This is the second part of the Information Gathering article series. In this article we walk through the information gathering extensions of the Mantra browser.
In the previous post, I covered the basics of the popular Mantra web browser for penetration testing: where to download it, how to install it, and its basic configuration. Mantra comes with a clean GUI and most of the browser extensions that matter for security testing and penetration testing. In this post, I discuss Mantra's information gathering extensions. This is the second part of the Mantra browser series.
What is information gathering?
Information gathering is the first stage of a security assessment. In this phase the penetration tester tries to gather as much information as possible about the target application. It is the first and most critical phase of application security testing, because everything collected here is used later to attack the security of the web application.
The process combines manual methods with several tools, and those tools can be used to make an application leak sensitive information that helps further along in the test. Google is also a useful tool for this: a great deal can be found with Google search operators. Once you know exactly what information you want, you can design your approach so that it collects that information about the target web application. The success of the phase depends on how much information is obtained and how accurate it is, so always start with the very basics and build up a clear picture of your target.
To learn more about information gathering, you can read this whitepaper.
Why is information gathering so important?
The intelligence gathering process helps us find sensitive and important information about the target, including its weak spots. Say you want to find the security issues of a website you intend to exploit. If you know that the site is running an older version of WordPress, you can look for a public exploit for that WordPress version. There are many similar cases where knowing a few basic but important facts about a target makes it easy to find a way in.
More information about information gathering can be found on the OWASP website.
In this article, we will see which extensions the Mantra browser offers to help in the information gathering process. I am only introducing these extensions here; you can easily learn how to use them once Mantra browser is installed on your system.
Begin the information gathering phase with Mantra
To enable the information gathering extensions, click the Extensioner icon and select the Information Gathering option. Mantra then enables all extensions that belong to the information gathering group.
Figure 1: Enable Information Gathering extensions in the Mantra Browser
If you don’t want to enable all of these extensions at once, you can enable individual extensions manually. To do this, go to Tools and then Extensions. Here you will find a list of all extensions available in the Mantra browser. You can enable and use any of them, such as:
jQuery API Browser
IP address and domain information
Web Technology Notifier
W3Spy.net – Spy any website
Recx security analyzer
Now we will discuss these extensions in detail.
- jQuery API Browser:
The jQuery API Browser is useful when analyzing a page for DOM-based XSS in its jQuery code, since it lets you look up quickly what a given jQuery method or selector does with the data it receives. The extension lets you search the jQuery API by name, shows the parameters of each function, and links directly to the official jQuery documentation. It also displays all alternative signatures of the currently displayed method. Click the icon and a pop-up window opens with a search field; start typing and matching results appear below it. It contains a list of all selectors, methods, and properties available in jQuery version 1.6.2.
Figure 2: jQuery API Browser Extension on Mantra
- IP address and domain information
The IP Address and Domain Information extension lets you check the IP address and DNS information of a website. All data is fetched from www.tcpiputils.com. It has separate tabs for IPv4, IPv6, My IP, Domain and Options.
It reveals a number of useful details about the host. It also performs a spam database lookup, a blocklist lookup, a WHOIS lookup and a hosting information lookup, and shows the location of the hosting server on a map.
Figure 3: IP Address and Domain Information
In the My IP section you can find useful information about your own IP address. In the Network Tools section, it has direct links to the Ping, Port scan, and Traceroute tools for more information.
There is nothing important in the Options tab; it only lets you select which tab the popup opens on by default.
This extension also displays SEO information about the website, such as Alexa rank, Quantcast rank, PageRank and social media activity. The only irritating thing about the tool is that it displays ads. If you are unsure about anything, check the help section to learn more.
- Wappalyzer
Figure 4: Wappalyzer
The screenshot shows Wappalyzer revealing that the site is a blog running WordPress, and that it also uses the Google Font API and Google Analytics. With this kind of information you can identify the CMS of a website and then look for the latest exploits available for that CMS and version.
It also has an Options window with several settings. The only one that seems useful is “Automatically analyze header on click”: when it is enabled, clicking the extension icon starts analyzing the page's headers.
- Web Technology Notifier
Web Technology Notifier shows the web technologies used by a site, much like Wappalyzer. It can identify the server-side modules and technologies a website runs, including Phusion Passenger applications for Ruby (such as the Ruby on Rails and Sinatra frameworks), PHP-based applications (such as Zend Server or iPyramid), Zope (with Python support), Microsoft ASP.NET, and more.
When you open a web page, the detected technologies appear as icons on the right side of the address bar.
Figure 5: Web Technology Notifier Extension
- W3Spy.net – Spy any website
This browser extension displays information about websites using w3spy.net. When I tried the extension, it returned a “forbidden page” error. I’m not sure whether it has stopped working or whether it was a temporary problem with the website.
- HPP Finder:
HPP Finder is a handy Chrome extension that ships with Mantra. HPP stands for HTTP Parameter Pollution, a class of vulnerability that was first described only a few years ago. The extension finds URLs and forms that may be susceptible to parameter pollution.
Figure 6: HPP Finder browser extension
HPP Finder is not a fix for HTTP parameter pollution. It only helps identify which forms and URLs may be susceptible to it, so that you can test them by hand.
In HTTP parameter pollution, the attacker sends multiple HTTP parameters with the same name. Different web servers and frameworks resolve such duplicates differently (some keep the first value, some the last, some concatenate all values or return an array), so the application, or a filter in front of it, may interpret the request in unexpected ways. An attacker uses these differences to bypass input validation or to modify internal variables. HTTP Parameter Pollution was first analyzed in 2009 and has received a lot of attention since. The attack can be performed against either the client side or the server side.
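As an added illustration (this is not the HPP Finder extension's own code, and the resolution policies, URLs and the front-end/back-end pair are constructed for the example), the following Python shows the three common ways a back end resolves a repeated parameter, a small helper that builds HPP probe URLs the way a tester would, and the classic bypass: a front-end filter that only reads the first value of `role`, in front of a back end that reads the last one.

```python
"""Added HTTP Parameter Pollution example (not part of Mantra or HPP Finder).

All URLs, the filter and the back end below are constructed for the demo.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def query_pairs(url):
    """All (name, value) pairs of the query string, duplicates kept in order."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


# Three resolution policies seen in real stacks. Which one a target uses is
# something you confirm against the live application, not something to assume.
def first_wins(pairs):
    """Keep the first occurrence of each name (e.g. many Java servlet stacks)."""
    resolved = {}
    for name, value in pairs:
        resolved.setdefault(name, value)
    return resolved


def last_wins(pairs):
    """Keep the last occurrence of each name (e.g. PHP's $_GET)."""
    return dict(pairs)


def concat_all(pairs, sep=","):
    """Join every occurrence with a separator (e.g. ASP.NET's Request.QueryString)."""
    resolved = {}
    for name, value in pairs:
        resolved[name] = value if name not in resolved else resolved[name] + sep + value
    return resolved


def resolve(url, policy):
    """Resolve the URL's query parameters under one policy."""
    return policy(query_pairs(url))


def duplicate_params(url):
    """Names of parameters that already occur more than once (worth a closer look)."""
    counts = {}
    for name, _ in query_pairs(url):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def inject_duplicate(url, name, value):
    """Append a second copy of `name` to the query string: the basic HPP probe."""
    parts = urlsplit(url)
    pairs = query_pairs(url) + [(name, value)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def hpp_probes(url, marker="hpp"):
    """One probe URL per parameter, each with a recognisable duplicate value.

    Comparing the responses to these probes tells you which policy the
    target follows, which is what HPP Finder's flagged URLs are meant for."""
    names = sorted({name for name, _ in query_pairs(url)})
    return {name: inject_duplicate(url, name, marker) for name in names}


# Constructed front end / back end pair showing why the mismatch matters.
def naive_filter_allows(url):
    """A filter that rejects role=admin but only looks at the first value."""
    return resolve(url, first_wins).get("role", "user") != "admin"


def backend_role(url):
    """A back end that uses the last value of the same parameter."""
    return resolve(url, last_wins).get("role", "user")


def demo():
    """Returns (probe URL, filter verdict, role the back end actually sees)."""
    base = "https://example.test/profile?id=7&role=user"
    probe = inject_duplicate(base, "role", "admin")
    return probe, naive_filter_allows(probe), backend_role(probe)


if __name__ == "__main__":
    url, allowed, role = demo()
    print(url)
    print("filter allows:", allowed, "| back end role:", role)
    print("probes:", hpp_probes("https://example.test/profile?id=7&role=user"))
```

Running `demo()` shows the filter passing the request while the back end acts on `role=admin`. The same probe URL resolved with `concat_all` yields `user,admin`, which is the variant that breaks applications that compare the value against a whitelist.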
- DNS lookup
DNS Lookup is another useful extension for the information gathering process. It performs a DNS lookup for the currently displayed page: click the icon and all returned records are displayed. The icon is also replaced with the flag of the country where the site is hosted.
Figure 7: DNS lookup of a website with DNS lookup extension
It also has options to choose which records are displayed. To reach them, right-click the icon and click Options. All three record types are selected by default; you can disable the ones you don’t want to see.
Figure 7: DNS lookup options
- Chrome Sniffer
Chrome Sniffer is an indispensable browser extension for security researchers. It detects the web application frameworks and JavaScript libraries used by a website. When this extension is enabled in Mantra, an icon appears on the right side of the address bar indicating the framework detected on the site. At the time of writing it can detect more than 100 popular CMSs and JS libraries, and the developers behind it are working on adding more.
Figure 8: Chrome Sniffer
- The Exploit Database
The Exploit Database extension in Mantra lets you search the Exploit Database directly from your browser. With it you can keep track of the latest exploits, tools, shellcode and whitepapers. The extension is open source; its source code can be found at: http://github.com/10n1z3d/EDBE
Figure 9: The Exploit Database
You can also modify options to customize what results you want to see.
Figure 10: The Exploit Database Options
- HTTP Requests
HTTP Requests lets you build custom HTTP requests by specifying the method, the request headers and the body, and sends them from the browser using Ajax. With it you can exercise web service APIs, in particular with the HEAD, POST, PUT and DELETE methods. Manually crafted requests are a good way to collect information about an application: a plain request, or a specially crafted one, can make the application leak details such as verbose error messages or the version of the technology in use (for example in the Server or X-Powered-By response headers).
- Recx security analyzer
Recx Security Analyzer checks various security aspects of HTTP headers, cookies and other key website security settings. It is aimed at security professionals, developers and QA testers, who can use it to quickly identify web application security issues.
Figure 11: Recx Security Analyzer report
It mainly reports HTTP header security issues and cookie security issues.
These are the main things this extension checks:
Presence of security-relevant HTTP headers.
Security-relevant meta tags in the page header.
Cookie security attributes.
HTML form autocomplete settings.
It also shows recommendations to help you fix the problems it finds.
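The two extensions above, HTTP Requests and Recx Security Analyzer, are the manual and the automated side of the same check: send a request, then read the response for what it gives away. The following Python is an added example of that workflow, not code from either extension. It builds a raw request the way HTTP Requests lets you compose one, then analyzes a constructed sample response (no real host is contacted) for version-leaking headers, missing security headers and cookies without Secure, HttpOnly or SameSite, which are the findings Recx reports. The header and cookie attribute lists are my own choice of common checks, not the extension's rule set.

```python
"""Added example: craft an HTTP request and triage a raw HTTP response.

Not code from the HTTP Requests or Recx Security Analyzer extensions.
The response below is constructed for the example and not captured from a host.
"""

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: remember=1; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Headers whose absence is worth reporting (my selection, not Recx's list).
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Content-Security-Policy",
)
# Headers that commonly carry product names and version numbers.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
COOKIE_FLAGS = ("secure", "httponly", "samesite")


def build_request(method, host, path="/", headers=None, body=""):
    """Compose a raw HTTP/1.1 request, e.g. a HEAD probe for the headers alone."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_response(raw):
    """Split a raw response into (status line, [(lower-case name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def version_leaks(headers):
    """Leaky headers whose value contains a digit, i.e. probably a version."""
    return [(n, v) for n, v in headers
            if n in LEAKY_HEADERS and any(ch.isdigit() for ch in v)]


def missing_security_headers(headers):
    """Expected security headers that the response does not set."""
    present = {n for n, _ in headers}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]


def weak_cookies(headers):
    """(cookie name, [missing flags]) for every Set-Cookie lacking a flag."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in COOKIE_FLAGS if flag not in attrs]
        if missing:
            findings.append((cookie_name, missing))
    return findings


def analyze(raw):
    """Run all three checks over a raw response and return the findings."""
    _, headers, _ = parse_response(raw)
    return {
        "leaks": version_leaks(headers),
        "missing_headers": missing_security_headers(headers),
        "weak_cookies": weak_cookies(headers),
    }


if __name__ == "__main__":
    print(build_request("HEAD", "example.test", "/"))
    for key, value in analyze(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

To use it against a live target, send the output of `build_request` over a socket (or paste it into the HTTP Requests extension) and feed the raw reply to `analyze`. The leak check deliberately keys on digits in the value, so a header like `Server: Apache` with the version stripped is not reported.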
If you know of other useful browser extensions for information gathering, you can install them and add them to your information gathering group. The first part of the series explains how to install extensions and add them to extension groups.
Mantra Browser has 11 extensions for the information gathering process. Information gathering is an important phase of penetration testing, and Mantra will certainly help you collect information about the target application. These tools give you WHOIS information, DNS information, hosting information, CMS information, cookie information, header information, and much more. With the Exploit Database extension, you can easily search for the latest exploits available for a detected CMS.
These extensions alone are not enough for a complete information gathering phase, but you can get most of the information with them and supplement it with other tools. We’ve also covered several Chrome extensions and Firefox add-ons for penetration testing.