Title: [Article]-Video: An Insiderís Look at the Smartphone Pentest Framework
Post by: don on September 25, 2012, 11:26:14 AM
As promised, we're heading in the direction of being more technical in Georgia's column. The first one was needed to give readers a good overview. This article is meant to give you a solid foundation from which to start mobile hacking. And next month, Georgia goes a little deeper into SPF. After we have a firm grasp of how to use SPF for pen testing, then the following months will start to get even more technical. Should be fun!!
Be sure to check out her free webcast (http://www.trainingcamp.com/global/webinar/?w=5) and lowcost online training!! (http://www.trainingcamp.com/global/itandmanagement/security/mobilesec2.aspx) ;)
Permanent link: [Article]-Video: An Insiderís Look at the Smartphone Pentest Framework (http://www.ethicalhacker.net/content/view/445/24/)
By Georgia Weidman (http://www.ethicalhacker.net/content/category/7/46/24/), M.S., CISSP, NIST 4011, OSCP
In, Mobile Hacking 101 (http://www.ethicalhacker.net/content/view/438/24/), the first article in my new column on The Ethical Hacker Network, I felt it was appropriate to start from the beginning. Offer up a primer if you will to give the readers a brief synopsis of where weíve been and where weíre heading in regards to smartphones, their security and their determined march into the enterprise. Now that the basics have been covered, itís now time to start digging deeper into the technical aspects of smartphone security. The logical next step is to set the foundation of a mobile penetration testing lab and eventually enter the live testing phase. Thatís where the Smartphone Pentest Framework (SPF) (http://www.bulbsecurity.com/smartphone-pentest-framework/download/) enters the picture. Being the developer of this project, I thought it might be interesting to give you a personal tour.
Often when I try to tell people about SPF, they naturally jump to the conclusion that this is a tool to let you run Nmap or Metasploit on a smartphone. While that is certainly cool, it's been done before. SPF takes the opposite angle. Instead of pentesting from a smartphone (though some attacks in SPF can be launched from an on-device app), our goal is to instead perform a pentest of the mobile devices themselves. As mobile devices are joining more corporate networks every single day, do organizations have a security standard in place? If so, is it being properly enforced? Even if it is, do the smartphones in the environment open you up to total compromise as they access internal networks with direct access to sensitive resources, receive and store sensitive emails, and a wide variety of other security red flags? For this reason, all mobile devices should be in your organizationsí penetration testing activities. Like Metasploit for network pen testing, SPF is a tool to help make it easier to pen test those pesky mobile devices.
As always, let us know what you think of these articles and if there's something specific you'd like Georgia to cover,
Title: Re: [Article]-Video: An Insiderís Look at the Smartphone Pentest Framework
Post by: hayabusa on September 25, 2012, 11:32:30 AM
Thanks, Georgia. Looking forward to more of the same, and seeing what's next.