Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

More documents

Recommendations

Info

EDITOR’S NOTE05/2011 (05)Editor: Sebastian Bulasebastian.bula@software.com.plTEAMBetatesters / Proofreaders: Massimo Buso, Ankit Prateek,Santosh Rana, Rishi Narang, Davide Quarta, Gerardo IglesiasGarvan, Steve Hodge, Jeff Weaver, Santosh RanaSenior Consultant/Publisher: Paweł MarciniakCEO: Ewa Dudzicewa.dudzic@software.com.plArt Director: Ireneusz Pogroszewskiireneusz.pogroszewski@software.com.plDTP: Ireneusz PogroszewskiProduction Director: Andrzej Kucaandrzej.kuca@software.com.plMarketing Director: Sebastian Bulasebastian.bula@software.com.plPublisher: Software Press Sp. z o.o. SK02-682 Warszawa, ul. Bokserska 1Phone: 1 917 338 3631www.hakin9.org/enWhilst every effort has been made to ensure the high quality ofthe magazine, the editors make no warranty, express or implied,concerning the results of content usage.All trade marks presented in the magazine were used only forinformative purposes.All rights to trade marks presented in the magazine arereserved by the companies which own them.To create graphs and diagrams we usedprogrambyMathematical formulas created by Design Science MathTypeDISCLAIMER!The techniques described in our articles may onlybe used in private, local networks. The editorshold no responsibility for misuse of the presentedtechniques or consequent data loss.Dear Readers,How do you feel when you read yet another piece of newsabout yet another tabloid journalist hacking into yet anothercelebrity / politician / accident victim / etc. mobile and extractingconfidential information from their voice mail (The News ofThe World thank you very much for making the news)? Ibelieve that people who use their mobiles like their cars (youdon’t have to know what’s under the bonnet to know how todrive it – so the vast majority of us) are perplexed at the ideathat their precious secrets can be disclosed so easily and theirindispensible mobile friends can be hacked into by namelessagents, lurking somewhere out of their sight. But how a hackerfeels? I believe – offended, because how can you call tryingout a 4-digit code (which is most likely 1,2,3,4, or the year ofthe user’s birth, or something equally impenetrable) till youfind the correct sequence? I might be a bit biased here, but Ifind calling it brute-forcing a bit of an overstatement.Thus, we’ve decided to devote our September edition to mobilesecurity, seen, as always, from a pentester perspective. Themobile apps market is growing rapidly, and so are attemptsof compromising its security. Nowadays everyone can be a„hacker”, as we have already mentioned, but securing yourselffrom a real threat is another pair of shoes. And what betterway of managing security issues than penetration testing?The centerpiece of this issue’s focus is Aditya K Sood’sBreaking Down the i*{Devices}, concentrating on data testing,decrypting and mobile apps developers „wrongdoings”,who sometimes tend to disregard security issues at a scalewhich can be described as at least inappropriate, takinginto consideration the expanding market. Cory Adams willencourage you to Act Like a Criminal while LeveragingAndroid Malware for Improved Penetration Testing Results,Bill Mathews will share his views on Attacking the MobileInfrastructure, and Devesh Bhatt will take you Inside AndroidApplications, concentrating on manifest configuration. Somegeneral points of Mobile Application Security Testing will bepresented to you by Iftach Ian Amit.There are of course other articles worth looking at in this issueof PenTest Magazine. I can definitely recommend ArthurGervais’ New Penetration Business Model – the idea behindhis Hatforce project, based on crowd-sourcing. It might beanother step in the field of IT security, surely worth looking atand taking further.Enjoy your readingSebastian Buła& Penetration Test Magazine Team05/2011 (5) SeptemberPage 2 http://pentestmag.com
CONTENTSPOINT OF VIEW04Isn’t Social Engineering the SafestForm of Pentesting?by Ankit PratekOne might argue over this, but for a student and a buddingpentester like me, this is the truth and holds water. Socialengineering won’t call your work illegal unless you harmsomeone personally or cause some financial loss. Plus,since you don’t have certifications at competitive prices,no one even wants you to be a certified Social Engineerat that unaffordable price.06Trust Pentesting Team. Do you?by Rishi NarangWith the advent of security and its counterpart, a largeshare of vulnerabilities has been due to human errorsin the software lifecycle. These errors have either creptin mistakenly, or the loop holes have been intentionallyinserted with ‘malicious’ intentions.FOCUS08Breaking Down the i*{Devices}by Aditya K SoodSmartphones have revolutionized the world. Theonline world is grappling with severe security andprivacy issues. The smartphone applications require anaggressive approach of security testing and integrityverification in order to serve the three metrics of securitysuch as confidentiality, integrity and availability.16Act Like A Criminalby Cory AdamsWhat, act like a criminal? That would usually beconsidered bad advice, but having an understanding ofhow cyber criminals conduct business will lead to betterpenetration testing results. In-depth malware analysiswill reveal criminals’ tactics, techniques, and procedures.These can be utilized to generate improved penetrationtesting abilities by allowing the tester to view the targetas a would-be intruder does.22Mobile Application Security Testingby Iftach Ian AmitThriving vendor marketplaces (such as iTunes and theAndroid store) encourage the rapid development anddeployment of mobile applications to consumers andbusinesses alike. Additionally, alternative 3rd-partydownload and install markets open up as software writersseek opportunities, outside the walled gardens providedby the mainstream stores.26Attacking the Mobile Infrastructureby Bill MathewsWe will explore a few philosophies for attacking amobile management infrastructure. The article will coverthe differences in testing mobile stuff vs “everythingelse” as well as reusing some of the things you know todemystify the mobile world.30ToneLoc and Load – Useful For aPentester?by Chris McAndrewWhen on average it takes less than half an hour tobypass the security of many voicemail systems and therewards can be over L250,000 for a weekends work, it’sno wonder that phreaking telephone systems is enjoyinga resurgence.34Inside Android Applicationsby Devesh BhattBy the end of 2011, the number of Smartphone shipmentsaround the world will explode to nearly 468 million unitsand the android operating system would have a fiftypercent market share. This would increase the number ofattacks on mobile applications and also the investment insecuring the applications from the attacks.(NEW) STANDARDS36New Penetration Testing BusinessModelby Arthur GervaisToday everybody can become a hacker. The knowledgespreads all over the Internet. A lot of hackers are showingtheir know-how by sharing the results of their attacks.Why do not use this knowledge through crowd-sourcingin order to globally improve the security? Starting fromthis fundamental idea, a business model has beendeveloped by Hatforce.HOW-TO42Building Your Own PentestingApplicationby Dhananjay D.GargAlthough even today web browsers serve the primarypurpose of bringing information resources to the user,they no longer represent a software application withbare bones support for just HTML. Today, web browserslike Mozilla Firefox come with the support of add-ons,which are small installable enhancements to a browser’sfoundation.05/2011 (5) SeptemberPage 3 http://pentestmag.com
Page 4 and 5: POINT OF VIEWIsn’t Social Enginee
Page 6 and 7: POINT OF VIEWTrust Pentesting Team.
Page 8 and 9: FOCUSBreaking Downthe i* {Devices}P
Page 10: FOCUSListing 1. IPhone applications
Page 19 and 20: AndroidManifest.xml. An important p
Page 21 and 22: Smartphone running the version of A
Page 23 and 24: Simplied User ExperienceThe user in
Page 26 and 27: FOCUSAttacking the MobileInfrastruc
Page 28 and 29: FOCUSAt any rate, I think these ent
Page 30 and 31: FOCUSToneLoc and LoadUseful For a P
Page 32 and 33: FOCUSoperate in a degraded state; f
Page 34 and 35: FOCUSInside AndroidApplicationsBy t
Page 36 and 37: (NEW) STANDARDSNew PenetrationTesti
Page 38 and 39: (NEW) STANDARDSof Hatforce. Before
Page 40: (NEW) STANDARDSReferences• [1] So
Page 43 and 44: name, IP address and server locatio
Page 45 and 46: Figure 8. User Agent Switcher Menur
Page 47: Say Hello toRed TeamTesng!Security

Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?