Mercury User Guide v1.1

Similar documents
UNRESTRICTED EXTERNAL

How to Install Applications (APK Files) on Your Android Phone

The "Eclipse Classic" version is recommended. Otherwise, a Java or RCP version of Eclipse is recommended.

Allow Installation from Unknown Sources

Smartphone Pentest Framework v0.1. User Guide

Using GitHub for Rally Apps (Mac Version)

An Introduction To The Web File Manager

The full setup includes the server itself, the server control panel, Firebird Database Server, and three sample applications with source code.

Lab 0 (Setting up your Development Environment) Week 1

Silk Test Testing Mobile Web Applications

Pentesting Android Apps. Sneha Rajguru

Pentesting Android Mobile Application

TAO Installation Guide v0.1. September 2012

Lab 4 In class Hands-on Android Debugging Tutorial

Extending Remote Desktop for Large Installations. Distributed Package Installs

UP L18 Enhanced MDM and Updated Protection Hands-On Lab

STABLE & SECURE BANK lab writeup. Page 1 of 21

MarkLogic Server. Connector for SharePoint Administrator s Guide. MarkLogic 8 February, 2015

Web Application Vulnerability Testing with Nessus

Developing In Eclipse, with ADT

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Android Environment SDK

Penetration Testing Android Applications

Android Programming and Security

AVG Business SSO Partner Getting Started Guide

SIMIAN systems. Setting up a Sitellite development environment on Windows. Sitellite Content Management System

Using Microsoft Visual Studio API Reference

NetWrix File Server Change Reporter. Quick Start Guide

Wireless Security Camera with the Arduino Yun

Signiant Agent installation

Android: How To. Thanks. Aman Nijhawan

Getting started with 2c8 plugin for Microsoft Sharepoint Server 2010

JAMF Software Server Installation Guide for Linux. Version 8.6

Qsync Install Qsync utility Login the NAS The address is :8080 bfsteelinc.info:8080

Cloud Storage Service

GETTING STARTED WITH SQL SERVER

SourceAnywhere Service Configurator can be launched from Start -> All Programs -> Dynamsoft SourceAnywhere Server.

System Administration Training Guide. S100 Installation and Site Management

SAIP 2012 Performance Engineering

Silk Test Testing Mobile Applications

AppUse - Android Pentest Platform Unified

FileMaker Server 11. FileMaker Server Help

Working with Templates. Schoolwires Centricity2

Getting Started with Dynamic Web Sites

1 Download & Installation Usernames and... Passwords

MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server

Wakanda Studio Features

How To Install Amyshelf On Windows 2000 Or Later

Running a Program on an AVD

Network/Floating License Installation Instructions

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Mobile Application Security and Penetration Testing Syllabus

Board also Supports MicroBridge

Web Testing, Java Testing, Server Monitoring. AppPerfect Installation Guide

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

Content Management System User Guide

Point of View ProTab 3XXL IPS - Android 4.0 Tablet PC. Contents... 1 General notices for use... 2 Disclaimer... 2 Box Contents...

FileMaker Server 10 Help

The Web Pro Miami, Inc. 615 Santander Ave, Unit C Coral Gables, FL T: info@thewebpro.com

User and Reference Manual

Project management integrated into Outlook

Maximizer CRM 12 Winter 2012 Feature Guide

System Software for Developer Release Note (Ver.D1.1.2)

Adobe Marketing Cloud Bloodhound for Mac 3.0

Source Code Management for Continuous Integration and Deployment. Version 1.0 DO NOT DISTRIBUTE

How To Use Query Console

Copyright 2013, 3CX Ltd.

Basic Unix/Linux 1. Software Testing Interview Prep

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

XenMobile Logs Collection Guide

Automation of Smartphone Traffic Generation in a Virtualized Environment. Tanya Jha Rashmi Shetty

The power of root on Android emulators

Configuration Manual Yahoo Cloud System Benchmark (YCSB) 24-Mar-14 SEECS-NUST Faria Mehak

Manipulating Microsoft SQL Server Using SQL Injection

1. Product Information

SYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules

Online Backup Client User Manual Linux

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

SecuraLive ULTIMATE SECURITY

Kollaborate Server Installation Guide!! 1. Kollaborate Server! Installation Guide!

USB HSPA Modem. User Manual

Zoom Plug-ins for Adobe

PaperStream Connect. Setup Guide. Version Copyright Fujitsu

X10 Webinterface User Quick Guide(ver0.9.2 Beta)

WatchDox Administrator's Guide. Application Version 3.7.5

QuickStart Guide for Managing Computers. Version 9.2

SEER Enterprise Shared Database Administrator s Guide

Developing for MSI Android Devices

WebView addjavascriptinterface Remote Code Execution 23/09/2013

CLC Bioinformatics Database

Authoring for System Center 2012 Operations Manager

Mobile Device Management Version 8. Last updated:

ALERT installation setup

Magento OpenERP Integration Documentation

RecoveryVault Express Client User Manual

Amira License Manager

Basic Android Setup Windows Version

FileMaker Server 13. FileMaker Server Help

Transcription:

Mercury User Guide v1.1 Tyrone Erasmus 2012-09-03

Index Index 1. Introduction... 3 2. Getting started... 4 2.1. Recommended requirements... 4 2.2. Download locations... 4 2.3. Setting it up... 4 2.3.1. Recommended tools... 4 2.3.2. Android Configuration... 4 3. Using Mercury... 6 3.1. Starting a connection... 6 3.2. First steps... 6 3.3. Interacting with application components... 8 3.3.1. Intents... 8 3.3.2. Activities... 8 3.3.3. Services... 8 3.3.4. Content Providers... 8 3.3.5. Broadcast Receivers... 9 3.4. Shells and Busybox... 9 3.5. Downloads and Uploads... 10 3.6. Modules... 10 4. Want to know more?... 11 MWR InfoSecurity 2 of 11

Introduction 1. Introduction This guide explains how to get started with using Mercury. Mercury is a framework that is changing all the time and so this document might not always be 100% accurate for the latest development version on Github. This document will however always be relevant for the latest release version on http://labs./tools/2012/03/16/mercury/ Mercury is an advanced tool that requires experience with Android in order to fully make use of all its functionality. If you haven t spent the required couple of hours learning Android basics, some of the functions and features of Mercury may not make total sense. With that said, there is a fair amount of functionality, especially in the modules section that allows users to find new vulnerabilities without much prior knowledge or Android exploitation experience. MWR InfoSecurity 3 of 11

Getting started 2. Getting started The following explains what is required, where to download and how to get started with setting up the environment needed to run Mercury. 2.1. Recommended requirements Phone or emulator running Android 2.2+ Computer running Linux and Python 2.7. Mercury works on Windows and Mac but the autocompletion of commands is not supported on these platforms due to the reliance on the GNU Readline library. 2.2. Download locations Release versions of Mercury are stable and released on an ad hoc basis when milestones have been reached. Supporting documentation will be updated and released with every new release version of Mercury. To download the latest release version of Mercury, please visit http://labs./tools/2012/03/16/mercury/downloads/ Mercury is in constant development and so some may prefer to have the freshest features available from day to day. Get it from Github using: git clone https://github.com/mwrlabs/mercury.git 2.3. Setting it up 2.3.1. Recommended tools It is recommended that basic Android tools are installed on the computer where Mercury will be used. Tools like ADB (Android Debug Bridge) are very useful to have and are required when using Mercury over USB or with an emulator. ADB is available in some software repositories and can be installed using: sudo yum install android-tools The recommended location to get it from is http://developer.android.com/sdk/installing.html 2.3.2. Android Configuration Mercury can be used on USB connected Android devices, emulators and over a WIFI connection. The following explains the required setup for each configuration. USB/Emulator Make sure that USB Debugging is enabled. This will allow you to use ADB and other development tools on your device. MWR InfoSecurity 4 of 11

Getting started Connect the USB device or start the emulator and install mercury-server.apk using: adb install mercury-server.apk This is an essential step for any connected device or emulator. Forward the Mercury server port to your localhost so that the client is able to connect to it: adb forward tcp:31415 tcp:31415 WIFI If you are connecting to your device over a wireless network, you will need to get the IP address of your phone. This can be obtained by going to the Wireless settings on the device and clicking on the connected access point. The following dialog will appear containing the device s IP address: Make sure that Unknown sources is checked in the device s security settings, as shown below: Install mercury-server.apk on your device using your favourite method. MWR InfoSecurity 5 of 11

Using Mercury 3. Using Mercury 3.1. Starting a connection Open the Mercury app and toggle the On/Off button (Green light = On). Start the Mercury client using: python mercury.py Type connect followed by the IP address of your Android device. The IP address will be 127.0.0.1 if you have a directly connected device or emulator. You should end up with a screen that looks as follows: If you get a response like **Network Error** Could not connect to 127.0.0.1:31415 then make sure you have done the following: Enabled the Mercury server Have access to TCP port 31415 on your Mercury server (remember to forward the port for locally connected devices and emulators). 3.2. First steps There is inline help available within Mercury s command-line interface. In order to get help about available features, type? or help. Typing help (command) will give an explanation of what the command is and will give examples of typical use-cases. To view command-line usage instructions only for a particular command, type the command appended with a -h or --help. If you are familiar with Android development, you will notice the 4 different application components available as sub-folders within Mercury. These application components are: Activities denoted as activity in Mercury Services denoted as service in Mercury Content providers denoted as provider in Mercury Broadcast receivers denoted as broadcast in Mercury Another folder that provides some general tools pertaining to installed Android packages on the connected device is packages. Commands inside packages can be used to get information about installed packages and view their general attack surface. MWR InfoSecurity 6 of 11

Using Mercury A general workflow for examining a single application on the device is as follows: Get information about the package of interest Examine the attack surface of the package Interact with each available application features to find potential problems To find information about packages of interest, navigate to the packages folder. Here are some things to try: Type info to get information about all the installed packages on the device. Try to use info -f browser to filter for specific package information about the Android browser Look for packages that use the INTERNET permission by typing info -p internet View how you can interact with one of these applications by issuing the attacksurface (packagename) command The following is an example of the attacksurface command being issued on an application: At this point the various application components can be investigated by using the info -f (packagename) command in the respective application component folders e.g. provider folder A feature that might appeal to the more advanced users is the manifest command in the packages section. This essentially replaces the need for using AAPT in order to get the AndroidManifest.xml of a package. An example of viewing Mercury s manifest is shown below: MWR InfoSecurity 7 of 11

Using Mercury 3.3. Interacting with application components In order to understand this section, you will need to be relatively familiar with Android development or at least how the Android model works with the various application components. 3.3.1. Intents Intents are the basis of communication between Android application components that gives Android its modular unique design. To read more about forming different intents in order to interact with application components, please refer to http://developer.android.com/guide/topics/intents/intents-filters.html 3.3.2. Activities Getting the launch intent of an application can be done using the launchintent command. The following will find the launch intent for Google Play. launchintent com.android.vending Rebuilding this intent with the start command will launch Google Play. This can be done as follows: start --action android.intent.action.main --category android.intent.category.launcher -- flags 0x10000000 --component com.android.vending com.android.vending.assetbrowseractivity When starting new activities, a common error is not specifying the FLAG_ACTIVITY_NEW_TASK flag with the start command. The hex representation of it is 0x10000000 as seen in the above command. An indication that you have forgotten this flag is the following error message: Calling startactivity() from outside of an Activity context requires the FLAG_ACTIVITY_NEW_TASK flag. Is this really what you want? When typing an action like android.intent.action.main or a category, try to tab complete it to avoid having to type too much. This feature is only supported on Unix-based systems. Typing info in this section will give information about all the exported activities available on the device. Here is an example of starting an activity using the --component argument of the start command: start --component com.android.browser com.android.browser.browseractivity flags 0x10000000 3.3.3. Services Starting and stopping of services can be performed in Mercury by building intents in a similar fashion to activities. Specifying a component is normally the preferred way of starting and stopping services, which can be done with the --component flag of the start and stop commands. Binding to services is an advanced feature that can only be done using Mercury s reflection interface, which is a topic that is not covered in this guide. More information about this can be found at https://github.com/mwrlabs/mercury/wiki/using-reflection. 3.3.4. Content Providers Content providers are often a source of data leakage in applications and Mercury has some powerful features that allow you to find these vulnerabilities. Navigate to the provider section to access these tools. Typing info in this section will reveal all of the exported content providers on the device. Some may require certain permissions in order to read or write to them and some don t require any permissions whatsoever. MWR InfoSecurity 8 of 11

Using Mercury If you are interested in finding content providers with no required permissions, type: info -p null In order to query a content provider, the following structure general applies: query content://app_authority/table Often, data can be retrieved simply by querying content://app_authority. There is no defined way to find valid content URIs but Mercury has functionality available to try and find valid content URIs in the application s DEX file, which is essentially its executable. Use finduri (packagename) in order to find referenced content URIs. An example of querying the settings provider is shown below: There are many vulnerabilities to be found in content providers, such as SQL injection, directory traversal and the consequences of manipulating stored data of other applications. For more information about these attacks please see http://labs./assets/246/bheu12-tyrone_erasmus-the_heavymetal_that_poisoned_the_droid.pdf Various other SQL-like functions have been provided in this section in order to insert, delete and update rows in a content provider. Familiarity with SQL does help when attempting to exploit a content provider. 3.3.5. Broadcast Receivers Information about registered broadcast receivers can be found using the info feature in the broadcast subsection. Looking for broadcast receivers which do not enforce the sending application to have any permissions and examining what actions are performed when a broadcast is sent to the application is the main goal of assessing these application components. Mercury allows a user to send broadcasts to the entire device or to specific applications only, controlled by the intent that is built using the send command. To understand more about the broadcast receiver that you are targeting, you would need to decompile the application and check what kind of extras it is expecting and what code is executed once a broadcast is received. 3.4. Shells and Busybox Mercury has 2 kinds of shell types available in the shell folder. Oneoff shell is well-suited for performing tasks on the device that do not require a persistent state. This shell does not actually maintain a persistent shell connection, only opening a new shell, executing the supplied commands and returning the value. The persistent shell can be used for tasks that require persistence, such as opening a new shell session with elevated privileges. If you can exploit a vulnerability to obtain a root shell, this is the shell you want to be using. As an example of the difference between the 2 shells, when running Mercury on a rooted/jailbroken device, typing su in the persistent shell will give you a root shell whereas the oneoff shell will not. MWR InfoSecurity 9 of 11

Using Mercury Busybox is an awesome tool that provides many utilities that Android is lacking. The normal usage of Busybox requires root access on Android but using it inside Mercury does not. In order to upload Busybox, navigate to the modules folder and type the following: *mercury#modules> run setup.busybox [*] Uploading busybox [+] Succeeded [*] chmod 770 busybox You are now able to use $BB to reference the busybox binary inside the oneoff and persistent shells Once this has been done, Busybox is uploaded into Mercury s data directory and can be used from either of the 2 Mercury shells. To use Busybox from either shell, type $BB as a shortcut to its full path, which is /data/data/com.mwr.mercury/busybox. As an example, type the following to use Busybox s date command: oneoffshell:/data/data/com.mwr.mercury$ $BB date Fri Jul 27 14:42:52 UTC 2012 3.5. Downloads and Uploads Mercury includes functionality to download and upload files between the user s computer and the Android device. Downloading and uploading of files is obviously restricted to the permissions of Mercury e.g. uploading a file to the SD card will not work because Mercury does not have the WRITE_EXTERNAL_STORAGE permission. There are few folders on an Android device that can be written to with such limited permissions and that is why the majority of the time uploading files to Mercury s private data folder is advised. Upload and download functionality can be found inside the tools folder in Mercury. The usage of these tools is fairly self-explanatory but help download and help upload can be used for more information. A common use of the download feature is downloading application APK files. Their location can be found by using the info command in the packages folder. 3.6. Modules The modules section is where all the automagic happens. Anything from vulnerability scanners, to root exploits, to information pilfering modules can be found here. To get a list of all the currently available modules, type list. You will notice that they have a folder-like structure that have a correlation to where they are found in the merc/modules folder in the Mercury folder on your hard drive. Information about each module can be obtained using the info (module) command. Here are a few good reasons to make a Mercury module: You find yourself repeatedly performing the same task in Mercury You have an automated exploit of some kind that you would like to share You have a useful addon that does not quite fit into the everyday usage of Mercury This is the part where if you are interested further in making your own modules, then you should visit the developer documentation at https://github.com/mwrlabs/mercury/wiki The modules section is essentially open ended, with the possibility to extend Mercury to do very many things. Especially with the addition of the reflection interface that allows you to dynamically execute code on the Android MWR InfoSecurity 10 of 11

Want to know more? device by pushing it from the Python client. More about this can be found in the developer documentation on Github. 4. Want to know more? For more information about the technical workings of Mercury, see https://github.com/mwrlabs/mercury/wiki/developer-documentation Everyone is invited to come join the Mercury development team on Github at https://github.com/mwrlabs/mercury/issues for opinions on new features, code contributions and other questions. Send us a tweet: @droidhg Email us: mercury[at] MWR InfoSecurity 11 of 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information