1
00:00:00,090 --> 00:00:06,190
- Hello all and welcome to the Android Security and Exploitation by Pentester

2
00:00:06,190 --> 00:00:11,450
Academy. My name is Aditya and I'm your course instructor for this entire training

3
00:00:11,450 --> 00:00:17,737
series. So this course is available on PentesterAcademy.com and you can

4
00:00:17,737 --> 00:00:23,529
also check out the certifications at securitytube-training.com. So in

5
00:00:23,529 --> 00:00:29,603
the last video, we actually got InsecureBank up and running where we were

6
00:00:29,603 --> 00:00:34,885
able to do transaction from one account to the other account and we were basically

7
00:00:34,885 --> 00:00:49,880
able to see it in the login screens as well. So in this video we are going to

8
00:00:49,880 --> 00:00:55,771
have a look at one of the tools which is called AndBug and is used for Android

9
00:00:55,771 --> 00:01:01,156
application debugging and basically allows you to see what is going inside the

10
00:01:01,156 --> 00:01:05,605
application, which particular methods are being called with what particular

11
00:01:05,605 --> 00:01:11,802
arguments and all these kind of things. So AndBug is simply a wrapper around JDWP

12
00:01:11,802 --> 00:01:17,591
which is the Java Debug Wire Protocol and compared to the other debugger which is

13
00:01:17,591 --> 00:01:22,487
the Java Debugger or JDB, it's much more interactive and gives you a lot more

14
00:01:22,487 --> 00:01:28,985
flexibility over it. So using AndBug, you can basically analyze what are the

15
00:01:28,985 --> 00:01:34,593
different classes and methods which look interesting to you and which might be a

16
00:01:34,593 --> 00:01:40,403
thing for further introspection and once you have identified that you can go inside

17
00:01:40,403 --> 00:01:47,250
JDB and basically set breakpoints and all of that. So you can download AndBug from

18
00:01:47,250 --> 00:01:53,792
this GitHub link. Also it's available in the VM which is provided along with this

19
00:01:53,792 --> 00:02:00,000
course. So the goal for this particular video is to find out the method

20
00:02:00,000 --> 00:02:05,130
responsible for the transaction. Once you have identified the method responsible for

21
00:02:05,130 --> 00:02:13,887
transaction, we'll go ahead and trace the method. So let's start up AndBug. We

22
00:02:13,887 --> 00:02:30,700
have the InsecureBank up and running. Let's unzip the AndBug master. You can

23
00:02:30,700 --> 00:02:42,761
simply install it by doing a python setup.py install. So this will install the

24
00:02:42,761 --> 00:02:55,700
AndBug. Now you have the AndBug. So you can get inside an AndBug shell by providing

25
00:02:55,700 --> 00:03:04,622
in the process id of the application you want to debug. Let's do an adb shell ps and

26
00:03:04,622 --> 00:03:14,719
grep for insecure. So we got the process id which is 1212. We can do andbug shell -p

27
00:03:14,800 --> 00:03:23,516
1212. Now we are inside the AndBug shell and everything worked fine so far so

28
00:03:23,516 --> 00:03:28,556
let's go ahead and do a classes which will give us a list of all the currently loaded

29
00:03:28,556 --> 00:03:35,748
classes. As you can see over here there're a lot of classes. Basically anything that

30
00:03:35,748 --> 00:03:42,899
you import in one of your Java class, we'll be able to see it over here. So if you

31
00:03:42,899 --> 00:03:48,546
have to import the HTTP package or activity package, you'll see all of that

32
00:03:48,546 --> 00:03:54,980
over here which is not that interesting to us. So what is interesting to us is the

33
00:03:54,980 --> 00:04:04,089
classes which are responsible for the application. So we can do a classes and

34
00:04:04,089 --> 00:04:11,040
basically grep for com.android.insecurebank. Now we have

35
00:04:11,040 --> 00:04:21,310
these different classes which are for the Insecure Bank. Now we are interested in

36
00:04:21,310 --> 00:04:26,600
the transfer funds, like how the transaction actually happens. So we can

37
00:04:26,600 --> 00:04:32,432
maybe look inside the Transfer class or we can either look inside the RestClient.

38
00:04:32,432 --> 00:04:39,745
Let's have a look at the methods inside that RestClient class. You can simply type

39
00:04:39,745 --> 00:04:46,104
methods, basically paste it and this will give you all the methods inside this

40
00:04:46,104 --> 00:04:52,686
particular class. If you look over here there's a RestClient init method, do log

41
00:04:52,700 --> 00:05:01,730
in, do transfer which is something useful for us. GetHttpContent, parseError, post

42
00:05:01,730 --> 00:05:07,359
HttpContent, and sidechannel. We are interested in the dotransfer method over

43
00:05:07,359 --> 00:05:22,760
here. You can simply now do a method trace and copy and paste this. It will set up a

44
00:05:22,760 --> 00:05:27,900
hook at this particular method. Now whenever this dotransfer method gets

45
00:05:27,900 --> 00:05:34,788
called, it will show up all the parameters or the arguments that it is being called

46
00:05:34,788 --> 00:05:44,093
with in the AndBug screen. Let's try it out. So from account, let's say 9876 to

47
00:05:44,093 --> 00:05:52,585
account 4444, amount let's make it $60,000 dollars. And if you click on transfer, you

48
00:05:52,585 --> 00:05:57,827
basically see the entire thing that's happening over here. You can see that some

49
00:05:57,827 --> 00:06:04,572
of the arguments that are being passed are from account and then the server, the

50
00:06:04,572 --> 00:06:14,974
port, the to Account and the amount. This is how you analyze any particular method

51
00:06:14,974 --> 00:06:22,938
using AndBug. So in the next video, we'll have a look at how you can use this

52
00:06:22,938 --> 00:06:29,094
information along with JDB and set breakpoints and maybe even call arbitrary

53
00:06:29,094 --> 00:06:36,896
methods which you want. So that's all for this video. I hope you like the video. If

54
00:06:36,896 --> 00:06:41,284
you have any feedback or comments, feel free to send it out to me and you can also

55
00:06:41,284 --> 00:06:45,734
tweet it @adi1391. Thank you