In a previous post, I covered the basics of the popular penetration testing web browser Mantra: where to download it, how to install it and the basic configuration. Mantra comes with a nice GUI and most of the security and penetration testing related extensions already bundled. In this post, the second part of the Mantra browser series, I am going to discuss the information gathering extensions of Mantra.
What is Information Gathering?
Information gathering is the first phase of a security assessment. In this phase, penetration testers and security experts try to collect as much information as possible about the target application. It is the first and most critical phase of application security testing, because the information gathered is what the later phases build on when looking for ways to break the web application's security.
In this phase we use manual methods and a few tools. With them, we can make the application leak information that helps later in the testing process. Google is also a good information gathering tool: its search operators let you find a great deal about a target. Once you know clearly what information you want, you can design methods to collect it from the target web application. The success of information gathering depends on how much information you acquire and on how correct it is, so always start with the very basic things and get to know your target well.
You can read this whitepaper to learn more about information gathering.
Why is Information Gathering so Important?
The information gathering process helps us find sensitive and important information about the target, and that is also how its weak points are found. Suppose you want to find security issues in a website in order to exploit it. If you know that the website is running an older version of WordPress, you can look for an exploit published for that WordPress version. You can think of many similar cases in which a few basic but important facts give you an easy way into a website.
You can find more information about information gathering here on the OWASP website.
In this article, we will see what extensions the Mantra browser has to help in the information gathering process. I am just introducing you to these extensions. You will easily learn how to use them if you have already installed the Mantra browser in your system.
Start the Information Gathering Phase with Mantra
To enable the information gathering extensions, click the Extensioner icon and then select Information Gathering. Mantra will then enable all extensions related to information gathering.
Figure 1: Enable Information Gathering extensions in the Mantra Browser
If you do not want to enable all these extensions at once, you can choose manually which extensions to enable. For this, go to Tools and then Extensions. Here you can find the list of all extensions available for the Mantra browser. You can enable and use any of the available extensions; the information gathering group consists of:
- jQuery API Browser
- IP Address And Domain Information
- Wappalyzer
- Web Technology Notifier
- W3Spy.net – Spy Any Website
- HPP Finder
- DNS Lookup
- Chrome Sniffer
- The Exploit Database
- Http Requests
- Recx Security Analyzer
Now, we will discuss all extensions in detail.
1. jQuery API Browser:
jQuery API Browser helps when you are analyzing a page's jQuery code for DOM-based XSS. The extension lets you search the jQuery API for selectors, methods and properties, with each result's parameter list and a direct link to the official jQuery documentation. It also displays all alternate signatures of the method currently shown. Just click on the icon and a pop-up with a search box opens; start typing and results appear below it. It contains a list of all selectors, methods and properties available in jQuery version 1.6.2.
Figure 2: jQuery API Browser Extension on Mantra
2. IP Address and Domain Information:
The IP Address and Domain Information extension lets you check the IP address and DNS information of a website. All information is fetched from www.tcpiputils.com. It has several tabs: IPv4, IPv6, My IP, Domain and Options.
It reveals a number of important things about the website: it performs spam database lookups, blocklist lookups, WhoIs lookups and hosting lookups, and it shows the hosting server's location on a map.
Figure 3: IP Address and Domain Information
In the My IP section, you can find useful information about your own IP address. In the Network tools section, it has direct links to Ping, Port scan and Traceroute tools to get more information.
The Options tab has nothing important. It only lets you select the default tab of popup windows with this extension.
This extension also displays SEO information of a website like Alexa ranking, Quantcast ranking, page rank, and social media activity. The only irritating thing about the tool is that it displays advertisements. If you are not sure about this extension, you can check the help section to know more.
3. Wappalyzer:
Wappalyzer identifies the technologies a website is built with (CMS, web frameworks, server-side languages, analytics and similar services) and shows an icon for each one next to the address bar.
Figure 4: Wappalyzer
In the screenshot it is revealed that the website is a blog running WordPress, and that it also uses Google Font API and Google Analytics. With this information you can quickly identify the CMS of a website and then look for the latest exploits available for that CMS.
It also has an Options window, though only one setting there seems useful: "Analyze headers automatically on click." When this option is enabled, a click on the extension icon starts analyzing the response headers.
4. Web Technology Notifier:
Web Technology Notifier displays the web technologies used by a website, much like Wappalyzer. It can identify modules and technologies such as Phusion Passenger for Ruby applications (Ruby on Rails and Sinatra), PHP application servers (Zend Server or iPyramid), Zope (Python), Microsoft ASP.NET, and more.
When you open a website, you will see information (icons of technologies) at the right side of the address bar.
Figure 5: Web Technology Notifier Extension
5. W3Spy.net – Spy Any Website:
This browser extension displays information about a website, fetched from w3spy.net. When I tried the extension, it displayed a "forbidden" page. I am not sure whether it has stopped working or whether it was a temporary problem with the website.
6. HPP Finder:
HPP Finder is a useful Chrome extension that comes with Mantra. HPP stands for HTTP Parameter Pollution, a vulnerability class first described in 2009. This browser extension can find URLs and forms that may be vulnerable to parameter pollution.
Figure 6: HPP Finder browser extension
HPP Finder is not a fix for HTTP Parameter Pollution, but it helps to detect which forms and URLs might be susceptible to it.
In HTTP Parameter Pollution, an attacker sends several HTTP parameters with the same name. Different platforms collapse repeated parameters differently (first occurrence, last occurrence, or all occurrences joined together), so a front-end filter and the back-end application may read different values from the same request. An attacker exploits this to bypass input validation or to modify internal variables. HTTP Parameter Pollution was first analyzed in 2009 and received a lot of attention afterwards. The attack has server-side and client-side variants, depending on whether the polluted parameter is consumed by the server or by client-side code that builds links and forms from it.
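To make the mechanism concrete, here is an added example (my own code, not from the article or from HPP Finder) that parses one polluted query string under three duplicate-parameter semantics and shows a filter/backend mismatch letting a payload through. The three semantics, the bad-token filter and the platform attributions in the comments are illustrative assumptions, not output of any tool on this page.

```python
"""HTTP Parameter Pollution (HPP): one polluted query string parsed under three
duplicate-parameter semantics, and a filter/backend mismatch that lets a payload
through. Platform attributions in the comments are illustrative assumptions."""
from urllib.parse import parse_qs, quote

# How a platform collapses repeated parameters of the same name. The platform
# examples in the comments are assumptions for illustration.
SEMANTICS = {
    "first": lambda values: values[0],          # e.g. Java Servlet containers
    "last": lambda values: values[-1],          # e.g. PHP on Apache
    "concat": lambda values: ",".join(values),  # e.g. ASP.NET on IIS
}

# Tokens a naive signature filter looks for in each parameter value.
BAD_TOKENS = ("'", "--", " or ", "select ")


def parse_params(query, semantic):
    """Collapse a query string to one value per name under the given semantic."""
    pick = SEMANTICS[semantic]
    raw = parse_qs(query, keep_blank_values=True)
    return {name: pick(values) for name, values in raw.items()}


def filter_blocks(params):
    """Return True if any collapsed value contains a blacklisted token."""
    return any(tok in value.lower() for value in params.values() for tok in BAD_TOKENS)


def deliver(query, filter_semantic, backend_semantic, name="id"):
    """Simulate a request passing a front-end filter and then reaching the backend.

    Returns the value the backend sees for `name`, or None if the filter
    blocked the request. The bypass only works when the two semantics differ."""
    if filter_blocks(parse_params(query, filter_semantic)):
        return None
    return parse_params(query, backend_semantic).get(name)


def build_polluted(name, payload, clean):
    """Craft name=payload&name=clean so that a last-wins inspector sees only `clean`."""
    return f"{name}={quote(payload)}&{name}={quote(clean)}"


if __name__ == "__main__":
    polluted = build_polluted("id", "42' OR '1'='1", "42")
    print("query:", polluted)
    for filt, backend in (("last", "first"), ("first", "first"), ("last", "last")):
        print(f"filter={filt:6} backend={backend:6} ->", deliver(polluted, filt, backend))
    # Concatenation lets a statement be split across parameters so that no single
    # value looks complete to a per-value inspector.
    print(parse_params("page=select 1&page=2,3 from users", "concat"))
```

The interesting case is the first one: the inspector collapses with last-wins and sees only `42`, while a first-wins backend receives the payload. When both sides agree on the semantic, the request is either blocked outright or carries only the clean value.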
7. DNS Lookup:
DNS Lookup is another useful extension for the information gathering process. It performs a DNS lookup for the currently displayed page: click the icon and it displays all returned records. The icon is also replaced with the flag of the country where the website is hosted.
Figure 7: DNS lookup of a website with DNS lookup extension
It also has a few options to customize which records it should display. For this, right-click on the icon and click Options. By default, all three options are selected; you can disable what you do not want to see.
Figure 7: DNS lookup options
8. Chrome Sniffer:
Chrome Sniffer is a must-have browser extension for security researchers. It detects the web applications and JavaScript libraries used by a website. When this extension is enabled in Mantra, it displays an icon at the right side of the address bar indicating the framework it detected. Currently it can detect more than 100 popular CMSs and JavaScript libraries, and the developers are working to add more.
Figure 8. Chrome Sniffer
9. The Exploit Database:
The Exploit Database extension in Mantra lets you search the Exploit Database directly from your browser. With it you can keep track of the latest exploits, tools, shellcode and whitepapers. The extension is open source; its source code can be found at: http://github.com/10n1z3d/EDBE
Figure 9. The Exploit Database
You can also modify options to customize what results you want to see.
Figure 10. The Exploit Database Options
10. HTTP Requests:
HTTP Requests lets you build your own HTTP requests, specifying the headers and body, and send them to the server from the browser using Ajax. It is meant for exercising web service APIs and supports the HEAD, POST, PUT and DELETE methods. Manually crafted requests are a good way to gather information about an application: an unusual method, header or parameter can make the application leak sensitive information in the form of error messages, version banners of the technologies used, and so on.
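The Wappalyzer, Web Technology Notifier and Chrome Sniffer sections above describe passive fingerprinting, and this section describes provoking version disclosures with crafted requests. The following added example (my own code, not from any of those extensions or from the article) shows the matching side of that work: a small signature set run over a constructed response, covering headers, cookies and the HTML body, that reports the technologies and versions it finds. The signatures, header values and HTML are all constructed for the example and the target is hypothetical.

```python
"""Passive technology fingerprinting from one HTTP response: headers, cookies
and HTML body, in the spirit of Wappalyzer / Web Technology Notifier / Chrome
Sniffer. Signatures and the sample response are constructed for this example."""
import re

# Constructed sample response (hypothetical target, not a capture from the article).
SAMPLE_HEADERS = [
    ("Server", "Apache/2.2.22 (Ubuntu)"),
    ("X-Powered-By", "PHP/5.3.10-1ubuntu3"),
    ("Set-Cookie", "PHPSESSID=0123abcd; path=/"),
    ("Content-Type", "text/html; charset=UTF-8"),
]
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.4.2" />
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.7.2"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
</head><body><div class="site">Hello</div></body></html>"""

# (header name, regex on header value, technology). A capture group, if present, is the version.
HEADER_SIGNATURES = [
    ("Server", r"Apache/([\d.]+)", "Apache"),
    ("Server", r"nginx/([\d.]+)", "nginx"),
    ("Server", r"Microsoft-IIS/([\d.]+)", "IIS"),
    ("X-Powered-By", r"PHP/([\d.]+)", "PHP"),
    ("X-Powered-By", r"ASP\.NET", "ASP.NET"),
    ("X-Powered-By", r"Phusion Passenger ?([\d.]*)", "Phusion Passenger"),
    ("X-AspNet-Version", r"([\d.]+)", "ASP.NET"),
    ("Set-Cookie", r"^PHPSESSID=", "PHP"),
    ("Set-Cookie", r"^ASP\.NET_SessionId=", "ASP.NET"),
    ("Set-Cookie", r"^JSESSIONID=", "Java Servlet"),
]

# (regex on HTML body, technology). The first non-empty capture group is the version.
BODY_SIGNATURES = [
    (r'<meta name="generator" content="WordPress ?([\d.]*)"', "WordPress"),
    (r"/wp-(?:content|includes)/", "WordPress"),
    (r'<meta name="generator" content="Joomla!', "Joomla"),
    (r"/sites/(?:default|all)/", "Drupal"),
    (r"jquery(?:[-.]([\d.]+))?(?:\.min)?\.js(?:\?ver=([\d.]+))?", "jQuery"),
    (r"google-analytics\.com/ga\.js|_gaq\.push", "Google Analytics"),
    (r"fonts\.googleapis\.com", "Google Font API"),
]


def _version(match):
    """First non-empty capture group of a regex match, else an empty string."""
    return next((g for g in match.groups() if g), "")


def fingerprint(headers, html):
    """Return {technology: version or ''} detected from (name, value) headers and the body."""
    found = {}

    def record(tech, version):
        # Keep whichever signature yields a version; never overwrite one with ''.
        if tech not in found or (version and not found[tech]):
            found[tech] = version

    for header_name, pattern, tech in HEADER_SIGNATURES:
        for name, value in headers:
            if name.lower() == header_name.lower():
                match = re.search(pattern, value, re.IGNORECASE)
                if match:
                    record(tech, _version(match))
    for pattern, tech in BODY_SIGNATURES:
        match = re.search(pattern, html, re.IGNORECASE)
        if match:
            record(tech, _version(match))
    return found


if __name__ == "__main__":
    for tech, version in sorted(fingerprint(SAMPLE_HEADERS, SAMPLE_HTML).items()):
        print(f"{tech:18} {version or '(version unknown)'}")
```

Versions come from wherever a signature happens to capture one (the `X-Powered-By` banner, the WordPress generator tag, the `?ver=` query on a script), which is exactly the kind of leak the crafted requests described above try to provoke; the session cookie name only tells you the platform, so it is recorded without a version.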
11. Recx Security Analyzer:
Recx Security Analyzer lets you inspect the security aspects of a website's HTTP headers, cookies and other key security settings. The extension is aimed primarily at non-specialists, such as developers and quality assurance testers, so that they can quickly identify security issues in web applications.
Figure 11: Recx Security Analyzer report
Its report covers HTTP header security issues and cookie security issues. These are the main things the extension inspects:
- Presence of security-relevant HTTP headers.
- Page meta header security options.
- Cookie security attributes.
- HTML form auto-complete security settings.
It also displays recommendations to help you resolve issues.
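As an added example (my own code, not Recx's), here is a checker that implements the four inspections listed above over a constructed response: the presence and value of security headers, cookie attributes, and password fields that allow autocomplete. The header sets, cookie values and form markup are constructed for the example, and the one-year HSTS threshold is a common recommendation rather than a rule from the page.

```python
"""Security audit of one HTTP response's headers, cookies and password fields,
mirroring the four checks listed for Recx Security Analyzer. The header sets,
cookie values and form are constructed for this example."""
import re

# Headers that should be present on an HTTPS site and why each matters.
EXPECTED_HEADERS = {
    "strict-transport-security": "without HSTS a browser can be downgraded to plain HTTP",
    "content-security-policy": "without CSP injected scripts run unrestricted",
    "x-frame-options": "without framing restrictions the page can be clickjacked",
    "x-content-type-options": "without nosniff browsers may sniff responses into scripts",
}
ONE_YEAR = 31536000  # recommended minimum HSTS max-age, in seconds (assumption, not from the page)

# Constructed responses as (name, value) pairs, so repeated Set-Cookie headers are kept.
WEAK_HEADERS = [
    ("Server", "nginx"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "PHPSESSID=a1b2c3; path=/"),
    ("Set-Cookie", "csrftoken=d4e5f6; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
HARDENED_HEADERS = WEAK_HEADERS[:3] + [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "PHPSESSID=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "csrftoken=d4e5f6; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
SAMPLE_FORM = ('<form method="post"><input type="text" name="user">'
               '<input type="password" name="pw"></form>')


def parse_set_cookie(value):
    """Split 'name=val; Attr; Attr=x' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_headers(headers, https=True):
    """Return a list of findings for a response given as (name, value) pairs."""
    findings = []
    present = {name.lower(): value for name, value in headers if name.lower() != "set-cookie"}

    for header, why in EXPECTED_HEADERS.items():
        if header not in present:
            findings.append(f"missing header {header}: {why}")

    # Headers that are present but carry a weak value.
    hsts = present.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("strict-transport-security max-age below one year")
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(f"x-content-type-options has unexpected value {xcto!r}")
    xfo = present.get("x-frame-options")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options has unexpected value {xfo!r}")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if https and "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure: also sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly: readable by script after XSS")
        if "samesite" not in attrs:
            findings.append(f"cookie {cookie} lacks SameSite: sent on cross-site requests (CSRF)")
    return findings


def audit_forms(html):
    """Flag password inputs that do not opt out of browser autocompletion."""
    findings = []
    for match in re.finditer(r"<input\b[^>]*>", html, re.IGNORECASE):
        tag = match.group(0)
        is_password = re.search(r"""type\s*=\s*["']?password""", tag, re.IGNORECASE)
        opts_out = re.search(r"""autocomplete\s*=\s*["']?off""", tag, re.IGNORECASE)
        if is_password and not opts_out:
            findings.append(f"password field allows autocomplete: {tag}")
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"== {label} ==")
        for finding in audit_headers(headers) or ["no findings"]:
            print(" -", finding)
    for finding in audit_forms(SAMPLE_FORM):
        print(" -", finding)
```

The weak response produces six findings (three missing headers and three missing attributes on the session cookie) while the CSRF token cookie passes; the hardened set produces none. One caveat on the last check: it reflects the era of the extension, since current browsers ignore `autocomplete="off"` on password fields and offer their password managers regardless, so treat that finding as informational.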
If you know other good browser extensions that can be used for information gathering, you can install them and add them to your information gathering group. Read the first part of the series to learn how to install an extension and add it to an extension group.
The Mantra browser has 11 extensions for the information gathering process. Information gathering is an important phase of penetration testing, and Mantra will certainly help you get information about a target application. These tools give you WhoIs information, DNS information, hosting information, CMS information, cookie information, header information and more, and with the Exploit Database extension you can quickly search for the latest exploits available for a CMS.
These extensions alone are not enough for a complete information gathering process, but they will get you most of the way, and you can use other tools for the rest. We have also covered a few penetration testing Chrome extensions and Firefox add-ons.
Use these information gathering extensions, and share your experience or ask questions via the comments section below.