
Pen Testing the Web with Firefox

Michael “theprez98” Schearer

Who am I?
- Associate and network analyst for Booz Allen Hamilton in central Maryland
- Separated from 8+ years of active duty in the U.S. Navy as an EA-6B Electronic Countermeasures Officer (penetration tester of enemy air defenses)
- Spent 9 months on the ground in Iraq as a counter-IED specialist
- Contributing author to Penetration Tester's Open Source Toolkit (Volume 2), Netcat Power Tools and Kismet Hacking
- Amateur radio operator and active member of the NetStumbler, DEFCON, and BackTrack-Linux forums, a part-time football coach, and father of four


What’s this all about?

Then…
- Google for information gathering
- Individual programs for separate tasks
- Different interfaces for different programs
- OS-specific tools

Now…
- Specialized websites for detailed research
- Firefox as a platform to launch separate attacks
- The browser interface to point, click and pwn!
- (Mostly) OS transparent


By pen testing, I mean…
- Black/gray/white box testing
- Ethical hacking
- Security auditing
- Vulnerability assessment
- Standards compliance
- Training
- All of the above


By the web, I mean…
- Anything accessible over the Internet
- Anything accessible over intranets
- Anything traversing the tubes
- All of the above


By Firefox, I mean…
- The Firefox browser
- Installed on Windows, Linux, Mac OS
- 95% of the tools demonstrated today can be used with Firefox on any OS
- In the very few instances when I use something OS-specific, I will be sure to point it out to you
- (Much of this is also browser-transparent)

Why the browser? (1)
- Firewall restrictions
- Limited access accounts
- Internet café
- Mobile phones
- Generally speaking, an environment where your ability to install other tools or use the CLI is severely restricted


Why the browser? (2)
- The browser isn’t always the only way to do something
- Sometimes it isn’t even the easiest way
- However, you may encounter situations when the browser is your only option
- This presentation is your guide for those situations


Pen Testing the Web with Firefox
- (Mostly)* anonymous browsing
- Passive information gathering
- Display capabilities
- Passive vulnerability assessment
- Active vulnerability assessment
- A few more…


(Mostly)* anonymous browsing
- Third party website tools
- Public internet terminals
- Web-based HTTP proxies
- Proxy add-ons
- Google cache

Third party website tools
- Allows you to view content through a third party so as not to alert the target
- Content may be dated
- Allows gathering of:
  - Metadata (i.e.,
  - Context (Google cache, Wayback Machine)

Public internet terminals
- Provides a degree of anonymity due to the third party location, multiple users, and lack of authentication mechanisms
- Some (e.g., libraries) are free, but many cost money (airports, hotels, etc.)
- Ability to install or add functionality may be limited

Web-based HTTP proxies
- Hides your IP address from the target by using a third party (the proxy)
- Works best if the third party is trusted not to reveal the attacker’s information
- Some proxies may be blocked depending upon your source location

Proxy add-ons
- Browser-based proxy configuration
- Permits tunneling through open proxies
- Provides plausible deniability during penetration tests by obscuring the source of your traffic

Torbutton
- Simple on-off button that switches your proxy settings between the default (off) and Tor’s settings (on)
- Requires Tor to be installed
- Does not work with other proxy configurations

FoxyProxy
- Supports multiple proxy configurations
- Supports Tor (when installed); otherwise no additional software required
- Initial setup can be a little confusing

Google cache (cache:)
- Displays Google’s cached version of a web page instead of the current version of the page
- Google will highlight terms in your query that appear after the cache: search operator

Greasemonkey
- Allows you to customize the way a webpage displays using small bits of JavaScript
- Thousands of installable scripts are located at
- Google Cache Continue Redux inserts cache links on Google cache pages, so following links keeps you in the cache instead of sending you to the live site

Caveats
- Some proxy servers (e.g., Squid) add the X-Forwarded-For header, which reveals the originating IP address to the target
- Owners of proxy servers may be subject to court orders to reveal log information
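To see what the X-Forwarded-For caveat means from the target's side, here is an added example (not from the slides or from any of the add-ons named) in JavaScript for Node: it parses a raw request the way a "proxy judge" page does and reports what the relaying proxy disclosed. The sample requests, the addresses (RFC 5737 test ranges) and the proxy hostname are constructed for illustration.

```javascript
// Added example, not from the slides: what the target can learn from a request
// that arrived through an HTTP proxy. Sample requests and addresses below are
// constructed (RFC 5737 test ranges), not captured traffic.

// Parse the header block of a raw HTTP/1.x request into a map keyed by
// lowercase header name. Repeated headers are joined with ", " (RFC 7230),
// so several proxies each adding X-Forwarded-For yield one list.
function parseHeaders(rawRequest) {
  const headers = Object.create(null);
  for (const line of rawRequest.split(/\r?\n/).slice(1)) { // skip the request line
    if (line === '') break;                                  // blank line ends the headers
    const i = line.indexOf(':');
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Client addresses disclosed by X-Forwarded-For (de facto standard, comma
// separated, original client first) and by the for= parameter of Forwarded
// (RFC 7239, which may quote the value and bracket IPv6 literals).
function disclosedOrigins(headers) {
  const out = [];
  for (const ip of (headers['x-forwarded-for'] || '').split(',')) {
    const v = ip.trim();
    if (v && v !== 'unknown') out.push(v);
  }
  for (const m of (headers['forwarded'] || '').matchAll(/for="?\[?([^\]";,]+)/gi)) {
    out.push(m[1]);
  }
  return out;
}

// Classify the request the way a proxy judge page does:
//   transparent - the originating address is visible in a header
//   anonymous   - proxy use is visible (Via etc.) but the origin is not
//   elite       - nothing in the request betrays a proxy at all
function judgeProxy(remoteAddr, rawRequest) {
  const h = parseHeaders(rawRequest);
  const proxyHeaders = ['via', 'forwarded', 'x-forwarded-for', 'x-real-ip',
                        'x-proxy-id', 'proxy-connection'].filter(n => n in h);
  const origins = disclosedOrigins(h).filter(ip => ip !== remoteAddr);
  const level = origins.length ? 'transparent' : proxyHeaders.length ? 'anonymous' : 'elite';
  return { level, seenFrom: remoteAddr, origins, proxyHeaders };
}

// Constructed sample: a request relayed by a Squid proxy left at its default
// of appending Via and X-Forwarded-For. The tester's real address is
// 203.0.113.7; the target's socket only sees the proxy, 198.51.100.10.
const viaSquid = [
  'GET / HTTP/1.1',
  'Host: target.example',
  'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:1.9.2) Gecko/20100101 Firefox/3.6',
  'Via: 1.1 proxy.example (squid/3.1.6)',
  'X-Forwarded-For: 203.0.113.7',
  '',
  '',
].join('\r\n');

// Constructed sample: the same request with nothing added by the relay.
const clean = 'GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n';

// Both verdicts, for the reader running this stand-alone.
function demo() {
  return [judgeProxy('198.51.100.10', viaSquid), judgeProxy('198.51.100.10', clean)];
}
```

Run it with `node` and call `demo()`: the Squid-relayed request comes back `transparent` with `203.0.113.7` as the disclosed origin, the untouched one `elite`. A proxy that strips X-Forwarded-For but still adds Via lands in between: the target knows a proxy was used, but not by whom. This is also why an open proxy of unknown configuration is not anonymity until you have checked it against a judge page you control.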

Passive information gathering
- PassiveRecon
- Passive Cache

PassiveRecon
- Provides information security professionals with the ability to perform "packetless" discovery of target resources (no packets to the target itself) utilizing publicly available information
- Executes 20+ pre-configured searches regarding IP, DNS, mail server information, and Google searches

Passive Cache
- Uses Google’s text-only cache service and the Wayback Machine to display historical versions of a specified web link
- Allows for the viewing of a page, or site, while avoiding active connections to the target site

Display capabilities
- Changing the way the page is viewed depending upon how the browser renders the code, or based upon the user-agent string
- May seem trivial, but consider the following example…

IE Tab
- Embeds Internet Explorer inside Firefox tabs
- Allows viewing of pages in a different browser without having to start/restart IE
- “Switch rendering engine” option allows quick comparison of page views
- Safari View, Opera View, Chrome View…

[Screenshots: the same page under different rendering engines, exposing javascript:SnapshotWin() links and the paths client.html and setup/config.html]

Passive vulnerability analysis
- Netcraft
- WiGLE
- FOCA
- SHODAN


Netcraft (1)
- Internet services company based in Bath, England
- Provides internet security services, including anti-fraud and anti-phishing services, application testing, code reviews, and automated penetration testing
- Provides research data and analysis on many aspects of the Internet

Netcraft (2)
- Information can be gathered manually from the website or automatically by installing the Netcraft Toolbar (IE and FF)
- Toolbar provides links to Netcraft services, site risk rating, site reports and hosting providers
- Interpretation of some data (e.g., the web server software and OS named in a site report) may reveal potential site vulnerabilities

WiGLE
- Wireless Geographic Logging Engine
- Maps of wireless networks as contributed by its users
- 19+ million networks worldwide

[WiGLE map screenshots: wireless networks plotted around the Brandon Shores admin offices and the Wagner plant (CEG), as seen from a public road]

Fingerprinting Organizations with Collected Archives (FOCA)
- Developed by Chema Alonso and José Palazón and presented at DEFCON 17
- Searches for and automatically downloads documents
- Extracts metadata and other hidden information and lost data

FOCA (2)
- Analyzes the information to aid in fingerprinting a network
- Other than downloading the file, the process is completely passive
- FOCA is available via download; or
- Documents can be submitted via a web interface

What is SHODAN? (1)
- SHODAN is a computer search engine designed by web developer John Matherly
- While SHODAN is a search engine, it is much different from content search engines like Google, Yahoo or Bing

What is SHODAN? (2)
- Typical search engines crawl for data on web pages and then index it for searching
- SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching
- Optimizing search results requires some basic knowledge of banners

SHODAN Search Provider Firefox Add-on

SHODAN Helper Firefox Add-on

Surely these HTML links will require some additional authentication…

Nope. No authentication required for Level 15 (Cisco IOS privilege level 15, i.e., full enable access)! No authentication required for configure commands. No authentication required for Level 15 exec commands.
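The banner point above and the unauthenticated Cisco IOS web interfaces in the screenshots can be tied together with a small added example (not part of the slides, and not SHODAN's own code): a toy banner index with a SHODAN-style query function, in JavaScript for Node. The four banners and the RFC 5737 addresses are constructed. The two Cisco entries differ only in whether the HTTP server demanded credentials: the one that answers 401 carries WWW-Authenticate, the one that serves the page outright answers 200 with Last-Modified, so a query over the banner text alone separates them.

```javascript
// Added example, not from the slides: a miniature of what SHODAN indexes.
// Instead of crawling page content it stores the banner each port returned
// and lets you search the banner text. All entries are constructed; the
// addresses are RFC 5737 test ranges, not real devices.
const bannerIndex = [
  { ip: '192.0.2.10', port: 80,
    banner: 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.14 (Ubuntu)\r\nContent-Type: text/html\r\n' },
  { ip: '192.0.2.20', port: 22,
    banner: 'SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n' },
  // A Cisco IOS web server that demands credentials: 401 plus a realm.
  { ip: '192.0.2.30', port: 80,
    banner: 'HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\nWWW-Authenticate: Basic realm="level_15_access"\r\n' },
  // A Cisco IOS web server that does not: it serves the page (200) outright,
  // so its banner carries Last-Modified and no WWW-Authenticate at all.
  { ip: '192.0.2.40', port: 80,
    banner: 'HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\nLast-Modified: Thu, 01 Jan 2004 00:00:13 GMT\r\nContent-Type: text/html\r\n' },
];

// Pull product and version out of a banner, as far as a regex can tell:
// the HTTP Server header, or the SSH identification string.
function fingerprint(banner) {
  let m = banner.match(/^Server:\s*(\S+)/im);
  if (m) {
    const [product, version] = m[1].split('/');
    return { product, version: version || null };
  }
  m = banner.match(/^SSH-[\d.]+-([A-Za-z]+)[_-]?([\w.]+)?/m);
  if (m) return { product: m[1], version: m[2] || null };
  return { product: null, version: null };
}

// SHODAN-style query: every bare word (or "quoted phrase") must appear in the
// banner, case-insensitively; port:N restricts the port; -word excludes
// banners containing the word. Results carry the fingerprint for readability.
function search(index, query) {
  const terms = query.match(/"[^"]*"|\S+/g) || [];
  let port = null;
  const must = [], mustNot = [];
  for (let t of terms) {
    if (t.startsWith('port:')) { port = Number(t.slice(5)); continue; }
    const negated = t.startsWith('-');
    if (negated) t = t.slice(1);
    t = t.replace(/^"|"$/g, '').toLowerCase();
    (negated ? mustNot : must).push(t);
  }
  return index
    .filter(e => port === null || e.port === port)
    .filter(e => {
      const b = e.banner.toLowerCase();
      return must.every(t => b.includes(t)) && !mustNot.some(t => b.includes(t));
    })
    .map(e => ({ ip: e.ip, port: e.port, ...fingerprint(e.banner) }));
}
```

The query `cisco-ios last-modified` (or, equivalently here, `cisco-ios -www-authenticate`) returns only 192.0.2.40, the device that never asked for a password, while `"level_15_access"` finds the one that did. Knowing which header a device emits in each state is the "basic knowledge of banners" the slide refers to; the search terms are chosen from the banner, not from anything visible on the page.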

Active vulnerability analysis
- Exploit-Me
- HackBar
- Key-logger
- Tamper Data
- Groundspeed

Exploit-Me
- Suite of lightweight security testing tools
- Introduced at SecTor ’07 by Nishchal Bhalla and Rohit Sethi of Security Compass
- XSS-Me tests for cross-site scripting vulnerabilities
- SQL Inject-Me tests for SQL injection vulnerabilities
- Access-Me tests for access control vulnerabilities
- Future: Web Service-Me, Overflow-Me, Enumerate-Me, BruteForce-Me

HackBar
- Web developer tool designed to help with security audits on code
- Assists in testing SQL injections, XSS holes and general site security
- Tests security with obfuscation and deobfuscation (encoding and decoding payloads)
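As an added example (not from the slides, and not the code of XSS-Me or HackBar), the following Node script shows the core of both tools: HackBar-style encoders and decoders, and the reflection test XSS-Me automates, which submits a marked probe in each encoding and checks whether it comes back unescaped. The two search handlers are constructed stand-ins for a target page, one echoing the query raw and one HTML-escaping it.

```javascript
// Added example, not from the slides or from XSS-Me/HackBar: HackBar-style
// encoders/decoders and the reflection check at the heart of XSS-Me.
// The "search" handlers below are constructed stand-ins for a target page.

// Encodings of the kind HackBar applies to a payload before submitting it.
const encoders = {
  plain: s => s,
  url: s => encodeURIComponent(s),
  doubleUrl: s => encodeURIComponent(encodeURIComponent(s)),
  hex: s => '0x' + Buffer.from(s, 'utf8').toString('hex'),       // SQL-style hex literal
  base64: s => Buffer.from(s, 'utf8').toString('base64'),
  charCode: s => `String.fromCharCode(${[...s].map(c => c.charCodeAt(0)).join(',')})`, // quote-free JS
};

// Decoders for the reversible encodings (deobfuscating what a page echoes back).
const decoders = {
  url: s => decodeURIComponent(s),
  doubleUrl: s => decodeURIComponent(decodeURIComponent(s)),
  hex: s => Buffer.from(s.replace(/^0x/, ''), 'hex').toString('utf8'),
  base64: s => Buffer.from(s, 'base64').toString('utf8'),
};

// True when every reversible encoding survives an encode/decode round trip.
function roundTrips(s) {
  return Object.keys(decoders).every(name => decoders[name](encoders[name](s)) === s);
}

// Minimal HTML escaping: what the hardened page does and the vulnerable one omits.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Constructed targets. Each decodes the query parameter once, as a web server
// does for a URL-encoded GET parameter, then builds the response page.
function vulnerableSearch(q) {
  return `<html><body><p>Results for ${decodeURIComponent(q)}</p></body></html>`;
}
function hardenedSearch(q) {
  return `<html><body><p>Results for ${htmlEscape(decodeURIComponent(q))}</p></body></html>`;
}

// XSS-Me's core loop: submit the probe in every encoding and record whether
// the raw probe (executable markup) appears in the response body.
function testReflection(server, marker = 'xssme') {
  const probe = `<script>alert('${marker}')</script>`;
  const results = {};
  for (const [name, enc] of Object.entries(encoders)) {
    results[name] = server(enc(probe)).includes(probe);
  }
  return results;
}
```

Against the vulnerable handler the plain and single URL-encoded probes come back as live markup; the double-encoded, hex, base64 and charCode forms do not, because the server decodes only once and the rest are just text to it. Against the escaped handler nothing reflects. That per-encoding verdict is exactly the table XSS-Me produces, and the encoders are what HackBar keeps a click away when a filter blocks the obvious form.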

Key-logger
- Advertised as “never lose a message board post or email again”
- If you have physical access to the target machine…
- Records all keystrokes typed in web pages
- Icon can be hidden from the status bar

Tamper Data
- Acts like a proxy server
- Allows you to view and modify HTTP/HTTPS headers and POST parameters
- Traces and times HTTP requests/responses
- Popular for hacking e-commerce sites that don’t do server-side validation (e.g., of price)
- Changing high scores in Flash-based games

Groundspeed
- Allows users to manipulate the application user interface
- Eliminates limitations and client-side controls
- Useful for penetration testing of web applications
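The price-tampering case mentioned under Tamper Data, together with Groundspeed's removal of client-side limits, as an added example (not from the slides) in JavaScript for Node: a constructed checkout handler that trusts the posted price beside one that recomputes it server-side. The catalog, SKUs and form bodies are made up for illustration.

```javascript
// Added example, not from the slides: the e-commerce case Tamper Data is
// popular for, in miniature. A checkout form posts item, quantity and price;
// Tamper Data lets the tester rewrite the body in flight, and Groundspeed
// lets them remove the form's client-side limits. Catalog, SKUs, handlers
// and bodies are all constructed for illustration.

const catalog = {
  'sku-100': { name: 'Router', price: 249.00 },
  'sku-200': { name: 'Switch', price: 99.50 },
};

// Parse an application/x-www-form-urlencoded body, as Tamper Data displays it.
function parseForm(body) {
  const fields = Object.create(null);
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    fields[decodeURIComponent(k.replace(/\+/g, ' '))] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return fields;
}

// Vulnerable handler: trusts the price the client sent. Its only "validation"
// is the hidden <input name="price"> and the maxlength on the quantity field,
// both of which live in the browser and are the tester's to change.
function checkoutVulnerable(body) {
  const f = parseForm(body);
  const qty = parseInt(f.qty, 10);
  const price = parseFloat(f.price);
  return { ok: true, sku: f.sku, qty, total: +(qty * price).toFixed(2) };
}

// Hardened handler: the client names the item and quantity and nothing else
// is trusted. Price comes from the catalog, quantity is bounded server-side,
// and a posted price that disagrees with the catalog is rejected (and is
// worth logging: a browser never produces it on its own).
function checkoutHardened(body) {
  const f = parseForm(body);
  if (!Object.prototype.hasOwnProperty.call(catalog, f.sku)) return { ok: false, error: 'unknown sku' };
  const item = catalog[f.sku];
  const qty = Number(f.qty);
  if (!Number.isInteger(qty) || qty < 1 || qty > 99) return { ok: false, error: 'bad quantity' };
  if ('price' in f && Number(f.price) !== item.price) return { ok: false, error: 'price mismatch' };
  return { ok: true, sku: f.sku, qty, total: +(qty * item.price).toFixed(2) };
}

// What the browser submits from the untouched form.
const honestBody = 'sku=sku-100&qty=1&price=249.00';
// The same request after the tester edits the POST parameters in Tamper Data.
const tamperedBody = 'sku=sku-100&qty=1&price=0.01';
// A quantity beyond the form's maxlength="2", sent after Groundspeed removed it.
const oversizedBody = 'sku=sku-100&qty=1000&price=249.00';
```

With `tamperedBody` the vulnerable handler bills 0.01 for the router and the hardened one refuses; with `oversizedBody` the vulnerable handler happily totals 249000 while the hardened one rejects the quantity. The lesson the slide compresses into "server-side validation" is that every field a form carries, hidden or not, arrives as attacker input, so the server must derive anything that matters (price, limits, identity of the item) from its own data rather than from the post.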



A few more…
- Browser-based shells
- nmap-cgi (web-based front end for Nmap)
- Web-based front ends (generally)
- Internet Kiosk Attack Tool (iKAT) …


Credits: Websites
- iKAT (Paul Craig)

Credits: Add-ons
- Exploit-Me (Security Compass)
- FoxyProxy (Eric H. Jung)
- Google Cache Continue Redux (Jeffery To)
- Greasemonkey (Anthony Lieuallen, Aaron Boodman, Johan Sundström)
- Groundspeed (Felipe Moreno-Strauch)
- Fiddler (E. Lawrence)
- HackBar (Johan Adriaans)
- IE Tab (PCMan (Hong Jen Yee), yuoo2k)
- Key-logger (arrumi)
- Passive Cache (Brian Baskin)
- PassiveRecon (Justin Morehouse)
- SHODAN Helper (Gianni Amato)
- SHODAN Search Provider (sagar38)
- Tamper Data (Adam Judson)
- Torbutton (Mike Perry)


Your feedback
- These slides are available on
- This presentation is a small portion of a larger training class on browser-based penetration testing
- If you found this interesting, and think it would be a worthwhile training class at a future Black Hat event (or other venue), please provide feedback to both Black Hat and myself


Pen Testing the Web with Firefox
Michael “theprez98” Schearer