Android Pentesting

Free vulnerable Android applications (practice targets):

  1. https://github.com/hafiz-ng/beetlebug
  2. https://payatu.com/bugbazaar/
  3. https://github.com/OWASP/owasp-mastg/tree/master/Crackmes/Android
  4. https://github.com/OWASP/MASTG-Hacking-Playground
  5. https://github.com/dineshshetty/Android-InsecureBankv2
  6. https://github.com/rewanthtammana/Damn-Vulnerable-Bank
  7. https://github.com/B3nac/InjuredAndroid
  8. https://github.com/satishpatnayak/AndroGoat
  9. https://github.com/hax0rgb/InsecureShop
  10. https://github.com/payatu/diva-android
  11. https://github.com/oversecured/ovaa


----------------------------------------------------------------

Virtual Android Emulators:

  1. Android Studio: https://developer.android.com/studio

  2. MEmu emulator: https://www.memuplay.com/

  3. Genymotion: https://www.genymotion.com

  4. NoxPlayer: https://www.bignox.com

----------------------------------------------------------------

Step 1: Use a rooted device/emulator:

frida-server and the system-store CA installation below need root, so use a rooted physical device or an emulator image that allows root (for example a Google APIs, non-Play system image in Android Studio, where adb root works).

----------------------------------------------------------------


Step 2: Install the Python Frida packages on Windows:

Install Python for Windows from: https://www.python.org/downloads/windows/
The Frida client, its command-line tools and objection are Python packages. Install them from a terminal:
//pip install setuptools
//pip install frida
//pip install frida-tools
//pip install objection
Verify the installed Frida version:
//frida --version
Example output: 17.2.17
Note down this version: the frida-server pushed to the device must be exactly the same version, otherwise the client cannot talk to it.
----------------------
Setting up frida-server on the Android emulator/device:
frida-server runs on the device and handles communication between the Frida tools on the host (client) and the target application process.
It needs root, so this requires the rooted device or emulator from Step 1.
1) Download the frida-server build for the device's CPU architecture (arm, arm64, x86, x86_64).
2) Connect the device to adb and find its architecture with:
//adb shell getprop ro.product.cpu.abi
Example output: x86_64
3) Download frida-server from the official release page:
https://github.com/frida/frida/releases
4) Pick the release that matches the client version installed on Windows.
With client 17.2.17 and an x86_64 emulator that is:
frida-server-17.2.17-android-x86_64.xz
Decompress it first (7-Zip on Windows, xz -d on Linux); the file you push is the extracted binary, not the .xz archive.
5) Push the binary to the device:
// adb push /path/to/frida-server-17.2.17-android-x86_64 /data/local/tmp
6) Open an adb shell and confirm the file is present in /data/local/tmp.
7) Make frida-server executable:
// adb shell
// cd /data/local/tmp
// ls -la
// chmod +x frida-server-17.2.17-android-x86_64
8) Run it as root (su first on a rooted device, or adb root on a non-Play emulator image): ./frida-server-17.2.17-android-x86_64
On Windows also add the platform-tools and build-tools folders to the PATH environment variable, for example:
C:\Users\asad\Platform-tools\platform-tools
C:\Users\asad\AppData\Local\Android\Sdk\build-tools\30.0.3

----------------------------------------------------------------

Step 3: Install platform-tools (adb):

Installation on Linux:
//sudo apt install adb
---------
Installation on Windows:
Download platform-tools for Windows from:
https://dl.google.com/android/repository/platform-tools-latest-windows.zip
Extract the archive and copy the folder to your user directory.
Add the platform-tools folder to the PATH in System environment variables so adb can be run from any terminal.

----------------------------------------------------------------

Step 4: Connect the device to adb:

We connect the device to adb so we can run commands on it.
First go to Settings >> Developer options and enable USB debugging, so adb can communicate with the device (emulators usually have it on already).
Open the emulator and start the Android Virtual Device.
To check that the device is visible to adb:
//adb devices
You should see the device serial (for example emulator-5554) with the state "device"; "unauthorized" means the USB debugging prompt on the device has not been accepted yet.
Note: if adb does not see a MEmu instance, the emulator's bundled adb.exe (Program Files\Microvirt\MEmu\adb.exe) is a different version fighting over the adb server port; delete or stop it and use the platform-tools adb only.
----------------------
Get a shell on the device:
//adb shell
Check your privileges (the shell user is uid 2000; root is uid 0):
//id
//whoami
----------------------
To Restart the ADB Server:
//adb kill-server
//adb start-server
----------------------
Install the target application on the device:
//adb install name.apk
If you prefer to install it from the device itself, copy it to storage first:
//adb push name.apk /sdcard/
Open the application and keep it running in the background (Frida attaches to the running process).
----------------------
To list all installed packages on the device (add -3 to show only third-party apps):
//adb shell
//pm list packages
----------------------
To dump the memory usage of all running processes:
//adb shell
//dumpsys meminfo
----------------------
To save the device log (logcat) to a file on the device and read it back:
//adb logcat -d -f /data/local/tmp/logcat.log
-d dumps the current log and exits; the file is written on the device under /data/local/tmp, which the shell user can write to.
//adb shell cat /data/local/tmp/logcat.log
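The package listing above is usually followed by pulling the target's APK so it can be opened in JADX or APKTool. The script below is an added example (not part of the original notes): it lists third-party packages and pulls every APK of one package, including split APKs, which `pm path` reports as several lines. It assumes adb is in PATH and a device is connected; the package name com.example.target is a placeholder.

```shell
#!/bin/sh
# Added example: list third-party packages and pull all APKs of one package.
# Assumes adb in PATH and a connected device. Package names are placeholders.
set -e

# Turn `pm path <pkg>` output ("package:/data/app/.../base.apk") into bare paths.
# Reads stdin; strips the "package:" prefix and the CR that Windows adb appends.
apk_paths_from_pm() {
    sed -n 's/^package://p' | tr -d '\r'
}

# Only packages installed by the user (-3), which is what we normally test.
list_third_party_packages() {
    adb shell pm list packages -3 | apk_paths_from_pm | sort
}

# Pull base.apk and any split_*.apk of the package into a local directory.
pull_apks() {
    pkg="$1"; out="${2:-$pkg}"
    mkdir -p "$out"
    adb shell pm path "$pkg" | apk_paths_from_pm | while read -r p; do
        adb pull "$p" "$out/"
    done
    ls "$out"
}

# Usage:  sh pull_apks.sh list
#         sh pull_apks.sh pull com.example.target ./target-apks
case "${1:-}" in
    list) list_third_party_packages ;;
    pull) pull_apks "$2" "$3" ;;
esac
```

Apps distributed as app bundles ship several APKs, so always pull everything `pm path` lists; JADX can open the directory, and APKTool needs the base APK plus the config splits to rebuild a working package.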
----------------------
APKTool (decodes resources and smali, and rebuilds APKs). Official releases: https://github.com/iBotPeaches/Apktool/releases
Copy used in these notes:
https://mega.nz/folder/yNNBxA7b#csABkuIUaiGhBHoctbv1EQ
----------------------
JADX GUI (Dalvik bytecode to Java decompiler). Official releases: https://github.com/skylot/jadx/releases
Copy used in these notes:
https://mega.nz/file/7AEgybJQ#71Qp0BrjSiY_Pv4HYD5H3jfXIyfkspjlWX2gH7ahJRE
----------------------
drozer: Android security assessment and penetration testing framework (the console runs on the host, the agent app runs on the device). Official source: https://github.com/WithSecureLabs/drozer
Copies used in these notes:
Drozer installer:
https://mega.nz/file/KZdVUDwQ#90JXD9YNxL5pGLUgHzcxujv6KXVzVMicxUr88hHAF98
Drozer agent:
https://mega.nz/file/rJdXHbBL#fgkBM1SBwTEJHaK97XmuqqpYYt7z4SgivSB61t_Dnc0
----------------------
Burp Suite for Windows. Use the official build from PortSwigger; a cracked copy is untrusted code on the testing machine and is not needed here, since the Community Edition proxy is enough for this setup:
https://portswigger.net/burp/communitydownload
----------------------
Installation of MobSF on Kali (official repository: https://github.com/MobSF/Mobile-Security-Framework-MobSF):
https://allabouttesting.org/quick-tutorial-mobsf-installation-on-linux-windows/

----------------------------------------------------------------

Step 5: Set up the Burp Suite proxy:

Go to Settings.
Tap About phone and find Build number.
Tap Build number seven times to enable Developer options (USB debugging from Step 4 lives there).
Go to Wi-Fi and long-press the network you are connected to.
Tap Modify network.
Tap Show advanced options.
Set Proxy to Manual. In Proxy hostname enter your machine's IP address (on the stock Android emulator 10.0.2.2 reaches the host); for the proxy port choose any free port, here 8081.
In Burp Suite go to Proxy > Options > Add.
Add port 8081 and make sure to select "All interfaces", otherwise Burp listens only on 127.0.0.1 and the device cannot reach it.
Before capturing HTTPS traffic we need to install the Burp CA certificate on the Android virtual device:
Go to Proxy > Options > Import/export CA certificate.
Click Export > Certificate in DER format.
Click Next and save the certificate anywhere with the extension .cer.
Push the file to the virtual device:
//adb push cacert.cer /sdcard/
or configure an email account on the virtual device to receive the file.
Now go to Settings > Security > Install from SD card.
In the window that pops up select Internal Storage.
Browse to the location of cacert.cer.
Name the certificate cacert and click OK; if no lock screen PIN is set it will ask you to set one, set the PIN and click OK.
The PortSwigger CA is now installed as a user certificate.
Caveat: since Android 7, apps do not trust user-installed CAs unless their network security config opts in, so on a modern emulator most apps will still fail the TLS handshake even with the CA installed. Use an Android 6 image, install the CA into the system store on an emulator with a writable /system, or bypass the check at runtime with Frida (see the frida-server steps below).
Now open an app and check that its traffic shows up in Burp Suite.
(The screenshot that accompanied these notes, showing traffic from an app on a private HackerOne program, is not included here.)
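The Wi-Fi dialog and the user-certificate install above can be replaced with adb, and the Android 7+ user-CA problem can be sidestepped by placing Burp's CA in the system store. The script below is an added example, not part of the original notes: it sets the global HTTP proxy with `settings put global http_proxy`, converts Burp's DER export to PEM, names it `<subject_hash_old>.0` the way Android's system store expects, and pushes it to /system/etc/security/cacerts. It assumes adb and openssl on the host, Burp listening on all interfaces, and a Google APIs (non-Play) emulator started with `-writable-system`; HOST_IP, PORT and the file names are placeholders.

```shell
#!/bin/sh
# Added example: point the emulator at Burp and install Burp's CA as a system CA.
# Assumes adb + openssl on the host and an emulator started with -writable-system.
set -e

# Android system CA files are the PEM certificate stored as <subject_hash_old>.0.
system_ca_name() {
    pem="$1"
    hash=$(openssl x509 -inform PEM -in "$pem" -subject_hash_old -noout)
    echo "${hash}.0"
}

# Convert the DER export from Burp (Proxy > Options > Import/export CA certificate)
# to PEM and write it under its system-store name into out_dir. Prints the path.
prepare_system_ca() {
    der="$1"; out_dir="$2"
    pem="$out_dir/burp.pem"
    openssl x509 -inform DER -in "$der" -out "$pem"
    name=$(system_ca_name "$pem")
    cp "$pem" "$out_dir/$name"
    echo "$out_dir/$name"
}

# Global HTTP proxy: the same effect as Wi-Fi > Modify network > Proxy, without the UI.
# Use 10.0.2.2 as HOST_IP on the stock Android emulator to reach the host machine.
set_global_proxy()   { adb shell settings put global http_proxy "$1:$2"; }
clear_global_proxy() { adb shell settings put global http_proxy :0; }

# Copy the prepared CA into the system store. Needs a writable /system:
# on newer images run `adb disable-verity`, reboot, then `adb remount` works.
install_system_ca() {
    ca_file="$1"
    adb root
    adb remount
    adb push "$ca_file" /system/etc/security/cacerts/
    adb shell chmod 644 "/system/etc/security/cacerts/$(basename "$ca_file")"
    adb reboot
}

# Usage: HOST_IP=10.0.2.2 PORT=8081 sh burp_setup.sh install cacert.der ./out
if [ "${1:-}" = install ]; then
    ca=$(prepare_system_ca "${2:-cacert.der}" "${3:-.}")
    install_system_ca "$ca"
    set_global_proxy "${HOST_IP:-10.0.2.2}" "${PORT:-8081}"
fi
```

After the reboot the Burp CA appears under Settings > Security > Trusted credentials > System, and apps that reject user CAs accept it; apps that pin a specific certificate still need the Frida unpinning step. On Android 14 and later the system trust store moved into the Conscrypt APEX module and this simple copy no longer takes effect, so use Frida there. `clear_global_proxy` restores direct connectivity when you are done.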

----------------------------------------------------------------

Step 6: Download and configure frida-server:

Download the frida-server package for the Android device according to the device's architecture:
https://github.com/frida/frida/releases/
To find the architecture of the device run:
//adb shell getprop ro.product.cpu.abi
For an x86 or x86_64 emulator the assets are named as follows (12.4.7 is only the version current when these notes were written; always take the release matching your frida --version):
frida-server-12.4.7-android-x86.xz
frida-server-12.4.7-android-x86_64.xz
Decompress the archive, rename the binary to frida-server and push it to the device's temporary directory with adb:
$ adb push frida-server /data/local/tmp/
Make it executable (755 is enough; world-writable 777 is not needed):
$ adb shell "chmod 755 /data/local/tmp/frida-server"
Launch frida-server on the device as root (after adb root on a non-Play emulator image; on a rooted device use su -c "/data/local/tmp/frida-server &"):
$ adb shell "/data/local/tmp/frida-server &"
Verify that Frida is running by listing the processes on the USB-connected device:
$ frida-ps -U
Now we can bypass SSL pinning with a Frida script. The following command spawns the app and loads a multi-library unpinning script from Frida CodeShare:
$ frida --codeshare akabe1/frida-multiple-unpinning -U -f <package name>
Replace <package name> with the package name of the target application (for example com.example.app). -f spawns the app so the hooks are in place before its first connection; older Frida CLI versions also needed --no-pause after -f for the spawned app to resume.

Step 7: frida-server setup (the same push, done from the Windows side):

frida-server must be running on the device before we inject our script. Follow the steps below:
I. Push frida-server to the device:
Extract the frida-server-<version>-android-<arch> binary (here frida-server-12.4.7-android-x86) into the adb folder and rename it to "frida-server". Then run:
//adb push <path_to_frida_server_file> /data/local/tmp
//adb push C:\ADB\frida-server /data/local/tmp

Step 8: Give execute permission to frida-server:

//adb shell chmod 755 /data/local/tmp/frida-server
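The frida-server sections above (architecture lookup, download, push, permission, launch) are one procedure whose most common failure is a client/server version mismatch. The script below is an added example, not part of the original notes: it derives the asset name from the device ABI and the installed client version, checks that the two versions agree before pushing anything, and starts the server as root. It assumes adb, curl and xz on the host, the Python frida package from Step 2, and a rooted device or non-Play emulator reachable over adb; file names follow the real frida release naming.

```shell
#!/bin/sh
# Added example: pick, push and start the frida-server matching the pip-installed client.
# Assumes adb, curl, xz and the frida CLI on the host and a rooted device over adb.
set -e

# Map the device ABI string (ro.product.cpu.abi) to the release asset name.
# frida release assets use the arch names x86, x86_64, arm and arm64.
frida_asset_name() {
    version="$1"; abi="$2"
    case "$abi" in
        x86_64)               arch=x86_64 ;;
        x86)                  arch=x86 ;;
        arm64-v8a)            arch=arm64 ;;
        armeabi-v7a|armeabi)  arch=arm ;;
        *) echo "unsupported abi: $abi" >&2; return 1 ;;
    esac
    echo "frida-server-${version}-android-${arch}.xz"
}

# Compare the client version (output of `frida --version`) with the version
# embedded in a server asset name. A mismatch is why frida-ps -U fails with a
# protocol/version error, so refuse to continue in that case.
versions_match() {
    client="$1"; asset="$2"
    server=$(echo "$asset" | sed -n 's/^frida-server-\([0-9.]*\)-android-.*$/\1/p')
    [ -n "$server" ] && [ "$client" = "$server" ]
}

# Full procedure: detect ABI, download the matching asset, decompress, push, run as root.
setup_frida_server() {
    version=$(frida --version)
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')   # strip CR from Windows adb
    asset=$(frida_asset_name "$version" "$abi")
    versions_match "$version" "$asset"
    curl -fsSL -o "$asset" "https://github.com/frida/frida/releases/download/${version}/${asset}"
    xz -d -f "$asset"                     # leaves frida-server-<ver>-android-<arch> (7-Zip on Windows)
    bin="${asset%.xz}"
    adb push "$bin" /data/local/tmp/frida-server
    adb shell chmod 755 /data/local/tmp/frida-server
    # frida-server needs root: `adb root` works on non-Play emulator images;
    # on other rooted devices start it with su -c instead.
    adb root >/dev/null 2>&1 || true
    adb shell "nohup /data/local/tmp/frida-server >/dev/null 2>&1 &"
    sleep 1
    frida-ps -U | head -n 5               # a process list here means the pair is talking
}

# Usage: sh frida_setup.sh setup  (sourcing the file only defines the functions)
if [ "${1:-}" = setup ]; then
    setup_frida_server
fi
```

If `frida-ps -U` prints "unable to connect to remote frida-server" or a version error, re-run `frida --version` on the host and compare it with the binary on the device; the version check in the script exists precisely because the notes above mix 12.4.7 and 17.2.17, and those two will not talk to each other.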

----------------------------------------------------------------
