🧙
Pentesting & Red Teaming Notes
  • Windows
    • Recon - Initial Access
    • Privilege Escalation
      • Enable Privs
      • SeBackupPrivilege
      • SeImpersonatePrivilege
      • SeDebugPrivilege
    • Kerberoasting
    • Lateral Movement
    • MSSQL
    • AD Related
    • Bypass-Evasion Techniques
    • Post Exploitation
    • Miscellaneous
    • UAC Bypass
    • Exploits
      • MS03-026 - RPC DCOM
      • MS04-011 - LSASRV
      • MS08-67 - Netapi
      • MS17-010 - Eternalblue
      • CVE-2019-1388
      • CVE-2020-1472 - Zerologon
      • CVE-2020-16938
      • CVE-2021-1675 - PrintNightmare
      • CVE-2022-21999 - SpoolFool
    • Coerced Auth
  • Linux
  • Abusing Active Directory ACLs
    • ReadLAPSPassword
    • WriteDacl
    • GenericWrite
    • ForceChangePassword
    • WriteOwner
  • Port Forwarding - Tunneling
  • Cloud
  • Mobile
  • Malware Development
    • Process Migration
    • Process Hollowing
    • Dynamic API Resolution
    • Suspended Threads
    • PPID Spoofing
    • Thread Stack Spoofing
    • ETW (Event Tracing for Windows)
    • AMSI Bypass
    • Tools
    • Esoteric
Powered by GitBook
On this page
  • Static Analysis
  • Dynamic Analysis
  • System level certificate installation
  • Setting up proxy using ADB
  • Currently focused activity
  • Focusing / Starting another activity
  • List activities of an APK
  • Mobile Vulnerabilities & What to check
  • OWASP Top 10

Mobile

Static Analysis

  • jdgui http://java-decompiler.github.io/

  • apktool https://ibotpeaches.github.io/Apktool/

  • dex2jar https://github.com/pxb1988/dex2jar

  • jadx https://github.com/skylot/jadx

Dynamic Analysis

Set a proxy Install the certificate and you are ready to go

System level certificate installation

  • Export your Burp Certificate Proxy > Options > CA Certificate > Export in DER format

  • Convert it to PEM openssl x509 -inform der -in cacert.der -out burp.pem

  • Rename it with its checksum mv burp.pem $(openssl x509 -inform PEM -subject_hash_old -in burp.pem | head -1)".0"

  • Mount a writeable system adb shell "mount -o rw,remount /system"

  • Upload the certificate adb push <generated.0> /system/etc/security/cacerts/ adb push 9a5ba575.0 /system/etc/security/cacerts/

  • Reboot the vm adb reboot

Setting up proxy using ADB

Setting up a proxy

  • adb shell settings put global http_proxy <proxy ip>:<proxy port>

Flushing the proxy setting

  • adb shell settings delete global http_proxy

Currently focused activity

vbox86p:/ # dumpsys window windows | grep -E 'mCurrentFocus|mFocusedApp'
  mCurrentFocus=Window{dbfa51e u0 com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.auth.onboarding.OnboardingActivity}
  mFocusedApp=AppWindowToken{f6705a0 token=Token{2e6bea3 ActivityRecord{4b7dd2 u0 com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.auth.onboarding.OnboardingActivity t10}}}
vbox86p:/ # dumpsys window displays | grep -E "mCurrentFocus"
  mCurrentFocus=Window{36941bb u0 com.block.juggle/org.cocos2dx.javascript.AppActivity}

Focusing / Starting another activity

am start -n com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.upload.FileUploadActivity

List activities of an APK

127|vbox86p:/ # dumpsys package | grep -Eo "^[[:space:]]+[0-9a-f]+[[:space:]]+com.mailchimp.mailchimp/[^[:space:]]+" | grep -oE "[^[:space:]]+$" | sort -u
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.RescheduleReceiver
com.mailchimp.mailchimp/com.google.firebase.iid.FirebaseInstanceIdReceiver
com.mailchimp.mailchimp/com.google.firebase.messaging.FirebaseMessagingService
com.mailchimp.mailchimp/com.mailchimp.android.mcm.fcm.MCMFirebaseInstanceIDService
com.mailchimp.mailchimp/com.mailchimp.android.mcm.fcm.MCMFirebaseMessagingService
com.mailchimp.mailchimp/com.mailchimp.android.mcm.shortcut.ShortcutLauncherActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.auth.splash.SplashActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.upload.FileUploadActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.widgets.addsubscribers.AddSubscriberWidgetConfigureActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.widgets.addsubscribers.AddSubscriberWidgetProvider
com.mailchimp.mailchimp/com.mailchimp.android.mcm.widgets.recentcampaign.RecentCampaignWidgetConfigureActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.widgets.recentcampaign.RecentCampaignWidgetProvider
com.mailchimp.mailchimp/io.branch.referral.InstallListener
morph3 ➜ /tmp/ λ aapt list -a $wd/../Downloads/mailchimp-marketing-crm-to-grow-your-business_5.47.0\(21380\).apk | sed -n '/ activity /{:loop n;s/^.*android:name.*="\([^"]\{1,\}\)".*/\1/;T loop;p;t}' | sort -u
com.google.android.gms.auth.api.signin.internal.SignInHubActivity
com.google.android.gms.common.api.GoogleApiActivity
com.google.android.libraries.places.widget.AutocompleteActivity
com.jakewharton.processphoenix.ProcessPhoenix
com.mailchimp.android.mcm.LocalApiKeyActivity
com.mailchimp.android.mcm.shortcut.ShortcutLauncherActivity
com.mailchimp.android.mcm.ui.NewTaskSingleFragmentActivity
com.mailchimp.android.mcm.ui.SingleFragmentActivity
com.mailchimp.android.mcm.ui.auth.onboarding.OnboardingActivity
com.mailchimp.android.mcm.ui.auth.splash.AsyncSplashActivity
com.mailchimp.android.mcm.ui.auth.splash.IntroActivity
com.mailchimp.android.mcm.ui.home.detail.ad.AdEditingActivity
com.mailchimp.android.mcm.ui.neapolitan.MobileNeapolitanActivity
com.mailchimp.android.mcm.ui.signup.SignUpActivity
com.mailchimp.android.mcm.ui.upload.FileUploadActivity
com.mailchimp.android.mcm.widgets.AccountVerificationForwardingActivity
com.mailchimp.android.mcm.widgets.addsubscribers.AddSubscriberWidgetConfigureActivity
com.mailchimp.android.mcm.widgets.recentcampaign.RecentCampaignWidgetConfigureActivity
com.yalantis.ucrop.UCropActivity

Mobile Vulnerabilities & What to check

OWASP Top 10

  • M1 Improper Platform Usage

    • Misconfigurations in AndroidManifest.xml

  • M2 Insecure Data Storage

    • If an app storages a data on the external storage insecurely. SQL Databases, XML files, Log files, Cookie storages, Binary Data etc.

  • M3 Insecure Communication

    • Clear text communication, communication without SSL

  • M4 Insecure Authentication

    • Insecure 2FA implementations, 2FA bypass.

    • If you can access to an API without authorization.

    • OTP bypass, Client side bypasses. For example you can manipulate the response of the server and bypass the 2FA or OTP.

  • M5 Insufficient Cryptography

    • Incorrent encryption, using encoding.

  • M6 Insecure Authorization

    • IDORs

  • M7 Client Code Quality

    • Client side sql injection, buffer overflows, XSS.

  • M8 Code Tampering

    • For example, cracking a free aplication to a premium one.

  • M9 Reverse Engineering

    • Sensitive informations, strings etc.

  • M10 Extraneous Functionality

    • For example, developer forgots an external functionality on the app.

    • Leftover backdoor, debug parameter etc.

PreviousCloudNextMalware Development

Last updated 12 months ago