Dagah Software
Sign up below to download Dagah!
Sign up for a 30 Day Trial of the Dagah Professional Version
For more information on Shevirah’s testing solutions to mobility risks, please contact us using the form on this page. Shevirah is accepting pilot users for its Shevirah Professional mobile penetration testing software. Contact us to participate in these pilots.
With Dagah, security analysts can design a campaign of penetration test attacks against targets, launch them, and review the results. Attacks simulate phishing, harvesting, iOS profile, and malicious application exploitations. Each attack can be delivered over Short Message Service (SMS), Quick Response (QR) Codes, Near-Field Communications (NFC), or messaging applications.
In 2014, Georgia Weidman’s best selling Penetration Testing: A Hand-On Introduction to Hacking was released and included detailed instructions on using her DARPA-funded Smartphone Penetration Framework (SPF). The Dagah toolset commercializes and extends SPF to bring that functionality into the enterprise while continuing to provide free functionality with its Community Edition.
| Features | Community | Professional |
|---|---|---|
| Targets | 10 (1 per attack) | per license, to unlimited |
| SMS attacks | yes | yes |
| NFC attacks | yes | yes |
| QR Code attacks | yes | yes |
| Messaging Apps attacks | no | yes |
| Basic phishing | yes | yes |
| Harvester phishing | yes | yes |
| Android Agent post exploitation | no | yes |
| iOS Agent post exploitation | no | yes |
| Multiple targets per attack | no | yes |
| Multiple attacks per campaign | no | yes |
| Support | no | yes |
| Name | Availability | Audience | Location |
|---|---|---|---|
| Enterprise Edition | Roadmap 2018 API integration Continuous monitoring | Commercial, Government, Educational or Non-Profit Organizations | N / A |
| Professional Edition | Free 30-day trial Paid - Fully featured testing | Security Consultants Commercial, Government, Educational or Non-Profit Organizations | shevirah.com/downloads/ Requires a trial or paid subscription key, otherwise reverts to Community functionality |
| Community Edition | Free Basic features Replaces SPF | Students Security researchers | shevirah.com/downloads/ No key required |
| Smartphone Pentest Framework | End of life 2015 Replaced by Dagah Community Edition. | Penetration Testing - A Hands-On Introduction to Hacking , 2014, First Edition book | N/A |
The software consists of four components:
- An Android Application for the Penetration Tester that bridges the engine to the cellular network for sending SMS and broadcasting via NFC. A Twilio account can be substituted for the Android Application for sending SMS messages.
- Android and/or iOS Agents (simulated malicious applications) for targeted phones
- Server-based engine: which can be interfaced via command line interface (CLI)
- A web-based GUI: which can be interfaced via a browser
A penetration tester designs CAMPAIGNs consisting of ATTACKs and runs them against TARGETs. Targets are phone numbers. Any number of attacks can be run within a campaign and a campaign can be run against a set of targets.
Attacks are of a type:
- Basic Phishing: Simulating phishing to draw mobile users into following a link
- Harverster: Simulating a phishing attack to draw mobile users to a fake website to harvest their user credentials
- Agent: Simulating a phishing attack to trick users into side loading a “malicious” application containing a backdoor remote agent
- Client Side: Exploiting mobile devices with client-side vulnerabilities
- Agent: Simulating a phishing attack to trick users into side loading a settings profile or trust chain to the iPhone.
Each attack can be delivered via four methods:
- SMS: Text messages
- QR Codes: A graphic image that contains an encoded URI that can be printed and displayed
- NFC: A broadcast message that can be received by nearby mobile devices taking them to a URI
- Messaging Apps Text messages over messaging applications like Twitter or WhatsApp.
- EXTERNAL: A message delivered outside of dagah such as via emails
A campaign is designed, staged, and then run against groups of targets. The same campaign can be run against another group of targets later for A/B testing. Results are reported per campaign.
For all attacks using SMS or NFC methods, a “modem” is used to bridge to the mobile network. The DagahModemBridge application will need to be installed on a penetration tester’s mobile device and configured to connect to the engine. All SMS and NFC methods will appear to be coming from the phone number of the mobile device running the modem application.