HackTricks
Search…
Pentesting
Powered By GitBook
Drozer Tutorial

APKs to test

Installation

Install Drozer Client inside your host. Download it from the latest releases.
1
pip install drozer-2.4.4-py2-none-any.whl
2
pip install twisted
3
pip install service_identity
Copied!
Download and install drozer APK from the latest releases. At this moment it is this.
1
adb install drozer.apk
Copied!

Starting the Server

Agent is running on port 31415, we need to port forward to establish the communication between the Drozer Client and Agent, here is the command to do so:
1
adb forward tcp:31415 tcp:31415
Copied!
Finally, launch the application and press the bottom "ON"
And connect to it:
1
drozer console connect
Copied!

Interesting Commands

Commands
Description
Help MODULE
Shows help of the selected module
list
Shows a list of all drozer modules that can be executed in the current session. This hides modules that you don’t have appropriate permissions to run.
shell
Start an interactive Linux shell on the device, in the context of the Agent.
clean
Remove temporary files stored by drozer on the Android device.
load
Load a file containing drozer commands and execute them in sequence.
module
Find and install additional drozer modules from the Internet.
unset
Remove a named variable that drozer passes to any Linux shells that it spawns.
set
Stores a value in a variable that will be passed as an environmental variable to any Linux shells spawned by drozer.
shell
Start an interactive Linux shell on the device, in the context of the Agent
run MODULE
Execute a drozer module
exploit
Drozer can create exploits to execute in the decide. drozer exploit list
payload
The exploits need a payload. drozer payload list

Package

Find the name of the package filtering by part of the name:
1
dz> run app.package.list -f sieve
2
com.mwr.example.sieve
Copied!
Basic Information of the package:
1
dz> run app.package.info -a com.mwr.example.sieve
2
Package: com.mwr.example.sieve
3
Process Name: com.mwr.example.sieve
4
Version: 1.0
5
Data Directory: /data/data/com.mwr.example.sieve
6
APK Path: /data/app/com.mwr.example.sieve-2.apk
7
UID: 10056
8
GID: [1028, 1015, 3003]
9
Shared Libraries: null
10
Shared User ID: null
11
Uses Permissions:
12
- android.permission.READ_EXTERNAL_STORAGE
13
- android.permission.WRITE_EXTERNAL_STORAGE
14
- android.permission.INTERNET
15
Defines Permissions:
16
- com.mwr.example.sieve.READ_KEYS
17
- com.mwr.example.sieve.WRITE_KEYS
Copied!
Read Manifest:
1
run app.package.manifest jakhar.aseem.diva
Copied!
Attack surface of the package:
1
dz> run app.package.attacksurface com.mwr.example.sieve
2
Attack Surface:
3
3 activities exported
4
0 broadcast receivers exported
5
2 content providers exported
6
2 services exported
7
is debuggable
Copied!
    Activities: Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it.
    Content providers: Maybe you can access private dato or exploit some vulnerability (SQL Injection or Path Traversal).
    Services:
    is debuggable: Learn more

Activities

An exported activity component’s “android:exported” value is set to “true” in the AndroidManifest.xml file:
1
<activity android:name="com.my.app.Initial" android:exported="true">
2
</activity>
Copied!
List exported activities:
1
dz> run app.activity.info -a com.mwr.example.sieve
2
Package: com.mwr.example.sieve
3
com.mwr.example.sieve.FileSelectActivity
4
com.mwr.example.sieve.MainLoginActivity
5
com.mwr.example.sieve.PWList
Copied!
Start activity:
Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it.
1
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Copied!
You can also start an exported activity from adb:
    PackageName is com.example.demo
    Exported ActivityName is com.example.test.MainActivity
1
adb shell am start -n com.example.demo/com.example.test.MainActivity
Copied!

Content Providers

This post was so big to be here so you can access it in its own page here.

Services

A exported service is declared inside the Manifest.xml:
1
<service android:name=".AuthService" android:exported="true" android:process=":remote"/>
Copied!
Inside the code check for the handleMessagefunction which will receive the message:

List service

1
dz> run app.service.info -a com.mwr.example.sieve
2
Package: com.mwr.example.sieve
3
com.mwr.example.sieve.AuthService
4
Permission: null
5
com.mwr.example.sieve.CryptoService
6
Permission: null
Copied!

Interact with a service

1
app.service.send Send a Message to a service, and display the reply
2
app.service.start Start Service
3
app.service.stop Stop Service
Copied!

Example

Take a look to the drozer help for app.service.send:
Note that you will be sending first the data inside "msg.what", then "msg.arg1" and "msg.arg2", you should check inside the code which information is being used and where. Using the --extra option you can send something interpreted by "msg.replyTo", and using --bundle-as-obj you create and object with the provided details.
In the following example:
    what == 2354
    arg1 == 9234
    arg2 == 1
    replyTo == object(string com.mwr.example.sieve.PIN 1337)
1
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj
Copied!

Broadcast Receivers

Android apps can send or receive broadcast messages from the Android system and other Android apps, similar to the publish-subscribe design pattern. These broadcasts are sent when an event of interest occurs. For example, the Android system sends broadcasts when various system events occur, such as when the system boots up or the device starts charging. Apps can also send custom broadcasts, for example, to notify other apps of something that they might be interested in (for example, some new data has been downloaded).
Apps can register to receive specific broadcasts. When a broadcast is sent, the system automatically routes broadcasts to apps that have subscribed to receive that particular type of broadcast.
This could appear inside the Manifest.xml file:
1
<receiver android:name=".MyBroadcastReceiver" android:exported="true">
2
<intent-filter>
3
<action android:name="android.intent.action.BOOT_COMPLETED"/>
4
<action android:name="android.intent.action.INPUT_METHOD_CHANGED" />
5
</intent-filter>
6
</receiver>
Copied!
After discovering this Broadcast Receivers you should check the code of them. Pay special attention to the onReceivefunction as it will be handling the messages received.

Detect all broadcast receivers

1
run app.broadcast.info #Detects all
Copied!

Check broadcast receivers of an app

1
#Check one negative
2
run app.broadcast.info -a jakhar.aseem.diva
3
Package: jakhar.aseem.diva
4
No matching receivers.
5
6
# Check one positive
7
run app.broadcast.info -a com.google.android.youtube
8
Package: com.google.android.youtube
9
com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
10
Permission: null
11
com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
12
Permission: com.google.android.c2dm.permission.SEND
13
com.google.android.apps.youtube.app.PackageReplacedReceiver
14
Permission: null
15
com.google.android.libraries.youtube.account.AccountsChangedReceiver
16
Permission: null
17
com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver
18
Permission: null
Copied!

Broadcast Interactions

1
app.broadcast.info Get information about broadcast receivers
2
app.broadcast.send Send broadcast using an intent
3
app.broadcast.sniff Register a broadcast receiver that can sniff particular intents
Copied!

Send a message

In this example abusing the FourGoats apk Content Provider you can send an arbitrary SMS any non-premium destination without asking the user for permission.
If you read the code, the parameters "phoneNumber" and "message" must be sent to the Content Provider.
1
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"
Copied!

Is debuggeable

A prodduction APK should never be debuggeable. This mean that you can attach java debugger to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them. InfoSec institute has an excellent article on digging deeper when you application is debuggable and injecting runtime code.
When an application is debuggable, it will appear in the Manifest:
1
<application theme="@2131296387" debuggable="true"
Copied!
You can find all debuggeable applications with Drozer:
1
run app.package.debuggable
Copied!

Tutorials

More info

Last modified 10mo ago