Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

ADB (Android Debug Bridge) is the primary interface for interacting with Android devices and emulators. For pentesters, it enables shell access, APK extraction, log capture, port forwarding, and app manipulation. Requires USB Debugging enabled on the device (Settings → Developer Options → USB Debugging).

Connect

USB: 
adb devices
TCP/IP (Wi-Fi): 
# First connect via USB, then switch to TCP
adb tcpip 5555
adb connect <DEVICE-IP>:5555
adb disconnect
Emulator: 
adb -e shell        # emulator only
adb -d shell        # physical device only
adb -s <SERIAL> shell  # specific device by serial

Shell

adb shell                        # interactive shell
adb shell <command>              # single command
adb shell su                     # root shell (rooted device)

App Management

List packages: 
adb shell pm list packages               # all
adb shell pm list packages -3            # third-party only
adb shell pm list packages | grep <name>
Get APK path: 
adb shell pm path <package.name>
Pull APK from device: 
adb pull /data/app/<package.name>-<hash>/base.apk ./target.apk
Install / uninstall: 
adb install target.apk
adb install -r target.apk        # reinstall (keep data)
adb uninstall <package.name>
Start / stop app: 
adb shell am start -n <package>/<activity>
adb shell am force-stop <package.name>

File Transfer

adb pull /sdcard/file.txt ./             # device → host
adb push ./file.txt /sdcard/             # host → device
Common paths:
PathContents
/sdcard/External storage
/data/data/<pkg>/App private data (root required)
/data/local/tmp/World-writable temp dir

Logs

adb logcat                               # all logs
adb logcat -s <TAG>                      # filter by tag
adb logcat | grep -i <package>           # filter by package name
adb logcat -d > logcat.txt              # dump and exit
adb logcat -c                           # clear log buffer

Port Forwarding

Forward traffic from host to device, useful for connecting Burp Suite to the emulator proxy or accessing services on the device: 
adb forward tcp:<HOST-PORT> tcp:<DEVICE-PORT>
adb forward tcp:8080 tcp:8080
Reverse forward (device → host): 
adb reverse tcp:<DEVICE-PORT> tcp:<HOST-PORT>
adb reverse tcp:8080 tcp:8080

Traffic Interception Setup (Burp Suite)

Step 1: Push Burp CA to device: 
# Export DER from Burp → convert to PEM
openssl x509 -inform der -in burp.der -out burp.pem

# Get the hash filename Android expects
openssl x509 -inform PEM -subject_hash_old -in burp.pem | head -1
# Example output: 9a5ba575

mv burp.pem 9a5ba575.0

# Push to system trusted store (root required)
adb push 9a5ba575.0 /sdcard/
adb shell
su
mount -o rw,remount /system
cp /sdcard/9a5ba575.0 /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/9a5ba575.0
Step 2: Set proxy on device: Settings → Wi-Fi → Long press network → Modify Network → Advanced → Proxy Manual → set Burp host/port. Or via ADB: 
adb shell settings put global http_proxy <BURP-IP>:8080
# Remove proxy
adb shell settings delete global http_proxy

Filesystem / App Data

# List app data directory (root required)
adb shell ls /data/data/<package.name>/

# Pull entire app data
adb pull /data/data/<package.name>/ ./app-data/

# Shared preferences (often stores tokens/flags)
adb shell cat /data/data/<package.name>/shared_prefs/<name>.xml

# SQLite databases
adb pull /data/data/<package.name>/databases/<db>.db .
sqlite3 <db>.db .tables
sqlite3 <db>.db "SELECT * FROM <table>;"

Broadcast / Intent Injection

Send intents to test exported components: 
# Start activity
adb shell am start -a android.intent.action.VIEW -d "http://target.com"

# Start exported activity directly
adb shell am start -n <package>/<activity>

# Send broadcast
adb shell am broadcast -a <ACTION> --es key value

# Start service
adb shell am startservice -n <package>/<service>

Dumpsys

adb shell dumpsys activity                     # running activities
adb shell dumpsys activity packages | grep <pkg>  # package info
adb shell dumpsys package <package.name>       # permissions, activities, services
adb shell dumpsys meminfo <package.name>       # memory usage

Useful One-Liners

# Screenshot
adb shell screencap /sdcard/screen.png && adb pull /sdcard/screen.png

# Screen record
adb shell screenrecord /sdcard/record.mp4

# Current foreground activity
adb shell dumpsys window | grep mCurrentFocus

# List exported activities
adb shell dumpsys package <package.name> | grep -A 2 "Activity"

# Check if device is rooted
adb shell which su

# Get Android version
adb shell getprop ro.build.version.release

# Get device architecture
adb shell getprop ro.product.cpu.abi