
Pen Testing the Web

With Firefox

Michael Schearer

Who am I?

What’s this really all about?

Who am I?

 Senior Consultant for Booz Allen Hamilton in central Maryland
 Recently separated from 8+ years of active duty in the U.S. Navy as an EA-6B Electronic Countermeasures Officer
 Spent 9 months on the ground in Iraq as a counter-IED specialist
 Contributor to several Syngress books, including Penetration Tester’s Open Source Toolkit (Volume 2), Netcat Power Tools, and Kismet Hacking
 Amateur radio operator and active member of the NetStumbler, DEFCON, and Remote Exploit forums, a football coach, and father of three (soon to be four!)
What’s this all about?

 Then: Google for information gathering. Now: Specialized websites for detailed research.
 Then: Individual programs for separate tasks. Now: Firefox as a platform to launch separate attacks.
 Then: Different interfaces for different programs. Now: The browser interface to point, click and pwn!
 Then: OS specific tools. Now: (Mostly) OS transparent.
Agenda

 Penetration Testing Methodologies
 Pen Testing the Web with Firefox
  Stand-Alone
  Website-based tools
  Other Firefox plugins/extensions
  Firefox as a Front end
  Recommended Setup
 Places/things to hack safely
Penetration Testing Methodologies

 Focus is on freely available methodologies
 Open Source Security Testing Methodology Manual (OSSTMM)
  http://www.isecom.org/osstmm/
 Open Web Application Security Project (OWASP)
  http://www.owasp.org/index.php/Main_Page
 NIST Special Publication 800-42 and NIST Special Publication 800-115 (draft)
  http://csrc.nist.gov/publications/PubsSPs.html
 Penetration Testing Framework
  http://www.vulnerabilityassessment.co.uk/Penetration
Penetration Testing Methodologies (cont’d)

 Most Penetration Testing Engagements follow a standard process:
  Planning and Reconnaissance
  Scanning and Enumeration
  Gaining Access or Penetration
  Maintaining Access and Exploitation
  Covering Your Tracks
Pen Testing the Web with Firefox

 Stand-Alone
 Website-based tools
 Google Hacks
 Firefox plug-ins/extensions
 Firefox as a Front end
 Recommended Setup
Using Firefox Stand-Alone

 Out of the box
 Primarily passive reconnaissance
  Whois – http://whois.net, http://www.samspade.org
  DNSStuff – http://www.dnsstuff.com
  NetCraft (toolbar or browser-based)
  EDGAR filings
  Google
   Names, locations, email addresses, etc.
   Mailing lists, newsgroups
Using Firefox: Website-Based Tools

 Website-based tools
  Online Nmap scans
  Leak checkers
  Hosted hash crackers

No, that’s not my IP… Tor ;-)

On-line Hash Crackers

 http://gdataonline.com/seekhash.php
 http://www.passcracking.com
 http://hash.insidepro.com/
 http://www.md5this.com/
 http://gdataonline.com
 http://us.md5.crysm.net
 http://md5.rednoize.com
 http://www.milw0rm.com/md5
 http://shm.hard-core.pl/md5
Using Firefox – Plugins and Extensions

 FireCat
  60+ extensions and growing
  Strengths
  Weaknesses
 A few examples
  Exploit-Me
  Tamper Data
  Passive Recon
FireCat 1.4 categories: Proxying / Web Utilities, Information Gathering, Security Auditing, Editors, Network Utilities
Exploit-Me

 Suite of lightweight security testing tools
 Introduced at SecTor ’07 by Nishchal Bhalla and Rohit Sethi of Security Compass
 XSS-Me to test for Cross-Site Scripting vulnerabilities (www.xssed.com)
 SQL Inject-Me to test for SQL injection vulnerabilities
 Access-Me tests access vulnerabilities
 Future: Web Service-Me, Overflow-Me, Enumerate-Me, BruteForce-Me
Tamper Data

 Acts like a proxy server
 Allows you to view and modify HTTP/HTTPS headers and POST parameters
 Trace and time HTTP requests/responses
 Popular for hacking e-commerce sites that don’t do server-side validation (i.e., of price)
 Changing high scores on flash-based games
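Added example, not from the slides: the server-side validation the Tamper Data slide says e-commerce sites skip, shown as a checkout handler that trusts the submitted price beside one that looks the price up itself and logs the mismatch as a detection signal. The catalog, SKUs and form fields are constructed for illustration.

```python
from decimal import Decimal

# Constructed server-side price list: the only place a price may come from.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("199.00")}
MAX_QTY = 10


def vulnerable_total(form):
    """Trusts the 'price' field the browser sent (the pattern Tamper Data abuses)."""
    return Decimal(form["price"]) * int(form["qty"])


def hardened_total(form):
    """Ignores any client-supplied price: looks it up server-side and bounds qty."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def is_rejected(form):
    """True when the hardened handler refuses the submission."""
    try:
        hardened_total(form)
        return False
    except ValueError:
        return True


def tamper_alert(form):
    """Detection hook: a log line when the submitted price disagrees with the catalog.
    A hidden price field only changes if something between browser and server edited it."""
    sku, sent = form.get("sku"), form.get("price")
    if sku in CATALOG and sent is not None and Decimal(sent) != CATALOG[sku]:
        return f"PRICE_TAMPER sku={sku} sent={sent} expected={CATALOG[sku]}"
    return None


if __name__ == "__main__":
    # Constructed POST body after the hidden price field was edited in transit.
    tampered = {"sku": "SKU-100", "qty": "1", "price": "0.01"}
    print("vulnerable charges:", vulnerable_total(tampered))  # 0.01
    print("hardened charges:  ", hardened_total(tampered))    # 49.99
    print(tamper_alert(tampered))
```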
Passive Recon

 Tool for executing 20+ pre-configured searches
  DNS records, Whois, MX records, Netcraft reports
  What’s That Site Running?
  Uptime reports
  Google

Passive Recon – Menu

Passive Recon – DNS Info

Passive Recon – Domain Tools

Passive Recon – MX Records

Passive Recon – What’s This Site Running

Passive Recon – Link:
Other noteworthy add-ons

 Add N Edit Cookies
  Self explanatory!
 Firebug
  Edit, debug, and monitor CSS, HTML, and JavaScript live in any web page
 HackBar
  Myriad of security/auditing/pen testing features
  Obfuscate SQL injection attacks
 Web Developer
  What doesn’t it do? ;-)

Using Firefox – As a Front End

 Proxies
  Tor
  Paros Proxy
  SPIKE Proxy
  Burp Proxy/Suite
 Web Frontends
  Metasploit
  Fast-Track
  Inprotect (web interface for Nessus and Nmap)
  BASE (Snort)
 Others?
Recommended Setup

 Profiles
  Concerns:
   Too many extensions!
   Duplicate tasks
   Memory use/time to load
  Fixes:
   Profile Manager Mode
    “everyday”
    “pen testing”
   Install/load only those you use regularly

Recommended Setup

 Add-ons
  Concerns:
   Add-on portability
   Installing multiple add-ons manually
  Fixes:
   FEBE (Firefox Environment Backup Extension)
   CLEO (Compact Library Extension Organizer)
   OPIE (Ordered Preference Import/Export)
Recommended Setup

 Incompatible Add-ons
  Concerns:
   Loss of functionality
   Slow update to FF3 compatibility
  Fixes:
   Different add-on, same functionality
   Manually edit add-on:
    Sign in
    Ignore version check
    Download .XPI
    Edit “maxVersion” in install.rdf
    Update archive and install

Incompatible Add-ons

Places/Things to hack “safely”

 OWASP’s WebGoat
  http://www.owasp.org/index.php/OWASP_WebGoat_Project
 Foundstone “Hacme” series
  http://www.foundstone.com/us/resources-free-tools.asp
 De-Ice pen-testing live CDs
  http://de-ice.net/index.php
 PwnOS (VMWare image)
 Your own VMWare lab
 “Safe” hacking websites
Conclusion

 Penetration Methodologies
 Using Firefox
  Stand-alone
  Website-based tools
  Google Hacks
  Firefox plugins/extensions
  Firefox as a Front end
  Recommended Setup
 Places/things to hack safely
 The Future

Questions?
Credits

 John Fulmer
 Church of WiFi
 Thomas Wilhelm “Grendel”
 Laurent Chouraki, Benjamin Picuira and Nabil Ouchn (Security-database.com)
 Nishchal Bhalla and Rohit Sethi (Security Compass)
 Chuck Baker
 Justin Morehouse