PenTest Playbook

Android PenTest Setup

Install Android Studio

  • Since I'm on an Apple M3, I downloaded the Apple silicon (ARM) build of Android Studio from the Downloads page: on Apple silicon the bundled QEMU-based emulator runs arm64 system images natively instead of translating them, which is noticeably faster.

  • Create a Pixel 8 API 35 (Android 15, arm64-v8a) device in the Virtual Device Manager. On Apple silicon the image must be arm64-v8a; the image path (system-images/android-35/...) is what gets patched during rooting later.

  • Select "Cold Boot" under Advanced Settings > Emulated Performance so every start boots from the ramdisk instead of restoring a Quick Boot snapshot; a snapshot taken before rooting would bring the unrooted state back.

  • Add the SDK platform-tools (adb) and emulator directories to PATH:

vi ~/.zshrc
# the SDK lives in ~/Library/Android/sdk by default on macOS
export PATH="$PATH:$HOME/Library/Android/sdk/platform-tools:$HOME/Library/Android/sdk/emulator"
source ~/.zshrc
  • List the devices

emulator -list-avds

Pixel_8_API_35
  • Start the device

emulator -avd Pixel_8_API_35
  • Once the device has booted, open a shell on it over the Android Debug Bridge (ADB).

adb shell
  • Switching to root fails: the Google Play system images are production ("user") builds that ship without a su binary, and adb root is refused on them as well.

su

Rooting the Device

Installing RootAVD

Using Magisk (Magic Mask) and rootAVD, we'll root the device.

Magisk is a "systemless" root: it patches the boot ramdisk to add a su binary, a root manager app and a module system, without modifying the system partition itself.

rootAVD automates this for emulators: it patches the AVD's ramdisk.img with Magisk and keeps a backup of the original so the image can be restored.

git clone https://gitlab.com/newbit/rootAVD.git
cd rootAVD

# with the AVD running, call the script without arguments to print its usage and example commands
./rootAVD.sh

Running the first example command patches the ramdisk and installs Magisk. The ramdisk path is relative to the SDK root, so it must match the image chosen above. rootAVD shuts the emulator down once the device is rooted.

./rootAVD.sh system-images/android-35/google_apis_playstore/arm64-v8a/ramdisk.img

Start the device again and check for root over an ADB shell. The first su triggers a Magisk superuser prompt on the device; tap Grant.

emulator -avd Pixel_8_API_35

adb shell
su
id
# uid=0(root) gid=0(root) ... once the Magisk prompt has been granted

Setting up Burp Proxy

1. Configure Burp Suite to Intercept Android Traffic:

  • The default Burp proxy listener binds to 127.0.0.1:8080 and only accepts connections from the host itself. For the emulator that is enough: inside the AVD, 10.0.2.2 is an alias for the host's loopback interface, so the device can reach the listener without any change.

  • To capture traffic from a physical device on the same network, edit the listener:

    • Navigate to Settings > Tools > Proxy > Proxy Listeners.

    • Click "Edit" and change "Bind to address" to "All interfaces" (or the specific LAN interface).

  • Binding to all interfaces lets any host on the network use the proxy, so do this only on a trusted network and revert it afterwards.

2. Download Burp's CA Certificate:

  • With Burp running, fetch the CA from the listener (the /cert path serves the PortSwigger CA in DER form):

curl -s -L http://localhost:8080/cert -o burp.der

  • Convert it to PEM using OpenSSL:

openssl x509 -inform der -in burp.der -out burp.pem

3. Certificate Naming and Android 14 Changes:

  • Many guides suggest renaming the PEM to its subject-hash filename, e.g. 9a5ba575.0 (the output of openssl x509 -subject_hash_old followed by ".0"), and copying it into /system/etc/security/cacerts.

  • Note: on Android 14 and later this no longer works. The system CA store moved into the Conscrypt APEX at /apex/com.android.conscrypt/cacerts, which is mounted read-only and sits outside the /system overlay that Magisk modules normally modify.

4. Workaround Using Magisk and NCC Module:

  • Magisk: besides root, it provides a module system that can modify the filesystem at boot on rooted devices.

  • Module needed: ConscryptTrustUserCerts by NCC Group. On each boot it takes the CAs installed in the user store and exposes them in the Conscrypt system store, so apps that only trust system CAs (the default since Android 7) accept the Burp certificate.

  • Download it

curl -s -L https://github.com/nccgroup/ConscryptTrustUserCerts/releases/download/v0.1/ConscryptTrustUserCerts.zip -o ConscryptTrustUserCerts.zip

5. Transfer Files to Android Device:

  • Upload burp.pem and ConscryptTrustUserCerts.zip to the device using ADB:

    • adb push burp.pem /sdcard/Download

    • adb push ConscryptTrustUserCerts.zip /sdcard/Download

6. Install Burp CA Certificate:

  • Open Settings on the Android device.

  • Go to Encryption & credentials > Install a certificate > CA certificate.

  • Navigate to Downloads, select burp.pem, and install.

  • Verify under Trusted Credentials > User Tab.

7. Install the Magisk Module:

  • Launch Magisk on the device.

  • Update if needed and install Magisk components.

  • Reboot the device.

  • Open Magisk again, navigate to Modules, and click Install from storage.

  • Select ConscryptTrustUserCerts.zip and confirm installation.

  • Reboot again to apply changes.

8. Verify CA Certificate in System Store:

  • Check in Settings > Trusted Credentials to confirm Burp CA is in both User and System stores.

9. Configure Proxy on Android:

  • Open Settings > Network & internet > Internet.

  • Select your Wi-Fi network (AndroidWifi on the emulator), tap the pencil icon to edit, expand Advanced options and set Proxy: Manual.

  • Enter the Burp host and port: 10.0.2.2 and 8080 for an emulator (the alias for the host's loopback), or the LAN IP of the Burp host for a physical device.

  • Save the settings.

10. Test Setup:

  • Open an app (e.g., YouTube Shorts) and check Burp Suite's Proxy > HTTP history for intercepted traffic. Apps that pin their server certificate will still fail the TLS handshake through Burp even with the CA in the system store; those need a separate pinning bypass, which is out of scope here.
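The certificate naming from step 3, the store checks from steps 6 and 8, and the proxy setting from step 9, as an added shell example (not from the original page or the rootAVD/NCC projects). It assumes openssl and adb on PATH, a single running, rooted AVD, and the Burp CA saved as burp.pem as above; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes openssl and adb on PATH,
# one running, rooted AVD, and the Burp CA exported to burp.pem as in step 2.
set -eu

# Android trust stores name each CA file <subject_hash_old>.0: the first four
# bytes of the MD5 of the DER-encoded subject, printed as 8 hex digits. This is
# where filenames like 9a5ba575.0 in older guides come from.
android_ca_name() {
  printf '%s.0' "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

# Print the subject so you can confirm you exported the right CA.
ca_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Report which device store(s) hold the CA. Paths are for Android 14/15:
# user-installed CAs under /data/misc/user/0/cacerts-added (root needed to read),
# system CAs in the read-only Conscrypt APEX. Prints "user", "system",
# "user,system" or "none".
device_trust_stores() {
  name="$(android_ca_name "$1")"
  found=""
  if adb shell "su -c 'ls /data/misc/user/0/cacerts-added/$name'" >/dev/null 2>&1; then
    found="user"
  fi
  if adb shell "ls /apex/com.android.conscrypt/cacerts/$name" >/dev/null 2>&1; then
    found="${found:+$found,}system"
  fi
  printf '%s\n' "${found:-none}"
}

# Point the device at Burp without clicking through Settings. 10.0.2.2 is the
# emulator's alias for the host loopback, so Burp can stay bound to 127.0.0.1.
set_device_proxy() {
  adb shell settings put global http_proxy "${1:-10.0.2.2:8080}"
}

# Clear the global proxy again when done (":0" is the conventional "no proxy" value).
clear_device_proxy() {
  adb shell settings put global http_proxy :0
}
```

Source the file and run `ca_subject burp.pem` to confirm it is the PortSwigger CA, `device_trust_stores burp.pem` after step 6 (expect "user") and again after step 8 (expect "user,system"), then `set_device_proxy` instead of editing the Wi-Fi network by hand.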


Last updated 6 months ago