Hello, and welcome to the Android Security and Exploitation Training Course by Pentester Academy. You can also check out the certifications at securitytube-training.com. So in the previous video we had a look at how you can use AndBug to analyze applications and basically check out the methods and the arguments that are going along. So in this particular video, we are going to have a look at JDB, or the Java Debugger, and how we can use it to analyze applications much more deeply, right? So one of the drawbacks of AndBug is that it does not allow you by default to set up breakpoints and maybe change the variables at that particular point in time, which is possible with JDB. So that is one of the things you can use JDB for: setting up breakpoints and changing some of the variables and seeing how the application performs for that, right.

So one of the things you can start doing is figure out which applications are debuggable using Drozer. So you can simply do a run “app.package.debuggable,” and it will show you a list of all the packages or applications which have the debug flag enabled. Alternatively, if the application is not debuggable, you can reverse the application and add the particular statement “android:debuggable=true” into the AndroidManifest.xml, which will simply make the application debuggable, and then you can use JDB for that, right.

So JDB simply relies on the Java Debug Wire Protocol, which AndBug also uses. And you can check out the official documentation on the official website. And this is some of the things from the actual website. So JDWP was introduced in JDK 1.4.2, and it is mostly used to debug Java applications which are running in the JVM, but it also supports the DVM, or the Dalvik Virtual Machine. Right.

So what we can do is start off by finding out the process ID for a particular Android application. So let me log in to Santoku and make sure that AndBug is not running. Yeah, okay. So now let's do an adb shell ps and grep for insecure, so the process ID is 1212. And once we have found that out, we need to forward the port. So we need to do adb forward, tcp and give it a particular port, and then jdwp and the process ID of the application. So let's go ahead and do it. So adb forward, tcp, let's use the port 1337, and jdwp to be 1212, right? And once you have done the forwarding, you can simply go ahead and attach to localhost 1337. Sorry. So let's... Good. Yeah. So if you see something like this, this means that JDB, or the Java Debugger, has successfully attached to your particular application.

And here also you can do a class list and get a list of all the classes, but in this case you won't be able to parse it just like you did in AndBug, but we already know that the package name is com.android.insecurebank and the class name is RestClient. So let's go ahead and analyze the methods, which is com.android.insecurebank.RestClient. Right? It gives you a list of all the methods. Now you might notice that it gives some additional methods as well, which were not visible in AndBug, right? So let's set a breakpoint at this particular dotransfer. It's client.dotransfer, and try to transfer some amount. And you see that in JDB the breakpoint has been hit. Now here you can do a lot of different things, so one of the things is you can check out all the local variables. You can even change any of the local variables. For example, you can change the amount to be something like 70,000. And you can basically resume it, so 70,000 will be transferred. And you can verify it by doing an adb logcat, and then grepping for 1212. Right. So you see that the amount transferred has been 70,000. Now there's another transfer of 60,000, which is the default amount which we put inside the application. So this might be because this is not the actual thing which is actually transferring the amount, or this is not the actual thing which is actually printing out this log statement. So that you can figure out from the application source code, right?

And also, one of the other things you can do is basically call a particular method just from JDB, right? So for example, let's maybe make a transfer again. The breakpoint has been hit, and let's do eval dotransfer. Position error. Maybe... okay, because the port was not correct, so it's 161.241. So let's do an eval dotransfer. So we're putting in the IP and then the port, from account, to account and the amount. Port, from account, to account, and the amount. 987. And this has simply happened, right? If we look over here, it says transfer amount 987, from account, to account, and this one, right? So this is how you can use JDB to debug applications, and also to call any arbitrary methods from within the application.

So that's all for this video, and you can play a lot more with AndBug and JDB if you want, and you can do a lot more different things with it. So I hope you liked the video, and if you have any feedback or queries, feel free to reach out to me at adi@attify.com and you can also tweet to me @adi1391.