Together with Pown.js we are very excited to announce a new pown feature, which allows you to use the tools from the online suite directly from the pown command line.
Introduction
Most security tools are stuck with rudimentary command-line interfaces. While undoubtfully useful and elegant, there are times when you need better tools to explore output interactively in a rich desktop environment.
Pown Apps is a paradigm shift in how we deploy, execute and interact with rich applications from the pown framework. In the context of SecApps this simply means that now you can bring the online applications into your desktop and script them from the command line. This results in a very powerful security testing environment with unmatched potential for extensibility that has never been done before.
This feature not only enables better interactivity but also improves performance especially while doing security research and penetration testing. Furthermore, as a tool creator you can concentrate on delivering the core functionality while leaving the interoperability to us.
To explore some of the use cases of this technology, I would like to show a few basic examples, small enough to fit perfectly in this blog post. At the end of the post, I will also provide some ideas how to extend these concepts further to build your own tools and features.
Interactive Network Mapper
One of the traditional ways to explore nodes in a computer network is by looking at a 2-dimensional table such as the ones produced by tools like tcpdump and wireshark. But what if we can graph the output of these tools such as that not only we learn the communication between the different nodes in the network but perhaps add a lot more context information that we can interact with and explore further with other readily available tools?
For this purpose, we will use Recon and its powerful graphing capabilities. To launch Recon from the command line via the pown apps, we use the following command:
$ pown apps recon
This will launch Recon as a desktop application. You can use it the same way you usually do. But we can also feed it with information from the standard input. For example, in order to create a node in Recon we can use the following:
$ echo '{"id":"1", "label": "Hello world!"}' | pown apps recon
That was simple enough. Notice, that we have effectively piped a JSON object into Recon which subsequently was rendered on the screen and can be run through a bunch of readily available transforms.
Now that we know how to generate nodes, let's make a tool which maps the local network through passive sniffing. For this purpose, we will use ws-pcap2 library in node.
const pcap = require('ws-pcap2')
const map = {}
const session = new pcap.Session(process.argv[2])
session.on('packet', (packet) => {
try {
packet = pcap.decode.packet(packet)
} catch (e) {
return
}
if (!packet.payload || !packet.payload.payload) {
return
}
packet = packet.payload.payload
if (packet.constructor.name === 'IPv4') {
const saddr = packet.saddr.toString()
const daddr = packet.daddr.toString()
if (!map.hasOwnProperty(saddr)) {
map[saddr] = true
console.log(
JSON.stringify({
id: saddr,
label: saddr,
image: 'FaServer',
type: 'ipv4',
props: { ipv4: saddr },
})
)
}
if (!map.hasOwnProperty(daddr)) {
map[daddr] = true
console.log(
JSON.stringify({
id: daddr,
label: daddr,
image: 'FaServer',
type: 'ipv4',
props: { ipv4: daddr },
})
)
}
const link = `${saddr}:${daddr}`
if (!map.hasOwnProperty(link)) {
map[link] = true
console.log(
JSON.stringify({ id: link, type: 'edge', source: saddr, target: daddr })
)
}
}
})
This script simply outputs JSON messages. There is nothing more. What makes it useful is that we can now output it straight into Recon. Let's do that.
$ sudo node t.js | pown apps recon
As you can seen now we have a render. However, we can do slightly better if we save the output to a file and then continuously stream it into Recon. This can be achieved with the following two commands.
$ sudo node t.js > out
...and
$ tail -f out | pown apps recon
Just like that we have a simple but nice looking tool with the ability to interact with graphs using graph theory. Recon also comes with several transforms which can be directly applied to the nodes in the graph to explore the output further, discovering the mysteries of the target network.
Extensive WiFi Monitor
If you are a really good hacker with big capacity to remember a lot of unstructured data, you can build a mental picture of all devices and probe requests sent on the WiFi spectrum. If you are like me, you get lost. The output of aircrack can be very verbose sometimes. Let's make a simple command line tool that sniffs the EEE 802.11 frames and maps out the probes into Recon.
const pcap = require('ws-pcap2')
const map = {}
const session = new pcap.Session(process.argv[2], { isMonitor: true })
session.on('packet', (packet) => {
try {
packet = pcap.decode.packet(packet)
} catch (e) {
return
}
if (!packet.payload) {
return
}
packet = packet.payload
if (packet.constructor.name === 'RadioPacket') {
if (packet.ieee802_11Frame.beacon) {
if (
packet.ieee802_11Frame.beacon.tags &&
packet.ieee802_11Frame.beacon.tags[0] &&
packet.ieee802_11Frame.beacon.tags[0].ssid
) {
const shost = packet.ieee802_11Frame.shost.toString()
const dhost = packet.ieee802_11Frame.dhost.toString()
const ssid = packet.ieee802_11Frame.beacon.tags[0].ssid
if (!map.hasOwnProperty(shost)) {
map[shost] = true
console.log(JSON.stringify({ id: shost, label: shost }))
}
if (!map.hasOwnProperty(dhost)) {
map[dhost] = true
console.log(JSON.stringify({ id: dhost, label: dhost }))
}
if (!map.hasOwnProperty(ssid)) {
map[ssid] = true
console.log(JSON.stringify({ id: ssid, label: ssid }))
}
const link1 = `${shost}:${ssid}`
if (!map.hasOwnProperty(link1)) {
map[link1] = true
console.log(
JSON.stringify({
id: link1,
type: 'edge',
source: shost,
target: ssid,
})
)
}
const link2 = `${dhost}:${ssid}`
if (!map.hasOwnProperty(link2)) {
map[link2] = true
console.log(
JSON.stringify({
id: link2,
type: 'edge',
source: dhost,
target: ssid,
})
)
}
}
}
}
})
Job well done! This script is fairly simple. Like the previous script, we simply extract the information that we need and print some JSON. Now let's hook it to Recon and see what happens.
$ sudo node t2.js | pown apps recon
Beautiful! You did not know it was that easy!
Going Further
In the last two examples, we saw that feeding information in Recon is straightforward with the help of Pown Apps. This is just barely scratching the surface because the reality of the matter is that we brought all tools from the online suite into Pown, which is very interesting and particularly useful in countless of situations.
For example, you can perform web application security scans with the Scanner. You can manipulate requests with Rest. You can even use our powerful Fuzzer. All of these tools are built to behave like desktop tools and take the full advantage of the pown framework. You can use them online or you can use them from the command-line to make powerful mashups with almost no effort. This is what I personally call extensibility - not discrete plugins that work in a particular obscured way - but a true UNIX-like environment.
You can mashup. You can pipe! You can filter the output and you bridge the command-line and the rich desktop applications easily, in whichever way you want. Best of all, you can contribute your own tools to be integrated into pown. Simply fork the project and make a pull request.
Here are a few ideas how to use pown apps in your own research and projects:
- Build interactive network map in Recon by processing PCAP files or a live sniff
- Use HTTPView to Preview and interact with any stream of HTTP traffic (captured live or from file) - automatic vulnerability detection is also possible
- Send HTTP requests from command line apps to Rest to interact and rebuild dynamically using powerful UI controls
- Alternative to Wireshark using SecApps Packets app.
- Reverse-engineer binary files using BinView
- Automatic screenshots for web applications, VNC, RDP and other types of interactive sessions.
These are just a few of the use-cases Pown Apps make possible and we will be delivering a tone more features in the upcoming weeks. It is time for a change.