Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

More documents

Recommendations

Info

HOW-TOBuilding Your OwnPentesting ApplicationAlthough even today web browsers serve the primary purposeof bringing information resources to the user, they no longerrepresent a software application with bare bones support for justHTML. Today, web browsers like Mozilla Firefox come with thesupport of add-ons, which are small installable enhancements to abrowser’s foundation.These add-ons when installed inside a browsercan add additional functionality to the browserand this additional functionality can be used onthe web pages that are viewed by the user.The best part about these add-ons is that they enablethird-party developers to add new features withoutinterfering with the original source code of the hostapplication. These add-ons are dependent on theservices that are provided by the host application toregister themselves. Thus, third party developers canupdate their add-ons without making any changesto the host application as the host applicationoperates independently. These add-ons can serve forscatterbrained as well as for informative purposes likehacking, penetration testing, and more.Mozilla Firefox Add-onsMozilla Add-ons (https://addons.mozilla.org/en-US/firefox/) is a huge repositoryfor add-ons that supportMozilla software like MozillaFirefox browser. These addonsare submitted by many developers from acrossthe globe for end-users. Using the privacy and securityadd-ons from this gallery, we can build a good browserbased application for penetration testing and securitypurposes.Pen <strong>Testing</strong> Add-onsTorTor: Experts always suggest that it’s best to hideyour identity before getting involved in any securityrelated operations. Tor allows user to maintain onlineanonymity. Tor basically has a worldwide network ofservers that helps route the internet traffic and thus,disguise a user’s geographical location. The best thingabout Tor is that it’s open-source and anybody can useTor network for free.• To setup Tor, you need to first downloadthe Tor Browser Bundle from Link: https://www.torproject.org/download/download.html.en.This bundle will will ask your permission to extracta bundle of files to the location where Tor installerwas downloaded.• Now, Start Tor Browser. Once you’re connectedto the Tor Network, the browser (Firefox 3.6.20)will automatically open up with a congratulationsmessage that your IP address is now changed. Forexample, my IP address changed to 85.223.65.238,which is located in Netherlands.WHOISWHOIS: Internet resources such as domain name,IP addresses or controller systems are registeredin database systems. WHOIS is used to query the05/2011 (5) SeptemberPage 42http://pentestmag.com
name, IP address and server location. Right clickingon the flag will let you access additional informationabout the web site using external lookups such asDomainTools WHOIS, WOT Scorecard, McAfeeSiteAdvisor and many more. You can also add additionallookups which you find necessary. Clicking on the flagicon will by default take you to Geotool, which Flagfox’sdefault action (see Figure 2) (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/flagfox/).Figure 1. Vidalia Control PanelFigure 2. Flagfox in Firefox 6.0databases for cognizing the data about the resource,assignees, registrants and administrative information.Flagfox: This extension introduces a flag icon on theright hand side of your address bar (see Figure 1). Thisflag shows the web server’s physical location. Hoveringover the flag will display information such as domainExploit Database SearchExploit Database Search: The Exploit Database (http://exploit-db.com/) is an archive of more than 15000exploits and software vulnerabilities. This exploitdatabase is a great place for information securityresearchers and penetration testers for getting anexploit’s information in plain text format.Offsec Exploit-db Search: This add-on simply addsOffsec Exploit Archive search among other installedsearch engines in your Firefox. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/offsec-exploitdb-search/).SQL InjectionSQL Injection: Database applications are critical intoday’s web scenario. If a database application isunable to filter out escape characters then it becomesvery easy for malicious users to perform SQL codeinjection on a vulnerable application. Using this, amalicious user can gain access to the server andcan delete or modify records. Recently websites likeKathmandu Metropolitan City, Metropolitan UK Police,Nepal Telecommunications Authority, BART PoliceDatabase and NASA Forum were exposed of the SQLFigure 3. Geotool lookup of a website05/2011 (5) SeptemberPage 43http://pentestmag.com
Page 2 and 3: EDITOR’S NOTE05/2011 (05)Editor:
Page 4 and 5: POINT OF VIEWIsn’t Social Enginee
Page 6 and 7: POINT OF VIEWTrust Pentesting Team.
Page 8 and 9: FOCUSBreaking Downthe i* {Devices}P
Page 10: FOCUSListing 1. IPhone applications
Page 19 and 20: AndroidManifest.xml. An important p
Page 21 and 22: Smartphone running the version of A
Page 23 and 24: Simplied User ExperienceThe user in
Page 26 and 27: FOCUSAttacking the MobileInfrastruc
Page 28 and 29: FOCUSAt any rate, I think these ent
Page 30 and 31: FOCUSToneLoc and LoadUseful For a P
Page 32 and 33: FOCUSoperate in a degraded state; f
Page 34 and 35: FOCUSInside AndroidApplicationsBy t
Page 36 and 37: (NEW) STANDARDSNew PenetrationTesti
Page 38 and 39: (NEW) STANDARDSof Hatforce. Before
Page 40: (NEW) STANDARDSReferences• [1] So
Page 45 and 46: Figure 8. User Agent Switcher Menur
Page 47: Say Hello toRed TeamTesng!Security

Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?