Saturday, 7 January 2012

Useful Firefox Add-ons regarding Pentesting

There are a lot of different and useful Add-ons for Firefox that can be used when executing a pentest.

A good starting point is the FireCAT project (Firefox Catalog of Auditing exTensions). FireCAT provides a mind map that categorizes security and audit Add-ons for Firefox. You can download this catalogue as HTML or as the actual mind map. The result of the FireCAT project is also the basis for Mantra. Mantra is a special Firefox build that has been adapted for students, penetration testers, web application developers, security professionals etc. and contains almost all Add-ons of the FireCAT mind map.

As there is already a catalogue of Add-ons maintained by FireCAT I don't want to start my own list here. I just want to point out some Add-ons that are quite useful for me. I'm not using Add-ons for XSS or SQL injection scanning or for tampering with HTTP data (especially because Add-ons like XSS Me or SQL Inject Me never worked for me). There are better tools like Burp that can do these kinds of things. All of these Add-ons are still working with Firefox 9.0.1 and make my life easier when testing a web application:

This toolbar will help you in testing SQL injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code. If you know what you're doing, this toolbar will help you do it faster. If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book, a lot of Google and a brain.

Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

Web Developer
The Web Developer extension adds various web developer tools to a browser.

Session Manager saves and restores the state of all or some windows - either when you want it or automatically at startup, after crashes or periodically. It can also automatically save the state of open windows individually.

Persistent and private sticky notes for Firefox. This can be very useful as a reminder or just to attach a note to a certain area of a website or input field.

Capture the whole page or any portion, annotate it with rectangles, circles, arrows, lines and text, blur sensitive info, one-click upload to share. During a pentest it's very important to document everything (error messages, for example).

A great Add-on for a first scan in the information gathering phase of a pentest to collect some information about an IP or domain.

FoxyProxy is a great tool to switch very conveniently between different proxies and replaces the proxy function provided by Firefox.

Friday, 6 January 2012

Remote Administration of BackTrack

As a next step I wanted to install remote administration software on BackTrack that supports a client running natively on Mac OS X. I don't want to start my Windows VM every time just to use the vSphere Client to connect to my ESXi and then jump to the console of BackTrack to get its GUI. SSH is sufficient for most of the tasks in pentesting, but some tools such as Burp or Nessus need a GUI, so I had to choose a remote administration software.

I chose (Free-)NX as it is tunneled via SSH, is available for a lot of operating systems and provides a native client for Mac OS X. Another feature of NX is "seamless connections": you can reconnect to a previous connection you already closed.

First I installed the latest stable server, version 3.5 that can be downloaded on I downloaded the client, the server and node packages for Debian and installed everything with dpkg on my BackTrack 5 R1 VM. My client is a MacBook with the latest Mac OS X Lion and after downloading the client (also version 3.5) and installing it, this message appeared:

So the Client didn't work, because is still compiling PPC binaries for Mac OS X m(. Fortunately there is a new version of NX-Server available, with a native Intel Client for Mac OS X that can be used with Lion.

Finally I uninstalled the whole NX-Server packages in my BackTrack VM with apt-get autoremove, and installed everything with the latest NX Virtual Desktop Workstation for Linux version 4.0.132-7 (still a preview).

root@bt:~# dpkg -i nxserver_vdw_4.0.132-7_i386.deb

After installation the nxserver service is already running and no update-rc.d has to be executed, as this was already done during installation.

The new client also works on my Intel Mac. Now it just runs like a charm, and I'm on the bleeding edge :-)

To activate sshd in BackTrack at boot, which is mandatory when using NX, just do the following:

root@bt:~# update-rc.d -f ssh defaults

Before you can start ssh you should generate the DSA and RSA host keys:

root@bt:~# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
root@bt:~# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

To activate sshd immediately do the following:

root@bt:~# /etc/init.d/ssh start


If you want to configure a secure login to NX via an authentication key instead of username and password you have to do the following steps:

1. Create a new user in BackTrack (with the same username you use to log in on your client machine):
#adduser <Username>

2. Create the .ssh directory and authorized_keys2 file in the home directory of the new user in BackTrack:
#su <Username>
#mkdir ~/.ssh
#touch ~/.ssh/authorized_keys2

3. Generate a key-pair on your client machine:
#ssh-keygen -t rsa

4. Copy the content of ~/.ssh/ on your client machine to ~/.ssh/authorized_keys2 in the home directory of the new user in BackTrack:
#cat ~/.ssh/ | ssh "cat - >> /home/<Username>/.ssh/authorized_keys2"

5. SSH to BackTrack. It should work now after entering the password for your key, or you are already logged in if you have not set a password for your key ;-)
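The key-installation part of steps 2 to 5, as an added example that is not code from the original post: a small POSIX shell helper that does what the mkdir/touch/cat lines above do, but also sets the modes that sshd's StrictModes check (on by default) requires, refuses to install anything that does not look like a public key line (the classic mistake is pasting the private key), and does not append the same key twice when re-run. The function names install_authorized_key and check_ssh_perms and the sample key lines are assumptions for illustration, not names from the post or from NX.

```shell
#!/bin/sh
# Added example, not code from the original post. Installs a client's public key
# into <home-dir>/.ssh/authorized_keys2 (the file the post uses) with the
# permissions sshd expects: 700 on .ssh and 600 on the key file. Run it as the
# target user (after "su <Username>") or as root.
#
# Usage: install_authorized_key <home-dir> <pubkey-file>
# e.g.   install_authorized_key /home/alice /tmp/id_rsa.pub
install_authorized_key() {
    home_dir="$1"
    pubkey_file="$2"
    ssh_dir="$home_dir/.ssh"
    keyfile="$ssh_dir/authorized_keys2"

    # A public key is exactly one line; anything after it is ignored
    key=$(head -n 1 "$pubkey_file")

    # Refuse anything that is not an OpenSSH public-key line. This catches
    # the common error of copying id_rsa instead of id_rsa.pub.
    case "$key" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key line: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$keyfile"
    chmod 600 "$keyfile"

    # Append only if this exact line is not present yet, so re-runs are safe
    if ! grep -qxF -- "$key" "$keyfile"; then
        printf '%s\n' "$key" >> "$keyfile"
    fi
}

# Returns 0 when .ssh and authorized_keys2 under <home-dir> carry the modes
# sshd accepts with StrictModes, 1 otherwise. "find -perm 700" with a plain
# octal mode is an exact match in POSIX find; -prune stops it descending.
check_ssh_perms() {
    ssh_dir="$1/.ssh"
    keyfile="$ssh_dir/authorized_keys2"
    [ -n "$(find "$ssh_dir" -prune -perm 700 2>/dev/null)" ] || return 1
    [ -n "$(find "$keyfile" -prune -perm 600 2>/dev/null)" ] || return 1
    return 0
}
```

If step 5 still asks for the account password after this, check_ssh_perms is the first thing to run: sshd silently ignores an authorized_keys2 file whose directory or file is group- or world-writable, and that failure shows up in the server's auth log rather than on the client.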

If authentication via your key is working you just have to place your private key in the NX Player on your client. This can be done when creating a new connection by clicking on the three dots after "Use the system login".

Then you just have to select the private key and the login should work. The private key must have the file extension "key", otherwise you can't select it:

#mv ~/.ssh/id_rsa ~/.ssh/id_rsa.key

If you can't see the ".ssh" directory you have to show hidden files.

If you don't mind logging in as root via NX you just have to do steps 1 to 5 for the user root. Then you just have to edit /usr/NX/etc/server.cfg in BackTrack, set "EnableAdministratorLogin" to 1 and restart nxserver with

#service nxserver restart

Then you are able to log in as root via NX. Have fun :-)

Linux Server: NX Virtual Desktop Workstation for Linux (Version 4.0.132-7, 06-01-2012)
NX Player for Mac OS X