
Making it Rain Android Shells - How 30,000+ Android devices are exposed to the internet and waiting to be compromised

460 views

Published on

Explore how thousands of Android devices are exposed to the internet through the Android Debug Bridge. Find out what devices are exposed, how they are exposed, examples of what an attacker could do with this exposure as well as what the bad guys are already doing with this exposure. This presentation was presented at BSides Melbourne 2019.

Published in: Technology


  1. Port:5555
  2. Making it Rain Android Shells. How 30,000+ Android devices are exposed to the internet and waiting to be compromised. Steph Jensen @B15Mu7h
  3. The Android Debug Bridge #BSidesMelb19
  4. The Android Debug Bridge
  5. Exposed Devices
  6. ADB Exposure. Top 3 exposed Android versions, in order of prevalence: 1. Jelly Bean 2. Nougat 3. Marshmallow
  7. ADB Exposure #BSidesMelb19. Top mobile device models exposed: 1. Pixel 2 XL (12% global exposure) 2. Samsung Galaxy Note3 (11.2% global exposure) 3. Samsung S5 (11.3% global exposure). Top impacted countries: 1. South Korea 2. Taiwan 3. China 4. Russia 5. Venezuela
  8. Why is this happening? #BSidesMelb19 1. Developers are enabling ADB to assist in debugging operations (easier over network than USB) 2. Vendors are shipping products with ADB enabled over the network 3. Users are enabling ADB on personal devices to access 3rd party applications on their devices
  9. What can you do with a remote ADB connection on non-rooted devices? • ADB commands • Shell commands • Dumpsys • Getprop • So many things you can do!!! #BSidesMelb19
  10. ADB command examples (data / command):
      Shell on 1 device if multiple devices are connected: adb -s <ip address> shell
      Connect multiple devices: run bash script (included at end)
      Upload any file onto device: adb push <file to upload> <file upload location>
      Download file from device: adb pull <file to download> <location on attacking machine to download files to>
      Take a screenshot of what is happening on the device: adb shell screencap -p /<directory to save>/<filename>.png
      Take a video of what is happening on the device: adb shell screenrecord
      View system messages and application logs: adb logcat (or can run in shell)
  11. ADB command example (pull & screencap) #BSidesMelb19. File accessible in external storage areas. Check when user unlocks screen, then screenshot.
  12. Dumpsys service examples (data / command):
      See all services: * dumpsys | grep "DUMP OF SERVICE"
      Accounts used for applications (email addresses): * dumpsys account
      Last known location of device: * dumpsys location
      Data sync info: * dumpsys contents
      Telephone and provider information: * dumpsys telephony.registry
      Network connection information: * dumpsys connectivity
      Memory information: * dumpsys meminfo
      Wifi interface information: * dumpsys wifi
      #BSidesMelb19 • * stands for "adb shell", or "adb shell -n" if you are connected to multiple devices with the adb+ script
  13. Dumpsys command examples (account) #BSidesMelb19
  14. Dumpsys command examples (notification) #BSidesMelb19
  15. Other commands (data / command):
      Kernel version: * cat /proc/version
      Find external storage location on device: * echo $EXTERNAL_STORAGE
      Input keyevents: * input <type of input> <input value>
      System state information: * dumpstate
      Kernel debugging info: * dmesg
      System/application logging information: * logcat
      List all packages on the device: * pm list packages -f; * pm path <package name>
      Access databases using permissions available from specified application: * run-as debuggable.app.package.name cat databases/file > file
      #BSidesMelb19 * stands for "adb shell", or "adb shell -n" if you are connected to multiple devices with the adb+ script.
  16. Information accessible via devices running ADB (unrooted) • Email addresses of user • Usernames in use in other applications • Notifications from all applications • Phone numbers of contacts • Emails received • Applications the user uses • Location of user • Model, build, version of device • Malware on device • Internal network information • Screenshots of the screen • Access to files in external storage • Database files associated with certain applications #BSidesMelb19
  17. What are the bad guys doing with this exposure? • Cryptominer turf wars (Trinity vs Fbot vs ufo miner) • Backdooring malware • RUSSIANS
  18. Identifying malware through ADB. Finding cryptominers through dumpsys cpuinfo. Decompiled ufo.miner – run.html file
  19. Free stuff for you! #BSidesMelb19 Android malware samples that use ADB as a vector for infection: https://github.com/b15mu7h/androidmalwarezoo
  20. Takeaways • "Features" can be more than benign features • Even if a device isn't rooted it can expose sensitive information that can be used to take over accounts, pivot to an internal network, assist in social engineering campaigns or ransom the user. • DON'T EXPOSE THE ANDROID DEBUG BRIDGE TO THE INTERNET #BSidesMelb19 @B15Mu7h
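Slide 18 suggests spotting cryptominers with dumpsys cpuinfo, and slide 20 asks that ADB never be exposed over the network. The following is an added example, not code from the talk or its author: it parses the per-process lines of a constructed `dumpsys cpuinfo` sample to flag unusually busy processes, and reads a constructed `getprop` sample for the `service.adb.tcp.port` property that turns on ADB over TCP (the 50% triage threshold and both samples are assumptions).

```python
import re
from typing import Dict, List, Optional

# One per-process line of `dumpsys cpuinfo`, e.g.
#   "  97% 14203/sh: 96% user + 1% kernel / faults: 40 minor"
PROC_LINE = re.compile(
    r"^\s*(?P<cpu>\d+(?:\.\d+)?)%\s+(?P<pid>\d+)/(?P<name>.+?):\s+\d+(?:\.\d+)?%\s+user"
)
# A `getprop` line in its "[key]: [value]" format.
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s+\[(?P<value>[^\]]*)\]")

# Constructed sample of `adb shell dumpsys cpuinfo` output (not a real capture).
SAMPLE_CPUINFO = """\
Load: 3.91 / 3.88 / 3.72
CPU usage from 60155ms to 35ms ago:
  97% 14203/sh: 96% user + 1% kernel / faults: 40 minor
  4.2% 1211/system_server: 2.5% user + 1.7% kernel / faults: 120 minor 1 major
  1.1% 2034/com.android.systemui: 0.8% user + 0.3% kernel
  0.1% 77/kworker/u8:1: 0% user + 0.1% kernel
 99% TOTAL: 92% user + 6% kernel + 1% iowait
"""

# Constructed sample of `adb shell getprop` output with ADB listening on TCP 5555.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.0]
[ro.product.model]: [Pixel 2 XL]
[service.adb.tcp.port]: [5555]
"""

def parse_cpuinfo(text: str) -> List[Dict]:
    """Return {cpu, pid, name} per process line; the TOTAL line has no pid and is skipped."""
    procs = []
    for line in text.splitlines():
        m = PROC_LINE.match(line)
        if m:
            procs.append({"cpu": float(m["cpu"]), "pid": int(m["pid"]), "name": m["name"]})
    return procs

def suspicious_processes(text: str, threshold: float = 50.0) -> List[Dict]:
    """Processes at or above `threshold` percent CPU (threshold is an assumed triage value)."""
    return [p for p in parse_cpuinfo(text) if p["cpu"] >= threshold]

def adb_tcp_port(getprop_text: str) -> Optional[int]:
    """TCP port ADB listens on when service.adb.tcp.port holds a number, else None."""
    for line in getprop_text.splitlines():
        m = PROP_LINE.match(line)
        if m and m["key"] == "service.adb.tcp.port" and m["value"].isdigit():
            return int(m["value"])
    return None
```

A process named like a plain shell burning nearly all CPU, on a device whose getprop shows port 5555, is the combination the talk describes; on a real device run `adb shell dumpsys cpuinfo` and `adb shell getprop` over USB and feed the output to these functions.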
