Dagah Software

Sign up below to download Dagah!

Sign up for a 30 Day Trial of the Dagah Professional Version

For more information on Shevirah’s testing solutions to mobility risks, please contact us using the form on this page. Shevirah is accepting pilot users for its Shevirah Professional mobile penetration testing software. Contact us to participate in these pilots.

    Your Name (required)

    Your Email (required)

    Your Message

    With Dagah, security analysts can design a campaign of penetration test attacks against targets, launch them, and review the results.  Attacks simulate phishing, harvesting, iOS profile, and malicious application exploitations.  Each attack can be delivered over Short Message Service (SMS), Quick Response (QR) Codes, Near-Field Communications (NFC), or messaging applications.

    In 2014, Georgia Weidman’s best selling Penetration Testing: A Hand-On Introduction to Hacking was released and included detailed instructions on using her DARPA-funded Smartphone Penetration Framework (SPF). The Dagah toolset commercializes and extends SPF to bring that functionality into the enterprise while continuing to provide free functionality with its Community Edition.

    Targets10 (1 per attack)per license, to unlimited
    SMS attacksyesyes
    NFC attacksyesyes
    QR Code attacksyesyes
    Messaging Apps attacksnoyes
    Basic phishingyesyes
    Harvester phishingyesyes
    Android Agent post exploitationnoyes
    iOS Agent post exploitationnoyes
    Multiple targets per attacknoyes
    Multiple attacks per campaignno yes

    Enterprise EditionRoadmap 2018

    API integration

    Continuous monitoring
    Commercial, Government, Educational or Non-Profit OrganizationsN / A
    Professional EditionFree
    30-day trial

    Paid -
    Fully featured testing
    Security Consultants

    Commercial, Government, Educational or Non-Profit Organizations

    Requires a trial or paid subscription key, otherwise reverts to Community functionality
    Community EditionFree

    Basic features

    Replaces SPF

    Security researchers

    No key required
    Smartphone Pentest FrameworkEnd of life 2015

    Replaced by Dagah Community Edition.
    Penetration Testing - A Hands-On Introduction to Hacking , 2014, First Edition bookN/A

    The software consists of four components:

    • An Android Application for the Penetration Tester that bridges the engine to the cellular network for sending SMS and broadcasting via NFC.  A Twilio account can be substituted for the Android Application for sending SMS messages.
    • Android and/or iOS Agents (simulated malicious applications) for targeted phones
    • Server-based engine: which can be interfaced via command line interface (CLI)
    • A web-based GUI: which can be interfaced via a browser

    A penetration tester designs CAMPAIGNs consisting of ATTACKs and runs them against TARGETs. Targets are phone numbers. Any number of attacks can be run within a campaign and a campaign can be run against a set of targets.

    Attacks are of a type:

    • Basic Phishing: Simulating phishing to draw mobile users into following a link
    • Harverster: Simulating a phishing attack to draw mobile users to a fake website to harvest their user credentials
    • Agent: Simulating a phishing attack to trick users into side loading a “malicious” application containing a backdoor remote agent
    • Client Side: Exploiting mobile devices with client-side vulnerabilities
    • Agent: Simulating a phishing attack to trick users into side loading a settings profile or trust chain to the iPhone.

    Each attack can be delivered via four methods:

    • SMS: Text messages
    • QR Codes: A graphic image that contains an encoded URI that can be printed and displayed
    • NFC: A broadcast message that can be received by nearby mobile devices taking them to a URI
    • Messaging Apps Text messages over messaging applications like Twitter or WhatsApp.
    • EXTERNAL: A message delivered outside of dagah such as via emails

    A campaign is designed, staged, and then run against groups of targets. The same campaign can be run against another group of targets later for A/B testing.  Results are reported per campaign.

    For all attacks using SMS or NFC methods, a “modem” is used to bridge to the mobile network. The DagahModemBridge application will need to be installed on a penetration tester’s mobile device and configured to connect to the engine. All SMS and NFC methods will appear to be coming from the phone number of the mobile device running the modem application.