PenTest Magazine Teaser - Mobile Hacking



EDITOR'S NOTE 05/2011 (5) September

Dear Readers,

How do you feel when you read yet another piece of news about yet another tabloid journalist hacking into yet another celebrity / politician / accident victim / etc. mobile and extracting confidential information from their voice mail (The News of The World, thank you very much for making the news)? I believe that people who use their mobiles like their cars (you don't have to know what's under the bonnet to know how to drive it – so the vast majority of us) are perplexed at the idea that their precious secrets can be disclosed so easily and their indispensable mobile friends can be hacked into by nameless agents, lurking somewhere out of their sight. But how does a hacker feel? I believe – offended, because how can you call trying out a 4-digit code (which is most likely 1,2,3,4, or the year of the user's birth, or something equally impenetrable) till you find the correct sequence? I might be a bit biased here, but I find calling it brute-forcing a bit of an overstatement.

Thus, we've decided to devote our September edition to mobile security, seen, as always, from a pentester's perspective. The mobile apps market is growing rapidly, and so are attempts at compromising its security. Nowadays everyone can be a "hacker", as we have already mentioned, but securing yourself from a real threat is another pair of shoes. And what better way of managing security issues than penetration testing?

The centerpiece of this issue's focus is Aditya K Sood's Breaking Down the i*{Devices}, concentrating on data testing, decrypting and mobile app developers' "wrongdoings", who sometimes tend to disregard security issues at a scale which can be described as at least inappropriate, taking into consideration the expanding market. Cory Adams will encourage you to Act Like a Criminal while Leveraging Android Malware for Improved Penetration Testing Results, Bill Mathews will share his views on Attacking the Mobile Infrastructure, and Devesh Bhatt will take you Inside Android Applications, concentrating on manifest configuration. Some general points of Mobile Application Security Testing will be presented to you by Iftach Ian Amit.

There are of course other articles worth looking at in this issue of PenTest Magazine. I can definitely recommend Arthur Gervais' New Penetration Testing Business Model – the idea behind his Hatforce project, based on crowd-sourcing. It might be another step in the field of IT security, surely worth looking at and taking further.

Enjoy your reading,
Sebastian Buła & Penetration Test Magazine Team

TEAM
Editor: Sebastian Buła
Betatesters / Proofreaders: Massimo Buso, Ankit Prateek, Santosh Rana, Rishi Narang, Davide Quarta, Gerardo Iglesias Garvan, Steve Hodge, Jeff Weaver
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
Art Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca
Marketing Director: Sebastian Buła
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1, Phone: 1 917 338 3631

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™.

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
CONTENTS

POINT OF VIEW

04 Isn't Social Engineering the Safest Form of Pentesting?
by Ankit Prateek
One might argue over this, but for a student and a budding pentester like me, this is the truth and holds water. Social engineering won't call your work illegal unless you harm someone personally or cause some financial loss. Plus, since you don't have certifications at competitive prices, no one even wants you to be a certified Social Engineer at that unaffordable price.

06 Trust Pentesting Team. Do You?
by Rishi Narang
With the advent of security and its counterpart, a large share of vulnerabilities has been due to human errors in the software lifecycle. These errors have either crept in mistakenly, or the loopholes have been intentionally inserted with 'malicious' intentions.

FOCUS

08 Breaking Down the i*{Devices}
by Aditya K Sood
Smartphones have revolutionized the world. The online world is grappling with severe security and privacy issues. Smartphone applications require an aggressive approach to security testing and integrity verification in order to serve the three metrics of security: confidentiality, integrity and availability.

16 Act Like A Criminal
by Cory Adams
What, act like a criminal? That would usually be considered bad advice, but having an understanding of how cyber criminals conduct business will lead to better penetration testing results. In-depth malware analysis will reveal criminals' tactics, techniques, and procedures. These can be utilized to generate improved penetration testing abilities by allowing the tester to view the target as a would-be intruder does.

22 Mobile Application Security Testing
by Iftach Ian Amit
Thriving vendor marketplaces (such as iTunes and the Android store) encourage the rapid development and deployment of mobile applications to consumers and businesses alike. Additionally, alternative 3rd-party download and install markets open up as software writers seek opportunities outside the walled gardens provided by the mainstream stores.

26 Attacking the Mobile Infrastructure
by Bill Mathews
We will explore a few philosophies for attacking a mobile management infrastructure. The article will cover the differences in testing mobile stuff vs "everything else" as well as reusing some of the things you know to demystify the mobile world.

30 ToneLoc and Load – Useful For a Pentester?
by Chris McAndrew
When on average it takes less than half an hour to bypass the security of many voicemail systems and the rewards can be over £250,000 for a weekend's work, it's no wonder that phreaking telephone systems is enjoying a resurgence.

34 Inside Android Applications
by Devesh Bhatt
By the end of 2011, the number of Smartphone shipments around the world will explode to nearly 468 million units and the Android operating system would have a fifty percent market share. This would increase the number of attacks on mobile applications and also the investment in securing the applications from the attacks.

(NEW) STANDARDS

36 New Penetration Testing Business Model
by Arthur Gervais
Today everybody can become a hacker. The knowledge spreads all over the Internet. A lot of hackers are showing their know-how by sharing the results of their attacks. Why not use this knowledge through crowd-sourcing in order to globally improve security? Starting from this fundamental idea, a business model has been developed by Hatforce.

HOW-TO

42 Building Your Own Pentesting Application
by Dhananjay D. Garg
Although even today web browsers serve the primary purpose of bringing information resources to the user, they no longer represent a software application with bare bones support for just HTML. Today, web browsers like Mozilla Firefox come with the support of add-ons, which are small installable enhancements to a browser's
POINT OF VIEW
Isn't Social Engineering the Safest Form of PenTesting?
If it's permitted, registered and certified, it's pentesting, and if it's not, in plain words, it's just scary hacking.

One might argue over this, but for a student and a budding pentester like me, this is the truth and holds water. Social engineering won't call your work illegal unless you harm someone personally or cause some financial loss. Plus, since you don't have certifications at competitive prices, no one even wants you to be a certified Social Engineer at that unaffordable price.

As a learner I don't think any of the two should be your main concerns. Just knowing the password and some browsing using it should be enough for an encouragement. I can get someone drunk and get his passwords rather than doing phishing and other stuff. Getting picked up by girls from a bar and then using their laptop or desktop with an excuse to check my mails is what I have been doing lately. The fun part is to then discover the lover's files and saved passwords… Okay, maybe I am not being picked up by girls in the bar, but they do give me their laptops to use the Internet (not in the bar of course, well, the bar was supposed to sound cool). Anyways, other moves are: offering my laptop to others to change passwords or log in to any account. Some smart ones check the anti-virus inclusion list to track keyloggers, some trust me, others have not heard about Firefox add-ons, or the changed script that enables storing all passwords without offering to remember.

Trojans haven't helped me much, nor has any exploit from Metasploit that I know of (some 3 or 4), except for my own virtual machine which has no anti-virus. Accessing other PCs myself rather than accessing them remotely has so far worked pretty well for me. I'm often filled with guilt that I make friends just to add them to my stolen passwords list… But that's a different story, let's not get there. Watching desktop screens of your friends at night and clicking their picture remotely at that very moment aren't on the list of the most interesting things, but one still might enjoy doing it for fun and, of course, learning. But try not to go for the easy way, which is implanting the .pdf in your friend's laptop, who uses an older version of Adobe Reader. Removing my device from my friend's Facebook was the coolest correction that I've done so far (oh, try Konqueror, it impressed me). Getting the phone number to stay in touch is easy, then updating Facebook status from that number is so much fun, thanks to the websites the names of which can't be disclosed here.

Moving on, the only method I've found to protect my own Facebook wall from SMS spoofing is by not sharing my phone number with anyone. SMS spoofing is so easy, simple and free a non-geek can do it. Against caller ID spoofing, those who can crack Asterisk aren't idle enough to try me, so I feel pretty much safe. I am not so sure if Facebook knows they have this vulnerability, since it's still on the go. I really hope they buy this issue.

Upon being caught when the secret was somehow revealed to people, saying that I was pentesting your
POINT OF VIEW
Trust Pentesting Team. Do You?

With the advent of security and its counterpart, a large share of vulnerabilities has been due to human errors in the software lifecycle. These errors have either crept in mistakenly, or the loopholes have been intentionally inserted with 'malicious' intentions.

The last decade witnessed millions of small or critical vulnerabilities, most of them duly fixed, mitigated or remediated, but what about the human link, the human mistakes, the human intentions? These can never be fixed, but early detection and a keen eye can save you from unintentionally handing the secret keys to a thief.

In my professional and personal experience, there have been very few clients and customers who are actually aware of what is happening during their pentest phase. They are aware of the vulnerabilities reported, and of the calls and explanations presented by the pentesting team, but are oblivious to the network facts and access rights. Most clients have strict objectives mentioned in the contract. These objectives include guidelines that refrain a pentester from DoS attacks on a service or system, persistent threats, intrusive attacks or code execution, etc., if the system is live and in production, as this can result in disruption of their services. If, on the other hand, the system is a dummy clone, such attacks can be permitted by the client under controlled conditions. But how many customers actually verify the attempts made by the pentesting team through the logs – system as well as network logs?

A pentesting team has limited time slots or time windows to perform such assessments. As a standard practice, a client should always make a note of the IP addresses allowed for the pentester and exempt them on the perimeter security (if really needed), but otherwise keep the rest of the security controls on their toes. The IT team should always check the logs and look for anything that is beyond the scope of the pentesting contract, for example:

• Check the resources being accessed via the application and/or server logs.
• Check the internal and/or public IP addresses being accessed via the network logs.
• Any discrepancy in the logs reflecting the pentesters' IP address should result in blocking that IP address till a satisfactory explanation is provided by the team.

In the worst case scenario, an attacker (hidden under a pseudonym) renders his services to a firm wearing a white hat and steals database information, source code, or even credentials. Later, even if the vulnerability has been mitigated, he still possesses critical information under his disguise. If the logs show that some of the critical files have been dumped during the pentesting phase, a client can (and should)
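The three log checks listed above, as an added example that is not part of the article: it reads Apache/nginx "combined" access log lines and reports every request from the agreed tester address range that falls outside the test window or the in-scope URL prefixes, plus any tester request for dump/backup-style files that the client should ask the team about. The tester range, test window, scope prefixes, sensitive-path markers and the log lines are all constructed for illustration, not taken from a real engagement.

```python
"""Scope check of a web server access log against a pentest engagement contract.

Added example (not from the article). The engagement parameters and the log
lines below are constructed; real contracts would load them from the SoW.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Engagement contract parameters (assumed for illustration).
TESTER_NETS = [ipaddress.ip_network("203.0.113.0/28")]
TEST_WINDOW = (datetime(2011, 9, 5, tzinfo=timezone.utc),
               datetime(2011, 9, 9, 23, 59, 59, tzinfo=timezone.utc))
IN_SCOPE_PREFIXES = ("/app/", "/api/")
# Paths worth escalating even when in scope: bulk data leaving during a test.
SENSITIVE_MARKERS = (".sql", "dump", "backup", ".git/", ".env")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """One combined-format line -> dict, or None when the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {"ip": ip, "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def is_tester(ip):
    """True when the source address is inside the contracted tester range."""
    return any(ip in net for net in TESTER_NETS)


def scope_findings(lines):
    """Return (kind, ip, path) tuples for every tester request that breaks scope."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is None or not is_tester(e["ip"]):
            continue  # ordinary users are not the subject of this check
        ip, path = str(e["ip"]), e["path"]
        if not TEST_WINDOW[0] <= e["ts"] <= TEST_WINDOW[1]:
            out.append(("outside_window", ip, path))
        if not path.startswith(IN_SCOPE_PREFIXES):
            out.append(("out_of_scope_path", ip, path))
        if any(marker in path.lower() for marker in SENSITIVE_MARKERS):
            out.append(("sensitive_file", ip, path))
    return out


# Constructed sample: three tester requests and one from an unrelated address.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Sep/2011:10:15:02 +0000] "GET /app/login HTTP/1.1" 200 512 "-" "curl/7.21"',
    '203.0.113.5 - - [06/Sep/2011:10:16:40 +0000] "GET /backup/db_dump.sql HTTP/1.1" 200 8388608 "-" "curl/7.21"',
    '203.0.113.5 - - [12/Sep/2011:02:01:11 +0000] "GET /app/admin HTTP/1.1" 403 120 "-" "curl/7.21"',
    '198.51.100.7 - - [06/Sep/2011:10:17:00 +0000] "GET /app/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for kind, ip, path in scope_findings(SAMPLE_LOG):
        print("%-18s %-12s %s" % (kind, ip, path))
```

Run against the constructed lines it reports the 8 MB pull of /backup/db_dump.sql twice (out of scope and a sensitive file) and the 403 on /app/admin three days after the window closed; the request from 198.51.100.7 is ignored because it is not the tester's. Feeding it the real access log for the engagement dates is the verification step the article says most clients skip.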
FOCUS
Breaking Down the i*{Devices}
Penetration Testing Like a Hacker

Smartphones have revolutionized the world. The online world is grappling with severe security and privacy issues. Smartphone applications require an aggressive approach to security testing and integrity verification in order to serve the three metrics of security: confidentiality, integrity and availability.

This paper sheds light on the behavioral testing and security issues present in Apple's iOS devices and applications. Primarily, this paper revolves around penetration testing of the iPhone device and its applications. The paper does not discuss iPhone application source code analysis and reverse engineering.

Mach-O Format and iPhone Architecture

Mach-O is the native executable file format for applications and programs on Apple devices; Apple documents it as part of the Mac OS X ABI. Mach-O supports both intermediate (debug) and final (release) builds of a binary, and both dynamically and statically linked code, which is helpful when debugging. A Mach-O file is divided into three main parts: the header, the load commands and the data.

The header identifies the target CPU type and subtype, the file type, and the number and total size of the load commands; the kernel uses it to decide whether, and how, the binary can execute on a given processor and architecture. The load commands describe the segments of the file: each segment load command gives the segment's file offset and size, its virtual memory address and size, and its maximum and initial memory protection attributes. When the binary is loaded, the segments are mapped into virtual memory at page-aligned addresses. The data part holds the actual sections of code and data that the segment load commands point into. Typically there are __TEXT and __DATA segments; Objective-C binaries additionally carry compiler-generated runtime metadata (the __OBJC segment under the legacy 32-bit Mac OS X runtime, and __objc_* sections inside __DATA under the modern runtime that iOS uses). The internals of the Mach-O format can be read here [1]. Figure 1 shows the generic layout of the iPhone architecture.

Application binaries retrieved from the App Store are encrypted (Apple's FairPlay DRM; the LC_ENCRYPTION_INFO load command records the encrypted range and a non-zero cryptid). Before any binary or source-level analysis, the executable has to be decrypted, which in practice means dumping the decrypted __TEXT segment from the running process on a jailbroken device, since the kernel only decrypts it at load time.

Figure 1. iPhone architecture
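The header and load-command walk described above, as an added example that is not the paper's own code: it reads the Mach-O header, lists each segment with its virtual address range and protection, and reports the LC_ENCRYPTION_INFO cryptid, which is the quickest way to tell an App Store binary that still needs dumping (cryptid 1) from one that has been decrypted (cryptid 0). The constants are the ones from Apple's mach-o/loader.h; the sample input is a constructed 32-bit ARM skeleton with two segments and an encryption command, not a real application, and `build_sample` exists only to produce it.

```python
"""Mach-O header / load-command reader with an App Store encryption check.

Added example, not from the paper. Constants follow mach-o/loader.h; the
sample binary is constructed, not a real app.
"""
import struct

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit, same-/opposite-endian
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA      # universal binary wrapper
LC_SEGMENT, LC_SEGMENT_64 = 0x01, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPES = {7: "x86", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}


def _prot(bits):
    """VM_PROT_READ/WRITE/EXECUTE bits -> 'rwx' style string."""
    return "".join(c if bits & b else "-" for c, b in (("r", 1), ("w", 2), ("x", 4)))


def parse_macho(data):
    """Return {'cputype', 'segments': [(name, vmaddr, vmsize, prot)], 'cryptid'}.
    cryptid is None without an encryption command, 0 when decrypted, and
    non-zero (normally 1) for an App Store binary that still needs dumping."""
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end, magic = ">", struct.unpack_from(">I", data, 0)[0]
    elif magic in (FAT_MAGIC, FAT_CIGAM):
        raise ValueError("fat binary: split out one architecture slice first")
    else:
        raise ValueError("not a Mach-O file (magic 0x%08x)" % magic)
    is64 = magic == MH_MAGIC_64
    cputype, _sub, _ftype, ncmds, sizeofcmds, _flags = struct.unpack_from(end + "6I", data, 4)
    off = 32 if is64 else 28  # the 64-bit header has a trailing reserved word
    if off + sizeofcmds > len(data):
        raise ValueError("load commands run past end of file")
    result = {"cputype": CPU_TYPES.get(cputype, hex(cputype)), "segments": [], "cryptid": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        if cmd == LC_SEGMENT:
            name, vmaddr, vmsize, _fo, _fs, _maxp, initp = struct.unpack_from(end + "16s6I", data, off + 8)
            result["segments"].append((name.rstrip(b"\0").decode(), vmaddr, vmsize, _prot(initp)))
        elif cmd == LC_SEGMENT_64:
            name, vmaddr, vmsize, _fo, _fs, _maxp, initp = struct.unpack_from(end + "16s4Q2I", data, off + 8)
            result["segments"].append((name.rstrip(b"\0").decode(), vmaddr, vmsize, _prot(initp)))
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from(end + "3I", data, off + 8)
            result["cryptid"] = cryptid
        off += cmdsize
    return result


def is_encrypted(data):
    """True when the binary carries LC_ENCRYPTION_INFO with a non-zero cryptid."""
    return bool(parse_macho(data)["cryptid"])


def build_sample(cryptid=1):
    """Constructed little-endian 32-bit ARM (ARMv7) MH_EXECUTE skeleton, not a real app."""
    def seg(name, addr, size, prot):
        # cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
        return struct.pack("<2I16s8I", LC_SEGMENT, 56, name, addr, size, 0, size, 7, prot, 0, 0)
    cmds = (seg(b"__TEXT", 0x1000, 0x3000, 5)       # r-x
            + seg(b"__DATA", 0x4000, 0x1000, 3)     # rw-
            + struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x3000, cryptid))
    header = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 3, len(cmds), 0)
    return header + cmds


if __name__ == "__main__":
    info = parse_macho(build_sample())
    print(info["cputype"], "encrypted" if is_encrypted(build_sample()) else "clear")
    for name, addr, size, prot in info["segments"]:
        print("%-8s 0x%08x-0x%08x %s" % (name, addr, addr + size, prot))
```

On a real binary, read the file (or one slice of a fat binary) into `data` and call `parse_macho`; a cryptid of 1 means the __TEXT bytes on disk are still FairPlay-encrypted and any disassembly of them is noise until the segment has been dumped from memory.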
classes which should be verified in every penetration testing project. This set of issues has been derived on the same benchmark as the web application top 10, but in reality security testing differs because of the architecture and deployment environment of the applications. In any case, the top 10 mobile risks should be incorporated into the methodology of iPhone testing.

During the course of this paper, it has been shown that a lot of developments have taken place in the iOS world and testing should be executed accordingly. In the past, iPhone testing has been done in relation to specific scenarios, but nowadays iPhone applications require more aggressive testing to ensure security.

Acknowledgement
I would like to thank Itzik Kotler (CTO, Security Art) for reviewing the paper and providing deep insight into iPhone penetration testing. I would also like to thank Dr. Richard J Enbody for providing continuous support in doing security research.

Conclusion
The world is changing fast due to the mobile revolution. This paper deliberated upon the iPhone architecture from the perspective of penetration testing. The architecture plays a crucial role in developing security testing methodologies. In this paper, detailed iPhone security testing vectors have been discussed, which include testing of data at rest, decrypting files and insecure design practices followed by application developers. For a fully matured security assessment of iPhone applications, all the discussed vectors should be tested appropriately so that secure applications can be developed.

ADITYA K SOOD
Aditya K Sood is a Senior Security practitioner, researcher and PhD candidate at Michigan State University. He has already worked in the security domain for Armorize, COSEINC and KPMG. He is also a founder of SecNiche Security Labs, an independent security research arena for cutting edge computer security research. He has been an active speaker at industry conferences and has already spoken at RSA, HackInTheBox, ToorCon, HackerHalted, Source, TRISC, AAVAR, EuSecWest, XCON, Troopers, OWASP AppSec US, FOSS, CERT-IN (07) etc. He has written content for HITB Ezine, Hakin9, ISSA, ISACA, CrossTalk, Usenix Login, Elsevier Journals such as NESE, CFS. He is also a co-author for Debugged magazine.
FOCUS
Act Like A Criminal
Leveraging Android Malware for Improved Penetration Testing Results

What, act like a criminal? That would usually be considered bad advice, but having an understanding of how cyber criminals conduct business will lead to better penetration testing results. In-depth malware analysis will reveal criminals' tactics, techniques, and procedures. These can be utilized to generate improved penetration testing abilities by allowing the tester to view the target as a would-be intruder does.

With the emergence of the Android Operating System (OS) into the mobile market, nation state hackers and criminals alike are actively conducting attacks against the OS and its users for information gathering and financial gain. A high reward tool in an attacker's arsenal is malicious software, also known as malware, which allows information to be gathered and extracted from targeted mobile devices. It is commonplace to rely on Anti-Virus (AV) as the basis of the mobile security model and trust that AV will identify malware. If AV does successfully detect malware, most people will simply remove the malicious software and think that the threat has been mitigated, with no work left to be done. This is a flawed and incomplete approach that does not leverage the intelligence that can be gained from analyzing the malware sample.

Analysis can provide security professionals further insight into attack details such as: the intent, whether this was a targeted attack, the persistence mechanism, the propagation technique, etc. Analysis can also supply attack professionals with the same information, allowing the attack to be replayed during penetration testing. This data gives a developer the ability to extract interesting pieces of malware samples to be repurposed and used in new attack weapons.

The reason most defensive and offensive professionals do not conduct in-depth malware analysis is twofold. First, they do not properly understand the benefits of doing so, and secondly they lack the knowledge necessary to do so. (Well, maybe they have limited time, but I am biased and believe everyone should conduct malware analysis.) Both of these issues will be addressed with solutions comprised of the benefits of conducting Android malware analysis and details on setting up an Android malware analysis environment.

Why target Android?
The Android Operating System (OS) has burst onto the scene and taken a huge portion of the Smartphone market share from Symbian OS and iOS to become the market leader. This surge is in large part due to the fact that Google makes the source code to the Android OS available. This has led to applications being developed for Android at a pace exceeding the popular iOS, though iOS still has significantly more applications available. This is evidence that the Android OS is here to stay. With so many Android users out there utilizing the Android software, a large attack base is provided to attackers.
A Smartphone running the version of Android you selected is now active within the analysis environment, and the malicious application can be loaded. This is accomplished with adb, issuing the following command:

adb.exe install <sample.apk>

(Note: Replace sample with the file name of the malware sample you are analyzing; on Linux or Mac OS X the binary is simply adb.) Table 1 is a list (not comprehensive) of free tools available for Android malware analysis to aid during the examination of a malware sample.

Many in the security field view malware analysis as the reactive response to an attack, but the opposite approach can be taken to help mitigate damage before it occurs. Penetration testers can perform malware analysis, or use its results, to understand what an attacker is after, the persistence mechanisms, the propagation techniques, and the advanced methods being utilized. This intelligence allows penetration testers to replay real-world attacks and ensure the highest quality results are provided to the customer.

CORY ADAMS
Cory Adams has been in the information security field for over 7 years. He is currently a Reverse Engineer with a Fortune 100 company. He specializes in malware analysis as well as vulnerability analysis. Follow Cory on twitter @SeedyAdams.
FOCUS
Mobile Application Security Testing
Mobile apps are more than the sum of their components

Thriving vendor marketplaces (such as iTunes and the Android store) encourage the rapid development and deployment of mobile applications to consumers and businesses alike. Additionally, alternative 3rd-party download and install markets open up as software writers seek opportunities outside the walled gardens provided by the mainstream stores.

Having your software purchased and downloaded by millions of people worldwide has long been the holy grail of mobile software developers, but it also attracts the attention of fraudsters who recognize the accessibility and lack of security features of these platforms. The mobile platform opens several attack avenues for malicious software and opportunities to defraud victims due to its lax control mechanisms and lack of standardization of the user experience. Therefore, mobile applications should be designed, developed, and tested with security in mind, much like web applications that handle sensitive information.

The design and development of mobile applications is significantly different from that of traditional client-server or web applications. Mobile applications should take into account both the environment (platform, libraries, capabilities) and major differences in end-user expectations. Mobile users demand a simple user experience (in terms of details), and often require completely different business processes compared with other interaction channels.

Security Challenges
There are two main security challenges to mobile applications that stem from their usage and limitations:

• Insecure Connections
• Simplified User Experience

Insecure Connections
Mobile devices are used in a number of unknown and often insecure connection profiles (from public Wi-Fi, through rogue cells that proxy communication). This makes them vulnerable to simple attacks not considered in the threat modeling of a traditional web application. Additionally, insecure communications are often used to overcome platform limitations and design considerations such as battery consumption profiles, processing speed, and communication overhead. Insecure communications for mobile applications expose several exploitation avenues (including local and remote), and enable fraudulent application creation using extremely simple tools and techniques that are freely available in the market. This not only puts the end user at risk of data loss, but also allows attackers an easy access path into the organization that provides services through the mobile applications. Any foreign code that runs on the mobile platform has the potential to alter the user experience and manipulate the locally stored data as well as the data in transit. Thus fraudsters gain a prime opportunity to conduct their attacks.
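The most common way an app ends up with the "insecure connection" described above is in its own TLS client setup: verification is switched off to get past a self-signed test server or a captive portal, and the app ships that way, which is all a rogue Wi-Fi hotspot or a proxying cell needs. The following is an added example, not code from the article: the weak configuration beside the hardened one, a small hypothetical linter (`audit_context`) that spots the weak one in a code review or a test suite, and a fingerprint pin check of the kind a mobile app should apply to its own back end. The pin set and the DER bytes used in the offline check are constructed, not a real certificate; `connect_pinned` needs a network and is included to show where the pin check sits.

```python
"""Weak versus hardened TLS client configuration, and a certificate pin check.

Added example (not from the article). audit_context() is a hypothetical
linter for ssl.SSLContext objects; the pin material below is constructed.
"""
import hashlib
import socket
import ssl


def insecure_context():
    """The 'it just works on the test server' client: trusts any cert for any host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def hardened_context():
    """System trust store, hostname check, TLS 1.2 as the protocol floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the list of weaknesses found in a client SSLContext (empty means OK)."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    weak_floors = (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.SSLv3,
                   ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
    if ctx.minimum_version in weak_floors:
        findings.append("protocol floor below TLS 1.2 (%s)" % ctx.minimum_version.name)
    return findings


def cert_fingerprint(der_cert):
    """SHA-256 over the DER certificate: the value an app would ship as its pin."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pins):
    """True when the presented certificate's fingerprint is in the pin set."""
    return cert_fingerprint(der_cert) in pins


def connect_pinned(host, port, pins, timeout=5.0):
    """Open a TLS connection with the hardened context and enforce the pin set on
    top of normal chain validation. Raises ssl.SSLError on a pin mismatch.
    Needs network access; not exercised by the offline checks."""
    ctx = hardened_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                           server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError("certificate for %s does not match the pin set" % host)
    return sock


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
```

The audit deliberately reports MINIMUM_SUPPORTED as a weakness: it means "whatever the OpenSSL build allows", which on an old device can still be SSLv3. Pinning the whole certificate (rather than the public key) is the simpler form and is what is shown here; it means the pin set must be rotated when the back-end certificate is reissued, so ship at least one backup pin.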
FOCUS
Attacking the Mobile Infrastructure

We will explore a few philosophies for attacking a mobile management infrastructure. The article will cover the differences in testing mobile stuff vs "everything else" as well as reusing some of the things you know to demystify the mobile world.

I would like to point out that I am by no means an expert in mobile devices or their management infrastructures. This article was as much a learning experience for me as a writing project. I chose, deliberately, not to make this a terribly technical article and more of a "how to approach this" article, because I think sometimes in our industry we get hopelessly lost in the "this will be so cool" that we forget the "this is the right, practical approach". Hope you enjoy.

As penetration testers we oftentimes get mired in trying to craft attacks and finding 0-days when we should be fixating on our jobs, that is to provide an assessment of the security posture of a given system with practical scenarios. Though I see the value in crafting new attacks, I'm not sure it's the job of a traditional penetration tester, but that's another article. It's hard enough to resist that temptation when dealing with web applications and Windows systems that have been around forever and are pretty well understood, but throw in something new and our geek buzzers start buzzing overtime. Whenever we're asked to test some new thing, in this case a mobile infrastructure, out come the compilers and debuggers. We should start by asking ourselves the most boring question possible: is this stuff really THAT different than what we're used to?

Mobile smart phones and tablets do have a few key differences that I wanted to outline:

• They are by and large single user systems with root or admin restricted by default
• They run specialized operating systems but rely heavily on web interactions
• Often they aren't controlled or managed by IT; users bring in their personal phones for business use (we're not focusing on these)
• Tablets (well, the iPad anyway) are quickly becoming a great way to work from conference rooms, meetings, etc. They are really a hybrid between a smart phone and a laptop.

Now before we dig too much deeper I want to say that I'm not going to focus too much on attacking the phones/tablets themselves; there is quite a bit of research and work being done in those areas already and I doubt I could add much to it. I have always taken a more practical approach to penetration testing (right or wrong): I start with the simplest, widest reaching techniques first, then move out to the more difficult methods of attack. I'm not discounting direct phone attacks, I just find them to be more of a pain
FOCUS
ToneLoc and Load
Useful For a Pentester?

When on average it takes less than half an hour to bypass the security of many voicemail systems and the rewards can be over £250,000 for a weekend's work, it's no wonder that phreaking telephone systems is enjoying a resurgence.

Written off by many as Old Hat or Lo Tech and definitely belonging to the 1980's, does the wardialler still have a place in the modern pen tester's toolkit? I would suggest that this question is best answered by someone who is currently suffering from a Theft of Service attack against their PBX and is haemorrhaging cash at £30 to £40k per day. The attack may not be new, the technology may have been around for many years, but it is still very effective and increasingly popular.

Wardialling originally was the practice of dialling all of the telephone numbers in a range in order to find those which were answered with a modem. These days it is more accurate to say that the goal is to classify all the responses as accurately as possible; in fact, if you visit the web sites for the last two wardiallers in my brief timeline you will see that both make a point of saying that they can classify / attack PBX and voicemail systems.

Wardialling first came into the spotlight in the 1983 film War Games, where David Lightman, the hacker, uses a wardialler, appropriately called the war games dialler, to unwittingly access WOPR, the supercomputer which is programmed to predict possible outcomes of nuclear war, and nearly starts World War III. As with most things to do with computing the original name just has to be shortened, so the war games dialler became the war dialler.

1993(ish): ToneLoc (/tools/auditing/pstn/), short for Tone Locator, was created by Minor Threat and Mucho Maas. It is DOS-based but also runs on Win95+ platforms. It dials numbers and saves the login session to be viewed

1995: THC-Scan, the world's most used cross-platform wardialler, was released, and approximately 10 years later THC-Scan evolved into THC-ScanNG (Next Generation). Once again van Hauser created a masterpiece; TSNG was distributed: if you have a pool of 1000 modems – no problem! One master server could control a vast array of zombies, allowing the war dialling to be controlled remotely. TSNG can be downloaded from

1998: Sandstorm (now NIKSUN) released PhoneSweep, the Corporate War Dialler. PhoneSweep offered a safe platform (no hackers using it to distribute Trojans) which utilised a GUI interface running under Windows 95. PhoneSweep is still available (commercially) today. PhoneSweep offers three distinct modes, Connect, Identify or Penetrate, and is capable of classifying phones, faxes and modems in a single call utilising their patented Single Call Detect methodology. Additional product information is available from http://

2001: SecureLogix release version 3 of their Telesweep Wardialler. Telesweep offers both passive (the first call into a number is in voice mode – no tones are sent)
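The three things every tool in the timeline above does, dialling a number range, doing so in a non-sequential order, and classifying the answer, as an added example that is not ToneLoc's or any other product's code: the mask syntax (X for any digit, as in ToneLoc's 555-XXXX) and the Hayes result strings a modem returns are the real conventions, while the number range, the random seed and the simulated responses are constructed for illustration. The modem itself is replaced by a dictionary, so the sweep runs offline.

```python
"""Dial-mask expansion, randomised dial order and result classification,
the core of a wardialler.

Added example, not ToneLoc's own code. The mask and Hayes result-code
conventions are real; the number range and responses are constructed.
"""
import itertools
import random
import re


def expand_mask(mask):
    """'555-12XX' -> ['5551200', '5551201', ..., '5551299'] (formatting dropped)."""
    digits = re.sub(r"[^0-9Xx]", "", mask).upper()
    if not digits or "X" not in digits:
        raise ValueError("mask needs at least one X wildcard: %r" % mask)
    slots = digits.count("X")
    out = []
    for combo in itertools.product("0123456789", repeat=slots):
        it = iter(combo)
        out.append("".join(next(it) if c == "X" else c for c in digits))
    return out


def dial_order(numbers, already_dialled=(), seed=None):
    """Randomise the remaining numbers so the target sees no sequential sweep."""
    done = set(already_dialled)
    todo = [n for n in numbers if n not in done]
    random.Random(seed).shuffle(todo)
    return todo


# Hayes result codes -> classification; specific patterns are tested first.
RESULT_RULES = (
    (re.compile(r"^CONNECT(\s+\d+)?"), "carrier"),       # a modem answered: log the banner
    (re.compile(r"^\+FCO|FAX"), "fax"),
    (re.compile(r"^BUSY"), "busy"),
    (re.compile(r"^NO DIALTONE"), "line_fault"),         # our own line, not the target
    (re.compile(r"^NO ANSWER"), "no_answer"),
    (re.compile(r"^NO CARRIER"), "voice_or_hangup"),     # answered, no modem handshake
    (re.compile(r"^VOICE"), "voice"),
)


def classify(result_line):
    """Map one modem result line to a classification label."""
    line = result_line.strip().upper()
    for rx, label in RESULT_RULES:
        if rx.search(line):
            return label
    return "unknown"


def sweep(mask, responses, seed=0):
    """Simulated sweep: `responses` maps number -> modem result string; numbers
    missing from it answer 'NO ANSWER'. Returns {label: sorted numbers}."""
    report = {}
    for number in dial_order(expand_mask(mask), seed=seed):
        label = classify(responses.get(number, "NO ANSWER"))
        report.setdefault(label, []).append(number)
    for numbers in report.values():
        numbers.sort()
    return report


# Constructed responses for the simulated range.
SAMPLE_RESPONSES = {
    "5551203": "CONNECT 9600",
    "5551217": "BUSY",
    "5551240": "+FCO",
    "5551288": "NO CARRIER",
    "5551299": "VOICE",
}

if __name__ == "__main__":
    for label, numbers in sorted(sweep("555-12XX", SAMPLE_RESPONSES).items()):
        print("%-16s %d  %s" % (label, len(numbers), " ".join(numbers[:5])))
```

The "carrier" hits are the numbers the 1980s tools stopped at; the PBX and voicemail attacks the text mentions live in the "voice" and "voice_or_hangup" buckets, which is why the modern products advertise classification rather than just carrier detection.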
FOCUS

Inside Android Applications

By the end of 2011, the number of Smartphone shipments around the world will explode to nearly 468 million units and the Android operating system would have a fifty percent market share. This would increase the number of attacks on mobile applications and also the investment in securing the applications from the attacks.

The most important part of performing an application pentest for an Android application is understanding the manifest configuration. Analyzing a manifest file is one of the most important and tedious tasks while performing a penetration testing assessment on the world's most popular mobile OS.

Android is a privilege-separated operating system, in which each application runs with a distinct system identity. At install time, Android gives each package a distinct Linux user ID. The identity remains constant for the duration of the package's life on that device. On a different device, the same package may have a different UID; what matters is that each package has a distinct UID on a given device.

Every Android application must have an AndroidManifest.xml file in its root directory. The manifest presents essential information about the application to the Android system. High-level permissions restricting access to entire components of the system or application can be applied through the AndroidManifest.xml. The manifest file does the following:

• It describes the components like the activities, services, broadcast receivers, and content providers that the application is composed of. These declarations let the Android system know what the components are and under what conditions they can be launched.
• It determines which processes will host application components.
• It declares which permissions the application must have in order to access protected parts of the API and interact with other applications.

Figure 1. AndroidManifest.xml natively obfuscated
Figure 2. Decoding apk application file
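As an added illustration of the manifest review the article describes (this is example code written for this page, not code from the magazine or its author), the Python script below walks a decoded AndroidManifest.xml and lists every component it declares, whether other applications can reach it, and whether an android:permission guards it. The manifest embedded in the script is constructed for the example; the package name com.example.demo and the component class names are placeholders. The exported rule it applies is the documented default: an explicit android:exported attribute wins, otherwise a component with an intent-filter is exported and one without is private, and a content provider with no attribute is treated as exported (the default before API level 17) so that the check errs on the side of flagging it.

```python
"""Added example (not from the article): audit a decoded AndroidManifest.xml
for components that other applications can reach without a permission check.
The manifest text below is constructed for this example; the package name
com.example.demo and the component class names are placeholders."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest: a launcher activity, a debug activity that is
# explicitly exported, a service guarded by a signature permission, a boot
# receiver (exported implicitly via its intent-filter) and a content provider
# with no android:exported attribute at all.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <permission android:name="com.example.demo.permission.SYNC"
                android:protectionLevel="signature"/>
    <application android:label="Demo">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".DebugActivity" android:exported="true"/>
        <service android:name=".SyncService" android:exported="true"
                 android:permission="com.example.demo.permission.SYNC"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <provider android:name=".NotesProvider"
                  android:authorities="com.example.demo.notes"/>
    </application>
</manifest>
"""


def android_attr(elem, attr):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


def is_exported(elem):
    """Manifest default rules: an explicit android:exported wins; otherwise a
    component with an intent-filter is exported and one without is private,
    except a provider, which is treated as exported (the pre-API-17 default)
    to stay on the conservative side."""
    explicit = android_attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return True
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return the package name, the requested permissions and one record per
    component with its exported status and guarding permission."""
    root = ET.fromstring(xml_text)
    report = {
        "package": root.get("package"),
        "uses_permissions": [android_attr(e, "name")
                             for e in root.findall("uses-permission")],
        "components": [],
    }
    application = root.find("application")
    children = list(application) if application is not None else []
    for elem in children:
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported = is_exported(elem)
        permission = android_attr(elem, "permission")
        report["components"].append({
            "type": elem.tag,
            "name": android_attr(elem, "name"),
            "exported": exported,
            "permission": permission,
            # Reachable from other apps with nothing in the manifest guarding
            # it: these are the entries a reviewer looks at first.
            "unprotected": exported and permission is None,
        })
    return report


def unprotected_components(xml_text):
    """Names of exported components that declare no android:permission."""
    return [c["name"] for c in audit_manifest(xml_text)["components"]
            if c["unprotected"]]


if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    print("package:", result["package"])
    print("requests:", ", ".join(result["uses_permissions"]))
    for c in result["components"]:
        flag = "UNPROTECTED" if c["unprotected"] else "ok"
        print("%-9s %-16s exported=%-5s permission=%s  %s"
              % (c["type"], c["name"], c["exported"], c["permission"], flag))
```

The script needs the textual manifest, i.e. one decoded from the apk as in Figure 2; the binary-encoded form shown in Figure 1 will not parse. On the sample it flags the launcher activity (exported by design, so expected), the explicitly exported debug activity, the boot receiver and the provider, and leaves the service alone because a signature-level permission guards it; the exported-but-unguarded services, receivers and providers are the entries worth reading the code for during the pentest.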
(NEW) STANDARDS

New Penetration Testing Business Model
Crowd-sourcing For IT-Security

Today everybody can become a hacker. The knowledge spreads all over the Internet. A lot of hackers are showing their know-how by sharing the results of their attacks. Why not use this knowledge through crowd-sourcing in order to globally improve security? Starting from this fundamental idea, a business model has been developed by Hatforce.

Almost daily we can see on the news that a new IT system has been attacked by hackers. Whether it is about Sony [1] or the CIA website [2], these attacks, harmful in 90% of the cases, show that behind them lies a competent community with a high IT security potential. We ask ourselves then: Where do these hackers come from? Are they employed professionals? Do they act with a well-defined purpose, or are they just smart individuals who don't know what else to do with their knowledge and free time?

The beliefs of a hacker may be not easy to understand and gloomy. A hacker's profile can extend from a rogue high-school teenager to an experienced professional. While some hackers have the chance to fructify their knowledge in a legal environment, others gain their living following illegal activities. Nevertheless, they all share a common passion for IT security and they have an important potential.

As modern cybercrime is continuously developing and turning into a financially motivating market, there is a strong need of reinforcements. We should give every IT-security talented person the opportunity to show their skills and use them for a good cause. Why not use their passion in order to turn them to the right side?

Current situation

Over the last couple of years, an interesting trend is visible in the world of IT: large companies start paying money to people who find vulnerabilities within their products. For example, Mozilla has been rewarding people who found security weaknesses of their well-known browser [3]. Google is also running a very well paid bounty program for their Chrome browser and their websites and is ready to pay important amounts of money [4]. Facebook also adopted this new trend and started at the end of July 2011 to reward vulnerability researchers [5].

A possible explanation for this recent action may be the fact that companies start to become aware of the potential skilfulness that hackers might possess. Consequently, the companies start to cooperate with the hacker communities, instead of taking legal action against them (like Sony did for example [6]).

Considering that the cooperation between hackers and companies can stand while there is enough benefit on both sides, the startup Hatforce came up with an idea.

The idea

Hatforce came up with an idea which can be called an open market crowd-sourcing platform for penetration tests. The principle is simple: using the worldwide hacker community in order to find vulnerabilities in every IT system possible (websites, servers, software, etc.) and reward them for the vulnerabilities they found.
HOW-TO

Building Your Own Pentesting Application

Although even today web browsers serve the primary purpose of bringing information resources to the user, they no longer represent a software application with bare bones support for just HTML. Today, web browsers like Mozilla Firefox come with the support of add-ons, which are small installable enhancements to a browser's foundation.

These add-ons, when installed inside a browser, can add additional functionality to the browser, and this additional functionality can be used on the web pages that are viewed by the user.

The best part about these add-ons is that they enable third-party developers to add new features without interfering with the original source code of the host application. These add-ons are dependent on the services that are provided by the host application to register themselves. Thus, third party developers can update their add-ons without making any changes to the host application, as the host application operates independently. These add-ons can serve for scatterbrained as well as for informative purposes like penetration testing, and more.

Mozilla Firefox Add-ons

Mozilla Add-ons (https:// firefox/) is a huge repository for add-ons that support Mozilla software like the Mozilla Firefox browser. These add-ons are submitted by many developers from across the globe for end-users. Using the privacy and security add-ons from this gallery, we can build a good browser based application for penetration testing and security purposes.

Pen Testing Add-ons

Tor

Tor: Experts always suggest that it's best to hide your identity before getting involved in any security related operations. Tor allows users to maintain online anonymity. Tor basically has a worldwide network of servers that helps route the internet traffic and thus disguise a user's geographical location. The best thing about Tor is that it's open-source and anybody can use the Tor network for free.

• To set up Tor, you need to first download the Tor Browser Bundle from Link: https:// This bundle will ask your permission to extract a bundle of files to the location where the Tor installer was downloaded.
• Now, start Tor Browser. Once you're connected to the Tor Network, the browser (Firefox 3.6.20) will automatically open up with a congratulations message that your IP address is now changed. For example, my IP address changed to an address which is located in the Netherlands.

WHOIS

WHOIS: Internet resources such as domain names, IP addresses or controller systems are registered in database systems. WHOIS is used to query the
Say Hello to Red Team Testing!

Security Art's Red Team service operates on all fronts on behalf of the organization, evaluating all information security layers for possible vulnerabilities. Only Red Team testing provides you with live feedback on the true level of your organizational security. Thinking creatively! That's our approach to your test.

Security Art's Red-Team methodology consists of:
1. Information and intelligence gathering
2. Threat modeling
3. Vulnerability assessment
4. Exploitation
5. Risk analysis and quantification of threats to monetary values
6. Reporting

Ready to see actual benefits from your next security review? info@security-art.com
Or call US Toll free: 1 800 300 3909
UK Toll free: 0 808 101 2722