Get the script

Screenshot

Backtrack5 Update Script

Source: backtrack-linux.org

Backtrack5 Update Script Info
App Name	Backtrack5 Update Script
License	free
Type	code
App URL
More Info	link

This is not made to encourage piracy/plagiarism in any case.

How To

1. Extract batch file and lib folder to C:\apk2java\ (or any folder that doesnt have space in its path)

2. Backup the target app’s apk from phone to PC via ASTRO Browser (check this post for details)

3. Keep the target apk in the root folder where batch file is present

4. Run ‘apk2java.bat target.apk’ in cmd

c:\apk2java>apk2java.bat target.apk

5. Result : java and resource files available in ‘src’

Note: This batch just automates the sequence in which various tools are initiated and does not handle any error events. You will have to go through the cmd verbose to figure out the problem.

Note 2: ‘lib’ folder contains apk-tool files (apk-tool.jar, aapt.exe), jad.exe, 7zip (7za.exe), dex2jar files (all other jars).  If required, update each of those tools by replacing it with latest copy from links mentioned below.

Requirements

• Windows (but can be ported to *NIX)
• JRE 1.6 (Java Runtime Environment)

Tools in lib

• Dex2jar – Converts Android dex format to jar (link)
• JAD – Java Decompiler CLI (link)
• 7Zip – Unarchival  (link)
• apk-tool – Extracts resources from apk (link)
• aapt – Android Asset Packaging Tool (link)
• aapt commands (link)

apk2java Info
App Name	apk2java
License	free
Type	code
App URL
More Info	link

Download .apk file from market

1. Search in market for the app you want to decompile and install it on your phone.
2. Install Astro File Manager from market (link). Open Astro > Tools > Application Manager/Backup and select the application to backup on to the SD card .
3. Mount phone as USB drive and access '\backups\apps\' folder to find the apk of target app (lets call it targetapp.apk) . Copy it to your local drive.

Decomiling apk to Dex format

1. Download Dex2Jar (link) (Android runs applications which are in Dalvik Executable (.dex) format).
2. Run the command to convert apk to jar

dex2jar targetapp.apk file(./dex2jar targetapp.apk on terminal)

File ‘targetapp.apk.dex2jar.jar’ is created

Viewing/Decompiling the Jar files to Java

Method 1 : Use JavaDecompiler (JD)

1. Open ‘targetapp.apk.dex2jar.jar’ with jd-gui (link)
2. File > Save All Sources to sava the class files in jar to java files.

Method 2: JAD

1. Extract contents of jar file on to a folder named src. Use and unarchival utility like 7zip
2. Keep ‘src’ folder in the same directory where JAD and targetapp jar is present
3. Open JAD in cmd and execute the following command
4. jad -o -r -sjava -dsrc src/**/*.class (./jad on terminal)

Now src will contain decompiled Java files ready for manual code review.

Tools Used

1. Sample app – RemoteDroid (Opensource – link)
2. Astro File Manager (Android Market – link)
3. Dex2Jar (link)
4. jd-gui (link)
5. JAD (link)

Dex2Jar Info
App Name	Dex2Jar
License	free
Type	portable code
App URL
More Info	link

Note: Below table will be updated regularly. If you find any addons that are not listed but might be useful while conducting pentests, please mention in comments.

This will be one must-have addition to the chrome addons that helps for security testing which we had discussed earlier here. While conducting blackbox security assessments, we normally do analysis on communication between the server and the browser (client). This is done with the help of various software proxy interceptors such as Paros, Webscarb, Burp etc. by redirecting traffic to these proxies.

Most of the times its required to change the browser proxy settings to
1. Change the port to switch the listener (proxy) that intercepts web traffic
2. Filter the URLs that are not in our scope to reduce the overhead on the proxy.
3. Match the URLs to send to different listeners based on certain patterns.

Proxy switch can help to easily overcome the situations mentioned above.

Features

- Manage and switch between multiple proxy profiles.
- Change the proxy configuration of Chrome and IE in one click.
- URL based switch rules.
- Supports Socks v4 and v5.
- Change LAN and VPN/Dial-up proxy settings.
- Quickly add rules for currently active websites.
- Quick proxy switch between two profiles or cycle all profiles.
- Online rule list support (AutoProxy compatible), more details here.
- Export switch rules as PAC/RuleList file.
- Backup/Restore options.
- Proxy change monitoring.
- Colorful profiles and icons.
- Supports Windows, Linux (32/64 bit) and Mac OS X.

Screenshots

Proxy Switchy! Info
App Name	Proxy Switchy!
License	free
Type	portable
App URL
More Info	link

Adblock can be made more efficient by adding custom patterns for the elements to be filtered.. This feature of AdBlock can be extended to block not only the ads but also the malicious content those are injected in seemingly genuine sites. This is done by adding MalwareDomains subscription to our Adblock preferences. MalwareDomain contains a list of domains that are known to be used to propagate malware and spyware. Adblock verifies whether there are any cross domain content loaded from any of malicious websites present in that list and if there is, then it blocks those elements.

Note: Subscribing to this list can increase the load time of the site. Increase in security at the cost of slight reduction in performance.

Here, we illustrate the steps to add the MalwareDomain list to our Adblock addon available for Chrome and Firefox browsers.

I. Adding MalwareDomain Subscription in Chrome

Download Adblock for Chrome here.

1. Access the AdBlock Options from the Chrome Extensions page and add MalwareDomains URL (http://malwaredomains.lanik.us/malwaredomains_full.txt)

2. Entered URL will now display in the subscriptions list. Make sure that its checked.

II. Adding MalwareDomain Subscription in Firefox

Download AdBlock Plus for Firefox here.

1. Open the Adblock Plus Preferences and click on the ‘Add Filter Subscription’ from the Filters menu.

2. Click on ‘Add a different subscription’ link.

3. Add the MalwareDomains URL in the subscription entry (http://malwaredomains.lanik.us/malwaredomains_full.txt)

4. List of domains to be filtered will be displayed under the filter which we have newly subscribed. Make sure that its enabled.

Links

• MalwareDomains List
• Other AdBlock Suscriptions
• AdBlock for Chrome
• AdBlock for Firefox

MalwareDomains Subscription List Info
App Name	MalwareDomains Subscription List
License	free
Type	online
App URL
More Info	link

But the ideal solution would be to choose a password which takes longer time to crack. Hackers can find someway to crack our password, all we have to make them try stronger and harder. Passwords are usually cracked using a method called as Bruteforce attack where a malicious tool tries to match all the type of password combination available against the target system. More complex the password is, more are the combinations to be tried and less probable it becomes for the tool to guess our password right.

This website, HowSecureIsMyPassword, gives us an idea on how long it takes to crack a password with a normal desktop PC. We can try various combinations, longer password/different character sets and analyze the results.

So as mentioned earlier we should choose a password which takes at least more than ‘a year’ to crack. This arbitrary value – ‘a year’ is based on the assumption that we would change our passwords once in every year so by the time the cracker obtains our password, we would have changed it

Guys from Whatsmypass have published a list of Top 500 worst passwords, check it out here, and make sure that you don’t use any one of them.

Another site provides crack time matrix of different types of character sets, length based on the system which is used for cracking it. HowSecureIsMyPassword assumes that the cracker uses class D and estimates the time, link.

Check the site to calculate approx time taken to crack your password.

HowSecureIsMyPassword

How Secure Is Your Password Info
App Name	How Secure Is Your Password
License	free
Type	online
App URL
More Info	link

Updated: Added Screenshots for IE

1. Firefox

Go to the Mozilla Addons Page and add Google SSL Search Plugin

Select ‘Start using it right away in the dialog box that displays – Add “Google SSL” to the list of engines available in the search bar?

2. Chrome

Right Click on Chrome Omnibar(Address bar) and Select ‘Edit Search Engines’.

In the Edit Search Engines Dialog box add https://www.google.com/search?q=%s in the URL field and click on Make Default Button.

Dont forget to check the Chrome Extensions List for Security Testers, here (Internal Post)

3. Internet Explorer

• Access the Add Search Providers page

• In the Create Your Own enter https://www.google.com/search?q=TEST in the URL field

Click on the Install Button to see the following screen. Check the ‘Make this my default search provider’

Now the Search box in IE will display Google.

via Google Blog and TechDows

Update: Jarlsberg is now Gruyere

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you’ll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you’ll learn the following:

• How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
• How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

Documentation Here

Some Exploit Screenshots

Information Disclosure – Read the contents of the database off of a running server by exploiting a configuration vulnerability.

Debug Dump Page URL – http://google-gruyere.appspot.com/457262944951/dump.jtl

The id changes based on your session.

Reflected XSS

Alert Dialog box which indicates the presence of Cross Site Scripting Vulnerability present in Jarlsberg

Stored XSS alert

Features

Jarlsberg includes a number of special features and technologies which add attack surface.

• HTML in Snippets: Users can include a limited subset of HTML in their snippets.
• File upload: Users can upload files to the server, e.g., to include pictures in their snippets.
• Web administration: System administrators can manage the system using a web interface.
• New accounts: Users can create their own accounts.
• Template language: Jarlsberg Template Language(JTL) is a new language that makes writing web pages easy as the templates connect directly to the database. Documentation for JTL can be found in gruyere/jtl.py.
• AJAX: Jarlsberg uses AJAX to implement refresh on the home and snippets page. You should ignore the AJAX parts of Jarlsberg except for the challenges that specifically tell you to focus on AJAX.

Vulnerabilities In Gruyere

• Cross-Site Scripting (XSS)
  • File Upload XSS
  • Reflected XSS
  • Stored XSS
  • Stored XSS via HTML Attribute
  • Stored XSS via AJAX
  • Reflected XSS via AJAX
• Client-State Manipulation
  • Elevation of Privilege
  • Cookie Manipulation
• Cross-Site Request Forgery (XSRF)
• Cross Site Script Inclusion (XSSI)
• Path Traversal
  • Information disclosure via path traversal
  • Data tampering via path traversal
• Denial of Service
  • DoS – Quit the Server
  • DoS – Overloading the Server
• Code Execution
• Information disclosure
• AJAX vulnerabilities
  • DoS via AJAX
  • Phishing via AJAX
• Buffer Overflow and Integer Overflow
• SQL Injection

Explore hosted version of Jarlsberg and start uncovering the vulnerabilities

Gruyere Hosted Version

Gruyere (Previously Jarlsberg) Info
App Name	Gruyere (Previously Jarlsberg)
License	free
Type	online code
App URL
More Info	link

1. WebDeveloper

2. Firebug Lite

3. Pendule

4. Chrome Web Developer Tools

5. Simple REST Client

6. View Selection Source

7. Domain Details

8. Chrome Sniffer

9. User-Agent Switcher

10. Unencrypted Password Warning

11. JSONView

12. Cookie Editor

View and Edit the Cookies created by the site visible in the active page

13. Light Shot

14. Note Anywhere (Bonus)