Getting secure with Mantra: An open source penetration testing kit

Mantra is an open source, Firefox-based security testing framework

Mantra is an open source, browser-based framework for penetration testing and security assessments. It's based on Mozilla's Firefox Web browser, so it's cross-platform, and it's part of the Open Web Application Security Project — OWASP. Techworld Australia recently caught up with project leader Abhi M. Balakrishnan to talk about Mantra and its goals.

Could you explain a little bit about what Mantra actually is and what its capabilities are?

Mantra can actually be described as an unofficial distribution of Firefox with some extensions bundled with it; mainly extensions that are designed for security assessments. Being based on a browser, Mantra enjoys a nice graphical user interface. It's also compact, portable and ready to run, and it works with Linux, Windows and Mac OS X. From a developer's point of view, it's an interesting platform since they can develop extensions for Mantra very easily thanks to Mozilla.

How did the project come about?

As information security enthusiasts, we always used to try new tools and techniques out of curiosity. We came across many Firefox extensions which were really impressive, but at the same time we felt that many of these extensions are going unnoticed since there is no ecosystem to support them. Seeing the significance of such an ecosystem, we started this project.

The intention behind developing Mantra was to establish an ecosystem that provides security professionals a platform for manual security assessments. Even though it has miles to go before reaching that level, we feel it satisfies the needs of a security toolkit.

What's the target audience for Mantra? Is it mainly useful for security pros or IT students?

We hope Mantra will be helpful to both students and information security professionals, though our target audience isn't limited to that. Our target audience also includes developers, since they can enjoy an ecosystem that lets them showcase their skills. Those who are already developers of security-focused extensions can enjoy a new audience, and those who aren't can see it as an emerging platform where they can put their effort. If a good user base exists within such a system, more and more feature requests will come in, and that can be encouraging for developers.

What do you have planned for the future of Mantra? Is it as feature-complete as you would like, or do you have plans to add to it?

We believe that development is a continuous process of changes and there is always room for improvement. Initially we thought about spending a good amount of time on development and releasing a framework straight out of the box. But it would be like a shot in the dark. So we started with a toolkit and are slowly moving towards a framework. It also helps us to analyse what the user demands are and work on that basis. We have miles to go — lots of things to do!

Is there a broad development community around the project? Are new developers encouraged to get involved?

Of course, yes — hundreds of active developers and thousands of potential testers. You heard it right. We think each extension developer is part of our development community and each user is a potential tester. We are all in the same boat. We are just a link in this long chain and we do really enjoy being able to contribute to this system. There were lots of experiments going on from Mozilla’s side to make extension development easier and more user-friendly. We hope this can motivate and attract more developers.

Do you have any idea of how widespread usage of Mantra is? Is it used in any education institutions, for example?

Thousands of individual downloads from our repositories, and the statistics are always growing. Recently some major security distributions showed their interest in Mantra. Offensive Security has already included Mantra in BackTrack 5. A popular German IT magazine has recently supplied software DVDs that include Mantra. We don't know whether any institutions are using it or not. But we feel that Mantra can be helpful for students because of its shallow learning curve. Having said that, we don't think Mantra is a one-stop solution for all security assessment related tasks and it never will be. It happily joins the broader security community.

On a more general security related note: Have you been surprised by some of the recent, high-profile security breaches (for example Sony's PSN)?

It was unfortunate to see some of the latest security breach incidents. But at the same time, they can prove a lot. Attackers and security professionals are always in competition. Security professionals need to improve along with attackers to prevent security breaches. It's almost like a win-win situation and it always will be. The chance of security breaches increases when attackers escalate in this competition.

A lot of the recent breaches seem to be based on fairly simple exploits (SQL injection, for example). Do you think tools like Mantra actually make these kinds of attacks more likely? Or do you think they're more likely to encourage organisations to take security more seriously, by testing their sites for vulnerabilities, for example?

We always used to say that each coin has two sides. Like other security assessment tools out there, Mantra can also be used for both offensive and defensive security tasks. The potential of any tool or technique is limited only by the imagination of the user. At the same time, a tool is never an ultimate solution. There are limitations to what a tool can do, even though it can help users do the task more easily.

Are there any fundamental flaws with how organisations, or the IT community as a whole, are approaching IT security at the moment? And do you see any new security risks on the horizon that people should be particularly alert to? For example, the increasing use of smartphones, Cloud computing adoption and so on.

The diversity and frequency of attacks are increasing day by day. Organisations should see information assurance as an ongoing, proactive plan that integrates a set of defence mechanisms that will protect them from as many types of potential attacks as possible.

It's true that there are no systems out there that are completely secure. But it does not mean that you shouldn't close the doors of your house when going out! Instead we should employ mechanisms that can make the attacker's task tougher. Organisations need to understand how these types of attacks can occur and the scale of impact they can have on business.

Smartphones and Cloud computing are both growing platforms and they are imperfect like anything else. Better security mechanisms have to be introduced and are essential in both areas. Considering the amount of personal and confidential information that Cloud and smartphones handle, improved security is a necessity.

Follow Rohan Pearce on Twitter: @rohan_p

Follow Techworld Australia on Twitter: @techworld_au
