[转载]Turning Firefox to an Ethical Hacking Platform.
原始链接:http://www.security-database.com/toolswatch/Turning-Firefox-to-an-Ethical.htmlInternet is an amazing virtual world where you can "virtually" do anything : gambling, playing, watching movies, shopping, working, “VoIPying”, spying other people and for sure auditing remote systems.
This article is copyrighted Security-Database.com
The security testers community has a large panel of security tools, methodologies and much more to perform their pentests and audit assessments. But what happens if you find yourself weaponless.
No more Top 100 security tools, no more LiveCDs and no more exploitation frameworks. A security auditor without toolbox is like a cop without gun.
Nevertherless, there is maybe a way to rescue yourself from this nightmare situation.
The magical solution could be Firefox and its extensions developed by ethical hackers and coders.
This article comes as an update for what we posted previously about how to switch your firefox to more than an usual simple browser. It was about application auditing
Here is an updated list of useful security auditing extensions :
Information gathering
Whois and geo-location
ShowIP : Show the IP address of the current page in the status bar. It also allows querying custom services by IP (right mouse button) and Hostname (left mouse button), like whois, netcraft.
Shazou : The product called Shazou (pronounced Shazoo it is Japanese for mapping) enables the user with one-click to map and geo-locate any website they are currently viewing.
HostIP.info Geolocation : Displays Geolocation information for a website using hostip.info data. Works with all versions of Firefox.
Active Whois : Starting Active Whois to get details about any Web site owner and its host server.
Bibirmer Toolbar : An all-in-one extension. But auditors need to play with the toolbox. It includes ( WhoIs, DNS Report, Geolocation , Traceroute , Ping ). Very useful for information gathering phase
Enumeration / fingerprinting
Header Spy: Shows HTTP headers on statusbar
Header Monitor : This is Firefox extension for display on statusbar panel any HTTP response header of top level document returned by a web server. Example: Server (by default), Content-Encoding, Content-Type, X-Powered-By and others.
Social engineering
People Search and Public Record: This Firefox extension is a handy menu tool for investigators, reporters, legal professionals, real estate agents, online researchers and anyone interested in doing their own basic people searches and public record lookups as well as background research.
Googling and spidering
Advanced dork : gives quick access to Google’s Advanced Operators directly from the context menu. This could be used to spider a site or scan for hidden files (this spider technique is used via scroogle.org)
SpiderZilla : Spiderzilla is an easy-to-use website mirror utility, based on Httrack from www.httrack.com.
View Dependencies : View Dependencies adds a tab to the "page info" window, in which it lists all the files which were loaded to show the current page. (useful for a spidering technique)
Security Assessment / Code auditing
Editors
JSView : The ’view page source’ menu item now opens files based on the behavior you choose in the jsview options. This allows you to open the source code of any web page in a new tab or in an external editor.
Cert Viewer Plus : Adds two options to the certificate viewer in Firefox or Thunderbird: an X.509 certificate can either be displayed in PEM format (Base64/RFC 1421, opens in a new window) or saved to a file (in PEM or DER format - and PKCS#7 provided that the respective patch has been applied - cf.
Firebug : Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page
XML Developer Toolbar:allows XML Developer’s use of standard tools all from your browser.
Headers manipulation
HeaderMonitor : This is Firefox extension for display on statusbar panel any HTTP response header of top level document returned by a web server. Example: Server (by default), Content-Encoding, Content-Type, X-Powered-By and others.
RefControl : Control what gets sent as the HTTP Referer on a per-site basis.
User Agent Switcher :Adds a menu and a toolbar button to switch the user agent of the browser
Cookies manipulation
Add N Edit Cookies : Cookie Editor that allows you add and edit "session" and saved cookies.
CookieSwap : CookieSwap is an extension that enables you to maintain numerous sets or "profiles" of cookies that you can quickly swap between while browsing
httpOnly : Adds httpOnly cookie support to Firefox by encrypting cookies marked as httpOnly on the browser side
Allcookies : Dumps ALL cookies (including session cookies) to Firefox standard cookies.txt file
Security auditing
HackBar : This toolbar will help you in testing sql injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT learn you how to hack a site. Its main purpose is to help a developer do security audits on his code.
Tamper Data : Use tamperdata to view and modify HTTP/HTTPS headers and post parameters.
Chickenfoot : Chickenfoot is a Firefox extension that puts a programming environment in the browser’s sidebar so you can write scripts to manipulate web pages and automate web browsing. In Chickenfoot, scripts are written in a superset of Javascript that includes special functions specific to web tasks.
Proxy/web utilities
FoxyProxy : FoxyProxy is an advanced proxy management tool that completely replaces Firefox’s proxy configuration. It offers more features than SwitchProxy, ProxyButton, QuickProxy, xyzproxy, ProxyTex, etc
SwitchProxy: SwitchProxy lets you manage and switch between multiple proxy configurations quickly and easily. You can also use it as an anonymizer to protect your computer from prying eyes
POW (Plain Old WebServer) : The Plain Old Webserver uses Server-side Javascript (SJS) to run a server inside your browser. Use it to distribute files from your browser. It supports Server-side JS, GET, POST, uploads, Cookies, SQLite and AJAX. It has security features to password-protect your site. Users have created a wiki, chat room and search engine using SJS.
Misc
Hacks for fun
Greasemonkey : Allows you to customize the way a webpage displays using small bits of JavaScript (scripts could be download here)
Encryption
Fire Encrypter : FireEncrypter is an Firefox extension which gives you encryption/decryption and hashing functionalities right from your Firefox browser, mostly useful for developers or for education & fun.
Malware scanner
QArchive.org web files checker : llowing people to check web files for any malware (viruses, trojans, worms, adware, spyware and other unwanted things) inclusions.
Dr.Web anti-virus link checker : This plugin allows you to check any file you are about to download, any page you are about to visit
ClamWin Antivirus Glue for Firefox : This extension scans every downloaded file automatically with ClamWin.
Anti Spoof
refspoof : Easy to pretend to origin from a site by overriding the url referrer (in a http request). — it incorporates this feature by using the pseudo-protocol spoof:// .. thus it’s possible to store the information in a "hyperlink" - that can be used in any context .. like html pages or bookmarks
Besides, we keep watching new extensions and we are on the way to develop a new extension for Nmap and Nessus. So keep watching us.
Feel free to send us (info[at]security-database[dot]com) any useful information about security and audit oriented firefox extensions. Means:
互联网是您能"virtually" 的一个令人惊讶的虚拟世界; 做任何东西: 赌博, 演奏, 观看电影, 购物、工作, "VoIPying", 暗中侦察人民和肯定验核远程系统。 这篇文章是受著作权保护的安全Database.com 安全测试器社区有安全工具, 方法学和更多的一个大盘区执行他们的pentests 和审计评估。但什么发生如果您找到自己weaponless 。 没有不名列前茅100 个安全工具、没有其他LiveCDs 和没有其他开发框架。安全审计员没有工具箱是象一个警察没有枪。 Nevertherless, 有可能方式抢救自己从这个恶梦情况。 魔术的解答能是Firefox 和它的引伸由道德黑客和编码人开发。 这篇文章来作为一次更新为什么我们早先张贴了关于怎样交换您的firefox 对更多比一个通常简单的浏览器。它是关于应用验核 这有用的安全更新名单验核引伸: 信息汇聚 Whois 和geo 地点 ShowIP: 显示当前时期的IP 地址在状态条。它并且准许询问海关由IP (鼠标右键) 并且Hostname(鼠标左键), 象whois, netcraft 。 Shazou: 产品称Shazou (发出音的Shazoo 它是日语为映射) 使能用户与一点击映射和geo 位于他们当前观看的任一个网站。 HostIP.info Geolocation: 显示Geolocation 信息为一个网站使用hostip.info 数据。工作以所有Firefox 的版本。活跃Whois: 开始活跃Whois 得到关于任何网站所有者和它的主服务器的细节。 Bibirmer 工具栏: 一个全在一起的引伸。但审计员需要演奏与工具箱。它包括(WhoIs, DNS 报告, Geolocation, Traceroute, 砰) 。非常有用对于信息会集阶段列举/fingerprinting 倒栽跳水间谍: 展示HTTP 倒栽跳水在statusbar 倒栽跳水显示器: 这是Firefox 引伸为显示在最高级文件任一个HTTP 响应标题返回由网络服务器的statusbar 盘区。例子: 服务器(), 内容内码, 内容类型, X 供给动力由和其他人。社会工程学寻人和公众纪录: 这个Firefox 引伸是为调查员、记者、法定专家、房地产开发商, 网上研究员和任何人的一个得心应手的菜单工具对做感兴趣他们自己基本的寻人和公众记录查寻并且背景研究。 Googling 和spidering 先进的dork: 给对Google 的先进的操作员的快速存取直接地从上下文菜单。这能被用于蜘蛛站点或扫瞄为隐含文件(这个蜘蛛技术被使用通过scroogle.org) SpiderZilla: Spiderzilla 是一项易使用的网站镜子公共事业, 根据Httrack 从www.httrack.com 。看法附庸: 看法附庸增加一个制表符来"page info" 窗口, 它列出所有文件被装载显示当前时期(有用为一个spidering 的技术) 安全评估/代码验核 编辑 JSView: ' 看法页来源' 菜单项目现在打开文件根据您选择在jsview 选择的行为。这允许您打开任一个网页原始代码在一个新制表符或在一位外在编辑。 Cert 观察者加上: 增加二个选择来证明观察者在Firefox 或雷鸟: X.509 证明可能或被显示在PEM 格式(Base64/RFC 1421 年, 打开在一个新窗口) 或被保存对文件(在PEM 或DER 格式- 和PKCS#7 在各自补丁被应用了- 条件下锎。纵火犯: 纵火犯集成与Firefox 投入财富开发工具在您的指尖当您浏览。您能编辑, 调试, 和监测CSS 、HTML, 和Java 语言活在任一个网页 XML 开发商Toolbar:allows XML 对标准的开发商的用途用工具加工所有从您的浏览器。倒栽跳水操作 HeaderMonitor: 这是Firefox 引伸为显示在最高级文件任一个HTTP 响应标题返回由网络服务器的statusbar 盘区。例子: 服务器(), 内容内码, 内容类型, X 供给动力由和其他人。 RefControl: 控制什么得到送作为HTTP Referer 根据每站点依据。用户代理调转工:Adds 菜单和工具栏按钮交换浏览器的用户代理曲奇饼操作增加N 编辑曲奇饼: 准许的曲奇饼编辑您增加和编辑"session" 并且被保存的曲奇饼。 CookieSwap: CookieSwap 是使您维护许多集合或"profiles" 的引伸; 曲奇饼那您能迅速交换之间当浏览 httpOnly: 作为httpOnly httpOnly 增加曲奇饼支持来Firefox 由编成密码的曲奇饼被标记在浏览器边 Allcookies: 倾销所有曲奇饼(包括会议曲奇饼) 对Firefox 标准cookies.txt 文件安全验核 HackBar: 这个工具栏将帮助您在测试sql 射入、XSS 孔和站点安全。这不是为执行标准盘剥的一个工具并且它不会学会您怎么乱砍站点。它的主要目的将帮助开发商做安全审计在他的代码。堵塞器数据: 使用tamperdata 观看和修改HTTP/HTTPS 倒栽跳水和岗位参量。 Chickenfoot: Chickenfoot 是投入一个程序环境在浏览器的sidebar 的Firefox 引伸因此您能写剧本操作网页和自动化网浏览。在Chickenfoot, 剧本被写在包括特别作用具体对网任务Java 语言的超集。 Proxy/web 公共事业 FoxyProxy: FoxyProxy 是完全地替换Firefox 的代理人配置的一个先进的代理人管理工具。它提供更多特点比SwitchProxy 、ProxyButton 、QuickProxy 、xyzproxy 、ProxyTex, 等 SwitchProxy: SwitchProxy 让您迅速和容易地处理和交换在多种代理人配置之间。您能并且使用它作为anonymizer 保护您的计算机免受撬起的眼睛战俘(简单的老网络服务器): 简单的老网络服务器使用服务器边Java 语言(SJS) 跑一台服务器在您的浏览器里面。使用它分布文件从您的浏览器。它支持服务器边JS, 得到, 张贴,向上作用的负载、曲奇饼、SQLite 和AJAX 。它有安全特点密码保护您的站点。用户创造了一个wiki 、聊天室和搜索引擎使用SJS 。混杂 文丐为乐趣 Greasemonkey: 允许您定做方式网页显示使用小位Java 语言(剧本能是下载这里) 编成密码火Encrypter: FireEncrypter 是给您encryption/decryption和哈希功能从您的Firefox 浏览器, 主要有用为开发商或为教育& 的Firefox 引伸; 乐趣。 Malware 扫描器 QArchive.org 网归档验查员: llowing 的人民检查网文件任何malware (病毒、特洛伊人、蠕虫、adware 、spyware 和其它不需要的事) 包括。 Dr.Web 反病毒链接验查员: 这插入式允许您检查您将下载的任一个文件, 您将参观的任一页 ClamWin Antivirus 胶浆为Firefox: 这个引伸自动地扫描每个被下载的文件与ClamWin 。 反Spoof refspoof: 容易假装对起源从站点由忽略url referrer (在http 请求) 。- 它合并这个特点由使用冒充协议spoof://. 。它因而是可能存储信息在"hyperlink" - 可能被使用在任一上下文。象HTML 页或书签其外, 我们继续观看新引伸并且我们是在途中开发一个新引伸为Nmap 和Nessus 。如此保留观看我们。 感到自由寄发我们(info[at]security-database[dot]com) 关于安全和审计针对的firefox 引伸的任一有用的信息。
Right?
页:
[1]