
Mobile Testing 2

Dynamic Analysis

Traffic Interception

Add Proxy Certificate

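# Convert DER to PEM
# The proxy's CA certificate is exported in DER form (saved here as "cert").
# Android's system trust store names each CA file by the OpenSSL *old-style*
# subject hash plus a ".0" suffix, so compute that hash and rename the PEM to it.
openssl x509 -inform DER -in cert -out cacert.pem
# -noout suppresses the PEM body, so $NUM holds only the hash (no "head -1" needed)
NUM=$(openssl x509 -inform PEM -subject_hash_old -noout -in cacert.pem)
mv cacert.pem "$NUM.0"

# Insert Burp Cert
# Uses the hash computed above instead of the hard-coded "9a5ba575.0": that name
# only matches one specific CA, and a regenerated proxy CA gets a different hash.
# Needs a rooted device with a remountable /system; if the remount fails, the
# system store cannot be changed this way.
# A CA in the system store is trusted by every app on the device, so use a
# dedicated test device and delete the file once testing is finished.
adb devices
adb push "$NUM.0" /sdcard/
adb shell "su -c 'mount -o rw,remount /system'"
adb shell "su -c 'mv /sdcard/$NUM.0 /system/etc/security/cacerts/'"
adb shell "su -c 'chmod 644 /system/etc/security/cacerts/$NUM.0'"
# Confirm the file and its permissions before rebooting
adb shell "su -c 'ls -l /system/etc/security/cacerts/$NUM.0'"
adb shell "su -c 'reboot'"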

Forward Traffic

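# Host:port of the interception proxy and the TCP ports the target app uses.
# The original rules hard-coded 192.168.222.70:8080 seven times; set PROXY once.
PROXY=192.168.222.70:8080
PORTS="80 443 8080 7000 7001 7003 7777"

# Redirect the device's outbound TCP traffic on each listed port to the proxy.
# Only these ports are intercepted — traffic on any other port bypasses the proxy,
# so confirm the app's real ports first (logcat or a packet capture).
for port in $PORTS; do
  adb shell "su -c 'iptables -t nat -A OUTPUT -p tcp --dport $port -j DNAT --to-destination $PROXY'"
done

# Print the NAT table to confirm the rules are in place.
# NOTE(review): these rules are not persisted — expect them to be gone after a reboot.
adb shell "su -c 'iptables -t nat -L'"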

Essential Tools

# ADB
# Android Debug Bridge basics used throughout the rest of this page.
# List attached devices (USB and TCP/IP) with their serials
adb devices
# Target one specific device by serial when several are attached
adb -s ce0617160cdf473601 shell
# Attach to a device over the network (adb on TCP port 5555), then address it by host:port
adb connect 192.168.1.10:5555
adb -s 192.168.1.10:5555 shell
# Copy files to / from the device's shared storage
adb push note.txt /sdcard/
adb pull /sdcard/note.txt
# Install / remove an application
adb install appname.apk
adb uninstall package_name
# Find the target app's process; its PID is used for log filtering and for the jdwp forward later on
adb shell ps | grep -i appname
# Filter the system log by that PID (19586 is an example value) ...
adb shell logcat | grep -i 19586
# ... or by keywords that indicate secrets or session material being written to the log.
# Anything matched here is readable by whoever has adb/log access, which is a finding in itself.
adb shell logcat | grep -i "http\|https\|cookie\|login\|md5\|sha1\|auth\|pass"
# Map a host TCP port to a device port (replace the <host port> / <device port> placeholders)
adb forward tcp:<host port> tcp:<device port>

# Package Manager
# List every installed package
adb shell pm list packages
# -f also prints each APK's path; the trailing word filters package names containing it
adb shell pm list packages -f google
# -3 restricts the list to third-party (non-system) packages
adb shell pm list packages -3 | sort
# Resolve the on-device APK path of the target app ...
adb shell pm path jakhar.aseem.diva
# ... and pull it to the host for static analysis (the path comes from the previous command's output)
adb pull /data/app/jakhar.aseem.diva-1/base.apk

# Activity Manager
# Activity Manager
# These commands are run inside `adb shell` on the device.
# Start an activity explicitly by component name (package/.Activity)
am start -n package_name/.activity_name
# Start an activity implicitly through its intent-filter action
am start -a jakhar.aseem.diva.action.VIEW_CREDS
# Same, passing a boolean extra (--ez) that the activity reads
am start -a jakhar.aseem.diva.action.VIEW_CREDS2 --ez "check_pin" false
# Deliver a broadcast with string extras (--es) to the lab app's receiver.
# NOTE(review): the receiver appears to act on these extras without any authorisation —
# that is the exported-component weakness this example demonstrates.
am broadcast -n com.android.insecurebankv2/.MyBroadCastReceiver -a theBroadcast --es phonenumber 4444 --es newpass 123456
# Query a content provider directly, bypassing the app's UI
content query --uri content://jakhar.aseem.diva.provider.notesprovider/notes

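# SQlite
# Open an on-device database with the sqlite3 CLI (the original read "qlite3", which
# is not a command). Typically run from `adb shell` or `run-as <package>` inside the
# app's data directory. The two lines after it are typed at the sqlite> prompt,
# not in the shell.
sqlite3 database_name
.tables
select * from table_name;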

# Run-As
# Switch to the app's own UID to reach its private data directory.
# NOTE(review): run-as is only permitted for apps marked debuggable — see the next section.
run-as jakhar.aseem.diva
# Run a single command as that UID and confirm the identity
run-as jakhar.aseem.diva whoami

Debug & Backup Flags

# If debug="true"
# (presumably the manifest's android:debuggable attribute — verify in the decoded manifest)

# Drozer specific apk
# drozer console commands (see the Drozer section below for connecting the console).
# Attack surface of one package: exported activities, receivers, providers and services,
# plus whether it is debuggable
run app.package.attacksurface com.mwr.dz

# Drozer all applications
# List every installed package that is marked debuggable
run app.package.debuggable

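# JDB
# A debuggable app exposes a JDWP endpoint; attach the Java debugger to it.
# Find the app's PID first
adb shell ps | grep package_name
# Forward a host port to the process's JDWP socket.
# (The original line ended in "// process_id = 13907"; "//" is not a shell comment,
# so those words would have been passed to adb as extra arguments.)
adb forward tcp:7777 jdwp:process_id   # process_id = 13907 in the example
jdb -attach localhost:7777
# Typed at the jdb prompt, not in the shell (a leading ">" in a shell script would
# only create empty files named after each command):
#   classes
#   methods com.android.insecurebankv2.LoginActivity
#   stop in com.android.insecurebankv2.LoginActivity.createUser()   # breakpoint
#   step
#   locals                                                          # inspect locals at the breakpoint
#   set text = "Hacked!!!"                                          # overwrite a local variable
#   run

# JDB One Liner
# Non-interactive form: pipe a single jdb command in and grep its output
echo "classes" | jdb -attach localhost:7777 | grep package_name
echo "methods com.android.insecurebankv2.LoginActivity" | jdb -attach localhost:7777 | grep package_name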

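# If backup="true"
# (the manifest's allowBackup flag — the steps below fail when it is false)

# Extract
# Writes backup.ab in the current directory (use -f <file> for another name).
# The device asks for confirmation and, optionally, a backup password.
adb backup com.android.insecurebankv2

# https://sourceforge.net/projects/adbextractor/
# Convert to tar using abe
# The last argument is the backup password set on the device; omit it for an
# unencrypted backup.
java -jar abe.jar unpack backup.ab backup.tar password
tar xvf backup.tar

# Convert to tar using dd and python
# NOTE(review): only for unencrypted backups — after the 24-byte header the rest is
# a zlib stream containing the tar. "bs=24 skip=1" skips the same 24 bytes as the
# original "bs=1 skip=24" without copying one byte at a time, and the one-liner now
# uses the binary stdin/stdout buffers so it works on Python 3 (the original
# sys.stdout.write(bytes) only ran on Python 2).
dd if=backup.ab bs=24 skip=1 | python3 -c "import zlib,sys;sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))" > backup.tar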

Drozer

# Install drozer application in linux and drozer-agent in android.
# Host side: the drozer console package. NOTE(review): the download is not
# authenticated here — verify the file against the checksum or signature published
# with the release before installing it system-wide with dpkg. These are also
# pinned, older release versions.
wget https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer_2.4.4.deb
dpkg -i drozer_2.4.4.deb
# The agent listens on TCP 31415 on the device; forward that port to the host ...
adb forward tcp:31415 tcp:31415
# ... and attach the console to it
drozer console connect

# Drozer apk
# Device side: the agent APK (install with `adb install`; the agent's server is
# presumably started from the app itself — confirm)
wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk

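# List all the installed packages
# drozer console commands; "(...)" marks a placeholder to fill in.
run app.package.list

# Find the package name of a specific app
# (the original used a Unicode en-dash "–f"; the option is an ASCII "-f")
run app.package.list -f (string to be searched)

# See basic information
# (same fix: ASCII "-a", not "–a")
run app.package.info -a (package name)

# Identify the exported application components
# Exported components are reachable by any other app on the device — the IPC attack surface
run app.package.attacksurface (package name)

# Identify the list of exported Activities
run app.activity.info -a (package name)

# Launch the exported Activities
run app.activity.start --component (package name) (component name)

# Identify the list of exported Services
run app.service.info -a (package name)

# Identify the list of exported Broadcast receivers
run app.broadcast.info -a (package name)

# Send a message to a Broadcast receiver
# Same extras as the "am broadcast" example earlier on this page
run app.broadcast.send --action (broadcast intent filter) --extra string phonenumber 4444 --extra string newpass 123456

# Content providers
# Provider metadata, URI discovery, then a direct query of one URI
run app.provider.info -a jakhar.aseem.diva
run scanner.provider.finduris -a jakhar.aseem.diva
run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes/

# Detect SQL injections in content providers
# A hit means the provider passes URI/selection input into SQL unsafely; the fix is parameterised queries
run scanner.provider.injection -a (package name)

# Detect Directory Traversal in content providers
run scanner.provider.traversal -a com.mwr.example.sieve

# Sniff Broadcast
# Registers a receiver for the action: shows what other apps could read from an unprotected broadcast
run app.broadcast.sniff --action "theBroadcast"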

Frida

# Frida Server
# Run on the device (via adb shell, as root) and leave it in the background.
# NOTE(review): the server build must match the host's frida client version and the
# device ABI (x86_64 here, presumably an emulator) — confirm before use.
/data/local/tmp/frida-server-14.0.8-android-x86_64 &

# Root Bypass JS
# -U: USB device; -f: spawn the package; -l: load the script; --no-pause: resume at once
frida -U -f package_name -l root_bypass.js --no-pause

# SSLCert Pinning Bypass JS
# Same invocation with a pinning-bypass script. Success shows the pinning can be hooked
# at runtime, which is the point to report: pinning alone does not hold on an instrumented device.
frida -U -f package_name -l frida-android-repinning_sa.js --no-pause

Objection

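# Objection
# Commands typed at the objection REPL (after `objection -g <package> explore`).
# Two typos from the original are fixed below: "launch_activiry" and "root simul".
# Environment / filesystem commands run inside the app's sandbox
env
pwd
ls
file cat SharedPreferences.xml
# "!" runs an OS command. The original "// run any system command" suffix would
# have been handed to whoami as arguments, so it is a comment here.
!whoami
# Enumerate the app's classes and methods, then hook them
android hooking list activities
android hooking search classes (keyword)
android hooking list class_methods com.android.insecurebankv2.LoginActivity
# Log each call and its return value
android hooking watch class_method com.android.insecurebankv2.LoginActivity.doesSUexist --dump-return
# Force the root check to report "not rooted" — shows a client-side check alone is not a control
android hooking set return_value com.android.insecurebankv2.PostLogin.doesSUexist false
android intent launch_activity com.android.insecurebankv2.PostLogin
# Dump process memory and look for secrets held in cleartext
memory dump all result.dump
# (run in the host shell, not the REPL)
strings result.dump | grep -i "password"
# Built-in bypasses for TLS pinning and root detection
android sslpinning disable
android root disable
android root simulate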