Turn your Fx browser into a handy pen-testing tool...

Hi malware fighters,

With some very interesting add-ons the Firefox browser can be turned into a pen-tester tool. See an instruction video here:
http://www.scribd.com/doc/28590479/Black-Hat-Webcast-Pen-Testing-the-Web-with-Firefox

Multi-proxy-switch: https://addons.mozilla.org/en-US/firefox/addon/7330/
or: https://addons.mozilla.org/en-US/firefox/addon/2464/ to quickly change between Burp and Tor
PacketlessRecon: https://addons.mozilla.org/en-US/firefox/addon/6196/ gain packetless info on the target
Show IP: https://addons.mozilla.org/en-US/firefox/addon/590/ shows the server IP and additional IP addresses in case of load balancing
Live HTTP Headers: https://addons.mozilla.org/en-US/firefox/addon/3829/ view the HTTP headers of a page
Wappalyzer: https://addons.mozilla.org/en-US/firefox/addon/10229/
Backend software information: https://addons.mozilla.org/en-US/firefox/addon/10493/ to identify platform frameworks and major apps
Hackbar: https://addons.mozilla.org/en-US/firefox/addon/3899/ to enter POST requests
Add and Edit Cookies: https://addons.mozilla.org/en-US/firefox/addon/13793/ to inspect cookies for testing
Firebug: https://addons.mozilla.org/en-US/firefox/addon/1843/
& Widerbug: http://www.command-tab.com/2008/01/19/widerbug-widescreen-firebug/ with all sorts of tools and options
Lazarus: https://addons.mozilla.org/en-US/firefox/addon/6984/ will memorize info on web forms
FxIF: https://addons.mozilla.org/en-US/firefox/addon/5673/ for analyzing META information
Fireforce: https://addons.mozilla.org/en-US/firefox/addon/64765/ brute force attacker via GET and POST
Another good tool is FireCAT: https://addons.mozilla.org/en-US/firefox/collection/firecat1_5_plus
Injection-testing add-ons I have presented elsewhere here in the forums, together with examples and the use of Firekeeper.

Another specific add-on for the malware fighter is Malware Search https://addons.mozilla.org/en-US/firefox/addon/6718/

For malware analysis there is a specific VM browser, Malzilla (only for experts), or a visit to jsunpack (also for experts, and NoScript should be installed at all times).
For general script/third-party request protection in Fx and the Flock browser use the combination of the NoScript add-on: https://addons.mozilla.org/en-US/firefox/addon/722/
and the RequestPolicy add-on: https://addons.mozilla.org/en-US/firefox/addon/9727/
The latter just to be in control of cross-site requests.

Mind you, you are only allowed to pen test what belongs to you and/or what you were given explicit authorization to pen test. Now you have turned the Firefox browser into a handy pen testing tool.

polonus

Thanks polonus for this nice topic, but I hate Firefox; it looks like an old tank that can take any weapon and be modified again and again. I think it is so bloated with its "ADD-ONs", unlike Opera or Google Chrome, which I use.
By the way, Komodo Edit also looks like Mozilla Firefox and Mozilla Thunderbird.

Hi superhacker,

If you know of a similar way to turn another browser into just such a hacking tool with the same functionality, I'd like to hear from you, so time to live up to your nick. But I like the term super pen tester ;D better. Do not forget that Google also has all sorts of services and applications that could turn your search engine into a pen testing tool of sorts, and not a lot of folks use the Google application to its full functionality.
I for one like to go to specific online resources, and there is also a wealth of information waiting for the intelligent seeker:
iFrame scanning, site information etc. etc. Your imagination is the only limit there.
Also look here:
http://a4apphack.com/index.php/featured/secfox-turn-firefox-into-an-ultimate-hacking-tool-part-1 (1-7 series)

polonus

Okay, just for you I will install it and work on it. "Sorry Chrome, even you don't have that ad-weapON."
I like LoveSter more than superhacker, since my name in Arabic means the very, very passionate and loving one: "a rare name; those who have it could be enumerated on fingers. What can I do, my father is creative 8) 8)"
I think my big imagination is to see a more weapon-able browser than Firefox ;D

Just one word about Lazarus: it's a fantastic add-on, as long as you're a hundred percent sure you are the only person physically accessing your system. Otherwise it's a nice keylogger :wink:

What the heck are you talking about???

Thanks polonus and Logos, I start to love FF, but now I am posting from Chrome and customizing my Firefox (changing its look and installing some add-ons).

An add-on for pen testing or malcode analyzing could be considered a weapon if it reaches a bad guy, and I mean Firefox is like the GLA tanks in C&C: Generals; it takes anything and uses it, nothing would be useless to Firefox.

Hi superhacker,

The 1-7 series also tells the ins and outs of how to check the Fx browser, but I won't use Fx, I always liked Flock better; with Nightly Tester Tools you can enforce every add-on also for Flock. Flock as a Mozilla browser is now version 2.6.1.
I also love the use of the Ghostery add-on to block tracking. This could help you if you have a lot of tabs open, Faviconize Tab: https://addons.mozilla.org/en-US/firefox/addon/3780 and if you quickly want to control the browser with mouse gestures, this is the add-on for ye: https://addons.mozilla.org/en-US/firefox/addon/6366
Pen testers fondly use a web proxy a lot to manipulate the HTTP requests created by the browser before they are sent to the web server. This helps us to verify the absence of any server-side validations or flaws in the client-side validations. But feel lucky if you are using Firefox while performing web app security assessments, 'cause we have a cool extension 'GroundSpeed' which does exactly that: https://addons.mozilla.org/en-US/firefox/addon/46698
Also an interesting site to look at: http://a4apphack.com/index.php/featured/secfox-http-header-analysis-domain-details-part-2
Domain details: http://img.a4apphack.com/site/a4apphack-download.png Displays Server Name and Version & Displays IP Address & Webpage fingerprint, combined in one add-on, SecFox Addon; you could do the same with the webbug tool combined with Intellitamper, but why not have it all inside the browser.
Another interesting add-on is AccessMe: https://addons.mozilla.org/en-US/firefox/addon/7595/ to test for access vulnerabilities.

pol

P.S. Why not have two browsers on the desktop your specific version of Flock and GoogleChrome?

Damian

Okay, now I work on Chrome (installed on all systems as default browser), and Firefox on a test machine; I will give Flock a try.
Off-topic: when I was 16 years old our teacher in the school talked about browser development (we just knew about IE6 at that time). Weeks ago I had an idea to build my own browser from scratch using Python, but it was soooooooooo hard I could not finish the project and ended up with a GUI: if you type google.com in its text box it will hang, so you should enter http://www.google.com, then you see a web link (an unclickable one) to gmail, photos, ... there is no picture, just a fool GUI with one button and one text box and bad colors, and if it could open a page it would parse just the HTML, no more no less. I think it is nice to know how every browser started, to see if their GUI and function were worse than mine, "I wish" :wink:
It is the worst project I have ever started.

Hi malware fighters,

Another handy add-on is Cookie Watcher: https://addons.mozilla.org/en-US/firefox/downloads/latest/1201/addon-1201-latest.xpi?src=oftenusedwith
and the second one is FireEncrypter, from within the browser: https://addons.mozilla.org/en-US/firefox/addon/3208
turns text into:

  • AES (Rijndael 128Bit)
  • Affine
  • Caesar
  • XOR
  • OTP (One Time Pad)
  • Vigenere
  • Rail Fence
  • Morse Encoder
  • MD2 Hashing
  • MD5 Hashing
  • SHA1 Hashing
  • SHA256 Hashing
  • SHA384 Hashing
  • SHA512 Hashing
  • Secure password generator.

A third one is HTTPFox: https://addons.mozilla.org/en-US/firefox/addon/6647/ (run in separate window)

polonus

Hi malware fighters,

I have this functionality in the browser as Domain Details add-on, but you can also look up this info online (logged): http://www.seoconsultants.com/tools/headers

A further great source for info is always Robtex and the Netcraft toolbar, and launching the webbug tool.
Soon I will give a review here of the use of the HttpFox extension combined with the Fiddler plug-in.

So first the header info; here are the single-URI results for forum.avast.com/index.php?board=1.0

#1 Server Response: https://forum.avast.com/index.php?board=1.0
HTTP Status Code: HTTP/1.1 200 OK
Date: Thu, 26 Aug 2010 00:09:54 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: PHPSESSID=Xxxxxxxxxxxxxxxxxxxx; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private
Pragma: no-cache
Last-Modified: Thu, 26 Aug 2010 xx:xx:54 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1

Header Fields (others are ignored)

  1. Method
  2. HTTP-Version
  3. URI
  4. Date
  5. Connection
  6. Authorization
  7. If-Modified-Since
  8. Content-Length
  9. Content-Type

HTTP Status Code - 200 OK

The request has succeeded. The information returned with the response is dependent on the method used in the request.
Now also congrats to the forum site: http://www.htmlhelp.com/cgi-bin/validate.cgi?url=http%3A%2F%2Fforum.avast.com%2Findex.php%3Fboard%3D1.0 Validation says: Congratulations, no errors!

polonus
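The header dump above is exactly the kind of output Live HTTP Headers or HttpFox gives you; here is an added example (not from any add-on in this thread) that parses such a block and flags what a reviewer would note: version disclosure in Server/X-Powered-By banners and session cookies set without HttpOnly or Secure. SAMPLE is the forum.avast.com response quoted above, with the cookie value masked as on the page.

```python
"""Parse a raw HTTP response header block (as shown by Live HTTP Headers or
HttpFox) and report the security-relevant observations. Added example for this
thread; SAMPLE is the response quoted in the post above."""

SAMPLE = """HTTP/1.1 200 OK
Date: Thu, 26 Aug 2010 00:09:54 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: PHPSESSID=Xxxxxxxxxxxxxxxxxxxx; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
"""


def parse_response_headers(raw):
    """Split a response into (status_line, [(name_lower, value), ...]).
    Repeated headers (e.g. several Set-Cookie) stay as separate entries."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def review_headers(raw):
    """Return findings: version strings in banners and session cookies that
    lack the HttpOnly / Secure attributes."""
    _status, headers = parse_response_headers(raw)
    findings = []
    for name, value in headers:
        # A bare product name (Server: Apache) is tolerable; a version is not.
        if name in ("server", "x-powered-by") and any(c.isdigit() for c in value):
            findings.append(f"version disclosure in {name}: {value}")
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            for flag in ("httponly", "secure"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} lacks {flag}")
    return findings
```

Running review_headers(SAMPLE) flags the PHP/4.3.9 banner and the PHPSESSID cookie twice (no HttpOnly, no Secure), while the bare "Server: Apache" passes.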

Hi malware fighters,

I run httpFox add-on in a separate window,

Click Start and you see, next to each other: Start Stop Clear Autoscroll
Time Sent Received Method Result Type URL in the top window,
and then Headers Cookies Query String POST Data Content; click to view.
In Content you can see JavaScript, for example, etc.

I use it together with the bookmarklet for Google Anon to get session id info, also for non-Google sites.
It is in my Favorites.

For connections on the wire I monitor with a tool, see attached picture.

polonus

Hi malware fighters,

Additionally, next to Fiddler, this can be used to monitor all HTTP: http://www.charlesproxy.com/
HttpFox works like a friendly HTTP sniffer; on concurrent iFrame requests or when a load is aborted you see NS_BINDING_ABORTED, for instance; redirects, for example, will cancel the pre-redirect channel with NS_BINDING_ABORTED.

There are other cases it could come up in as well, watch for queepie code…

#define NS_BINDING_ABORTED \
    NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_NETWORK, 2)

/**
 * The async request has been "redirected" to a different async request.
 * (e.g., an HTTP redirect occurred).
 *
 * This error code is used with load groups to notify the load group observer
 * when a request in the load group is redirected to another request.
 */
#define NS_BINDING_REDIRECTED \
    NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_NETWORK, 3)

Table of possible errors in Mozilla browser https://developer.mozilla.org/en/Table_Of_Errors

polonus

Hi malware fighters,

Here we test for HTTP splitting:

 advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a0d%0a<html>Sorry,%20System%20Down</html>

and Firekeeper alerts this:

=== Triggered rule ===
alert(url_content:"%3Chtml"; nocase; msg:" tags GET request cross site scripting attempt"; url_re:"/%3Chtml*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://ajax.googleapis.com/ajax/services/search/web?v=1.0&key=ABQIAAAADQJp_C6OaW6hvHOMrOnyTRSJ36dQUZSEtUNltVpyNDSTnR8ihRSMP6upCTiKY-Eecqqq5JsdgenlYg&q=advanced%250d%250aContent-Length%3A%25200%250d%250a%250d%250aHTTP%2F1.1%2520200%2520OK%250d%250aContent-+Type%3A%2520text%2Fhtml%250d%250aContent-Length%3A%252035%250d%250a%250d%250a<html>Sorry%2C%2520System%2520Down<%2Fhtml>
Re: http://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OWASP-DV-016)

HTTP exploits involve using the web server application to perform malicious activities. These attacks are very common and are growing in popularity because firewalls typically block most traffic from the Internet to keep it away from corporate servers. However, HTTP traffic, used for web browsing, is almost always allowed to pass through firewalls, on port 80, unhindered. Thus, attackers have a direct line to the web server. If they can coerce the web server into performing malicious activities, they can access resources that would otherwise be unavailable. Metasploit tries HTTP for various exploits:

HTTP Backup File Scanner
This module identifies the existence of possible copies of a specific file in a given path.

HTTP Blind SQL Injection GET QUERY Scanner
This module identifies the existence of Blind SQL injection issues in GET Query parameters values.

HTTP Directory Brute Force Scanner
This module identifies the existence of interesting directories by brute forcing the name in a given directory path.

HTTP SSL Certificate Checker
This module will check the certificate of the specified web servers to ensure the subject and issuer match the supplied pattern and that the certificate is not expired. Note: Be sure to check your expression if using msfcli, shells tend to not like certain things and will strip/interpret them (= is a perfect example). It is better to use in console.

HTTP Copy File Scanner
This module identifies the existence of possible copies of a specific file in a given path.

HTTP Directory Listing Scanner
This module identifies directory listing vulnerabilities in a given directory path.

HTTP Directory Scanner
This module identifies the existence of interesting directories in a given directory path.

Online fuzzer tool: http://digitaloffense.net/tools/axman/demo/

polonus
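The HTTP-splitting probe above works only if a server copies a request parameter into a response header without stripping CR/LF. As an added example for this thread (not code from Firekeeper or any other add-on named here), the block below shows both sides of the defence: a detector that walks query parameters and percent-decodes repeatedly, so it catches the double-encoded %250d%250a form seen in the logged Google URL as well as the plain %0d%0a form, and a header builder that refuses control characters instead of writing them to the wire. PROBE is the post's probe string in its single-encoded form; the host example.test is constructed.

```python
"""Detect CR/LF in request parameters and refuse them in response headers.
Added example for this thread; PROBE is the post's probe, TEST_URL is a
constructed URL carrying it (the host is not a real endpoint)."""
from urllib.parse import parse_qsl, unquote, urlsplit

PROBE = ("advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
         "Content-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a"
         "<html>Sorry,%20System%20Down</html>")
TEST_URL = "http://example.test/search?v=1.0&q=" + PROBE


def find_crlf_params(url, max_decodes=3):
    """Names of query parameters whose value contains CR or LF after up to
    max_decodes rounds of percent-decoding (parse_qsl does the first round,
    so %250d%250a becomes %0d%0a and then CRLF on the second)."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = value
        for _ in range(max_decodes):
            if "\r" in decoded or "\n" in decoded:
                break
            again = unquote(decoded)
            if again == decoded:
                break  # nothing left to decode
            decoded = again
        if "\r" in decoded or "\n" in decoded:
            hits.append(name)
    return hits


class HeaderInjection(ValueError):
    """Raised when untrusted input would break out of a header field."""


def build_header(name, value):
    """Return one 'Name: value\\r\\n' line, rejecting CR, LF and NUL in the
    value and whitespace, colons or control characters in the name (RFC 7230
    field rules), so a reflected parameter cannot start a new header or a
    second response."""
    if any(c in value for c in "\r\n\x00"):
        raise HeaderInjection(f"control character in value of {name!r}")
    if not name or any(c in name for c in "\r\n\x00: "):
        raise HeaderInjection(f"invalid header name {name!r}")
    return f"{name}: {value}\r\n"


def header_is_safe(name, value):
    """True if build_header accepts the pair, False if it would be rejected."""
    try:
        build_header(name, value)
        return True
    except HeaderInjection:
        return False
```

find_crlf_params(TEST_URL) returns ["q"], and header_is_safe("Location", unquote(PROBE)) is False, which is the behaviour a server needs for the probe to come back as a single, unsplit response.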