This is the first major release of PentestBox. Too much refractoring and structural changes are done. Before talking about new features and changes i would like to share intent behind creating PentestBox.

When i started in infosec, i used to run linux pentesting distro in Virtual Machines. After some time i realised that i only require only very small set of tools, so i searched if they are available on windows or not. Some of them were, but still some important tools were missing. I searched about portability of such tools and found that this problem is not new. Many people want to use those tools directly on windows but there are no ways they can do it. If there are ways, they no longer work.

Above are some of the examples of users requiring support for these awesome projects on windows. So this project was made for fellow users like me who want to use pentesting tools directly on windows operating system.

I would like to thank everyone for their awesome feedback i received from the day i released this project. Also there is always demand for more tools in PentestBox. Keeping that in mind, i have included some features(toolsmanager) in this version. You can read about them below. Next major thing i need to do is to provide support for Wireless Pentesting Tools, there are too many problems, didn’t want to discuss it here, let me know if you have suggestion in this regard.

I would also request PentestBox users to share about it. Also if you want to demonstrate PentestBox at some local meetup or conference, let me know at aditya@manifestsecurity.com, i can provide you slides/documentation and other resources if required.

Scroll down to end of the post to view demo video of PentestBox v2.0 .

Below are list of some of the changes:-

• Currently PentestBox contain efficient and popular security tools in their respective categories, but some users require more tools and including every tool is not possible because of size constraint. Keeping that in mind, i have included a toolsmanager in this version which can install/update/remove tools which are included by default in PentestBox. Check about this feature here.

• Consider a environment where you want to use PentestBox on many computers like office, lab, etc. Instead of installing PentestBox on each and every computer, you can just install that on one computer and share that folder as a drive to other computers on the same network. Check about this feature here.

• Earlier we faced an issue with wpscan when because of some recent commit, it stopped working on windows operating systems. I shared about that issue on Facebook and Twitter. To prevent such things happening in future, i forked tools which can have problem in future and now will be served through PentestBox github repo. So, now every saturday new commits will be checked and then only will be pushed.
  Tl;dr : No more tools brekage.

• From this version PentestBox supports 32 bits PC as well, also the tools inside it. Most users aren’t concerened about above thing, as most of the people uses 64 bit systems. But this was introduced to make low-end systems in to a Pentesting Environment. Just to give an idea, i have tested PentestBox on this $200 machine, and it ran on it very smoothly.

• Tools Added – dotdotpwn, joomscan, sublist3r, CMSmap, droopescan, CrackMapExec, Androbugs Framework, ByteCodeViewer, Windump – windows version of tcpdump

• Structural changes

  • Python 2.7.11(32 bit) added.
  • Clink 0.4.7(32 and 64 bit added, automatically detect)
  • Ruby 2.1.8-i386-minigw2 added.
  • Strawberry perl-5.22.1.3-32 bit added.
  • curl 7.34.0-win32 added (newest version had some issue with ruby).

Thanks!

From last 2-3 months i have been working on some projects related to IoT Security. As there are very less people in IoT Security, it was very difficult to find any resources and learn about it. Nearly one year ago i released MobileSecurityWiki and i got some awesome feedbacks about it from the community members. So i thought to release the same for IoT, but doing that is very difficult task, because there are too many things in IoT and there are different kind of IoT devices. Current version mostly contains research/presentations/talks/studies.

I look forward for your additions/suggestion/feedback for this wiki. Please visit the wiki to know procedure to suggest additions. I think this would be very helpful for the developers and security researchers in the long run.

Thanks

Aditya Agrawal

Below are some of changes which have been made from previous version:-

• It now have Python 32 bit so that even 32 bit systems have no problem with usage.
• Also updated the Conemu framework which i use as a base terminal.
• Although all the tools are now updated in Appie, but in this version i have introduced a simple update script through which you can update all the tools inside Appie without downloading new version of Appie. So at the end this saves your lot of time.
• It is lot more faster now, if you are an existing user of Appie than you will notice that.
• Some new tools have been included in this version:-
  • I have replaced Sublime Text with open-source Atom text editor.
  • ByteCodeViewer
  • jadx
  • SQLite Database Browser
  • SQLmap
  • Included Mozilla Firefox with some security addons.
  • AndroBugs Framework
  • And finally Appie has a logo.
    

Using Update Feature

Using update feature is very simple, currently there are only two options in update script.

Type update in Appie terminal.

With update tools, all tools will get updated inside Appie and with update config, appie configuration files will get updated.

Now you can get news and updates about Appie and android security on Facebook and Twitter page. Email subscription has not been provide because of email privacy issue.

You can download new version of Appie from links given below.

I have also made a short introduction video of Appie, you can watch here.

Thanks

Aditya Agrawal

So i will be using a Xposed Framework and JustTrustMe which is an xposed framework module.

• First download Xposed Installer apk from here and install on your device.

• Now download JustTrustMe apk from here and install it on your device.

• Then open up your Xposed Installer App from your device and open modules in it. Then click on the checkbox to activate that module.
  

• Now go to the framework section and choose Soft Reboot to reboot and activate that module.
  

Now if you would try to intercept using your Burp Proxy then you would be able to see the traffic of every apps.

• Switch ON your Genymotion Device.
• Download Google Apps from Cynogenmod
• Drag and Drop the downloaded zip file to Genymotion Device. It will ask for confirmation,confirm it.Then it will start showing some error’s, ignore for the time being and follow the next steps without opening any installed apps now.
• Go to Settings
  
• Tap on Add Account
• Tap on Google
  
• If you have an existing account then click on existing otherwise you can make a new account.
  
• Signin your google account and then allow google update. You will see now your Google account has been linked to this device. Now you easily operate Google Play Store and install other apps through it.
  

• Tap on the build number until it says ” You are now a developer”
  

• Go to the Developer Options.
  

• Tap on USB Debugging .
  

• Connect your Phone with the USB cable and you will see this notification on your Screen .

• Now you can also install Drozer agent on your phone or can also get a shell. Note you will be prompted on your phone while connecting using adb.

• First install Hotspot Shield Free VPN Proxy from Google Play Store.
  

• Now connect using it and choose your required country.
  

• Now go to Settings >> Apps >> Google Play Store and then tap on Force Stop and then on Clear Data.
  

• Open up Google Play Store and now you will be able to search and install the application which is only available in that country.
  

If you would go through Login Activity then you will find that there is a Backdoor. There is a Username-Password combination which turns on some Admin Options.

From the above image we can figure out that

Username: customerservice
Password: Acc0uNTM@n@g3mEnT

If you would login with the credentials given above then you will see a similar Interface given below.

How to check for debuggable flag ?

I will use Sieve to demonstrate this issue.

• Decompile .apk file using apktool then open up the AndroidManifest.xml file.

• Look for android:debuggable value in the AndroidManifest.xml file.
  

Now to see which application are connected to debugging socker(@jdwp-control), type adb jdwp in the console. It will list the PIDs(Process Identifiers) of the applications which can be debugged.

In order to figure out which PID belong to our application, type adb jdwp before running the application you wanted to test.

Now again type adb jdwp after opening the application and you will see that there are PIDs added to last result, so among those PIDs there is one PID which belong to our application. In my case there is only one PID 3894 which is added .

Now check whether or not this PID belong to this application, in case you have got more than one PID. It should output name of the application at the end of result like com.mwr.example.sieve in my case.

Now to simply demonstrate what an debuggable application can do, i will extract data from application private directory.

Now with the help of run-as binary we can execute commands as com.mwr.example.sieve application.

Note: Above is the shell access of my personal phone which is not rooted.

Now you can extract the data or run an arbitary code using application permission like shown below.

But if you would try to access any other directory using this method, it won’t allow you because com.mwr.example.sieve doesn’t have access to it.

How To Fix

Fix is very simple, just set android:debuggable flag to false in AndroidManifest.xml of the application.

• Javascript Injection: The mobile browser is vulnerable
  to javascript injection as well. Android default Browser has also access
  to mobile applications cookies. If you have your Google account attached to device
  then you can use your Google account in Android Browser without authentication.

• Several application interfaces or language functions can accept data and can be fuzzed to make applications crash. While most of these flaws do not lead to overflows because of the phone’s platforms being managed code, there have been several that have been used as a “userland” exploit in an exploit chain aimed at rooting or jailbreaking devices.

• Mobile malware or other malicious apps may perform a binary attack against the presentation layer (HTML, JavaScript, Cascading Style Sheets ) or the actual binary of the mobile app’s executable. These code injections are executed either by the mobile app’s framework or the binary itself at run-time.

How To Fix

• SQL Injection: When dealing with dynamic queries or Content-Providers ensure you are using parameterized queries.
• JavaScript Injection (XSS): Verify that JavaScript and Plugin support is disabled for any WebViews (usually the default).
• Local File Inclusion: Verify that File System Access is disabled for any WebViews (webview.getSettings().setAllowFileAccess(false);).
• Intent Injection/Fuzzing: Verify actions and data are validated via an Intent Filter for all Activities.

Reference

OWASP Top 10 2014 – M7