Drozer Tutorial


APKs to test

Parts of this tutorial were taken from the Drozer documentation pdf.

Setup

Install the Drozer Client on your host. Download it from the latest release.

pip install drozer-2.4.4-py2-none-any.whl
pip install twisted
pip install service_identity

Download and install the drozer APK from the latest release. At the time of writing it is this one.

adb install drozer.apk

Starting the Server

The Agent listens on port 31415. We need to forward that port so the Drozer Client can talk to the Agent; this is the command to do it:

adb forward tcp:31415 tcp:31415

Finally, launch the application and press the "ON" button at the bottom.

Then connect to it:

drozer console connect

Interesting Commands

Command: Description

Help MODULE: Shows the help of the selected module.

list: Shows a list of all drozer modules that can be executed in the current session. This hides modules that you don't have the appropriate permissions to run.

shell: Starts an interactive Linux shell on the device, in the context of the Agent.

clean: Removes temporary files stored by drozer on the Android device.

load: Loads a file containing drozer commands and executes them in sequence.

module: Finds and installs additional drozer modules from the Internet.

unset: Removes a named variable that drozer passes to any Linux shells it spawns.

set: Stores a value in a variable that will be passed as an environment variable to any Linux shells spawned by drozer.

run MODULE: Executes a drozer module.

exploit: Drozer can create exploits to execute on the device. drozer exploit list

payload: The exploits need a payload. drozer payload list

Package

Find the name of a package by filtering on part of the name:

dz> run app.package.list -f sieve
com.mwr.example.sieve

Basic information about the package:

dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/data/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-2.apk
UID: 10056
GID: [1028, 1015, 3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INTERNET
Defines Permissions:
- com.mwr.example.sieve.READ_KEYS
- com.mwr.example.sieve.WRITE_KEYS

Read the Manifest:

run app.package.manifest jakhar.aseem.diva

Attack surface of the package:

dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable
  • Activities: Maybe you can start an activity and bypass some kind of authorization that should prevent you from launching it.

  • Content providers: Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal).

  • Services:

  • is debuggable: Learn more

Activities

An exported activity has the "android:exported" attribute set to "true" in the AndroidManifest.xml file:

<activity android:name="com.my.app.Initial" android:exported="true">
</activity>

List of exported activities:

dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
com.mwr.example.sieve.MainLoginActivity
com.mwr.example.sieve.PWList

Start activities:

Maybe you can start an activity and bypass some kind of authorization that should prevent you from launching it.

dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

You can also start an exported activity from adb:

  • The Package Name is com.example.demo

  • The exported Activity Name is com.example.test.MainActivity

adb shell am start -n com.example.demo/com.example.test.MainActivity

Content Providers

This post was too big to fit here, so you can find it on its own page here.

Services

An exported service is declared inside the Manifest.xml:

<service android:name=".AuthService" android:exported="true" android:process=":remote"/>

Inside the code, look for the handleMessage function, which is what receives the message.

List services

dz> run app.service.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.AuthService
Permission: null
com.mwr.example.sieve.CryptoService
Permission: null

Communicate with a service

app.service.send            Send a Message to a service, and display the reply
app.service.start           Start Service
app.service.stop            Stop Service

Example

Take a look at the drozer help for app.service.send:

Note that you will first be sending data inside "msg.what", then "msg.arg1" and "msg.arg2"; you should check inside the code which of this information is used and where. With the --extra option you can send something that is interpreted as "msg.replyTo", and with --bundle-as-obj you create an object from the provided details.

In the following example:

  • what == 2354

  • arg1 == 9234

  • arg2 == 1

  • replyTo == object(string com.mwr.example.sieve.PIN 1337)

run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj

Broadcast Receivers

In the Android basics section you can see what Broadcast Receivers are.

After discovering these Broadcast Receivers you should check their code. Pay special attention to the onReceive function, as it is what handles the received messages.

Detect all broadcast receivers

run app.broadcast.info #Detects all

Check the broadcast receivers of an app

#Check one negative
run app.broadcast.info -a jakhar.aseem.diva
Package: jakhar.aseem.diva
No matching receivers.

# Check one positive
run app.broadcast.info -a com.google.android.youtube
Package: com.google.android.youtube
com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
Permission: null
com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
Permission: com.google.android.c2dm.permission.SEND
com.google.android.apps.youtube.app.PackageReplacedReceiver
Permission: null
com.google.android.libraries.youtube.account.AccountsChangedReceiver
Permission: null
com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver
Permission: null

Broadcast Actions

app.broadcast.info          Get information about broadcast receivers
app.broadcast.send          Send broadcast using an intent
app.broadcast.sniff         Register a broadcast receiver that can sniff particular intents

Send a message

In this example, abusing the FourGoats apk Content Provider, you can send an arbitrary SMS to any non-premium destination without asking the user for permission.

If you read the code, the parameters "phoneNumber" and "message" must be sent to the Content Provider.

run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"

Is debuggable

A production APK should never be debuggable. Being debuggable means that a java debugger can be attached to the running application to inspect it at run time, set breakpoints, step through the code, gather variable values and even change them. InfoSec Institute has an excellent article on digging deeper when your application is debuggable and injecting runtime code.

When an application is debuggable, it will appear in the Manifest:

<application theme="@2131296387" debuggable="true"

You can find all debuggable applications with Drozer:

run app.package.debuggable
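As an added example (not drozer's code nor part of the original page), the following Python script produces the same kind of summary as the app.package.attacksurface output above and the debuggable check here, but from the manifest itself, which is useful for auditing a build before it ships. It applies Android's rule that a component with no explicit android:exported attribute is exported whenever it declares an intent-filter, and it records the android:permission guarding each exported component. The manifest is a constructed sample for this example, not Sieve's real one.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Constructed sample manifest for this example (not Sieve's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true">
    <activity android:name="com.example.demo.Initial" android:exported="true"/>
    <activity android:name=".Hidden"/>
    <activity android:name=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    <service android:name=".AuthService" android:exported="true" android:process=":remote"/>
    <service android:name=".Guarded" android:exported="true" android:permission="com.example.demo.USE"/>
    <receiver android:name=".SendSMSNowReceiver"><intent-filter>
      <action android:name="com.example.demo.SOCIAL_SMS"/></intent-filter></receiver>
    <provider android:name=".DBProvider" android:authorities="com.example.demo.db" android:exported="false"/>
  </application>
</manifest>"""
# Component kinds in the order drozer's Attack Surface output lists them.
KINDS = (("activity", "activities"), ("receiver", "broadcast receivers"),
         ("provider", "content providers"), ("service", "services"))

def is_exported(elem):
    # Android's rule: explicit android:exported wins; otherwise an intent-filter exports it (providers stay private).
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.tag != "provider" and elem.find("intent-filter") is not None

def attack_surface(manifest_xml):
    # Debuggable flag plus each exported component with its guarding android:permission (None = open to any app).
    root = ET.fromstring(manifest_xml)
    pkg, app = root.get("package", ""), root.find("application")
    debuggable = (app.get(A + "debuggable") or "false").lower() == "true"
    exported = {tag: [] for tag, _ in KINDS}
    for tag, _ in KINDS:
        for elem in app.iter(tag):
            if is_exported(elem):
                name = elem.get(A + "name", "")
                name = pkg + name if name.startswith(".") else name  # expand ".Foo" shorthand
                exported[tag].append({"name": name, "permission": elem.get(A + "permission")})
    return {"debuggable": debuggable, "exported": exported}

def summarize(result):
    # Same summary lines as drozer's app.package.attacksurface module.
    lines = ["Attack Surface:"] + [f"{len(result['exported'][tag])} {label} exported" for tag, label in KINDS]
    if result["debuggable"]:
        lines.append("is debuggable")
    return "\n".join(lines)

if __name__ == "__main__":
    print(summarize(attack_surface(SAMPLE_MANIFEST)))
```

Components listed with permission None are the ones any app on the device can reach, which is exactly what "Permission: null" means in the app.service.info and app.broadcast.info output above.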

Tutorials

More info
