Doug Vitale Tech Blog

Browser-based penetration testing with Firefox and Chrome

With the proper extensions installed, you can hack from the comfort of your Firefox or Chrome browser. Within Firefox, add-ons are divided into three categories: extensions, appearance themes, and plugins. Extensions extend the functionality of Firefox past simple web browsing. Appearance themes change the way Firefox looks, and plugins are necessary for Firefox to display specialized non-HTML Web content such as Flash, Java script, multimedia, etc.

The Firefox add-ons interface, accessible via Tools-->Add-ons in the menu bar

The Firefox add-ons interface, accessible via Tools–>Add-ons in the menu bar

Google Chrome labels all add-ons as “extensions”. The Chrome website lists them in the same column as “Apps” and “Themes”.

The Chrome extensions interface, accessible via Chrome Menu-->Tools-->Extensions

The Chrome extensions interface, accessible via Chrome Menu–>Tools–>Extensions

FireCAT

You can turn Firefox into a hacking platform by installing FireCAT, which is a collection of security auditing and assessment tools in the form of browser extensions. Of course, you must first install Firefox before installing the FireCAT suite.

With Firefox installed, you can acquire the FireCAT extensions by individually downloading them on the Firecat 1.5 Mozilla add-ons page or on Santoshdudhade.blogspot.com.

Alternatively you can download all the FireCAT extensions in a single .zip file for offline installation from the Firecat ToolsWatch page or the Firecat Sourceforge page (currently one version behind ToolsWatch). The .zip file contains all the extensions in .xpi format. Additionally it contains an HTML page with links to the extensions’ unique pages on addons.mozilla.org.

Curiously absent from the FireCAT suite are the Firesheep and Fireshark extensions which perform packet sniffing.

Other collections of hacking extensions are available on PenTestLab and addons.mozilla.org. These lists contains several extensions not found in FireCAT, such as HttpFox, ShowIP, CipherFox, and CryptoFox.

Mantra

Mantra is more than a suite of Firefox extensions; it is a customized edition of Firefox itself created by the Open Web Application Security Project (OWASP). It can be downloaded from GetMantra.com or the Mantra SourceForge page. Not only does Mantra contain a slew of useful hacking extensions, but it also comes with dozens of handy links to websites dealing with penetration testing and vulnerability assessments.

Mantra is a portable application, meaning that it does not have to be installed like traditional programs. Instead, you download the Mantra .exe file and extract the contents to a directory of your choice, such as C:\users\yourname\software. The extraction process will create a MantraPortable folder in this location, and inside this folder you will find MantraPortable.exe. Just launch this executable and the Mantra browser will initiate. The benefit of this portability is that you could copy the contents of the MantraPortable folder onto any media (such as a USB drive) and then run Mantra on any computer you connect the drive to.

Mantra v0.91 interface

The Mantra v0.91 interface

Mantra v0.91 links

Some of the URL links that come preinstalled on Mantra

Additional screen shots can be seen on the Mantra Owasp.org page. The Mantra blog is also an interesting place.

KromCAT

KromCAT is just like FireCAT but for the Google Chrome browser. Although the main KromCAT site is currently down, links to the individual Chrome extensions are available from the Google cache snapshot. KromCAT itself can still be obtained from 4-shared.eu.

Chrome extensions

Like Firefox, Chrome can be outfitted with a wide array of hacking-related extensions. You can browse through them on A4AppHack, Anantshri.info, and Security-Shell.

Recommended reading

If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!

Browser Hacker's Handbook on Amazon Browser Hacker’s Handbook Hacking Exposed on Amazon Hacking Exposed Hacking The Next Generation on Amazon Hacking: The Next Generation

Basic Security Testing with Kali Linux on Amazon Security Testing w/Kali Network Security Bible on Amazon Network Security Bible Network Security Assessment on Amazon Network Assessment

Web Penetration Testing with Kali Linux on Amazon Web Pen Testing with Kali Network Security Auditing on Amazon Network Security Auditing Google Hacking for Penetration Testers on Amazon Google Hacking

Written by Doug Vitale

December 28, 2012 at 3:07 PM

%d bloggers like this: