Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

EDITOR'S NOTE
05/2011 (05)

Editor: Sebastian Buła, sebastian.bula@software.com.pl

TEAM
Betatesters / Proofreaders: Massimo Buso, Ankit Prateek, Santosh Rana, Rishi Narang, Davide Quarta, Gerardo Iglesias Garvan, Steve Hodge, Jeff Weaver
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic, ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski, ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca, andrzej.kuca@software.com.pl
Marketing Director: Sebastian Buła, sebastian.bula@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType.

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear Readers,

How do you feel when you read yet another piece of news about yet another tabloid journalist hacking into yet another celebrity / politician / accident victim / etc. mobile and extracting confidential information from their voice mail (The News of The World, thank you very much for making the news)? I believe that people who use their mobiles like their cars (you don't have to know what's under the bonnet to know how to drive it – so the vast majority of us) are perplexed at the idea that their precious secrets can be disclosed so easily and their indispensable mobile friends can be hacked into by nameless agents, lurking somewhere out of their sight. But how does a hacker feel? I believe – offended, because how can you call trying out a 4-digit code (which is most likely 1,2,3,4, or the year of the user's birth, or something equally impenetrable) till you find the correct sequence? I might be a bit biased here, but I find calling it brute-forcing a bit of an overstatement.

Thus, we've decided to devote our September edition to mobile security, seen, as always, from a pentester's perspective. The mobile apps market is growing rapidly, and so are attempts at compromising its security. Nowadays everyone can be a „hacker”, as we have already mentioned, but securing yourself from a real threat is another pair of shoes. And what better way of managing security issues than penetration testing?

The centerpiece of this issue's focus is Aditya K Sood's Breaking Down the i*{Devices}, concentrating on data testing, decrypting and mobile app developers' „wrongdoings”, who sometimes tend to disregard security issues at a scale which can be described as at least inappropriate, taking into consideration the expanding market. Cory Adams will encourage you to Act Like a Criminal while Leveraging Android Malware for Improved Penetration Testing Results, Bill Mathews will share his views on Attacking the Mobile Infrastructure, and Devesh Bhatt will take you Inside Android Applications, concentrating on manifest configuration. Some general points of Mobile Application Security Testing will be presented to you by Iftach Ian Amit.

There are of course other articles worth looking at in this issue of PenTest Magazine. I can definitely recommend Arthur Gervais' New Penetration Business Model – the idea behind his Hatforce project, based on crowd-sourcing. It might be another step in the field of IT security, surely worth looking at and taking further.

Enjoy your reading
Sebastian Buła
& Penetration Test Magazine Team

05/2011 (5) September, Page 2, http://pentestmag.com


CONTENTS

POINT OF VIEW

04 Isn't Social Engineering the Safest Form of Pentesting?
by Ankit Prateek
One might argue over this, but for a student and a budding pentester like me, this is the truth and holds water. Social engineering won't call your work illegal unless you harm someone personally or cause some financial loss. Plus, since you don't have certifications at competitive prices, no one even wants you to be a certified Social Engineer at that unaffordable price.

06 Trust Pentesting Team. Do you?
by Rishi Narang
With the advent of security and its counterpart, a large share of vulnerabilities has been due to human errors in the software lifecycle. These errors have either crept in mistakenly, or the loop holes have been intentionally inserted with 'malicious' intentions.

FOCUS

08 Breaking Down the i*{Devices}
by Aditya K Sood
Smartphones have revolutionized the world. The online world is grappling with severe security and privacy issues. Smartphone applications require an aggressive approach to security testing and integrity verification in order to serve the three metrics of security: confidentiality, integrity and availability.

16 Act Like A Criminal
by Cory Adams
What, act like a criminal? That would usually be considered bad advice, but having an understanding of how cyber criminals conduct business will lead to better penetration testing results. In-depth malware analysis will reveal criminals' tactics, techniques, and procedures. These can be utilized to generate improved penetration testing abilities by allowing the tester to view the target as a would-be intruder does.

22 Mobile Application Security Testing
by Iftach Ian Amit
Thriving vendor marketplaces (such as iTunes and the Android store) encourage the rapid development and deployment of mobile applications to consumers and businesses alike. Additionally, alternative 3rd-party download and install markets open up as software writers seek opportunities outside the walled gardens provided by the mainstream stores.

26 Attacking the Mobile Infrastructure
by Bill Mathews
We will explore a few philosophies for attacking a mobile management infrastructure. The article will cover the differences in testing mobile stuff vs "everything else" as well as reusing some of the things you know to demystify the mobile world.

30 ToneLoc and Load – Useful For a Pentester?
by Chris McAndrew
When on average it takes less than half an hour to bypass the security of many voicemail systems and the rewards can be over £250,000 for a weekend's work, it's no wonder that phreaking telephone systems is enjoying a resurgence.

34 Inside Android Applications
by Devesh Bhatt
By the end of 2011, the number of Smartphone shipments around the world will explode to nearly 468 million units and the Android operating system would have a fifty percent market share. This would increase the number of attacks on mobile applications and also the investment in securing the applications from the attacks.

(NEW) STANDARDS

36 New Penetration Testing Business Model
by Arthur Gervais
Today everybody can become a hacker. The knowledge spreads all over the Internet. A lot of hackers are showing their know-how by sharing the results of their attacks. Why not use this knowledge through crowd-sourcing in order to globally improve security? Starting from this fundamental idea, a business model has been developed by Hatforce.

HOW-TO

42 Building Your Own Pentesting Application
by Dhananjay D. Garg
Although even today web browsers serve the primary purpose of bringing information resources to the user, they no longer represent a software application with bare bones support for just HTML. Today, web browsers like Mozilla Firefox come with the support of add-ons, which are small installable enhancements to a browser's foundation.


POINT OF VIEW

Isn't Social Engineering the Safest Form of Pentesting?

If it's permitted, registered and certified, it's pentesting, and if it's not, it's just plain words scary hacking.

One might argue over this, but for a student and a budding pentester like me, this is the truth and holds water. Social engineering won't call your work illegal unless you harm someone personally or cause some financial loss. Plus, since you don't have certifications at competitive prices, no one even wants you to be a certified Social Engineer at that unaffordable price.

As a learner I don't think any of the two should be your main concerns. Just knowing the password and some browsing using it should be enough for an encouragement. I can get someone drunk and get his passwords rather than doing phishing and other stuff. Getting picked up by girls from a bar and then using their laptop or desktop with an excuse to check my mails is what I have been doing lately. The fun part is to discover the lover's files and saved passwords… Okay, maybe I am not being picked up by girls in the bar, but they do give me their laptops to use the Internet (not in the bar of course, well, the bar was supposed to sound cool). Anyways, other moves are: offering my laptop to others to change passwords or log into any account. Some smart ones check the anti-virus inclusion list to track keyloggers, some trust me, others have not heard about Firefox add-ons, or the changed script that enables storing all passwords without offering to remember. Trojans haven't helped me much, nor has any exploit from Metasploit that I know of (some 3 or 4), except for my own virtual machine which has no anti-virus. Accessing other PCs myself rather than accessing them remotely has so far worked pretty well for me. I'm often filled with guilt that I make friends just to add them to my stolen passwords list… But that's a different story, let's not get there.

Watching desktop screens of your friends at night and clicking their picture remotely at that very moment aren't on the list of the most interesting things, but one still might enjoy doing it for fun and, of course, learning. But try not to go for the easy way, which is implanting the .pdf in your friend's laptop, who uses an older version of Adobe Reader. Removing my device from my friend's Facebook was the coolest correction that I've done so far (oh, try Konqueror, it impressed me). Getting the phone number to stay in touch is easy, then updating Facebook status from that number is so much fun, thanks to the websites the names of which can't be disclosed here.

Moving on, the only method I've found to protect my own Facebook wall from SMS spoofing is by not sharing my phone number with anyone. SMS spoofing is so easy, simple and free that a non-geek can do it. Against caller ID spoofing, those who can crack Asterisk aren't idle enough to try me, so I feel pretty much safe. I am not so sure if Facebook knows they have this vulnerability, since it's still on the go. I really hope they buy this issue.

Upon being caught when the secret was somehow revealed to people, saying that I was pentesting your things to improve your security has saved me many times from beatings, but with practice it happens less often these days. I hope my actions have been legal so far; I'm not looking forward to doing anything illegal, just brushing up some skills. One of my idols, Kevin Mitnick, scares me these days with his "you should not make those mistakes that I did" types, I am pretty much concerned now, and scared too often. This legal-illegal issue is the most repulsive thing in a budding pentester's life like mine. Never have I done any harm to anyone, even with those still-working passwords in my system; none of those people have ever faced any problems so far, they don't even know about it (yet), in fact many got improved security features in their accounts, but it can still be looked at as illegal.

I took a course for International Certification assuming it will make it easy for me to get permission from authorities to practice with them, but my trainers were doing fraud in the name of that false certification, so now I have even lost that hope too, humph! I'm looking forward to platforms like Hatforce, thanks to Arthur (see this issue). As a Non-Certified Infosec Pro, Social Engineering is what I feel best to practice and with positive results it's always encouraging. And again, nothing illegal has been done so far, and none is going to happen in the future either.

ANKIT PRATEEK, RHCE, CISP


POINT OF VIEW

Trust Pentesting Team. Do You?

With the advent of security and its counterpart, a large share of vulnerabilities has been due to human errors in the software lifecycle. These errors have either crept in mistakenly, or the loop holes have been intentionally inserted with 'malicious' intentions.

The last decade witnessed millions of small or critical vulnerabilities, and most of them were duly fixed, mitigated or remediated, but what about the human link, the human mistakes, the human intentions? These can never be fixed, but early detection and a keen eye can save you from unintentionally handing the secret keys to a thief.

In my professional and personal experience, there have been very few clients and customers who are actually aware of what is happening during their pentest phase. They are aware of the vulnerabilities reported and of the calls and explanations presented by the pentesting team, but are oblivious to the network facts and access rights. Most clients have strict objectives mentioned in the contract. These objectives include guidelines that refrain a pentester from DoS attacks on a service or system, persistent threats, intrusive attacks or code execution etc. if the system is live and in production, as this can result in disruption of their services. Whereas, if the system is a dummy clone, such genres of attack can be permitted by the client in controlled conditions. But how many customers actually verify the attempts by the pentesting team through the logs, system as well as network logs?

The pentesting team has limited timeslots or limited time windows to perform such assessments. On a standard note, a client should always make a note of the IP addresses allowed for the pentester, and exempt them on perimeter security (if really needed), else keep the rest of the security posture on its toes. The IT team should always check the logs and look for anything that is beyond the scope of the pentesting contract, like:

• Check the resources being accessed via the application and/or server logs.
• Check the internal and/or public IP addresses being accessed via the network logs.
• Any discrepancy in the logs reflecting the pentesters' IP address should result in blocking that IP address till a satisfactory explanation is provided by the team.

In the worst case scenario, the attacker (hidden under a pseudonym) renders his services to a firm wearing a white hat and steals database information, source code, or even the credentials etc. Later, even if the vulnerability has been mitigated, he still possesses critical information under his disguise. If the logs show that some of the critical files have been dumped during the pentesting phase, a client can (and should) always raise an eyebrow if this is a production system.

Any pentesting phase, if not intrusive, needs a POC (proof of concept) and not a valid attack that hampers the services. A vulnerability can be proven with the fact that it can allow an attacker to download a file, but there is no actual need of accessing every critical file (passwords, configuration etc.) on the server just to prove your point. The client should mention that in the contract – during intrusive pentests, the team is ONLY allowed to download/access 'index.html' (or any low criticality files) as POC.

Customers can also deploy certain measures to protect themselves from such disguised attacks:

• Prefer pentesting on dummy cloned servers where liberal perimeter network checks are in place (maybe a different LAN/VLAN altogether).
• Appropriate segregation of resources – critical vs. in-scope logistics.
• Continuous monitoring of logs – network/perimeter as well as server and/or application – and validation of the files being accessed.
• If it is a production system, try to keep critical files encrypted. It can enable a pentester to demonstrate a vulnerability (if any) without compromising confidentiality or integrity.
• Interview the responsible team on their daily activity: which resources did they access and why?
• No modification of the production files existing on the server. The client can validate this with simple modification time checks on its servers.

The idea behind a successful pentesting assessment is to either validate the security controls against the thinking patterns of cyber criminals, or to get a green check on the compliance controls during audit cycles. But in no manner will a client appreciate data being compromised due to an attacker camouflaged under the white cloak of its team members.

RISHI NARANG
Rishi Narang is an Information Security Professional and a Cyber Psychology enthusiast. He can be reached via Twitter (@rnarang).
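The log review and modification-time check the article recommends can be scripted. The following is an added example, not code from the article or its author: it reads Apache-style combined access-log lines (the constructed sample below uses documentation-range addresses), compares the tester's traffic against a scope object that models the contract (allowed tester IPs, agreed time window, files allowed as POC), and flags retrieval of critical files, modifying requests against production, and activity outside the window. The `snapshot`/`changed_files` pair implements the simple mtime check for production files. The sensitive-path patterns and the scope values are assumptions for the demonstration.

```python
import os
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Combined/common access-log line, e.g.
# 203.0.113.10 - - [12/Sep/2011:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1843
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Paths nobody needs to pull from production just to prove that a download is possible (assumed list)
SENSITIVE_RE = re.compile(r"(passw|config|/backup/|\.bak$|\.sql$|\.env$|\.git/)", re.IGNORECASE)
MODIFYING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Scope:
    """What the contract allows: who tests, when, and which files may serve as POC."""
    tester_ips: Set[str]
    window: Tuple[datetime, datetime]   # tz-aware start/end of the agreed window
    poc_allowed: Set[str]               # e.g. {"/index.html"}


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def audit(lines: Iterable[str], scope: Scope) -> List[dict]:
    """Return one finding per contract violation seen in the tester's own traffic."""
    findings = []
    start, end = scope.window
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] not in scope.tester_ips:
            continue                       # only the agreed tester addresses are judged here
        reasons = []
        if not start <= rec["ts"] <= end:
            reasons.append("activity outside agreed window")
        if rec["method"] in MODIFYING:
            reasons.append("modifying request against production")
        if (200 <= rec["status"] < 300
                and rec["path"] not in scope.poc_allowed
                and SENSITIVE_RE.search(rec["path"])):
            reasons.append("critical file retrieved beyond POC allowance")
        for reason in reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"].isoformat(),
                             "path": rec["path"], "reason": reason})
    return findings


def snapshot(paths: Iterable[str]) -> Dict[str, float]:
    """Record mtimes of production files before the test starts."""
    return {p: os.stat(p).st_mtime for p in paths}


def changed_files(baseline: Dict[str, float], current: Dict[str, float]) -> Set[str]:
    """Files whose mtime changed, or that vanished, since the baseline snapshot."""
    return {p for p, mtime in baseline.items() if current.get(p) != mtime}


# Constructed sample log: 203.0.113.10 is the agreed tester address, 198.51.100.7 an ordinary user
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Sep/2011:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1843',
    '203.0.113.10 - - [12/Sep/2011:10:17:09 +0000] "GET /backup/db_dump.sql HTTP/1.1" 200 5242880',
    '198.51.100.7 - - [12/Sep/2011:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 1843',
    '203.0.113.10 - - [12/Sep/2011:11:02:13 +0000] "DELETE /admin/users/42 HTTP/1.1" 204 0',
    '203.0.113.10 - - [12/Sep/2011:11:05:40 +0000] "GET /admin/config.bak HTTP/1.1" 404 221',
    '203.0.113.10 - - [12/Sep/2011:23:41:37 +0000] "GET /index.html HTTP/1.1" 200 1843',
]
SAMPLE_SCOPE = Scope(
    tester_ips={"203.0.113.10"},
    window=(datetime(2011, 9, 12, 9, 0, tzinfo=timezone.utc),
            datetime(2011, 9, 12, 18, 0, tzinfo=timezone.utc)),
    poc_allowed={"/index.html"},
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, SAMPLE_SCOPE):
        print(finding)
```

Run against the sample, the audit reports three findings: the database dump fetched with a 200, the DELETE against a production resource, and the late-night request outside the agreed window; the 404 for the backup file returns no data and is therefore not flagged, and the ordinary user's traffic is not judged by the contract at all.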


FOCUS

Breaking Down the i*{Devices}
Penetration Testing Like a Hacker

Smartphones have revolutionized the world. The online world is grappling with severe security and privacy issues. Smartphone applications require an aggressive approach to security testing and integrity verification in order to serve the three metrics of security: confidentiality, integrity and availability.

This paper sheds light on the behavioral testing and security issues present in Apple's iOS devices and applications. Primarily, this paper revolves around penetration testing of the iPhone device and its applications. The paper does not discuss iPhone application source code analysis and reverse engineering.

Mach-O Format and iPhone Architecture

Mach-O is the primary file format that is used for running applications and programs on Apple devices. This format is stored as an application binary interface on the respective Mac OS X operating system. Mach-O provides support for intermediate (debug) and final (released) builds of the binaries. This is quite helpful in debugging, as the Mach-O format supports both dynamically and statically linked code files. The Mach-O format is basically divided into three main components: the header structure, the load structure and the data structure. The header structure explicitly specifies the environment information of the binary, which is required by the kernel to differentiate between code execution on different processors and architectures. The load structure comprises the various segments, which define the byte size and memory protection attributes. When the code is executed dynamically, the segments map the desired bytes into virtual memory, as these segments are always aligned with the virtual memory pages. The data structure contains various sections of data which are mapped through the segments defined in the load structure. Usually, there are text and data segments. For example, considering Objective-C, there are segments defined as __OBJC which are private to the Objective-C compiler. The internals of the Mach-O format can be read here [1]. Figure 1 shows the generic layout of the iPhone architecture.

The application binaries (Mach-O format) are encrypted in nature when they are retrieved from the Apple store. In order to perform source code analysis, these files are required to be decrypted by the process of reverse engineering.

Figure 1. iPhone architecture
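The three-part layout described above (header, load commands with their segments, data mapped through those segments) is easiest to see by walking a file. The parser below is an added example written for this page, not code from the paper or from reference [1]: it reads the header for either endianness and word size, lists the segments with their memory protection bits, and reports whether an LC_ENCRYPTION_INFO command still marks the binary as App Store encrypted, which is the condition under which source-level analysis cannot proceed. Constant values come from Apple's loader.h; the sample binary built by `build_sample_arm_binary` is constructed for the demonstration and is not a real application.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Values from <mach-o/loader.h>
MH_MAGIC, MH_CIGAM, MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACE, 0xCEFAEDFE, 0xFEEDFACF, 0xCFFAEDFE
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPES = {7: "x86", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}


@dataclass
class Segment:
    name: str
    vmaddr: int
    vmsize: int
    fileoff: int
    filesize: int
    initprot: int
    nsects: int

    def prot(self) -> str:
        """Memory protection as rwx from the VM_PROT_* bits (1=read, 2=write, 4=execute)."""
        return "".join(c if self.initprot & bit else "-" for c, bit in (("r", 1), ("w", 2), ("x", 4)))


@dataclass
class MachO:
    is_64: bool
    endian: str                     # struct prefix: "<" little-endian, ">" big-endian
    cputype: str
    filetype: int
    ncmds: int
    segments: List[Segment] = field(default_factory=list)
    cryptid: Optional[int] = None   # None: no LC_ENCRYPTION_INFO command present at all

    @property
    def encrypted(self) -> bool:
        # A non-zero cryptid means __TEXT is still App Store encrypted and cannot be analysed yet
        return bool(self.cryptid)


def parse_macho(data: bytes) -> MachO:
    """Parse the header plus the load commands that describe segments and encryption."""
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (FAT_MAGIC, FAT_CIGAM):
        raise ValueError("fat binary: select one architecture slice first")
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"                # magic read 'backwards' as little-endian: file is big-endian
    else:
        raise ValueError("not a Mach-O file")
    is_64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    hdr_fmt = endian + ("IiiIIIII" if is_64 else "IiiIIII")   # 64-bit header carries a reserved word
    hdr_size = struct.calcsize(hdr_fmt)
    _, cputype, _, filetype, ncmds, sizeofcmds = struct.unpack(hdr_fmt, data[:hdr_size])[:6]
    mo = MachO(is_64, endian, CPU_TYPES.get(cputype, hex(cputype)), filetype, ncmds)

    off, end = hdr_size, min(len(data), hdr_size + sizeofcmds)
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack(endian + "II", data[off:off + 8])
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command with bad cmdsize")
        body = data[off + 8:off + cmdsize]
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            fmt = endian + ("16sQQQQiiII" if cmd == LC_SEGMENT_64 else "16sIIIIiiII")
            if len(body) < struct.calcsize(fmt):
                raise ValueError("segment command too short")
            name, vmaddr, vmsize, fileoff, filesize, _maxprot, initprot, nsects, _flags = \
                struct.unpack(fmt, body[:struct.calcsize(fmt)])
            mo.segments.append(Segment(name.rstrip(b"\0").decode("ascii", "replace"),
                                       vmaddr, vmsize, fileoff, filesize, initprot, nsects))
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, mo.cryptid = struct.unpack(endian + "III", body[:12])
        off += cmdsize
    return mo


def is_macho(data: bytes) -> bool:
    try:
        parse_macho(data)
        return True
    except ValueError:
        return False


def build_sample_arm_binary(big_endian: bool = False) -> bytes:
    """Constructed minimal 32-bit ARM executable: __TEXT r-x, __DATA rw-, cryptid=1 (App Store style)."""
    e = ">" if big_endian else "<"

    def seg(name: bytes, vmaddr: int, vmsize: int, fileoff: int, filesize: int, prot: int) -> bytes:
        body = struct.pack(e + "16sIIIIiiII", name, vmaddr, vmsize, fileoff, filesize, prot, prot, 0, 0)
        return struct.pack(e + "II", LC_SEGMENT, 8 + len(body)) + body

    cmds = (seg(b"__TEXT", 0x1000, 0x2000, 0, 0x2000, 5)
            + seg(b"__DATA", 0x3000, 0x1000, 0x2000, 0x1000, 3)
            + struct.pack(e + "IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x1000, 1))
    # cputype 12 = ARM, cpusubtype 9, filetype 2 = MH_EXECUTE, three load commands
    return struct.pack(e + "IiiIIII", MH_MAGIC, 12, 9, 2, 3, len(cmds), 0) + cmds


def summarize(data: bytes) -> dict:
    mo = parse_macho(data)
    return {"arch": mo.cputype, "bits": 64 if mo.is_64 else 32,
            "segments": {s.name: s.prot() for s in mo.segments}, "encrypted": mo.encrypted}


if __name__ == "__main__":
    print(summarize(build_sample_arm_binary()))
```

Every `cmdsize` is bounds-checked against `sizeofcmds` and the file length before the body is sliced, so a truncated or corrupted binary raises `ValueError` instead of reading past the buffer; fat (universal) files are rejected because the per-architecture slice has to be selected first.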


DFU and Jailbreaking

Device Firmware Upgrade (DFU) mode allows the user to restore factory defaults by restoring the operating system. However, this mechanism has been exploited with robust exploits in order to thwart the inherent sandbox. The complete process is applied under jailbreaking, which allows attackers to circumvent the Data Protection Framework (DPF). As a result of this, it becomes easy to run Objective-C code on the device, as the entire application layer protection gets demolished by the jailbreaking process.

Jailbreaking [2] is an important step from a testing perspective if the application has to go under the reverse engineering process. As the designed application runs only on the required architecture (ARM), it is ineffectual to try to run these applications on the local machine or even on the simulator for reverse engineering purposes using GDB. The best way is to perform jailbreaking (exploits are available in public) and then debug that application in order to perform implicit analysis. For normal and regular use it is advisable to avoid jailbreaking; for testing purposes, however, the penetration tester or reverse engineer has to go to the core of the device to perform legitimate testing steps. Jailbreaking requires specific steps to be performed, as discussed here [3]. One should be sure whether the jailbreaking exploit performs a tethered [4] or an untethered jailbreak (this depends on the bootrom version in use), which might impact the running state of your iPhone. After jailbreaking, requisite utilities such as GDB, GCC etc. must be installed. For example, using redsn0w to perform a jailbreak loads only SSH as the main utility for rooting the iPhone. Once Cydia is installed, use the default repository to install other tools. Cydia has the aptitude package downloader. Always choose the developer or hacker profile in Cydia while jailbreaking.

Scrutinizing the iPhone Backup Process

The iPhone device follows a defined backup process. However, with changes in iOS and iPhone versions, there are certain developments that have taken place in creating backup files. Generally, when an iPhone is attached to the computer and iTunes is running, the software by default performs some backup operations and creates some backup files. These files are used extensively for forensic investigations and contain fruitful information. A new entry is created every time a device is synced with the laptop, at the location /Users/[username]/Library/Application Support/MobileSync/Backup/ on Mac OS X or C:\Documents and Settings\USERNAME\Application Data\Apple Computer\MobileSync\Backup on Windows. The backup path may vary depending upon the operating system. The backup directory contains some index files, property files (plist) and manifest (mbdb, mbdx) files. This might vary with different iOS versions. The primary files that need attention are the manifest files having extensions such as mbdb and mbdx. Simply editing these files might give you some clear-text information, but that is incomplete in nature. The best way is to use the iPhonebackupdb.py [5] script in order to process the files automatically.

Fuzzing Endpoint Communication

Every application requires endpoint communication, which involves both port 80 and port 443. Certain large-size applications work in a distributed environment. It means that the application does not communicate using a single endpoint; rather, data is transacted from multiple endpoints by using a dual channel. The fuzzing should encompass the different scenarios discussed below:

• For HTTP-specific communication fuzzing, use any HTTP proxy such as Charles, WebScarab, Fiddler or Burp to perform fuzzing of the different implicit parameters in the request. As discussed earlier, the server might fetch data from other nodes in the communication channel. Thus, all the nodes must be verified against the type of data. When evaluating a client-server iPhone application, both the server and the client should be tested (fuzzed). Always verify whether both endpoints are secure. It has been noticed that most vendors are implementing input validation only at the client side and, as a result, are vulnerable to injection attacks when a request is issued directly to the server.
• For aggressive testing, fuzzing local files (application-specific files) can be used to instrument the application for automated brute-force purposes, as well as for abusing other application-specific features.
• For effective penetration testing, a raw HTTP agent such as cURL should be used to send custom queries to different endpoints from the jailbroken iPhone, in order to utilize the device resources and session rather than setting up a network proxy and routing traffic out of it. This is a very effective step for fuzzing endpoints. It also mimics the way a malicious application on the iPhone device would attack a legitimate application.
• All the endpoints must be verified against the strength of the deployed SSL. One should not concentrate on testing a single endpoint for SSL stability.

Endpoint fuzzing is very critical to determine the strength of the application from a behavioral perspective.
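The first bullet's finding, validation implemented only in the client, is the failure mode an endpoint test is meant to surface. The example below is added here and is not code from the paper: it models an app-side check that never executes when a request is sent straight to the server with a raw HTTP agent, an endpoint that trusts that check and splices the parameter into SQL, and the hardened endpoint that validates on the server and binds the value as a query parameter. The in-memory SQLite table, the username rule and the example values are constructed for the demonstration.

```python
import re
import sqlite3
from typing import List

# Server-side rule for the parameter (assumed for the example): short lowercase handles only
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def client_side_check(username: str) -> bool:
    """The check the iPhone app performs before sending the request.
    It never runs when the request is issued directly to the server (cURL, or another
    application on the same device), so on its own it protects nothing."""
    return bool(USERNAME_RE.match(username))


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the server's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Endpoint that trusts the client: the value is spliced into SQL exactly as received."""
    query = f"SELECT email FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened endpoint: validates on the server AND binds the value as a parameter."""
    if not USERNAME_RE.match(username):
        raise ValueError("rejected: username fails server-side validation")
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (username,))]


def server_accepts(conn: sqlite3.Connection, username: str) -> bool:
    """True when the hardened endpoint processes the value, False when it rejects it."""
    try:
        lookup_safe(conn, username)
        return True
    except ValueError:
        return False


def demo() -> dict:
    conn = make_db()
    direct = "x' OR '1'='1"        # a value the app's own UI would never let through
    return {
        "client_check_blocks_it": not client_side_check(direct),
        "unsafe_rows_for_direct_request": len(lookup_unsafe(conn, direct)),
        "safe_endpoint_accepts_it": server_accepts(conn, direct),
        "safe_rows_for_alice": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the test should record is not that the client check exists but that `lookup_unsafe` returns every row for a value the client would have refused, while `lookup_safe` rejects it before the query is built; both server-side validation and parameter binding are kept, since the allowlist documents intent and the binding holds even if the rule is later relaxed.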


Listing 1. iPhone applications revealing sensitive information

    GET /e0/temp.php?check=1&...
    Host: a.example.com
    Referrer: http://third-party.com/OSN-ID
    Cookie: uuid=cf07qb76f47b34563389f27a9ae1d391

    GET /temp.php?d[sex]=m...
    Host: b.example.com
    X-Admob-Isu: IPHONE-UDID
    Cookie: uuid=cf07qb76f47b34563389f27a9ae1d391

    GET /?param=xxxxxxxx-xxxx-...&u=IPHONE-UDID
    Host: c.example.com
    User-Agent: Apache [Guess]

iPhone Data Leaking and Verification

The iPhone is prone to data leakage and privacy issues. The robustness of the application design and a legitimate iOS can prevent information leakage from the device and the system. From a penetration testing perspective, data leakage and privacy issues should be dealt with strongly. There is a certain specific set of information that must be verified. It includes the following.

Every device including the iPhone comes with a Unique Device Identifier (UDID), which is bound to the particular user when the device is sold in the market. It means the UDID provides information about the environment of the user, and developers or hackers can use this identifier to query other system information. The main concern relates to user monitoring, which includes browsing habits. It is strongly recommended that every application be tested against the usage of this identifier and its transaction with third-party services. Other critical information includes Personally Identifiable Information (PII), Online Social Network IDs (OSN-ID) and Location Identifiers (LID). Listing 1 shows the insecure implementation of user private information in an inappropriate manner.

A detailed study about online social privacy leakage has been conducted here [6], which shows exactly how mobile platforms reveal sensitive information.

Figure 2. Converted plist files in jailbroken iPhone

Tracing Properties (Plist) Files

The files with the extension plist are used in every iOS device to store preferences in the form of strings. The format of these files varies with Mac OS versions. It is possible that one encounters plist files in binary format or XML format. The binary format is chosen to parse the strings for robust application performance. If the files are present in the XML format, then it is fine; otherwise it is advisable to convert the binary format to XML format using the inbuilt Xcode tool (Property List Editor) or open source utilities (psutil), as presented in Figure 2.

Tracing IPSW and IPA Files

Files with the extension IPSW (iPad/iPhone Software) are the software update files that are used to upgrade programs and iOS firmware images on Apple devices. Basically this is a software updating package which is bundled as a zip file. It is easy to change the .ipsw extension to .zip and then unzip it to get the files in an unbundled state. These files are located at Mac OS X: [user]/Library/iTunes/iPhone Software Updates/ and Windows XP: \Documents and Settings\[username]\Application Data\Apple Computer\iTunes\iPhone Software Updates\. The unzipped archive contains .DMG files, which are an updated version of .IMG. The .DMG files are encrypted in nature and can be differentiated based on the size of the DMG. If the size of the DMG file is large, then it must be the root file system file; otherwise these are ramdisk files. In order to decrypt DMG files, one can use the VFDecrypt [7] tool. This tool might give an issue on certain versions of Windows and CPU architectures. In addition to that, one can use the iDecrypt [8] tool, as presented in Figure 3. In order to decrypt it appropriately, the DMG key for the specific device is required. Luckily, it is provided with the tool and all the keys are listed in an XML file, as presented in Figure 4.

Files having the IPA (iPad/iPhone Application) extension are termed the updated versions of APP files. The IPA files store the application package for iPhone devices. Generally,
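The check Listing 1 calls for, verifying where an application sends identifiers such as the UDID, can be automated over captured requests. The following is an added example, not code from the paper: it parses raw HTTP/1.x requests, looks for identifier-shaped values (a 40-hex-character UDID, a UUID, a 32-hex-character token) in the query string, the Cookie header and the remaining headers, and reports each one together with whether the destination host is outside the application's own domains. The sample requests are constructed to mirror the shape of Listing 1 with made-up identifier values, `ads.third-party.invalid` is a placeholder host, and the header names beyond `X-Admob-Isu` are assumed.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# Identifier shapes worth tracking; the 40-hex form is the device UDID discussed above
ID_PATTERNS = {
    "udid-40hex": re.compile(r"\b[0-9a-f]{40}\b", re.I),
    "uuid": re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I),
    "hex32-token": re.compile(r"\b[0-9a-f]{32}\b", re.I),
}
# Header names known to carry a device identifier: X-Admob-Isu is in Listing 1, the others are assumed
ID_HEADERS = {"x-admob-isu", "x-udid", "x-device-id"}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into method, request-target and lower-cased header map."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln]
    method, target = lines[0].split(" ")[:2]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(value: str):
    """Return the identifier kind found in value, or None (checked longest-first)."""
    for kind, pattern in ID_PATTERNS.items():
        if pattern.search(value):
            return kind
    return None


def audit_request(raw: str, first_party: Set[str]) -> List[dict]:
    """List every identifier-like value in the request and where it travels."""
    _method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    findings: List[dict] = []

    def note(where: str, name: str, value: str) -> None:
        kind = classify(value)
        if kind or name in ID_HEADERS:
            findings.append({"host": host, "third_party": host not in first_party,
                             "where": where, "name": name, "kind": kind or "known-id-header"})

    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        note("query", name, value)
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            note("cookie", name, value)
    for name, value in headers.items():
        if name not in ("host", "cookie"):
            note("header", name, value)
    return findings


def third_party_leaks(raws, first_party: Set[str]) -> List[dict]:
    """Only the findings that leave the application's own domains."""
    return [f for raw in raws for f in audit_request(raw, first_party) if f["third_party"]]


SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"   # constructed, not a real device
SAMPLE_REQUESTS = [
    # first-party call: the app's own backend receives a 32-hex token in a cookie
    "GET /e0/temp.php?check=1 HTTP/1.1\r\nHost: a.example.com\r\n"
    "Cookie: uuid=cf07ab76f47b34563389f27a9ae1d391\r\n\r\n",
    # third-party call shaped like Listing 1: UDID in the query and a header, token in the cookie
    f"GET /temp.php?d[sex]=m&u={SAMPLE_UDID} HTTP/1.1\r\nHost: ads.third-party.invalid\r\n"
    f"X-Admob-Isu: {SAMPLE_UDID}\r\nCookie: uuid=cf07ab76f47b34563389f27a9ae1d391\r\n"
    "User-Agent: SampleApp/1.0\r\n\r\n",
]
FIRST_PARTY = {"a.example.com", "b.example.com", "c.example.com"}

if __name__ == "__main__":
    for finding in third_party_leaks(SAMPLE_REQUESTS, FIRST_PARTY):
        print(finding)
```

Run over a proxy capture of a whole session, the `third_party` flag separates the identifiers the backend legitimately needs from those that travel to advertising or analytics hosts, which is exactly the transaction with third-party services the text says every application should be tested for.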
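The two inspection steps above, converting binary plists to XML and unpacking an IPSW as a zip and sorting its DMG members by size, are combined in one added example below; it is not code from the paper and uses Python's standard `plistlib` and `zipfile` rather than the Xcode or command-line tools the text names. The `.ipsw` built by `build_sample_ipsw` is a constructed stand-in (dummy DMG blobs of different sizes and a binary `Restore.plist` with placeholder values), so the size ranking and the plist decoding can be exercised offline; DMG decryption itself is outside what this example does.

```python
import io
import plistlib
import zipfile
from typing import Any, Dict

BPLIST_MAGIC = b"bplist00"      # leading bytes of every binary property list


def is_binary_plist(data: bytes) -> bool:
    return data.startswith(BPLIST_MAGIC)


def binary_plist(obj: Any) -> bytes:
    """Serialise an object as a binary plist (used here only to build sample input)."""
    return plistlib.dumps(obj, fmt=plistlib.FMT_BINARY)


def plist_to_xml(data: bytes) -> str:
    """XML form of a plist; binary input is converted, XML input is re-serialised."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML).decode("utf-8")


def inspect_ipsw(ipsw_bytes: bytes) -> Dict[str, Any]:
    """Treat the .ipsw as the zip it is: rank DMG members by size and decode plist members."""
    with zipfile.ZipFile(io.BytesIO(ipsw_bytes)) as zf:
        dmgs = sorted(((info.filename, info.file_size) for info in zf.infolist()
                       if info.filename.lower().endswith(".dmg")),
                      key=lambda item: item[1], reverse=True)
        plists: Dict[str, Any] = {}
        for info in zf.infolist():
            if info.filename.lower().endswith(".plist"):
                raw = zf.read(info.filename)
                plists[info.filename] = {"binary": is_binary_plist(raw), "data": plistlib.loads(raw)}
    return {
        "root_filesystem": dmgs[0][0] if dmgs else None,   # largest DMG, per the size heuristic in the text
        "ramdisks": [name for name, _ in dmgs[1:]],
        "dmg_sizes": dict(dmgs),
        "plists": plists,
    }


def build_sample_ipsw() -> bytes:
    """Constructed stand-in for a real .ipsw: a binary Restore.plist plus three dummy DMG blobs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Restore.plist", binary_plist({"ProductType": "sample-device",
                                                   "ProductVersion": "0.0-sample"}))
        zf.writestr("rootfs-sample.dmg", b"\0" * 4096)   # would be the (encrypted) root file system
        zf.writestr("ramdisk-a.dmg", b"\0" * 512)        # the smaller members: ramdisks
        zf.writestr("ramdisk-b.dmg", b"\0" * 256)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_ipsw(build_sample_ipsw())
    print(report["root_filesystem"], report["ramdisks"])
    print(plist_to_xml(binary_plist({"ProductType": "sample-device"})))
```

`plistlib.loads` detects the binary form by itself, so the same function handles plists pulled from a jailbroken device as well as those inside the update package; `is_binary_plist` is kept separate so a report can state which files needed conversion.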


classes which should be verified in every penetration testing project. This set of issues has been derived on the same benchmark as web applications, but in reality there is a difference in security testing due to the architecture and deployment environment of the applications. In any case, the top 10 mobile risks should be incorporated into the methodology of iPhone testing.

During the course of this paper, it has been shown that there are a lot of developments that have taken place in the iOS world, and testing should be executed accordingly. In the past, iPhone testing has been done in relation to specific scenarios, but nowadays iPhone applications require more aggressive testing to ensure security.

Acknowledgement

I would like to thank Itzik Kotler (CTO, Security Art) for reviewing the paper and providing deep insight into iPhone penetration testing. I would also like to thank Dr. Richard J. Enbody for providing continuous support in doing security research.

Conclusion

The world is changing fast due to the mobile revolution. This paper deliberated upon the iPhone architecture from the perspective of penetration testing. The architecture plays a crucial role in developing security testing methodologies. In this paper, detailed iPhone security testing vectors have been discussed, which include testing of data at rest, decrypting files and insecure design practices followed by application developers. For a fully matured security assessment of iPhones, all the discussed vectors should be tested appropriately so that secure applications can be developed.

ADITYA K SOOD
Aditya K Sood is a Senior Security practitioner, researcher and PhD candidate at Michigan State University. He has already worked in the security domain for Armorize, COSEINC and KPMG. He is also a founder of SecNiche Security Labs, an independent security research arena for cutting edge computer security research. He has been an active speaker at industry conferences and has already spoken at RSA, HackInTheBox, ToorCon, HackerHalted, Source, TRISC, AAVAR, EuSecWest, XCON, Troopers, OWASP AppSec US, FOSS, CERT-IN (07) etc. He has written content for HITB Ezine, Hakin9, ISSA, ISACA, CrossTalk, Usenix Login, and Elsevier journals such as NESE and CFS. He is also a co-author for Debugged magazine.


AndroidManifest.xml. An important point to understand is that simply locating a vulnerability, developing an exploit, and triggering the exploit does not guarantee full access to the smartphone. However, even minimal permissions may allow an attacker the ability to collect valuable information about the victim.

Since not all penetration testers have the time to conduct vulnerability analysis and write an exploit, it is important to note that other options are available that allow a quicker assessment of the target environment. At DefCon 19, Zimperium unveiled the Android Network Toolkit, which is available from the Android Market free of cost (there is a $10 corporate version). The toolkit allows a penetration tester to scan the network, check for un-patched phones, and fire older exploits, with the ultimate goal of arbitrary code execution. Another resource available to a penetration tester is the availability of free and usable exploits from public repositories such as Exploit Database (Figure 3), http://www.exploit-db.com. With these access methods available to penetration testers, why even bother analyzing Android malware?

Why analyze Android malware?
This article is not stating that malware analysis is necessarily part of the pentesting discipline. Rather, this article is trying to point out the importance of using other disciplines to increase the effectiveness of penetration testing. Many in the security field are quick to undervalue the study of malware unless it reveals the initial attack vector, as they are mostly concerned with how the penetration occurred. Once they identify the attack vector, apply countermeasures, and clean up after an attack, they move on without ever conducting in-depth analysis of any malware placed on the network. This often occurs due to one or a combination of reasons such as limited manpower, time constraints, and lack of a malware analysis skill set.
While these are all valid problems, not reviewing malware is a flawed approach, as malware can reveal more than some in the security field understand.

Figure 3. Example of exploits available at Exploit Database
Figure 4. Android SDK and AVD Manager

When conducting a penetration test to evaluate the security of a network or an aspect of the network, why wouldn't you test the security in the way it is actually going to be tested? Regardless of the network, the security mechanisms in place will eventually be tested by an attacker. The attack may not be targeted; in fact it may be an attempted drive-by exploit, a user falling for a phishing attack, or simply a user downloading an application with a malicious payload. Malware analysis provides a means of understanding the attack vector, the intent of the attack, possible persistence mechanisms, its ability to propagate through the network, and its sophistication level. All of this intelligence can be leveraged to build improved tests to be used during a penetration test, to ensure that networks are being tested in a realistic manner.

Malware analysis will not usually provide the initial attack vector, but it can reveal how the attacker operates, and this is a very important piece of the puzzle. Malware analysis can provide details of all of the functionality previously listed and insight into how attackers are evolving as security measures are put in place to mitigate threats. Google is aggressive about removing malicious applications from the


FOCUS

Market (which is a huge attack vector), so attackers have developed ways to extend the life of an attack. Tim Wyatt of Lookout writes: "Lookout has identified a new Android Trojan, GGTracker, which is automatically downloaded to a user's phone after visiting a malicious webpage that imitates the Android Market. The Trojan is able to sign up a victim to a number of premium SMS subscription services without the user's consent. This can lead to unapproved charges to a victim's phone bill."

Another advancement in malware is a new threat to devices running Google's Android mobile operating system that builds on earlier Android Trojans examined by CA Security: it unleashes payloads which log incoming and outgoing call details and durations in a text file, according to researcher Dinesh Venkatesan. These are examples of how malware is growing in sophistication, and they are only a sign of things to come as security becomes tighter. The information gained by thorough malware analysis is vital in understanding what threats are present today, and allows penetration testers to replay cutting-edge attacks to ensure the end customer is protected.

How do you Analyze Android Malware?
Analyzing a piece of Android malware can be less complicated than analyzing other types of malware. This is because the analysis environment is rather simple to set up and the Dalvik Executables (.dex) can be decompiled to a readable language.

Table 1. Android malware analysis tools

Name of Tool       Tool Functionality        Link
Dex2Jar            Disassembler              http://code.google.com/p/dex2jar/
Dexdump            Disassembler              http://developer.android.com/sdk/index.html
Dedexer            Disassembler              http://dedexer.sourceforge.net/
Smali/Baksmali     Assembler/Disassembler    http://code.google.com/p/smali/
ApkTool            Decompiler                http://code.google.com/p/android-apktool/
Java Decompiler    Decompiler                http://java.decompiler.free.fr/
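As an added illustration (not code from the article, nor from any of the tools in Table 1), the script below performs the kind of first-pass triage that decompiled output makes possible. It reads a decoded AndroidManifest.xml in the form ApkTool writes it and .smali text in the form Baksmali prints it, then pairs the permissions the application declares with the API calls that need them. That pairing is what separates the premium-SMS behaviour described above (SEND_SMS together with SmsManager.sendTextMessage, plus a high-priority SMS_RECEIVED receiver that can swallow the subscription confirmation) from an application that merely asks for a scary permission. The manifest and smali snippets are constructed samples, and the function names and severity labels are mine.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a decoded AndroidManifest.xml, in the form apktool emits.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakemarket">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Market Update">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed lines in the form baksmali prints them (short code is a dummy value).
SAMPLE_SMALI = """
.method private subscribe()V
    const-string v1, "00000"
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method

.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    invoke-virtual {p0}, Lcom/example/fakemarket/SmsReceiver;->abortBroadcast()V
    return-void
.end method
"""

# API calls that matter for this pattern, and the permission each needs at runtime.
SUSPICIOUS_CALLS = {
    "Landroid/telephony/SmsManager;->sendTextMessage": "android.permission.SEND_SMS",
    "->abortBroadcast()V": "android.permission.RECEIVE_SMS",
}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def manifest_permissions(manifest_xml):
    """Permission names requested by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def sms_receiver_priority(manifest_xml):
    """Highest priority of an intent-filter for SMS_RECEIVED, or None if absent."""
    root = ET.fromstring(manifest_xml)
    best = None
    for flt in root.iter("intent-filter"):
        if SMS_RECEIVED not in {a.get(ANDROID_NS + "name") for a in flt.iter("action")}:
            continue
        prio = int(flt.get(ANDROID_NS + "priority", "0"))
        best = prio if best is None else max(best, prio)
    return best


def smali_calls(smali_text):
    """Method references invoked anywhere in the smali text."""
    return set(re.findall(r"invoke-\S+ \{[^}]*\}, (L\S+)", smali_text))


def triage(manifest_xml, smali_text):
    """Pair declared permissions with the calls that use them.

    Returns (severity, description) tuples, most severe first.
    """
    perms = manifest_permissions(manifest_xml)
    calls = smali_calls(smali_text)
    findings = []
    for pattern, needed in SUSPICIOUS_CALLS.items():
        if not any(pattern in c for c in calls):
            continue
        if needed in perms:
            findings.append(("HIGH", f"{pattern} invoked and {needed} declared"))
        else:
            findings.append(("INFO", f"{pattern} invoked but {needed} not declared"))
    prio = sms_receiver_priority(manifest_xml)
    if prio is not None and prio >= 1000:
        findings.append(("MEDIUM", f"SMS_RECEIVED receiver at priority {prio} can read and "
                                   f"abort incoming SMS before the messaging app sees them"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))


if __name__ == "__main__":
    for severity, text in triage(SAMPLE_MANIFEST, SAMPLE_SMALI):
        print(f"[{severity}] {text}")
```

Run against the output directories of ApkTool and Baksmali, this replaces the sample constants with the decoded manifest and the concatenated .smali files; a receiver that both holds RECEIVE_SMS and calls abortBroadcast() at maximum priority is the piece that keeps the victim from ever seeing the premium-service confirmation message.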
To begin, pick the OS of your choosing (the following instructions will successfully build an environment for Windows XP SP3 32-bit). Since Android applications are written in Java, download and install the JDK from http://www.oracle.com/technetwork/java/javase/downloads/index.html. After the installation of the JDK, the Android Software Development Kit (SDK) can now be downloaded and installed. (Note: the JDK, not just the Java Runtime Environment, is necessary for proper installation of the Android SDK.) The Android SDK can be found at http://developer.android.com/sdk/index.html.

Once the Android SDK has been successfully installed, navigate to the Android SDK and Android Virtual Device (AVD) Manager, select Available Packages and install the SDK for the version of Android desired (see Figure 4). Next, a virtual device must be created using the AVD Manager. This can be done by selecting a name (just for user reference) and selecting a target, which will be a version of Android that you installed the SDK for.

Rather than using an actual phone to analyze the malware, which will in turn likely infect the phone, an emulator provides the same functionality while running safely in the virtual analysis environment. The emulator inside the analysis environment mitigates the risk of analyzing the sample and can save time over connecting to hardware. To start the emulator, open a command prompt, navigate to the android-sdk\platform-tools directory and run the following command:

emulator-arm.exe –avd <name of the AVD created above>

Figure 5. Android emulator

If successful, the emulator window will appear (Figure 5). (Note: The emulator can be slow and may take a while to appear.) At this point a simulated


smartphone running the version of Android you selected is active within the analysis environment; now the malicious application can be loaded. This is accomplished using adb and issuing the following command:

adb.exe install <sample>

(Note: Replace sample with the title of the malware sample you are analyzing.)

Table 1 lists (not comprehensively) free tools available for Android malware analysis, to aid during the examination of a malware sample.

Many in the security field view malware analysis as the reactive response to an attack, but the opposite approach can be taken to help mitigate damages before an attack happens. Penetration testers can analyze malware, or use malware analysis results, to understand what an attacker is after, the persistence mechanisms, propagation techniques, and advanced methods being utilized. This intelligence allows penetration testers to replay real-world attacks and ensure the highest quality results are provided to the customer.

CORY ADAMS
Cory Adams has been in the information security field for over 7 years. He is currently a Reverse Engineer with a Fortune 100 company. He specializes in malware analysis as well as vulnerability analysis. Follow Cory on Twitter @SeedyAdams.


Mobile Application Security Testing
Mobile apps are more than the sum of their components

Thriving vendor marketplaces (such as iTunes and the Android store) encourage the rapid development and deployment of mobile applications to consumers and businesses alike. Additionally, alternative 3rd-party download and install markets open up as software writers seek opportunities outside the walled gardens provided by the mainstream stores.

Having your software purchased and downloaded by millions of people worldwide has long been the holy grail of mobile software developers, but it also attracts the attention of fraudsters who recognize the accessibility and lack of security features of these platforms. The mobile platform opens several attack avenues for malicious software and opportunities to defraud victims due to its lax control mechanisms and lack of standardization of the user experience offering. Therefore, mobile applications should be designed, developed, and tested with security in mind, much like web applications that handle sensitive information.

The design and development of mobile applications is significantly different to that of traditional client-server or web applications. Mobile applications should take into account both the environment (platform, libraries, capabilities) and major differences in end-user expectations.
Mobile users demand a simple user experience (in terms of details), and often require completely different business processes compared with other interaction channels.

Security Challenges
There are two main security challenges to mobile applications that stem from their usage and limitations:
• Insecure Connections
• Simplified User Experience

Insecure Connections
Mobile devices are used in a number of unknown and often insecure connection profiles (from public Wi-Fi, through rogue cells that proxy communication). This makes them vulnerable to simple attacks not considered in the threat modeling of a traditional web application. Additionally, insecure communications are often used to overcome platform limitations and design considerations such as battery consumption profiles, processing speed, and communication overhead.

Insecure communications for mobile applications expose several exploitation avenues (including local and remote), and enable fraudulent application creation using extremely simple tools and techniques that are freely available in the market. This not only puts the end user at risk of data loss, but also allows attackers an easy access path into the organization that provides services through the mobile applications. Any foreign code that runs on the mobile platform has the potential to alter the user experience and manipulate the locally stored data as well as the data in transit. Thus fraudsters gain a prime opportunity to conduct their attacks.


Simplified User Experience
The user interface provided by mobile applications differs wildly from other interfaces provided for end users. It aims to provide a simpler and more interactive experience. Many times it actually changes the application logic behind the business process, with the potential to undermine the integrity of even the most robust existing software processes.

Mobile Application Secure Design and Development
There are a few ways to deal with these challenges when approaching a secure mobile application testing project:
• Mobile Application Penetration Testing
• Fraud/Usability Testing

Mobile Application Penetration Testing
Mobile applications should be evaluated and tested against attacks that take advantage of the exposed exploitation avenues, both local and remote. In order to even start such testing, a mobile application testing lab is required, which usually consists of a development PC for disassembling and simulating the application runtime in a contained environment, a mobile device (preferably rooted, in order to allow closer inspection of the application in its native environment), and a network that would simulate both the WiFi and the cellular connectivity.

The mobile application and its corresponding server-side components should be tested as part of the penetration test, which covers both traditional issues (such as SQL injection and the OWASP Top 10 vulnerabilities) and custom fuzzing of any proprietary protocols, full analysis of the communications, and any logical issues in the application design and implementation.

One major area of focus should be the seemingly trivial elements of the communication models used by the applications. Issues such as establishing secure communications over an encrypted channel are overlooked too often.
Figure 1. The different scopes that mobile application security should deal with, as opposed to the common approach where the focus is set almost exclusively on the application itself

Situations such as improper verification of certificate chains, and the lack of user notification combined with a fail-open approach that naively ignores such errors, leave mobile applications open to man-in-the-middle attacks that would raise many alarms on a web application.

An additional element that should be looked into is the kind of media that the application considers as trusted. Many times, sensitive applications do not treat WiFi connections any differently from 3G ones. Moreover, in an attempt to provide a better user experience, switching from one medium to another while keeping the session alive is often implemented in such applications. Obviously, there are different weights to the trustworthiness of a


cellular connection and a WiFi connection (and different weights within WiFi connections: from ad-hoc networks, through publicly accessible internet connections, to trusted home or office connections). Such behavior should also be examined when testing the mobile application, as one of the threats to a mobile application would be to force a user onto an insecure network, thus lowering some of the guards and native security features of a trusted network and enabling an attacker to take advantage of the accessibility of an open connection.

Fraud / Usability Testing
The kinds of attacks that a mobile platform allows differ from those used on PC platforms. They are sometimes more successful, as the user is less aware of the underlying components that allow the application to run. Examples such as local pharming, and exploiting mobile operating system capabilities (where a more secure alternative should have been provided by the application), are only a few of the attacks that are currently known to be highly effective in the wild.

Also, due to the business process changes mandated by the simplified mobile user interface, it is vital to verify that such business processes are still valid in terms of their correctness and security. A fraud/usability test should be conducted to find any loopholes or vulnerabilities in the processes or user interface handling.

When alternative business processes and workflows are chosen (to improve customer experience), it should be taken for granted that an attacker will gain access to such application workflows, so it is important to fully analyze any consequences and impacts of such access.

Alternative business flows are very common when testing mobile applications, and as testers we often find these supported through the same servers that provide the standard web user with business logic. Mapping out these services also exposes an additional attack vector, affecting not only mobile users but every user of the system (especially
when dealing with financially related processes).

Conclusion
It is important not to keep the focus/scope too narrow when approaching mobile application testing. Mobile applications are literally greater than the sum of their components: having the actual mobile platform to take into account, the usability issues that take precedence too often, the backend services that expose a lighter business process (often erring on the side of making it easier for users to authenticate or authorize activities), and the lack of transparency to the user in terms of the underlying security features they have grown accustomed to (such as an indication that the communication channel is encrypted at all) make mobile application testing a challenge of its own, and our job much more critical in pointing out gaps that would later turn out to be critical for the application author.

IFTACH IAN AMIT
Iftach Ian Amit brings over a decade of experience in the security industry, and a mixture of software development, OS, network and Web security expertise, as Vice President Consulting to the top-tier security consulting firm Security-Art. Prior to Security-Art, Ian was the Director of Security Research at Aladdin and Finjan. Ian has also held leadership roles as founder and CTO of a security startup in the IDS/IPS arena, and a director at Datavantage. Prior to Datavantage, he managed the Internet Applications as well as the UNIX departments at the security consulting firm Comsec. Ian is a frequent speaker at leading industry conferences such as BlackHat, DefCon, Infosec, Hacker-Halted, FIRST, BruCon, SOURCE, ph-neutral, and many more.
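The certificate-chain and fail-open problems described under Mobile Application Penetration Testing above are easy to show in code. The example below is added here and is not from the article or from any product; it uses Python's ssl module to contrast a client context that accepts any certificate with one that verifies the chain and the hostname, gives the audit a tester would run over a client's TLS configuration, and shows why a silent fail-open retry hands an interposed proxy the session while a fail-closed client surfaces the error. The connect function is a constructed stand-in for a real socket connect through such a proxy, and all names are mine.

```python
import ssl


def insecure_context():
    """The pattern the article warns about: the chain is not verified and the
    hostname is not checked, so any certificate an interceptor presents is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(ca_bundle=None):
    """Chain verified against the platform store (or a CA file shipped with the
    app), hostname checked, and no legacy protocol versions."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the weaknesses a tester would flag in a client's TLS configuration."""
    issues = []
    if not ctx.check_hostname:
        issues.append("hostname not checked: a valid certificate for any other name is accepted")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("chain not verified: self-signed and interceptor certificates are accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("legacy TLS versions allowed")
    return issues


def fail_open_fetch(connect, host):
    """The fail-open anti-pattern: on a verification error, silently retry
    without verification. The user is never told anything went wrong."""
    try:
        return connect(host, verified_context())
    except ssl.SSLCertVerificationError:
        return connect(host, insecure_context())


def fail_closed_fetch(connect, host):
    """The hardened form: a verification error ends the request and produces
    a message the UI can show instead of a session the proxy can read."""
    try:
        return connect(host, verified_context())
    except ssl.SSLCertVerificationError as err:
        raise ConnectionAbortedError(
            f"refusing to talk to {host}: certificate verification failed ({err})") from err


def simulated_mitm_connect(host, ctx):
    """Constructed stand-in for a connect through an interposed proxy that presents
    its own certificate: verifying clients fail, every other client gets a response."""
    if ctx.verify_mode == ssl.CERT_REQUIRED:
        raise ssl.SSLCertVerificationError("self-signed certificate in certificate chain")
    return f"200 OK (proxied response from '{host}')"


if __name__ == "__main__":
    for issue in audit_context(insecure_context()):
        print("insecure context:", issue)
    print("fail-open client got:", fail_open_fetch(simulated_mitm_connect, "api.example.com"))
    try:
        fail_closed_fetch(simulated_mitm_connect, "api.example.com")
    except ConnectionAbortedError as err:
        print("fail-closed client:", err)
```

When reviewing a real client, the audit_context checks map directly onto the things to grep for in the source (a custom trust manager that returns without checking, a hostname verifier that always succeeds, a catch block that retries); the fail-open path is the one that most often survives review because the application appears to work perfectly on the lab network.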


Attacking the Mobile Infrastructure
We will explore a few philosophies for attacking a mobile management infrastructure. The article will cover the differences in testing mobile stuff vs "everything else", as well as reusing some of the things you know to demystify the mobile world.

I would like to point out that I am by no means an expert in mobile devices or their management infrastructures. This article was as much a learning experience for me as a writing project. I chose, deliberately, not to make this a terribly technical article and more of a "how to approach this" article, because I think sometimes in our industry we get hopelessly lost in the "this will be so cool" that we forget the "this is the right, practical approach". Hope you enjoy.

As penetration testers we oftentimes get mired in trying to craft attacks and finding 0-days when we should be fixating on our jobs, that is, to provide an assessment of the security posture of a given system with practical scenarios. Though I see the value in crafting new attacks, I'm not sure it's the job of a traditional penetration tester, but that's another article. It's hard enough to resist that temptation when dealing with web applications and Windows systems that have been around forever and are pretty well understood, but throw in something new and our geek buzzers start buzzing overtime. Whenever we're asked to test some new thing, in this case a mobile infrastructure, out come the compilers and debuggers.
We should start by asking ourselves the most boring question possible: is this stuff really THAT different than what we're used to?

Mobile smart phones and tablets do have a few key differences that I wanted to outline:
• They are by and large single-user systems with root or admin restricted by default
• They run specialized operating systems but rely heavily on web interactions
• Often they aren't controlled or managed by IT; users bring in their personal phones for business use (we're not focusing on these)
• Tablets (well, the iPad anyway) are quickly becoming a great way to work from conference rooms, meetings, etc. They are really a hybrid between a smart phone and a laptop.

Now before we dig too much deeper I want to say that I'm not going to focus too much on attacking the phones/tablets themselves; there is quite a bit of research and work being done in those areas already and I doubt I could add much to it. I have always taken a more practical approach to penetration testing (right or wrong): I start with the simplest, widest-reaching techniques first, then move out to the more difficult methods of attack. I'm not discounting direct phone attacks, I just find them to be more of a pain


than they're worth. First you have to find a phone to target, which is usually on a person, hope they have it on, and then hope it's vulnerable to something you've prepared before. It's pretty difficult to craft an attack in just a few seconds as the target is walking by. I digress; the real gold is in the management infrastructure of these devices (where it exists), because most likely it contains all the information in the phone anyway. It's also probably a much easier and more practical target.

I'm also not going to focus on any one management infrastructure, as I would like to keep it generic enough to apply to as many as possible. As I looked at these various management tools, most of them seemed to have a few things in common. First, they're almost all web based with a database backend; does that sound new, exciting or cutting edge? I hope not. That's right though, most of these cutting edge, high end management infrastructures are simple web apps. Do we need to break out our compilers and start composing custom attacks yet? Probably not. Let's look at a few ways to approach the problem, without doing anything crazy.

Attacking the Front
Now that we have determined most of these are basically web apps, let's look at where we can hit this infrastructure the hardest: the management interface. If you have either been a penetration tester or a web application developer (I've been fortunate, I think, to have been both), then you know a dirty not-so-secret secret. Developers, administrators and IT management do not take management interfaces terribly seriously. If it's an inside-the-firewall test you are nearly guaranteed to find a few open admin interfaces, typically with default credentials. Of course I'm certain this won't happen with anything as important as a mobile management infrastructure, but just in case let's continue our attack on the front.

Theoretically every web application that interfaces with a database has a SQL Injection (SQLi) vulnerability of some sort. Bold statement?
Not really, just based on years of experience; I've met very few with no exploitable vulnerability. Fast forwarding though, let's say our management infrastructure has a SQLi vulnerability and we can insert records; let's look at all we can do with that. First and foremost we can probably enroll our own phone and figure out what the management infrastructure does to a phone. Second, we will be able to push our own malicious code to the entire enterprise. From a penetration testing perspective it's not going to get much better than that. Fortunately I'm sure all of these various infrastructures have undergone many rounds of security testing and hence it just won't be this easy. Moving on.

Attacking the Middle
A few things I noticed while taking my tour of the various management suites (aside from how cute all their names are) is that almost without exception they all included some sort of enterprise app store, though they gave them various names. This piqued my interest for several reasons outside of just attack vectors, though having an app store front-end presents us with the same vulnerabilities as the management system's admin interface. This one is interesting from a purely logistical perspective because I'm curious who is doing quality control on the apps getting pushed out. Can anyone submit an app? Most of the vendor websites weren't very clear on this matter and I was on a tight deadline. At any rate, the workflow in these systems would be very interesting to analyze. Like it or not (I don't particularly), Apple's policy of app review before app store submission probably catches most malware. More companies should take note for their enterprise mobile apps and adopt a similar policy, I think.
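To make the Attacking the Front scenario concrete (it applies just as well to the app-store front-end in Attacking the Middle), here is an added example that is not from the article and does not model any real product: a hypothetical device-enrollment handler backed by a SQLite table, written first by string concatenation and then with a parameterised statement. One injected device identifier both enrolls the attacker's own device and rewrites the profile pushed to every device already enrolled, which are exactly the two outcomes described above. The table layout, identifiers and payload are all constructed for the example.

```python
import re
import sqlite3


def build_db():
    """Constructed stand-in for a management database: enrolled devices and
    the configuration profile the server pushes to each of them."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (udid TEXT PRIMARY KEY, owner TEXT, profile TEXT)")
    db.executemany("INSERT INTO devices VALUES (?, ?, ?)",
                   [("A1", "alice", "corp-standard"), ("B2", "bob", "corp-standard")])
    db.commit()
    return db


def enroll_vulnerable(db, udid, owner):
    """Enrollment handler that builds its INSERT by string concatenation.
    executescript() stands in for a driver that accepts stacked statements."""
    sql = f"INSERT INTO devices VALUES ('{udid}', '{owner}', 'corp-standard')"
    db.executescript(sql)


def enroll_safe(db, udid, owner):
    """Same handler with a parameterised statement: the input can only ever be data."""
    db.execute("INSERT INTO devices VALUES (?, ?, 'corp-standard')", (udid, owner))
    db.commit()


def valid_udid(udid):
    """Defence in depth: reject identifiers that do not look like device IDs
    before they reach any query. The shape is an assumption for this example."""
    return re.fullmatch(r"[A-Za-z0-9-]{1,64}", udid) is not None


# One field of the enrollment request. It closes the udid literal, completes the
# INSERT with the attacker's own device, then appends an UPDATE that rewrites the
# profile pushed to every enrolled device; the trailing -- comments out the rest.
ATTACKER_UDID = ("EVIL1', 'attacker', 'corp-standard'); "
                 "UPDATE devices SET profile = 'attacker-profile'; --")


def fleet(db):
    """Every enrolled device as (udid, owner, profile), sorted for comparison."""
    return sorted(db.execute("SELECT udid, owner, profile FROM devices"))


if __name__ == "__main__":
    db = build_db()
    enroll_vulnerable(db, ATTACKER_UDID, "mallory")
    print("vulnerable handler:", fleet(db))
    db = build_db()
    enroll_safe(db, ATTACKER_UDID, "mallory")
    print("parameterised handler:", fleet(db))
    print("payload passes identifier check:", valid_udid(ATTACKER_UDID))
```

Even where the database or driver refuses stacked statements, the same concatenation lets the request choose the profile column for its own row, so the parameterised form is the fix and the identifier check is only a second line.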


At any rate, I think these enterprise app stores make excellent points of attack if you can get them to do what you want. That's a lot of ifs, because again I'm certain these things are tested beyond normal industry standards. Wait, they're not? Of course not, it's that dirty little not-so-secret secret again: you can't really restrict access to these app stores since every phone has to have access (this is the hard part of true mobility), and they're web applications, once again, so the same SQLi rules apply. This middle layer provides another great entry into the infrastructure, again if you can get it to do what you want.

Attacking the Mobility
One aspect of this that I was initially trying to avoid, but really can't be, is what I'll call the provider influence. Most enterprises (and if you're not sick of that word by the end of this article there is something wrong with you, and I'll tell you why at the end) choose a single provider; in the US it's Verizon, AT&T and a bunch of others. An interesting attack vector involving the vendor, but probably slightly harder, would be an attack on the provider's Over-the-Air (OTA) update system. Again, unless you want to end up in prison, this should remain a proximity attack on a known target you are authorized to test, and not be attempted on the provider as a whole.

This could be used to push out an update of your own ROM or firmware, etc. This is advanced attacking stuff and not something I would typically recommend, as I suspect the other methods would work just fine. I would use this one as sort of a last resort, but it is a major flaw I don't see considered by most of these enterprise management vendors. The provider influence might be the number one issue in the way of your mobile infrastructure security strategy. They tend to not like security much, for reasons far beyond the scope of this article.

Attacking the Proprietary
I and almost every security guy I know have pretty firmly embraced Open Source software, again for reasons beyond the scope of this article.
Simply put, a system must be able to be examined to be considered secure. It has to stand up to scrutiny. Every mobile management infrastructure I came across (I narrowed it down to three initially for this article) proudly touted its proprietary nature as providing extra security. When I hear this as a penetration tester I immediately start salivating; closed systems that say things like "we're enterprise and closed so we're better than everything else" just get me going. I asked for demo copies from all three, but all three said


they would be happy to give me a walk-through but that installable demos weren't available at this time. Again, a big red flag to me, especially when they all had a "try it now" button on their website. That's what I get for being honest, I guess. Anyway, the point is when a vendor touts their closed and proprietary nature and claims that as a feature, you should usually run the other way screaming or buy something else. The funniest part of this is I had easy access to an installable trial copy of Exchange (the granddaddy of mobile management with ActiveSync, etc.) and people say Microsoft isn't easy to work with. Exchange wasn't what I was looking for. Moving on.

Attacking the Backend (of the user)
So far we've attacked the front, back and various midsections but we've left the so-called backend alone. Only because I feel that these sorts of fire-bomb attacks in a penetration test are cheating, because often they're too simple and involve very little actual skill. All you need to do is trick the user into installing a piece of custom software and bam, game over. Send them an email forged to be from their IT director or boss ("install this or you're fired", or something more eloquent), wait for them to ignore the permissions warning most phones give you, and then sit back and collect data. Sounds easy? It is, but it's not much fun and it only proves that humans are often the weakest link. Everyone knows that already; get a real job. Sorry, that's just a pet peeve of mine.

The key difference here is that often these mobile phones aren't linked to any mobile management infrastructure, so you don't have a choice in attack vectors; it has to be the phone. Users would mostly never consider using their personal laptop for work, but often they'll choose to use a personal iPhone over a company-provided BlackBerry (come on, you would too), so as a result that iPhone isn't the property of the company and isn't managed by IT.
This creates a management nightmare for sure, and one that can be driven home more sharply by a proper penetration test. Imagine getting control of an iPad or phone that has VPN access into a corporate network but is personally owned by the user. That would probably turn a lot of executive heads and kick a mobile security program into high gear, I would hope.

Bonus: Using Your Smart Phone to Perform a Penetration Test
I'm not terribly sure how practical this is, but now you can even use your mobile phone as penetration test equipment. http://gitbrew.org/debdroid/ will show you the way. I plan to try this someday when I have some mobile gear to spare, but again I'm not really sure a mobile phone is beefy enough to handle some of the tools folks use; we'll see though.

The bottom line when pen testing a mobile management infrastructure is to really stick with what you know and aim for the largest payoff. Don't try to create some new hardware device plus write software for a two-week engagement when you can utilize a simple SQLi attack and own all the mobiles in the enterprise. Simpler is usually better. Proprietary and closed systems usually make very rich targets for simple attacks, and that, boys and girls, is what usually makes them enterprise.
Enterprise is typically just another word for closed, and as I've said they are also usually very brittle systems that have not been adequately scrutinized. If you have ever done one of those penetration tests where the client says "now stay away from that system, it will crash if you just port scan it", that system is usually considered Enterprise. Now go forth and test the mobile world; let me know what types of simple attacks worked for you and I'll reprint them here (fully credited of course).

BILL MATHEWS
Bill Mathews is co-founder and lead geek of Hurricane Labs, an information security firm founded in 2004. You can reach Bill @billford on Twitter and read other musings on http://blog.hurricanelabs.com


FOCUS

ToneLoc and Load
Useful For a Pentester?

When on average it takes less than half an hour to bypass the security of many voicemail systems and the rewards can be over £250,000 for a weekend's work, it's no wonder that phreaking telephone systems is enjoying a resurgence.

Written off by many as Old Hat or Lo Tech and definitely Belonging to the 1980's, does the Wardialler still have a place in the modern pen tester's toolkit?

I would suggest that this question is best answered by someone that is currently suffering from a Theft of Service attack against their PBX and is haemorrhaging cash at £30 to £40k per day.

The attack may not be new, the technology may have been around for many years but it is still very effective and increasingly popular.

Wardialling originally was the practice of dialling all of the telephone numbers in a range in order to find those which were answered with a modem. These days it is probably more accurate to say that the goal is to classify all the responses as accurately as possible; in fact if you visit the web sites for the last two war diallers in my brief timeline you will see that both make a point of saying that they can classify / attack PBX and voicemail systems.

Wardialling first came into the spotlight in the 1983 film War Games where David Lightman, the hacker, uses a wardialler, appropriately called the war games dialler, to unwittingly access WOPR, the supercomputer, which is programmed to predict possible outcomes of nuclear war, and he nearly starts World War III. As with most things to do with computing the original name just has to be shortened, so the war games dialler became the war dialler.

1993(ish) ToneLoc (http://downloads.securityfocus.com/tools/auditing/pstn/tl110.zip), short for Tone Locator, was created by Minor Threat and Mucho Maas. It is DOS-based but also runs on Win95+ platforms.
It dials numbers, and saves the login session to be viewed later.

1995 THC-Scan, the world's most used cross platform wardialler, was released and approximately 10 years later THC-Scan evolved into THC-Scan NG (Next Generation). Once again van Hauser created a masterpiece; TSNG was distributed – if you have a pool of 1000 modems, no problem! One master server could control a vast array of zombies allowing the war dialling to be controlled remotely. TSNG can be downloaded from http://thc.org/thc-tsng/.

1998 Sandstorm (now NIKSUN) released PhoneSweep, the Corporate War Dialler. PhoneSweep offered a safe platform (no hackers using it to distribute Trojans) which utilised a GUI interface running under Windows 95. PhoneSweep is still available (commercially) today. PhoneSweep offers three distinct modes, Connect, Identify or Penetrate, and is capable of classifying phones, faxes and modems in a single call utilising their patented Single Call Detect methodology. Additional product information is available from http://www.niksun.com/product.php?id=17.

2001 SecureLogix released version 3 of their Telesweep Wardialler. Telesweep offers both passive mode (the first call into a number is in voice mode – no tones are sent) and active mode where tones are sent immediately. Telesweep, like PhoneSweep, also has a penetration mode where it can carry out a dictionary attack against any suitable target that it locates. Telesweep is available for download from http://www.securelogix.com/modemscanner/index.htm.

The big problem with modem based wardiallers is that they are slow, a single modem being capable of around 40 calls per hour at best, so it can take a long time to dial through a complete number range.

iWar
iWar: https://www.softwink.com/iwar/ The intelligent War Dialler: Once again we have a system which is capable of controlling multiple modems, however iWar goes further; iWar is capable of supporting IAX trunks. This not only allows you to scan without any additional hardware but it also opens up the world of caller ID spoofing; additionally the use of IAX trunks gives an increase in call throughput.

WarVOX
WarVOX: http://warvox.org/ This is a rather unusual dialler in as much as there is no modem support at all; all calls are carried over IAX trunks. Now we get some serious throughput: a couple of trunks giving access to 40+ concurrent trunks would enable you to dial through a 10,000 number range within 3 hours. Another unusual aspect of WarVOX is that it uses the audio stream to classify the call, thereby allowing it to identify Voicemail boxes, IVRs, and PBXs, as well as modems and fax machines.

If you don't have access to an IAX trunk, don't worry. I have WarVOX running on a virtual machine with an Asterisk PBX (http://www.asterisk.org/asterisknow/) on another, the Asterisk PBX working as a bridge between IAX and any other type of trunk you like.
Or even WarVOX via IAX to Asterisk; Asterisk via SIP to your corporate PBX – now you can call out over your office telephone lines.

What are we detecting?

Obviously modems, potentially offering an unsecured method of accessing a network, but I am more interested in telephony than data, so what do I get?

Modems, remote access maintenance modems, to be more specific, many of which will have default or very basic passwords; with these I potentially have access to the telephone system programming interface. Additionally these remote maintenance modems may offer access to the administration interfaces of the entire telephony estate including such goodies as voicemail and IVR servers, centralised management servers and contact centres; the list is very nearly endless.

IVR and voicemail systems; many telephone system users, including administrators, are extremely lax with their password management, making voicemail an interesting source of both corporate and personal information; additional services may also be available through voicemail and IVR ports. On one 700 user system I audited 54 users had 1234 as a passcode, a further 37 had 1111. Another company's corporate policy was that the voicemail passcode MUST be the last four digits of your telephone number.

DISA (Direct Inward System Access) is a facility found on many different types of telephone system, although some manufacturers secure it by giving it a different name! DISA is a facility whereby you dial into the corporate telephone system, usually via a Direct Dial Number, and then you are presented with secondary dial tone, and in many cases this 'secondary dial tone' is totally unprotected. Once you have tone you dial 9 followed by any valid number and if you are connected, which 99 times out of 100 you will be, pwned!! You can now dial in and out of the system and mostly you can dial anything you want, be it mobile, international or premium rated numbers.

Why attack telephone systems?

Disclosure of information
Data disclosed without authorisation.
Examples include both eavesdropping on conversations and unauthorised access to voicemail messages.

Data modification
Data altered in some way by reordering, deleting or modifying it. For example, an intruder may change billing information, or modify system tables to gain additional services. Equally with VoIP traffic it may be possible to inject additional data into the audio stream; so there you are explaining to your partner how late you have to stay at work while the hacker injects audio from a night club.

Unauthorised access
Actions that permit an unauthorised user to gain access to system resources or privileges. For example, a group of Chelsea Football Club fans hacked into Manchester United's phone system and replaced their normal out of hours message with chants of We are the champions [1].

Denial of service
Actions that prevent the system from functioning in accordance with its intended purpose. A telephone system may be rendered inoperable or forced to operate in a degraded state; for instance if you have four telephone lines with a call on each you can't answer a fifth call (TDOS – Telecommunication Denial Of Service); equally if your VoIP system is busy dealing with a flood of SIP Invites it may not be able to process any calls (DOS or DDOS – Distributed Denial Of Service).

Traffic analysis
This is information gathering, for example call records (SMDR output from a PBX) from which inferences can then be drawn. For example, an intruder that observes a high volume of calls between a company's legal department and lawyers specialising in acquisitions could conclude that the company is about to expand by purchasing another business.

The Terrorist Threat
The French authorities that studied the terrorist attack on a Madrid commuter train in 2004 investigated whether the bombers hacked into the telephone exchange of a bank near Paris as they were planning their attack [2].

Theft of service
Theft of service (toll fraud) is probably the most common motive for attackers. Toll fraud is a popular attack because it is a high profit, low risk enterprise. Compromised systems are daisy chained together with Dial Through services (in much the same way as a hacker would use multiple proxies) to hide the origin of the attack. The PBX at the end of the chain is then used to dial premium rate numbers and the attacker takes the profit from these numbers.

VoIP versus Modem Diallers
The main advantages of VoIP diallers over Modem diallers are:

Throughput
If your customer has a number range of 100 numbers it is possibly bearable to test them with a modem as it will only take a few hours, but if your customer base includes any major companies with say a 1000+ number range then you are going to be looking at days to scan the range with a single modem, or an hour with something like WarVox.

Fingerprinting
The ability to detect and identify a greater variety of endpoints.
With the current generation of war diallers you can achieve much more than just identifying dialling and modem tones. When you analyse calls with WarVox you are presented with both signal and spectrum graphs, and although WarVox does not currently have the ability to automatically group or audio fingerprint the data, once future versions contain this functionality the possibilities will be phenomenal. Automatically identifying the PBX by correctly fingerprinting the embedded voicemail system for a start! Potentially all you would need would be reference recordings of standard voicemail / IVR prompts.

And anything which tests faster and fingerprints more accurately MUST make life easier.

Of course life never just gets easier; there must also be a downside:

Complexity
You now have to understand about configuring an IAX trunk instead of popping in a modem driver disk. You will also have to understand the complexities of setting up call timers; if you make the call too long you may alert your customer to your testing by leaving them a lot of silent voicemails.
You will also have to cope with a wider variety of output and until audio fingerprinting is available that could be time consuming; in the case of WarVox, that could be a lot of MP3s to listen to.

Expense
The software may be free but the IAX trunk won't be, so if you don't have the customer base or the right type of customers for this type of service the IAX trunk may be too much to swallow.

Cautionary note
Not all ITSPs are happy to let you use a war dialler across their network, so it pays to check this out before committing to any form of contract.

Some theoretical toll fraud figures

Voicemail Passcodes
If a voicemail system has 4 digit PIN numbers then the number range is normally 1000 to 9999 (people generally don't seem to like using the numbers that begin with zeros) which equates to 8,999 permutations.

If the system can accept twenty simultaneous inbound calls (20 port voicemail) and it takes approximately five seconds to input a PIN number, then the life expectancy of a four digit PIN code is approximately 38 minutes:

((8999 x 5) / 60) / 20 = 37.4958

On single port voicemail the life expectancy increases to 12.49 hours.
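The passcode arithmetic above, together with the weekend toll-fraud figures in the Projected Revenues section that follows, carried through as an added Python example (not code from the article). It generalises the two formulas to any PIN space, port count and undetected window, and adds an audit of the weak passcode patterns the article reports from the field: repeated digits, 1234-style runs, and the last four digits of the user's own extension. The 8,999-permutation count is the article's figure; the Friday-to-Monday dates and the mailbox list are constructed here.

```python
"""Voicemail passcode lifetime, toll-fraud exposure and a weak-PIN audit.

Added example carrying the article's figures through in code; the mailbox
list and the Friday-to-Monday window are constructed, not real data.
"""
from datetime import datetime


def pin_exhaustion_minutes(permutations, seconds_per_attempt, ports):
    """Minutes needed to try every PIN with `ports` calls running in parallel.

    The article's case: ((8999 x 5) / 60) / 20 = 37.4958 minutes on a
    20-port system, or 12.49 hours on a single port.
    """
    return permutations * seconds_per_attempt / 60 / ports


def weekend_window_hours(start=datetime(2011, 9, 2, 17),
                         end=datetime(2011, 9, 5, 9)):
    """Hours between close of business on Friday and Monday morning.

    The dates are constructed (a Friday 17:00 and the following Monday 09:00).
    """
    return (end - start).total_seconds() / 3600


def toll_fraud_exposure(hours, rate_per_minute, concurrent_calls=1):
    """Charges run up on premium-rate numbers over an undetected window."""
    return hours * 60 * rate_per_minute * concurrent_calls


def weak_pin_reasons(pin, extension=None):
    """Why a passcode is weak: the patterns the article found in the field.

    1111-style repeats, 1234-style runs (up or down), and the policy of
    using the last digits of the user's own extension.
    """
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("sequential digits")
    if extension is not None and pin == extension[-len(pin):]:
        reasons.append("last digits of own extension")
    return reasons


# Constructed (extension, passcode) pairs. The article saw 54 of 700 users
# on 1234 and a further 37 on 1111; this list just exercises each rule once.
SAMPLE_MAILBOXES = [
    ("2001", "1234"), ("2002", "1111"), ("2003", "2003"),
    ("2004", "8472"), ("2005", "4321"), ("2006", "9999"),
]


def audit_mailboxes(mailboxes):
    """Map each extension with a weak passcode to the reasons it failed."""
    report = {}
    for extension, pin in mailboxes:
        reasons = weak_pin_reasons(pin, extension)
        if reasons:
            report[extension] = reasons
    return report


if __name__ == "__main__":
    print("20-port exhaustion:", round(pin_exhaustion_minutes(8999, 5, 20), 4), "minutes")
    print("1-port exhaustion:", round(pin_exhaustion_minutes(8999, 5, 1) / 60, 2), "hours")
    hours = weekend_window_hours()
    for calls in (1, 10, 20):
        money = toll_fraud_exposure(hours, 5, calls)
        print(f"{calls:>2} concurrent calls over {hours:.0f}h at £5/min: £{money:,.0f}")
    for ext, why in audit_mailboxes(SAMPLE_MAILBOXES).items():
        print(ext, "->", ", ".join(why))
```

The same two formulas give a defender the other side of the picture: halving the number of inbound ports or forcing a longer PIN multiplies the exhaustion time, and every hour shaved off the detection window comes straight off the exposure figure.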


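The Theft of service and Traffic analysis sections above describe toll fraud as calls fired at premium-rate numbers once the office empties on a Friday evening, and SMDR output as the record an analyst works from. What follows is an added example, not part of the article: a small detector run over constructed SMDR-style call records that flags out-of-hours calls to premium-rate or international numbers and the burst of simultaneous calls that the projected-revenue figures below depend on. The record layout, the prefixes treated as premium-rate/international and the 08:00–17:00 weekday business hours are assumptions; real SMDR formats are vendor specific, so the parser would need adjusting for a given PBX.

```python
"""Detect toll-fraud patterns in PBX call records (SMDR/CDR output).

Added example. The SMDR layout below (start time, duration in seconds,
trunk, dialled number) is an assumption; vendors each have their own.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Call = namedtuple("Call", "start end trunk dialled")

# Constructed sample: a normal Friday afternoon call, five calls to
# premium-rate numbers fired off as the office closes, and one Saturday
# call to a mobile. The numbers are invented.
SAMPLE_SMDR = """\
2011-09-02 14:05:11,120,T01,02071234567
2011-09-02 17:03:40,3600,T01,0900123456
2011-09-02 17:03:41,3600,T02,0900123457
2011-09-02 17:03:41,3600,T03,0900123458
2011-09-02 17:03:42,3600,T04,0900123459
2011-09-02 17:03:42,3600,T05,0900123460
2011-09-03 09:15:00,45,T01,07700900123
"""

# Assumptions: UK premium-rate numbers start 09, international dialling 00;
# business hours are 08:00-17:00 Monday to Friday.
PREMIUM_PREFIXES = ("09", "00")
BUSINESS_HOURS = (8, 17)


def parse_smdr(text):
    """Turn SMDR lines into Call records with absolute start and end times."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start_s, duration_s, trunk, dialled = line.split(",")
        start = datetime.strptime(start_s, "%Y-%m-%d %H:%M:%S")
        end = start + timedelta(seconds=int(duration_s))
        calls.append(Call(start, end, trunk, dialled))
    return calls


def is_out_of_hours(ts):
    """Weekend, or a weekday outside the configured business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def suspicious_calls(calls):
    """Out-of-hours calls to premium-rate or international numbers."""
    return [c for c in calls
            if is_out_of_hours(c.start) and c.dialled.startswith(PREMIUM_PREFIXES)]


def peak_concurrency(calls):
    """Maximum number of calls in progress at once (sweep over start/end events).

    An end event sorts before a start event at the same instant, so
    back-to-back calls on one trunk are not counted as overlapping.
    """
    events = sorted([(c.start, 1) for c in calls] + [(c.end, -1) for c in calls])
    live = peak = 0
    for _, delta in events:
        live += delta
        peak = max(peak, live)
    return peak


def toll_fraud_alerts(text, concurrency_threshold=5):
    """Alert lines for an analyst: one per suspicious call plus a burst summary."""
    flagged = suspicious_calls(parse_smdr(text))
    alerts = [f"{c.start} trunk {c.trunk}: out-of-hours call to {c.dialled}"
              for c in flagged]
    peak = peak_concurrency(flagged)
    if peak >= concurrency_threshold:
        alerts.append(f"{peak} simultaneous premium/international calls out of hours")
    return alerts


if __name__ == "__main__":
    for alert in toll_fraud_alerts(SAMPLE_SMDR):
        print(alert)
```

Run against a nightly SMDR export, the concurrency summary is the line that matters: one premium-rate call after hours may be a misdialled number, five at once on a Friday evening is the pattern the Projected Revenues figures are built on.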
Sources
• http://www.mirrorfootball.co.uk [1]
• Siemens Enterprise [2]
• Bell Communications [3]
• Communication Fraud Control Agency [4]
• Comms Dealer January 2009 [5]

Projected Revenues
Let's assume that you have a bank of Premium Rate telephone numbers (probably in a foreign country) where each number is capable of generating £5.00 per minute.

If you can gain access to the target telephone system and start it dialling out at 5 o'clock on Friday evening (as they finish work) and if the target company is fast enough to terminate your calls at 9 o'clock on Monday morning, then you have been generating calls for 64 hours.

Therefore we have 3840 minutes at £5.00 per minute = £19,200
But if you can generate 10 simultaneous calls = £192,000
Or maybe 20 simultaneous calls = £384,000

Not bad for a weekend's work!!!!!!

Telecom fraud is estimated at US$52-60 billion per annum globally and is currently growing at 15% per annum [4] (Communication Fraud Control Agency). Telecom fraud in the UK costs £1.3 billion annually and 40% of companies have experienced it [5].

CHRIS MCANDREW
After completing college with a HND in electrical engineering Chris worked for a number of years as a diagnostic engineer on avionic systems. Having been made redundant he started working for a telecom company while looking for a "proper" job and 27 years later, as he admits, he's still on the lookout. He is currently employed as a specialist engineer by one of the largest privately owned telecom companies in the world where (amongst other things) he is technical lead for anything to do with hacking.

CONTRIBUTE
PenTest Magazine is a community-oriented magazine. We want IT security specialists and enthusiasts to work together and create a magazine of the best quality, attractive to every individual and enterprise interested in the penetration testing field.

If you are interested in being a part of our community – submit an article or bring up a subject you consider important and up-to-date.
Are there any trends on the market you'd like to take a closer look at? Are there any tools or solutions worth reviewing or presenting to the community? Are there any touchy and controversial issues you feel have to be discussed in public? Then share your opinions with us.

If you run an IT security company, your contribution is most welcome. Tell us about your solutions and advertise in the magazine for free, or have a special issue devoted exclusively to you. As long as you provide top-notch, non-commercial writings, we are always ready to cooperate and help your company develop with us.

Are you a student? We're looking forward to your articles! Fresh attitude, opinions and beliefs of the young and budding IT security gurus are invaluable for us. You will give your career a great start when you write to a respectable IT magazine. Showing an issue with your name among the names of other authors – and often famous ones – will be your great asset during a job interview.

If you think you don't have enough time to create an article from scratch, but feel interested in the magazine – become one of our beta testers. This way you will get the opportunity to look at a new issue's contents before it's even published, and your name, too, will appear in the magazine. If you feel the need to contribute and share your knowledge, but don't have enough spare time for creative writing – beta testing is just for you.


Inside Android Applications

By the end of 2011, the number of Smartphone shipments around the world will explode to nearly 468 million units and the Android operating system would have a fifty percent market share. This would increase the number of attacks on mobile applications and also the investment in securing the applications from the attacks.

The most important part of performing an application pentest for an Android application is understanding the manifest configuration. Analyzing a manifest file is one of the most important and tedious tasks while performing a penetration testing assessment on the world's most popular mobile OS.

Android is a privilege-separated operating system, in which each application runs with a distinct system identity. At install time, Android gives each package a distinct Linux user ID. The identity remains constant for the duration of the package's life on that device. On a different device, the same package may have a different UID; what matters is that each package has a distinct UID on a given device.

Every Android application must have an AndroidManifest.xml file in its root directory. The manifest presents essential information about the application to the Android system. High-level permissions restricting access to entire components of the system or application can be applied through the AndroidManifest.xml. The manifest file does the following:

• It describes the components like the activities, services, broadcast receivers, and content providers that the application is composed of. These declarations let the Android system know what the components are and under what conditions they can be launched.
• It determines which processes will host application components.
• It declares which permissions the application must have in order to access protected parts of the API and interact with other applications.
• It also declares the permissions that others are required to have in order to interact with the application's components.
• It declares the minimum level of the Android API that the application requires.
• It lists the libraries that the application must be linked against.
• And moreover, it names the Java package for the application. The package name serves as a unique identifier for the application.

The AndroidManifest.xml file plays a very important role in analyzing the security of Android mobile applications. The file is of great interest when analyzing system security because it defines the permissions the system and applications enforce.

Android packages are .apk files. For test purposes you can download any Android application and extract it, and you will see the AndroidManifest.xml file, which would be difficult to open (see Figure 1).

Figure 1. AndroidManifest.xml natively obfuscated

Below I have mentioned a step by step methodology to open and review it.

• Download the following tools:
  • apktool-install-windows-file
  • apktool-file
• Unpack both to your Windows directory.
• Now copy the APK file also into that directory and run the following command in your command prompt (see Figure 2):

apktool d app.apk ./app_decrypted

Here app.apk is your Android APK file.

Figure 2. Decoding apk application file

• This will create a folder app_decrypted in your current directory. Inside it you can find the AndroidManifest.xml file in decoded form and you can also find other XML files inside the app_decrypted/res/layout directory.

The manifest contains juicy information like permissions, intent filters, and lots more. A typical manifest file is shown in Figure 3.

Figure 3. Example of AndroidManifest.xml

Some of the important configuration settings to look for while analyzing a manifest file are listed in Table 1.

Table 1. Android malware analysis tools

android:installLocation
What to check: If it is set to "auto", the application may be installed on the external storage, but the system will install the application on the internal storage by default. If the internal storage is full, then the system will install it on the external storage. Once installed, the user can move the application to either internal or external storage through the system settings.
Recommendation: Use the "internalOnly" value for this setting.

android:protectionLevel
What to check: Characterizes the potential risk implied in the permission and indicates the procedure the system should follow when determining whether or not to grant the permission to an application requesting it.
Recommendation: Check if the value is set to "normal" or "dangerous". If it is set to "dangerous", check the permissions.

android:persistent
What to check: Whether or not the application should remain running at all times – "true" if it should, and "false" if not. The default value is "false".
Recommendation: Applications should not normally set this flag. It should be set to "false".

android:restoreAnyVersion
What to check: Indicates that the application is prepared to attempt a restore of any backed-up data set, even if the backup was stored by a newer version of the application than is currently installed on the device.
Recommendation: Setting this attribute to true will permit the Backup Manager to attempt a restore even when a version mismatch suggests that the data are incompatible.

Analyzing the manifest file thoroughly could help a penetration tester plan and execute other attacks. After it is done successfully, the remaining testing boils down to a normal web application pentest. So next time you download any application from the Android market, just take a while to open and analyze the AndroidManifest.xml file for fun.

DEVESH BHATT
Devesh is an Information Security Researcher and Consultant. He is primarily focused on the application security space. He has worked on developing a framework for securing mobile applications (Android and iOS). His area of expertise also lies in the Cloud Security arena.
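The review of Table 1 can be automated once the manifest has been decoded. The following is an added example, not code from the article or from apktool: a Python checker that reads a decoded AndroidManifest.xml, reports each Table 1 setting found at its risky value, and goes one step further by listing exported components that declare no android:permission, which is the manifest declaration the article describes as "the permissions that others are required to have in order to interact with the application's components". The two manifests embedded in the block are constructed, one with every setting at its weak value and the same application with the recommendations applied; the android:exported and android:permission attributes are standard manifest attributes, not something the article shows.

```python
"""Audit a decoded AndroidManifest.xml for the settings in Table 1.

Added example, not code from the article or from apktool. It assumes the
manifest has already been decoded (e.g. with `apktool d`) to plain XML.
Both sample manifests below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")


def android_attr(elem, name):
    """Read an android:-namespaced attribute, or None when it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Return a list of (setting, value, recommendation) findings.

    The first four checks are the rows of Table 1; the exported-component
    check lists components other applications may reach without holding
    any permission, so the tester knows where to look next.
    """
    root = ET.fromstring(xml_text)
    findings = []

    loc = android_attr(root, "installLocation")
    if loc in ("auto", "preferExternal"):
        findings.append(("android:installLocation", loc,
                         'use "internalOnly" so the package stays on internal storage'))

    for perm in root.findall("permission"):
        if android_attr(perm, "protectionLevel") == "dangerous":
            findings.append(("android:protectionLevel",
                             android_attr(perm, "name") or "(unnamed permission)",
                             "review which components this permission guards"))

    app = root.find("application")
    if app is not None:
        if android_attr(app, "persistent") == "true":
            findings.append(("android:persistent", "true",
                             'normal applications should not set this flag; use "false"'))
        if android_attr(app, "restoreAnyVersion") == "true":
            findings.append(("android:restoreAnyVersion", "true",
                             "Backup Manager may restore data from an incompatible newer version"))
        for tag in COMPONENTS:
            for comp in app.findall(tag):
                if (android_attr(comp, "exported") == "true"
                        and android_attr(comp, "permission") is None):
                    findings.append(("exported component",
                                     android_attr(comp, "name") or tag,
                                     'declare android:permission or set android:exported="false"'))
    return findings


# Constructed manifest with every Table 1 setting at its risky value.
RISKY_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo" android:installLocation="auto">
  <permission android:name="com.example.demo.permission.ADMIN"
              android:protectionLevel="dangerous"/>
  <application android:persistent="true" android:restoreAnyVersion="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.permission.ADMIN"/>
  </application>
</manifest>
"""

# The same application with the Table 1 recommendations applied.
HARDENED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo" android:installLocation="internalOnly">
  <permission android:name="com.example.demo.permission.ADMIN"
              android:protectionLevel="signature"/>
  <application android:persistent="false" android:restoreAnyVersion="false">
    <activity android:name=".MainActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.permission.ADMIN"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for setting, value, advice in audit_manifest(RISKY_MANIFEST):
        print(f"{setting} = {value}: {advice}")
```

Point the script at `app_decrypted/AndroidManifest.xml` after the apktool step and it produces the Table 1 checklist for that package; an empty result, as for the hardened sample, means the manifest settings at least are not the weak link and the assessment moves on to the components themselves.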


(NEW) STANDARDS

New Penetration Testing Business Model
Crowd-sourcing For IT-Security

Today everybody can become a hacker. The knowledge spreads all over the Internet. A lot of hackers are showing their know-how by sharing the results of their attacks. Why not use this knowledge through crowd-sourcing in order to globally improve security? Starting from this fundamental idea, a business model has been developed by Hatforce.

Almost daily we can see on the news that a new IT system has been attacked by hackers. Whether it is about Sony [1] or the CIA website [2], these attacks, harmful in 90% of the cases, show that behind them lies a competent community with a high IT security potential. We ask ourselves then: Where do these hackers come from? Are they employed professionals? Do they act with a well-defined purpose, or are they just smart individuals who don't know what else to do with their knowledge and free time?

The beliefs of a hacker may not be easy to understand and may be gloomy. A hacker's profile can extend from a rogue high-school teenager to an experienced professional. While some hackers have the chance to put their knowledge to use in a legal environment, others earn their living through illegal activities. Nevertheless, they all share a common passion for IT security and they have an important potential.

As modern cybercrime is continuously developing and turning into a financially motivating market, there is a strong need for reinforcements. We should give every IT-security talented person the opportunity to show their skills and use them for a good cause. Why not use their passion in order to turn them to the right side?

Current situation
Over the last couple of years, an interesting trend is visible in the world of IT: large companies start paying money to people who find vulnerabilities within their products. For example, Mozilla has been rewarding people who found security weaknesses in their well-known browser [3].
Google is also running a very well paid bounty program for their Chrome browser and their websites and is ready to pay important amounts of money [4]. Facebook also adopted this new trend and started at the end of July 2011 to reward vulnerability researchers [5].

A possible explanation for this recent action may be the fact that companies start to become aware of the potential skilfulness that hackers might possess. Consequently, the companies start to cooperate with the hacker communities, instead of taking legal action against them (like Sony did for example [6]).

Considering that the cooperation between hackers and companies can stand while there is enough benefit on both sides, the startup Hatforce came up with an idea.

The idea
Hatforce.com came up with an idea which can be called an open market crowd-sourcing platform for penetration tests. The principle is simple: using the worldwide hacker community in order to find vulnerabilities in every IT system possible (websites, servers, software, etc.) and reward them for the vulnerabilities they found.


The concept in five steps:

1. Clients go on the website hatforce.com and publish a penetration test. At this moment, they specify a fixed reward the testers will get if they submit a valid vulnerability.
2. Penetration testers select a penetration test they want to participate in.
3. Once they have found a vulnerability in the client's product, the testers submit a detailed description on hatforce.com.
4. The client gets the vulnerability descriptions and approves them.
5. The client then pays the testers the specified reward for each approved vulnerability.

Let's analyse the different steps more in depth:

1. A client is an owner of one or more IT systems (a website, server, software, etc.) and can publish a penetration test request for one of his products on the website of Hatforce. For each published request, he has to specify a fixed reward per vulnerability and how many vulnerabilities he wants to pay for. In this way, he is sure about how much he will pay at maximum and minimum for each test.

Figure 1. Specify a fixed reward per vulnerability and how many vulnerabilities get rewarded

For example, if the client wants to reward a vulnerability with 100€ and at maximum 3 vulnerabilities, he will pay:
• 0 € if no vulnerabilities are found
• 100 € if only one vulnerability has been found
• 200 € if only two vulnerabilities have been found
• 300 € if 3 vulnerabilities have been found

Furthermore, the client is sure not to pay more than 300 € because he has specified that he wants to pay for at maximum 3 vulnerabilities.

The scope of a penetration test can be defined from the beginning.
For example, if the client wants to test its website only for Injection and Cross-Site-Scripting vulnerabilities, he is able to limit the test by clicking on I define myself the target vulnerabilities and checking the check-boxes Injection and Cross-Site Scripting (XSS). Consequently, only the vulnerabilities which are related to these types of security issues will be rewarded.

When the client has entered all the necessary information for the test, a contract between the client and the testers is established. This contract is very important as it legalizes the penetration action. In most countries a penetration test can only be carried out if the owner of the system has agreed to it. By accepting this contract, the client agrees to let the penetration testers attack his product within the established scope.

After the acceptance of the contract, the penetration test request will be forwarded to an administrator of Hatforce. The administrator might contact the client if there are some ambiguities related to his test request and in order to ensure that the client is requesting a test for a product he really owns. Once all is clear, the administrator approves the penetration test, which will consequently be published on the website.

2. After being approved by the administrator, the penetration test is visible to all the registered testers of Hatforce. Before they can see any details about the test, the testers first have to sign the contract with the client. This contract also includes an NDA (non-disclosure agreement), so that the testers shall not divulge any information about the test to third parties.

The testers are then able to start testing the client's product. During the testing they should fill in a so called test procedure. The test procedure is basically a description of what the tester has done during his test. The client will be able to visualize the descriptions and see what kind of actions the tester has performed on the product. This gives the client the possibility to verify that no illegal hacking attempt has been conducted.

Figure 2. Example of a test procedure description on Hatforce.com

3. Once a penetration tester has found a vulnerability during a test procedure, he has to submit it on the website of hatforce.com. The client gets immediately informed about it and should test it.

4. The client should be able to easily test the vulnerability by following the description provided by the penetration tester. If no other tester has found the same vulnerability before, the client has to pay the tester the specified reward.

5. If the client approves the vulnerability, he pays the established reward to the corresponding tester.

The market
Nowadays on the IT Security market, a penetration test costs approximately 200$ per hour and can become much more expensive, depending on the experience of the penetration tester. Usually the client has to give most of the information about its product to the tester, because it is too expensive for a professional penetration tester to collect all the freely available information by himself. Consequently, pure black-box tests are not conducted very often.
Unfortunately, exactly these tests best represent an attack by malicious persons.

On the other side, there is white-box testing. White-box tests make sense when the penetration tester is highly skilled and able to analyse source code in order to find vulnerabilities. Crowd-sourcing does not seem well suited for white-box penetration tests on proprietary products, since the source code cannot be made available in public. Nevertheless, white-box tests are possible for open source products and could maybe prevent people from hiding backdoors within them [7].

There already exist on the market a couple of platforms which also involve crowd-sourcing in their business model. One example is the Zero Day Initiative (ZDI) from HP which rewards security researchers for the vulnerabilities they find in very popular IT products. However, their platform is different from Hatforce. ZDI makes security researchers an offer for submitted vulnerabilities, while on Hatforce a reward for a vulnerability is entirely set by the client so that testers know in advance how much they will be rewarded. By letting the client freely define the amount of money he is willing to pay per vulnerability, an evolving open market for pentesting is created.

Security testing is very expensive nowadays and consequently private people or even small and medium sized companies usually do not want to invest in this domain. However, with the increasing amount of hacking attempts that have been conducted over the last couple of months by hacker groups like LulzSec, even the smaller companies will have to take action and test their products. Therefore, penetration testing should become accessible to all types of companies and not only to those that have the means to pay large amounts of money.

How does Hatforce make money
Hatforce connects the clients who want to test their products and the testers interested in being rewarded for finding vulnerabilities.

In order to make the service as usable as possible for clients, Hatforce offers them consulting services. These consulting services are applied to the vulnerabilities found by the testers. When a tester submits a vulnerability description, the client has to verify the vulnerability. If it is a correct vulnerability and it respects the testing scope of the test, it will be approved and paid.

Knowledge and time are necessary to verify the technical details of a vulnerability. As a consulting service, Hatforce can test the vulnerability descriptions and say if the vulnerability has to be approved or not. For an approved vulnerability, Hatforce can advise the client on how to fix it. Furthermore, once a vulnerability has been fixed, Hatforce can perform a retest of the product and verify if the problem has been correctly closed.

As this system would not scale if a lot of clients start using the platform in the future, Hatforce considers subsequently involving some of the testers in its consulting system. A new category of testers would be created – the certified testers. The certified testers would agree on providing consulting services for the security vulnerabilities of a client's product and they would also be entitled to approve or disapprove vulnerabilities.

Difficulties and their solutions
There are certainly several difficulties and limits that crowd-sourcing brings, which are described in the following paragraphs.

Is it possible to trust an unknown tester?
In order to have access to a test, the tester engages himself in a contract with the client and accepts its terms and conditions. This ensures that his testing activity is entirely legal. Nevertheless, there are always villains on both sides (clients and testers) that are not eager to respect any rule.
Therefore, Hatforce introduces an evaluation system for testers and clients. If a tester submits a vulnerability, the client is able to evaluate his work by giving him a +1 or a -1, followed by a compulsory comment that explains his decision. The same procedure is possible in the reverse direction – a tester can evaluate the company in the same way.

Can the tester be sure that the company will pay?

It is possible that some clients don't want to approve vulnerabilities or pay their testers. After the client has evaluated one of his submitted vulnerabilities, the tester is able to evaluate the company. If a client does not approve a vulnerability description, he should state why, and the tester can then respond with an evaluation. A client should be aware that if he has not enough positive evaluations (or too many negative ones) then the testers will most likely not participate in his tests anymore.

The client will try to contact the testers of Hatforce directly

A client may try to contact a penetration tester directly without going through the Hatforce platform. However, it is in the client's own interest to use the global knowledge of the community in order to find security problems. The more testers get to test a client's product, the better it is for the client. If a company engages a tester in private, the costs will be comparable to a standard, expensive penetration test and the client loses the benefit of the Hatforce system.

Somebody could request a penetration test for a website or server he is not the owner of

Hatforce has to make sure that the client is really the genuine owner of the product he wants to have tested. Therefore, Hatforce will contact the client each time he sends a test request and will validate the ownership.

Is a penetration test legal?

A penetration test is generally illegal if there exists no specific agreement between the owner of the product to be tested and the tester.
Therefore, a written contract is needed between the client and the tester. On Hatforce.com clients can use the classic contract, which has been checked by a German lawyer, or contact Hatforce and propose a customized contract. The client should be aware that it is best for him if he states as clearly as possible what he expects from the testers and whether he wants to forbid anything during the tests.

Is it practical to request a crowd-sourcing penetration test on a production system?

Google and Facebook are doing it now. Usually, if someone finds an XSS vulnerability this does not stop a website from working. If someone tries to trigger a Denial of Service attack on a production system, or tries to exploit a buffer overflow, this might be a more serious attack. Therefore, Hatforce recommends that the client make a test on a copy of their website in order not to disrupt any productivity. Nevertheless, sometimes it is not easily possible to make a copy of a website; this demands resources and it also changes the value of the test, since software and configuration files may be slightly changed. Consequently, every test should be planned carefully and the client should be aware of the associated risks. Data backups and intensive communication with Hatforce might help mitigate the risk the most.

Is crowd-sourcing replacing the standard penetration test?

Depending on the size of the company and many other factors, it may be that crowd-sourcing would not be suitable for a penetration test. For example, large companies will most likely want to employ somebody who will check their entire network infrastructure from the inside. Crowd-sourcing cannot be applied to such demands. Nevertheless, the recent example of Mozilla, Google and Facebook shows that the crowd-sourcing principle has been accepted and is actively in use.

Future improvements

Hatforce is for the moment just starting its service. There are many improvements that can still be done and the community can help to refine the model to their needs. Once the evaluation system starts to be used, clients will get the best testers depending on their needs and testers will be able to choose the good clients which have proven to pay the testers. Hatforce is actually using its own platform to test its own website! There might be some vulnerabilities, although we hope there are not really easy ones, and testers will be rewarded for finding them.

Conclusion

An open market for crowd-sourcing of IT-security testing is a new and efficient method to quickly get as many testers as possible. If Sony had used this possibility with a reasonable reward per vulnerability, testers would have found the simple SQL injections that made it possible to hack its websites. And Sony is just one of the most popular examples. Who knows how many easy and critical vulnerabilities are still out there, not only in the systems of big companies, but also in the products of small and middle-sized companies.

Hatforce offers an efficient and competitive testing opportunity compared to standard penetration tests, since there is no money to be paid if no vulnerabilities are found. Furthermore, through crowd-sourcing, every hacker gets the opportunity to use his knowledge in a good way. Converting illegal hackers into white hats who help other people fix the security vulnerabilities of their products is the best result which can be achieved through crowd-sourcing.

References

• [1] Sony Pictures database is hacked, http://www.h-online.com/security/news/item/Hacktivists-break-into-Sony-Pictures-database-1254622.html, 03.06.2011
• [2] LulzSec states that the website of the CIA is offline, https://twitter.com/#!/LulzSec/status/81115804636155906, 14.06.2011
• [3] Mozilla Security Bug Bounty Program, https://www.mozilla.org/security/bug-bounty.html, 14.12.2010
• [4] Rewarding web application security research, http://googleonlinesecurity.blogspot.com/2010/11/rewarding-web-application-security.html, 01.11.2010
• [5] Facebook Security Bounty Program, https://www.facebook.com/whitehat, 29.07.2011
• [6] Sony takes legal action against PS3 hackers, http://www.h-online.com/open/news/item/Sony-takes-legal-action-against-PS3-hackers-1168231.html, 12.01.2011
• [7] OpenSSL Vulnerability Shows Open-Source Process Weaknesses, http://www.gartner.com/DisplayDocument?id=676807

ARTHUR GERVAIS

Arthur Gervais is a passionate student of IT-Security, currently in Sweden at the Royal Institute of Technology – KTH in Stockholm. Since an early age, he has been determined to work in the field of IT-Security. He is the founder of the startup Hatforce, which offers crowd-sourcing for IT-security tests. He has recently won the "Best Student Award 2011" offered by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik). In 2012 he will achieve his Master's degrees from INSA de Lyon (France), KTH Stockholm (Sweden) and Aalto University in Helsinki (Finland).


HOW-TO

Building Your Own Pentesting Application

Although even today web browsers serve the primary purpose of bringing information resources to the user, they no longer represent a software application with bare-bones support for just HTML. Today, web browsers like Mozilla Firefox come with support for add-ons, which are small installable enhancements to a browser's foundation.

These add-ons, when installed inside a browser, can add additional functionality to the browser, and this additional functionality can be used on the web pages that are viewed by the user. The best part about these add-ons is that they enable third-party developers to add new features without interfering with the original source code of the host application. These add-ons depend on the services that are provided by the host application to register themselves. Thus, third-party developers can update their add-ons without making any changes to the host application, as the host application operates independently. These add-ons can serve scatterbrained as well as informative purposes like hacking, penetration testing, and more.

Mozilla Firefox Add-ons

Mozilla Add-ons (https://addons.mozilla.org/en-US/firefox/) is a huge repository of add-ons that support Mozilla software like the Mozilla Firefox browser. These add-ons are submitted by many developers from across the globe for end-users. Using the privacy and security add-ons from this gallery, we can build a good browser-based application for penetration testing and security purposes.

Pen Testing Add-ons

Tor

Tor: Experts always suggest that it's best to hide your identity before getting involved in any security-related operations. Tor allows users to maintain online anonymity. Tor basically has a worldwide network of servers that helps route the internet traffic and thus disguise a user's geographical location.
The best thing about Tor is that it's open source and anybody can use the Tor network for free.

• To set up Tor, you need to first download the Tor Browser Bundle from https://www.torproject.org/download/download.html.en. This bundle will ask your permission to extract a bundle of files to the location where the Tor installer was downloaded.
• Now, start Tor Browser. Once you're connected to the Tor network, the browser (Firefox 3.6.20) will automatically open up with a congratulations message that your IP address is now changed. For example, my IP address changed to 85.223.65.238, which is located in the Netherlands.

Figure 1. Vidalia Control Panel

WHOIS

WHOIS: Internet resources such as domain names, IP addresses or controller systems are registered in database systems. WHOIS is used to query these databases for information about the resource, assignees, registrants and administrative details.

Flagfox: This extension introduces a flag icon on the right-hand side of your address bar (see Figure 1). This flag shows the web server's physical location. Hovering over the flag will display information such as domain name, IP address and server location. Right-clicking on the flag will let you access additional information about the web site using external lookups such as DomainTools WHOIS, WOT Scorecard, McAfee SiteAdvisor and many more. You can also add additional lookups which you find necessary. Clicking on the flag icon will by default take you to Geotool, which is Flagfox's default action (see Figure 2). (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/flagfox/).

Figure 2. Flagfox in Firefox 6.0
Figure 3. Geotool lookup of a website

Exploit Database Search

Exploit Database Search: The Exploit Database (http://exploit-db.com/) is an archive of more than 15000 exploits and software vulnerabilities. This exploit database is a great place for information security researchers and penetration testers to get an exploit's information in plain text format.

Offsec Exploit-db Search: This add-on simply adds the Offsec Exploit Archive search among the other installed search engines in your Firefox. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/offsec-exploitdb-search/).

Figure 4. Offsec Exploit Archive Search

SQL Injection

SQL Injection: Database applications are critical in today's web scenario. If a database application is unable to filter out escape characters then it becomes very easy for malicious users to perform SQL code injection on a vulnerable application. Using this, a malicious user can gain access to the server and can delete or modify records. Recently websites like Kathmandu Metropolitan City, Metropolitan UK Police, Nepal Telecommunications Authority, BART Police Database and NASA Forum were exposed to the SQL injection vulnerability. Thus, SQL injection plays an important part in any pen testing routine.

SQL Inject Me 0.4.5: This add-on comes from a leading information security firm, Security Compass. This add-on will test a website for SQL injection vulnerabilities by substituting HTML form values with crafted database escape strings that are used in an SQL injection attack. Although this extension will not try to expose the security of a website, it'll look for database error messages in the page. Hence, just like a web vulnerability scanner, this extension will enumerate the possible entry points without intruding into the system. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/).

• To use this add-on you need to go to Tools > SQL Inject Me > Open SQL Inject Me Sidebar.
• Once you're at a login page or on an HTML form, you can test this add-on by clicking the 'Test all forms with all attacks' button in the sidebar to test that particular page (see Figure 5).

Cross-site scripting

Cross-site scripting (XSS): The XSS vulnerability is usually found in web applications. In this attack, a malicious user crafts a URL of a vulnerable website in such a way that when the malicious code is executed, the client's session cookie is sent to the malicious user. This enables him to steal sensitive information from the client's account. The crafted malicious link can easily embed an HTML document inside a frame using the inline HTML frame tag…. Recently websites like Bing.com (MAPS), Google Appspot, Forbes, EC Council and Samba Web Administration Tool (SWAT) were exposed to the XSS vulnerability.

XSS Me 0.4.4: This tool works in the same way as SQL Inject Me. This add-on detects reflected XSS vulnerabilities and points out the possible entry points for an attack. This add-on marks the resulting HTML page as vulnerable only when the JavaScript value document.vulnerable=true has been set.

Figure 6. XSS Me Test Results
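As an added example (not code from the article or from the add-ons' authors), the two signals that SQL Inject Me and XSS Me look for, a leaked database error message and a form value reflected without encoding, checked against a constructed search handler in its vulnerable and its hardened form; the table, the handler names and the probe values are assumptions made for this illustration:

```python
import html
import sqlite3

# Database error fragments an error-based check watches for in the returned page.
# Constructed list: SQLite wording plus the classic MySQL and SQL Server phrasing.
DB_ERROR_SIGNATURES = (
    "unrecognized token",                    # SQLite: unterminated string literal
    "syntax error",                          # SQLite / PostgreSQL
    "You have an error in your SQL syntax",  # MySQL
    "Unclosed quotation mark",               # SQL Server
)

# Probes in the spirit of the "Me" add-ons: one escape character for the SQL
# check and a harmless tag for the reflection check (both constructed here).
SQL_PROBE = "'"
XSS_PROBE = "<b>xss-probe</b>"


def make_db():
    """In-memory SQLite table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.test')")
    return conn


def search_vulnerable(conn, name):
    """Form value concatenated into the query and echoed raw into the page."""
    try:
        row = conn.execute(
            f"SELECT email FROM users WHERE name = '{name}'").fetchone()
        result = row[0] if row else "no such user"
    except sqlite3.Error as exc:
        result = f"Database error: {exc}"   # driver message leaks to the client
    return f"<p>Search for {name}: {result}</p>"


def search_hardened(conn, name):
    """Parameterised query and HTML-escaped output; no driver text in the page."""
    try:
        row = conn.execute(
            "SELECT email FROM users WHERE name = ?", (name,)).fetchone()
        result = row[0] if row else "no such user"
    except sqlite3.Error:
        result = "lookup failed"            # log the detail server-side instead
    return f"<p>Search for {html.escape(name)}: {html.escape(result)}</p>"


def has_db_error(page):
    """SQL Inject Me's signal: a database error message appears in the page."""
    return any(sig in page for sig in DB_ERROR_SIGNATURES)


def reflected_unescaped(page, probe):
    """XSS Me's signal: the probe comes back verbatim rather than entity-encoded."""
    return probe in page


def scan_form(handler, conn):
    """Run both probes through one handler and report which signals fired."""
    return {
        "sql_error": has_db_error(handler(conn, SQL_PROBE)),
        "xss_reflected": reflected_unescaped(handler(conn, XSS_PROBE), XSS_PROBE),
    }


if __name__ == "__main__":
    db = make_db()
    for handler in (search_vulnerable, search_hardened):
        print(handler.__name__, scan_form(handler, db))
```

The vulnerable handler trips both checks with a single quote and a single tag, while the parameterised, escaped handler trips neither and still answers a genuine lookup.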
XSS Me comes from SecCom Labs. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/xss-me/).

Figure 5. Offsec Exploit Archive Search

Access Vulnerability

Access Vulnerability: Web servers can sometimes be affected by a file access vulnerability where a malicious user uses a mere web browser to get unauthorized access to the files stored on the server. This vulnerability doesn't allow the malicious user to delete, modify or create a file; the user can only read or copy the file from the computer. The malicious user gets access to the file by specifically requesting its name using a non-standard URL that bypasses the file access controls of the server.

Access Me 0.2.4: Web applications affected by the access vulnerability are tested with four different methods. File access requests are sent using the session-removed method, the HTTP HEAD verb (retrieve whatever information is in the form of an entity without returning a message-body in the response), the SECCOM verb, and a combination of session removal and HEAD/SECCOM. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/access-me/).

Figure 7. Access Me Test Summary

User Agent

User Agent: A user agent is basically a client-side application like a web browser or a search engine crawler. User agent strings store information like the type of application, OS, and software version. This user agent string is detected by websites for adjusting the page design layout. Hence, user agent spoofing is done by web scrapers and spam bots to force certain server-side contents to show up by hiding the browser's identity. For example, the Android browser uses the HTML rendering engine WebKit (KHTML) and so the Android browser pretends to be Safari.

User Agent Switcher 0.7.3: This add-on by Chris Pederick helps change your browser's user agent string to Internet Explorer, Search Robots (Googlebot 2.1, Msnbot 1.1, and Yahoo Slurp) or iPhone 3.0. To access User Agent Switcher go to Tools > Default User Agent. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/).

Figure 8. User Agent Switcher Menu

Hackbar

Hackbar: Hackbar 1.6.1 is a simple but powerful penetration and security audit tool. Basically you put a link in the Hackbar, select suitable options from the drop-down menu and then just execute the edited URL. Hackbar can compute the MD5, SHA-1 or SHA-256 hash of a text or link, or apply ROT13 to it. Hackbar also has an encoder/decoder which can perform Base64/URL/HEX encoding and decoding. The SQL and XSS options of this add-on will help you add statements into your URL; for example, clicking on Union Select Statement under SQL will give the output: UNION SELECT 1,2,3,4,5,6,7,8,9,10. The other amusing uses are, viz., string reverse, insertion of Lorem Ipsum text, Fibonacci series and more. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/hackbar/).

Figure 9. Hackbar

Tamper Data

Tamper Data 11.0.1: Tamper Data can effectively be used for testing web-based applications. This add-on will allow you to intercept the HTTP(S) traffic between your computer and the Internet. You can track and modify HTTP(S) headers and POST and GET request parameters. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/).

• Once you install Tamper Data, go to Tools > Tamper Data. This will open a log window. Click Start Tamper from the top menu to start tampering with the HTTP(S) requests. The log will start showing you all the subsequent requests after you start tampering. To see the details of a request you need to select the item and double-click it to see the details of the request header. If you right-click an item and select Replay in browser, then you can modify that item's parameters like protocol, credentials, port, host and path, and you can then click OK to see the URI getting replayed with the modified details that you entered.
• When a request is made through your browser, a pop-up prompts you to tamper with the request, submit it without tampering or abort the request.
• Selecting tamper will show you a tamper window where you can edit the data using the context fields, after which you can submit the modified values. Tamper Data is particularly useful when username and password parameters are passed through an HTTPS request. These parameters show up in the tamper window, which allows you to modify them by adding SQL injection/XSS text to the username/email and password fields.

Figure 10. Tamper Data Log Window
Figure 11. Tamper with request
Figure 12. Tamper Data Context Field Modify Window

Cookies Manager+

Cookies Manager+ 1.5.1: This add-on can edit the domain, path and name of multiple cookies. The edited cookies can be saved as new entries or can replace the old entries. Apart from this, the add-on can back up and restore all or selected cookies, export cookie information to your clipboard and automatically monitor cookie changes. Please remember that you can only edit cookies from your current session; once the session ends, the cookies will expire because we are using the bundled Firefox browser that came with Tor. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/).

Figure 13. Cookies Manager+

Conclusion

It is quite simple for a pen tester to make a good pen testing application from a freely available browser like Firefox. The Firefox project was released back on November 9, 2004, thus the number of add-ons available to the Firefox community is large. This makes it a lot easier for even beginners to use third-party add-ons to convert their browsers into something as strong as a hacking application. Due to the large number of add-ons available for Firefox, one should also understand that there are a lot of alternative add-ons available for doing the same XSS, SQL injection or HTTP request modify/replay tasks.

In the beginning we used the Tor Browser Bundle because it's portable, doesn't store any history logs and you can relocate the browser and Tor to any computer you like without installing anything. Also, once you install all your important add-ons on the browser that is used by the Tor Browser Bundle, the add-ons stay with the browser and you don't need to install them every time you change systems. An older version of Firefox (Firefox 3.6.20) was used because most add-ons are compatible with this version and not with the latest 6.0 or 7.0b1 versions of the browser.

ER. DHANANJAY D. GARG

The author holds a Bachelor's Degree in Electronics & Telecommunication. He likes working on projects related to information security. He holds a diploma in Cyber Law and Information Security & Ethical Hacking. As a freelance writer, he often writes on topics related to computer sciences. He has written articles for journals like PenTest Magazine, Data Center Magazine and Enterprise IT Security Magazine. He can be reached at: dhananjaydgarg1989@gmail.com.
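The four request variants described in the Access Vulnerability section above, replayed as an added example (not the add-on's code or the article's) against a constructed file-serving routine in a vulnerable and a hardened form; the session value, the path and the file contents are assumptions, and the vulnerable routine models an access rule that is scoped to the GET method only:

```python
# Constructed fixtures: one valid session cookie and one protected file.
SESSION = "s3ss10n-alice"
VALID_SESSIONS = {SESSION}
PROTECTED = {"/reports/q3.pdf": "confidential quarterly report"}

# The Access Me request shapes: session removed, HEAD, a non-standard verb
# (SECCOM), and HEAD/SECCOM combined with the removed session.
VARIANTS = (
    # (label, HTTP method, session cookie sent with the request)
    ("session removed", "GET", None),
    ("HEAD verb", "HEAD", SESSION),
    ("SECCOM verb", "SECCOM", SESSION),
    ("HEAD, session removed", "HEAD", None),
    ("SECCOM, session removed", "SECCOM", None),
)


def serve_vulnerable(method, path, session):
    """Access rule scoped to GET only; any other verb reaches the file unchecked."""
    if path not in PROTECTED:
        return 404, ""
    if method == "GET" and session not in VALID_SESSIONS:
        return 403, ""
    body = PROTECTED[path]
    return 200, ("" if method == "HEAD" else body)


def serve_hardened(method, path, session):
    """Reject unknown verbs, then authorise every request before touching the file."""
    if method not in ("GET", "HEAD"):
        return 405, ""
    if session not in VALID_SESSIONS:
        return 403, ""
    if path not in PROTECTED:
        return 404, ""
    return 200, ("" if method == "HEAD" else PROTECTED[path])


def find_bypasses(handler, path="/reports/q3.pdf"):
    """Labels of variants answered 200 without a valid session or via an unknown verb."""
    findings = []
    for label, method, session in VARIANTS:
        status, _body = handler(method, path, session)
        unauthenticated = session not in VALID_SESSIONS
        unknown_verb = method not in ("GET", "HEAD")
        if status == 200 and (unauthenticated or unknown_verb):
            findings.append(label)
    return findings


if __name__ == "__main__":
    for handler in (serve_vulnerable, serve_hardened):
        print(handler.__name__, find_bypasses(handler) or "no bypass")
```

Against the GET-only rule, the HEAD variant confirms the file exists without a session and the SECCOM variant returns its full contents; the hardened routine answers every variant with 403 or 405 while still serving an authenticated GET.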


Say Hello to Red Team Testing!

Security Art's Red Team service operates on all fronts on behalf of the organization, evaluating all information security layers for possible vulnerabilities. Only Red Team testing provides you with live feedback on the true level of your organizational security.

Thinking creatively! That's our approach to your test.

Security Art's Red-Team methodology consists of:
1. Information and intelligence gathering
2. Threat modeling
3. Vulnerability assessment
4. Exploitation
5. Risk analysis and quantification of threats to monetary values
6. Reporting

www.security-art.com

Ready to see actual benefits from your next security review?
info@security-art.com
Or call US Toll free: 1 800 300 3909
UK Toll free: 0 808 101 2722
