# Mobile Testing 2

## Dynamic Analysis

### Traffic Interception

#### Add Proxy Certificate

```bash
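# Convert the proxy CA certificate from DER to PEM
openssl x509 -inform DER -in cert -out cacert.pem

# Android looks up system CA files as <subject_hash_old>.0.
# -noout prints only the hash instead of the hash followed by the PEM body.
NUM=$(openssl x509 -inform PEM -subject_hash_old -noout -in cacert.pem | head -1)
# Stop here if the hash could not be computed, otherwise a file named ".0" is pushed.
: "${NUM:?could not compute subject_hash_old for cacert.pem}"
mv -- cacert.pem "${NUM}.0"

# Insert Burp Cert (rooted test device only).
# The file name must be the hash computed above; a hard-coded name such as
# 9a5ba575.0 only matches a certificate whose subject hash is that value.
# NOTE(review): on recent Android releases /system may not be remountable
# read-write and the system trust store may be served from another location -
# confirm for the OS version under test.
adb devices
adb push "${NUM}.0" /sdcard/
adb shell "su -c 'mount -o rw,remount /system'"
adb shell "su -c 'mv /sdcard/${NUM}.0 /system/etc/security/cacerts/'"
adb shell "su -c 'chmod 644 /system/etc/security/cacerts/${NUM}.0'"
# Check owner and mode before rebooting.
adb shell "su -c 'ls -l /system/etc/security/cacerts/${NUM}.0'"
adb shell "su -c 'reboot'"
# After the assessment, delete the file from cacerts/ again: while it is
# installed the device trusts every certificate issued by the proxy CA.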
```

#### Forward Traffic

```bash
# Send the device's own outbound TCP traffic on the listed ports to the
# intercepting proxy. -A appends, so running this twice leaves duplicate
# rules; remove a rule by repeating it with -D in place of -A.
PROXY=192.168.222.70:8080
for port in 80 443 8080 7000 7001 7003 7777; do
  adb shell "su -c 'iptables -t nat -A OUTPUT -p tcp --dport ${port} -j DNAT --to-destination ${PROXY}'"
done
# List the nat table to confirm the rules are in place.
adb shell "su -c 'iptables -t nat -L'"
```

### Essential Tools

```shell
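# ADB (run on the host)
# List attached devices, then open a shell on one by serial or by ip:port.
adb devices
adb -s ce0617160cdf473601 shell
adb connect 192.168.1.10:5555
adb -s 192.168.1.10:5555 shell
# Copy files to and from the device.
adb push note.txt /sdcard/
adb pull /sdcard/note.txt
adb install appname.apk
adb uninstall package_name
# Find the app's process, then filter logcat (19586 is presumably its PID).
adb shell ps | grep -i appname
adb shell logcat | grep -i 19586
# Credentials, tokens or hashes showing up here are an insecure-logging finding.
adb shell logcat | grep -i "http\|https\|cookie\|login\|md5\|sha1\|auth\|pass"
# <host port> and <device port> are placeholders; replace them before running.
adb forward tcp:<host port> tcp:<device port>

# Package Manager
adb shell pm list packages
adb shell pm list packages -f google
# -3 lists third-party packages only.
adb shell pm list packages -3 | sort
# Print the APK path of a package, then pull that APK for static analysis.
adb shell pm path jakhar.aseem.diva
adb pull /data/app/jakhar.aseem.diva-1/base.apk

# Activity Manager (am and content are device commands: run them inside `adb shell`)
am start -n package_name/.activity_name
am start -a jakhar.aseem.diva.action.VIEW_CREDS
am start -a jakhar.aseem.diva.action.VIEW_CREDS2 --ez "check_pin" false
am broadcast -n com.android.insecurebankv2/.MyBroadCastReceiver -a theBroadcast --es phonenumber 4444 --es newpass 123456
content query --uri content://jakhar.aseem.diva.provider.notesprovider/notes

# SQLite (.tables and the select are typed at the sqlite3 prompt)
sqlite3 database_name
.tables
select * from table_name;

# Run-As (inside `adb shell`)
# NOTE(review): run-as is expected to work only for debuggable packages - confirm.
run-as jakhar.aseem.diva
run-as jakhar.aseem.diva whoami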
```

### Debug & Backup Flags

```shell
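# If android:debuggable="true" is set in the manifest
# (release builds should ship with it false; report it if found in production)

# Drozer specific apk (typed at the drozer console)
run app.package.attacksurface com.mwr.dz

# Drozer all applications
run app.package.debuggable

# JDB
adb shell ps | grep package_name
# process_id is the PID from the ps output above, e.g. 13907.
# A trailing "// ..." is not a shell comment and would be passed to adb as arguments.
adb forward tcp:7777 jdwp:process_id
jdb -attach localhost:7777
# Lines starting with ">" are typed at the jdb prompt.
> classes
> methods com.android.insecurebankv2.LoginActivity
> stop in com.android.insecurebankv2.LoginActivity.createUser()
> step
> locals
> set text = "Hacked!!!"
> run

# JDB One Liner
echo "classes" | jdb -attach localhost:7777 | grep package_name
echo "methods com.android.insecurebankv2.LoginActivity" | jdb -attach localhost:7777 | grep package_name

# If android:allowBackup="true" is set in the manifest
# (app-private data can then be copied off the device over adb)

# Extract
# NOTE(review): adb backup is deprecated on newer Android releases and may
# return an empty archive - confirm for the OS version under test.
adb backup com.android.insecurebankv2

# https://sourceforge.net/projects/adbextractor/
# Convert to tar using abe
java -jar abe.jar unpack backup.ab backup.tar password
tar xvf backup.tar

# Convert to tar using dd and python
# Skips the 24-byte header of an unencrypted backup and inflates the rest.
# Binary stdin/stdout are required on Python 3; the text-mode streams used by
# a Python 2 style one-liner fail there.
dd if=backup.ab bs=1 skip=24 | python3 -c "import zlib,sys;sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))" > backup.tar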
```

### Drozer

```shell
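# Install drozer application in linux and drozer-agent in android.
# Compare the package checksum with the one published for the release before
# installing; dpkg -i runs the package's maintainer scripts as root.
wget https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer_2.4.4.deb
dpkg -i drozer_2.4.4.deb
# 31415 is the port forwarded to the drozer agent on the device.
adb forward tcp:31415 tcp:31415
drozer console connect

# Drozer apk
wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk

# Everything below is typed at the drozer console, not in the host shell.
# Text in parentheses is a placeholder.

# List all the installed packages
run app.package.list

# Find the package name of a specific app
# (plain ASCII hyphen: a typographic dash pasted from a web page is not parsed as an option)
run app.package.list -f (string to be searched)

# See basic information
run app.package.info -a (package name)

# Identify the exported application components
run app.package.attacksurface (package name)

# Identify the list of exported Activities
run app.activity.info -a (package name)

# Launch the exported Activities
run app.activity.start --component (package name) (component name)

# Identify the list of exported Services
run app.service.info -a (package name)

# Identify the list of exported Broadcast receivers
run app.broadcast.info -a (package name)

# Send a message to a Broadcast receiver
run app.broadcast.send --action (broadcast intent filter) --extra string phonenumber 4444 --extra string newpass 123456

# Content providers
run app.provider.info -a jakhar.aseem.diva
run scanner.provider.finduris -a jakhar.aseem.diva
run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes/

# Detect SQL injections in content providers
run scanner.provider.injection -a (package name)

# Detect Directory Traversal in content providers
run scanner.provider.traversal -a com.mwr.example.sieve

# Sniff Broadcast
run app.broadcast.sniff --action "theBroadcast"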
```

### Frida

```shell
# Frida Server
# Started on the device itself (root shell), in the background. The binary
# name encodes release and ABI (14.0.8, android-x86_64); the frida client on
# the host should be the same release as the server.
/data/local/tmp/frida-server-14.0.8-android-x86_64 &

# Root Bypass JS
# -U: USB device, -f: spawn the package, -l: load the script.
# root_bypass.js is not shown on this page; read any third-party script before loading it.
# NOTE(review): newer frida-tools releases reportedly no longer accept
# --no-pause - confirm against the installed version.
frida -U -f package_name -l root_bypass.js --no-pause

# SSLCert Pinning Bypass JS
# If root detection or pinning can be switched off this way, record it as a
# client-side control only; the server must not rely on it.
frida -U -f package_name -l frida-android-repinning_sa.js --no-pause
```

### Objection

```shell
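# Objection (typed at the objection prompt once it is attached to the app)
env
pwd
ls
file cat SharedPreferences.xml
# A leading ! runs any system command. Keep notes on their own line: a
# trailing "// ..." is passed to the command as arguments.
!whoami
android hooking list activities
android hooking search classes (keyword)
android hooking list class_methods com.android.insecurebankv2.LoginActivity
android hooking watch class_method com.android.insecurebankv2.LoginActivity.doesSUexist --dump-return
# NOTE(review): the watch above targets LoginActivity while the line below
# targets PostLogin - confirm which class defines doesSUexist.
android hooking set return_value com.android.insecurebankv2.PostLogin.doesSUexist false
android intent launch_activity com.android.insecurebankv2.PostLogin
memory dump all result.dump
# Search the dump for secrets held in memory in clear text (regular shell, not an objection command).
strings result.dump | grep -i "password"
android sslpinning disable
android root disable
android root simulate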
```


