pen testing the web with firefox: introduction

Upload: michael-schearer

Post on 30-May-2018


  • 8/14/2019 Pen Testing the Web with Firefox: Introduction

    Slide 1/46: Pen Testing the Web with Firefox

    Michael "theprez98" Schearer

    Slide 2/46: Pen Testing the Web with Firefox: Intro

    Michael "theprez98" Schearer

    Slide 4/46: Who am I? (2)

    • Contributing author to Penetration Tester's Open Source Toolkit (Volume 2), Netcat Power Tools and Kismet Hacking

    Slide 5/46: Course Logistics (1)

    • Please do not hesitate to interrupt if you have a question
    • We will take ten minute breaks every 50 minutes or so

    Slide 6/46: Course Logistics (2)

    • Conference wireless network: SSID: Konferanse, Passphrase: osloerenfinbyn
    • If you haven't already, consider upgrading to the most recent version of Firefox (http://www.getfirefox.com)
    • You may want to bookmark the add-on site (https://addons.mozilla.org)

    Slide 7/46: Legal issues

    • Do not install tools on systems on which you do not have permission to do so
    • Do not access resources to which you do not have permissions
    • Do not test web pages or applications for which you do not have explicit permission

    Slide 8/46: What's this all about?

    Then:
    • Google for information gathering
    • Individual programs for separate tasks
    • Different interfaces for different programs
    • OS specific tools
    • Specialized websites for detailed research

    Now:
    • Firefox as a platform to launch separate attacks
    • The browser interface to point, click and pwn!
    • (Mostly) OS transparent

    Slide 9/46: By "pen testing", I mean...

    • Black/gray/white box testing
    • Ethical hacking
    • Security auditing
    • Vulnerability assessment
    • Standards compliance
    • Training
    • All of the above

    Slide 10/46: By "the web", I mean...

    • Anything accessible over the Internet
    • Anything accessible over Intranets
    • All of the above

    Slide 11/46: By "Firefox", I mean...

    • The Firefox browser
    • Installed on Windows, Linux, Mac OS
    • 95% of the tools demonstrated today can be used with Firefox on any OS
    • In the very few instances when I use something OS-specific, I will be sure to point it out to you

    Slide 12/46: Pen Testing the Web with Firefox

    • Overview (this brief)
    • Google hacking
    • Website-based tools
    • SHODAN
    • Firefox add-ons
    • Add-on management

    Slide 13/46: Why the browser? (1)

    • Firewall restrictions
    • Limited access accounts
    • Internet cafés
    • Mobile phones
    • Generally speaking, an environment where your ability to install other tools or use the CLI is severely restricted

    Slide 14/46: Why the browser? (2)

    • The browser isn't always the only way to do something
    • Sometimes it isn't even the easiest way
    • However, you may encounter situations when the browser is your only option
    • This course is your guide for those situations


    Slide 22/46: What are add-ons? (1)

    • Software additions to the browser
    • Add new features and functionality
    • Extend, modify and control browser behavior
    • Modify how the user views web pages

    Slide 23/46: What are add-ons? (2)

    • Extensions
    • Themes
    • Toolbars
    • Sidebars


    Slide 28/46: Add-on technologies (1)

    Slide 29/46: Add-on technologies (2)

    • Cascading Style Sheets (CSS) is a stylesheet language used to describe the presentation of a document written in HTML or XML
    • JavaScript is a small, lightweight, object-oriented, cross-platform scripting language

    Slide 30/46: Add-on technologies (3)

    • XUL is an XML-based language that lets you build feature-rich cross-platform applications that can run connected or disconnected from the Internet
    • XPCOM is a cross-platform component object model, similar to Microsoft COM; it has multiple language bindings, letting XPCOM components be used and implemented in JavaScript, Java, and Python in addition to C++


    Slide 35/46: Things you should be aware of

    • Users trust add-ons
    • Users expect add-ons to be safe
    • Malicious add-ons have previously been approved
    • There are methods of abusing add-ons; see "Abusing Firefox Extensions" by Roberto Suggi Liverani and Nick Freeman at DEFCON 17

    Slide 36/46: Google hacking

    • Complex search engine queries to filter through large amounts of search results for information
    • Combination of advanced operators and specific search terms
    • Possibly locate private, sensitive information about others, such as credit card numbers, site vulnerabilities, usernames and passwords

    Slide 37/46: Google advanced operators

    • Query words that have special meaning to Google
    • These operators modify the search in some way, or tell Google to do a totally different type of search
    • Not all of Google's advanced operators are documented
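As an added illustration of the "advanced operators plus specific search terms" idea from the two slides above (example code, not part of the course slides and not Google's own query grammar), the following Python splits such a query into its operators, negations and free-text terms, and checks that any site: restriction stays inside a domain you are authorized to test. The operator list and the in_scope rule are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Assumed operator set for this example, limited to well-known operators.
KNOWN_OPERATORS = {"site", "filetype", "ext", "intitle", "inurl", "intext"}

# One token: optional '-' negation, optional operator prefix, then either a
# quoted phrase or a run of non-space characters.
TOKEN_RE = re.compile(r'(-?)(?:([A-Za-z]+):)?("[^"]*"|\S+)')


@dataclass
class ParsedQuery:
    operators: dict = field(default_factory=dict)           # op -> [values]
    negated_operators: dict = field(default_factory=dict)   # -op -> [values]
    terms: list = field(default_factory=list)               # plain search words
    negated_terms: list = field(default_factory=list)       # -word
    unknown_operators: list = field(default_factory=list)   # not in KNOWN_OPERATORS


def parse_query(query: str) -> ParsedQuery:
    """Split a query string into operators, negations and free-text terms."""
    parsed = ParsedQuery()
    for neg, op, raw in TOKEN_RE.findall(query):
        quoted = len(raw) >= 2 and raw.startswith('"') and raw.endswith('"')
        value = raw[1:-1] if quoted else raw
        if not op:
            (parsed.negated_terms if neg else parsed.terms).append(value)
            continue
        op = op.lower()
        if op not in KNOWN_OPERATORS:
            parsed.unknown_operators.append(op)
        bucket = parsed.negated_operators if neg else parsed.operators
        bucket.setdefault(op, []).append(value)
    return parsed


def in_scope(parsed: ParsedQuery, authorized_domains) -> bool:
    """Assumed scoping rule: the query must carry a site: restriction, and every
    site value must be an authorized domain or a subdomain of one."""
    sites = [v.lower() for v in parsed.operators.get("site", [])]
    if not sites:
        return False
    return all(
        any(s == d or s.endswith("." + d) for d in authorized_domains)
        for s in sites
    )
```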

    Slide 38/46: Google Hacking Database

    • The Google Hacking Database is a collection of saved searches using Google Advanced Operators that locate private information including usernames, passwords and other sensitive data
    • Johnny Long's GHDB is the most (in)famous, but not the only one

    Slide 39/46: Website-based tools (1)

    • Out-of-the-box functionality; (mostly) no installation required
    • Browser-independent
    • Provides some tool functionality that would not normally be present in a browser-only environment

    Slide 40/46: Website-based tools (2)

    • Provides some degree of anonymity from a target because information is being gathered via a third party (the website)
    • Primarily passive information gathering
    • Some potential vulnerabilities can be inferred by interpreting the data

    Slide 41/46: Categories

    • Information gathering
    • Network tools
    • Special purpose

    Slide 42/46: SHODAN

    • SHODAN is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean)
    • SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching

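To show what "indexing the banners rather than the web content" means in practice, here is an added example (not from the slides, and not SHODAN's own code) that takes constructed (ip, port, banner) records of the kind a banner-grabbing scan produces, builds an inverted index over the banner text, and answers keyword searches optionally narrowed to one port. The sample addresses come from the 192.0.2.0/24 documentation range and the banners are made up for the example.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample records (ip, port, banner) for the example.
SAMPLE_BANNERS = [
    ("192.0.2.10", 22, "SSH-2.0-OpenSSH_7.4"),
    ("192.0.2.10", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\n"),
    ("192.0.2.11", 21, "220 ProFTPD 1.3.5 Server ready."),
    ("192.0.2.12", 80, "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"),
    ("192.0.2.12", 443, "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"),
]

# Token = letters, digits, '_' and '.', so version strings like 2.4.6 stay whole
# and 'Apache/2.4.6' splits into the product and its version.
TOKEN_RE = re.compile(r"[A-Za-z0-9_.]+")


def tokenize(text: str) -> set:
    """Lower-cased banner tokens with trailing punctuation dots removed."""
    return {t.lower().strip(".") for t in TOKEN_RE.findall(text)} - {""}


class BannerIndex:
    """Inverted index over banner text, keyed by token and by port."""

    def __init__(self):
        self.records = []                 # record id -> (ip, port, banner)
        self.by_token = defaultdict(set)  # token -> {record ids}
        self.by_port = defaultdict(set)   # port  -> {record ids}

    def add(self, ip: str, port: int, banner: str) -> int:
        rid = len(self.records)
        self.records.append((ip, port, banner))
        for tok in tokenize(banner):
            self.by_token[tok].add(rid)
        self.by_port[port].add(rid)
        return rid

    def search(self, text: str, port: Optional[int] = None) -> list:
        """Records whose banner contains every query token (AND semantics),
        optionally restricted to one port; an empty query matches everything."""
        hits = set(range(len(self.records)))
        for tok in tokenize(text):
            hits &= self.by_token.get(tok, set())
        if port is not None:
            hits &= self.by_port.get(port, set())
        return sorted(self.records[i] for i in hits)


def build_index(records=SAMPLE_BANNERS) -> BannerIndex:
    """Index the sample records; the same search works on real scan output."""
    idx = BannerIndex()
    for ip, port, banner in records:
        idx.add(ip, port, banner)
    return idx
```

The same index answers an inventory question for a defender (which of my hosts still announce a given server version) as it does a search for an attacker, which is why banners are worth trimming or removing where the service allows it.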

    Slide 44/46: Penetration testing add-ons

    • Display capabilities
    • Information gathering (passive / active)
    • (Mostly) anonymous browsing
    • Vulnerability assessment (passive / active)

    Slide 45/46: Add-on management

    • Experimental add-ons
    • Version checks
    • Ignoring version checks
    • Override compatibility checking
    • Disabling compatibility checking
    • Manual compatibility forcing
    • Add-on utilities (CLEO/FEBE/OPIE)
    • Other useful add-ons (Xmarks)
    • Profiles

    Slide 46/46: Pen Testing the Web with Firefox: Intro

    Michael "theprez98" Schearer