
How to use MobSF to analyze a Mobile Web Application

There are a number of excellent tools available for testing mobile web applications.  Unfortunately, many of them cost a significant amount of moolah.  A few are currently free to use, though, and today we are going to take a deep dive into getting you your first Mobile Security Framework (MobSF) report from the mobile web app you are testing.

Before testing mobile web applications, please be sure that your organization has the required documentation and written consent from the owning organization in order for you to do so.  Typically this will be included in a SOW (Statement of Work) and ROE (Rules of Engagement).
MobSF Install and Use:

Now that we have the .APK and have it in our Kali box, let's get our Mobile Security Framework up and running.

I would be doing you a disservice if I tried to go step by step through the setup without telling you that MobSF and ajinabraham already have excellent tutorials on getting up and running with the MobSF tool, because they do.

Feel free to visit their page or continue on and follow the next few steps.

For Windows or Mac, please see the MobSF documentation at this link: https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/1.-Documentation

The reason I run Kali in a virtual environment is that I can suspend it, keep a dedicated MobSF VM, and have my reports saved under ‘recent MobSF reports’, so I can switch back and forth to it and analyze source code whenever I need to.

For Kali Linux, follow along here.  Pull up your terminal/command line in Kali Linux and run:

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF

This clones the repository, then switches into its directory as shown above.

sudo apt install build-essential libssl-dev libffi-dev python-dev
pip install -r requirements.txt --user

Then install these system libraries, which are essential to getting up and running, along with the Python requirements and dependencies.

Now, in every pentest I have been a part of, there is always a pentester who claims to have done the work but has NO report to back it up.  Don’t be that GUY/GAL!

Run this command:

sudo apt-get install wkhtmltopdf

This gives you the option, at the end of uploading your .APK file, to download the PDF and have a report showing that the analysis has at least been run, that an artifact exists, and that it can be referenced later.

After this, we are ready to start the MobSF Server.

In your terminal run

python manage.py runserver

[Screenshot: MobSF server running]

Now you have your server running, but wait, there is nowhere to insert my APK file!?

That’s because MobSF is AWESOME!

Pull up your browser and go to http://localhost:8000/

You will now see the web interface, which is drag-and-drop ready for the .APK file you have already downloaded from your Google Drive/Dropbox account.

[Screenshot: MobSF analyzing the APK]

Throw it in, and you will see the server in the background have fun analyzing this .APK while you sit back and relax.

[Screenshot: MobSF report]

Be sure you are aware of the OWASP Mobile Security Checklist; it is essential to making sure you cover your bases as a pentester.  You are not required to know everything, but you are required to know how and where to find EVERYTHING.

So hop to it and get analyzing.  You have your report; at the bottom left you can download it as a PDF, but please work from the web interface.  It lets you download the Java code for the application and really get your hands dirty, and it is more user friendly than the PDF report (which you should still keep as an artifact).

[Screenshot: Analysis]

Here is the certificate for the application, which you can check against industry standards.

[Screenshot: Permissions]

Also make sure the permissions for your application Make Sense!  Go through them while testing the functionality of the application, and make sure the user is asked for the appropriate permissions rather than having them assumed (many a lawsuit has happened because the creator of a mobile application assumed that data could be taken and/or shared).

[Screenshot: Manifest Analysis]

As you can see in the Manifest Analysis, MobSF rates many items as high severity.  There is a fine line between customer experience and security, which is why you see what you see.  Read the description and use your God-given critical thinking skills to analyze each item; do not just throw this report at your Project Manager or client and say “fix these things!”  If you find something out of the ordinary, or seriously think you have a few items that may lead to vulnerabilities, do some research, or, crazier yet, ASK someone!

MobSF allows you to download the Android manifest, the Java code, and the smali code.  Unfortunately, this tool does generate false positives.  Verify the issues described by Mobile Security Framework by downloading the code and analyzing it.  Do your due diligence.  Prove vulnerabilities exist.
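One way to do that due diligence on the manifest findings is to re-check them against the downloaded AndroidManifest.xml yourself.  The script below is an added example, not MobSF’s code or the original post’s; it re-implements a few of the common manifest checks (debuggable, allowBackup, exported components with no permission gate, requested permissions) on a constructed sample manifest.

```python
"""Added example (not MobSF code): confirm common Manifest Analysis findings
directly from an AndroidManifest.xml before they go into a client report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest: one exported activity with no permission, one
# exported receiver gated by a permission, a private service, debug and backup on.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.constructed.SYNC"/>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(comp):
    """Explicit android:exported wins; otherwise a component with an
    intent-filter is implicitly exported (pre-targetSdk 31 behaviour)."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    return comp.find("intent-filter") is not None


def review_manifest(xml_text):
    """Return (finding, detail) tuples an analyst should verify by hand."""
    root = ET.fromstring(xml_text)
    findings = [("uses_permission", attr(p, "name"))
                for p in root.findall("uses-permission")]
    app = root.find("application")
    if app is None:
        return findings
    if attr(app, "debuggable") == "true":
        findings.append(("debuggable", "android:debuggable=true"))
    if attr(app, "allowBackup") == "true":
        findings.append(("allowBackup", "android:allowBackup=true"))
    for comp in app:
        # Exported and not protected by android:permission: reachable by any app.
        if comp.tag in COMPONENTS and is_exported(comp) and not attr(comp, "permission"):
            findings.append(("exported_unprotected", "%s %s" % (comp.tag, attr(comp, "name"))))
    return findings


if __name__ == "__main__":
    for kind, detail in review_manifest(SAMPLE_MANIFEST):
        print("%-22s %s" % (kind, detail))
```

Point it at the manifest MobSF lets you download and compare its output with the Manifest Analysis table; anything MobSF flagged that does not show up here deserves a closer look in the code rather than a line in the report.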

Have fun, learn lots.

~Cyber Incision out

The Top Five Computer Forensic Tools

Forensic tools need to be updated on a regular basis.  Whether because of patches, new hardware, or just a changing technological landscape, tools must be maintained in order to remain relevant.  Ongoing support is just one of the reasons that the tools discussed in this article are the most used in the forensic community.  Here we will discuss the capabilities and usability that, in my opinion, make these tools some of the most used.

Forensics is the retrieval, collection, and interpretation of computer data without corrupting that data.  Therefore the best tools should be able to produce discoverable, unfiltered accounts of a suspect’s data, activity, and electronic records.  Guidance Software has developed a phenomenal product, which I discussed in week one’s post (EnCase Forensic Imager, 2013).  EnCase Forensic Imager saves forensic investigators hours and hours of sorting through large amounts of forensic computer data that may or may not be relevant to the case they are working.  EnCase does this not just through the speed with which it can search and collect data, but also through its built-in automation.  Of course it performs, but it is also one of the top sellers in the forensic community according to their website.  Here is the kicker: $$$$$.  If you are looking for something to just get your hands dirty with, this is not the tool for you.  This is for the organization that is looking for a new PRODUCT to write off on their taxes!  For getting your hands dirty with a forensic toolkit, look no further than the next line.

SIFT (SANS Investigative Forensic Toolkit) has to come in second place (FREE).  It comes in second because it is an excellent combination of open source tools that are all updated and worked on by the community (not to mention a pretty cool acronym).  I am partial to Ubuntu and other Linux-based systems, and this had a lot to do with choosing it for my number two, along with the fact that anyone who takes a SANS training course (more to come on these later) will get some serious hands-on training with this toolkit.  Some of these tools are world class and some are only usable on specific versions, but nonetheless, because of the popularity of SANS certifications and the number of people going through their certification process (myself included), I would say this is one of the top five forensic tools.  This is an excellent example of how SANS practices what they preach (keep it up to date as well), and also promotes what they preach.  Click on the image to get over to the SIFT install directions on YouTube.

ProDiscover Forensics is going to end up as number three on the list.  It is categorized as one of the top tools used for a few reasons, the first being that it is a free tool.  Free means lots of individuals are able to handle the steep price, and the quality that comes along with it is acceptable.  This tool specifically goes into preparing legal reports with all of the data relevant to the case, previewing all files along with their corresponding metadata, and cross-referencing data to make sure nothing is hidden (Shakeel, 2016).  With this in mind, it is an excellent tool for smaller organizations that are either getting their forensics function up and running or looking for new tools to expand their craft.

Xplico is tool number four, as it is a network forensic tool that helps reconstruct the contents of packets captured with Wireshark and similar sniffers (Shakeel, 2016).  This tool can take these packets and output the reconstructed data into multiple types of databases, which makes it flexible, and there is no size limit on the data entry, which makes this tool excellent for any size of investigation.  This tool is loaded by default into many of the main penetration testing Linux images, such as Kali Linux, which makes it one of the most widely used tools on the market.

X-Ways Forensics is one of our final contenders for most used forensic tools.  This is a tool that is capable of running off of a USB drive and will make complete disk images, identifying lost and/or deleted partitions as well.  This is a very popular tool as well, and it lives up to its name.

These, in my opinion, are my top five forensic tools.  I use Kali Linux frequently, so this list does not include any packet sniffers such as Wireshark or web app analysis tools such as Burp Suite.

References and Tools:

Access Data. (2017). Retrieved June 5, 2017, from http://www.accessdata.com/

Arsenal Recon. (2017). Retrieved June 5, 2017, from http://arsenalrecon.com/apps/recon/

Carrier, B. (2017). Open Source Digital Forensics. Retrieved June 5, 2017, from http://www.sleuthkit.org/

EnCase Forensic Imager v7.06 User’s Guide [PDF]. (2013). Guidance Software Inc.

Guidance Software. (2017). Retrieved June 5, 2017, from https://www.guidancesoftware.com/encase-forensic?cmpid=nav_r

SANS Institute. (2017). SANS Investigative Forensic Toolkit (SIFT) Workstation Version 3. Retrieved from https://digital-forensics.sans.org/community/download

Shakeel, I. (2016, December 14). 7 Best Computer Forensics Tools. Retrieved May 18, 2017, from http://resources.infosecinstitute.com/7-best-computer-forensics-tools/#gref


Is Cyber Security For You?

I was once looking for an article just like this and asking questions like:

Where do I begin?

I am more than ready for a change.

Is this what I want to do?

Cyber Security may look like a daunting major to get involved in, but it truly is like many other types of STEM degrees, no matter what you decide to jump into: whether you are brand new to college, moving from an Associate’s Degree on to your Bachelor’s, or going for a more advanced Master’s or PhD.

If you are going into STEM, be prepared to learn a new language.  No, I am not talking about learning a romance language like Spanish or Italian; I am talking about learning the jargon of the computer trade.  The stuff that, right now, if you were to talk to ‘That IT guy’, you would not be able to follow along, and I mean at ALL!

I was sitting in this spot a number of years ago.  Business Major, been taking college courses for Waaayy too long, and working in the finance industry.  I knew I could complete my Business Degree, but then what?

I asked myself this as I watched many new business majors intern and get entry-level positions at the organization I already worked at, without my having a Bachelor’s.  (Mind you, I was tired of dealing with the aftermath of cyber criminals and filing multiple fraud claims a day on customers’ behalf.)  I was ready to make a change and do something about it instead.

So I started searching for articles like the one you are reading now.  What I discovered was that the cyber security field was growing, and not just growing but Blowing Up.  Forbes said that this field is going to grow from $75 billion in 2015 to $170 billion by 2020, and that there are more than 200,000 jobs open in the US just waiting for a qualified candidate.  This means big opportunities, and extremely competitive salaries, for those entering the field.

A bunch of ‘Sorry, you aren’t who we are looking for Mr. Bank Manager’ interviews later, I found one ‘Yes, let’s go hack some things together’ interview.

And Here I am.

14 certifications later, I am working in the Cyber Security field (from home at the moment, mind you) and loving every second of it.  My boss is the man (not the stick-it-to-the-man type, the one you WANT to work for type), and I learn something new Every. Single. Day.  I may take a break here in an hour or two to go play racquetball with my son, and squeeze and hug the nonsense out of my 10 month old baby daughter, because I can, and because I used to spend that time in traffic each and every day.  Either way, I enjoy the extra time I have and am more efficient with the time I put into my work.  I enjoy what I do.  I enjoy learning every day.  Do you?

So where are you? What are you doing? Most importantly, WHY are you doing it?

If you think that this journey will be like that hacker movie you watched last night (follow that link for a good laugh or three!), you are most definitely going to be disappointed.  There is another excellent post on what it is like in the infosec field, written by Parisa Tabriz, which, while a tad lengthy, I challenge you to check out.


I realized (and I want you to realize this or at least ponder this by the end of today) that I needed to do this for me because I wanted something different.  I am not sure if you are in the same place or maybe just furthering your career but I urge you to take a leap of faith, try something new, then try harder at it, and take it one step at a time.

I hope and pray you make the right decision for your life, don’t hesitate, just decide.  Be a changer, a shaker, a mover. Be ethical, have integrity, and never ever stop learning.  Sit down and think about next year, 5 years, and 10 years from now.

I look forward to walking with you through all of it, step by step.

Let’s begin with your Incision into the Cyber Realm.