I. Introduction to Drozer
Drozer is an Android security testing framework developed by MWR Labs and one of the best Android security testing tools available today. Its official documentation says: "Drozer allows you to assume the identity of an ordinary Android app and interact with other apps and the operating system." The web world already has many security testing tools: we simply give them a target and they automatically produce a security test report for us. Drozer is different from such automated scanners; it is an interactive security testing tool. When testing with Drozer, the user types commands on their own workstation, and Drozer sends those commands to an agent running on the Android device for execution.
II. Downloading Drozer
Required environment:
Windows 10 Pro 1803
MEmu Android emulator 5.6.1 (download)
(I first tried the Nox emulator, but found that the run app.package.list command showed no installed packages, so I switched to MEmu; you can try other emulators yourself.)
Python 2.7.14 (download)
drozer-2.4.4.win32.msi (official page)
You need to download a Windows client and an Android client:
1. [Windows client] Download the drozer (msi) installer, or the Python wheel package drozer (Python .whl)
2. [Android client] drozer (Agent .apk only)
- drozer user guide (mwri-drozer-user-guide-2015-03-23.pdf)
- drozer project on GitHub (https://github.com/mwrlabs/drozer)
III. Basic configuration and troubleshooting
1. Install and run the drozer Agent app in the MEmu emulator and turn on the Embedded Server.
2. Open a command prompt, cd into the emulator's installation directory (D:\Program Files\Microvirt\MEmu), and run the adb devices command to check that the emulator is visible. If it is not, try restarting the emulator.
3. Use adb to forward port 31415, the port the drozer Agent uses (see above), then enter the drozer console:
adb forward tcp:31415 tcp:31415
drozer console connect
4. Python errors
Error 1: ImportError: No module named google.protobuf
Fix: pip install protobuf
Error 2: ImportError: No module named OpenSSL
Fix: pip install pyOpenSSL
Error 3: drozer Server requires Twisted to run.
Run 'pip install twisted' to fetch this dependency.
Fix: pip install twisted
Warning 1: UserWarning: You do not have a working installation of the service_identity module: 'No module named service_identity'. Please install it from https://pypi.python.org/pypi/service_identity and make sure all of its dependencies are satisfied.
Fix: pip install service_identity
5. Check that drozer works
Change to the drozer installation directory (C:\Python27\Scripts) and run the drozer.bat script (C:\Python27\Scripts>drozer). Then use the list command to show all of drozer's modules; if they display correctly, drozer is installed properly.
dz> list
app.activity.info Gets information about exported activities.
app.activity.start Start an Activity
app.broadcast.info Get information about broadcast receivers
app.broadcast.send Send broadcast using an intent
app.broadcast.sniff Register a broadcast receiver that can sniff
particular intents
app.package.attacksurface Get attack surface of package
app.package.backup Lists packages that use the backup API (returns true
on FLAG_ALLOW_BACKUP)
app.package.debuggable Find debuggable packages
app.package.info Get information about installed packages
app.package.launchintent Get launch intent of package
app.package.list List Packages
app.package.manifest Get AndroidManifest.xml of package
app.package.native Find Native libraries embedded in the application.
app.package.shareduid Look for packages with shared UIDs
app.provider.columns List columns in content provider
app.provider.delete Delete from a content provider
app.provider.download Download a file from a content provider that
supports files
app.provider.finduri Find referenced content URIs in a package
app.provider.info Get information about exported content providers
app.provider.insert Insert into a Content Provider
app.provider.query Query a content provider
app.provider.read Read from a content provider that supports files
app.provider.update Update a record in a content provider
app.service.info Get information about exported services
app.service.send Send a Message to a service, and display the reply
app.service.start Start Service
app.service.stop Stop Service
auxiliary.webcontentresolver
Start a web service interface to content providers.
exploit.jdwp.check Open @jdwp-control and see which apps connect
exploit.pilfer.general.apnprovider
Reads APN content provider
exploit.pilfer.general.settingsprovider
Reads Settings content provider
information.datetime Print Date/Time
information.deviceinfo Get verbose device information
information.permissions Get a list of all permissions used by packages on
the device
scanner.activity.browsable Get all BROWSABLE activities that can be invoked
from the web browser
scanner.misc.native Find native components included in packages
scanner.misc.readablefiles Find world-readable files in the given folder
scanner.misc.secretcodes Search for secret codes that can be used from the
dialer
scanner.misc.sflagbinaries Find suid/sgid binaries in the given folder (default
is /system).
scanner.misc.writablefiles Find world-writable files in the given folder
scanner.provider.finduris Search for content providers that can be queried
from our context.
scanner.provider.injection Test content providers for SQL injection
vulnerabilities.
scanner.provider.sqltables Find tables accessible through SQL injection
vulnerabilities.
scanner.provider.traversal Test content providers for basic directory traversal
vulnerabilities.
shell.exec Execute a single Linux command.
shell.send Send an ASH shell to a remote listener.
shell.start Enter into an interactive Linux shell.
tools.file.download Download a File
tools.file.md5sum Get md5 Checksum of file
tools.file.size Get size of file
tools.file.upload Upload a File
tools.setup.busybox Install Busybox.
tools.setup.minimalsu Prepare 'minimal-su' binary installation on the
device.
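As an added example (not from the original post or from the drozer project), the following Python script automates the preflight part of steps 2 to 4: it checks that the four Python modules whose ImportErrors are listed in step 4 actually import, parses adb devices output to confirm the emulator is visible, and builds the port 31415 forward pinned to that device before drozer console connect is run.

```python
import importlib
import subprocess

# Import name from the ImportError -> pip package that fixes it (step 4 above).
REQUIRED_MODULES = {
    "google.protobuf": "protobuf",
    "OpenSSL": "pyOpenSSL",
    "twisted": "twisted",
    "service_identity": "service_identity",
}
DROZER_PORT = 31415  # port the drozer Agent's Embedded Server listens on


def missing_modules(required=REQUIRED_MODULES):
    """Return the pip packages to install for every module that fails to import."""
    missing = []
    for module, package in sorted(required.items()):
        try:
            importlib.import_module(module)
        except ImportError:
            missing.append(package)
    return missing


def parse_adb_devices(output):
    """Return serials in state 'device' from `adb devices` output; the header line
    is skipped and 'offline'/'unauthorized' entries are dropped, since adb forward
    would fail against them."""
    serials = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def forward_command(serial, port=DROZER_PORT):
    """Build the adb forward command pinned to one device with -s, so a phone and
    an emulator attached at the same time cannot make it forward to the wrong one."""
    return ["adb", "-s", serial, "forward", "tcp:%d" % port, "tcp:%d" % port]


if __name__ == "__main__":
    pkgs = missing_modules()
    if pkgs:
        print("pip install " + " ".join(pkgs))
    devices = parse_adb_devices(subprocess.check_output(["adb", "devices"]).decode())
    if not devices:
        print("no emulator visible to adb; restart the emulator and retry")
    else:
        print(" ".join(forward_command(devices[0])))
        print("drozer console connect")
```

Run it from the same prompt you use for adb; it prints the pip install line for whatever is still missing, then the exact adb forward command for the visible emulator.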