Installing and Using Drozer, the Android Penetration Testing Framework

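I. Introduction

Drozer, formerly named Mercury, is an open-source security testing framework for Android.
Drozer is written in Python. Users can write their own modules in Python, and many good third-party security testing modules are also available. Another well-known framework, Androguard, was developed on top of Drozer.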

Official site: https://labs.mwrinfosecurity.com/tools/drozer/
GitHub: https://github.com/mwrlabs/drozer

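II. Installation

The official site provides drozer builds for three platforms: Debian/Ubuntu, RPM, and Windows.
My installation environment: Windows 7 64-bit, Python 2.7, JDK 1.6.

Installing Drozer on Windows has several pitfalls:

  1. JDK version: it must be JDK 1.6;

  2. Installation paths of the JDK and drozer: they must not contain spaces, otherwise an error is reported. The fix is as follows: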
    Problem:
    Could not find java. Please ensure that it is installed and on your PATH.
    If this error persists, specify the path in the ~/.drozer_config file:
    [executables]
    java = C:\path\to\java
    Solution:
    [executables]
    java = C:\ProgramFiles\Java\jdk1.8.0_71\bin\java.exe
    javac = C:\ProgramFiles\Java\jdk1.8.0_71\bin\javac.exe
    Write the paths to java.exe and javac.exe in the format above and save them in a file named 1.drozer_config. Rename the file to .drozer_config with "rename 1.drozer_config .drozer_config", then save the .drozer_config file in the "c:\users\<your username>" folder.

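  3. Drozer agent version: I installed the latest Windows version of Drozer, 2.3.4, but with that version's agent.apk, running certain modules (such as scanner.provider.finduris) crashes the app. Following articles found online, version 2.3.3 of agent.apk runs without problems; finding the exact cause would probably require reading the source code.

    agent.apk version 2.3.3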

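III. Usage

  1. Establishing a connection
    There are several ways to connect to the agent on the phone; the procedure described here uses a USB cable:
    (1) Open the agent on the phone and enable its port
    (2) On the PC, run "adb forward tcp:31415 tcp:31415" to forward the port
    (3) On the PC, run "drozer.bat console connect" to enter interactive mode with the agent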

  2. Common commands
    dz> list                       List all modules
    dz> run app.package.list       Run the app.package.list module
    dz> run app.package.list -h    Show usage and all parameters of the app.package.list module

  3. Drozer's built-in default modules:

No. Module name Function
1 app.activity.forintent Find activities that can handle the given intent
2 app.activity.info Gets information about exported activities
3 app.activity.start Start an Activity
4 app.broadcast.info Get information about broadcast receivers
5 app.broadcast.send Send broadcast using an intent
6 app.broadcast.sniff Register a broadcast receiver that can sniff particular intents
7 app.package.attacksurface Get attack surface of package
8 app.package.backup Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)
9 app.package.debuggable Find debuggable packages
10 app.package.info Get information about installed packages
11 app.package.launchintent Get launch intent of package
12 app.package.list List Packages
13 app.package.manifest Get AndroidManifest.xml of package
14 app.package.native Find Native libraries embedded in the application
15 app.package.shareduid Look for packages with shared UIDs
16 app.provider.columns List columns in content provider
17 app.provider.delete Delete from a content provider
18 app.provider.download Download a file from a content provider that supports files
19 app.provider.finduri Find referenced content URIs in a package
20 app.provider.info Get information about exported content providers
21 app.provider.insert Insert into a Content Provider
22 app.provider.query Query a content provider
23 app.provider.read Read from a content provider that supports files
24 app.provider.update Update a record in a content provider
25 app.service.info Get information about exported services
26 app.service.send Send a Message to a service, and display the reply
27 app.service.start Start Service
28 app.service.stop Stop Service
29 auxiliary.webcontentresolver Start a web service interface to content providers
30 exploit.jdwp.check Open @jdwp-control and see which apps connect
31 exploit.pilfer.general.apnprovider Reads APN content provider
32 exploit.pilfer.general.settingsprovider Reads Settings content provider
33 information.datetime Print Date/Time
34 information.deviceinfo Get verbose device information
35 information.permissions Get a list of all permissions used by packages on the device
36 scanner.activity.browsable Get all BROWSABLE activities that can be invoked from the web browser
37 scanner.misc.native Find native components included in packages
38 scanner.misc.readablefiles Find world-readable files in the given folder
39 scanner.misc.secretcodes Search for secret codes that can be used from the dialer
40 scanner.misc.sflagbinaries Find suid/sgid binaries in the given folder (default is /system)
41 scanner.misc.writablefiles Find world-writable files in the given folder
42 scanner.provider.finduris Search for content providers that can be queried from our context
43 scanner.provider.injection Test content providers for SQL injection vulnerabilities
44 scanner.provider.sqltables Find tables accessible through SQL injection vulnerabilities
45 scanner.provider.traversal Test content providers for basic directory traversal vulnerabilities
46 shell.exec Execute a single Linux command
47 shell.send Send an ASH shell to a remote listener
48 shell.start Enter into an interactive Linux shell
49 tools.file.download Download a File
50 tools.file.md5sum Get md5 Checksum of file
51 tools.file.size Get size of file
52 tools.file.upload Upload a File
53 tools.setup.busybox Install Busybox
54 tools.setup.minimalsu Prepare ‘minimal-su’ binary installation on the device
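
A pre-flight check for the two setup points above (pitfall 2 of the installation and step (2) of the connection), added here as an example and not part of the original post or of drozer itself. It assumes Python 3 run separately from drozer's Python 2.7 environment; the function names are hypothetical.

```python
import configparser
import socket

def check_drozer_config(text, exists):
    """Return a list of problems found in the text of a .drozer_config file.

    `exists` is a callable such as os.path.isfile, used to test each path.
    Checks the two keys set in the fix above: java and javac."""
    parser = configparser.RawConfigParser()  # raw: no % interpolation in paths
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ["cannot parse config: %s" % exc]
    if not parser.has_section("executables"):
        return ["missing [executables] section"]
    problems = []
    for key in ("java", "javac"):
        if not parser.has_option("executables", key):
            problems.append("%s: not set" % key)
            continue
        path = parser.get("executables", key)
        if " " in path:  # the pitfall described in the installation section
            problems.append("%s: path contains a space: %s" % (key, path))
        if not exists(path):
            problems.append("%s: file not found: %s" % (key, path))
    return problems

def local_port_open(host="127.0.0.1", port=31415, timeout=2.0):
    """True if something accepts TCP connections on the forwarded port.

    With adb forward this only shows that the local listener exists; it does
    not prove that the agent's server is switched on in the phone app."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    import os
    cfg = os.path.join(os.path.expanduser("~"), ".drozer_config")
    if os.path.isfile(cfg):
        with open(cfg) as fh:
            for problem in check_drozer_config(fh.read(), os.path.isfile):
                print("config:", problem)
    else:
        print("config: %s not found" % cfg)
    print("local port 31415 open:", local_port_open())
```

If the port check fails, repeat the adb forward step before running "drozer.bat console connect".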
