Assess web interfaces
Assessing web interfaces with Kraken is a fairly intuitive process. The 'Web Interfaces' page is where the assessing takes place. Pages list 20 hosts by default; that number can be changed by clicking 'Advanced Search' on the right side of the navigation bar. Each host field contains a screenshot of every web interface hosted on that host, along with some metadata and a link to open the interface in a new tab.
Clicking a thumbnail opens the screenshot in a popup. The popup contains more information on the interface and provides the ability to take notes. Notes are stored in the database and can be viewed on the 'Reports' page. Clicking 'Open' or 'KrakenView' in the popup, or clicking the 'open' link on the host field, will open the interface in a new tab and mark the host as 'Reviewed'.
Reviewed hosts can be hidden using the 'Hide Reviewed' checkbox in Advanced Search. This is useful when picking up where you left off the day before, or when one or more people are reviewing interfaces and want to avoid double work. The last thing of note here is the target icon next to 'Default Credentials'. This appears if there is a module for automatically testing default credentials for that type of interface. Kraken uses a list of signatures to identify hosts during the screenshot-taking process. Identified hosts will have a more specific 'Product', and will have this default credential checking functionality if a module has been developed. These credential checking modules are going to be the primary focus of development moving forward. When run from the popup, you will get immediate feedback on whether the check is successful or not. If successful, the 'Default Credentials' checkbox will be checked, and the credentials used will be added as a note.
KrakenView is an interesting experimental feature for assessing web interfaces. It opens the interface in a new tab using an iframe. This allows for a navbar at the top of the screen for note taking. This works the same way as the interface popup. An external link is provided, along with any known default credentials to try if the interface was identified during the screenshot taking process. There are some limitations to KrakenView:
- Self-signed certificates cannot be accepted through a frame
- Interfaces that use anti-clickjacking Content-Security-Policy (frame-ancestors) or X-Frame-Options headers will not load in the frame.
Despite its limitations, KrakenView is fundamental to my current workflow, which also happens to be the workflow Kraken was designed for. Now that you are familiar with the key features above, I will walk through the workflow that I use during penetration tests, assuming hosts have already been added and screenshots have been taken.
Run credential checking modules on any hosts that have them. Doing this first is much faster than running them one at a time later in the assessment process. To do this, go to the 'Optional Actions' section of the Setup page and click 'Test Credentials'. Any host with a module defined will be tested. Notes will be added to any hosts found to have default credentials configured. They will also be marked as having 'Default Credentials' for reporting purposes.
The next step is the beginning of a loop that I go through while reviewing interfaces. First, build a large 'queue' of interesting hosts as new tabs in your browser. I do this by scrolling through the screenshot popup with the left and right arrow keys and alt+clicking/command+clicking 'KrakenView' on all of the interfaces that interest me. Each host that is clicked is automatically marked as reviewed so others will not review the same interfaces you are.
The second step here is slightly convoluted due to security controls in modern browsers when it comes to iframes. Fundamentally, you simply go through each interface, tab by tab, until you are back to just the Kraken interface. Each KrakenView tab will have a toolbar at the top. Here you can assess unencrypted web interfaces and take notes as needed. If the interface was identified by Kraken, possible default credentials will be displayed.
In the case of self-signed certificates or anti-clickjacking headers, you will not be able to assess the interface through the iframe. This adds a couple of steps to assessing the interface. First, click the external link on the left side of the Kraken toolbar to load the interface on its own. Perform your assessment. If notes are needed, use the browser's back button to go back and enter notes into the toolbar before closing the tab.
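The header limitation above can be predicted from a host's response headers before you open it in KrakenView. The following is an added example, not part of Kraken, that applies the two browser rules involved (a CSP `frame-ancestors` directive, which takes precedence when present, and otherwise `X-Frame-Options`) to constructed header sets; the Kraken origin `http://kraken.local:5000` is an assumed value, and the self-signed certificate limitation is out of scope since it is not visible in headers.

```python
"""Decide whether a web interface would load inside KrakenView's iframe.

Added example, not Kraken's own code. Simplified frame-ancestors matching:
'none', 'self', '*', scheme-sources (https:), and host-sources with an
optional scheme, leading *. wildcard and port.
"""
from urllib.parse import urlsplit


def _origin(url):
    """Normalise a URL or origin to scheme://host:port with an explicit port."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme, 0)
    return f"{p.scheme}://{p.hostname}:{port}".lower()


def _source_matches(source, frame_origin, page_origin):
    """Match one frame-ancestors source expression against the framing origin."""
    s = source.strip("'").lower()
    if s == "none":
        return False
    if s == "self":
        return frame_origin == page_origin
    if s == "*":
        return True
    fscheme, _, fhostport = frame_origin.partition("://")
    if s.endswith(":") and "/" not in s:        # scheme-source, e.g. https:
        return fscheme == s[:-1]
    scheme, sep, hostport = s.rpartition("://")
    if sep and scheme != fscheme:
        return False
    host, _, port = hostport.partition(":")
    fhost, _, fport = fhostport.partition(":")
    if port and port != "*" and port != fport:  # omitted port: not checked here
        return False
    if host.startswith("*."):
        return fhost.endswith(host[1:])
    return host == fhost


def framable(headers, page_url, frame_origin):
    """True if a page at frame_origin may embed page_url in an iframe."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, frame_origin = _origin(page_url), _origin(frame_origin)
    # CSP3: when frame-ancestors is present, X-Frame-Options is ignored.
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_matches(s, frame_origin, page_origin) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return frame_origin == page_origin
    return True  # header absent or unrecognised: browsers apply no restriction
```

A host that returns False here is one to open via the external link on the toolbar rather than in the frame.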