieve.WRITE_KEYS
Soma Manifest:
run app.package.manifest jakhar.aseem.diva
Uso wa shambulio wa kifurushi:
dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable
- Activities: Labda unaweza kuanzisha shughuli na kupita aina fulani ya idhini ambayo inapaswa kukuzuia kuanzisha.
- Content providers: Labda unaweza kufikia data binafsi au kutumia udhaifu fulani (SQL Injection au Path Traversal).
- Services:
- is debuggable: Learn more
Activities
Thamani ya “android:exported” ya kipengele cha shughuli kilichosafirishwa imewekwa kuwa “true” katika faili la AndroidManifest.xml:
<activity android:name="com.my.app.Initial" android:exported="true">
</activity>
Orodha ya shughuli zilizotolewa:
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
com.mwr.example.sieve.MainLoginActivity
com.mwr.example.sieve.PWList
Start activity:
Labda unaweza kuanzisha shughuli na kupita aina fulani ya idhini ambayo inapaswa kukuzuia kuizindua.
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Unaweza pia kuanzisha shughuli iliyosafirishwa kutoka adb:
- Jina la Kifurushi ni com.example.demo
- Jina la Shughuli iliyosafirishwa ni com.example.test.MainActivity
adb shell am start -n com.example.demo/com.example.test.MainActivity
Watoa Maudhui
Post hii ilikuwa kubwa sana kuwa hapa hivyo unaweza kuipata kwenye ukurasa wake hapa.
Huduma
Huduma iliyosafirishwa inatangazwa ndani ya Manifest.xml:
<service android:name=".AuthService" android:exported="true" android:process=":remote"/>
Ndani ya msimbo angalia kazi ya **handleMessage** ambayo itakuwa pokea ujumbe:
Orodha ya huduma
dz> run app.service.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.AuthService
Permission: null
com.mwr.example.sieve.CryptoService
Permission: null
Wasiliana na huduma
app.service.send Send a Message to a service, and display the reply
app.service.start Start Service
app.service.stop Stop Service
Mfano
Angalia msaada wa drozer kwa app.service.send:
Kumbuka kwamba utaanza kutuma data ndani ya "msg.what", kisha "msg.arg1" na "msg.arg2", unapaswa kuangalia ndani ya msimbo ni taarifa gani inatumika na wapi.
Kwa kutumia chaguo --extra unaweza kutuma kitu kinachofasiriwa na "msg.replyTo", na kwa kutumia --bundle-as-obj unaunda kitu na maelezo yaliyotolewa.
Katika mfano ufuatao:
what == 2354arg1 == 9234arg2 == 1replyTo == object(string com.mwr.example.sieve.PIN 1337)
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj
Broadcast Receivers
Katika sehemu ya msingi ya taarifa za Android unaweza kuona ni nini Broadcast Receiver.
Baada ya kugundua Broadcast Receivers hizi unapaswa kuangalia msimbo wao. Zingatia kwa makini onReceive kazi kwani itakuwa inashughulikia ujumbe uliopokelewa.
Gundua zote broadcast receivers
run app.broadcast.info #Detects all
Angalia wapokeaji wa matangazo wa programu
#Check one negative
run app.broadcast.info -a jakhar.aseem.diva
Package: jakhar.aseem.diva
No matching receivers.
# Check one positive
run app.broadcast.info -a com.google.android.youtube
Package: com.google.android.youtube
com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
Permission: null
com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
Permission: com.google.android.c2dm.permission.SEND
com.google.android.apps.youtube.app.PackageReplacedReceiver
Permission: null
com.google.android.libraries.youtube.account.AccountsChangedReceiver
Permission: null
com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver
Permission: null
Matukio ya Mawasiliano
app.broadcast.info Get information about broadcast receivers
app.broadcast.send Send broadcast using an intent
app.broadcast.sniff Register a broadcast receiver that can sniff particular intents
Tuma ujumbe
Katika mfano huu wa kutumia FourGoats apk Mtoa Maudhui unaweza kutuma SMS yoyote kwa marudio yasiyo ya premium bila kumuuliza mtumiaji ruhusa.
Ikiwa unasoma msimbo, vigezo "phoneNumber" na "message" vinapaswa kutumwa kwa Mtoa Maudhui.
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"
Is debuggeable
APK ya uzalishaji haitakiwi kuwa debuggable.
Hii inamaanisha kwamba unaweza kuunganisha java debugger kwenye programu inayotembea, kuichunguza wakati wa utekelezaji, kuweka breakpoints, kwenda hatua kwa hatua, kukusanya thamani za mabadiliko na hata kuzibadilisha. InfoSec institute ina makala bora kuhusu kuchimba zaidi wakati programu yako ni debuggable na kuingiza msimbo wa wakati wa utekelezaji.
Wakati programu ni debuggable, itaonekana katika Manifest:
<application theme="@2131296387" debuggable="true"
Unaweza kupata programu zote zinazoweza kudebug na Drozer:
run app.package.debuggable
Tutorials
- https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref
- https://github.com/mgcfish/mobiletools/blob/master/_posts/2016-08-01-Using-Drozer-for-application-security-assessments.md
- https://www.hackingarticles.in/android-penetration-testing-drozer/
- https://medium.com/@ashrafrizvi3006/how-to-test-android-application-security-using-drozer-edc002c5dcac
More info
{{#include ../../../banners/hacktricks-training.md}}