Pen Testing the Web with Firefox Michael “theprez98” Schearer twitter.com/theprez98
[email protected]
Who am I?
Associate and network analyst for Booz Allen Hamilton in central Maryland
Separated from 8+ years of active duty in the U.S. Navy as an EA-6B Electronic Countermeasures Officer (Penetration Tester of Enemy Air Defenses)
Spent 9 months on the ground in Iraq as a counter-IED specialist
Contributing author to Penetration Tester's Open Source Toolkit (Volume 2), Netcat Power Tools and Kismet Hacking
Amateur radio operator and active member of the NetStumbler, DEFCON, and BackTrack-Linux forums, a part-time football coach, and father of four
What’s this all about? Then…
Google for information gathering
Individual programs for separate tasks
Different interfaces for different programs
OS-specific tools
Now…
Specialized websites for detailed research Firefox as a platform to launch separate attacks The browser interface to point, click and pwn! (Mostly) OS transparent
By pen testing, I mean… Black/gray/white box testing Ethical hacking Security auditing Vulnerability assessment Standards compliance Training
All of the above
By the web, I mean… Anything accessible over the Internet Anything accessible over Intranets Anything traversing the tubes All of the above
By Firefox, I mean…
The Firefox browser Installed on Windows, Linux, Mac OS 95% of the tools demonstrated today can be used with Firefox on any OS In the very few instances when I use something OS-specific, I will be sure to point it out to you (Much of this is also browser-transparent)
Why the browser? (1) Firewall restrictions Limited access accounts Internet café Mobile phones Generally speaking, an environment where your ability to install other tools or use the CLI is severely restricted
Why the browser? (2)
The browser isn’t always the only way to do something
Sometimes it isn’t even the easiest way
However, you may encounter situations when the browser is your only option. This presentation is your guide for those situations
Pen Testing the Web with Firefox (Mostly)* anonymous browsing Passive information gathering Display capabilities Passive vulnerability assessment Active vulnerability assessment
A few more…
(Mostly)* anonymous browsing Third party website tools Public internet terminals Web-based HTTP proxies Proxy add-ons Google cache
Third party website tools Allows you to view content through a third party so as not to alert the target Content may be dated Allows gathering of:
Metadata (e.g., centralops.net) Context (Google cache, Wayback Machine)
Public internet terminals Provides a degree of anonymity due to third party location, multiple users, and lack of authentication mechanisms Some (e.g., libraries) are free, but many cost (airports, hotels, etc.) Ability to install or add functionality may be limited
Web-based HTTP proxies Hides IP address from target by using a third party (proxy) Works best if the third party is trusted not to reveal the attacker’s information Some proxies may be blocked depending upon your source location
Proxy add-ons Browser-based proxy configuration Permits tunneling through open proxies Provides plausible deniability during penetration tests by obscuring the source of your traffic
Torbutton Simple on-off button that switches your proxy settings between the default (off) and Tor’s settings (on) Requires Tor to be installed Does not work with other proxy configurations
FoxyProxy Supports multiple proxy configurations Supports Tor (when installed); otherwise no additional software required Initial setup can be a little confusing
Google cache (cache:)
Display Google’s cached version of a web page instead of the current version of the page
Google will highlight terms in your query that appear after the cache: search operator
Greasemonkey Allows you to customize the way a webpage displays using small bits of JavaScript Thousands of installable scripts are located at userscripts.org Google Cache Continue Redux inserts cache links on Google cache pages
*Caveats Some proxy servers (e.g., Squid) add the X-Forwarded-For header, which can reveal the originating IP address to the target Owners of proxy servers may be subject to court orders to reveal log information
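To make the X-Forwarded-For caveat concrete, here is an added example (not code from the original slides) that parses a request the way the target's web server would see it after passing through one or more proxies. The sample requests, addresses (RFC 5737 documentation ranges) and proxy host names are constructed for the example; the point is that a forwarding proxy which appends X-Forwarded-For hands the target the very address the proxy was supposed to hide.

```python
from typing import Dict, List

# Constructed sample: a request as it arrives at the target after passing
# through two forwarding proxies. The first proxy (198.51.100.7) appended the
# original client (192.0.2.10) to X-Forwarded-For; the second proxy appended
# the first. The target's TCP peer is the second proxy (203.0.113.9).
THROUGH_SQUID = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Forwarded-For: 192.0.2.10, 198.51.100.7\r\n"
    "Via: 1.1 proxy1.example.net (squid/3.1), 1.1 proxy2.example.net\r\n"
    "\r\n"
)

# Constructed sample: the same request through a proxy that strips
# forwarding headers, so the target only ever learns the proxy's address.
THROUGH_ANONYMIZER = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request (names lowercased)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def forwarded_chain(raw: str) -> List[str]:
    """X-Forwarded-For entries in order: the first one is the original client."""
    xff = parse_headers(raw).get("x-forwarded-for", "")
    return [a.strip() for a in xff.split(",") if a.strip()]


def what_target_sees(raw: str, peer_ip: str) -> dict:
    """Summarise what the target's access log can record: the TCP peer (the last
    proxy), the hops named in Via, and the address the headers expose as origin."""
    headers = parse_headers(raw)
    chain = forwarded_chain(raw)
    via = [v.strip() for v in headers.get("via", "").split(",") if v.strip()]
    origin = chain[0] if chain else peer_ip
    return {
        "peer": peer_ip,
        "via_hops": via,
        "xff_chain": chain,
        "origin": origin,
        # True when the headers reveal an address other than the connecting peer
        "origin_exposed": bool(chain) and origin != peer_ip,
    }


if __name__ == "__main__":
    for label, req in (("squid", THROUGH_SQUID), ("anonymizer", THROUGH_ANONYMIZER)):
        print(label, what_target_sees(req, "203.0.113.9"))
```

Two things follow for the defender side of this: a server can log the chain to attribute traffic behind a cooperative proxy, but since any client can set X-Forwarded-For itself, the value is a hint for investigation, never an authenticated source address for access decisions.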
Passive information gathering PassiveRecon Passive Cache
PassiveRecon Provides information security professionals with the ability to perform "packetless" discovery of target resources utilizing publicly available information Executes 20+ pre-configured searches regarding IP, DNS, mail server information, and Google searches
Passive Cache Uses Google's text-only cache service and Archive.org Wayback Machine to display historical versions of a specified web link Allows for the viewing of a page, or site, while avoiding active connections to a target site
Display capabilities Changing the way the page is viewed depending upon how the browser renders the code; or based upon the user-agent string May seem trivial, but consider the following example…
IE Tab Embeds Internet Explorer inside Firefox tabs Allows viewing of pages in different browser without having to start/restart IE
“Switch rendering engine” option allows quick comparison of page views
Safari View, Opera View, Chrome View…
[Screenshots: javascript:SnapshotWin() on client.html and setup/config.html]
Passive vulnerability analysis Netcraft WiGLE FOCA SHODAN
Netcraft (1) Internet services company based in Bath, England Provides internet security services, including anti-fraud and anti-phishing services, application testing, code reviews, and automated penetration testing Provides research data and analysis on many aspects of the Internet
Netcraft (2) Information can be gathered manually from the website or automatically by installing the Netcraft Toolbar (IE and FF) Toolbar provides links to Netcraft services, site risk rating, site reports and hosting providers Interpretation of some data may reveal potential site vulnerabilities
WiGLE Wireless Geographic Logging Engine Maps of wireless networks as contributed by its users 19+ million networks worldwide
[WiGLE map screenshots: labelled locations Admin offices, Brandon Shores, Wagner, CEG, and a public road]
Fingerprinting Organizations with Collected Archives (FOCA) Developed by Chema Alonso and José Palazón and presented at DEFCON 17 Search and automatically download documents Extract metadata and other hidden information and lost data
FOCA (2) Analyze the information to aid in fingerprinting a network Other than downloading the file, the process is completely passive FOCA is available via download; or Documents can be submitted via a web interface
What is SHODAN? (1) SHODAN (http://shodan.surtri.com/) is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean) While SHODAN is a search engine, it is much different than content search engines like Google, Yahoo or Bing
What is SHODAN? (2) Typical search engines crawl for data on web pages and then index it for searching SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching Optimizing search results requires some basic knowledge of banners
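The difference between indexing page content and indexing service banners is easiest to see in code. The following is an added example, not part of the original slides and not SHODAN's own implementation: a tiny inverted index over a handful of constructed banners (documentation-range addresses, invented hosts). It shows why "basic knowledge of banners" matters for queries, and it is equally usable by a defender who wants to know which of their own hosts advertise a given product or version string.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample banners keyed by host:port (invented records, not real
# search-engine data). Each is what a client sees right after connecting.
SAMPLE_BANNERS: Dict[str, str] = {
    "192.0.2.10:80": "HTTP/1.0 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Type: text/html\r\n",
    "192.0.2.11:22": "SSH-2.0-OpenSSH_4.3",
    "192.0.2.12:25": "220 mail.example.net ESMTP Postfix",
    "198.51.100.5:80": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n",
    "198.51.100.6:23": "\r\nUser Access Verification\r\n\r\nPassword: ",
}

TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_./-]*")


def tokenize(banner: str) -> Set[str]:
    """Turn a banner into searchable terms: each word lowercased, each '-'
    separated part, and the product name in front of a '/' or '_' version
    separator, so 'SSH-2.0-OpenSSH_4.3' is findable as 'openssh_4.3' and 'openssh'."""
    terms: Set[str] = set()
    for word in TOKEN_RE.findall(banner):
        w = word.lower()
        terms.add(w)
        for part in w.split("-"):
            terms.add(part)
            for sep in ("/", "_"):
                if sep in part:
                    terms.add(part.split(sep, 1)[0])
    terms.discard("")
    return terms


def build_index(banners: Dict[str, str]) -> Dict[str, Set[str]]:
    """Inverted index: term -> set of host:port whose banner contains it.
    Nothing about the HTML content of the service is indexed, only the banner."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for hostport, banner in banners.items():
        for term in tokenize(banner):
            index[term].add(hostport)
    return index


def search(index: Dict[str, Set[str]], query: str) -> List[str]:
    """All whitespace-separated query terms must match (AND), case-insensitive."""
    terms = [t.lower() for t in query.split()]
    if not terms:
        return []
    hits = set(index.get(terms[0], set()))
    for t in terms[1:]:
        hits &= index.get(t, set())
    return sorted(hits)


if __name__ == "__main__":
    idx = build_index(SAMPLE_BANNERS)
    for q in ("apache", "openssh_4.3", "server iis", "password", "nginx"):
        print(f"{q!r:16} -> {search(idx, q)}")
```

Run against an inventory of your own banners, the same index answers the question SHODAN answers about everyone else: which exposed services announce a product or version that should not be reachable at all. Trimming or removing version strings from banners reduces what such an index can learn, but not what a full probe can.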
SHODAN Search Provider Firefox Add-on
SHODAN Helper Firefox Add-on
Surely these HTML links will require some additional authentication…
Nope. No authentication required for Level 15! No authentication required for configure commands
No authentication required for Level 15 exec commands
Active vulnerability analysis Exploit-Me HackBar Key-logger Tamper Data Groundspeed
Exploit-Me
Suite of lightweight security testing tools Introduced at SecTor ’07 by Nishchal Bhalla and Rohit Sethi of Security Compass XSS-Me to test for Cross-Site Scripting vulnerabilities (www.xssed.com) SQL Inject-Me to test for SQL injection vulnerabilities Access-Me tests access vulnerabilities Future: Web Service-Me, Overflow-Me, Enumerate-Me, BruteForce-Me
HackBar Web developer tool designed to help with security audits on code Assists in testing SQL injections, XSS holes and general site security Test security with obfuscation and deobfuscation
Key-logger
Advertised as “never lose a message board post or email again”
If you have physical access to the target machine… Records all keystrokes typed in web pages Icon can be hidden from status bar
Tamper Data
Acts like a proxy server
Allows you to view and modify HTTP/HTTPS headers and post parameters
Trace and time HTTP requests/responses Popular for hacking e-commerce sites that don’t do server-side validation (e.g., of price) Changing high scores on flash-based games
Groundspeed Allows users to manipulate the application user interface Eliminate limitations and client-side controls Useful for penetration testing of web applications
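Both Tamper Data (rewriting POST parameters in flight) and Groundspeed (removing client-side controls from the form) only work against an application that trusts what the browser sends. The following is an added example, not code from the original slides or from either add-on, showing a checkout handler in its vulnerable form beside the hardened form: the price is looked up server-side and the quantity is re-validated regardless of any maxlength or JavaScript check the page had. The catalogue, form bodies and limits are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed catalogue: the authoritative prices (in cents) live on the server.
CATALOGUE = {"widget": 1999, "gadget": 4999}
MAX_QTY = 10  # the same limit the page enforces client-side, re-checked here


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_trusting_client(body: str) -> int:
    """Vulnerable: the server multiplies whatever price and quantity the browser
    posted. A hidden 'price' field is just another editable parameter."""
    form = parse_form(body)
    return int(form["qty"]) * int(form["price"])


def checkout_server_side(body: str) -> int:
    """Hardened: the client's 'price' field is ignored entirely; the price comes
    from the catalogue and the quantity is bounded here, not in the browser."""
    form = parse_form(body)
    item = form.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return qty * CATALOGUE[item]


# Constructed sample submissions: a normal one, one where the hidden price
# field was rewritten in flight, and one where the client-side quantity limit
# was removed from the form.
NORMAL = "item=widget&price=1999&qty=2"
PRICE_TAMPERED = "item=widget&price=1&qty=2"
LIMIT_REMOVED = "item=widget&price=1999&qty=500"


if __name__ == "__main__":
    for label, body in (("normal", NORMAL), ("price tampered", PRICE_TAMPERED)):
        print(f"{label:15} trusting={checkout_trusting_client(body):>6}"
              f" server-side={checkout_server_side(body):>6}")
    try:
        checkout_server_side(LIMIT_REMOVED)
    except ValueError as exc:
        print(f"limit removed   server-side rejects: {exc}")
```

The same rule covers the game-score case on the slide: a score, a price, a role, or a maximum length that arrives from the client is input, and the server must recompute or re-check it from state it controls.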
A few more… Browser-based shells nmap-cgi (web-based front end for Nmap) Web-based front ends (generally) Internet Kiosk Attack Tool (iKAT)
…
Credits: Websites
archive.org anonymouse.org centralops.net ikat.ha.cked.net (Paul Craig) informatica64.com/foca/ netcraft.com nmap-cgi.tuxfamily.org shodanhq.com wigle.net
Credits: Add-ons
Exploit-Me (Security Compass)
FoxyProxy (Eric H. Jung)
Google Cache Continue Redux (Jeffery To)
Greasemonkey (Anthony Lieuallen, Aaron Boodman, Johan Sundström)
Groundspeed (Felipe Moreno-Strauch)
Fiddler (E. Lawrence)
HackBar (Johan Adriaans)
IE Tab (PCMan (Hong Jen Yee), yuoo2k)
Key-logger (arrumi)
Passive Cache (Brian Baskin)
PassiveRecon (Justin Morehouse)
SHODAN Helper (Gianni Amato)
SHODAN Search Provider (sagar38)
Tamper Data (Adam Judson)
Torbutton (Mike Perry)
Your feedback
These slides are available on www.scribd.com/theprez98 This presentation is a small portion of a larger training class on browser-based penetration testing If you found this interesting, and think it would be a worthwhile training class at a future Black Hat event (or other venue), please provide feedback to both Black Hat and myself