Post on 30-May-2018
8/14/2019 Pen Testing the Web with Firefox: Introduction
1/46
Pen Testing the Webwith Firefox
Michael theprez98 Schearer
8/14/2019 Pen Testing the Web with Firefox: Introduction
2/46
Pen Testing the Webwith Firefox: Intro
Michael theprez98 Schearer
8/14/2019 Pen Testing the Web with Firefox: Introduction
3/46
8/14/2019 Pen Testing the Web with Firefox: Introduction
4/46
4
Who am I? (2)
Contributing author to Penetration Tester'sOpen Source Toolkit (Volume 2), Netcat
Power Tools and Kismet Hackingn
8/14/2019 Pen Testing the Web with Firefox: Introduction
5/46
5
Course Logistics (1)
n Please do not hesitate to interrupt if youhave a question
n We will take ten minute breaks every 50minutes or so
8/14/2019 Pen Testing the Web with Firefox: Introduction
6/46
6
Course Logistics (2)
n Conference wireless networkSSID: Konferanse
Passphrase: osloerenfinbyn If you havent already, consider upgrading
to the most recent version of Firefox (
http://www.getfirefox.com)n You may want to bookmark the add-on
site (https://addons.mozilla.org)
http://www.getfirefox.com/https://addons.mozilla.org/https://addons.mozilla.org/https://addons.mozilla.org/http://www.getfirefox.com/8/14/2019 Pen Testing the Web with Firefox: Introduction
7/46
7
Legal issues
n Do not install tools on systems on whichyou do not have permission to do so
n Do not access resources to which you donot have permissions
n Do not test web pages or applications of
which you do not have explicitpermission
8/14/2019 Pen Testing the Web with Firefox: Introduction
8/46
8
Whats this all about?
n
n Google for informationgathering
n
n Individual programs forseparate tasks
n
n Different interfaces fordifferent programs
n
n OS specific tools
n
Specialized websites fordetailed research
Firefox as a platform to launchseparate attacks
The browser interface to point,
click and pwn!
(Mostly) OS transparent
Then Now
8/14/2019 Pen Testing the Web with Firefox: Introduction
9/46
9
Bypen testing, I mean
n Black/gray/white box testing
n Ethical hacking
n Security auditing
n Vulnerability assessment
n Standards compliance
n Training
n All of the above
8/14/2019 Pen Testing the Web with Firefox: Introduction
10/46
10
By the web, I mean
n Anything accessible over the Internet
n Anything accessible over Intranets
n All of the above
8/14/2019 Pen Testing the Web with Firefox: Introduction
11/46
11
By Firefox, I mean
n The Firefox browser
n Installed on Windows, Linux, Mac OS
n 95% of the tools demonstrated today canbe used with Firefox on any OS
n In the very few instances when I use
something OS-specific, I will be sure topoint it out to you
8/14/2019 Pen Testing the Web with Firefox: Introduction
12/46
12
Pen Testing the Web with Firefox
n Overview (this brief)
n Google hacking
n Website-based toolsn SHODAN
n Firefox add-ons
n
Add-on management
8/14/2019 Pen Testing the Web with Firefox: Introduction
13/46
13
Why the browser? (1)
n Firewall restrictions
n Limited access accounts
n Internet caf
n Mobile phones
n Generally speaking, an environment
where your ability to install other tools oruse the CLI is severely restricted
8/14/2019 Pen Testing the Web with Firefox: Introduction
14/46
14
Why the browser (2)
n The browser isnt always the only way todo something
n Sometimes it isnt even the easiest wayn However you may encounter situations
when the browser is your only option
n This course is your guide for thosesituations
8/14/2019 Pen Testing the Web with Firefox: Introduction
15/46
15
8/14/2019 Pen Testing the Web with Firefox: Introduction
16/46
16
8/14/2019 Pen Testing the Web with Firefox: Introduction
17/46
17
8/14/2019 Pen Testing the Web with Firefox: Introduction
18/46
18
8/14/2019 Pen Testing the Web with Firefox: Introduction
19/46
19
8/14/2019 Pen Testing the Web with Firefox: Introduction
20/46
20
8/14/2019 Pen Testing the Web with Firefox: Introduction
21/46
21
8/14/2019 Pen Testing the Web with Firefox: Introduction
22/46
22
What are add-ons? (1)
n Software additions to the browser
n Add new features and functionality
n Extend, modify and control browserbehavior
n Modify how the user views web pages
8/14/2019 Pen Testing the Web with Firefox: Introduction
23/46
23
What are add-ons? (2)
n Extensions
n Themes
n Toolbarsn Sidebars
8/14/2019 Pen Testing the Web with Firefox: Introduction
24/46
24
8/14/2019 Pen Testing the Web with Firefox: Introduction
25/46
25
8/14/2019 Pen Testing the Web with Firefox: Introduction
26/46
26
8/14/2019 Pen Testing the Web with Firefox: Introduction
27/46
27
8/14/2019 Pen Testing the Web with Firefox: Introduction
28/46
28
Add-on technologies (1)
8/14/2019 Pen Testing the Web with Firefox: Introduction
29/46
29
Add-on technologies (2)
n Cascading Style Sheets (CSS) is astylesheet language used to describe
the presentation of a document writtenin HTML or XML
n JavaScript is a small, lightweight, object-
oriented, cross-platform scriptinglanguage
8/14/2019 Pen Testing the Web with Firefox: Introduction
30/46
30
Add-on technologies (3)
n XUL is a XML-based language that lets youbuild feature-rich cross platformapplications that can run connected or
disconnected from the Internetn XPCOM is a cross platform component
object model, similar to Microsoft COM; ithas multiple language bindings, letting the
XPCOM components be used andimplemented in JavaScript, Java, andPython in addition to C++
8/14/2019 Pen Testing the Web with Firefox: Introduction
31/46
31
8/14/2019 Pen Testing the Web with Firefox: Introduction
32/46
32
8/14/2019 Pen Testing the Web with Firefox: Introduction
33/46
33
8/14/2019 Pen Testing the Web with Firefox: Introduction
34/46
34
8/14/2019 Pen Testing the Web with Firefox: Introduction
35/46
35
Things you should be aware of
n Users trust add-ons
n Users expect add-ons to be safe
n Malicious add-ons have previously beenapproved
n There are methods to abusing add-ons;
see Abusing Firefox Extensions byRoberto Suggi Liverani and NickFreeman at DEFCON 17
8/14/2019 Pen Testing the Web with Firefox: Introduction
36/46
36
Google hacking
n Complex search engine queries to filter throughlarge amounts of search results for information
n
Combination of advanced operators and specificsearch terms
n Possibly locate private, sensitive informationabout others, such as credit card numbers, site
vulnerabilities, usernames and passwords
8/14/2019 Pen Testing the Web with Firefox: Introduction
37/46
37
Google advanced operators
n Query words that have special meaning toGoogle
n These operators modify the search insome way, or tell Google to do a totallydifferent type of search
n Not all of Googles advanced operatorsare documented
8/14/2019 Pen Testing the Web with Firefox: Introduction
38/46
Google Hacking Database
n The Google Hacking Database is acollection of saved searches using
Google Advanced Operators that locateprivate information includingusernames, passwords and othersensitive data
n Johnny Longs GHDB is the most(in)famous, but not the only one
8/14/2019 Pen Testing the Web with Firefox: Introduction
39/46
Website-based tools (1)
n Out-of-the-box functionality; (mostly) noinstallation required
n Browser-independentn Provides some tool functionality that
would not normally be present in a
browser-only environment
8/14/2019 Pen Testing the Web with Firefox: Introduction
40/46
Website-based tools (2)
n Provides some degree of anonymity froma target because information is being
gathered via a third party (the website)n Primarily passive information gathering
n Some potential vulnerabilities can be
inferred by interpreting the datan
8/14/2019 Pen Testing the Web with Firefox: Introduction
41/46
Categories
n Information gathering
n Network tools
n Special purpose
8/14/2019 Pen Testing the Web with Firefox: Introduction
42/46
SHODAN
n SHODAN is a computer search enginedesigned by web developer John
Materly (http://twitter.com/achillean)n SHODAN interrogates ports and grabs theresulting banners, then indexes thebanners (rather than the web content)
for searchingn
http://twitter.com/achilleanhttp://twitter.com/achillean8/14/2019 Pen Testing the Web with Firefox: Introduction
43/46
8/14/2019 Pen Testing the Web with Firefox: Introduction
44/46
Penetration testing add-ons
n Display capabilities
n Information gathering
PassiveActive
n (Mostly) anonymous browsing
n Vulnerability assessmentPassive
Active
8/14/2019 Pen Testing the Web with Firefox: Introduction
45/46
Add-on management
n Experimental add-onsn Version checksn Ignoring version checksn Override compatibility checkingn Disabling compatibility checkingn Manual compatibility forcingn Add-on utilities (CLEO/FEBE/OPIE)n Other useful add-ons (Xmarks)n Profiles
8/14/2019 Pen Testing the Web with Firefox: Introduction
46/46
Pen Testing the Webwith Firefox: Intro
Michael theprez98 Schearer