Blog

Android Supply Chain Validation Cheat Sheet

Several different tools and techniques are available for Android to enumerate software and configurations, allowing you to begin to validate the software on devices. This cheat sheet is based on the work performed on Android TV devices (we documented our steps in the post Android TV Devices: Pre-0wned Supply Chain Security Threats).

The information gathered with the commands below does not by itself validate the supply chain; it provides data that can be used for manual validation. Because there are many Android versions and device configurations, the commands may not work exactly as shown here. How much of the data you can collect depends heavily on whether or not you are able to “root” the Android device.

Adb (Android Debugger) Commands

$ adb connect 192.168.1.150
connected to 192.168.1.150:5555

$ adb devices -l
List of devices attached
192.168.1.150:5555     device product:walley model:MBOX device:walleye transport_id:1

$ adb shell
walleye:/ $ 

$ adb root
restarting adbd as root

$ adb shell
walleye:/ # 

$ adb shell pm list packages -f

package:/system/app/TvdVideo/TvdVideo.apk=com.softwinner.TvdVideo
package:/system/priv-app/CtsShimPrivPrebuilt/CtsShimPrivPrebuilt.apk=com.android.cts.priv.ctsshim
package:/system/priv-app/GoogleExtServices/GoogleExtServices.apk=com.google.android.ext.services
package:/data/app/com.google.android.katniss-cge_xXeW17WhrGeW3nufDg==/base.apk=com.google.android.katniss
package:/system/priv-app/TelephonyProvider/TelephonyProvider.apk=com.android.providers.telephony
package:/system/priv-app/DynamicSystemInstallationService/DynamicSystemInstallationService.apk=com.android.dynsystem
package:/system/priv-app/CalendarProvider/CalendarProvider.apk=com.android.providers.calendar

$ adb shell pm list packages <FILTER-STR>

$ adb shell pm list packages -f <FILTER-STR> #See their associated file.

$ adb shell pm list packages -d <FILTER-STR> #Filter to only show disabled packages.

$ adb shell pm list packages -e <FILTER-STR> #Filter to only show enabled packages.

$ adb shell pm list packages -s <FILTER-STR> #Filter to only show system packages.

$ adb shell pm list packages -3 <FILTER-STR> #Filter to only show third party packages.

$ adb shell pm list packages -i <FILTER-STR> #See the installer for the packages.

$ adb shell pm list packages -u <FILTER-STR> #Also include uninstalled packages.

$ adb shell pm list packages --user <USER_ID> <FILTER-STR> #The user space to query.

Source: https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/adb-commands 
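The package listing is only useful once it is compared with something. As an added example (not part of the original cheat sheet), the script below parses the `package:<path>=<name>` lines that `pm list packages -f` prints and diffs them against a baseline; the sample output is constructed from the listing above, and BASELINE is a hypothetical allowlist you would record yourself from a known-good device of the same model and build.

```python
"""Parse `adb shell pm list packages -f` output and diff it against a baseline."""
from typing import Dict, List, Tuple

# Constructed sample: lines as printed by `pm list packages -f` (from the listing above).
SAMPLE_PM_OUTPUT = """\
package:/system/app/TvdVideo/TvdVideo.apk=com.softwinner.TvdVideo
package:/system/priv-app/GoogleExtServices/GoogleExtServices.apk=com.google.android.ext.services
package:/data/app/com.google.android.katniss-cge_xXeW17WhrGeW3nufDg==/base.apk=com.google.android.katniss
package:/system/priv-app/TelephonyProvider/TelephonyProvider.apk=com.android.providers.telephony
"""

# Hypothetical baseline: package -> APK path recorded from a known-good device of the
# same model and build. You build this yourself; it is not shipped with Android.
BASELINE = {
    "com.softwinner.TvdVideo": "/system/app/TvdVideo/TvdVideo.apk",
    "com.google.android.ext.services": "/system/priv-app/GoogleExtServices/GoogleExtServices.apk",
    "com.android.providers.telephony": "/system/priv-app/TelephonyProvider/TelephonyProvider.apk",
}

def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> APK path. Split on the LAST '=' because /data/app
    directory names carry a base64 suffix that may itself end in '=='."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue  # ignore warnings or blank lines mixed into the output
        path, name = line[len("package:"):].rsplit("=", 1)
        pkgs[name] = path
    return pkgs

def partition_of(path: str) -> str:
    """Partition the APK lives on (system, vendor, product, data, ...)."""
    parts = path.split("/")
    return parts[1] if len(parts) > 1 and parts[0] == "" else "unknown"

def compare_with_baseline(observed: Dict[str, str],
                          baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(finding, package, path) triples for manual review: packages absent from
    the baseline, installed from a different path, or expected but missing."""
    findings = []
    for name in sorted(observed):
        if name not in baseline:
            findings.append(("not-in-baseline", name, observed[name]))
        elif baseline[name] != observed[name]:
            findings.append(("path-changed", name, observed[name]))
    for name in sorted(baseline.keys() - observed.keys()):
        findings.append(("missing", name, baseline[name]))
    return findings
```

Feed it the real output with `adb shell pm list packages -f > pkgs.txt` and load that file instead of SAMPLE_PM_OUTPUT; a package outside the baseline that lives under /data/app is the first thing to inspect manually.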

Dumping the flash over the network:

$ adb forward tcp:5555 tcp:5555
$ adb shell
walleye:/ # nc -l -p 5555 -e dd if=/dev/block/mmcblk0

The nc command runs in the device's root shell (see adb root above; Android has no sudo) and needs a netcat build that supports -e, such as the busybox one. If adb itself is connected over TCP on port 5555 as in the examples above, use a different port for both the forward and the listener. The block device name varies by device; mmcblk0 is the usual name for the eMMC.

In a new terminal, execute these commands:

$ mkdir ~/dump
$ cd ~/dump
$ nc 127.0.0.1 5555 | pv -i 0.5 > mydump.img 

Mount Device Disk Images

View partition list

$ sudo parted mydump.img print 

List all mountable partitions and create a device mapping for each one. The mappings appear under /dev/mapper/ and are shown in the file manager, where you can click a partition to mount it:

$ sudo kpartx -a -v mydump.img 

Delete device mappers, and make sure all mounted partitions have been unmounted:

$ sudo kpartx -d -v mydump.img

Scan The Network For Android Debugging (adb) Ports

$ nmap -sV -p 5555 --open 192.168.1.0/24

Nmap scan report for 192.168.1.148
Host is up (0.12s latency).

PORT     STATE SERVICE  VERSION
5555/tcp open  freeciv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5555-TCP:V=7.94%I=7%D=1/23%Time=65AFEA8D%P=x86_64-pc-linux-gnu%r(ad
SF:bConnect,2C,"AUTH\x01\0\0\0\0\0\0\0\x14\0\0\0\x9f\t\0\0\xbe\xaa\xab\xb7
SF:\x94\xde\x92\xbd\0\^\x14c\xc0UDkPB\xb9\xf7\x80\xe7\x12\x8a");

Get Device Properties

Get all properties:

$ adb shell getprop

Get the Android release number:

$ adb shell getprop ro.build.version.release

Get the build fingerprint from the vendor:

$ adb shell getprop ro.vendor.build.fingerprint

Get the device model:

$ adb shell getprop ro.product.model

Get the release name:

$ adb shell getprop ro.product.device
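The property values above are the build identity you are validating, so they should be checked for consistency rather than just read. As an added example (not from the original post), the script below parses the `[key]: [value]` lines that getprop prints and flags what a reviewer would want to see before trusting the firmware as the vendor's own build: system and vendor fingerprints from different builds, test-keys signing, a non-user or debuggable build, and a model that does not match the expected one. The property dump is constructed, with invented build IDs; the property names are the standard Android ones.

```python
"""Parse `adb shell getprop` output and sanity-check the build identity."""
import re
from typing import Dict, List

# Constructed sample in the "[key]: [value]" format getprop prints. The build IDs
# and fingerprints are invented; the property names are real Android ones.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.fingerprint]: [Android/walleye/walleye:9/EXAMPLE.000000.001/1:user/test-keys]
[ro.vendor.build.fingerprint]: [Android/walleye/walleye:9/EXAMPLE.000000.002/1:user/release-keys]
[ro.build.tags]: [test-keys]
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.product.model]: [MBOX]
[ro.product.device]: [walleye]
"""

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")

def parse_getprop(text: str) -> Dict[str, str]:
    """Map property name -> value; lines that do not match the format are skipped."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props

def check_build_identity(props: Dict[str, str], expected_model: str) -> List[str]:
    """Findings to review before trusting the firmware as the vendor's own build."""
    findings = []
    sys_fp = props.get("ro.build.fingerprint", "")
    vendor_fp = props.get("ro.vendor.build.fingerprint", "")
    if sys_fp and vendor_fp and sys_fp != vendor_fp:
        # system and vendor images were produced by different builds
        findings.append(f"fingerprint mismatch: system={sys_fp} vendor={vendor_fp}")
    if "test-keys" in props.get("ro.build.tags", "") or sys_fp.endswith("/test-keys"):
        # signed with the public AOSP test keys rather than the vendor's own keys
        findings.append("build tagged test-keys")
    if props.get("ro.build.type", "user") != "user":
        findings.append(f"non-user build type: {props['ro.build.type']}")
    if props.get("ro.debuggable", "0") != "0":
        findings.append("ro.debuggable is set")
    if props.get("ro.product.model") != expected_model:
        findings.append(f"model {props.get('ro.product.model')!r} != expected {expected_model!r}")
    return findings
```

Run it against `adb shell getprop > props.txt` from the device and the expected model from the vendor's documentation; an empty findings list means only that these basic checks passed, not that the firmware is genuine.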

Get the running Apps:

$ adb shell ps | grep u0_

Service listing:

$ adb shell service list

List App permissions:

$ adb shell pm list permissions -g -f

Pull The Logs

$ adb logcat 
$ adb logcat -d -f /sdcard/log.txt
$ adb pull /sdcard/log.txt

Tools and References

  • Autopsy – The Android Analyzer module hasn’t been updated in a while, but it still supports parsing some items from Android devices. It also gives you access to the File System directory tree faster than any commercial tool out there. Most tools make you wait to see the file system during parsing – not Autopsy. Also, keyword searching and carvers are top-notch.
  • Jadx – Android app decompiler
  • Mobexler (Commercial) – “Mobexler is a customized virtual machine, designed to help in penetration testing of Android & iOS applications.”
  • MobSF – Mobile app static analyzer
  • Androidqf – Automates and simplifies most of the commands presented here in one utility (makes backups, downloads logs and applications, etc.)
  • apk.sh – “apk.sh is a Bash script that makes reverse engineering Android apps easier, automating some repetitive tasks like pulling, decoding, rebuilding and patching an APK.”
  • Missing signs: how several brands forgot to secure a key piece of Android
  • Analyze installed Android applications for security risks in Termux