Understanding Vulnerabilities in Android OS Architecture
March 26, 2019
OWASP Top 10 – What are Different Types of XSS ?
April 17, 2019

March 29, 2019

Today we are going to learn about the Drozer!  The game changer tool for android Pentesting.  Drozer(Mercury) is the pentesting framework for the android. Drozer allow you to find security flaw in the app and devices. Drozer is developed by MWR info security. It works as a client-server model. You can download the Drozer.  You have to download drozer with agent.

Setting up drozer with Agent.

  • Open the Appie and the Genymotion Device.
  • Download Drozer Agent.
  • Install the drozer agent using command:  adb install agent.apk
  • Open the drozer application in the running emulator and start the embedded server via clicking the off button.
  • Embedded server will start on port 31415. Now we have to forward all commands of drozer client to drozer server through android debug Bridge.
  • Command for forward connection: adb forward tcp:31415 tcp:31415
  • Type drozer console connect command and it will open drozer .
  • Now type command: list it will show all pre-install module with their respected command .
  • If you want to know more about any module then you can use –help command.
  • Type command:  run app.service.info. It will show you more information about that module with their respected arguments .

Prerequisites(Reference: https://github.com/mwrlabs/drozer)

  1. Python2.7

Note: On Windows please ensure that the path to the Python installation and the Scripts folder under the Python installation are added to the PATH environment variable.

Note: On Windows please ensure that the path to javac.exe is added to the PATH environment variable.

Test Cases

  • Identify the Attack Surface

run app.package.attacksurface <<package name>>

  • Attacking on Activities via Launching Activities:

Activities list from a package
run app.activity.info -a <<package_name>>

To launch any selected activity
run app.activity.start –component <<package_name>> <<activity_name>>

That’s all for today.

Discover more from SecureLayer7 - Offensive Security, API Scanner & Attack Surface Management

Subscribe now to keep reading and get access to the full archive.

Continue reading

Enable Notifications OK No thanks