Android Penetration Test -Recon-

Transcript

1. 
   !LFOHP4DBM "OESPJE
   1FO
   5FTU
   
   3FDPO
   
   

2. ࣗݾ঺հ ໊લ
   ླ໦ɹݚޗ
   UXJUUFS
   !LFOHP4DBM
   ʙɿηΩϡϦςΟΞφϦετ!๭4*FS
   ೥݄ɿ
   ϚωʔϑΥϫʔυೖࣾ
   ೥݄ʙ೥݄ɿ
   J04։ൃ
   ೥݄ʙ݄ɿ"OESPJE։ൃ
   ೥݄ʙ
   
   ηΩϡϦςΟతͳԿ͔ 

3. 1FO
   5FTUͱ͸ w 1FO FUSBUJPO
   5FTU
   w λʔήοτΞϓϦͷ੬ऑੑΛ࣮ࡍʹಥ͖ɺ৘ใͷऔಘ ΍վ᜵Λૂ͏ςετͷ͜ͱ
   w όά୳͠

   ςετ ͷҰछ 

4. ࣗલ1FO
   5FTUͷ͢ʍΊ w Ձ֨͸େମສʙສ͘Β͍
   w ࣗ෼Ͱ ΋ ΍ͬͨ΄͏͕Α͘Ͷʁ
   w ਍அ߲໨ͷऔࣺબ୒
   
   େࣄͳ৘ใʹϦιʔεΛ
   w

   ਍அ୲౰ऀͱͷ΍ΓऔΓͷḿΓ
   w "OESPJEͷϑϨʔϜϫʔΫʹ͍ͭͯޠΕΔ
   w ͓খݣ͍Ք͗ʹܨ͕Δ 

5. 1FO
   5FTU
   1IBTFT  1MBOOJOH
    4DPQJOH
    3FDPO
    4DBOOJOH
   

   &YQMPJUBUJPO
    3FQPSUJOH 

6. 3FDPOͱ͸ w 3FDPO OBJTBODF 
   ఁ࡯
   w ϦʔνՄೳͳ৘ใΛऩू͠ɺ੔ཧ͢ΔϑΣʔζ
   w ٕज़త৘ใ΋΋ͪΖΜ͕ͩɺλʔήοτͷ૊৫ਤɾϏ δωε಺༰ͱ͍ͬͨͱ͜Ζ΋λʔήοτ

   

7. 3FDPO!"OESPJE w ΞϓϦ৘ใऩऔ
   w MPHDBU୳͠
   w /FUXPSLΩϟϓνϟ 

8. 3FDPO!"OESPJE w ΞϓϦ৘ใऩर
   w MPHDBU୳͠
   w /FUXPSLΩϟϓνϟ 

9. ΞϓϦ৘ใऩू w ऩरର৅
   w QBDLBHF৘ใ
   w 1FSNJTTJPO৘ใ
   w σʔλͷஔ͖৔
   w

   BOESPJEFYQPSUFEUSVFͳίϯϙʔωϯτ
   w FUD
   w ESP[FSΛ࢖͏ͱϥΫ
   w "OESPJEηΩϡϦςΟɾΞηεϝϯτπʔϧ
   w σϞ 

10. %SP[FS  # package dz> run app.package.list -f Maps com.google.android.apps.maps

    (Maps) # package৘ใ(ؚΉPermission) dz> run app.package.info -f Maps Package: com.google.android.apps.maps Application Label: Maps Process Name: com.google.android.apps.maps Version: 8.4.1 Data Directory: /data/data/com.google.android.apps.maps APK Path: /system/app/Maps/Maps.apk UID: 10073 GID: [3003, 1028, 1015] Shared Libraries: null Shared User ID: com.google.android.apps.maps Uses Permissions: - android.permission.INTERNET...

11.  # android:exportedͳActivity dz> run app.activity.info -a com.google.android.apps.maps Package: com.google.android.apps.maps

    com.google.android.maps.MapsActivity Permission: null com.google.android.maps.PlacesActivity... # android:exported=trueͳίϯϙʔωϯταϚϦ dz> run app.package.attacksurface com.google.android.apps.maps Attack Surface: 9 activities exported 2 broadcast receivers exported 1 content providers exported 4 services exported Shared UID (com.google.android.apps.maps)

12. 3FDPO!"OESPJE w ΞϓϦ৘ใऩऔ
    w MPHDBU୳͠
    w /FUXPSLΩϟϓνϟ 

13. MPHDBU୳͠ w σόοά༻ʹ࣮૷͍ͯͨ͠MPHDBU͕ϦϦʔε༻ͷBQL ʹ࢒ͬͨ··
    ׌ͭMPHDBU͕ηϯγςΟϒͳ৘ใΛؚΜ ͰΔ৔߹
    w 
    ৘ใ࿙͍͑ͷνϟϯε
    

14. MPHDBU୳͠ w ԼهλʔϛφϧͰ࣮ߦͯ͠ɺΞϓϦΛ࿔ͬͱ͚͹͓̺
    % adb logcat | egrep --color=auto -i

    'cookie|token' w ରࡦ͸؆୯
    w #VJME7BSJBOUTͰΘ͚Δͱ͔
    w 5JNCFSͱ͔ͰͪΐΖͬͱରԠͯ͠Ε͹͓̺
    w ΍ͬͯͯͦΜͳʹָ͘͠ͳ͔ͬͨ 

15. 3FDPO!"OESPJE w ΞϓϦ৘ใऩऔ
    w MPHDBU୳͠
    w /FUXPSLΩϟϓνϟ 

16. /FUXPSLΩϟϓνϟ w τϥϑΟοΫΛ؍࡯ͯ͠ɺUDQपΓͷϓϩςΫγϣϯͷ ໰୊ɺαʔόαΠυଆͷมͳ࣮૷ɺηογϣϯϋϯυ ϦϯάͳͲͷ৘ใΛऩू͢Δ͜ͱ͕໨తɹ 

17. /FUXPSLΩϟϓνϟ
    UDQฤ  w UDQEVNQ
    
    OFUDBU
    
    XJSFTIBSLͰϦΞϧλΠϜʹύ έοτΛݟΔ σϞ
    w

    UDQEVNQ
    w OFUDBU
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    w XJSFTIBSL
    ˞ΤϛϡϨʔλʹ͸ผ్Πϯετʔϧ͕ඞཁ ˞࣮ػͷ৔߹ɺ3PPUԽ͕ඞཁ ˞ΤϛϡϨʔλͱ࣮ػ͸$16ΞʔΩςΫνϟ͕
    ҧ͏ͷͰɺίϯύΠϧ࣌ʹ஫ҙ͢Δ

18. ؀ڥਤ    GPSXBSE

19.  [Kengo@Mac] ~ % adb shell "./data/local/tcpdump -w - |

    /data/local/./ netcat -l -p 12345” % adb forward tcp:12345 tcp:54321 && nc 127.0.0.1 54321 | sudo wireshark -k -S -i lo0

20. w -ϨΠϠʔ·Ͱ͔͠Ұݟͯ͠Θ͔Βͳ͍
    w ηογϣϯϨϕϧͷ࿩ͳΒΘ͔Δ
    w Ͱ΋ΞϓϦͱαʔόͱͷಈ࡞͸ΠϚΠνΘ͔ΒΓʹ͍͘
    w )UUQT௨৴ΛݟΕͳ͍
    ϩʔΧϧ8FCϓϩΩγΛཱͯΔ UDQEVNQ
    

    
    OFUDBU
    
    XJSFTIBSLͷݶք 

21. /FUXPSL
    $BQUVSF
    IUUQ T ฤ  w ϩʔΧϧ8FCϓϩΩγ
    w ϒϥ΢β8FCαʔόؒͷIUUQ T ௨৴ΛεχοϑΟϯά͠
    

    w ύϥϝλ΍γάωνϟ౳Λվ᜵!ϩʔΧϧϓϩΩγͨ͠Γ
    w 08"41
    ;"1ͳΒ3FDPO͔Β&YQMPJUBUJPO΁ͷભҠָ͕Ͱ͢
    ࢀর
    IUUQXXXTMJEFTIBSFOFU[BLJTT

22.  ࢀর
    IUUQXXXTMJEFTIBSFOFU[BLJTT ͜Μͳײ͡

23. ࣍ճ༧ࠂ   1MBOOJOH
     4DPQJOH
     3FDPO
     4DBOOJOH
    

     &YQMPJUBUJPO
     3FQPSUJOH 
    4UBHF'MJHIUลΓΛ΍ͬͯΈΔ ͍ͨ

24. 5IBOL
    ZPV ઈࢍ࠾༻த