Pentesting – Aditya Agrawal (http://localhost). Security Researcher. RailFan. Foodie. Feed last built Tue, 19 Jul 2016 08:14:35 +0000.

PentestBox 2.0 Released (http://localhost/pentestbox-2-0-released/, Wed, 23 Mar 2016 19:30:00 +0000)

Hi,

This is the first major release of PentestBox. A lot of refactoring and structural changes have been done. Before talking about the new features and changes, I would like to share the intent behind creating PentestBox.

When I started in infosec, I used to run Linux pentesting distros in virtual machines. After some time I realised that I only needed a very small set of tools, so I searched whether they were available on Windows or not. Some of them were, but some important tools were still missing. I looked into the portability of such tools and found that this problem is not new. Many people want to use those tools directly on Windows but there is no way they can do it, and where ways do exist, they no longer work.


Above are some examples of users asking for support for these awesome projects on Windows. So this project was made for fellow users like me who want to use pentesting tools directly on the Windows operating system.

I would like to thank everyone for the awesome feedback I have received since the day I released this project. There is also always demand for more tools in PentestBox. Keeping that in mind, I have included some features (toolsmanager) in this version. You can read about them below. The next major thing I need to do is to provide support for wireless pentesting tools; there are too many problems to discuss here, so let me know if you have suggestions in this regard.

I would also ask PentestBox users to share it. Also, if you want to demonstrate PentestBox at a local meetup or conference, let me know at aditya@manifestsecurity.com; I can provide slides/documentation and other resources if required.

Scroll down to the end of the post to view the demo video of PentestBox v2.0.

Below is a list of some of the changes:

  • Currently PentestBox contains efficient and popular security tools in their respective categories, but some users require more tools, and including every tool is not possible because of size constraints. Keeping that in mind, I have included a toolsmanager in this version which can install/update/remove tools that are included by default in PentestBox. Read about this feature here.

  • Consider an environment where you want to use PentestBox on many computers, for example in an office or lab. Instead of installing PentestBox on each and every computer, you can install it on one computer and share that folder as a drive to the other computers on the same network. Read about this feature here.

  • Earlier we faced an issue with wpscan when, because of a recent commit, it stopped working on Windows operating systems. I shared that issue on Facebook and Twitter. To prevent such things happening in future, I have forked the tools which may have problems in future, and they will now be served through the PentestBox GitHub repo. So now every Saturday new commits will be checked and only then pushed.
    Tl;dr: no more tool breakage.

  • From this version PentestBox supports 32-bit PCs as well, including the tools inside it. Most users aren't concerned about this, as most people use 64-bit systems, but it was introduced to turn low-end systems into a pentesting environment. Just to give an idea, I have tested PentestBox on this $200 machine, and it ran very smoothly.

  • Tools added: dotdotpwn, joomscan, sublist3r, CMSmap, droopescan, CrackMapExec, AndroBugs Framework, Bytecode Viewer, WinDump (Windows version of tcpdump)

  • Structural changes

    • Python 2.7.11 (32-bit) added.
    • Clink 0.4.7 (32- and 64-bit added, automatically detected).
    • Ruby 2.1.8-i386-mingw32 added.
    • Strawberry Perl 5.22.1.3 (32-bit) added.
    • curl 7.34.0-win32 added (the newest version had some issue with Ruby).

Thanks!

Android Application Security Part 26 – Intercept Traffic on Android versions after 4.2.2 (http://localhost/android-application-security-part-26/, Wed, 14 Oct 2015 15:02:50 +0000)

In this post I will demonstrate how to intercept traffic on Android versions after 4.2.2. Most Android security professionals use Cydia Substrate and Android-SSL-TrustKiller for intercepting traffic, but as Cydia Substrate is not supported after Android 4.2.2, this may be a problem for users who want to pentest an app which only works on KitKat (Android 4.4.4) or Lollipop (Android 5.0.0).

So I will be using the Xposed Framework and JustTrustMe, which is an Xposed module.

  • First download the Xposed Installer apk from here and install it on your device.

  • Now download the JustTrustMe apk from here and install it on your device.

  • Then open the Xposed Installer app on your device and open Modules in it. Tick the checkbox to activate the module.

  • Now go to the Framework section and choose Soft Reboot to reboot and activate the module.

Now if you try to intercept using Burp Proxy, you will be able to see the traffic of every app.

Install Google Play Store in Genymotion (http://localhost/android-application-security-part-25/, Wed, 14 Oct 2015 03:02:00 +0000)

In this post I will demonstrate how you can install Google Play Store in a Genymotion device.

  • Switch on your Genymotion device.
  • Download Google Apps from CyanogenMod.
  • Drag and drop the downloaded zip file onto the Genymotion device. It will ask for confirmation; confirm it. Then it will start showing some errors; ignore them for the time being and follow the next steps without opening any of the installed apps yet.
  • Go to Settings.
  • Tap on Add Account.
  • Tap on Google.
  • If you have an existing account then tap on Existing, otherwise you can make a new account.
  • Sign in to your Google account and then allow Google to update. You will now see that your Google account has been linked to this device. Now you can easily use Google Play Store and install other apps through it.
Configuring your Device for Pentesting (http://localhost/android-application-security-part-24/, Tue, 13 Oct 2015 22:01:34 +0000)

In the first part of the series I showed how to configure a virtual device for pentesting. In this post I will demonstrate how you can configure your real device (phone/tablet/smart watch) for pentesting.

  • Tap on the build number until it says "You are now a developer".

  • Go to the Developer Options.

  • Tap on USB Debugging.

  • Connect your phone with the USB cable and you will see this notification on your screen.

  • Now you can also install the Drozer agent on your phone, or get a shell. Note that you will be prompted on your phone when connecting using adb.


Spoofing your location in Play Store (http://localhost/android-application-security-part-23/, Tue, 13 Oct 2015 21:56:14 +0000)

Many times you will find that the application you want to assess is only available in selected countries, so you won't be able to install it on your Android device. But if you can spoof your location to a country where the application is available, then you can get access to it. Below is the procedure.

  • First install Hotspot Shield Free VPN Proxy from Google Play Store.

  • Now connect using it and choose your required country.

  • Now go to Settings >> Apps >> Google Play Store, tap on Force Stop and then on Clear Data.

  • Open Google Play Store, and now you will be able to search for and install the application which is only available in that country.
Android Application Security Part 22 – Developer Backdoor (http://localhost/android-application-security-part-22/, Tue, 13 Oct 2015 21:55:57 +0000)

Sometimes a developer puts a backdoor into a particular application. They put it there because they don't want somebody else to access a sensitive piece of information, and sometimes the backdoor is there for debugging purposes.

If you go through the Login Activity you will find that there is a backdoor: a username-password combination which turns on some admin options.

From the above image we can see that:

Username: customerservice
Password: Acc0uNTM@n@g3mEnT

If you log in with the credentials given above, you will see an interface similar to the one shown below.

Android Application Security Part 21 – Exploiting Debuggable Applications (http://localhost/android-application-security-part-21/, Tue, 13 Oct 2015 21:55:21 +0000)

Consider a situation where your mobile is stolen and it is not rooted. If an application is marked as debuggable, then an attacker can access the application's data by assuming the privileges of that application, or can run arbitrary code with that application's permissions. In the case of a non-debuggable application, the attacker would first need to root the device to extract any data.

How to check for the debuggable flag?

I will use Sieve to demonstrate this issue.

  • Decompile the .apk file using apktool, then open the AndroidManifest.xml file.

  • Look for the android:debuggable value in the AndroidManifest.xml file.

Now, to see which applications are connected to the debugging socket (@jdwp-control), type adb jdwp in the console. It will list the PIDs (process identifiers) of the applications which can be debugged.

In order to figure out which PID belongs to our application, type adb jdwp before running the application you want to test.

Now type adb jdwp again after opening the application, and you will see that PIDs have been added to the previous result; among those PIDs there is one which belongs to our application. In my case only one PID, 3894, was added.

Now check whether or not this PID belongs to the application, in case you got more than one PID. It should output the name of the application at the end of the result, like com.mwr.example.sieve in my case.

Now, to simply demonstrate what a debuggable application can do, I will extract data from the application's private directory.

With the help of the run-as binary we can execute commands as the com.mwr.example.sieve application.

Note: above is shell access on my personal phone, which is not rooted.

Now you can extract the data or run arbitrary code with the application's permissions, as shown below.

But if you try to access any other directory using this method, it won't allow you, because com.mwr.example.sieve doesn't have access to it.
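As an added example (not code from the original post), a small Python script that applies the two checks above: it parses a decoded AndroidManifest.xml for android:debuggable="true" and diffs two adb jdwp listings to isolate the PID that appeared after launching the app. The manifest and the PID lists are constructed sample data, not captured from Sieve.

```python
"""Added example (not from the original post): check a decoded
AndroidManifest.xml for android:debuggable="true" and work out which PID
appeared in `adb jdwp` output after the app under test was launched.
The manifest and the jdwp listings are constructed sample data."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest resembling what apktool decodes from a debug build.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.mwr.example.sieve">
    <application android:label="Sieve" android:debuggable="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

# Constructed `adb jdwp` output captured before and after opening the app.
JDWP_BEFORE = "1532\n2210\n2877\n"
JDWP_AFTER = "1532\n2210\n2877\n3894\n"


def is_debuggable(manifest_xml: str) -> bool:
    """True if <application> carries android:debuggable="true"; the attribute
    is simply absent from a normal release build, which counts as false."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    return app.get(ANDROID_NS + "debuggable", "false").strip().lower() == "true"


def new_jdwp_pids(before: str, after: str) -> list[int]:
    """Diff two `adb jdwp` listings (one PID per line) and return the PIDs
    present only in the second, i.e. the debuggable process that started
    between the two captures."""
    seen = {int(p) for p in before.split() if p.isdigit()}
    return sorted(int(p) for p in after.split() if p.isdigit() and int(p) not in seen)


if __name__ == "__main__":
    print("debuggable:", is_debuggable(SAMPLE_MANIFEST))        # True
    print("new PIDs:", new_jdwp_pids(JDWP_BEFORE, JDWP_AFTER))  # [3894]
```

On a real device, feed is_debuggable the file apktool writes and capture the two listings with adb jdwp before and after opening the app.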

How To Fix

The fix is very simple: just set the android:debuggable flag to false in the AndroidManifest.xml of the application.

Android Application Security Part 20 – Client Side Injections (http://localhost/android-application-security-part-20/, Tue, 13 Oct 2015 21:55:07 +0000)

Client Side Injections hold 7th position in the OWASP Mobile Top 10.

  • JavaScript Injection: The mobile browser is vulnerable to JavaScript injection as well. The Android default browser also has access to mobile applications' cookies. If you have your Google account attached to the device, then you can use your Google account in the Android browser without authentication.

  • Several application interfaces or language functions can accept data and can be fuzzed to make applications crash. While most of these flaws do not lead to overflows, because the phone's platforms are managed code, several have been used as a "userland" exploit in an exploit chain aimed at rooting or jailbreaking devices.

  • Mobile malware or other malicious apps may perform a binary attack against the presentation layer (HTML, JavaScript, Cascading Style Sheets) or the actual binary of the mobile app's executable. These code injections are executed either by the mobile app's framework or by the binary itself at run time.

How To Fix

  • SQL Injection: When dealing with dynamic queries or Content Providers, ensure you are using parameterized queries.
  • JavaScript Injection (XSS): Verify that JavaScript and plugin support is disabled for any WebViews (usually the default).
  • Local File Inclusion: Verify that file system access is disabled for any WebViews (webview.getSettings().setAllowFileAccess(false);).
  • Intent Injection/Fuzzing: Verify that actions and data are validated via an Intent Filter for all Activities.

Reference

OWASP Top 10 2014 – M7

Android Application Security Part 19 – Improper Session Handling (http://localhost/android-application-security-part-19/, Tue, 13 Oct 2015 21:54:48 +0000)

Improper Session Handling holds 9th position in the OWASP Mobile Top 10.

Session handling is a very important part of what happens after authentication has been done. Session management should also be done in a secure way to prevent some vulnerable scenarios. Most applications have a secure mechanism for authentication but very insecure mechanisms for session handling; below I will describe some of the common scenarios.

No session destruction at server side

I have seen this one most often: most applications just send a null cookie when the user opts to log out, but the session cookie is still valid on the server side and is not destroyed after the user has used the logout feature.

Cookie not set as Secure

The Secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP response. The purpose of the Secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text.

To accomplish this goal, browsers which support the Secure flag will only send cookies with the Secure flag when the request is going to an HTTPS page. Said another way, the browser will not send a cookie with the Secure flag set over an unencrypted HTTP request.
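As an added example (not from the original post), a Python check for the Secure flag scenario: it parses the Set-Cookie headers of a captured HTTP response and lists the cookies that were set without the Secure attribute. The response headers and cookie names below are constructed sample data.

```python
"""Added example (not from the original post): find cookies that a captured
HTTP response sets without the Secure flag. The headers are constructed."""

# Constructed response headers, as a proxy such as Burp would capture them.
SAMPLE_RESPONSE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: application/json",
    "Set-Cookie: JSESSIONID=ab12cd34ef56; Path=/; HttpOnly",
    "Set-Cookie: auth_token=9f8e7d6c; Path=/; Secure; HttpOnly",
    "set-cookie: lang=en; Path=/",
]


def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into a dict. Attribute names are
    case-insensitive (RFC 6265), so they are lowercased; bare flags such as
    Secure and HttpOnly map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie["attrs"][key.strip().lower()] = val.strip() or True
    return cookie


def cookies_missing_secure(headers: list[str]) -> list[str]:
    """Names of all cookies set by these headers that lack the Secure flag,
    i.e. cookies the client would also send over plain HTTP. Header names
    are compared case-insensitively, as servers may emit 'set-cookie:'."""
    missing = []
    for line in headers:
        hname, _, hvalue = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue)
        if "secure" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


if __name__ == "__main__":
    print(cookies_missing_secure(SAMPLE_RESPONSE_HEADERS))  # ['JSESSIONID', 'lang']
```

Review the output against which cookies actually carry the session; a missing Secure flag on the session cookie is the finding, a missing flag on a preference cookie like lang is not.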

Android Application Security Part 18 – Attacking Broadcast Receivers (http://localhost/android-application-security-part-18/, Tue, 13 Oct 2015 21:52:20 +0000)

To get the list of exported Broadcast Receivers, you can either use drozer or look in the AndroidManifest.xml file, as I did in the Attacking Activities post. I will be using drozer.

Above is the exported broadcast receiver.

If you look in the AndroidManifest.xml file of the FourGoats application, you will find that the action name is org.owasp.goatdroid.fourgoats.SOCIAL_SMS and the component name is org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver. So we have to set these parameters in drozer accordingly.

I have also decompiled the FourGoats apk using dex2jar and opened it with JD-GUI. Below is a snapshot of this particular BroadcastReceiver's source code.

So from the above code we can tell that while passing the intent we have to give two inputs, "phoneNumber" and "message".

The above command will try to send the message "It's me Aditya" to the number 1234. But from Android 4.2 onwards, further control has been added over the use of SMS. Android will show a notification if an application attempts to send an SMS to a short code that uses premium services, which might cause additional charges. The user can choose whether to allow the application to send the message or to block it.

But when I modify the phoneNumber to 123456789, it does not show this confirmation dialog, because Android doesn't consider that number a premium number.

So in this way a malicious app can take advantage of an exported BroadcastReceiver of another app.
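As an added example (not from the original post), the defender-side check for this class of issue: audit a decoded AndroidManifest.xml for receivers that are exported but declare no android:permission, so any app on the device can fire their actions. The manifest is a constructed sample that mirrors the FourGoats SendSMSNowReceiver above; the other two receivers in it are invented for contrast.

```python
"""Added example (not from the original post): list the broadcast receivers a
decoded AndroidManifest.xml exports and flag those that any app can trigger
because no android:permission guards them. The manifest is constructed."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute prefix

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.owasp.goatdroid.fourgoats">
  <application>
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".broadcastreceivers.InternalReceiver"
              android:exported="false"/>
    <receiver android:name=".broadcastreceivers.GuardedReceiver"
              android:exported="true"
              android:permission="org.owasp.goatdroid.fourgoats.SEND"/>
  </application>
</manifest>"""

def is_exported(receiver: ET.Element) -> bool:
    """An explicit android:exported attribute wins; without it, a receiver is
    exported exactly when it declares an intent-filter (the rule for the
    Android versions this post targets; Android 12+ demands the attribute)."""
    explicit = receiver.get(A + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return receiver.find("intent-filter") is not None

def unprotected_exported_receivers(manifest_xml: str) -> list[dict]:
    """Exported receivers that lack android:permission, with their actions."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for rcv in root.iter("receiver"):
        if not is_exported(rcv) or rcv.get(A + "permission"):
            continue
        actions = [act.get(A + "name") for act in rcv.iter("action")]
        findings.append({"name": rcv.get(A + "name"), "actions": actions})
    return findings

if __name__ == "__main__":
    for f in unprotected_exported_receivers(SAMPLE_MANIFEST):
        print(f"{f['name']}: exported, no permission, actions={f['actions']}")
```

Each receiver reported here is one a drozer app.broadcast.send command from any other app would reach; protecting it with a permission or setting android:exported="false" removes it from the list.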
