Jan 30 2024

Faction: Open-source pentesting report generation and collaboration framework

Category: Pen Testdisc7 @ 8:49 am

Josh Summitt, the creator of Faction, has always disliked the process of writing reports, preferring to focus on uncovering bugs. A key frustration for him was the redundant step of using a separate note-taking app for storing screenshots and findings before compiling the final report.

He envisioned an integrated solution where the report generation tool would serve as the note-taking platform, incorporating all the standard templates typically used in reports. He hopes Faction will help others save time, reduce stress, and improve their information security workflow.

“I built Faction to be extendable in ways like you would extend BurpSuite. It’s designed to be flexible and extended to fit seamlessly in any environment. It is easy for internal teams to build and support their small modules versus a large code base. In addition, I hope the project will get a growing list of prebuilt modules developed by the community to expand capabilities without requiring internal development,” Summitt told Help Net Security.

Faction features

With Faction, you can:

  • Streamline penetration testing and security assessment reporting through automation.
  • Facilitate peer review and monitor modifications in reports.
  • Design docx templates for various assessments and follow-up retests.
  • Collaborate in real-time with assessors using the web application and extensions for Burp Suite.
  • Utilize adaptable vulnerability templates featuring 75 pre-filled options.
  • Oversee assessment teams and monitor organizational progress.
  • Monitor the remediation of vulnerabilities with tailored SLA warnings and notifications.
  • Leverage a comprehensive Rest API for seamless integration with other tools.

Other features:

  • LDAP, OAuth 2.0 and SMTP Integration.
  • Extendable with Custom Plugins similar to Burp Extender.
  • Custom Report Variables.

Future plans

The developer is currently working on enhancing the extendability of Faction by introducing a full app store, reminiscent of those found in platforms like Slack and Burp. This expansion will allow for the inclusion of additional features such as custom UI elements.

“Faction has had a strong focus on penetration testing from an application security mindset. I want to expand that to be more Red and Blue Team inclusive. Not that it won’t work for these teams out of the box but it could be more flexible,” Summitt added.

Faction is available for free on GitHub.

More open-source tools to consider:

Burp Suite Cookbook: Web application security made easy with Burp Suite

To explore Pen Testing

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Pen testing, Pen testing report

Feb 06 2023

75 Best Android Penetration Testing Tools – 2023

Category: Pen Test,Security ToolsDISC @ 10:56 am

Android penetration testing tools are more often used by security industries to test the vulnerabilities in Android applications.

Here you can find the Comprehensive mobile penetration testing tools and resource list that covers Performing Penetration testing Operations in Android Mobiles.

Android is the biggest organized base of any mobile platform and developing fast—every day. Besides, Android is rising as the most extended operating system in this viewpoint because of different reasons.

Android Security Penetration Testing Tools

Online Analyzers

Following are the online analyzers used to pentest the android applications.

ApprayDynamic Analysis Tools for Android and iOS Applications
NowsecureComplete Mobile Security Testing tool for Android & iOS Tools
AppKnoxEfficient Security Testing Tools for Mobile Apps

Static Analysis Tools

AndrowarnDetects and warn the user about potential malicious behaviors developed by an Android application
ApkAnalyserVirtual Analysis Tools for Android Applications
APKInspectorGUI-based Security Analysis
DroidLegacyPentesting Kit
FlowDroidStatic Analysis Tool
Android DecompilerProfessional Reverse Engineering Toolkit
PSCoutA tool that extracts the permission specification from the Android OS source code using static analysis
Amandroidstatic analysis framework
SmaliSCASmali Static Code Analysis
CFGScanDroidScans and compares CFG against CFG of malicious applications
Madrolyzerextracts actionable data like C&C, phone number etc.
SPARTAverifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
ConDroidPerforms a combination of symbolic + concrete execution of the app
DroidRAVirtual Analysis
RiskInDroidA tool for calculating the risk of Android apps based on their permissions, with an online demo available.
SUPERSecure, Unified, Powerful, and Extensible Rust Android Analyzer
ClassySharkStandalone binary inspection tool which can browse any Android executable and show important info.

Mobile App Vulnerability Scanner Tools

QARKQARK by LinkedIn is for app developers to scan app for security issues
AndroBugsAndroid vulnerability analysis system
NogotofailNetwork security testing tool
DevknoxAutocorrect Android Security issues as if it was spell check from your IDE
JAADASJoint intraprocedural and inter-procedure program analysis tool to find vulnerabilities in Android apps, built on Soot and Scala

Dynamic Analysis Tools

Androl4bA Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
Android Malware Analysis Toolkit(Linux distro) Earlier it use to be an online analyzer
Mobile-Security-Framework MobSFMobile Security Framework is an intelligent, all-in-one open-source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis, and web API testing.
AppUsecustom build for pentesting
Cobradroidcustom image for malware analysis
Xposedequivalent of doing Stub based code injection but without any modifications to the binary
InspeckageAndroid Package Inspector – dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)
Android HookerDynamic Java code instrumentation (requires the Substrate Framework)
ProbeDroid Dynamic Java code instrumentation
Android Tamer Virtual / Live Platform for Android Security Professionals
DECAF Dynamic Executable Code Analysis Framework based on QEMU (DroidScope is now an extension to DECAF)
CuckooDroid Android extension for Cuckoo sandbox
Mem Memory analysis of Android Security (root required)
AuditdAndroid Android port of auditd, not under active development anymore
AurasiumPractical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
Appie Appie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on USB stick or smartphone.This is a one-stop answer for all the tools needed in Android Application Security Assessment and an awesome alternative to existing virtual machines.
StaDynA A system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.
Vezir Project Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis
MARA Mobile Application Reverse engineering and Analysis Framework
Taintdroid Requires AOSP compilation

Reverse Engineering

Smali/Baksmali apk decompilation
Androguard powerful, integrates well with other tools
Apktool really useful for compilation/decompilation (uses smali)
Android OpenDebugmake any application on device debuggable (using cydia substrate)
Dare .dex to .class converter
Dex2Jar dex to jar converter
Enjarify dex to jar converter from Google
Frida Inject javascript to explore applications and a GUI tool for it
Indroidthread injection kit
Jad Java decompiler
JD-GUIJava decompiler
CFRJava decompiler
KrakatauJava decompiler
ProcyonJava decompiler
FernFlowerJava decompiler
Redexerapk manipulation

Fuzz Testing

Radamsa Fuzzer
An Android port of the melkor ELF fuzzer
Media Fuzzing Framework for Android

App Repackaging Detectors

FSquaDRAAndroid Security tool for detection of repackaged Android applications based on app resources hash comparison.

Market Crawlers

Google play crawler (Java) searching android applications on GooglePlay,
Google play crawler (Python) browse and download Android apps from Google Play
Google play crawler (Node) get app details and download apps from official Google Play Store
Aptoide downloader (Node) download apps from Aptoide third-party Android market
Appland downloader (Node)download apps from Appland third-party Android market

Misc Tools

AXMLPrinter2to convert binary XML files to human-readable XML files
adb autocompleteRepo Downloader
Dalvik opcodesRegistry
Opcodes table for quick referenceRegistry
ExploitMe Android Labsfor practice
GoatDroid for practice
mitmproxyintercepting proxy 
dockerfile/androguardshell environment
Android Vulnerability Test Suite android-vts scans a device for set of vulnerabilities
AppMonAppMon is an automated framework for monitoring and tampering system API calls of native macOS, iOS and android apps. It is based on Frida.

ANDROID SECURITY BOOK: 10 Simple Ways Billionaires Secure Their Android Devices

Checkout our previous posts on “Security Tools”

Computer Forensics

Building a Cybersecurity Toolkit

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Android Penetration Testing Tools, Android security, Pen testing, Security professionals

Feb 07 2022

Hackers breached a server of National Games of China days before the event

Category: Security BreachDISC @ 10:25 am

Researchers at cybersecurity firm Avast discovered that a Chinese-language-speaking threat actor has compromised systems at National Games of China in 2021. The event took place on September 15, 2021 in Shaanxi (China), it is a national version of the Olympics with only local athletes.

The attackers breached a web server on September 3rd and deployed multiple reverse web shells to establish a permanent foothold in the target network.

Experts noticed that the threat actors started a reconnaissance phase in August, they have done some tests to determine which type of file was possible to upload to the server. In order to perform the tests, attackers seem to have exploited a vulnerability in the webserver.

The attackers tried submitting files with different file-types and also file extensions, such as a legitimate image with different file extensions: ico, lua, js, luac, txt, html and rar.

“After gaining knowledge on blocked and allowed file types, they tried to submit executable code. Of course, they started submitting PoCs instead of directly executing a webshell because submitting PoCs is more stealthy and also allows one to gain knowledge on what the malicious code is allowed to do.” reported Avast. “For instance, one of the files uploaded was this Lua script camouflaged as an image (20210903-160250-168571-ab1c20.jpg)”

The attackers reconfigured the web server by uploading a configuration file, camouflaged as a PNG file, that allowed the execution of lua scripts. Experts found evidence that the server was configured to execute new threads in a thread pool which didn’t work for Rebeyond Behinder webshell. Then, as a final payload, the attackers uploaded and ran an entire Tomcat server properly configured and weaponized with Rebeyond Behinder.

After gaining access to the server, the attackers tried to perform lateral movements by brute-forcing services and using exploits in an automated way. Attackers were able to upload some tools (dnscrypt-proxyfscanmssql-command-toolbehinder) to the server and execute a network scanner (fscan) and a custom one-click exploitation framework written in Go and distributed as a single binary.

“The procedure followed by the attackers hacking the 14th National Games of China is not new at all. They gained access to the system by exploiting a vulnerability in the web server. This shows the need for updating software, configuring it properly and also being aware of possible new vulnerabilities in applications by using vulnerability scanners.” concludes the report. “The most fundamental security countermeasure for defenders consists in keeping the infrastructure up-to-date in terms of patching. Especially for the Internet facing infrastructure.”

Avast reported that the security breach appears to have been resolved before the beginning of the games, however, the experts were not able to determine the type of information exfiltrated by the threat actor.

Penetration Testing – Post Exploitation

Tags: Big Breaches, Hackers breached, National Games of China, Pen testing

Dec 26 2021

Penetration Testing Tools for Blue Team

Category: Pen TestDISC @ 10:26 am

Ethical hacking and lock picking

Pen Testing Titles

Tags: Pen testing, Penetration test