ip addr
Find your IP address, as highlighted in the image below.
To find your Android device, execute this command, replacing the IP address with the IP address you found above, including the CIDR suffix "/24".
netdiscover -r 172.16.123.155/24
Netdiscover finds the devices on your network. Find the one that is not from "VMware", as highlighted in the image below.
Execute this command to connect to your Android device, replacing the IP address with the IP address of the device you determined in the previous step.
adb connect 172.16.123.171
Adb connects, as shown below.
If you don't have a Drozer agent on your emulator, execute these commands to install one:
wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk
adb install drozer-agent-2.3.4.apk
adb forward tcp:31415 tcp:31415
The command completes without errors, as shown below.
drozer console connect
run app.package.info -a com.twitter.android
Information about the app appears, starting with general information as shown below.
At the end, there are three permissions the Twitter app defines, as shown below:
I was unable to find out what "READ_DATA" does in detail, but we can learn more about the other two permissions.
To see the app's components, execute this command:
run app.package.attacksurface com.twitter.android
Twitter uses several activities, "broadcast receivers", and services, but no "content providers", as shown below.
run app.activity.info -a com.twitter.android
We see that the AUTH_APP permission controls access to the AuthorizeAppActivity activity, as shown below.
run app.broadcast.info -a com.twitter.android
We see that the RESTRICTED permission controls access to the AppBroadcastReceiver receiver, as shown below.
run information.permissions --permission com.twitter.android.permission.READ_DATA
run information.permissions --permission com.twitter.android.permission.RESTRICTED
run information.permissions --permission com.twitter.android.permission.AUTH_APP
exit
As shown below, READ_DATA and RESTRICTED have the signature protection level, and AUTH_APP is marked as dangerous.
The signature-level permissions are only available to apps signed with the same certificate, and the dangerous permission will pop a box up, requesting permission from the user.
Execute these commands to do that.
apt update
apt install openjdk-8-jdk -y
If an "Outdated processor microcode" box appears, press Enter.
Execute this command to reboot Kali.
reboot
Execute this command to select the default version of javac, the Java compiler:
update-alternatives --config javac
Find "java-8" on the list and select it. When I did it, that was item 2, as shown below.
Execute this command to select the default version of java:
update-alternatives --config java
Find "java-8" on the list and select it. When I did it, that was item 2, as shown below.
drozer agent build --permission \
com.twitter.android.permission.READ_DATA \
com.twitter.android.permission.RESTRICTED \
com.twitter.android.permission.AUTH_APP
The agent is built and placed in the /tmp directory. Note the path to the agent, highlighted in the image below.
adb connect 172.16.123.171
Adb connects, as shown below.
adb logcat -c
adb logcat | grep perm
Leave this window running, as shown below.
In the second command, adjust the path to lead to the APK file you built previously with Drozer.
adb uninstall com.mwr.dz
adb install /tmp/tmpzXbifs/agent.apk
The agent installs, as shown in the upper window in the image below.
The log shows that the app was not granted these two permissions:
This makes sense, because those are signature-level permissions, and the Drozer agent is not signed with the Twitter certificate.
adb uninstall com.mwr.dz
adb uninstall com.twitter.android
The operations succeed, as shown below.
drozer agent build --define-permission \
com.twitter.android.permission.READ_DATA normal \
com.twitter.android.permission.RESTRICTED normal \
com.twitter.android.permission.AUTH_APP normal --permission \
com.twitter.android.permission.READ_DATA \
com.twitter.android.permission.RESTRICTED \
com.twitter.android.permission.AUTH_APP
The agent is built and placed in the /tmp directory. Note the path to the agent, highlighted in the image below.
In the second command, adjust the path to lead to the APK file you built previously with Drozer.
adb install /tmp/tmp_URMcR/agent.apk
The agent installs, as shown below.
If you are using Android 5.0 or above, the installation should fail with the error message shown below.
Find the text covered by a green box in the image above. Enter it into the form below to record your success.
I used the one shown below.
You can't use the Gapps button to install Google Play. Instead, you need to install these two components one by one, rebooting after each installation.
https://samsclass.info/128/proj/Genymotion-ARM-Translation_v1.1.zip
https://samsclass.info/128/proj/gapps-jb-20130813-signed.zip
Then repeat the project. This time Twitter will install.
Launch the Drozer agent, configure port forwarding, and execute these commands to see Twitter's protection levels:
drozer console connect
run information.permissions --permission com.twitter.android.permission.READ_DATA
run information.permissions --permission com.twitter.android.permission.RESTRICTED
run information.permissions --permission com.twitter.android.permission.AUTH_APP
exit
The permissions are all normal, as shown below.
Find the text covered by a green box in the image above. Enter it into the form below to record your success.
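The final protection-level check can also be automated on the defender's side. The Python script below is an added example, not part of the original lab or of Drozer: it parses text in the layout of `adb shell pm list permissions -f` and reports any of the three Twitter permissions whose defining package or protection level differs from what the first `information.permissions` run showed. The sample listing is constructed, and the function names are hypothetical.

```python
LEVEL_RANK = {"normal": 0, "dangerous": 1, "signature": 2}  # weakest to strongest

# Owner and level the page reports for Twitter's permissions before any squatting.
EXPECTED = {
    "com.twitter.android.permission.READ_DATA": ("com.twitter.android", "signature"),
    "com.twitter.android.permission.RESTRICTED": ("com.twitter.android", "signature"),
    "com.twitter.android.permission.AUTH_APP": ("com.twitter.android", "dangerous"),
}

# Constructed sample in the layout of `pm list permissions -f`, modelling the lab's
# end state: the agent package (com.mwr.dz) defined all three permissions as normal.
SAMPLE_SQUATTED = "".join(
    f"+ permission:{p}\n  package:com.mwr.dz\n  label:null\n"
    f"  description:null\n  protectionLevel:normal\n" for p in EXPECTED
)

def parse_permissions(listing):
    """Return {permission: {"package": ..., "protectionLevel": ...}} from the listing."""
    perms, current = {}, None
    for raw in listing.splitlines():
        key, sep, value = raw.strip().lstrip("+ ").partition(":")
        if key == "permission" and sep:
            current = perms.setdefault(value.strip(), {})
        elif current is not None and key in ("package", "protectionLevel"):
            current[key] = value.strip()
    return perms

def audit(listing, expected=EXPECTED):
    """Flag permissions defined by the wrong package or at a weaker level than expected."""
    perms, findings = parse_permissions(listing), []
    for name, (owner, level) in expected.items():
        info = perms.get(name)
        if info is None:
            continue  # permission not defined on this device
        definer = info.get("package", "?")
        actual = info.get("protectionLevel", "?").split("|")[0]  # drop flags such as |privileged
        if definer != owner:
            findings.append((name, "definer", definer))
        if LEVEL_RANK.get(actual, -1) < LEVEL_RANK[level]:
            findings.append((name, "level", actual))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SQUATTED):
        print(finding)
```

An empty result means each permission is still defined by com.twitter.android at its original level. Any finding indicates that another package defined the permission first or that its level was lowered.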