Pen Testing the Web

with Firefox:
Website-based Tools
Michael “theprez98” Schearer
Website-based tools (1)
n Out-of-the-box functionality; (mostly) no
installation required
n Browser-independent
n Provides some tool functionality that would
not normally be present in a browser-
only environment
Website-based tools (2)
n Provides some degree of anonymity from
a target because information is being
gathered via a third party (the website)
n Primarily passive information gathering
n Some potential vulnerabilities can be
inferred by interpreting the data
n
Caveats
n Website-based tools may be limited in
functionality as compared to their GUI or
CLI versions
n These examples are not meant to be
exhaustive, but to provide you with a
representative sample of what
penetration testing tools are available to
you in the form of a website
Categories
n Information gathering
n Network tools
n Special purpose
Information gathering (1)
n Information gathering websites are designed
to provide you with information relevant to
user input; typically an IP address, domain
or hostname, email address or DNS data
n Many similar sites that provide (mostly) the
same data
n Some information gathering websites also
provide network tools
Information gathering (2)
n Whois.net
n DomainTools.com
n SamSpade.org + GUI tool (Windows)
n
Network tools (1)
n Network tools websites are designed to
n Many similar websites provide (mostly) the
same data although some may have
additional functionality
n Network tools websites may be limited in
functionality as compared to their GUI or
CLI versions
Network tools (2)
n phaster.com/find_info_net_traffic.shtml
n Network-Tools.com
n HackerWhacker.com
n DNSStuff.com/tools
n just-traceroute.com + example
n CentralOps.net + examples
why not 80?
Special purpose (1)
n Specialized websites are designed to
provide you with information that may
not be available elsewhere
n Often provide you with a front-end for a
tool to which you may not currently have
access
Special purpose (2)
n EDGAR
n Netcraft
n Nmap Online
n Hosted hash crackers
n WiGLE
n FOCA
n SHODAN
n Browser-based shells
EDGAR
n Electronic Data Gathering Analysis and
Retreival
n Searchable depository of the U.S.
Securities and Exchanges Commission
(SEC) corporate filings
n Both domestic and foreign companies
EDGAR searches
n Locate company’s Central Index Key (CIK)
through EDGAR CIK Lookup eliminate
time-consuming searches
n Be specific, use exact company name
n Know what to look for:
 Form 10-K: Annual report
 Form 10-Q: Quarterly report
 Form 8-K: Current report (significant
events)
current report

quarterly report

annual report
dir
ec
t or
s
sa
lar
ies
stockholders
Netcraft (1)
n Internet services company based in Bath,
England
n Provides internet security services,
including anti-fraud and anti-phishing
services, application testing, code
reviews, and automated penetration
testing
n Provides research data and analysis on
many aspects of the Internet
Netcraft (2)
n Information can be gathered manually
from the website or automatically by
installing the Netcraft Toolbar (IE and
FF)
n Toolbar provides links to Netcraft services,
site risk rating, site reports and hosting
providers
n Interpretation of some data may reveal
potential site vulnerabilities
 es ing o rt r
i c ra t rep ste
rv k e o
se ris sit h
Nmap Online
n Web-based version of Nmap
n Scans limited to IPs in the same class C
subnet as your IP address
n Scan limitations per day (8) and week (40)
n Some options are disabled
Hosted hash crackers (1)
n Special purpose websites that serve as a
front-end for a database designed to aid
in the cracking of various cryptographic
hashes
n Takes advantage of pre-computed
rainbow tables and/or distributed
computing to quickly crack hashes
Hosted hash crackers (2)
n MD5, LM, NTLM, SHA1 are most
common; others available too
n Depending upon your client, be wary of
submitting hashes to public databases
Hosted hash crackers (3)
n hashcrack.com
n lmcrack.com
n md5crack.com
n md5.rednoize.com
n freerainbowtables.com
WiGLE
n Wireless Geographic Logging Engine
n Maps of wireless networks as contributed
by its users
n 19+ million networks worldwide
 Admin offices Brandon Shores

Wagner
Public road
 Admin offices Brandon Shores

Wagner
Public road
CEG CEG Admin offices Brandon Shores

CEG CEG

CEG
Wagner
Public road
Fingerprinting Organizations
with Collected Archives (FOCA)
n Developed by Chema Alonso and José
Palzón (SPEAKING TOMORROW!)
n Search and automatically download
documents
n Extract metadata and other hidden
information and lost data
FOCA (2)
n Analyze the information to aid in
fingerprinting a network
n Other than downloading the file, the
process is completely passive
n FOCA is available via download; or
n Documents can be submitted via a web
interface
SHODAN
n SHODAN is a computer search engine
designed by web developer John
Materly (http://twitter.com/achillean)
n SHODAN interrogates ports and grabs the
resulting banners, then indexes the
banners (rather than the web content)
for searching
n
Browser-based shells
n Software that provides shell access inside
a browser window
n CLI access to tools that would not
normally be available in a browser-only
environment
n Typically requires the installation of
software in a third party location (or your
location)
Authors and add-ons
n Netcraft (Netcraft Toolbar)
Pen Testing the Web
with Firefox:
Website-based Tools
Michael “theprez98” Schearer