瘦蛟舞 (popular science is a public service) | 2015-05-15 17:26
netstat shows that the device is listening on two ports, 1946 and 1222:
shell@hammerhead:/ $ netstat |grep -i listen
tcp 0 0 0.0.0.0:1946 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1222 0.0.0.0:* LISTEN
tcp6 0 0 :::8192 :::* LISTEN
tcp6 0 0 :::7777 :::* LISTEN
tcp6 0 0 :::14087 :::* LISTEN
tcp6 0 0 :::14088 :::* LISTEN
tcp6 0 0 :::14089 :::* LISTEN
tcp6 0 0 :::14092 :::* LISTEN
tcp6 0 0 :::6259 :::* LISTEN
/proc/net/tcp shows that the application owning these two ports runs as uid 10094 (i.e. u0_a94).
0.0.0.0:1946 corresponds to 00000000:079A (hexadecimal).
shell@hammerhead:/ $ cat /proc/net/tcp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 00000000:079A 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10094 0 28470 1 00000000 100 0 0 10 -1
1: 00000000:04C6 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10094 0 28463 1 00000000 100 0 0 10 -1
2: 7F01A8C0:BF15 69176CCA:14A7 01 00000000:00000000 00:00000000 00000000 10106 0 26727 1 00000000 22 4 25 10 -1
ps then identifies the application as pplive:
shell@hammerhead:/ $ ps|grep u0_a94
u0_a94 4526 238 887672 42060 ffffffff 00000000 S com.pplive.androidphone
u0_a94 4706 238 900924 46028 ffffffff 00000000 S com.pplive.androidphone:remote
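The port-to-uid lookup above, as an added example that is not part of the original post: a Python parser for /proc/net/tcp that keeps only LISTEN sockets, decodes the hex address and port, and maps the uid to the name ps prints. It assumes a little-endian device and Android's usual uid layout (application uids 10000-19999, 100000 uids per user); the function names are illustrative.

```python
import socket
import struct

# Rows copied from the /proc/net/tcp listing above, cut after the inode column.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:079A 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10094        0 28470
   1: 00000000:04C6 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10094        0 28463
   2: 7F01A8C0:BF15 69176CCA:14A7 01 00000000:00000000 00:00000000 00000000 10106        0 26727
"""

TCP_LISTEN = 0x0A  # value of the "st" column for a listening socket


def decode_endpoint(field):
    """Turn '00000000:079A' into ('0.0.0.0', 1946)."""
    addr_hex, port_hex = field.split(":")
    # The IPv4 address is a 32-bit word printed in host byte order
    # (assumed little-endian here); the port is plain hex.
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def android_user(uid):
    """Map a numeric uid to the name ps prints, e.g. 10094 -> 'u0_a94'."""
    user, app_id = divmod(uid, 100000)   # 100000 uids per Android user
    if 10000 <= app_id <= 19999:         # range used for installed applications
        return "u%d_a%d" % (user, app_id - 10000)
    return str(uid)                      # other uids are left numeric here


def listening_sockets(proc_net_tcp):
    """Return (address, port, uid, user) for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue                     # header or blank line
        if int(fields[3], 16) != TCP_LISTEN:
            continue                     # established and other states
        addr, port = decode_endpoint(fields[1])
        uid = int(fields[7])
        found.append((addr, port, uid, android_user(uid)))
    return found


if __name__ == "__main__":
    for addr, port, uid, user in listening_sockets(SAMPLE):
        scope = "all interfaces" if addr == "0.0.0.0" else "this address only"
        print("%s:%d uid=%d (%s) %s" % (addr, port, uid, user, scope))
```

IPv6 listeners, such as the tcp6 entries in the netstat output, are listed in /proc/net/tcp6, which this example does not parse.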
If the device is rooted, it is even simpler (@小荷才露尖尖角):
root@hammerhead:/ # busybox netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:1946 0.0.0.0:* LISTEN 4706/com.pplive.and
tcp 0 0 0.0.0.0:1222 0.0.0.0:* LISTEN 4706/com.pplive.and
tcp 0 0 :::8192 :::* LISTEN 3617/com.ss.android
tcp 0 0 :::14087 :::* LISTEN 2485/com.tencent.an
tcp 0 0 :::14088 :::* LISTEN 2485/com.tencent.an
tcp 0 0 :::14089 :::* LISTEN 2485/com.tencent.an
tcp 0 0 :::14092 :::* LISTEN 2485/com.tencent.an
tcp 0 0 :::6259 :::* LISTEN 3983/com.baidu.brow
udp 0 0 0.0.0.0:1900 0.0.0.0:* 4706/com.pplive.and
udp 0 0 0.0.0.0:11918 0.0.0.0:* 4706/com.pplive.and
udp 0 0 0.0.0.0:6878 0.0.0.0:* 4706/com.pplive.and