Sawa ya tuzo ya mdudu: jiandikishe kwa Intigriti, jukwaa la tuzo la mdudu la malipo lililoanzishwa na wakora kwa wakora**! Jiunge nasi kwenye https://go.intigriti.com/hacktricks leo, na anza kupata tuzo hadi $100,000!

APKs za kujaribu

• Sieve (kutoka kwa mrwlabs)

• DIVA

Sehemu za mafunzo haya zilichimbuliwa kutoka kwenye hati ya pdf ya nyaraka ya Drozer.

Usanidi

Sanidi Mteja wa Drozer ndani ya mwenyeji wako. Pakua kutoka kwa toleo za hivi karibuni ya mwrlabs.

pip install drozer-2.4.4-py2-none-any.whl
pip install twisted
pip install service_identity

Pakua na usakinishe drozer APK kutoka kwa toleo za hivi karibuni. Kwa sasa ni hii.

adb install drozer.apk

Kuanza Msimamizi

Mawakala inaendesha kwenye bandari 31415, tunahitaji kusogeza bandari ili kuanzisha mawasiliano kati ya Mteja wa Drozer na Mawakala, hapa ni amri ya kufanya hivyo:

adb forward tcp:31415 tcp:31415

Hatimaye, zindua programu na bonyeza chini "ON"

Na uunganishe:

drozer console connect

Amri Zinazovutia

Pakiti

Pata jina la pakiti kwa kuchuja sehemu ya jina:

dz> run app.package.list -f sieve
com.mwr.example.sieve

Maelezo Msingi ya pakiti:

dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/data/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-2.apk
UID: 10056
GID: [1028, 1015, 3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INTERNET
Defines Permissions:
- com.mwr.example.sieve.READ_KEYS
- com.mwr.example.sieve.WRITE_KEYS

Soma Manifest:

run app.package.manifest jakhar.aseem.diva

Eneo la mashambulizi la pakiti:

dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable

• Shughuli: Labda unaweza kuanzisha shughuli na kukiuka aina fulani ya idhini ambayo inapaswa kukuzuia kuisakinisha.

• Watoa maudhui: Labda unaweza kupata data binafsi au kutumia udhaifu fulani (SQL Injection au Path Traversal).

• Huduma:

• is debuggable: Jifunze zaidi

Shughuli

Thamani ya "android:exported" ya sehemu ya shughuli iliyosafirishwa imewekwa kuwa "kweli" katika faili ya AndroidManifest.xml:

<activity android:name="com.my.app.Initial" android:exported="true">
</activity>

Orodhesha shughuli zilizosafirishwa:

dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
com.mwr.example.sieve.MainLoginActivity
com.mwr.example.sieve.PWList

Anza shughuli:

Labda unaweza kuanzisha shughuli na kuzidisha aina fulani ya idhini ambayo inapaswa kukuzuia usiianzishe.

dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

Unaweza pia kuanza shughuli iliyohamishiwa kutoka adb:

• Jina la Pakiti ni com.example.demo

• Jina la Shughuli iliyohamishiwa ni com.example.test.MainActivity

adb shell am start -n com.example.demo/com.example.test.MainActivity

Watoa Huduma

Chapisho hili lilikuwa kubwa sana hapa hivyo unaweza kupata katika ukurasa wake mwenyewe hapa.

Huduma

Huduma iliyotolewa hutangazwa ndani ya Manifest.xml:

<service android:name=".AuthService" android:exported="true" android:process=":remote"/>

Ndani ya code angalia kwa **handleMessage** function ambayo itapokea ujumbe:

Orodha ya huduma

dz> run app.service.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.AuthService
Permission: null
com.mwr.example.sieve.CryptoService
Permission: null

Kuongiliana na huduma

app.service.send            Send a Message to a service, and display the reply
app.service.start           Start Service
app.service.stop            Stop Service

Mfano

Angalia msaada wa drozer kwa app.service.send:

Tafadhali kumbuka kuwa utatuma kwanza data ndani ya "msg.what", kisha "msg.arg1" na "msg.arg2", unapaswa kuchunguza ndani ya kanuni ni habari gani inayotumiwa na wapi. Kwa kutumia chaguo --extra unaweza kutuma kitu kinachotafsiriwa na "msg.replyTo", na kutumia --bundle-as-obj unaweza kuunda kitu na maelezo yaliyotolewa.

Katika mfano ufuatao:

• what == 2354

• arg1 == 9234

• arg2 == 1

• replyTo == object(string com.mwr.example.sieve.PIN 1337)

run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj

Wapokeaji wa Matangazo

Katika sehemu ya habari msingi ya Android unaweza kuona ni nini Wapokeaji wa Matangazo.

Baada ya kugundua hawa Wapokeaji wa Matangazo unapaswa kuangalia nambari yao. Toa tahadhari maalum kwa kazi ya onReceive kwani itashughulikia ujumbe uliopokelewa.

Gundua wote wapokeaji wa matangazo

run app.broadcast.info #Detects all

Angalia wapokeaji wa matangazo ya programu

#Check one negative
run app.broadcast.info -a jakhar.aseem.diva
Package: jakhar.aseem.diva
No matching receivers.

# Check one positive
run app.broadcast.info -a com.google.android.youtube
Package: com.google.android.youtube
com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
Permission: null
com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
Permission: com.google.android.c2dm.permission.SEND
com.google.android.apps.youtube.app.PackageReplacedReceiver
Permission: null
com.google.android.libraries.youtube.account.AccountsChangedReceiver
Permission: null
com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver
Permission: null

Matangamano ya Utangazaji

app.broadcast.info          Get information about broadcast receivers
app.broadcast.send          Send broadcast using an intent
app.broadcast.sniff         Register a broadcast receiver that can sniff particular intents

Tuma ujumbe

Katika mfano huu wa kutumia FourGoats apk Mtoaji wa Yaliyomo unaweza ** kutuma SMS ya kupendelea yoyote ** kwa marudio yoyote ** bila kuomba ** idhini ya mtumiaji.

Ikiwa utasoma nambari, vigezo "phoneNumber" na "message" lazima vitumwe kwa Mtoaji wa Yaliyomo.

run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"

Inaweza kudebugiwa

APK ya uzalishaji kamwe isitumike kudebugiwa. Hii inamaanisha kwamba unaweza kuambatisha kidebuga cha Java kwenye programu inayotumika, kuichunguza wakati wa uendeshaji, kuweka alama za kusitisha, kwenda hatua kwa hatua, kukusanya thamani za pembejeo na hata kuzibadilisha. Taasisi ya InfoSec ina makala bora kuhusu kuchimba kina zaidi wakati programu yako inaweza kudebugiwa na kuingiza namna ya kutekelezwa wakati wa uendeshaji.

Wakati programu inaweza kudebugiwa, itaonekana kwenye Faili ya Mwongozo:

<application theme="@2131296387" debuggable="true"

Unaweza kupata programu zote zinazoweza kudebugiwa kwa Drozer:

run app.package.debuggable

Mafunzo

• https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref

• https://github.com/mgcfish/mobiletools/blob/master/_posts/2016-08-01-Using-Drozer-for-application-security-assessments.md

• https://www.hackingarticles.in/android-penetration-testing-drozer/

• https://medium.com/@ashrafrizvi3006/how-to-test-android-application-security-using-drozer-edc002c5dcac

Taarifa zaidi

• https://blog.dixitaditya.com/android-pentesting-cheatsheet/

Mwongozo wa tuzo ya mdudu: jiandikishe kwa Intigriti, jukwaa la bug bounty la malipo ya juu lililoanzishwa na wadukuzi, kwa wadukuzi! Jiunge nasi kwenye https://go.intigriti.com/hacktricks leo, na anza kupata tuzo hadi $100,000!