-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[MASTG-TOOL-0015] Update drozer content and remove outdated references (
#2614) * WIP new draft of drozer tool page * drozer tool page rewrite * Codeblock consistency * Adjust passive voice in drozer tool page * Apply suggestions from code review --------- Co-authored-by: Nyaalex <[email protected]> Co-authored-by: Carlos Holguera <[email protected]> Co-authored-by: Jeroen Beckers <[email protected]> Co-authored-by: Sven <[email protected]>
- Loading branch information
5 people
authored
Jul 28, 2024
1 parent
2e79e73
commit 28b75fc
Showing
1 changed file
with
43 additions
and
43 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,76 +1,76 @@ | ||
| --- | ||
| title: Drozer | ||
| title: drozer | ||
| platform: android | ||
| source: https://github.com/FSecureLABS/drozer | ||
| source: https://github.com/WithSecureLabs/drozer | ||
| --- | ||
|
|
||
| [Drozer](https://github.com/FSecureLABS/drozer "Drozer on GitHub") is an Android security assessment framework that allows you to search for security vulnerabilities in apps and devices by assuming the role of a third-party app interacting with the other application's IPC endpoints and the underlying OS. | ||
| [drozer](https://github.com/WithSecureLabs/drozer "drozer on GitHub") is a security testing framework for Android that allows you to search for security vulnerabilities in apps and devices by assuming the role of an app interacting with the Android runtime, other apps' IPC endpoints, and the underlying OS. | ||
|
|
||
| The advantage of using drozer consists on its ability to automate several tasks and that it can be expanded through modules. The modules are very helpful and they cover different categories including a scanner category that allows you to scan for known defects with a simple command such as the module `scanner.provider.injection` which detects SQL injections in content providers in all the apps installed in the system. Without drozer, simple tasks such as listing the app's permissions require several steps that include decompiling the APK and manually analyzing the results. | ||
| drozer can be used during Android security assessments to automate tasks. It allows testers and reverse engineers to: | ||
|
|
||
| ## Installing Drozer | ||
| - Discover and interact with the attack surface exposed by Android apps. | ||
| - Execute dynamic Java-code on a device, to avoid the need to compile and install small test scripts. | ||
|
|
||
| You can refer to [drozer GitHub page](https://github.com/FSecureLABS/drozer "Drozer on GitHub") (for Linux and Windows, for macOS please refer to this [blog post](https://fi5t.xyz/en/posts/drozer-on-mac/ "(not)Unique experience blog - Installing Drozer on macOS Catalina")) and the [drozer website](https://labs.withsecure.com/tools/drozer/ "Drozer Website") for prerequisites and installation instructions. | ||
| drozer runs both in Android emulators and on real devices. It does not require USB debugging or other development features to be enabled; so you can perform assessments on devices in their production state to simulate attacks. | ||
|
|
||
| ## Using Drozer | ||
| You can extend drozer with additional modules to find, test and exploit other weaknesses; this, combined with scripting possibilities, helps to automate regression testing for security issues. | ||
|
|
||
| Before you can start using drozer, you'll also need the drozer agent that runs on the Android device itself. Download the latest drozer agent [from the GitHub releases page](https://github.com/FSecureLABS/drozer/releases/ "drozer GitHub releases") and install it with `adb install drozer.apk`. | ||
| ## Installing drozer and Setup | ||
|
|
||
| Once the setup is completed you can start a session to an emulator or a device connected per USB by running `adb forward tcp:31415 tcp:31415` and `drozer console connect`. This is called direct mode and you can see the full instructions in the [User Guide in section "Starting a Session"](https://labs.withsecure.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf "Starting a Session"). An alternative is to run Drozer in infrastructure mode, where, you are running a drozer server that can handle multiple consoles and agents, and routes sessions between them. You can find the details of how to setup drozer in this mode in the ["Infrastructure Mode"](https://labs.withsecure.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf "Infrastructure Mode") section of the User Guide. | ||
| Detailed instructions on how to install and set up the drozer console on your machine and the drozer agent on the Android phone can be found in the [drozer Github repo](https://github.com/WithSecureLabs/drozer "Installation instructions of drozer"). | ||
|
|
||
| Now you are ready to begin analyzing apps. A good first step is to enumerate the attack surface of an app which can be done easily with the following command: | ||
| ### Example usage | ||
|
|
||
| ```bash | ||
| dz> run app.package.attacksurface <package> | ||
| ``` | ||
| Once drozer is set up, you can use drozer to perform reconnaissance and exploitation of Android applications from the perspective of a malicious app on the device. [The drozer User Manual](https://labs.withsecure.com/tools/drozer#3 "drozer User Manual") introduces an intentionally vulnerable application - [sieve](https://github.com/WithSecureLabs/sieve "GitHub repo - sieve") - together with step-by-step exploitation instructions. | ||
|
|
||
| Again, without drozer this would have required several steps. The module `app.package.attacksurface` lists activities, broadcast receivers, content providers and services that are exported, hence, they are public and can be accessed through other apps. Once we have identified our attack surface, we can interact with the IPC endpoints through drozer without having to write a separate standalone app as it would be required for certain tasks such as communicating with a content provider. | ||
| Some common drozer commands include: | ||
|
|
||
| For example, if the app has an exported Activity that leaks sensitive information we can invoke it with the Drozer module `app.activity.start`: | ||
| #### Searching for applications on the device | ||
|
|
||
| ```bash | ||
| dz> run app.activity.start --component <package> <component name> | ||
| ```sh | ||
| run app.package.list -f <keyword> | ||
| ``` | ||
|
|
||
| This previous command will start the activity, hopefully leaking some sensitive information. Drozer has modules for every type of IPC mechanism. Download [InsecureBankv2](0x08b-Reference-Apps.md#insecurebankv2) if you would like to try the modules with an intentionally vulnerable application that illustrates common problems related to IPC endpoints. Pay close attention to the modules in the scanner category as they are very helpful automatically detecting vulnerabilities even in system packages, specially if you are using a ROM provided by your cellphone company. Even [SQL injection vulnerabilities in system packages by Google](https://issuetracker.google.com/u/0/issues/36965126 "SQL injection in Android") have been identified in the past with drozer. | ||
| This lists basic information about any packages containing the word "<keyword>" in their bundle identifier. This includes package names, key directories used by the application, and any permissions used or defined by the application. | ||
|
|
||
| ## Other Drozer commands | ||
| #### Enumerating the attack surface of an app | ||
|
|
||
| Here's a non-exhaustive list of commands you can use to start exploring on Android: | ||
| ```sh | ||
| run app.package.attacksurface <package> | ||
| ``` | ||
|
|
||
| ```bash | ||
| # List all the installed packages | ||
| $ dz> run app.package.list | ||
| This command inspects the target app's manifest and provides a report on any exported components of the application, and verifies whether the application is debuggable. | ||
|
|
||
| # Find the package name of a specific app | ||
| $ dz> run app.package.list -f (string to be searched) | ||
| Once the attack surface has been identified, you can obtain more specific information about each component class. For example, to list Activities, you can use the following command: | ||
|
|
||
| # See basic information | ||
| $ dz> run app.package.info -a (package name) | ||
| ```sh | ||
| run app.activity.info -a <package> | ||
| ``` | ||
|
|
||
| # Identify the exported application components | ||
| $ dz> run app.package.attacksurface (package name) | ||
| This lists the names of all exported Activities, together with the permissions required to interact with them. | ||
|
|
||
| # Identify the list of exported Activities | ||
| $ dz> run app.activity.info -a (package name) | ||
| #### Starting an Activity | ||
|
|
||
| # Launch the exported Activities | ||
| $ dz> run app.activity.start --component (package name) (component name) | ||
| In order to launch an exported activity, use the following command: | ||
|
|
||
| # Identify the list of exported Broadcast receivers | ||
| $ dz> run app.broadcast.info -a (package name) | ||
| ```sh | ||
| run app.activity.start --component <package> <component name> | ||
| ``` | ||
|
|
||
| # Send a message to a Broadcast receiver | ||
| $ dz> run app.broadcast.send --action (broadcast receiver name) -- extra (number of arguments) | ||
| When calling `app.activity.start`, you can build a much more complex intent. As with all drozer modules, you can request more usage information by using the `help` command: | ||
|
|
||
| # Detect SQL injections in content providers | ||
| $ dz> run scanner.provider.injection -a (package name) | ||
| ```sh | ||
| dz> help app.activity.start | ||
| Attempting to run shell module | ||
| usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]] [--component PACKAGE COMPONENT] [--data-uri DATA_URI] [--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]] [--mimetype MIMETYPE] | ||
| ``` | ||
| ## Other Drozer resources | ||
| You can learn more about how intents are created by running `help intents`. | ||
| ## Other drozer resources | ||
| Other resources where you might find useful information are: | ||
| - [Official drozer User Guide](https://labs.withsecure.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf "Drozer User Guide"). | ||
| - [drozer GitHub page](https://github.com/FSecureLABS/drozer "GitHub repo") | ||
| - [drozer Wiki](https://github.com/FSecureLABS/drozer/wiki "drozer Wiki") | ||
| - [Official drozer User Manual](https://labs.withsecure.com/tools/drozer "drozer User Manual") | ||
| - [drozer GitHub page](https://github.com/WithSecureLabs/drozer "GitHub repo - drozer") | ||
| - [drozer Agent GitHub page](https://github.com/WithSecureLabs/drozer-agent "GitHub repo - drozer-agent") |