CSbyGB - Pentips
Buy me a tea
  • CS By GB - PenTips
    • Welcome to CSbyGB's Pentips
  • Networking, Protocols and Network pentest
    • Basics
    • DNS
    • FTP
    • HTTP & HTTPS
    • IMAP
    • IPMI
    • MSSQL
    • MYSQL
    • NFS
    • Oracle TNS
    • POP3
    • RDP
    • RPC
    • Rservices
    • Rsync
    • SMB
    • SMTP
    • SNMP
    • SSH
    • VOIP and related protocols
    • Winrm
    • WMI
    • Useful tips when you find unknown ports
  • Ethical Hacking - General Methodology
    • Introduction
    • Information Gathering
    • Scanning & Enumeration
    • Exploitation (basics)
    • Password Attacks
    • Post Exploitation
    • Lateral Movement
    • Proof-of-Concept
    • Post-Engagement
    • MITRE ATT&CK
  • External Pentest
    • External Pentest
  • Web Pentesting
    • Introduction to HTTP and web
    • Enumeration
    • OWASP Top 10
    • General Methodo & Misc Tips
    • Web Services and API
    • Vunerabilities and attacks
      • Clickjacking
      • CORS (Misconfigurations)
      • CSRF
      • SSRF
      • Bypass captcha
      • Template Injection (client and server side)
      • MFA bypass
      • XXE
    • Exposed git folder
    • Docker exploitation and Docker vulnerabilities
    • Websockets
  • Mobile App Pentest
    • Android
    • IOS
  • Wireless Pentest
    • Wireless pentest
  • Cloud Pentest
    • Cloud Pentest
    • Google Cloud Platform
    • AWS
  • Thick Client Pentest
    • Thick Client
  • Hardware Pentest
    • ATM
    • IoT
  • Secure Code Review
    • Secure code review
    • Java notes for Secure Code Review
  • AI & AI Pentest
    • MITRE ATLAS
    • OWASP ML and LLM
    • Hugging face
    • AI Python
    • Gemini
    • Ollama
  • Checklist
    • Web Application and API Pentest Checklist
    • Linux Privesc Checklist
    • Mobile App Pentest Checklist
  • Tools
    • Burpsuite
    • Android Studio
    • Frida
    • CrackMapExec
    • Netcat and alternatives
    • Nmap
    • Nuclei
    • Evil Winrm
    • Metasploit
    • Covenant
    • Mimikatz
    • Passwords, Hashes and wordlist tools
    • WFuzz
    • WPScan
    • Powershell Empire
    • Curl
    • Vulnerability Scanning tools
    • Payload Tools
    • Out of band Servers
    • STEWS
    • Webcrawlers
    • Websocat
  • VM and Labs
    • General tips
    • Setup your pentest lab
  • Linux
    • Initial Foothold
    • Useful commands and tools for pentest on Linux
    • Privilege Escalation
      • Kernel Exploits
      • Password and file permission
      • Sudo
      • SUID
      • Capabilities
      • Scheduled tasks
      • NFS Root Squashing
      • Services
      • PATH Abuse
      • Wildcard Abuse
      • Privileged groups
      • Exploit codes Cheat Sheet
  • Windows
    • Offensive windows
    • Enumeration and general Win tips
    • Privilege Escalation
    • Active Directory
    • Attacking Active Directory
      • LLMNR Poisoning
      • SMB Relay Attacks
      • Shell Access
      • IPv6 Attacks
      • Passback Attacks
      • Abusing ZeroLogon
    • Post-Compromise Enumeration
      • Powerview or SharpView (.NET equivalent)
      • AD Manual Enumeration
      • Bloodhound
      • Post Compromise Enumeration - Resources
    • Post Compromise Attacks
      • Pass the Password / Hash
      • Token Impersonation - Potato attacks
      • Kerberos
      • GPP/cPassword Attacks
      • URL File Attack
      • PrintNightmare
      • Printer Bug
      • AutoLogon exploitation
      • Always Installed Elevated exploitation
      • UAC Bypass
      • Abusing ACL
      • Unconstrained Delegation
    • Persistence
    • AV Evasion
    • Weaponization
    • Useful commands in Powershell, CMD and Sysinternals
    • Windows Internals
  • Programming
    • Python programming
    • My scripts
    • Kotlin
  • Binary Exploitation
    • Assembly
    • Buffer Overflow - Stack based - Winx86
    • Buffer Overflow - Stack based - Linux x86
  • OSINT
    • OSINT
    • Create an OSINT lab
    • Sock Puppets
    • Search engines
    • OSINT Images
    • OSINT Email
    • OSINT Password
    • OSINT Usernames
    • OSINT People
    • OSINT Social Media
    • OSINT Websites
    • OSINT Business
    • OSINT Wireless
    • OSINT Tools
    • Write an OSINT report
  • Pentester hardware toolbox
    • Flipper Zero
    • OMG cables
    • Rubber ducky
  • Post Exploitation
    • File transfers between target and attacking machine
    • Maintaining Access
    • Pivoting
    • Cleaning up
  • Reporting
    • How to report your findings
  • Red Team
    • Red Team
    • Defenses Enumeration
    • AV Evasion
  • Writeups
    • Hackthebox Tracks
      • Hackthebox - Introduction to Android Exploitation - Track
    • Hackthebox Writeups
      • Hackthebox - Academy
      • Hackthebox - Access
      • Hackthebox - Active
      • Hackthebox - Ambassador
      • Hackthebox - Arctic
      • Hackthebox - Awkward
      • Hackthebox - Backend
      • Hackthebox - BackendTwo
      • Hackthebox - Bastard
      • Hackthebox - Bastion
      • Hackthebox - Chatterbox
      • Hackthebox - Devel
      • Hackthebox - Driver
      • Hackthebox - Explore
      • Hackthebox - Forest
      • Hackthebox - Good games
      • Hackthebox - Grandpa
      • Hackthebox - Granny
      • Hackthebox - Inject
      • Hackthebox - Jeeves
      • Hackthebox - Jerry
      • Hackthebox - Lame
      • Hackthebox - Late
      • Hackthebox - Love
      • Hackthebox - Mentor
      • Hackthebox - MetaTwo
      • Hackthebox - Monteverde
      • Hackthebox - Nibbles
      • Hackthebox - Optimum
      • Hackthebox - Paper
      • Hackthebox - Photobomb
      • Hackthebox - Poison
      • Hackthebox - Precious
      • Hackthebox - Querier
      • Hackthebox - Resolute
      • Hackthebox - RouterSpace
      • Hackthebox - Sauna
      • Hackthebox - SecNotes
      • Hackthebox - Shoppy
      • Hackthebox - Soccer
      • Hackthebox - Steamcloud
      • Hackthebox - Toolbox
      • Hackthebox - Vault
      • Hackthebox - Updown
    • TryHackme Writeups
      • TryHackMe - Anonymous
      • TryHackMe - Blaster
      • TryHackMe - CMesS
      • TryHackMe - ConvertMyVideo
      • TryHackMe - Corridor
      • TryHackMe - LazyAdmin
      • TryHackMe - Looking Glass
      • TryHackMe - Nahamstore
      • TryHackMe - Overpass3
      • TryHackMe - OWASP Top 10 2021
      • TryHackMe - SimpleCTF
      • TryHackMe - SQL Injection Lab
      • TryHackMe - Sudo Security Bypass
      • TryHackMe - Tomghost
      • TryHackMe - Ultratech
      • TryHackMe - Vulnversity
      • TryHackMe - Wonderland
    • Vulnmachines Writeups
      • Web Labs Basic
      • Web Labs Intermediate
      • Cloud Labs
    • Mobile Hacking Lab
      • Mobile Hacking Lab - Lab - Config Editor
      • Mobile Hacking Lab - Lab - Strings
    • Portswigger Web Security Academy Writeups
      • PS - DomXSS
      • PS - Exploiting vulnerabilities in LLM APIs
    • OWASP projects and challenges writeups
      • OWASP MAS Crackmes
    • Vulnerable APIs
      • Vampi
      • Damn Vulnerable Web Service
      • Damn Vulnerable RESTaurant
    • Various Platforms
      • flAWS 1&2
  • Digital skills
    • How to make a gitbook
    • Marp
    • Linux Tips
    • Docker
    • VSCodium
    • Git Tips
    • Obsidian
  • Durable skills
    • Durable skills wheel/Roue des compétences durables
  • Projects
    • Projects
      • Technical Projects
      • General Projects
  • Talks
    • My Talks about Web Pentest
    • My talks about Android Application hacking
    • Other of my talks and Podcast
  • Resources
    • A list of random resources
Powered by GitBook
On this page
  • What is frida
  • Setup
  • Disable SSL Pinning
  • Useful frida commands
  • Debug
  • Failed to spawn
  • Resources
  1. Tools

Frida

PreviousAndroid StudioNextCrackMapExec

Last updated 7 months ago

What is frida

Frida is a powerful tool that can be used for Android Apps pentest to help analyze and manipulate apps. It works by allowing testers to inject their own code into running applications, which helps them understand how an app behaves, find security issues, and potentially exploit vulnerabilities.

Here's a simple breakdown of what Frida does in Android pentesting:

  • Dynamic Instrumentation: Frida lets you inject custom scripts into a running Android app. This helps you monitor and control the app's behavior in real-time, without modifying the app itself.

  • Bypass Security: Many Android apps have security mechanisms like certificate pinning or root detection. Frida can help bypass these protections so that testers can examine how the app communicates or interacts with its backend services.

  • Manipulate Code: With Frida, you can change how parts of an app work by altering its functions during runtime. This helps in testing how the app handles certain data or actions, and in finding security vulnerabilities like insecure APIs.

  • Hooking: Frida allows testers to "hook" into specific functions of the app to see what data is being processed. For example, you can monitor encryption or decryption functions to capture sensitive data like passwords.

  • Flexible Scripting: It provides a scripting environment using JavaScript, so you can write custom scripts to automate tasks like logging data or manipulating responses, making it very versatile for testing different kinds of apps.

Setup

  • Take frida server from

  • unxz frida-server-version-android-x86.xz to decompress the file

  • Follow the instructions form the article previously mentioned above

# Copy the server to the device
adb push ./frida-server-$version-android-$arch /data/local/tmp/frida-server
#        ^Change this to match the name of the binary you just extracted

# Enable root access to the device
adb root

# Make the server binary executable
adb shell "chmod 755 /data/local/tmp/frida-server"

# Start the server on your device
adb shell "/data/local/tmp/frida-server &"
  • I am on Ubuntu

  • pip3 install frida-tools Install Frida

  • frida-ps -U from your ubuntu

  • In case you get an error like this Failed to enumerate processes: unable to connect to remote frida-server: closed it means the server is not running on the emulator. In this case try to launch it like this

user ~/Documents/hackthebox $ adb shell
root@generic_x86_64:/ # su
root@generic_x86_64:/ # /data/local/tmp/frida-server &
[1] 3806
  • Then frida-ps -U should work and will list the running process on the target

Disable SSL Pinning

  • First I launched Pinned and kept it on during the whole process

  • When running frida-ps -U you should see the app you wish to transform in the list. Running this frida-ps -D emulator-5554 -ai will give you more details on the running app -D <id> will allow you to specify which plug in device you wish to see the app installed on and -ai will show the Identifier column. This works as well frida-ps -U -ai

  • With the other command the output looks like this

  • Then you just need to run frida -D emulator-5554 -l ./frida-script.js -f com.example.pinned or frida -U -l ./frida-script.js -f com.example.pinned

  • Turn out the best way to run the app with cert pinning is with this command frida -U -l ./frida-script.js Appname It will avoid bugs.

  • Now we should be able to intercept the traffic and actually see it in Burp (frida server should still be running for this process)

Useful frida commands

  • frida-ls-devices list plugged in devices

  • frida-ps -D <id> -ai list installed apps on a specific device

  • frida-ps -Uai list all processes with details

Debug

Failed to spawn

If you get

Failed to spawn: need Gadget to attach on jailed Android; its default location is: /home/user/.cache/frida/gadget-android-arm64.so

It means that Gadget is missing. Gadget is important to hook on jailed devices.

You might need to click on "Show all XXX assets" to see all the Gadget's versions

Once downloaded un zip it and then:

# Create the directory if it does not exist
mkdir /home/user/.cache/frida/
# Move the file to the directory it need to be in
mv frida-gadget-16.5.2-android-arm64.so /home/user/.cache/frida/gadget-android-arm64.so

Resources

I am going to use Pinned (from the HTB challenge). If you do not have and HTB subscription you can try this on provided by Tim Perry from his article mentioned above.

Take kindly provided by our new friend Tim wget https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/main/frida-script.js

Note: Apparently the --no-pause is not necessary anymore see

For Pinned for example I just had to click login in my screen (that I did not close)

And I got the flag from Burp

If this did not work, check out this

Go to the official frida repo An get Gadget, so here for example we would need this one (but your might be different)frida-gadget-android-arm64.so

here
this app
this script
here
article
here
Frida labs - series of challenges designed for learning Frida for Android by AD2001
Pinned process
Pinned process detailed
spawned
show assets