Using nogotofail to test web application


khongt...@gmail.com

Jan 8, 2015, 4:10:37 AM
to nogot...@googlegroups.com
Hi all,

I'm investigating whether I can apply the nogotofail tool to test a web application. My diagram looks like the one below:

   My PC with browser i.e Firefox, Chrome  -----> Linux server with MiTM is starting-----> Web Application

I've already set up nogotofail and started the MiTM successfully on the Linux server with the command below:
$ python -m nogotofail.mitm -v -a --mode socks --port 8080 --serverssl server.crt

But I have no clue how to use a web browser to connect to the Web Application through the MiTM. Could you give me some instructions?



mk...@bu.edu

Feb 24, 2015, 1:08:17 PM
to nogot...@googlegroups.com
I think you can just use the proxychains command to check a web application by URL with the "self-signed" attack.

yzn...@gmail.com

Feb 25, 2015, 9:54:01 AM
to nogot...@googlegroups.com
That's a good question Khong... Are you trying to test through a browser on an Android device or on a Windows/Linux/Mac OS computer?
I have tried testing on a browser on my Android device and I used the Android nogotofail (ngtf) client as well as the ngtf server running on my Linux (proxy) device.

The design document is worth reading:
https://github.com/google/nogotofail/blob/dev/docs/design.md

It says the ngtf client application is optional, but the client does provide 2 way communication between the app you are testing (in your case the browser) and the ngtf server, and the messages recorded will report more information.

If you are running your browser on a Linux PC you could use the linux.pyblame client - but you can run the server without running the client if you want. If you are running the browser on Windows or Mac there isn't any client available (I'm assuming Linux.pyblame won't run on a Mac).

The getting started page has info on how to use the Linux ngtf client.
M

yzn...@gmail.com

Feb 25, 2015, 10:37:24 AM
to nogot...@googlegroups.com
Apologies Khong - I think I was wrong. If you are testing a Web app using a browser and the linux/android ngtf client, I believe ngtf will only test your browser (not the Web server).

To test a Web app (on the webserver) I believe you would have to run the nogotofail.mitm proxy service with proxychains/wget - as the other respondent suggested.

You could be able to use a browser to generate traffic to test your Web app though - I'm not sure how you would do it.

Khong Tuoc

Feb 26, 2015, 12:30:49 AM
to nogot...@googlegroups.com, yzn...@gmail.com
Hi yzn,

Thanks for your reply.

My focus is to scan for security vulnerabilities in my Web Application server. So I set up a Linux machine with an OpenVPN server and nogotofail.mitm installed, then redirected all traffic from my VPN client (a Windows PC in my case, and I didn't set up any ngtf client) through the OpenVPN server. It seems to work now. When I try to reach my web application from the VPN client via a web browser, I see the information log in the nogotofail.mitm console. But I'm really confused about how to combine/use many scan modes in nogotofail.mitm (using the -d -a options). Do you have any idea?

yzn...@gmail.com

Feb 26, 2015, 12:49:56 AM
to nogot...@googlegroups.com
Hi Khong - I found it easier to use a configuration file to specify the attacks to run. I started with the example.conf file in the GitHub project root directory, and used the -c option in the nogotofail.mitm command line (I left out the -D and -A).
In the conf file just uncomment the "attacks" and "data" options.
You probably already know, the nogotofail.mitm -h option shows you the full list of data and connection handlers.
I experimented with different combinations.
When I have time (prob next week unfortunately) I'll post some configuration file handler combinations that worked for me.

yzn...@gmail.com

Feb 26, 2015, 12:58:10 AM
to nogot...@googlegroups.com
Also, here is a post which talks about handler combinations for the invalid host name, selfsigned, and sslstrip attacks. https://groups.google.com/forum/m/#!topic/nogotofail/VDlDBySTgkQ

mk...@bu.edu

Mar 2, 2015, 2:30:42 PM
to nogot...@googlegroups.com
Hey Khong,
I'm struggling at this same step. I have an OpenVPN client running. I'm not sure how to route all client traffic through the VPN tunnel.
My goal is to test an Android app installed on my Android device using ngtf. Please provide me some detailed explanations.



yzn...@gmail.com

Mar 6, 2015, 10:59:06 AM
to nogot...@googlegroups.com
Khong - here is a copy of the ngtf configuration files I have been using. I have been running specific attacks against apps, rather than running all attacks. However there is nothing to stop you specifying all attacks in the configuration file. 
Here are 4 samples I used for ngtf v1.0.0. You should be able to comment out the "verbose=True" option for v1.1.0 as verbose mode is now default.

//----------------------------------------------
1. Run self-signed certificate and invalid hostname attacks.

[nogotofail.mitm]
verbose=True
port=8080

probability=0.25

attacks=selfsigned invalidhostname

serverssl=/nogotofail/server.crt

logfile=/var/log/nogotofail/ngtf-acah.log
eventlogfile=/var/log/nogotofail/ngtf-acah.event
trafficfile=/var/log/nogotofail/ngtf-acah.traffic

//-------------------------------------------------
2. Run heartbleed detection and anonymous server attacks.

[nogotofail.mitm]
verbose=True
port=8080

probability=0.3

attacks=clientheartbleed anonserver

data=httpdetection

serverssl=/nogotofail/server.crt

logfile=/var/log/nogotofail/ngtf-hrtanon.log
eventlogfile=/var/log/nogotofail/ngtf-hrtanon.event
trafficfile=/var/log/nogotofail/ngtf-hrtanon.traffic

//------------------------------------------------
3. Run sslstrip attack.

[nogotofail.mitm]
verbose=True
port=8080

probability=0.3

data=sslstrip httpdetection 

serverssl=/nogotofail/server.crt

logfile=/var/log/nogotofail/ngtf-sslstrip.log
eventlogfile=/var/log/nogotofail/ngtf-sslstrip.event
trafficfile=/var/log/nogotofail/ngtf-sslstrip.traffic

//------------------------------------------------
4. Run a number of different attacks at once.

[nogotofail.mitm]
verbose=True
port=8080

probability=0.25

attacks=invalidhostname selfsigned dropssl

data=sslstrip httpdetection weaktlsversiondetection insecurecipherdetection httpauthdetection customrequest blockhttp disablecdcpencryption rawlogger

serverssl=/nogotofail/server.crt

logfile=/var/log/nogotofail/ngtf-all-attacks.log
eventlogfile=/var/log/nogotofail/ngtf-all-attacks.event
trafficfile=/var/log/nogotofail/ngtf-all-attacks.traffic


Hope this helps.
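
A pre-flight check for configuration files shaped like the four samples above, added here as an example (it is not part of the thread and not nogotofail's own parser). It assumes the INI layout shown in the samples; the handler sets contain only the names that appear in this thread, so pass in the full lists printed by `nogotofail.mitm -h`, and the rule that the three log paths must differ is this example's assumption.

```python
import configparser

SECTION = "nogotofail.mitm"
# Handler names seen in this thread's sample configs only (not the full list).
THREAD_ATTACKS = {"selfsigned", "invalidhostname", "clientheartbleed",
                  "anonserver", "dropssl"}
THREAD_DATA = {"sslstrip", "httpdetection", "weaktlsversiondetection",
               "insecurecipherdetection", "httpauthdetection", "customrequest",
               "blockhttp", "disablecdcpencryption", "rawlogger"}

# Constructed sample with deliberate mistakes (not a config from the thread).
SAMPLE = """\
[nogotofail.mitm]
port=8080
probability=2.5
attacks=selfsigned invalidhostnme
data=sslstrip httpdetection sslstrip
logfile=/var/log/nogotofail/run.log
eventlogfile=/var/log/nogotofail/run.log
trafficfile=/var/log/nogotofail/run.traffic
"""


def lint(text, attacks=THREAD_ATTACKS, data=THREAD_DATA):
    """Return a list of problems found in a nogotofail.mitm-style config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section(SECTION):
        return ["missing [%s] section" % SECTION]
    opts, problems = cp[SECTION], []
    if "probability" in opts:
        try:
            ok = 0.0 <= float(opts["probability"]) <= 1.0
        except ValueError:
            ok = False
        if not ok:
            problems.append("probability must be a number in [0, 1]")
    for key, known in (("attacks", attacks), ("data", data)):
        names = opts.get(key, "").split()
        for name in names:
            if name not in known:
                problems.append("%s: unknown handler %r" % (key, name))
        for name in sorted({n for n in names if names.count(n) > 1}):
            problems.append("%s: handler %r listed twice" % (key, name))
    paths = [opts[k] for k in ("logfile", "eventlogfile", "trafficfile")
             if k in opts]
    if len(set(paths)) != len(paths):
        problems.append("log, event and traffic files must use distinct paths")
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```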