Black Hat Webcast: Pen Testing The Web With Firefox


Pen Testing the Web with Firefox

Michael “theprez98” Schearer
twitter.com/theprez98
theprez98@verizon.net
Who am I?
• Associate and network analyst for Booz Allen Hamilton in central Maryland
• Separated from 8+ years of active duty in the U.S. Navy as an EA-6B Electronic Countermeasures Officer (Penetration Tester of Enemy Air Defenses)
• Spent 9 months on the ground in Iraq as a counter-IED specialist
• Contributing author to Penetration Tester's Open Source Toolkit (Volume 2), Netcat Power Tools and Kismet Hacking
• Amateur radio operator and active member of the NetStumbler, DEFCON, and BackTrack-Linux forums, a part-time football coach, and father of four

What’s this all about?
Then…                                        Now…
Google for information gathering             Specialized websites for detailed research
Individual programs for separate tasks       Firefox as a platform to launch separate attacks
Different interfaces for different programs  The browser interface to point, click and pwn!
OS-specific tools                            (Mostly) OS transparent

By pen testing, I mean…
• Black/gray/white box testing
• Ethical hacking
• Security auditing
• Vulnerability assessment
• Standards compliance
• Training
• All of the above

By the web, I mean…
• Anything accessible over the Internet
• Anything accessible over Intranets
• Anything traversing the tubes
• All of the above

By Firefox, I mean…
• The Firefox browser
• Installed on Windows, Linux, Mac OS
• 95% of the tools demonstrated today can be used with Firefox on any OS
• In the very few instances when I use something OS-specific, I will be sure to point it out to you
• (Much of this is also browser-transparent)

Why the browser? (1)
• Firewall restrictions
• Limited access accounts
• Internet café
• Mobile phones
• Generally speaking, an environment where your ability to install other tools or use the CLI is severely restricted

Why the browser? (2)
• The browser isn’t always the only way to do something
• Sometimes it isn’t even the easiest way
• However, you may encounter situations when the browser is your only option
• This presentation is your guide for those situations

Pen Testing the Web with Firefox
• (Mostly)* anonymous browsing
• Passive information gathering
• Display capabilities
• Passive vulnerability assessment
• Active vulnerability assessment
• A few more…

(Mostly)* anonymous browsing
• Third party website tools
• Public internet terminals
• Web-based HTTP proxies
• Proxy add-ons
• Google cache
Third party website tools
• Allows you to view content through a third party so as to not alert the target
• Content may be dated
• Allows gathering of:
  • Metadata (e.g., centralops.net)
  • Context (Google cache, Wayback Machine)
Public internet terminals
• Provides a degree of anonymity due to third party location, multiple users, and lack of authentication mechanisms
• Some (e.g., libraries) are free, but many cost (airports, hotels, etc.)
• Ability to install or add functionality may be limited
Web-based HTTP proxies
• Hides IP address from target by using a third party (proxy)
• Works best if the third party is trusted not to reveal the attacker’s information
• Some proxies may be blocked depending upon your source location
Proxy add-ons
• Browser-based proxy configuration
• Permits tunneling through open proxies
• Provides plausible deniability during penetration tests by obscuring the source of your traffic
Torbutton
• Simple on-off button that switches your proxy settings between the default (off) and Tor’s settings (on)
• Requires Tor to be installed
• Does not work with other proxy configurations
FoxyProxy
• Supports multiple proxy configurations
• Supports Tor (when installed); otherwise no additional software required
• Initial setup can be a little confusing
Google cache (cache:)
• Display Google’s cached version of a web page instead of the current version of the page
• Google will highlight terms in your query that appear after the cache: search operator
Greasemonkey
• Allows you to customize the way a webpage displays using small bits of JavaScript
• Thousands of installable scripts are located at userscripts.org
• Google Cache Continue Redux inserts cache links on Google cache pages
*Caveats
• Some proxy servers (e.g., Squid) add the X-Forwarded-For header, which can reveal the originating IP address
• Owners of proxy servers may be subject to court orders to reveal log information
Passive information gathering
• PassiveRecon
• Passive Cache

PassiveRecon
• Provides information security professionals with the ability to perform "packetless" discovery of target resources utilizing publicly available information
• Executes 20+ pre-configured searches regarding IP, DNS, mail server information, and Google searches
Passive Cache
• Uses Google's text-only cache service and Archive.org Wayback Machine to display historical versions of a specified web link
• Allows for the viewing of a page, or site, while avoiding active connections to a target site
Display capabilities
• Changing the way the page is viewed depending upon how the browser renders the code, or based upon the user-agent string
• May seem trivial, but consider the following example…

IE Tab
• Embeds Internet Explorer inside Firefox tabs
• Allows viewing of pages in a different browser without having to start/restart IE
• “Switch rendering engine” option allows quick comparison of page views
• Safari View, Opera View, Chrome View…
Passive vulnerability analysis
• Netcraft
• WiGLE
• FOCA
• SHODAN

Netcraft (1)
• Internet services company based in Bath, England
• Provides internet security services, including anti-fraud and anti-phishing services, application testing, code reviews, and automated penetration testing
• Provides research data and analysis on many aspects of the Internet
Netcraft (2)
• Information can be gathered manually from the website or automatically by installing the Netcraft Toolbar (IE and FF)
• Toolbar provides links to Netcraft services, site risk rating, site reports and hosting providers
• Interpretation of some data may reveal potential site vulnerabilities
WiGLE
• Wireless Geographic Logging Engine
• Maps of wireless networks as contributed by its users
• 19+ million networks worldwide
Fingerprinting Organizations with Collected Archives (FOCA)
• Developed by Chema Alonso and José Palazón and presented at DEFCON 17
• Search and automatically download documents
• Extract metadata and other hidden information and lost data
FOCA (2)
• Analyze the information to aid in fingerprinting a network
• Other than downloading the file, the process is completely passive
• FOCA is available via download; or
• Documents can be submitted via a web interface
What is SHODAN? (1)
• SHODAN (http://shodan.surtri.com/) is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean)
• While SHODAN is a search engine, it is much different than content search engines like Google, Yahoo or Bing
What is SHODAN? (2)
• Typical search engines crawl for data on web pages and then index it for searching
• SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching
• Optimizing search results requires some basic knowledge of banners
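Banner indexing works on the same header data a service hands to anyone who connects, so the defensive counterpart is checking what your own service advertises. As an added example (not from the slides or from SHODAN), this check lists the product and version strings an HTTP response head discloses; the response head is constructed for illustration:

```python
import io
import re
from http.client import parse_headers
from typing import Dict, List

# Constructed response head from an unhardened web server (not a real host).
SAMPLE_BANNER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 10 Nov 2009 12:00:00 GMT\r\n"
    "Server: Apache/2.2.3 (CentOS) PHP/5.1.6 mod_ssl/2.2.3\r\n"
    "X-Powered-By: PHP/5.1.6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Headers that commonly carry product and version strings.
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "Via")
# A product/version token such as Apache/2.2.3 or mod_ssl/2.2.3.
VERSION_RE = re.compile(r"([A-Za-z_][\w.-]*)/(\d+(?:\.\d+)*)")

def response_headers(raw: str):
    """Parse the header block of a raw response (the status line is skipped)."""
    start = raw.index("\r\n") + 2
    return parse_headers(io.BytesIO(raw[start:].encode("latin-1")))

def banner_disclosures(raw: str) -> Dict[str, List[str]]:
    """Map each disclosing header to the product/version tokens it exposes.
    A header without a version token (e.g. 'Server: Apache') is not reported."""
    headers = response_headers(raw)
    found = {}
    for name in DISCLOSING_HEADERS:
        tokens = [f"{p}/{v}" for p, v in VERSION_RE.findall(headers.get(name, ""))]
        if tokens:
            found[name] = tokens
    return found

def banner_findings(raw: str) -> List[str]:
    """Plain-language findings for a hardening review of the service."""
    return [f"{h} discloses {', '.join(t)}" for h, t in banner_disclosures(raw).items()]
```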
SHODAN Search Provider Firefox Add-on

SHODAN Helper Firefox Add-on

[Screenshot callouts] Surely these HTML links will require some additional authentication… Nope. No authentication required for Level 15! No authentication required for configure commands. No authentication required for Level 15 exec commands.
Active vulnerability analysis
• Exploit-Me
• HackBar
• Key-logger
• Tamper Data
• Groundspeed

Exploit-Me
• Suite of lightweight security testing tools
• Introduced at SecTor ’07 by Nishchal Bhalla and Rohit Sethi of Security Compass
• XSS-Me to test for Cross-Site Scripting vulnerabilities (www.xssed.com)
• SQL Inject-Me to test for SQL injection vulnerabilities
• Access-Me tests access vulnerabilities
• Future: Web Service-Me, Overflow-Me, Enumerate-Me, BruteForce-Me

HackBar
• Web developer tool designed to help with security audits on code
• Assists in testing SQL injections, XSS holes and general site security
• Test security with obfuscation and de-obfuscation
Key-logger
• Advertised as “never lose a message board post or email again”
• If you have physical access to the target machine…
• Records all keystrokes typed in web pages
• Icon can be hidden from status bar
Tamper Data
• Acts like a proxy server
• Allows you to view and modify HTTP/HTTPS headers and POST parameters
• Trace and time HTTP requests/responses
• Popular for hacking e-commerce sites that don’t do server-side validation (e.g., of price)
• Changing high scores on flash-based games
Groundspeed
• Allows users to manipulate the application user interface
• Eliminate limitations and client-side controls
• Useful for penetration testing of web applications
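Both Tamper Data (editing POST parameters such as a price) and Groundspeed (removing client-side controls such as a quantity limit) demonstrate the same weakness: a server that trusts what the form sent. As an added example (not from the slides or from either add-on), here is a checkout handler with that weakness beside a hardened one that re-derives the price and re-validates the quantity server-side; the catalog and the submitted form are constructed:

```python
from decimal import Decimal, InvalidOperation
from typing import Dict

# Constructed catalog: the server's authoritative prices (not real products).
CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("9.50")}
MAX_QTY = 10  # the limit the HTML form also enforces client-side

class RejectedOrder(ValueError):
    """Raised by the hardened handler when a field fails server-side checks."""

def checkout_vulnerable(form: Dict[str, str]) -> Decimal:
    """Weak handler: charges whatever price and qty the client sent.
    Editing the hidden price field in transit changes the amount charged."""
    return Decimal(form["price"]) * int(form["qty"])

def price_was_tampered(form: Dict[str, str], sku: str) -> bool:
    """True when a client-sent price is malformed or differs from the catalog."""
    if "price" not in form:
        return False
    try:
        return Decimal(form["price"]) != CATALOG[sku]
    except InvalidOperation:
        return True

def checkout_hardened(form: Dict[str, str]) -> Decimal:
    """Hardened handler: price comes from the catalog, qty is re-validated,
    and a client-sent price that disagrees is treated as a tamper signal."""
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise RejectedOrder(f"unknown sku {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise RejectedOrder("qty is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise RejectedOrder(f"qty {qty} outside 1..{MAX_QTY}")
    if price_was_tampered(form, sku):
        # Worth alerting on: the form never needed to send a price at all.
        print(f"tamper signal: client price {form['price']!r} for {sku}")
    return CATALOG[sku] * qty

def safe_checkout(form: Dict[str, str]) -> str:
    """Wrapper returning the charged total, or the rejection reason."""
    try:
        return str(checkout_hardened(form))
    except RejectedOrder as exc:
        return f"rejected: {exc}"

# Constructed submission: hidden price altered, qty limit bypassed in the browser.
TAMPERED_FORM = {"sku": "sku-100", "price": "0.01", "qty": "500"}
```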

A few more…
• Browser-based shells
• nmap-cgi (web-based front end for Nmap)
• Web-based front ends (generally)
• Internet Kiosk Attack Tool (iKAT)
• …

Credits: Websites
• archive.org
• anonymouse.org
• centralops.net
• ikat.ha.cked.net (Paul Craig)
• informatica64.com/foca/
• netcraft.com
• nmap-cgi.tuxfamily.org
• shodanhq.com
• wigle.net

Credits: Add-ons
• Exploit-Me (Security Compass)
• FoxyProxy (Eric H. Jung)
• Google Cache Continue Redux (Jeffery To)
• Greasemonkey (Anthony Lieuallen, Aaron Boodman, Johan Sundström)
• Groundspeed (Felipe Moreno-Strauch)
• Fiddler (E. Lawrence)
• HackBar (Johan Adriaans)
• IE Tab (PCMan (Hong Jen Yee), yuoo2k)
• Key-logger (arrumi)
• Passive Cache (Brian Baskin)
• PassiveRecon (Justin Morehouse)
• SHODAN Helper (Gianni Amato)
• SHODAN Search Provider (sagar38)
• Tamper Data (Adam Judson)
• Torbutton (Mike Perry)

Your feedback
• These slides are available on www.scribd.com/theprez98
• This presentation is a small portion of a larger training class on browser-based penetration testing
• If you found this interesting, and think it would be a worthwhile training class at a future Black Hat event (or other venue), please provide feedback to both Black Hat and myself