一、Drozer简介

    Drozer是MWR Labs开发的一款Android安全测试框架。是目前最好的Android安全测试工具之一。其官方文档说道:“Drozer允许你一一个普通android应用的身份与其他应用和操作系统交互。”在Web世界已经有了许多安全测试工具了,我们只需要给出一个目标,这些工具就会自动为我们安全测试报告。但Drozer与这样的自动化扫描器不同,Drozer是一种交互式的安全测试工具。使用Drozer进行安全测试,用户在自己的工作站上输入命令,Drozer会将命令发送到Android设备上的代理程序执行。其官方文档说道:“Drozer允许你一一个普通android应用的身份与其他应用和操作系统交互。

二、Drozer下载

所需安装环境：

• Windows10 专业版1803

• 逍遥安卓模拟器5.6.1（下载）

  先尝试了夜神模拟器，后边发现run app.package.list命令不显示安装包，所以改用了逍遥安卓模拟器，可自行尝试其他模拟器）
  

• Python2.7.14（下载）

• drozer-2.4.4.win32.msi（官网介绍）

需要下载一个Windows客户端和一个安卓客户端：

1.【windows客户端】下载drozer (msi)安装包，或者下载python的whl格式安装包drozer (Python .whl)
2.【安卓客户端】drozer (Agent .apk only)

• drozer使用指南（mwri-drozer-user-guide-2015-03-23.pdf）
• drozer项目github地址（ https://github.com/mwrlabs/drozer）

三、 基本配置和故障排除

1. 在逍遥安卓模拟器中安装运行drozer Agent App，并打开Embbdded Server:

image.png

2.打开命令行工具，并cd切换到安卓模拟器的安装路径D:\Program Files\Microvirt\MEmu，运行adb devices命令，查看是否能看到模拟器。如果看不到，重启模拟器试试。

3.使用 adb 进行端口转发，转发到上边Drozer使用的端口 31415，并进入Drozer 控制台：

adb forward tcp:31415 tcp:31415
drozer console connect

4.python报错

报错1：ImportError: No module named google.protobuf

解决方法：pip install protobuf

报错2：ImportError: No module named OpenSSL

解决方法：pip install pyOpenSSL

报错3：drozer Server requires Twisted to run.
Run 'pip install twisted' to fetch this dependency.

解决方法：pip install twisted

警告1：UserWarning: You do not have a working installation of the service_identity module: 'No module named service_identity'. Please install it from https://pypi.python.org/pypi/service_identity and make sure all of its dependencies are satisfied.

解决方法：pip install service_identity

5.查看Drozer是否能正常使用

• 切换到drozer安装目录C:\Python27\Scripts>drozer，并执行drozer.bat脚本。

  
  
  image.png

• 用list命令列出Drozer所有功能模块，如能正常显示，则说明Drozer已正确安装。
  dz> list

app.activity.info           Gets information about exported activities.         
app.activity.start          Start an Activity                                   
app.broadcast.info          Get information about broadcast receivers           
app.broadcast.send          Send broadcast using an intent                      
app.broadcast.sniff         Register a broadcast receiver that can sniff        
                            particular intents                                  
app.package.attacksurface   Get attack surface of package                       
app.package.backup          Lists packages that use the backup API (returns true
                            on FLAG_ALLOW_BACKUP)                               
app.package.debuggable      Find debuggable packages                            
app.package.info            Get information about installed packages            
app.package.launchintent    Get launch intent of package                        
app.package.list            List Packages                                       
app.package.manifest        Get AndroidManifest.xml of package                  
app.package.native          Find Native libraries embedded in the application.  
app.package.shareduid       Look for packages with shared UIDs                  
app.provider.columns        List columns in content provider                    
app.provider.delete         Delete from a content provider                      
app.provider.download       Download a file from a content provider that        
                            supports files                                      
app.provider.finduri        Find referenced content URIs in a package           
app.provider.info           Get information about exported content providers    
app.provider.insert         Insert into a Content Provider                      
app.provider.query          Query a content provider                            
app.provider.read           Read from a content provider that supports files    
app.provider.update         Update a record in a content provider               
app.service.info            Get information about exported services             
app.service.send            Send a Message to a service, and display the reply  
app.service.start           Start Service                                       
app.service.stop            Stop Service                                        
auxiliary.webcontentresolver
                            Start a web service interface to content providers. 
exploit.jdwp.check          Open @jdwp-control and see which apps connect       
exploit.pilfer.general.apnprovider
                            Reads APN content provider                          
exploit.pilfer.general.settingsprovider
                            Reads Settings content provider                     
information.datetime        Print Date/Time                                     
information.deviceinfo      Get verbose device information                      
information.permissions     Get a list of all permissions used by packages on   
                            the device                                          
scanner.activity.browsable  Get all BROWSABLE activities that can be invoked    
                            from the web browser                                
scanner.misc.native         Find native components included in packages         
scanner.misc.readablefiles  Find world-readable files in the given folder       
scanner.misc.secretcodes    Search for secret codes that can be used from the   
                            dialer                                              
scanner.misc.sflagbinaries  Find suid/sgid binaries in the given folder (default
                            is /system).                                        
scanner.misc.writablefiles  Find world-writable files in the given folder       
scanner.provider.finduris   Search for content providers that can be queried    
                            from our context.                                   
scanner.provider.injection  Test content providers for SQL injection            
                            vulnerabilities.                                    
scanner.provider.sqltables  Find tables accessible through SQL injection        
                            vulnerabilities.                                    
scanner.provider.traversal  Test content providers for basic directory traversal
                            vulnerabilities.                                    
shell.exec                  Execute a single Linux command.                     
shell.send                  Send an ASH shell to a remote listener.             
shell.start                 Enter into an interactive Linux shell.              
tools.file.download         Download a File                                     
tools.file.md5sum           Get md5 Checksum of file                            
tools.file.size             Get size of file                                    
tools.file.upload           Upload a File                                       
tools.setup.busybox         Install Busybox.                                    
tools.setup.minimalsu       Prepare 'minimal-su' binary installation on the     
                            device. 

下一篇将讲述如何用Drozer进行安卓 APK的安全测试及常用命令。