Wiki
  • Introduction
  • 👾Penetration Testing
    • Application Security
      • Mobile App Security
        • Android Application Testing
          • Security Checklist
          • SSL Pinning Bypasses
          • Non-Proxy Aware Applications
            • Setting up VPN Server
            • Bypasses
          • Common Proxying Issues
          • Android Local Storage Checks
          • Android Task Hijacking
          • Kiosk Mode / Breakout Testing
          • Magisk on GenyMotion
        • iOS Application Testing
          • iOS Testing Using Objection
          • IPA Analysis Using MobSF
          • iOS Jailbreak Bypass
          • Decrypting iOS Apps
          • iOS Reverse Engineering
          • Jailbreak Detection Bypasses
          • iOS Local Storage Checks
          • Installing IPA
          • ATS Auditing
          • iOS Jailbreaking
          • Frida Pinning Bypasses
          • iOS Jailbreaking
        • Code Security
        • Frida on Windows
      • Web Application Security
        • Web Shells
        • CSV Injection
        • Measure Response Time using CURL
        • OSINT
          • EyeWitness
        • GraphQL Hacking
      • API Security
        • Security Checklist
        • Postman and Burp
        • CURL via BurpSuite
        • SOAP API Pentesting
    • Infrastructure Security
      • Network Infrastructure
        • Red Team Powershell Scripts
        • Mounting NFS Shares
        • Password Cracking/Auditing
        • Remote Access Sheet
        • Password Cracking Using Hashcat
        • Calculate IP Addresses from CIDR
        • Grep IP addresses or IP Ranges from a File
        • Default Credentials Checking
        • Check SSL/TLS Certificates
        • Log a terminal session
        • Unauthenticated Mongo DB
        • Microsoft SQL Server (MSSQL)
        • NTP Mode 6 Vulnerabilities
        • BloodHound
        • AD Offensive Testing
        • CrackMapExec
        • Select all IP addresses in Sublime Text
        • Convert CIDRs to an IP address list
        • Microsoft Exchange Client Access Server Information Disclosure
        • Web Server HTTP Header Internal IP Disclosure
        • smbclient.py
        • GetUserSPNs.py
        • Get-GPPPassword.py
        • SMBMap
        • Mounting Shares
        • mitm6
        • AD Attacks
        • Weak IKE Security Configurations
        • Locked BIOS Password Bypass
      • Wireless Security
        • Cached Wireless Keys
        • Aircrack Suite
    • SSL/TLS Security
    • Secure Code Review
      • Python
      • Semgrep
        • Semgrep to HTML Report
    • Cloud Security
      • Cloud Penetration Testing
    • Social Engineering
      • Simulated Phishing
        • GoPhish
    • Tool Usage
      • Docker
      • Split
      • PhantomJS
      • Aquatone
      • Tmux
      • Ipainstaller
      • Public IP From Command Line
      • Wifite
      • IKE Scan
      • Grep
      • Pulling APKs
      • Bitsadmin
      • Drozer
      • Iptables
      • Python Web Server
      • Crackmapexec
      • Impacket
      • Nessus
      • Adding SUDO User
      • Nmap
      • Metasploit Payloads
      • SMTP Open Relay
      • SQLMap
      • Screen
      • Remove All After Colon
      • Remove Old Linux Kernels
      • CURL
      • Hashcat
      • Secure Copy Protocol (SCP)
      • SSH & PGP Tools
      • IP Calculator
      • BloodHound
      • Netcat File Transfer
      • OpenVAS
      • BurpSuite
      • Exiftool
      • Python Virtual Environments
    • Errors and Solutions
      • Kill Process On Specific Port
      • Kill SSH Port Forwarding
      • SSH Key
      • Expanding Disk on Kali VM
    • Scoping
      • Scoping Questionnaires
        • Mobile App Testing
    • OSINT
      • Dark Web OSINT
      • Certificate Chain Check
      • EyeWitness - Web Service Screenshot
      • Tor to Browse Onion Links
      • DarkDump - Scan Dark Web for Onion Links
      • Domain related File Search
      • Google Dorking
      • IP / Network Blocks owned by a Company
  • ⌨️Programming
    • Automation
      • Running a Service at Boot
      • Network Connectivity Cron
    • Python
      • Adding Columns in Pandas
      • Copy Entire Column Data To New Column Pandas
      • Loading Progress Bar
      • Reorder Columns in Pandas
      • Filename with Date/Time Stamp
      • Command Line Arguments
      • Changing Date Format
      • Removing Index Column Pandas
      • Regex - Remove HTML Tags
      • Column Header Mapping
  • 🌐Miscellaneous
    • Scripts
      • Clickjacking Checker
      • Bulk WHOIS
      • SMB Signing Check
      • FDQN to IP Address
      • Grep IP Addresses
      • Nessus Parser
      • Build Review Audit
      • Nessus Merger
      • Nmap2CSV
      • Remove Audio From Videos
    • Favourite Reads/Links
    • Hacking Posters
    • Windows Developer VMs
    • Windows Workspaces
    • GitHub Pages
    • Interview Prep
      • Senior Penetration Tester
    • CVSS Formula
    • Android Rooting
      • Lineage OS 18.1 on OnePlus X
      • TWRP Recover on OnePlus X
      • Magisk Rooting
    • Presentation Slides
      • BlackHat - USA [2022]
  • 🐞Vulnerability Wiki
    • 🌐APPLICATION LEVEL
      • 🔒AUTHENTICATION
        • Authentication Bypass
        • Lack of Password Confirmation
        • 2FA Code Brute-forceable
        • Lack of Verification
        • Lack of Throttling on Form Submissions
        • Lack of Rate Limiting on Login
        • Weak Password Complexity Rules
        • 🖥️SESSION MANAGEMENT
        • 🔑ACCESS CONTROL
      • 🔢INPUT VALIDATION
      • ➗CRYPTOGRAPHY
      • 📉LOGGING
      • 📕DATA PROTECTION
      • 📲COMMUNICATION
      • 👨‍💻MALICIOUS CODE
      • 💡LOGIC
      • 🗄️FILE UPLOAD
      • ⚙️API ISSUES
      • 🔍CONFIGURATIONS
    • 💾INFRASTRUCTURE LEVEL
      • ICMP Timestamp Request Remote Date Disclosure (CVE-1999-0524)
      • ASP.NET Debug Mode Validation
Powered by GitBook
On this page
  • Setup:
  • Debian/Ubuntu Package - Drozer Agent APK file
  • Side-Loading the Drozer Agent APK
  • List of devices attached
  • Drozer Agent Installed
  • Connecting to the Drozer Console
  • Testing:
  • Find out the list of applications using keywords:
  • Run a vulnerable activity from the package:
  • Find out exported activities:
  • Find out package information:
  • Attack Surfaces:
  • Find URIs

Was this helpful?

  1. Penetration Testing
  2. Tool Usage

Drozer

An installation and wiki guide to using Drozer for Android application testing

Setup:

Install missing dependency

sudo apt install -f
dozer
adb forward tcp:31415 tcp:31415
drozer console connect

Once your emulator is up and running, it is now time to have some sideloading fun. The folks at MWR labs have created an awesome Android attack framework called “drozer”. The framework consists of software that needs to be installed on Ubuntu, as well as an “APK” file that needs to be sideloaded onto your emulated Android.

First, you need to download both the “Ubuntu/Debian” package, and the drozer Agent APK files from MWR labs. The following screenshots show what you are looking for:

Debian/Ubuntu Package - Drozer Agent APK file

After the downloads are complete, perform the Ubuntu/Debian package installation first, as follows:

$ sudo dpkg -i ~/Downloads/drozer_2.3.4.deb
$ sudo apt install -f

Seriously? It’s that simple? Yes! This will nicely install all of the required dependencies for you. It seems a little backwards, and counterintuitive, but trust me, this will work well.

Side-Loading the Drozer Agent APK

Now it’s time to use our Android emulator to sideload the drozer APK package. In addition to this, if we have another APK we want to perform penetration testing against, we probably want to sideload that APK file as well.

The first steps are to make sure your emulator is running, check access with ADB, and sideload packages as needed.

$ emulator -avd pentest1 & $ adb devices

List of devices attached


$ adb install ~/Downloads/drozer-agent-2.3.4.apk

Drozer Agent Installed

In order to use “drozer”, we must start the agent App on the Android emulator, and then turn on the embedded server, which listens on TCP port 31415. In addition to this, we must use “ADB” to forward the TCP port 31415 to the Android emulator so that we may communicate between the Ubuntu host and the Android drozer Agent. After forwarding the TCP communications, use the “drozer” command under Ubuntu to connect to the drozer console.

Connecting to the Drozer Console

At this stage, we have a fully operating attack framework, and can use many of the reconnaissance, scanning, and attack commands that drozer provides for us. The example below simply lists Android packages on the system.

The various drozer modules have appropriate help associated with each. From a penetration testing perspective, you should treat this like any other penetration testing activity, meaning you need to perform reconnaissance, APK package information gathering of various providers, intents, broadcast receivers and so forth before starting to exploit some of the inherent weaknesses.

$ sudo dpkg -i ~/Downloads/drozer_2.3.4.deb
$ sudo apt install -f
$ emulator -avd pentest1 &
$ adb devices
$ adb install ~/Downloads/drozer-agent-2.3.4.apk

Testing:

Find out the list of applications using keywords:

dz > run app.package.list -f MyApplication (or any other app name)

Run a vulnerable activity from the package:

dz> run app.activity.start --component com.mobile.app ExponentDevActivity

Find out exported activities:

dz> run app.activity.info -a com.mobile.app

Find out package information:

dz> run app.package.info -a com.mobile.application

Attack Surfaces:

dz> run app.package.attacksurface com.mobile.application

Find URIs

dz> run scanner.provider.finduris -a ie.mobile.application
PreviousBitsadminNextIptables

Last updated 4 years ago

Was this helpful?

👾