hacktricks/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md

268 lines
11 KiB
Markdown
Raw Normal View History

2022-04-28 23:27:22 +00:00
# AVD - Android Virtual Device
2022-04-28 16:01:33 +00:00
2022-05-01 13:25:53 +00:00
## AVD - Android Virtual Device
2022-04-28 16:01:33 +00:00
<details>
2022-12-24 11:52:08 +00:00
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2022-12-24 11:52:08 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>
2020-09-10 15:57:58 +00:00
Thank you very much to [**@offsecjay**](https://twitter.com/offsecjay) for his help while creating this content.
2022-05-01 13:25:53 +00:00
## What is
2021-11-30 16:46:07 +00:00
Android Studio allows to **run virtual machines of Android that you can use to test APKs**. In order to use them you will need:
* The **Android SDK tools** - [Download here](https://developer.android.com/studio/releases/sdk-tools).
* Or **Android Studio** (with Android SDK tools) - [Download here](https://developer.android.com/studio).
In Windows (in my case) **after installing Android Studio** I had the **SDK Tools installed in**: `C:\Users\<UserName>\AppData\Local\Android\Sdk\tools`
2022-05-01 13:25:53 +00:00
## JDK
2021-04-07 12:08:35 +00:00
For MacOS machines I recommend you to install the following version to be able to use the CLI commands mentioned in the following sections:
```bash
brew install openjdk@8
```
2022-05-01 13:25:53 +00:00
## GUI
2022-05-01 13:25:53 +00:00
### Prepare Virtual Machine
2022-02-02 15:35:20 +00:00
If you installed Android Studio, you can just open the main project view and access: _**Tools**_ --> _**AVD Manager.**_
2022-12-24 11:52:08 +00:00
![](<../../.gitbook/assets/image (330) (1).png>)
2021-11-30 16:46:07 +00:00
Then, click on _**Create Virtual Device**_, _**select** the phone you want to use_ and click on _**Next.**_\
2022-04-05 22:24:52 +00:00
\_\_In the current view you are going to be able to **select and download the Android image** that the phone is going to run:
![](<../../.gitbook/assets/image (331).png>)
2022-04-06 08:57:29 +00:00
So, select it and click on _**Download**_\*\* (**now wait until the image is downloaded).**\
**Once the image is downloaded, just select \_**Next\*\*\_ and \_**Finish**\_.
![](<../../.gitbook/assets/image (332).png>)
2021-11-30 16:46:07 +00:00
The virtual machine will be created. Now **every time that you access AVD manager it will be present**.
2022-05-01 13:25:53 +00:00
### Run Virtual Machine
2021-11-30 16:46:07 +00:00
In order to **run** it just press the _**Start button**_.
![](<../../.gitbook/assets/image (334).png>)
2022-05-01 13:25:53 +00:00
## Command Line tool
2022-05-01 13:25:53 +00:00
### Prepare Virtual Machine
2021-04-07 12:08:35 +00:00
{% hint style="info" %}
In **MacOS** systems the executable is located in `/Users/<username>/Library/Android/sdk/tools/bin`
{% endhint %}
First of all you need to **decide which phone you want to use**, in order to see the list of possible phones execute:
```
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list device
id: 0 or "tv_1080p"
Name: Android TV (1080p)
OEM : Google
Tag : android-tv
---------
id: 1 or "tv_720p"
Name: Android TV (720p)
OEM : Google
Tag : android-tv
---------
id: 2 or "wear_round"
Name: Android Wear Round
OEM : Google
Tag : android-wear
---------
id: 3 or "wear_round_chin_320_290"
Name: Android Wear Round Chin
OEM : Google
Tag : android-wear
---------
id: 4 or "wear_square"
Name: Android Wear Square
OEM : Google
Tag : android-wear
---------
id: 5 or "Galaxy Nexus"
Name: Galaxy Nexus
OEM : Google
---------
id: 6 or "Nexus 10"
Name: Nexus 10
OEM : Google
---------
id: 7 or "Nexus 4"
Name: Nexus 4
OEM : Google
---------
id: 8 or "Nexus 5"
Name: Nexus 5
OEM : Google
---------
id: 9 or "Nexus 5X"
Name: Nexus 5X
OEM : Google
```
Once you have decide the name of the device you want to use, you need to **decide which Android image you want to run in this device.**\
2022-04-05 22:24:52 +00:00
You can list all the options using `sdkmanager`:
2020-09-10 15:57:58 +00:00
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat --list
```
2021-11-30 16:46:07 +00:00
And **download** the one (or all) you want to use with:
2020-09-10 15:57:58 +00:00
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat "platforms;android-28" "system-images;android-28;google_apis;x86_64"
```
Once you have downloaded the Android image you want to use you can **list all the downloaded Android images** with:
```
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list target
----------
id: 1 or "android-28"
Name: Android API 28
Type: Platform
API level: 28
Revision: 6
----------
id: 2 or "android-29"
Name: Android API 29
Type: Platform
API level: 29
Revision: 4
```
At this moment you have decided the device you want to use and you have downloaded the Android image, so **you can create the virtual machine using**:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat -v create avd -k "system-images;android-28;google_apis;x86_64" -n "AVD9" -d "Nexus 5X"
```
2021-11-30 16:46:07 +00:00
In the last command **I created a VM named** "_AVD9_" using the **device** "_Nexus 5X_" and the **Android image** "_system-images;android-28;google\_apis;x86\_64_".\
2022-02-02 15:35:20 +00:00
Now you can **list the virtual machines** you have created with:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list avd
Name: AVD9
Device: Nexus 5X (Google)
Path: C:\Users\cpolo\.android\avd\AVD9.avd
Target: Google APIs (Google Inc.)
Based on: Android API 28 Tag/ABI: google_apis/x86_64
The following Android Virtual Devices could not be loaded:
Name: Pixel_2_API_27
Path: C:\Users\cpolo\.android\avd\Pixel_2_API_27_1.avd
Error: Google pixel_2 no longer exists as a device
```
2022-05-01 13:25:53 +00:00
### Run Virtual Machine
2021-11-30 16:46:07 +00:00
We have already seen how you can list the created virtual machines, but **you can also list them using**:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -list-avds
AVD9
Pixel_2_API_27
```
You can simply **run any virtual machine created** using:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "VirtualMachineName"
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9"
```
Or using more advance options you can run a virtual machine like:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
```
2022-05-01 13:25:53 +00:00
### Command line options
2022-01-31 14:51:03 +00:00
However there are **a lot of different command line useful options** that you can use to initiate a virtual machine. Below you can find some interesting options but can [**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)
2022-04-28 23:27:22 +00:00
**Boot**
* `-snapshot name` : Start VM snapshot
* `-snapshot-list -snapstorage ~/.android/avd/Nexus_5X_API_23.avd/snapshots-test.img` : List all the snapshots recorded
2022-04-28 23:27:22 +00:00
**Network**
* `-dns-server 192.0.2.0, 192.0.2.255` : Allow to indicate comma separated the DNS servers to the VM.
* **`-http-proxy 192.168.1.12:8080`** : Allow to indicate an HTTP proxy to use (very useful to capture the traffic using Burp)
* `-port 5556` : Set the TCP port number that's used for the console and adb.
* `-ports 5556,5559` : Set the TCP ports used for the console and adb.
* **`-tcpdump /path/dumpfile.cap`** : Capture all the traffic in a file
2022-04-28 23:27:22 +00:00
**System**
2022-02-02 15:35:20 +00:00
* `-selinux {disabled|permissive}` : Set the Security-Enhanced Linux security module to either disabled or permissive mode on a Linux operating system.
* `-timezone Europe/Paris` : Set the timezone for the virtual device
* `-screen {touch(default)|multi-touch|o-touch}` : Set emulated touch screen mode.
* **`-writable-system`** : Use this option to have a writable system image during your emulation session. You will need also to run `adb root; adb remount`. This is very useful to install a new certificate in the system.
2022-05-01 13:25:53 +00:00
## Install Burp certificate on a Virtual Machine
2021-11-30 16:46:07 +00:00
First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_
2022-12-03 17:35:56 +00:00
![](<../../.gitbook/assets/image (367).png>)
2021-11-30 16:46:07 +00:00
**Export the certificate in Der format** and lets **transform** it to a form that **Android** is going to be able to **understand.** Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run** this machine **with** the **`-writable-system`** option.\
For example you can run it like:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
```
Then, to **configure burps certificate do**:
```bash
openssl x509 -inform DER -in burp_cacert.der -out burp_cacert.pem
CERTHASHNAME="`openssl x509 -inform PEM -subject_hash_old -in burp_cacert.pem | head -1`.0"
mv burp_cacert.pem $CERTHASHNAME #Correct name
adb root && adb remount #Allow to write on /syste
adb push $CERTHASHNAME /sdcard/ #Upload certificate
adb shell mv /sdcard/$CERTHASHNAME /system/etc/security/cacerts/ #Move to correct location
adb shell chmod 644 /system/etc/security/cacerts/$CERTHASHNAME #Assign privileges
adb reboot #Now, reboot the machine
```
Once the **machine finish rebooting** the burp certificate will be in use by it!
2022-05-01 13:25:53 +00:00
## Take a Snapshot
You can **use the GUI** to take a snapshot of the VM at any time:
![](<../../.gitbook/assets/image (336).png>)
2022-04-28 16:01:33 +00:00
<details>
2022-12-24 11:52:08 +00:00
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2022-12-24 11:52:08 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>