Attack high version Android #78

Open
@gtasb

As is well known, newer versions of Android enforce access control for devices connected via ADB, such as verifying the MAC address of a device requesting ADB access. This renders unauthorized ADB access attacks ineffective under these circumstances. Therefore, I've been pondering whether we could bypass this by spoofing the attacker's MAC address to deceive and connect to the target machine. The challenge lies in identifying the authorized MAC address in the first place. My thought is whether it's feasible to deduce this through fingerprinting ADB traffic patterns or by sniffing the network. Alternatively, could a Man-in-the-Middle (MitM) attack within the local network, where we intercept traffic between two devices connected via ADB, reveal the identity of the connected device?

To elaborate, the steps for such an approach might involve:

ADB Traffic Analysis: Attempt to analyze typical ADB communication patterns to identify unique characteristics that could potentially be associated with a specific MAC address. This would require a deep understanding of ADB protocol nuances and might not be a straightforward task due to encryption and the variability of data exchanged.

Network Sniffing: Monitor network traffic for ADB-related packets, which could include initial handshake messages that may reveal the MAC address or other identifying information. However, ADB typically uses SSL/TLS for secure communication, making passive sniffing less practical without decryption capabilities.

MitM Attack: Implement an MitM attack within the LAN to intercept and decrypt ADB traffic. This would require exploiting vulnerabilities in the adb implementation or obtaining the necessary certificates trusted by the target devices. Once in place, the MitM position could allow capturing and analyzing the traffic to discern the authorized MAC address.
