owasp-workshop-android-pentest
Learning Penetration Testing of Android Applications
How to start with Android Application Pentesting?
This should be very easy. We configured two virtual machines with all the tools you need here:
- https://drive.google.com/open?id=0BwhtuArcTcxMWlhvTW5SYkFsbWc
- Android OWASP VM.ova - Android 5 VM for the Android App Pentest Workshop (SHA256 a44802f001f4b078efa1e8a4cbbe993fbbdeb1269b6c680410dd5f3f67190429)
- OWASP Ruhrpott.ova - Ubuntu based VM for the OWASP Android App Pentest Workshop (SHA256 8f8d51f47757ca9221144e92602f4163916114456f376a5f92c12da0451948aa)
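Both images are large downloads from a shared drive, so it is worth checking them against the SHA256 values listed above before importing. The script below is an added example, not part of this repository; the file names and digests are copied from the list above, the function names are hypothetical, and it assumes both OVAs were saved under their listed names in one directory.

```bash
#!/usr/bin/env bash
# Added example: check the workshop OVAs against the published SHA256 values.
# File names and digests are copied from the download list on this page.
ANDROID_OVA="Android OWASP VM.ova"
ANDROID_SHA256="a44802f001f4b078efa1e8a4cbbe993fbbdeb1269b6c680410dd5f3f67190429"
UBUNTU_OVA="OWASP Ruhrpott.ova"
UBUNTU_SHA256="8f8d51f47757ca9221144e92602f4163916114456f376a5f92c12da0451948aa"

# Print the hex SHA256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# verify_ova FILE EXPECTED -> 0 on match, 1 on mismatch, 2 if FILE is missing
verify_ova() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case digests
    [ -f "$file" ] || { echo "MISSING  $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
    else
        echo "MISMATCH $file (got $actual)" >&2
        return 1
    fi
}

# verify_workshop_vms DIR -> 0 only if both OVAs in DIR match their digests
verify_workshop_vms() {
    local dir="$1" rc=0
    verify_ova "$dir/$ANDROID_OVA" "$ANDROID_SHA256" || rc=1
    verify_ova "$dir/$UBUNTU_OVA" "$UBUNTU_SHA256" || rc=1
    return "$rc"
}

# Usage: ./verify-ova.sh DOWNLOAD_DIR   (without an argument nothing is checked)
if [ "$#" -ge 1 ]; then
    if verify_workshop_vms "$1"; then
        echo "Both images match the published SHA256 values."
    else
        echo "Do not import: re-download the failing image." >&2
        exit 1
    fi
fi
```

A truncated or altered download shows up as MISMATCH, so run this before the import step in Setup.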
Requirements
The following are hardware and software recommendations:
- Linux / Windows / Mac Operating System
- Oracle VirtualBox (in a recent version)
- 25 GB of storage on your hard drive
- >4 GB RAM
Setup
- After you have downloaded the two VMs, import them into VirtualBox via File -> Import Appliance ...
- Configure the DHCP server of VirtualBox for the internal network:
  VBoxManage dhcpserver add --netname intnet --ip 10.13.13.100 --netmask 255.255.255.0 --lowerip 10.13.13.101 --upperip 10.13.13.254 --enable
- Start the Android VM first and wait until it has booted; this ensures that it will have the IP 10.13.13.101. (PIN: 0000)
- Start the OWASP VM. It should have the IP 10.13.13.102. (pentester:owasp2017)
- You are now ready to start with the challenges.
Workshops
This repository was used in previous workshops; the following table references them:
What | Where | When | Slides | Link |
---|---|---|---|---|
OWASP Stammtisch Ruhrpott | Essen, Germany | 31.01.17 | Slides | Wiki |
OWASP Stammtisch Ruhrpott | Essen, Germany | 04.03.17 | Slides | Wiki |
SHA2017 | Zeewolde, Netherlands | 05.08.17 | Slides | Link |
It would be nice if you let us know when you run a workshop with our project, so we can reference it here.
Contribute
You can contribute via a pull request or an issue with a bug or a feature request. Please keep in mind that we are developing this project in our free time, so a response might take some time.
How to add challenges
1. Clone owasp-workshop-android-pentest/Vuln_app_1/app/src/main/java/ruhrpott/owasp/com/vuln_app_1/Template.java
2. Clone owasp-workshop-android-pentest/Vuln_app_1/app/src/main/res/layout/fragment_template.xml
3. Change fragment_basic_http in View rootView = inflater.inflate(R.layout.fragment_basic_http, container, false); to your fragment created in 2.
4. Design your fragment
5. Add challenge to public Fragment getItem(int position) in owasp-workshop-android-pentest/Vuln_app_1/app/src/main/java/ruhrpott/owasp/com/vuln_app_1/MainActivity.java
Solutions
In case you get stuck with a challenge, see the wiki for hints.