Pen Testing the Web With Firefox, Michael “theprez98” Schearer, CONFidence 2.0, Warsaw, Poland, November 19-20, 2009

Who am I?

What’s this really all about?

Who am I?

Senior Consultant for Booz Allen Hamilton in central Maryland

Recently separated from 8+ years of active duty in the U.S. Navy as an EA-6B Electronic Countermeasures Officer

Spent 9 months in the ground in Iraq as a counter-IED specialist

Contributor to several Syngress books, including Penetration Tester’s Open Source Toolkit (Volume 2), Netcat Power Tools, and Kismet Hacking

Amateur radio operator and active member of the NetStumbler, DEFCON, and Remote Exploit forums, a football coach, and father of four

What’s this all about?

Then:
  Google for information gathering
  Individual programs for separate tasks
  Different interfaces for different programs
  OS specific tools
  Specialized websites for detailed research

Now:
  Firefox as a platform to launch separate attacks
  The browser interface to point, click and pwn!
  (Mostly) OS transparent

Agenda

Penetration Testing Methodologies

Pen Testing the Web with Firefox
  Stand-Alone
  Website-based tools
  Other Firefox plugins/extension
  Firefox as a Front end
  Recommended Setup

Places/things to hack safely

Penetration Testing Methodologies

Focus is on freely available methodologies
  Open Source Security Testing Methodology Manual (OSSTMM) http://www.isecom.org/osstmm/
  Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Main_Page
  NIST Special Publication 800-42 and NIST Special Publication 800-115 (draft) http://csrc.nist.gov/publications/PubsSPs.html
  Penetration Testing Framework http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Penetration Testing Methodologies (cont’d)

Most Penetration Testing Engagements follow a standard process:
  Planning and Reconnaissance
  Scanning and Enumeration
  Gaining Access or Penetration
  Maintaining Access and Exploitation
  Covering Your Tracks

Pen Testing the Web with Firefox

Stand-Alone

Website-based tools

Google Hacks

Firefox plug-ins/extension

Firefox as a Front end

Recommended Setup

Using Firefox Stand-Alone

Out of the box
Primarily passive reconnaissance
  Whois – http://whois.net, http://www.samspade.org
  DNSStuff – http://www.dnsstuff.com
  NetCraft (toolbar or browser-based)
  EDGAR filings
  Google
    Names, locations, email addresses, etc.
    Mailing lists, newsgroups

Using Firefox: Website-Based Tools

Website-based tools

Online Nmap scans

Leak checkers

Hosted hash crackers

No, that’s not my IP…

Tor ;-)

On-line Hash Crackers

http://gdataonline.com/seekhash.php

http://www.passcracking.com

http://hash.insidepro.com/

http://www.md5this.com/

http://gdataonline.com

http://us.md5.crysm.net

http://md5.rednoize.com

http://www.milw0rm.com/md5

http://shm.hard-core.pl/md5

Using Firefox – Plugins and Extensions

FireCat
  Dozens of extensions and growing
  Strengths
  Weaknesses

A few examples

Exploit-Me

Tamper Data

Passive Recon

FireCat 1.4

Exploit-Me

Suite of lightweight security testing tools
Introduced at SecTor ’07 by Nishchal Bhalla and Rohit Sethi of Security Compass
XSS-Me to test for Cross-Site Scripting vulnerabilities (www.xssed.com)
SQL Inject-Me to test for SQL injection vulnerabilities
Access-Me tests access vulnerabilities
Future: Web Service-Me, Overflow-Me, Enumerate-Me, BruteForce-Me

Tamper Data
  Acts like a proxy server
  Allows you to view and modify HTTP/HTTPS headers and post parameters
  Trace and time HTTP response/requests
  Popular for hacking e-commerce sites that don’t do server-side validation (i.e., of price)
  Changing high scores on flash-based games
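
The server-side validation this slide refers to, as an added example (not from the original slides): a checkout total that trusts the posted price, beside one that prices the order from the server's own catalogue and flags a mismatch. The catalogue, form field names and function names are hypothetical.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the only trusted source of prices.
CATALOGUE = {"sku-1001": Decimal("49.99"), "sku-2002": Decimal("5.00")}
MAX_QTY = 100


def total_trusting_client(form):
    """Vulnerable pattern: the total is computed from the posted price field."""
    return Decimal(form["price"]) * int(form["qty"])


def total_server_side(form):
    """Hardened pattern: returns (total, flags); raises ValueError on bad input.

    The posted price never enters the total. It is only compared with the
    catalogue so that an edited request can be logged.
    """
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")

    flags = []
    posted = form.get("price")
    if posted is not None:
        try:
            if Decimal(posted) != CATALOGUE[sku]:
                flags.append("posted price %r differs from catalogue for %s" % (posted, sku))
        except InvalidOperation:
            flags.append("posted price %r is not a number" % posted)
    return CATALOGUE[sku] * qty, flags


# Constructed requests: what the form sends, and the same POST after the
# price field was edited in transit.
HONEST = {"sku": "sku-1001", "qty": "2", "price": "49.99"}
TAMPERED = {"sku": "sku-1001", "qty": "2", "price": "0.01"}

if __name__ == "__main__":
    for name, form in (("honest", HONEST), ("tampered", TAMPERED)):
        print(name, total_trusting_client(form), total_server_side(form))
```
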

Passive Recon

Tool for executing 20+ pre-configured searches

DNS records, Whois, MX records, Netcraft reports

What’s That Site Running?

Uptime reports

Google

Passive Recon - Menu

Passive Recon – DNS Info

Passive Recon – Domain Tools

Passive Recon – MX Records

Passive Recon – What’s This Site Running

Passive Recon – Link:

Other noteworthy add-ons

Add N Edit Cookies
  Self explanatory!
Firebug
  Edit, debug, and monitor CSS, HTML, and JavaScript live in any web page
HackBar
  Myriad of security/auditing/pen testing features
  Obfuscate SQL injection attacks
Web Developer
  What doesn’t it do? ;-)

Using Firefox – As a Front End

Proxies
  Tor
  Paros Proxy
  SPIKE Proxy
  Burp Proxy/Suite

Web Frontends
  Metasploit
  Fast-Track
  Inprotect (web interface for Nessus and Nmap)
  BASE (Snort)

Others?

Recommended Setup

Profiles
  Concerns:
    Too many extensions!
    Duplicate tasks
    Memory use/time to load
  Fixes:
    Profile Manager
    Mode
      “everyday”
      “pen testing”
    Install/load only those you use regularly

Recommended Setup

Add-ons
  Concerns:
    Add-on portability
    Installing multiple add-ons manually
  Fixes:
    FEBE (Firefox Environment Backup Extension)
    CLEO (Compact Library Extension Organizer)
    OPIE (Ordered Preference Import/Export)

Recommended Setup

Incompatible Add-ons
  Concerns:
    Loss of functionality
    Slow update to FF3 compatibility
  Fixes:
    Different add-on, same functionality
    Manually edit add-on:
      Sign in
      Ignore version check
      Download .XPI
      Edit “maxVersion” in install.rdf
      Update archive and install

Incompatible Add-ons

Places/Things to hack “safely”

OWASP’s WebGoat http://www.owasp.org/index.php/OWASP_WebGoat_Project

Foundstone “Hacme” series http://www.foundstone.com/us/resources-free-tools.asp

De-Ice pen-testing live CDs http://de-ice.net/index.php

PwnOS (VMWare image)

Your own VMWare lab

“Safe” hacking websites

Conclusion

Penetration Methodologies

Using Firefox
  Stand-alone
  Website-based tools
  Google Hacks
  Firefox plugins/extension
  Firefox as a Front end
  Recommended Setup

Places/things to hack safely

The Future

Questions?

Slides

For a copy of these slides, visit

http://www.scribd.com/theprez98

Credits

John Fulmer

Church of WiFi

Thomas Wilhelm “Grendel”

Laurent Chouraki, Benjamin Picuira and Nabil Ouchn (Security-database.com)

Nishchal Bhalla and Rohit Sethi (Security Compass)

Chuck Baker

Justin Morehouse
