Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

More documents

Recommendations

Info

HOW-TOCookies Manager+Cookies Manager+ 1.5.1: This add-on can edit domain,path and name of multiple cookies. The edited cookiescan be saved as new entries or can replace the oldentries. Apart from this, the add-on can backup andrestore all or selected cookies, export cookie informationonto your clipboard and automatically monitor cookieschanges. Please remember the fact that you canonly edit cookies from your current session, once thesession ends, the cookies will expire because we areusing the bundled Firefox browser that came with Tor.(Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/).Figure 12. Tamper Data Context Field Modify WindowIf you right click an item and select Replayin browser, then you can modify that item’sparameters like protocol, credentials, port, host,path and you can then click OK to see the URIgetting replayed with the modified details that youentered.• When a request is made through your browser,a pop-up prompts you to – tamper the request,submit it without tampering or abort the request.• Selecting tamper will show you a tamper windowwhere you can edit the data using the contextfields, after that you can submit the modifiedvalues. Tamper data is particularly useful whenusername and password parameters are passedthrough an HTTPS request. These parametersshow up in the tamper window, which allows youto modify by adding SQL Injection/XSS text to theusername/email and password fields.ConclusionIt is quite simple for a pen tester to make a good pentesting application from a freely available browserlike Firefox. The Firefox project was released backon November 9, 2004, thus, the number of add-onsthat are available for the Firefox community is in largenumbers. This makes it a lot easier for even beginnersto use third party add-ons for converting their browsersto something as strong as a hacking application. Due tothe large number of add-ons available for Firefox, oneshould also understand that there are a lot of alternateadd-ons available for doing the same XSS, SQLInjection or HTTP requests modify / replay.In the beginning we used Tor Browser Bundlebecause it’s portable, doesn’t store any history logs andyou can relocate the browser and Tor to any computeryou like without installing anything. Also, once youinstall all your important add-ons on the browser thatis used by Tor Browser Bundle, the add-ons stays withthe browser and you don’t need to install them everytime you change systems. An older version of Firefox(Firefox 3.6.20) was used because most add-ons arecompatible with this version and not with the latest 6.0or 7.0b1 versions of the browser.Figure 13. Cookies Manager+ER. DHANANJAY D. GARGThe author holds a Bachelor’s Degreein Electronics & Telecommunication.He likes working on projects related toinformation security. He holds a diplomain Cyber Law and Information Security &Ethical Hacking. As a freelance writer, heoften writes on topics related to computersciences. He has written articles for journals like PenTestMagazine, Data Center Magazine and Enterprise IT SecurityMagazine. He can be reached out at:dhananjaydgarg1989@gmail.com.05/2011 (5) SeptemberPage 46http://pentestmag.com
Say Hello toRed TeamTesng!Security Art's Red Team service operates on all frontson behalf of the organizaon, evaluang allinformaon security layers for possible vulnerabilies.Only Red Team tesng provides you with livefeedback on the true level of your organizaonalsecurity.Thinking creavely! That’s our approach to your test.Security Art’s Red-Team methodologyconsists of:1. Informaon and intelligence gathering2. Threat modeling3. Vulnerability assessment4. Exploitaon5. Risk analysis and quanficaon ofthreats to monetary values6. Reporngwww.security-art.comReady to see actualbenefits from yournext security review?info@security-art.comOr call US Toll free:1 800 300 3909UK Toll free:0 808 101 2722
Page 2 and 3: EDITOR’S NOTE05/2011 (05)Editor:
Page 4 and 5: POINT OF VIEWIsn’t Social Enginee
Page 6 and 7: POINT OF VIEWTrust Pentesting Team.
Page 8 and 9: FOCUSBreaking Downthe i* {Devices}P
Page 10: FOCUSListing 1. IPhone applications
Page 19 and 20: AndroidManifest.xml. An important p
Page 21 and 22: Smartphone running the version of A
Page 23 and 24: Simplied User ExperienceThe user in
Page 26 and 27: FOCUSAttacking the MobileInfrastruc
Page 28 and 29: FOCUSAt any rate, I think these ent
Page 30 and 31: FOCUSToneLoc and LoadUseful For a P
Page 32 and 33: FOCUSoperate in a degraded state; f
Page 34 and 35: FOCUSInside AndroidApplicationsBy t
Page 36 and 37: (NEW) STANDARDSNew PenetrationTesti
Page 38 and 39: (NEW) STANDARDSof Hatforce. Before
Page 40: (NEW) STANDARDSReferences• [1] So
Page 43 and 44: name, IP address and server locatio
Page 45: Figure 8. User Agent Switcher Menur

Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

Create successful ePaper yourself

Delete template?

Save as template?