What starting position does this attack require?

The first step is adb shell + getprop / pm list packages (T1087) — a discovery primitive. Assumed environment: a network-connected Android device (Fire TV, dev tablet, Android Auto unit, kiosk) with adb-over-wifi enabled.

What is the final impact of this kill-chain?

The final step lands on adb connect (MOB-ADB-OPEN), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

Open ADB on the network → device shell

An IoT / dev device left adbd listening on TCP/5555 — anyone on the LAN runs `adb connect` and gets a shell as the shell user, including pulling user data.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Discovery

adb shell + getprop / pm list packages

T1087 · Account Discovery

Credential Access

Recover tokens / DB / keychain

T1552 · Unsecured Credentials

Discovery

nmap for TCP/5555

N-NMAP-INTERNAL · Internal Nmap Sweep

Collection

adb backup -all → unpack with abe

MOB-BACKUP-EXTRACT · ADB Backup Extraction

Initial Access

adb connect <device>

MOB-ADB-OPEN · ADB Open on Network

§ Context

Assumed environment: a network-connected Android device (Fire TV, dev tablet, Android Auto unit, kiosk) with adb-over-wifi enabled. Attacker is on the same network.

§ Steps

01
adb shell + getprop / pm list packagesDiscovery
T1087— Account Discovery
02
Recover tokens / DB / keychainCredential Access
T1552— Unsecured Credentials
03
nmap for TCP/5555Discovery
N-NMAP-INTERNAL— Internal Nmap Sweep
04
adb backup -all → unpack with abeCollection
MOB-BACKUP-EXTRACT— ADB Backup Extraction
05
adb connect <device>Initial Access
MOB-ADB-OPEN— ADB Open on Network

§ References

T1087Account Discovery
T1552Unsecured Credentials

§ Frequently asked

What is the "Open ADB on the network → device shell" attack path?: An IoT / dev device left adbd listening on TCP/5555 — anyone on the LAN runs `adb connect` and gets a shell as the shell user, including pulling user data. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is adb shell + getprop / pm list packages (T1087) — a discovery primitive. Assumed environment: a network-connected Android device (Fire TV, dev tablet, Android Auto unit, kiosk) with adb-over-wifi enabled.
What is the final impact of this kill-chain?: The final step lands on adb connect <device> (MOB-ADB-OPEN), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Open ADB on the network → device shell

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Unauth DICOM PACS → mass medical-image exfil

BACnet HVAC → disrupt building operations

z/OS TN3270 → RACF userID brute → mainframe shell

Reachable Modbus PLC → direct register override

TCC bypass → access Photos / Camera without consent

npm typosquat → developer workstation → corporate VPN