How to work with Drozer (Penetration Testing Tool Mobile)

Hey everyone. In this post, we will look at Drozer and how it can be used to pen-test an Android application. For that, we need the following things:

  1. A mobile device or emulator (rooted preferred) with debugging mode on.

  2. The Drozer agent needs to be installed on the device. (Drozer Agent link).

  3. The Drozer framework can run on any platform (Windows/Linux). I used Android Tamer (which contains all the tools for mobile penetration testing).
    Visit https://sourceforge.net/projects/androidtamer/files/latest/download to download Android Tamer and install it in VirtualBox.

  4. A vulnerable Android app to test against. I took DIVA Android (Damn Insecure and Vulnerable App for Android); it can be downloaded from https://github.com/payatu/diva-android.

Now start Android Tamer in VirtualBox and connect the device to it. After connecting, check the connection by typing adb devices. You will now be able to see your device number and name on the screen.

Steps to proceed further in the analysis of the Android application:

  1. Start the Drozer agent on the mobile device and turn it on (there is an option to turn on the server in the app).


  2. Now move to Android Tamer, open the terminal and execute the following commands:

    1. adb forward tcp:31415 tcp:31415 to connect the mobile device and the Drozer server.

    2. drozer console connect to open the Drozer console and work in it.

    3. list to list the Drozer modules.

    4. run app.package.list to list all applications installed on the mobile device.

    5. run app.package.list -f diva to search for an app by string; here diva is the app name.

    6. run app.package.info -a jakhar.aseem.diva to see package information; here jakhar.aseem.diva is the package name.

    7. run app.package.attacksurface jakhar.aseem.diva to identify the attack surface.

    8. run app.activity.info -a jakhar.aseem.diva to check whether the activities are exported or not.

    9. run app.activity.start --component (package name) (component name) to start the activity on the mobile device.

      • run app.activity.start --component jakhar.aseem.diva jakhar.aseem.diva.APICredsActivity

  3. Drozer has many more commands with which we could exploit the application further. Search for more commands.
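The exported-component check from steps 7 and 8 can also be run on the developer side, against the app's own manifest before release. The following is an added example, not code from this post or from Drozer: it assumes the AndroidManifest.xml has already been decoded to text XML (for example with apktool), and the sample manifest, the com.example.notes package and all component names in it are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest in decoded text form; every name is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".ApiKeysActivity">
      <intent-filter><action android:name="com.example.notes.VIEW_KEYS"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.notes.SYNC"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes" android:exported="true"/>
  </application>
</manifest>"""

def exported_components(manifest_xml):
    """Return (tag, full_name, permission) for each exported component."""
    root = ET.fromstring(manifest_xml)
    package, app = root.get("package", ""), root.find("application")
    found = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        flag = comp.get(ANDROID + "exported")
        if flag is None:
            # No explicit flag: an intent-filter exports the component (the
            # default before Android 12). Providers assumed to target API 17+.
            exported = comp.tag != "provider" and comp.find("intent-filter") is not None
        else:
            exported = flag == "true"
        if exported:
            name = comp.get(ANDROID + "name", "")
            name = package + name if name.startswith(".") else name
            # A permission on <application> applies when the component sets none.
            perm = comp.get(ANDROID + "permission") or app.get(ANDROID + "permission")
            found.append((comp.tag, name, perm))
    return found

def unprotected(manifest_xml):
    """Exported components that no permission guards; review these first."""
    return [(tag, name) for tag, name, perm in exported_components(manifest_xml) if perm is None]

if __name__ == "__main__":
    print(*unprotected(SAMPLE_MANIFEST), sep="\n")
```

Components listed by unprotected() are the ones any other app on the device can start or query; each should either set android:exported="false" or require a permission.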

