TAG | MitM
Hi again and a happy new year 2013!
Lets continue were I left you the last time.
The CTL is basically a binary TLV file with 1 byte type, followed by 2 bytes length and finally the data. But as this is far to easy, some special fields omit the length field and just place the data after the type (I guess those are fields with a fixed length). Here is an example CTL file:
Red fields are the types (counting up), green fields are the length (note the missing length on some fileds) and the purple field contains the data (in this case data with a length of 8 bytes and a type 0×05, which is the signing cert serial number btw. [and yes, this is a real example; Cisco signs phone loads with this 'random' cert]).
The CTL contains a header with types from 0×01 to 0x0f which is padded with 0x0d. The same header is used for the signed files .sgn from the TFTP server later on. The header describes the file version, the header length, the certificate the file is signed by (further called Signing Cert), the corresponding Certificate Authority, the file name, the files time stamp and finally the signature. The header is followed by multiple cert entries, which again use types 0×01 to 0x0f. The cert entry contains a role field 0×04 which describes the use of the cert. We are interested in the CAPF cert (0×04) and the Call Manager cert (0×02).
0 Comments | Posted by Daniel Mende
Some of you may have heard the topic before, as we have spoken about on this years BlackHat Europe, TROOPERS12 and HES12, so this is nothing completely new, but as we’re done with responsible disclosure (finally (-; ) and all the stuff should be fixed, we’re going to publish the code that brought us there. I will split the topic into two blog posts, this one will wrap up the setup, used components and protocols, the next one [tbd. till EOY, hopefully] will get into detail on the tools and techniques we used to break the enterprise grade security.
First lets take a look on all the components involved in the setup:
As you can see in the picture, there are a lot of components and even more certificates involved. From left to right: (more…)
Today is a great day, its the day, Loki finally runs on all big operating systems. Im proud to announce the first Loki release for Windows!
There are a few things not working (yet / at all) under Windows. Those are:
- The WLCCP Module – ive not yet managed to build and link against asleap on windows [but time may help (-; ]
- TCP-MD5 Auth for BGP – This will never work, as Windows has no TCP-MD5 impl. in the kernel
- The MPLS Module – Had some hassle here with WinPcap, may be working in the future
The most testing so far was done on Windows 7 were all the other functions work as they do on Linux and Mac.
Download the installer here [1ebf2edbb0cdb631dc2704e82d9c2d778fac703d].
Today I’m going to open up the ‘Week of releases’, which means there will be some new software in the next days.
Lets start with a new version of loki. The version goes up to 0.2.7 and there are a lot of new features:
- SCTP support in the base.
- Invalid option and invalid header scan in the ICMP6 module.
- On-line msg updates for neighbor messages in the RIP module.
- New module for rewriting 802.1Q labels
- Lots of small improvements and bug-fixes
- Some new features I won’t tell right now, get the source and find them yourself
Also there are new packages for gentoo, ubuntu-11.04 and fedora-15, also its the first time, packages for amd64 systems are available.
- Package for gentoo – c29a6cca7a1f7394a473d4b50a1766e9f13fd5a5
- Manifest – 9338ebcc6a3cb58478671f00cac3114efe5df337
- Package for ubuntu 11.04 i386 – bf9fa05aa20677ac209126b78c3829940daaa8ee
- pylibpcap – e30c9c8ab1a8e1ee3ddedd05475767dc9f85b526
- Package for ubuntu 11.04 amd64 – 50f5c784f039a15613affd52e304e61fd2a16a58
- pylibpcap – 9457644ef52fd6bfdb0da8790eee759cc4f76c8b
- Package for fedora 15 i686 – 06398d9c8ca5fd0d80b0da65756b01bfe07652b4
- Package for fedora 15 amd64 – 06c1fca3f8390cbe00e8e5c427327379c30222d6