
HconSTF and some misconceptions around it

5/11/2015

Recently I was pointed to a blog post about HconSTF. Its main claim is that prebuilt browser-based frameworks are useless, and the arguments/reasons offered in support of that are the following.

From the blog post:
The major issues that faced Hcon STF are the following:

1. Is not frequently updated

The project has not been updated for years.
The latest version of Hcon STF was released in April 2013.
This is the main reason that it can be hacked as shown earlier.

2. Plugins are not its latest version
Since the project is not well updated, its plugins are also not in their latest version.

3. Project is full of unneeded additions
There are many additions that these projects provide which are not necessary at all and are not being used in real-life penetration tests.


Now let's talk about the real insights, shall we? Above all, first and foremost, it's NOT 'Hcon STF'; it is 'HconSTF'.

Let's start by understanding the concept behind HconSTF and why it exists.
The whole idea is the same as having a penetration-testing-oriented custom Linux distribution like Kali Linux: in short, a base OS, tools, a repository, theming, scripts, modifications and branding. Why? Because everything is readily available and prepared, so you don't have to do it yourself: a plethora of tools, and more focus on the penetration testing itself than on anything else. The same goes for HconSTF: a base browser, tools = extensions, repository = updates database, theming, scripts = Greasemonkey + iMacros + JS, modifications and branding.

Why? Everything is readily available and prepackaged: a plethora of tools, plus modifications for enhancement.
It's more than just a penetration testing browser or just a browser with some extensions added: it has a search aggregator, IDB (a plethora of attack payloads), custom enhancements for security-related tasks and much more.
HconSTF is far more feature-rich and powerful than other projects/products in the same category.

Now let's come to the points made by the blog post regarding HconSTF.

1. Is not frequently updated
Yes, I agree on that: the base browser is a bit old (Firefox 17). Some of the reasons are:

On my side:
It is a huge project to maintain when you see the amount of things HconSTF 0.5 provides out of the box.
There is progress on the new 0.6 XLR8, but it's slow as I am "the only one running the show".
On the Firefox side:
The new rapid-release development model of Firefox, which changes more of the core with each release.
The Australis user interface, which is very limited when it comes to customizations and the Firefox menu.

So what's the solution to speed up HconSTF releases? Contribute back to the project with ideas, testing and feedback, and suggest tools, scripts and more that you use which could be useful to the community.

2. Plugins are not its latest version
First, these are not plugins: plugins are external components from other applications installed on the system, such as Adobe Flash, Java, etc.
These are extensions/add-ons of the browser that add a functionality or feature.
We can categorize the add-ons available in HconSTF into 3 categories:
1. Maintained and available on the official add-ons site, addons.mozilla.org
2. Unmaintained and available on the official add-ons site, addons.mozilla.org
3. External, not available on the add-ons site and separately maintained by me
So to make this very clear: all the add-ons that are maintained and updated by their authors on addons.mozilla.org are updated automatically, so when a new update is available on the official site you get the same in HconSTF, just as you get tool updates on Kali Linux, because HconSTF uses the same add-on update repository as Firefox, addons.mozilla.org.
So the 1st and 2nd category add-ons are covered by the official Firefox add-ons site.
The 3rd category has only 2-3 add-ons which are not available on the official add-ons site, and these are updated with each new release of HconSTF.

So, contrary to what the blog says, the add-ons in HconSTF are always updated.
On a side note, this has already been covered in the HconSTF Help Manual, so what you really need to do is read and test before writing.

3. Project is full of unneeded additions
One should understand that HconSTF is not limited to web app pentesting or bug hunting; it's an all-in-one tool to aid in many phases of a penetration testing assignment, like web malware analysis, OSINT and more. So the idea is the same as Kali Linux: all the tools available on a single platform, and if you don't need a certain set of tools you can remove them from HconSTF very simply.
Just open the 'H menu' -> Settings -> Add-ons and remove the ones you don't need. As a project we will continue to add more add-ons/tools/scripts to make it more feature-rich, and the end user has full control over what he/she wants to remove from or add to HconSTF.
So it is totally WRONG to say that HconSTF is full of unneeded additions.

I am not against criticism, but criticism without testing HconSTF or having a clear idea of it is not acceptable at all.
Have questions? Comments? Write them in the comments below.

HconSTF Manual

19/4/2014

We conducted the feedback survey and the most requested feature was more documentation and help videos, so as a result we are publishing the HconSTF Manual, which is only compatible with HconSTF v0.5 codename 'Prime'. Download it and please give us feedback to improve it; contact us via our social media links, the support community forums or the contact form.

Get it from here :
1. Primary download location
2. Secondary download location

Announcements & Information for Projects & Initiatives

17/12/2013

It's been a while since we actually made any news public, but there are lots of things going on under Hcon. As we turned 3 (13 Oct 2010 - 2013) there are new projects, new initiatives and lots more.

Hcon Security Testing Framework (HconSTF) with Tor integration

18/4/2013

One of the long-awaited features: integrating Tor (onion routing) into HconSTF! This will bring solid anonymity to web app pentesting. The good news is that it is going to be public in a few days; we are currently testing it and making it more solid for anonymity. The bad news is that currently only the Windows version will be there; after its public release we will work on the Linux version. So far we are done with:
  • HconSTF fully integrated with Tor, so every child process will also use Tor by default
  • Total control over
    • user agent
    • Referrer
    • all types of cookies
    • HTTP header fields like X-Forwarded-For, Client-IP, Via
    so that you can spoof them or remove them, as you want.
  • unwanted things disabled, like tools and other components which were using a continuous internet connection: Java, Flash, Silverlight and other plugins
  • HconSTF is now in Ghajini mode: it forgets everything once you close it
We are still working our level best to bring this special edition, a rock-solid release.
Do let us know if you have any suggestions or ideas in the Community HERE

HconSTF v0.5 codename 'Prime' for Linux Release

10/4/2013

Linux lovers, finally it's here: a native binary for Linux operating systems.
It has the same features and awesomeness as the Windows binary, so yes, it is portable!
Tested on Kali, Backtrack, Backbox, Ronin and other major Linux distributions. Currently a binary for Linux x86 is available; we will soon make one for x64, so stay tuned for that. We have also added one more download mirror for the HconSTF download and will soon add that for the Linux version too.

Get the Linux version download: HERE
Test it on your favorite flavor of Linux and let us know your feedback.

HconSTF v0.5 codename 'Prime' Release

5/4/2013

We are very delighted to announce this: after around 14 months, HconSTF v0.5 codename 'Prime' is released and here.

Check out our founder Ashish Mistry's interview on EHN

16/8/2012

We are very delighted: our founder's interview is on EHackingNews.com; check it out HERE

Announcing Hzine - IT Security / Hacking Magazine

1/8/2012

We are very excited to announce another public project, Hzine - IT Security / Hacking Magazine.
Check the Hzine page for more details HERE

New tutorial series by Ahmed on cross-site scripting (xss)

31/5/2012

Cross-site scripting (XSS) is one of the high-risk attacks on the web, so here we have another author, 'Ahmed', with his excellent tutorial series on it. We very much hope that more security professionals will contribute to the Hcon Library and make it the best place to learn and share knowledge. Without any delay, have a look at the articles.

Leveraging OSINT in penetration Testing by Ashish Mistry

11/5/2012

Here are the slides of the talk by Ashish Mistry on 'Leveraging OSINT in pentest' at null Mumbai, with some links and resources; check it HERE

Copyright  © Hcon.in 2010-2014
