Android Penetration Test -Recon-

Kengo Suzuki
September 29, 2015

Transcript

  1. Slide 4

    Why you should do your own PenTest
    • Price: typically around ○万〜○万 yen
    • Wouldn't it be better to do it yourself as well?
    • Choosing which test items to run: put your resources into the information that matters
    • Smoother back-and-forth with the assessment team
    • You learn to talk about the Android framework
    • It can lead to a bit of pocket money
  2. Slide 9

    Gathering app information
    • What to collect
      • package information
      • Permission information
      • where the app stores its data
      • components with android:exported=true
      • etc.
    • Using drozer makes this easy
      • Android security assessment tool
      • Demo
  3. Slide 10

    Drozer

    # package
    dz> run app.package.list -f Maps
    com.google.android.apps.maps (Maps)

    # package information (including Permissions)
    dz> run app.package.info -f Maps
    Package: com.google.android.apps.maps
      Application Label: Maps
      Process Name: com.google.android.apps.maps
      Version: 8.4.1
      Data Directory: /data/data/com.google.android.apps.maps
      APK Path: /system/app/Maps/Maps.apk
      UID: 10073
      GID: [3003, 1028, 1015]
      Shared Libraries: null
      Shared User ID: com.google.android.apps.maps
      Uses Permissions:
      - android.permission.INTERNET
      ...
  4. Slide 11

    # exported Activities
    dz> run app.activity.info -a com.google.android.apps.maps
    Package: com.google.android.apps.maps
      com.google.android.maps.MapsActivity
        Permission: null
      com.google.android.maps.PlacesActivity
      ...

    # summary of components with android:exported=true
    dz> run app.package.attacksurface com.google.android.apps.maps
    Attack Surface:
      9 activities exported
      2 broadcast receivers exported
      1 content providers exported
      4 services exported
        Shared UID (com.google.android.apps.maps)
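The two drozer listings above are what a reviewer reads by hand; across many packages it is worth parsing them. The following is an added example, not code from the deck or from drozer: it parses the `app.activity.info` and `app.package.attacksurface` output formats shown on the slides and turns them into review items (exported activities with `Permission: null`, exported content providers, a shared user ID). The sample text and the `com.example.target` names are constructed for the example; the real tool output is pasted in their place.

```python
import re

# Constructed sample output, modelled on the `run app.activity.info -a <package>`
# listing shown on the slide. The package and activity names are invented.
SAMPLE_ACTIVITY_INFO = """\
Package: com.example.target
  com.example.target.MainActivity
    Permission: null
  com.example.target.DebugConsoleActivity
    Permission: null
  com.example.target.AdminActivity
    Permission: com.example.target.permission.ADMIN
"""

# Constructed sample output, modelled on `run app.package.attacksurface <package>`.
SAMPLE_ATTACK_SURFACE = """\
Attack Surface:
  3 activities exported
  2 broadcast receivers exported
  1 content providers exported
  0 services exported
    Shared UID (com.example.target)
"""


def parse_activity_info(text):
    """Return a list of (package, activity, permission) from app.activity.info output.

    drozer prints each exported activity followed by an indented 'Permission:' line;
    'null' means any app on the device may start the activity, so it is mapped to None.
    """
    entries = []
    package = None
    activity = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Package:"):
            package = line.split(":", 1)[1].strip()
        elif line.startswith("Permission:"):
            perm = line.split(":", 1)[1].strip()
            entries.append((package, activity, None if perm == "null" else perm))
            activity = None
        else:
            activity = line  # a component name line
    return entries


def unprotected_exported_activities(text):
    """Exported activities that no permission guards: the first review list in recon."""
    return [act for _, act, perm in parse_activity_info(text) if perm is None]


def parse_attack_surface(text):
    """Return ({component kind: exported count}, shared_uid_or_None)."""
    counts = {}
    shared_uid = None
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+?)\s+exported\s*$", line)
        if m:
            counts[m.group(2)] = int(m.group(1))
            continue
        m = re.match(r"\s*Shared UID \((.+)\)\s*$", line)
        if m:
            shared_uid = m.group(1)
    return counts, shared_uid


def triage(activity_text, surface_text):
    """Turn the two listings into review items. An item is a lead, not a confirmed bug:
    the launcher activity, for instance, is exported and unprotected by design."""
    counts, shared_uid = parse_attack_surface(surface_text)
    items = []
    for act in unprotected_exported_activities(activity_text):
        items.append(f"exported activity without a permission: {act}")
    providers = counts.get("content providers", 0)
    if providers:
        items.append(f"{providers} exported content provider(s): review read/write "
                     "and path permissions")
    if shared_uid:
        items.append(f"sharedUserId {shared_uid}: the app's data is shared with every "
                     "app signed by the same key that declares the same value")
    return items


if __name__ == "__main__":
    for item in triage(SAMPLE_ACTIVITY_INFO, SAMPLE_ATTACK_SURFACE):
        print(item)
```

Feeding the script the Maps output from the slides would list all nine exported activities; the point of the `Permission: null` check is to separate components that are reachable from any app on the device from those that at least require a permission, which is the order in which to read the manifest afterwards.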
  5. Slide 14

    Digging through logcat
    • Run the following in a terminal, then poke around in the app
      % adb logcat | egrep --color=auto -i 'cookie|token'
    • The fix is easy
      • Split logging by Build Variant, for example
      • Or take care of it with something like Timber and you're fine
    • Doing this wasn't all that much fun
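The `egrep -i 'cookie|token'` one-liner is the quick version of the check; it also matches words like "tokenizer" and prints the secret itself on the screen. The following is an added example, not code from the deck: it parses logcat lines in `threadtime` format, matches the secret value rather than the bare keyword, redacts it, and counts findings per log tag so the developer knows which logger to fix. The log lines, tags, PIDs and secret values are constructed for the example; the last line is a deliberate near-miss that the grep would flag and this scanner does not.

```python
import re
from collections import Counter

# Constructed logcat lines in `threadtime` format (what `adb logcat` prints by default
# on current Android); the tags, PIDs and secret values are invented. The last line is
# a deliberate near-miss: `egrep -i 'cookie|token'` flags it, the scanner should not.
SAMPLE_LOGCAT = """\
09-29 12:00:01.100  4321  4321 D OkHttp  : Set-Cookie: SESSIONID=8f3a9c1b2d4e5f6a7b8c; Path=/; HttpOnly
09-29 12:00:01.101  4321  4321 D OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
09-29 12:00:01.250  4321  4360 I MyApp   : login ok, access_token=abc123def456
09-29 12:00:02.000   812   812 I ActivityManager: Displayed com.example.target/.MainActivity: +312ms
09-29 12:00:02.500  4321  4321 V MyApp   : tokenizer initialised
"""

# date time PID TID level TAG : message
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.*?)\s*:\s(?P<msg>.*)$"
)

# Each pattern captures the secret value itself in group 1; the first kind that matches wins.
SECRET_PATTERNS = [
    ("cookie", re.compile(r"(?i)\b(?:set-)?cookie\s*[:=]\s*([^;\s]+)")),
    ("bearer token", re.compile(r"(?i)\bauthorization\s*[:=]\s*bearer\s+(\S+)")),
    ("jwt", re.compile(r"\b(eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)")),
    ("token", re.compile(r"(?i)\b(?:access_|refresh_|id_|api_|auth_)?token\s*[:=]\s*(\S+)")),
]


def redact(value):
    """Keep enough of the value to recognise it in a report without reproducing it."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_logcat(text):
    """Return one finding per leaking line: (tag, pid, kind, redacted value)."""
    findings = []
    for raw in text.splitlines():
        m = LOGCAT_LINE.match(raw)
        if not m:
            continue
        for kind, pattern in SECRET_PATTERNS:
            hit = pattern.search(m.group("msg"))
            if hit:
                findings.append((m.group("tag"), int(m.group("pid")), kind, redact(hit.group(1))))
                break
    return findings


def leaks_by_tag(findings):
    """Count findings per log tag: the tag names the logger that has to be fixed."""
    return Counter(tag for tag, _, _, _ in findings)


if __name__ == "__main__":
    found = scan_logcat(SAMPLE_LOGCAT)
    for tag, pid, kind, value in found:
        print(f"pid {pid} tag {tag}: {kind} -> {value}")
    print(dict(leaks_by_tag(found)))
```

In practice the input is `adb logcat -v threadtime` piped into the script while the app is exercised, as the slide describes; the per-tag counts point straight at the HTTP client logging interceptor or the app's own logger, which is where the Build Variant split or the Timber tree the slide recommends has to be applied.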
  6. Slide 17

    Network capture: the tcp part
    • Watch packets in real time with tcpdump, netcat and wireshark (demo)
      • tcpdump
      • netcat
      • wireshark
    ※ On the emulator these have to be installed separately
    ※ On a physical device, root is required
    ※ The emulator and a physical device have different CPU architectures, so take care when compiling
  7. Slide 19

    # on the device: write the capture to stdout and serve the stream on TCP port 12345
    [Kengo@Mac] ~ % adb shell "/data/local/tcpdump -w - | /data/local/netcat -l -p 12345"
    # on the host: forward local port 54321 to the device's 12345, connect, and hand the stream to wireshark on stdin
    [Kengo@Mac] ~ % adb forward tcp:54321 tcp:12345 && nc 127.0.0.1 54321 | sudo wireshark -k -S -i -
  8. Slide 21

    Network capture: the http(s) part
    • Local web proxy
      • Sniff the http(s) traffic between the browser and the web server
      • Tamper with parameters, signatures and the like at the local proxy
    • With OWASP ZAP, the move from Recon to Exploitation is easy
    Reference: http://www.slideshare.net/zakiss
  9. Slide 23

    Next time
    Planning, Scoping, Recon, Scanning, Exploitation, Reporting
    I'd like to try something around StageFright