Drozer Tutorial
Sieve (from mrwlabs)
Parts of this tutorial were extracted from the Drozer documentation pdf.
Install Drozer Client inside your host. Download it from the latest releases.
Download and install drozer APK from the latest releases. At this moment it is this.
The Agent is running on port 31415, so we need to port forward to establish the communication between the Drozer Client and the Agent. Here is the command to do so:
Finally, launch the application and press the button "ON"
And connect to it:
| Command | Description |
|---|---|
| help MODULE | Shows help of the selected module. |
| list | Shows a list of all drozer modules that can be executed in the current session. This hides modules that you don't have appropriate permissions to run. |
| shell | Start an interactive Linux shell on the device, in the context of the Agent. |
| clean | Remove temporary files stored by drozer on the Android device. |
| load | Load a file containing drozer commands and execute them in sequence. |
| module | Find and install additional drozer modules from the Internet. |
| unset | Remove a named variable that drozer passes to any Linux shells that it spawns. |
| set | Stores a value in a variable that will be passed as an environment variable to any Linux shells spawned by drozer. |
| run MODULE | Execute a drozer module. |
| exploit | Drozer can create exploits to execute on the device. |
| payload | The exploits need a payload. |
Find the name of the package filtering by part of the name:
Basic Information of the package:
Read Manifest:
Attack surface of the package:
Activities: Maybe you can start an activity and bypass some kind of authorization that should prevent you from launching it.
Content providers: Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal).
Services:
is debuggable: Learn more
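The attack surface drozer reports (exported activities, services, receivers and providers, plus the debuggable flag) can be reproduced offline from a decoded AndroidManifest.xml. The following is an added example, not part of the original tutorial or of drozer: it parses a constructed sample manifest that reuses the package and activity names from this page, records the permission guarding each exported component (which drozer's summary does not show), and applies the implicit-export rule for components that have an intent-filter but no android:exported attribute.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

def _attr(elem, name):
    # Attributes live in the android: namespace, e.g. android:exported
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def attack_surface(manifest_xml, target_sdk=None):
    """Package, debuggable flag and exported components (with any guarding
    permission) grouped by type, like drozer's app.package.attacksurface.
    Implicit-export rule: without android:exported, a component is exported if
    it has an <intent-filter>, except providers (default false since API 17)
    and apps targeting API 31+, where the attribute is mandatory."""
    root = ET.fromstring(manifest_xml)
    package, app = root.get("package"), root.find("application")
    surface = {"package": package, "debuggable": _attr(app, "debuggable") == "true",
               "exported": {tag: [] for tag in COMPONENT_TAGS}}
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        explicit = _attr(comp, "exported")
        if explicit is not None:
            exported = explicit == "true"
        elif comp.tag == "provider" or (target_sdk or 0) >= 31:
            exported = False
        else:
            exported = comp.find("intent-filter") is not None
        if exported:
            name = _attr(comp, "name")
            # Expand shorthand names such as ".AuthService" to the full class name
            name = package + name if name.startswith(".") else name
            surface["exported"][comp.tag].append(
                {"name": name, "permission": _attr(comp, "permission")})
    return surface

# Constructed sample manifest (not a real app), reusing the names on this page.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true">
    <activity android:name="com.example.test.MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".AuthService" android:exported="true"/>
    <receiver android:name=".SmsReceiver" android:exported="true" android:permission="android.permission.SEND_SMS"/>
    <provider android:name=".DBProvider" android:authorities="com.example.demo.db"/>
  </application>
</manifest>"""
```

Run `attack_surface(open("AndroidManifest.xml").read(), target_sdk=N)` on a manifest decoded with apktool to compare against drozer's output; passing the app's real targetSdkVersion changes how components with no explicit `android:exported` are classified.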
An exported activity component’s “android:exported” value is set to “true” in the AndroidManifest.xml file:
List exported activities:
Start activity:
Maybe you can start an activity and bypass some kind of authorization that should prevent you from launching it.
You can also start an exported activity from adb:
PackageName is com.example.demo
Exported ActivityName is com.example.test.MainActivity
This section was too big to fit here, so you can access it in its own page here.
An exported service is declared inside the Manifest.xml:
Inside the code check for the **handleMessage** function which will receive the message:
Take a look at the drozer help for app.service.send:
Note that you will be sending first the data inside "msg.what", then "msg.arg1" and "msg.arg2"; you should check inside the code which information is being used and where.
Using the --extra option you can send something interpreted by "msg.replyTo", and using --bundle-as-obj you create an object with the provided details.
In the following example:
what == 2354
arg1 == 9234
arg2 == 1
replyTo == object(string com.mwr.example.sieve.PIN 1337)
In the Android basic info section you can see what a Broadcast Receiver is.
After discovering these Broadcast Receivers you should check their code. Pay special attention to the onReceive function as it will be handling the messages received.
In this example, abusing the FourGoats apk Content Provider, you can send an arbitrary SMS to any non-premium destination without asking the user for permission.
If you read the code, the parameters "phoneNumber" and "message" must be sent to the Content Provider.
A production APK should never be debuggable. Being debuggable means that you can attach a Java debugger to the running application, inspect it at run time, set breakpoints, go step by step, gather variable values and even change them. InfoSec Institute has an excellent article on digging deeper when your application is debuggable and injecting runtime code.
When an application is debuggable, it will appear in the Manifest:
You can find all debuggable applications with Drozer: