Tools

Install ADB, JADX. Use Android Studio or Genymotion or Nox for an emulator.

Burp

Set up proxy for all interfaces on 8082 or any port not in use and export cacert.der
Long press Wifi on phone and set up proxy on localhost.
Install the .der exported certificate as .CER
Copy it to device and Import it.

Enabled USB Debugging

Click on "Build Number" seven times.
Goto Developer Options and enable USB Degbugging

Install ADB

sudo apt install adb

ADB Connect

Switch on the WiFi and obtain the IP address of device.
Start an ADB server locally.

adb connect 192.168.232.2:5555

Check for connected devices

adb devices

Pull APK from physical/emulator phone

# Check packages:
pm list packages | grep "appname"

# Get installation path
pm path appname

# Pull the file path
adb pull <installation_path> appname_pulled.apk

adb shell

# Start Activity
am start b3mac.appname/.b123Activity

APK Tool

# Decompile APK
apktool d appname.apk

# Without resources
apktool d appname.apk

AWS & Firebase Enumeration

# AWS
cloud_enum


# Firebase


# Search for Keyword
python3 firebaseEnum.py -k company

Patching APK using Objection

Objection and Frida

Order of installation is important. First frida then objection.

pip3 install frida-tools
pip3 install objection

To patch the application, goto the directory with APK and use objection.

objection patchapk --source app.apk

# If the above command gives and error "No module named pkg_resources"
pip install --force-reinstall -U setuptools

# If an error "Unable to find aapt.."
# Add C:\Users\sid\AppData\Local\Android\Sdk\build-tools\35.0.0 to PATH

Copy the .objection.apk file. (Uninstall the original file on device before this).

Manually Patching using Frida

Decompile the APK using APKTool

apktool -d -r InjuredAndroid.apk -o extractedFolder

Goto the "lib" folder and inject the Frida gadget here.

First find the architecture of the device and inject it accordingly (either in x84_64 or x86)

Get Frida for that particular version and copy it to the lib directory.

# download frida gadget - for 32bit ARM in this case
$ wget https://github.com/frida/frida/releases/download/9.1.26/frida-gadget-9.1.26-android-arm.so.xz


# extract the compressed archive
$ unxz frida-gadget-9.1.26-android-arm.so.xz

$ ls
frida-gadget-9.1.26-android-arm.so

# copy frida gadget library in armeabi directory under lib

# Note that we name the frida gadget as " libfrida-gadget.so "
$ cp frida_libs/armeabi/frida-gadget-9.1.26-android-arm.so out_dir/lib/armeabi/libfrida-gadget.so

Inject a System.loadLibrary("frida-gadget") call into the bytecode of the app, ideally before any other bytecode executes or any native code is loaded. A suitable place is typically the static initializer of the entry point classes of the app, e.g. the main application Activity, found via the manifest.

An easy way to do this is to add the following smali code in a suitable function:

Goto the /smali/ directory and find an activity that loads when the application starts.

const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

Add the Internet permission to the manifest if it’s not there already, so that Frida gadget can open a socket.

<uses-permission android:name="android.permission.INTERNET" />

Repackage the application:

$ apktool b -o repackaged.apk out_dir/

Sign the updated APK using your own keys and zipalign.

# if you dont have a keystore already, here's how to create one
$ keytool -genkey -v -keystore custom.keystore -alias mykeyaliasname -keyalg RSA -keysize 2048 -validity 10000

# sign the APK
$ jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore mycustom.keystore -storepass mystorepass repackaged.apk mykeyaliasname

# verify the signature you just created
$ jarsigner -verify repackaged.apk

# zipalign the APK
$ zipalign 4 repackaged.apk repackaged-final.apk

Install the updated APK to a device.

Using frida gadget

When you next start the application you are going to see an empty screen: The injected libfrida-gadget.so library has opened a tcp socket and waits for a connection from frida.

You should see a message similar to the following in logcat:

Frida: Listening on TCP port 27042

Running nestat on the device confirms the listening socket:

shell@flo:/ $ netstat -ln                                                  
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State     
tcp        0      0 127.0.0.1:27042         0.0.0.0:*

As you might expect, the next step is connecting to the listening socket: Most frida tools work as expected although there are a few issues that can be handled better, e.g. connecting to the library after initialization, not just during loading.

There is just one thing to keep in mind: The process name you are going to use in Frida tooling should be “Gadget” instead of the normal package name.

$ frida-ps -U
Waiting for USB device to appear...
  PID  Name
-----  ------
16071  Gadget



$ frida-trace -U -i open Gadget
Instrumenting functions...
open: Auto-generated handler at "/tmp/test/__handlers__/libc.so/open.js"
Started tracing 1 function. Press Ctrl+C to stop.                       
           /* TID 0x2df7 */
  4870 ms  open(pathname=0xa280b100, flags=0x241)
  4873 ms  open(pathname=0xb6d69df3, flags=0x2)
           /* TID 0x33d2 */
115198 ms  open(pathname=0xb6d69df3, flags=0x2)
115227 ms  open(pathname=0xb6d69df3, flags=0x2)

A blank screen may appear when opening the app, but that means the gadget works. To trigger it, use objection.

objection explore

We can now disable SSL pinning.

android sslpinning disable

We could also monitor clipboard, dump memory, check for root detection, run commands, etc.

android clipboard monitor
memory dump all
android heap
sqlite connect /filepath
android hooking 
android keystore list
android keystore watch
android root simulate
android shell_exec

Drozer

Drozer identifies flaws in an app or a device. It acts like an installed Android app and talk to other apps to detect flaws.

Installation

# Install from Github
https://github.com/WithSecureLabs/drozer/releases

pip install drozer-2.4.4-py2-none-any.whl
pip install twisted
pip install service_identity

Set up Drozer Agent on Android

adb install agent.apk

Open the Drozer Agent on device. It waits for a connection on 31415.

Host a Drozer Server on Computer and launch Drozer Console.

adb forward tcp:31415 tcp:31415

drozer console connect

With Drozer shell, we can run commands.

Recon

help
list

# Debuggable Packages
run app.package.debuggable

# Obtain package name of app
run app.package.list -f app_name

# Get info about the app
run app.package.info –a sid.thoviti.app

# View Manifest file
run app.package.manifest sid.thoviti.app

# Identify App's Attack Surface
run app.package.attacksurface sid.thoviti.app

# View the Exported Activities.
run app.activity.info -a sid.thoviti.app

# Exploit and Invoke an activity
run app.activity.start --component sid.thoviti.app sid.thoviti.app.ActivityName

# List Services running via Package
run app.service.info –a <package_name>

# Start a service via app
run app.service.start –-action <nameoftheservice> –component <nameofthepackage> <nameoftheservice>

# List Broadcast Receivers
app.broadcast.info –a <packagename>

# Exploit Broadcast Receivers (Example of SMS)
run app.broadcast.send –-action <nameofthebroadcast> –component <nameofthepackage> <nameofthebroadcastreciever> -–extra string phonenumber <phonenumber> –-extra string message <anymessge>

# List Content Providers

PreviousAndroid PenTest Setup NextiOS

Last updated 1 year ago