
Tools

Install ADB and JADX. Use Android Studio, Genymotion or Nox as the emulator.

Burp

  • In Burp, set up a proxy listener on all interfaces on port 8082 (or any unused port) and export the CA certificate as cacert.der.

  • Long-press the Wi-Fi network on the phone and set up a manual proxy pointing at localhost.

  • Rename the exported .der certificate to .cer.

  • Copy it to the device and import it.

Enable USB Debugging

  • Tap "Build Number" seven times to unlock Developer Options.

  • Go to Developer Options and enable USB Debugging.

Install ADB

sudo apt install adb

ADB Connect

  • Switch on Wi-Fi and obtain the IP address of the device.

  • Start an ADB server locally and connect to the device over TCP.

adb connect 192.168.232.2:5555

  • Check for connected devices.

adb devices

Pull APK from physical/emulator phone

# List installed packages and find the app (pm runs on the device, so go through adb shell)
adb shell pm list packages | grep "appname"

# Get the installation path of the APK
adb shell pm path appname

# Pull the APK from the device
adb pull <installation_path> appname_pulled.apk

# Open a shell on the device and start an activity directly
adb shell
am start b3mac.appname/.b123Activity

APK Tool

# Decompile APK (resources and smali)
apktool d appname.apk

# Decompile without decoding resources
apktool d -r appname.apk

AWS & Firebase Enumeration

# AWS - search cloud resources for a keyword
cloud_enum -k company

# Firebase - search for a keyword
python3 firebaseEnum.py -k company

Patching APK using Objection

Objection and Frida

The installation order matters: install frida first, then objection.

pip3 install frida-tools
pip3 install objection

To patch the application, go to the directory containing the APK and run objection.

objection patchapk --source app.apk

# If the above command gives an error "No module named pkg_resources"
pip install --force-reinstall -U setuptools

# If you get an error "Unable to find aapt..", add the SDK build-tools directory to PATH, e.g.
# C:\Users\sid\AppData\Local\Android\Sdk\build-tools\35.0.0

Install the generated .objection.apk on the device (uninstall the original app first).

Manually Patching using Frida

Decompile the APK using APKTool

apktool d -r InjuredAndroid.apk -o extractedFolder

Go to the "lib" folder; this is where the Frida gadget is injected.

First find the architecture of the device (adb shell getprop ro.product.cpu.abi) and use the matching gadget build and lib subdirectory (e.g. x86_64 or x86).

Download the Frida gadget for that architecture and for your Frida version, and copy it into the lib directory.

# download the frida gadget - 32-bit ARM in this case
$ wget https://github.com/frida/frida/releases/download/9.1.26/frida-gadget-9.1.26-android-arm.so.xz

# extract the compressed archive
$ unxz frida-gadget-9.1.26-android-arm.so.xz

$ ls
frida-gadget-9.1.26-android-arm.so

# copy the gadget into the armeabi directory under lib
# Note that it is renamed to libfrida-gadget.so so that System.loadLibrary("frida-gadget") finds it
$ cp frida_libs/armeabi/frida-gadget-9.1.26-android-arm.so out_dir/lib/armeabi/libfrida-gadget.so

Inject a System.loadLibrary("frida-gadget") call into the bytecode of the app, ideally before any other bytecode executes or any native code is loaded. A suitable place is typically the static initializer of the entry point classes of the app, e.g. the main application Activity, found via the manifest.

An easy way to do this is to add the following smali to a suitable method. Go to the smali/ directory and find the activity that runs when the application starts (the launcher activity from the manifest); its static initializer or onCreate is a good place. Make sure the register used (v0 here) is not holding a live value at that point.

const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

Add the Internet permission to the manifest if it’s not there already, so that Frida gadget can open a socket.

<uses-permission android:name="android.permission.INTERNET" />

Repackage the application:

$ apktool b -o repackaged.apk out_dir/

Sign the updated APK using your own keys and zipalign it. The keystore name must match between keytool and jarsigner. Note that jarsigner produces only a v1 signature; apps targeting Android 11 or later need a v2 signature, which apksigner from the SDK build-tools produces.

# if you don't have a keystore already, here's how to create one
$ keytool -genkey -v -keystore custom.keystore -alias mykeyaliasname -keyalg RSA -keysize 2048 -validity 10000

# sign the APK
$ jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore custom.keystore -storepass mystorepass repackaged.apk mykeyaliasname

# verify the signature you just created
$ jarsigner -verify repackaged.apk

# zipalign the APK
$ zipalign 4 repackaged.apk repackaged-final.apk

Install the updated APK to a device.
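Before running apktool b it is worth checking that the three manual steps above are all in place: the gadget sits in the right lib/<abi>/ directory under the name libfrida-gadget.so, the manifest grants INTERNET, and the launcher activity's smali contains the loadLibrary call. The following Python script is an added example, not part of the original page or of the Frida project; it assumes the directory layout apktool produces (AndroidManifest.xml, lib/, smali*/), and the manifest it embeds is a constructed sample.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes
SAMPLE_MANIFEST = (  # constructed sample: launcher activity present, INTERNET permission missing
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">'
    '<application><activity android:name=".MainActivity"><intent-filter>'
    '<action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/>'
    '</intent-filter></activity></application></manifest>')

def launcher_activities(manifest_xml):
    """Fully qualified names of activities that carry a MAIN/LAUNCHER intent filter."""
    root, out = ET.fromstring(manifest_xml), []
    for act in root.iter("activity"):
        for flt in act.findall("intent-filter"):
            names = {e.get(A + "name") for e in flt}
            if {"android.intent.action.MAIN", "android.intent.category.LAUNCHER"} <= names:
                name = act.get(A + "name")  # ".Foo" is shorthand for "<package>.Foo"
                out.append(root.get("package") + name if name.startswith(".") else name)
    return out

def has_internet_permission(manifest_xml):
    return any(p.get(A + "name") == "android.permission.INTERNET" for p in ET.fromstring(manifest_xml).findall("uses-permission"))

def read_tree(out_dir):  # apktool output dir -> {relative path: text for .xml/.smali, "" for other files}
    files = {}
    for p in Path(out_dir).rglob("*"):
        if p.is_file():
            text = p.read_text(encoding="utf-8", errors="ignore") if p.suffix in (".xml", ".smali") else ""
            files[p.relative_to(out_dir).as_posix()] = text
    return files

def check_injection(files, abi):
    """Problems that would stop the gadget from loading; an empty list means ready for 'apktool b'."""
    lib, manifest = "lib/%s/libfrida-gadget.so" % abi, files.get("AndroidManifest.xml", "<manifest/>")
    problems = [] if lib in files else [lib + " is missing"]
    if not has_internet_permission(manifest):
        problems.append("manifest lacks android.permission.INTERNET")
    acts = launcher_activities(manifest)
    if not acts:
        problems.append("no MAIN/LAUNCHER activity in manifest")
    for cls in acts:
        rel = cls.replace(".", "/") + ".smali"
        # apktool writes multidex classes to smali/, smali_classes2/, ... so look in all of them
        smali = "".join(t for p, t in files.items() if p.startswith("smali") and p.endswith("/" + rel))
        if '"frida-gadget"' not in smali or "->loadLibrary(" not in smali:
            problems.append('no System.loadLibrary("frida-gadget") in ' + rel)
    return problems
```

On a decoded app run check_injection(read_tree("out_dir"), abi) with the ABI reported by adb shell getprop ro.product.cpu.abi.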

Using frida gadget

When you next start the application you will see an empty screen: the injected libfrida-gadget.so has opened a TCP socket and is waiting for a connection from Frida.

You should see a message similar to the following in logcat:

Frida: Listening on TCP port 27042

Running netstat on the device confirms the listening socket:

shell@flo:/ $ netstat -ln                                                  
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State     
tcp        0      0 127.0.0.1:27042         0.0.0.0:*               

The next step is connecting to the listening socket. Most Frida tools work as expected, although a few things could be handled better, e.g. connecting to the library after initialization rather than only during loading.

One thing to keep in mind: the process name to use in Frida tooling is "Gadget" instead of the normal package name.

$ frida-ps -U
Waiting for USB device to appear...
  PID  Name
-----  ------
16071  Gadget

$ frida-trace -U -i open Gadget
Instrumenting functions...
open: Auto-generated handler at "/tmp/test/__handlers__/libc.so/open.js"
Started tracing 1 function. Press Ctrl+C to stop.                       
           /* TID 0x2df7 */
  4870 ms  open(pathname=0xa280b100, flags=0x241)
  4873 ms  open(pathname=0xb6d69df3, flags=0x2)
           /* TID 0x33d2 */
115198 ms  open(pathname=0xb6d69df3, flags=0x2)
115227 ms  open(pathname=0xb6d69df3, flags=0x2)

A blank screen when opening the app means the gadget is working and waiting for a connection; attach to it with objection.

objection explore

We can now disable SSL pinning.

android sslpinning disable

We can also monitor the clipboard, dump memory, inspect the keystore, simulate a rooted device, run shell commands, etc.

android clipboard monitor
memory dump all
android heap
sqlite connect /filepath
android hooking
android keystore list
android keystore watch
android root simulate
android shell_exec

Drozer

Drozer identifies flaws in an app or a device. It acts like an installed Android app and talks to other apps to detect flaws.

Installation

# Download the release wheel from GitHub
# https://github.com/WithSecureLabs/drozer/releases

pip install drozer-2.4.4-py2-none-any.whl
pip install twisted
pip install service_identity

Set up Drozer Agent on Android

adb install agent.apk

Open the Drozer Agent on the device. It listens for a connection on port 31415.

Forward that port from the computer with adb and launch the Drozer console.

adb forward tcp:31415 tcp:31415

drozer console connect

From the Drozer shell we can run modules.

Recon

help
list

# Debuggable Packages
run app.package.debuggable

# Obtain package name of app
run app.package.list -f app_name

# Get info about the app
run app.package.info -a sid.thoviti.app

# View Manifest file
run app.package.manifest sid.thoviti.app

# Identify App's Attack Surface
run app.package.attacksurface sid.thoviti.app

# View the Exported Activities.
run app.activity.info -a sid.thoviti.app

# Invoke an exported activity directly
run app.activity.start --component sid.thoviti.app sid.thoviti.app.ActivityName

# List services exposed by the package
run app.service.info -a <package_name>

# Start a service of the app
run app.service.start --action <nameoftheservice> --component <nameofthepackage> <nameoftheservice>

# List broadcast receivers
run app.broadcast.info -a <packagename>

# Send an intent to a broadcast receiver (SMS receiver example)
run app.broadcast.send --action <nameofthebroadcast> --component <nameofthepackage> <nameofthebroadcastreceiver> --extra string phonenumber <phonenumber> --extra string message <anymessage>

# List Content Providers
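The attack surface drozer reports is the set of exported components; the same information can be read straight from a decoded AndroidManifest.xml, which is also how a developer checks their own app before release. This Python script is an added example, not drozer's code or the page's own: it applies Android's default-export rules (providers were public before API 17, other components are public when they declare an intent filter and no android:exported attribute) and embeds a constructed sample manifest.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: activity exported via its intent filter, receiver explicitly exported with no
# permission, service guarded by a permission, provider left to the default (targetSdk 30: private).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.app.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"/>
  </application>
</manifest>"""


def is_exported(comp, sdk):
    """Android's default when android:exported is absent: providers were public before API 17,
    other components are public iff they declare an intent filter (API 31+ requires the attribute)."""
    flag = comp.get(A + "exported")
    if flag is not None:
        return flag == "true"
    return sdk < 17 if comp.tag == "provider" else comp.find("intent-filter") is not None


def attack_surface(manifest_xml, sdk=None):
    """Return (debuggable, [(kind, class, guarding permission or None), ...]) for exported components.
    apktool stores min/targetSdk in apktool.yml rather than the decoded manifest; pass sdk= then."""
    root = ET.fromstring(manifest_xml)
    pkg, app = root.get("package"), root.find("application")
    if sdk is None:
        tag = root.find("uses-sdk")
        levels = [int(tag.get(A + k)) for k in ("minSdkVersion", "targetSdkVersion")
                  if tag is not None and tag.get(A + k)]
        sdk = min(levels) if levels else 1  # no uses-sdk at all means API 1 defaults
    exported = []
    for comp in app:
        if comp.tag in COMPONENTS and is_exported(comp, sdk):
            name = comp.get(A + "name")
            perm = comp.get(A + "permission") or app.get(A + "permission")
            exported.append((comp.tag, pkg + name if name.startswith(".") else name, perm))
    return app.get(A + "debuggable") == "true", exported
```

Exported components with no guarding permission (and android:debuggable="true") are the findings drozer's attacksurface module counts; read the manifest from an apktool output directory to run it on a real app.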