Penetration Testing and Auditing Toolkit for Android Apps - AndroTickler

A java tool that helps to pentest Android apps faster, more easily and more efficiently. AndroTickler offers many features of information gathering, static and dynamic checks that cover most of the aspects of Android apps pentesting. It also offers several features that pentesters need during their pentests. AndroTickler also integrates with Frida to provide method tracing and manipulation. It was previously published under the name of Tickler.

AndroTickler requires a linux host and a rooted Android device connected to its USB port. The tool does not install anything on the Android device, it only creates a Tickler directory on /sdcard . AndroTickler depends on Android SDK to run commands on the device and copy app's data to TicklerWorkspace directory on the host for further analysis. TicklerWorkspace is the working directory of AndroTickler and each app has a separate subdirectory in TicklerWorkspace which can contain the following (depending on user actions):

• DataDir directory: a copy of the data directory of the app
• extracted directory: Output of apktool on the app, contains smali code, resources, libraries...etc.
• bgSnapshots directory: Contains background snapshots copied from the device.
• images directory: contains any screenshots taken for the app.
• JavaCode directory: Contains app's Java code decompiled by dex2jar and JD tools
• logs directory: contains log files produced by -t -log, as explained below
• transfers: files and directories copied from the device to the host using -copy2host
• AndroidManifest.xml: The manifest file of the app as per apktool
• base.apk: the APK file of the app, installed on the device
• debuggable.apk: a debuggable version of the app, produced by -dbg

libs directory and Tickler.conf configuration file exist in the same directory of the jar file. The configuration file sets the location of TicklerDir directory on the host and Tickler on /sdcard of the android device. If the configuration file does not exist or these 2 directories are not set, then default values will be used (Tickler_workspace on the current directory and /sdcard/Tickler respectively). Tickler_lib directory contains some Java libraries and external tools used by AndroTickler such as apktool and dex2jar.

AndroTickler highly depends on the following tools, so they should exist on your machine before using it:

• Java 7 or higher
• Android SDK tools (adb and friends)
• sqlite3

Other tools are required for some features, but AndroTickler can still run without them:

• Frida
• jarsigner

How to use it

1. Build tool from code
2. Move AndroTickler.jar is to the same directory as Tickler_lib directory and Tickler.conf file (automatically created in build/libs)
3. Connect your Android device with the application-to-test installed on

Install

curl -s "https://get.sdkman.io" | bash
source "$HOME/.sdkman/bin/sdkman-init.sh"
sdk install gradle 4.4
git clone https://github.com/ernw/AndroTickler
cd AndroTickler
gradle build

The current version does the following:
Command help

java -jar AndroTickler.jar -h

Information gathering/Static analysis:
List installed Apps on the device:

java -jar AndroTickler.jar -pkgs

Searches for an app (package) installed on the device, whose package name contains the searchKey

java -jar AndroTickler.jar -findPkg 

package without extra attributes

java -jar AndroTickler.jar -pkg  [other options]

Any command with a -pkg option (whether used with any of the following options or not), does the following actions if they have not been done before:

• Copies the app from the device
• Extracts the Manifest file of the app
• Decompiles the app to Java code using dex2jar and JD tools

General Info

java -jar AndroTickler.jar -pkg  -info

Returns the following information:

• App's user ID
• App's Directories path
• If the app's code indicate usage of external storage
• App's directories that already exist in External storage
• Content URIs in the code
• If the app is backable
• If the app is debuggable
• Data schemes (like iOS IPC)
• The permissions it uses

Code Squeezing

java -jar AndroTickler.jar -pkg  -squeeze [short |  ]

Fetches the following from the decompiled Java code of the app:

• Log messages
• Any indication of possible user credentials
• Java comments
• Used libs
• URLs in code
• Usage of shared preferences
• Usage of external storage
• Common components such as OkHttp and WebView

Unsurprisingly, its output is usually huge, so it is recommended to redirect the command's output to a file
short Squeezes only the decompiled code that belongs to the developer. For example, if an app has a package name of com.notEnaf.myapp, then squeeze short squeezes only the code in com/notEnaf directory.
Squeezes the code only in codeLocation directory. Helpful to limit your search or squeeze the source code if available.

Listing Components

java -jar AndroTickler.jar -pkg  -l [-exp] [-v]

Lists all components of the app
-exp Shows only exported components
-v Gives more detailed information for each component:

• Component type
• Whether exported or not
• Its intent filters
• The tool checks the corresponding Java class to each component and returns all possible intent extras

Listing any kind of components

java -jar AndroTickler.jar -pkg  -l [-act | -ser | -rec | -prov ] [-exp] [-v]

• -act : activities
• -ser : services
• -rec: broadcast receivers
• -prov: Content providers
• -exp: show only exported components of any of the above type

Databases

java -jar AndroTickler.jar -pkg  -db [|e|l|d] [nu]

By default, all -db commands update the app's data storage directory on the host before running the check.
no attribute OR e Tests whether the databases of the app are encrypted. It is the default action in case no option is given after -db flag. l Lists all databases of the app. Encrypted databases might not be detected. d Takes a sqlite dump of any of the unencrypted databases. nu noUpdate: runs any of the above options without updating the app's data directory on the host.

Data Storage Directory Comparison

java -jar AndroTickler.jar -pkg  -diff [d|detailed]

Copies the data storage directory of the app (to DataDirOld) then asks the user to do the action he wants and to press Enter when he's done. Then it copies the data storage directory again (to DataDir) and runs diff between them to show which files got added, deleted or modified.
d|detailed Does the same as the normal -diff command, also shows what exactly changed in text files and unencrypted databases.

Search

Code

java -jar AndroTickler.jar -pkg  -sc  []

Searches for the key in the following locations:

• The decompiled Java code of the app
• res/values/strings.xml
• res/values/arrays.xml

Search is case insensitive.
Replaces the decompiled Java code location with the custom location.

Storage

java -jar AndroTickler.jar -pkg  -sd 

Searches the Data storage directory of the app for the given key

Tickling
Triggers components of the app, by all possible combinations of intents. For example, if an activity has an intent-filter of 2 possible actions and 3 data URI schemes, then AndroTickler will trigger this activity with all possible combinations of this intent. Additionally, AndroTickler captures the intent extras mentioned in the Java class corresponding to the component, assign them dummy values and add them to the possible intent combinations. Only extras of type boolean, string, int and float are supported.
if the -exp option is used, then the components will be triggered without root privileges or any special permissions. If not, then the components will be trigged with root privileges. This helps to test the app in 2 different scenarios: against normal-privileged or high-privileged attackers.
Before triggering components, AndroTickler prints all the commands to be executed. Then for each command, it triggers the component, prints the command then waits for the user. This gives the user enough time to do any extra checks after the command's execution. Before the user moves on to the next command, he's given the option to capture a screenshot of the device for PoC documentation.

java -jar AndroTickler.jar -pkg  -t [-all | -exp] [target] [-log]

target as explained with list command, can be:

• -act : activities. starts the (activity/activities) with all intent combinations as explained above
• -ser : services. starts the service(s) with all intent combinations as explained above
• -rec: broadcast receivers: sends all possible broadcast messages that would match the broadcast receiver(s)
• -prov: Content providers: queries the content provider(s)

if no value, then the target is all of the above
[-comp] Specifies one component only. You can also use directly without -comp flag. -exp AndroTickler uses normal privileges to trigger only the exported targets. -all The default option. AndroTickler uses root privileges to trigger the exported targets -log Captures all logcat messages generated during the triggering session. Log file is saved in logs subdirectory.

Frida:
Frida should be installed on your host machine. Also the location of Frida server on the Android device should be added to Tickler.conf file in the Frida_server_path entry

Capture Arguments and return value

java -jar AndroTickler.jar -pkg  -frida vals    [-reuse]

Displays arguments and return value of this method (only primitive datatypes and String)
reuse In case of vals and set options, Frida creates/updates a Frida script of that functionality. You can modify the created script as you want, then if you want to run it through AndroTickler, then use -reuse option so that it doesn't get overridden.

Modify Arguments or Return Value

java -jar AndroTickler.jar -pkg  -frida set     [-reuse]

Sets the argument number NumberOfArgToModify to newValue (only primitive datatypes and String) If NumberOfArgToModify > NumberOfArgs: sets the return value

Run JS Frida script

java -jar AndroTickler.jar -pkg  -frida script 

Runs a frida JS script located at scriptPath on your host
Enumerate loaded classes:

java -jar AndroTickler.jar -pkg  -frida enum

Other Features

Debuggable version

java -jar AndroTickler.jar -pkg  -dbg

Creates a debuggable version of the app, which can be installed on the device and debugged using any external tool. AndroTickler comes with a keystore to sign the debuggable apk, but it requires jarsigner tool on the host.

Custom version

java -jar AndroTickler.jar -pkg  -apk 

Builds an apk file from a directory, signs it and installs it.

Background Snapshots

java -jar AndroTickler.jar [-pkg ] [-bg|--bgSnapshots]

Copies the background snapshots taken by the device (works with and without -pkg option) to bgSnapshots subdirectory.

Copy files / directories
Copy Data storage directory:

java -jar AndroTickler.jar -pkg  -dataDir  [dest]

Copies Data storage directory to DataDir dest Optional name of the destination directory, which will be located anyway at transfers sudirectory.
Copy any file / directory:

java -jar AndroTickler.jar -pkg  -cp2host  [dest]

Copies files / directories from the android devices.

• source_path is the absolute location of what you want to copy from the android device
• dest: optional name of the destination directory, which will be located anyway at transfers sudirectory.

If dest option is not given then the directory's name will be the timestamp of the transaction.

Screenshot

java -jar AndroTickler.jar [-pkg ] -screen

• Captures the current screenshot of the device and saves them in images subdirectory
• Works with or without the package flag

Note
For the options that do not require -pkg option, their data will be saved at Tickler_Dir/NoPackage

Examples:

java -jar AndroTickler.jar -pkg  -t  -act -exp

Triggers exported activities

java -jar AndroTickler.jar -pkg  -t -prov -log

Queries all content providers and saves logcat messages until the tool stops execution

java -jar AndroTickler.jar -pkg  -t  

Triggers the component, type of triggering depends on the type of the component

Download AndroTickler

Web Service Security Assessment Tool - WSSAT

WSSAT is an open source web service security scanning tool which provides a dynamic environment to add, update or delete vulnerabilities by just editing its configuration files. This tool accepts WSDL address list as input file and for each service, it performs both static and dynamic tests against the security vulnerabilities. It also makes information disclosure controls. With this tool, all web services could be analyzed at once and the overall security assessment could be seen by the organization.

Objectives of WSSAT are to allow organizations:

• Perform their web services security analysis at once
• See overall security assessment with reports
• Harden their web services

WSSAT’s main capabilities include:

Dynamic Testing:

• Insecure Communication - SSL Not Used
• Unauthenticated Service Method
• Error Based SQL Injection
• Cross Site Scripting
• XML Bomb
• External Entity Attack - XXE
• XPATH Injection
• Verbose SOAP Fault Message

Static Analysis:

• Weak XML Schema: Unbounded Occurrences
• Weak XML Schema: Undefined Namespace
• Weak WS-SecurityPolicy: Insecure Transport
• Weak WS-SecurityPolicy: Insufficient Supporting Token Protection
• Weak WS-SecurityPolicy: Tokens Not Protected

Information Leakage:

• Server or technology information disclosure

WSSAT’s main modules are:

• Parser
• Vulnerabilities Loader
• Analyzer/Attacker
• Logger
• Report Generator

The main difference of WSSAT is to create a dynamic vulnerability management environment instead of embedding the vulnerabilities into the code.

This project has been developed as Term Project at Middle East Technical University (METU), Software Management master program.

Download WSSAT

Nix Audit Made Easier - Nix-Auditor

A script to audit linux and unix distributions based mainly on the CIS standards and universal linux hardening guidelines. The value it brings to your auditing set of tools is:

• Speed - one can audit OS in less than 120 seconds and get report
• Accuracy - tested on CentOS and RedHat with 100% accuracy
• Customizeability - it is on github, code is easily customizeable to suit the OS type and the set of controls one needs to check.
• Simplicity - just make it executable an run!

Download Nix-Auditor

Web Application Security Testing Tool - Acunetix v11

London, UK – November 2016 – Acunetix, the pioneer in automated web application security software, has announced the release of version 11. New integrated vulnerability management features extend the enterprise’s ability to comprehensively manage, prioritise and control vulnerability threats – ordered by business criticality. Version 11 includes a new web-based UI for greater ease-of-use and manageability, providing access by multiple users.

For the first time in the marketplace Acunetix is launching an enterprise-level product that integrates sophisticated automated testing technology with vulnerability management, at a price point accessible to every development team. Chris Martin, CEO, Acunetix explains:

“Acunetix has for the past 12 years been at the forefront in web application security with its cutting-edge vulnerability scanning technology. With version 11 we have combined proactive scanning for web application vulnerabilities with the prioritization of mitigation activities. This integration helps security teams gain the intelligence they need to work more efficiently, prioritizing actions, assigning jobs and therefore reducing costs.”

The new web-based interface significantly improves the manageability of the Acunetix on-premises solution, making it easy for less seasoned security personnel to check the vulnerabilities within the company’s web assets. In addition, user privileges can be automatically assigned.

Nicholas Sciberras, CTO, Acunetix, comments: “Version 11 helps organizations engaged heavily in application development by utilising a role-based multi-user system.”

Inbuilt Vulnerability Management

New integrated vulnerability management features allow for the review of aggregated vulnerability data across all Targets, prioritizing security risks and therefore providing a clear view of the business’ security posture, while facilitating compliance.

New inbuilt vulnerability management features include:

• All Targets (web applications to scan) are now stored in Acunetix with their individual settings and can be easily re-scanned.
• Targets are displayed in one interface and classified by business criticality, allowing you to easily focus on the most important assets.
• Vulnerabilities can also be prioritized by the Target’s business criticality.
• Consolidated reports are stored in the central interface.
• Users can choose between “Target reports”, “Scan reports” or “All Vulnerabilities” report.

Web-based user interface

The user interface has been re-engineered from the ground up for greater usability and manageability. The minimalist design focuses on the most widely used and important features, doing away with extras which cluttered the screen. Since the interface is now web-based, multiple users can access it from their browser irrespective of the OS used.

Role-based multi-user system

Acunetix version 11 allows the creation of multiple user accounts, which can be assigned a particular group of targets. Depending on the privileges assigned to the user, the user can create, scan, and report on the targets assigned to him.This is particularly important for large enterprises, which require multiple users to help secure their assets.

Standard, Pro and Enterprise Editions

Acunetix version 11 will be available in three main editions: Standard, Pro and Enterprise.

Standard Edition – is the entry level, ideal for small organisations and single workstation users. The Standard Edition offers the same level of vulnerability detection provided in the Pro and Enterprise Editions and includes Developer, Executive Summary and OWASP Top 10 reports.

Pro Edition – The Pro Edition allows outsourced or insourced security professionals to group and classify asset targets. It integrates with Software Development Life Cycle (SDLC) project management or bug tracking systems, includes comprehensive compliance reports, and integrates with top Web Application Firewalls (WAFs).

Enterprise Edition – includes full multi-user team support and has the ability to deploy multiple scan engines managed by the central system. The Enterprise Edition will be able to scale from 3 to unlimited users and up to 50 Acunetix scan engines.

Download Acunetix v11

SSH Server Auditing - ssh-audit

ssh-audit is a tool for ssh server auditing.

Features

• SSH1 and SSH2 protocol server support;
• grab banner, recognize device or software and operating system, detect compression;
• gather key-exchange, host-key, encryption and message authentication code algorithms;
• output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
• output algorithm recommendations (append or remove based on recognized software version);
• output security information (related issues, assigned CVE list, etc);
• analyze SSH version compatibility based on algorithm information;
• historical information from OpenSSH, Dropbear SSH and libssh;
• no dependencies, compatible with Python 2.6+, Python 3.x and PyPy;

Usage

usage: ssh-audit.py [-bnv] [-l ] 

   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -b,  --batch            batch output
   -n,  --no-colors        disable colors
   -v,  --verbose          verbose output
   -l,  --level=    minimum output level (info|warn|fail)

• batch flag -b will output sections without header and without empty lines (implies verbose flag).
  
• verbose flag -v will prefix each line with section type and algorithm name. 

ChangeLog

v1.6.0 (2016-10-14)

• implement algorithm recommendations section (based on recognized software)
• implement full libssh support (version history, algorithms, security, etc)
• fix SSH-1.99 banner recognition and version comparison functionality
• do not output empty algorithms (happens for misconfigured servers)
• make consistent output for Python 3.x versions
• add a lot more tests (conf, banner, software, SSH1/SSH2, output, etc)
• use Travis CI to test for multiple Python versions (2.6-3.5, pypy, pypy3)

v1.5.0 (2016-09-20)

• create security section for related security information
• match and output assigned CVE list and security issues for Dropbear SSH
• implement full SSH1 support with fingerprint information
• automatically fallback to SSH1 on protocol mismatch
• add new options to force SSH1 or SSH2 (both allowed by default)
• parse banner information and convert it to specific sofware and OS version
• do not use padding in batch mode
• several fixes (Cisco sshd, rare hangs, error handling, etc)

v1.0.20160902

• implement batch output option
• implement minimum output level option
• fix compatibility with Python 2.6

v1.0.20160812

• implement SSH version compatibility feature
• fix wrong mac algorithm warning
• fix Dropbear SSH version typo
• parse pre-banner header
• better errors handling

v1.0.20160803

• use OpenSSH 7.3 banner
• add new key-exchange algorithms

v1.0.20160207

• use OpenSSH 7.2 banner
• additional warnings for OpenSSH 7.2
• fix OpenSSH 7.0 failure messages
• add rijndael-cbc failure message from OpenSSH 6.7

v1.0.20160105

• multiple additional warnings
• support for none algorithm
• better compression handling
  
• ensure reading enough data (fixes few Linux SSH)
  

v1.0.20151230

• Dropbear SSH support
  

v1.0.20151223

• initial version
  

Download ssh-audit

The Ultimate WordPress Audit Trail Plugin - WP Security Audit Log

Why Do You Need a WordPress Audit Trail?

First things first, why would you need a WordPress audit trail? A WordPress audit trail is a record, or better a log of every change that happened on your WordPress, similar to Syslog on Linux/Unix or the Events Viewer on Microsoft Windows. The WordPress audit trail can be used to:

• Keep track of users’ productivity (ideal for multi-users setups),
• Ease the troubleshooting in case something is wrong with the WordPress website,
• Identify any possible malicious WordPress hack attacks before they actually happen,
• Catch hackers red handed if they manage to hack into your WordPress,
• Do all the forensics to track back which security hole the hackers exploited so you can close it down.

The above are just a few reasons mostly related to WordPress security of why you would need to keep a record of all the changes that happen on your WordPress. There are many other reasons related to business and operations, for example to ensure that your business WordPress website meets today’s stringent regulatory compliance regulations, in case you’re using WordPress for your business website.

Getting Started with the WP Security Audit Log Plugin

Install the WP Security Audit Log plugin from your Plugins page in your WordPress dashboard and activate it. By default the WP Security Audit Log will keep track of all these changes on your WordPress. You can also watch the short video below for a quick introduction.

Comprehensive Tracking of WordPress Changes

The comprehensive WordPress audit trail is what sets this plugin apart from the competition. For example while the other audit log plugins simply record that a post was updated, WP Security Audit Log tells you what exactly changed in the post. For example in the screenshot below we can see that the plugin kept a record when all of the below changes happened:

• User opened the post in the editor,
• Author of the post was changed,
• Title of the post was changed,
• URL of the post was changed

In case the content is changed the alert reporting the change in the plugin will allow you to see the revision of changes, as per the below screenshot.

Fully Configurable WordPress Audit Trail Plugin

WP Security Audit Log is also a fully configurable WordPress plugin, therefore it allows you to customize the plugin’s functionality to suite your own needs. Below is an overview of what you can configure.

Enable / Disable Alerts

The plugin keeps a record of all these WordPress changes. If for example you do not want to keep a record each time a logged in user, or a website visitor requests a non-existing page (HTTP 404 Error) navigate to the Enable/Disable Alerts > System Activity tab and disable Alert 6007 as shown in the below screenshot.

Browse through the different categories to find the change you would like to disable or enable back.

Generic Plugin Settings

You can also configure things such as:

• Support for WAFs and reverse proxy (more information on this option),
• Specify who can access the plugin’s settings and manage it,
• Enable logging, developer options,
• And much more.

Audit Trail Settings

In the Audit Log / Trail settings you can configure settings related to the WordPress audit trail, such as:

• Automatic pruning of alerts from the audit trail,
• Who can view the WordPress audit trial,
• The time zone the plugin uses to timestamp the WordPress changes etc.

Exclude Objects from Monitoring

You can also exclude the below from being recorded in the WordPress audit trial:

• Specific users or roles,
• Custom fields,
• IP addresses.

Beefing Up the WordPress Audit Trail

Keeping an audit trail of all the changes that happen is a WordPress security best practice but who has the time to check the log every few minutes? The good news is that you do not need to. WP Security Audit Log has a number of premium add-ons so you can:

• Configure email notifications so you are alerted instantly via email of important changes on your WordPress,
• Do free text based searches so you can find that specific change when troubleshooting an issue,
• Generate reports for managers, to monitor users’ productivity and for regulatory compliance reasons,
• See who is logged in and block multiple sessions from the same username.

 You can add all of the above functionality to get the best out of your WordPress audit trail solution by purchasing the All Add-Ons bundle. Prices start from as low as $89.

Wireless Network Auditing Tool - FruityWifi v2.4

FruityWifi is a wireless network auditing tool. The application can be installed in any Debian based system adding the extra packages. Tested in Debian, Kali Linux, Kali Linux ARM (Raspberry Pi), Raspbian (Raspberry Pi), Pwnpi (Raspberry Pi), Bugtraq.

v2.4

• Utils have been added (replaces "ifconfig -a")
• Kali Linux Rolling compatibility issue has been fixed

v2.3

• monitor mode (mon0) has been fixed (new airmon-ng compatibility issue)

v2.2

• Wireless service has been replaced by AP module
• Mobile support has been added
• Bootstrap support has been added
• Token auth has been added
• minor fix

v2.1

• Hostapd Mana support has been added
• Phishing service has been replaced by phishing module
• Karma service has been replaced by karma module
• Sudo has been implemented (replacement for danger)
• Logs path can be changed
• Squid dependencies have been removed from FruityWifi installer
• Phishing dependencies have been removed from FruityWifi installer
• New AP options available: hostapd, hostapd-mana, hostapd-karma, airmon-ng
• Domain name can be changed from config panel
• New install options have been added to install-FruityWifi.sh
• Install/Remove have been updated

v2.0 (alpha)

• Web-Interface has been changed (new look and feel, new options).
• Nginx has replaced Apache2 as default webserver.
• Installation script has been updated.
• Config panel has been changed.
• Network interfaces structure has been changed and renamed.
• It is possible to use FruityWifi combining multiple networks and setups.
• Supplicant mode has been added as a module.
• 3G/4G Broadband Mobile has been added as a module.
• FruityWifi HTTP webinterface on port 8000
• FruityWifi HTTPS webinterface on port 8443

v1.9

• Service Karma has been replaced by Karma module
• Service Supplicant has been replaced by nmcli module
• Config page has been updated
• Supplicant config has been changed (nmcli module is required)
• dnspoof host file has been removed from config page (dnsspoof module is required)
• Logs page has been updated
• WSDL has been updated
• Hostapd/Karma has been removed from installer (replaced by Karma module)
• NetworkManager has been removed from installer (replaced by nmcli module)
• install-modules.py has been added (install all modules from console)

v1.8

• WSDL has been added
• new status page has been added
• logs can follow in realtime using the new status page (wsdl)

v1.6

• Dependencies can be installed from module windows
• minor fix

v1.5

• New functions has been added
• Source code has been changed (open file function)
• minor fix

v1.4

• New functions has been added (monitor mode)
• config page has been changed
• minor fix

v1.3

• Directory structure has been changed
• minor fix

v1.2

• Installation script has been updated
• SSLstrip fork (@xtr4nge) has been added (Inject + Tamperer options)
• minor fix

v1.1

• External modules can be installed from modules page
• minor fix

v1.0

• init

Download FruityWifi