Aditya Agrawal, http://localhost. Security Researcher. RailFan. Foodie. Feed last built Tue, 19 Jul 2016 08:14:35 +0000 (en-US, hourly, WordPress 4.4.4).

PentestBox 2.0 Released
http://localhost/pentestbox-2-0-released/ (Wed, 23 Mar 2016 19:30:00 +0000)

Hi,

This is the first major release of PentestBox. A lot of refactoring and structural changes have been made. Before talking about the new features and changes, I would like to share the intent behind creating PentestBox.

When I started in infosec, I used to run Linux pentesting distros in virtual machines. After some time I realised that I only required a very small set of tools, so I checked whether they were available on Windows or not. Some of them were, but some important tools were still missing. I looked into the portability of such tools and found that this problem is not new. Many people want to use those tools directly on Windows, but there is no way they can do it, and where there are ways, they no longer work.


Above are some examples of users asking for Windows support for these awesome projects. So this project was made for fellow users like me who want to use pentesting tools directly on the Windows operating system.

I would like to thank everyone for the awesome feedback I have received since the day I released this project. There is also always demand for more tools in PentestBox; keeping that in mind, I have included some features (toolsmanager) in this version. You can read about them below. The next major thing I need to do is to provide support for wireless pentesting tools; there are too many problems to discuss here, but let me know if you have suggestions in this regard.

I would also request PentestBox users to spread the word about it. If you want to demonstrate PentestBox at a local meetup or conference, let me know at aditya@manifestsecurity.com; I can provide slides, documentation and other resources if required.

Scroll down to the end of the post to view the demo video of PentestBox v2.0.

Below is a list of some of the changes:

  • PentestBox currently contains efficient and popular security tools in their respective categories, but some users require more tools, and including every tool is not possible because of size constraints. Keeping that in mind, I have included a toolsmanager in this version which can install, update or remove the tools that are included by default in PentestBox. Read about this feature here.

  • Consider an environment where you want to use PentestBox on many computers, such as an office or a lab. Instead of installing PentestBox on each and every computer, you can install it on one computer and share that folder as a drive to the other computers on the same network. Read about this feature here.

  • Earlier we faced an issue with wpscan: because of a recent commit, it stopped working on Windows operating systems. I shared that issue on Facebook and Twitter. To prevent such things from happening in future, I have forked the tools that may have problems in future, and they will now be served through the PentestBox GitHub repo. So now, every Saturday, new commits will be checked and only then pushed.
    TL;DR: No more tool breakage.

  • From this version PentestBox supports 32-bit PCs as well, including the tools inside it. Most users aren't concerned about this, as most people use 64-bit systems, but it was introduced to turn low-end systems into a pentesting environment. Just to give an idea, I have tested PentestBox on this $200 machine, and it ran very smoothly.

  • Tools added: dotdotpwn, joomscan, Sublist3r, CMSmap, droopescan, CrackMapExec, AndroBugs Framework, Bytecode Viewer, WinDump (the Windows version of tcpdump)

  • Structural changes

    • Python 2.7.11 (32 bit) added.
    • Clink 0.4.7 (32 and 64 bit, automatically detected) added.
    • Ruby 2.1.8-i386-mingw32 added.
    • Strawberry Perl 5.22.1.3 (32 bit) added.
    • curl 7.34.0-win32 added (the newest version had an issue with Ruby).

Thanks!

IoT Security Wiki Released
http://localhost/iot-security-wiki-released/ (Thu, 03 Mar 2016 18:05:01 +0000)

Hi!

For the last 2-3 months I have been working on some projects related to IoT security. As there are very few people in IoT security, it was very difficult to find resources and learn about it. Nearly one year ago I released MobileSecurityWiki and got some awesome feedback about it from community members. So I thought of releasing the same for IoT, but doing that is a very difficult task, because there are too many things in IoT and many different kinds of IoT devices. The current version mostly contains research, presentations, talks and studies.

I look forward to your additions, suggestions and feedback for this wiki. Please visit the wiki to learn the procedure for suggesting additions. I think this would be very helpful for developers and security researchers in the long run.

Thanks

Aditya Agrawal

Appie Version 3 Released
http://localhost/appie-version-3-released/ (Tue, 23 Feb 2016 16:46:57 +0000)

It has been more than a year since Appie was launched, and I have been receiving an awesome response from its users since then. Thanks a ton for that :)

Below are some of the changes made since the previous version:

  • It now has 32-bit Python, so that even 32-bit systems have no problem using it.
  • Also updated the ConEmu framework which I use as the base terminal.
  • All the tools are updated in Appie, and in this version I have introduced a simple update script through which you can update all the tools inside Appie without downloading a new version of Appie. In the end this saves you a lot of time.
  • It is a lot faster now; if you are an existing user of Appie you will notice that.
  • Some new tools have been included in this version:

Using Update Feature

Using the update feature is very simple; currently there are only two options in the update script.

Type update in the Appie terminal.

With update tools, all the tools inside Appie will get updated, and with update config, the Appie configuration files will get updated.

You can now get news and updates about Appie and Android security on the Facebook and Twitter pages. Email subscription has not been provided because of email privacy issues.

You can download the new version of Appie from the links given below.

Download Appie

I have also made a short introduction video of Appie; you can watch it here.

Thanks

Aditya Agrawal

Android Application Security Part 26 – Intercept Traffic on Android Versions after 4.2.2
http://localhost/android-application-security-part-26/ (Wed, 14 Oct 2015 15:02:50 +0000)

In this post I will demonstrate how to intercept traffic on Android versions after 4.2.2. Most Android security professionals use Cydia Substrate and Android-SSL-TrustKiller for intercepting traffic, but as Cydia Substrate is not supported after Android 4.2.2, this can be a problem for users who want to pentest an app that only works on KitKat (Android 4.4.4) or Lollipop (Android 5.0.0).

So I will be using the Xposed Framework and JustTrustMe, which is an Xposed module.

  • First download the Xposed Installer apk from here and install it on your device.

  • Now download the JustTrustMe apk from here and install it on your device.

  • Then open the Xposed Installer app on your device and open Modules. Tick the checkbox next to JustTrustMe to activate the module.

  • Now go to the Framework section and choose Soft Reboot to reboot and activate the module.

Now if you try to intercept using Burp Proxy, you will be able to see the traffic of every app. Note that Xposed itself needs a rooted device, and the device's Wi-Fi connection still has to point at the Burp listener.
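To make concrete what a module like JustTrustMe does under the hood, here is a minimal Xposed module written for this post as an added illustration; it is not JustTrustMe's code and is not taken from that project. It assumes a rooted KitKat or Lollipop device with the Xposed framework installed, and the package, class and log names are made up:

```java
// Added illustration, not JustTrustMe's source: a minimal Xposed module with the
// two hooks a trust-killer needs on KitKat/Lollipop. Package and class names are
// made up. A real module also needs assets/xposed_init naming this class and the
// xposedmodule / xposedminversion meta-data entries in its AndroidManifest.xml.
package com.example.trustkiller;

import java.lang.reflect.Method;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class TrustKiller implements IXposedHookLoadPackage {

    // Accepts any chain. This is the whole "bypass", and also why such a module
    // must never be left enabled on anything but a test device.
    static final X509TrustManager ACCEPT_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Replacement for TrustManagerImpl.checkServerTrusted. The 3-argument overload
    // is void on 4.4 but returns List<X509Certificate> on 5.0, so return whatever
    // the hooked method's declared type needs instead of a bare null.
    static final XC_MethodReplacement SKIP_CHECK = new XC_MethodReplacement() {
        @Override
        protected Object replaceHookedMethod(MethodHookParam param) {
            Class<?> ret = ((Method) param.method).getReturnType();
            return ret == void.class ? null : new ArrayList<X509Certificate>();
        }
    };

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // 1. The platform's default validator, used by HttpsURLConnection and by
        //    anything else that takes the default SSLSocketFactory without
        //    installing its own TrustManager. On 4.4/5.0 it lives in
        //    com.android.org.conscrypt; hook both overloads.
        String tmi = "com.android.org.conscrypt.TrustManagerImpl";
        XposedHelpers.findAndHookMethod(tmi, lpparam.classLoader, "checkServerTrusted",
                X509Certificate[].class, String.class, SKIP_CHECK);
        XposedHelpers.findAndHookMethod(tmi, lpparam.classLoader, "checkServerTrusted",
                X509Certificate[].class, String.class, String.class, SKIP_CHECK);

        // 2. Apps that pin by handing their own TrustManager to SSLContext.init():
        //    swap the array for ACCEPT_ALL before the real init runs.
        XposedHelpers.findAndHookMethod(SSLContext.class, "init",
                KeyManager[].class, TrustManager[].class, SecureRandom.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        param.args[1] = new TrustManager[] { ACCEPT_ALL };
                    }
                });

        XposedBridge.log("TrustKiller: hooks installed in " + lpparam.packageName);
    }
}
```

Build it as an Android app with the Xposed API jar on the compile classpath, list the class in assets/xposed_init, enable it in Xposed Installer and soft-reboot, exactly as in the steps above. Hostname verification is left untouched because Burp issues a per-host certificate whose name matches the host being contacted. Libraries that carry their own pinning logic (OkHttp's CertificatePinner, Apache HttpClient's SSLSocketFactory, WebView clients) each need hooks of their own, and that coverage is most of what JustTrustMe adds on top of this. XposedHelpers.findAndHookMethod throws NoSuchMethodError when an overload is missing on a given Android release, so a real module guards each hook on Build.VERSION.SDK_INT.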

Install Google Play Store in Genymotion
http://localhost/android-application-security-part-25/ (Wed, 14 Oct 2015 03:02:00 +0000)

In this post I will demonstrate how you can install Google Play Store on a Genymotion device.

  • Switch on your Genymotion device.
  • Download the Google Apps package from CyanogenMod.
  • Drag and drop the downloaded zip file onto the Genymotion device. It will ask for confirmation; confirm it. It will then start showing some errors; ignore them for the time being and follow the next steps without opening any of the installed apps yet.
  • Go to Settings.
  • Tap on Add Account.
  • Tap on Google.
  • If you have an existing account, tap Existing; otherwise you can create a new account.
  • Sign in to your Google account and then allow Google to update. You will now see that your Google account has been linked to this device, and you can use Google Play Store and install other apps through it.
Configuring your Device for Pentesting
http://localhost/android-application-security-part-24/ (Tue, 13 Oct 2015 22:01:34 +0000)

In the first part of the series I showed how to configure a virtual device for pentesting. In this post I will demonstrate how to configure your real device (phone/tablet/smart watch) for pentesting.

  • Go to Settings > About phone and tap on the build number until it says "You are now a developer".

  • Go to the Developer Options.

  • Turn on USB Debugging.

  • Connect your phone with the USB cable and you will see this notification on your screen.

  • Now you can install the Drozer agent on your phone or get an adb shell. Note that the phone will prompt you to allow USB debugging from this computer the first time you connect using adb; until you accept, adb lists the device as unauthorized.


Spoofing your location in Play Store
http://localhost/android-application-security-part-23/ (Tue, 13 Oct 2015 21:56:14 +0000)

Many times you will find that the application you want to assess is only available in selected countries, so you won't be able to install it on your Android device. But if you can spoof your location to a country in which the application is available, you can get access to it. Below is the procedure.

  • First install Hotspot Shield Free VPN Proxy from Google Play Store.

  • Now connect using it and choose the required country.

  • Now go to Settings >> Apps >> Google Play Store, then tap Force Stop and then Clear Data.

  • Open Google Play Store and you will now be able to search for and install the application that is only available in that country.
Android Application Security Part 22 – Developer Backdoor
http://localhost/android-application-security-part-22/ (Tue, 13 Oct 2015 21:55:57 +0000)

Sometimes a developer puts a backdoor into an application, either to keep some sensitive functionality to themselves or for debugging purposes. Such a backdoor ships in the release build and is as easy to find as any other hardcoded string.

If you go through the Login Activity you will find that there is a backdoor: a username-password combination which turns on some admin options.

From the above image we can figure out that:

Username: customerservice
Password: Acc0uNTM@n@g3mEnT

If you log in with the credentials given above you will see an interface similar to the one shown below.

Android Application Security Part 21 – Exploiting Debuggable Applications
http://localhost/android-application-security-part-21/ (Tue, 13 Oct 2015 21:55:21 +0000)

Consider a situation where your mobile is stolen and it is not rooted. If an application is marked as debuggable, an attacker can access the application's data by assuming the privileges of that application, or can run arbitrary code with that application's permissions. In the case of a non-debuggable application, the attacker would first need to root the device to extract any data.

How to check for the debuggable flag?

I will use Sieve to demonstrate this issue.

  • Decompile the .apk file using apktool, then open the AndroidManifest.xml file.

  • Look for the android:debuggable attribute on the <application> element in AndroidManifest.xml. If the attribute is absent, it defaults to false.

Now, to see which applications are connected to the debugging socket (@jdwp-control), type adb jdwp in the console. It will list the PIDs (process identifiers) of the applications which can be debugged.

In order to figure out which PID belongs to our application, type adb jdwp before running the application you want to test.

Now type adb jdwp again after opening the application, and you will see that PIDs have been added to the last result; among those PIDs is the one which belongs to our application. In my case only one PID, 3894, was added.

Now check whether or not this PID belongs to this application, in case you got more than one PID. It should output the name of the application at the end of the result, like com.mwr.example.sieve in my case.

Now, to simply demonstrate what a debuggable application allows, I will extract data from the application's private directory.

With the help of the run-as binary we can execute commands as the com.mwr.example.sieve application. run-as only works for packages the system has recorded as debuggable, which is exactly the flag checked above.

Note: the above is shell access to my personal phone, which is not rooted.

Now you can extract the data or run arbitrary code with the application's permissions, as shown below.

But if you try to access any other directory using this method, it won't allow you, because com.mwr.example.sieve doesn't have access to it.

How To Fix

The fix is very simple: set the android:debuggable flag to false (or remove it) in the application's AndroidManifest.xml. Release builds produced by the Android build tools do not set it, so check the manifest of the APK you actually ship rather than the one you debug with.
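As an added example (not part of the original post), here is the manifest check above done programmatically, so it can be run over every decoded APK in an engagement rather than by eye. It parses the AndroidManifest.xml that apktool writes out; the class name and the embedded sample manifest are constructed for this illustration, and the sample only borrows Sieve's package name:

```java
// Added example, not from the original post: report whether a decoded
// AndroidManifest.xml (as written by `apktool d app.apk`) marks the app debuggable.
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Paths;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class DebuggableCheck {

    // The android: prefix is bound to this namespace in every manifest; matching on
    // the namespace rather than the literal prefix survives prefix renaming.
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    /** True only if <application android:debuggable="true">; an absent attribute means false. */
    static boolean isDebuggable(String manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The manifest comes out of an untrusted APK: no DTDs, no external entities.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(manifestXml)));

        NodeList apps = doc.getElementsByTagName("application");
        if (apps.getLength() == 0) {
            return false; // no <application> element at all: nothing to debug
        }
        Element app = (Element) apps.item(0);
        String value = app.getAttributeNS(ANDROID_NS, "debuggable"); // "" when absent
        return "true".equalsIgnoreCase(value.trim());
    }

    public static void main(String[] args) throws Exception {
        String xml;
        if (args.length > 0) {
            // e.g. java DebuggableCheck sieve/AndroidManifest.xml
            xml = new String(Files.readAllBytes(Paths.get(args[0])), "UTF-8");
        } else {
            // Constructed sample for illustration; only the package name is Sieve's.
            xml = "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\""
                + " package=\"com.mwr.example.sieve\">"
                + "<application android:debuggable=\"true\" android:label=\"Sieve\"/>"
                + "</manifest>";
        }
        System.out.println(isDebuggable(xml)
                ? "debuggable=true: run-as and jdwp attach will work on a stock device"
                : "not debuggable");
    }
}
```

Point it at the AndroidManifest.xml inside the directory apktool produced; with no argument it runs against the embedded sample. The namespace-aware lookup matters because a manifest that declares the Android namespace under a different prefix would slip past a plain text search for android:debuggable.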

Android Application Security Part 20 – Client Side Injections
http://localhost/android-application-security-part-20/ (Tue, 13 Oct 2015 21:55:07 +0000)

Client Side Injection holds the 7th position (M7) in the OWASP Mobile Top 10 (2014).

  • JavaScript Injection: the mobile browser is vulnerable to JavaScript injection as well. The default Android browser also has access to mobile applications' cookies. If you have your Google account attached to the device, then you can use your Google account in the Android browser without authentication.

  • Several application interfaces or language functions accept data and can be fuzzed to make applications crash. While most of these flaws do not lead to overflows, because the phone platforms run managed code, several have been used as the "userland" stage of an exploit chain aimed at rooting or jailbreaking devices.

  • Mobile malware or other malicious apps may perform a binary attack against the presentation layer (HTML, JavaScript, Cascading Style Sheets) or against the mobile app's executable itself. These code injections are executed either by the mobile app's framework or by the binary itself at run time.

How To Fix

  • SQL Injection: when dealing with dynamic queries or Content Providers, ensure you are using parameterized queries.
  • JavaScript Injection (XSS): verify that JavaScript and plugin support are disabled for any WebViews (usually the default).
  • Local File Inclusion: verify that file system access is disabled for any WebViews (webview.getSettings().setAllowFileAccess(false);).
  • Intent Injection/Fuzzing: verify that actions and data are validated via an Intent Filter for all Activities, and re-checked inside the Activity itself, since an exported Activity can still be started with an explicit Intent that names the component and bypasses the filter.

Reference

OWASP Mobile Top 10 2014 – M7: Client Side Injection
