TAG | python
Today is a great day, it's the day Loki finally runs on all major operating systems. I'm proud to announce the first Loki release for Windows!
There are a few things not working (yet / at all) under Windows. Those are:
- The WLCCP Module – I've not yet managed to build and link against asleap on Windows (but time may help)
- TCP-MD5 Auth for BGP – This will never work, as Windows has no TCP-MD5 implementation in the kernel
- The MPLS Module – Had some hassle here with WinPcap; may be working in the future
Most of the testing so far was done on Windows 7, where all the other functions work as they do on Linux and Mac.
Download the installer here [1ebf2edbb0cdb631dc2704e82d9c2d778fac703d].
Finally it’s here!
pytacle is a tool inspired by tentacle. It automates the task of sniffing GSM frames off the air, extracting the key exchange, feeding kraken with the key material and finally decoding/decrypting the voice data. All you need is a USRP (or similar) to capture the GSM band and a kraken instance with the Berlin tables (only about 2 TB).
I’ve posted a preview before, take a look at the video to see the tool in action.
The tool is early alpha, so it's working (for me), but it's neither rock stable nor packaged in any way. Still, I'll be happy to get bug reports.
BTW, talking about telco security: there will be another TelcoSecDay on 03/12/2013 at next year's Troopers! We already have some quite interesting talks confirmed.
Today I'm releasing a new version of our famous fuzzing framework, dizzy. The version number is now 0.6 and you'll get some brand new features!
See the CHANGELOG:
- ssl support
- server side fuzzing mode
- command output
- new dizz functions: lambda_length, csum, lambda_csum, lambda2_csum
- recursive mutation mode
- new dizz objects: fill
- new interaction objects: null_dizz
- reconnect option
- additional fuzzing values
Find the sources here (90397f9ec11c8ec3db7f14cb4d38dd39e30f9791).
Posted by Timo Schmid
In a .NET environment, WCF services can use the proprietary WCF binary XML protocol described here. Microsoft uses this protocol to save some time parsing the transmitted XML data. If you have to (pen-)test such services, it would be nice to read (and modify) the communication between, for example, clients and servers. One possibility is Fiddler.
Fiddler’s strengths include its extensibility and its WCF binary plugins. Sadly, these plugins can only decode and display the binary content as XML text.
Our first tool of choice for web app pentests (Burp Suite) also has a plugin feature, and one can also find plugins for decoding WCF binary streams (and encoding XML back into them). But all WCF binary plugins out there are based on the .NET library, which means one either has to work on MS Windows or with Mono. Another disadvantage is the validation and auto-correction feature of such libraries, which is not very useful for penetration testing.
That's why we decided to write a small Python library according to Microsoft's Open Specification, which enables us to decode and encode WCF binary streams. The library has a rudimentary command-line interface for converting XML to WCF binary and vice versa, as well as a plugin for our Python-to-Burp plugin (pyBurp).
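To show what such a decoder has to do, here is a small added example (not the library from the post) that reads a subset of the WCF binary XML record types from Microsoft's MC-NBFX specification: inline-named elements, inline-named attributes, end-element records, and the Chars8 and Int32 text records, including their "WithEndElement" variants. The two input buffers are constructed for the example; the first is the `<doc>hello</doc>` sample encoding given in the specification.

```python
import struct
# MC-NBFX record types (subset). A text record whose low bit is set is the
# "...WithEndElement" variant, which also closes the current element.
END_ELEMENT, SHORT_ELEMENT, SHORT_ATTRIBUTE = 0x01, 0x40, 0x04
CHARS8_TEXT, INT32_TEXT = 0x98, 0x8C

def read_string(buf, pos):
    # MultiByteInt31 length (7-bit little-endian varint) followed by UTF-8
    n, shift = 0, 0
    while True:
        b = buf[pos]; pos += 1
        n |= (b & 0x7F) << shift; shift += 7
        if not b & 0x80:
            return buf[pos:pos + n].decode("utf-8"), pos + n

def read_text(buf, pos):
    # One text record -> (text, new_pos, closes_element)
    rec = buf[pos]; pos += 1
    base, end = rec & ~1, bool(rec & 1)
    if base == CHARS8_TEXT:            # 8-bit length, then UTF-8 bytes
        n = buf[pos]; pos += 1
        return buf[pos:pos + n].decode("utf-8"), pos + n, end
    if base == INT32_TEXT:             # 4-byte little-endian signed int
        return str(struct.unpack_from("<i", buf, pos)[0]), pos + 4, end
    raise ValueError("unsupported record 0x%02x at offset %d" % (rec, pos - 1))

def nbfx_to_xml(buf):
    out, pos, stack = [], 0, []
    while pos < len(buf):
        rec = buf[pos]; pos += 1
        if rec == SHORT_ELEMENT:       # element with inline (non-dictionary) name
            name, pos = read_string(buf, pos)
            attrs = ""
            while pos < len(buf) and buf[pos] == SHORT_ATTRIBUTE:
                aname, pos = read_string(buf, pos + 1)
                aval, pos, _ = read_text(buf, pos)
                attrs += ' %s="%s"' % (aname, aval)
            out.append("<%s%s>" % (name, attrs)); stack.append(name)
        elif rec == END_ELEMENT:
            out.append("</%s>" % stack.pop())
        else:                          # anything else must be a text record
            text, pos, end = read_text(buf, pos - 1)
            out.append(text)
            if end:
                out.append("</%s>" % stack.pop())
    if stack:                          # strict: unbalanced input is rejected
        raise ValueError("unterminated elements: %s" % stack)
    return "".join(out)

SAMPLE_DOC = bytes.fromhex("40 03 64 6f 63 99 05 68 65 6c 6c 6f")  # constructed: <doc>hello</doc>
SAMPLE_ATTR = bytes.fromhex("40 01 61 04 01 78 98 01 31 40 01 62 8d 2a 00 00 00 01")  # constructed: <a x="1"><b>42</b></a>
```

The decoder does no XML escaping and handles only the record types listed; anything else raises instead of being silently corrected, which is what you want when the goal is to see exactly what went over the wire.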
One of our favorite tools for conducting penetration tests (especially, but not only, web application tests) is PortSwigger's Burp Suite. Burp allows you to extend its features by writing your own plugins. But because Burp is written in Java, it only supports Java classes as plugins. Additionally, Burp only allows one plugin at a time, which has to be loaded on start-up.
Now we have written a Burp-Python proxy (called pyBurp) which adds some features to the plugin system:
- write plugins in Python
- load and unload plugins at any time
- load multiple plugins
Today I'll give a short preview of my newest tool, pytacle. It is simply a little helper program to control gnuradio/airprobe/kraken/some other tools, convert their input/output and find a usable clear/cipher text combination to break A5/1. In the end it should record, crack and decode/play a GSM phone call with ~5 mouse clicks.
Take a look at this video:
The code is not available yet, as it's not finished: the recording and cracking parts are working, but the decoding isn't. I need to put some more time into the code, but there isn't much spare time at this time of the year.
Another day, another tool
Today I'm proudly releasing the first version of apnbf, a small Python script designed for enumerating valid APNs (Access Point Names) on a GTP-C speaking device. It tries to establish a new PDP session with the endpoint by sending a createPDPContextRequest. This request needs to include a valid APN, so one can easily distinguish between a valid APN (which will be answered with a createPDPContextResponse) and an invalid APN (which will be answered with an error indication message). In addition, the tool also parses the error indication and displays the reason (which should be "Missing or unknown APN" in case of an invalid APN).
Don't waste time, get the source here (5a122f198ea35b1501bc3859fd7e87aa57ef853a).
So, after having a completely new release yesterday, we will stay with already known but updated software today. You might have heard of gtp_scan before, which is a small Python script for scanning mainly 3G and 4G devices and detecting GTP (GPRS Tunneling Protocol) enabled ports. As GTP is transported via UDP and, as we all know, UDP scanning is a pain, the tool uses GTP's built-in echo mechanism to detect GTP speaking ports. Since the last version I've implemented some new features:
- Support for the complete GTP spectrum (GTP-C, GTP-U, GTP')
- Support for scanning on SCTP
- Improved result output, including a validity check of response packets
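As an added illustration of what the validity check on an echo response has to verify, here is an example (not gtp_scan's own code) that builds a GTPv1 echo request and checks a reply against the GTPv1 header layout from 3GPP TS 29.060: version and PT bits, message type, the length field, TEID 0, the sequence number echoed from the request, and the mandatory Recovery IE. The response bytes are constructed for the example.

```python
import struct

GTP_ECHO_REQUEST, GTP_ECHO_RESPONSE, IE_RECOVERY = 0x01, 0x02, 0x0E

def build_echo_request(seq):
    # Flags 0x32: version 1, PT=1 (GTP, not GTP'), S flag set. TEID is 0 for
    # echo. Length counts everything after the 8-byte mandatory header, here
    # the 4 optional bytes: sequence (2), N-PDU number (1), next ext type (1).
    return struct.pack("!BBHIHBB", 0x32, GTP_ECHO_REQUEST, 4, 0, seq, 0, 0)

def check_echo_response(pkt, expected_seq):
    # Return the Recovery counter if pkt is a well-formed GTPv1 Echo Response
    # matching the request with sequence expected_seq; raise ValueError otherwise.
    if len(pkt) < 8:
        raise ValueError("short packet")
    flags, mtype, length, teid = struct.unpack_from("!BBHI", pkt, 0)
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    if not flags & 0x10:
        raise ValueError("PT=0: GTP' header, not GTP-C/GTP-U")
    if mtype != GTP_ECHO_RESPONSE:
        raise ValueError("message type 0x%02x is not Echo Response" % mtype)
    if length != len(pkt) - 8:
        raise ValueError("length %d does not match %d payload bytes" % (length, len(pkt) - 8))
    if teid != 0:
        raise ValueError("echo messages must carry TEID 0")
    pos = 8
    if flags & 0x07:               # any of E/S/PN set: optional 4 bytes present
        seq, _npdu, ext = struct.unpack_from("!HBB", pkt, 8)
        if flags & 0x02 and seq != expected_seq:
            raise ValueError("sequence %d does not match request %d" % (seq, expected_seq))
        if flags & 0x04 and ext != 0:
            raise ValueError("unexpected extension header type 0x%02x" % ext)
        pos = 12
    # Echo Response carries one mandatory IE: Recovery, TV format, 1-byte value
    if pos + 2 > len(pkt) or pkt[pos] != IE_RECOVERY:
        raise ValueError("missing Recovery IE")
    return pkt[pos + 1]

def is_valid_echo_response(pkt, expected_seq):
    try:
        check_echo_response(pkt, expected_seq)
        return True
    except ValueError:
        return False

# Constructed reply to build_echo_request(42): seq 0x002a, Recovery counter 7
SAMPLE_RESPONSE = bytes.fromhex("32 02 00 06 00 00 00 00 00 2a 00 00 0e 07")
```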
Find the sources here (bbdcc8888ebb4739025395f8c1c253fa5fd2bb15).
Have a nice one.
I'm proud to announce that today a new fuzzing framework will see the light of day. It's called dizzy and was written because the tools we used for fuzzing in the past didn't match our requirements. Some (unique) features are:
- Python based
- Can send to L2 as well as to upper layers (TCP/UDP/SCTP)
- Ability to work with odd length packet fields (no need to match byte borders, so even single flags or 7bit long fields can be represented and fuzzed)
- Very easy protocol definition syntax
- Ability to do multi-packet stateful fuzzing, with the ability to use received target data in the response.
We already had a lot of success using it; now you will be able to see for yourself.
Find the source here (c715a7ba894b44497b98659242fce52128696a17).
Today I’m going to open up the ‘Week of releases’, which means there will be some new software in the next days.
Let's start with a new version of Loki. The version number goes up to 0.2.7 and there are a lot of new features:
- SCTP support in the base.
- Invalid option and invalid header scan in the ICMP6 module.
- On-line msg updates for neighbor messages in the RIP module.
- New module for rewriting 802.1Q labels
- Lots of small improvements and bug-fixes
- Some new features I won't tell you about right now; get the source and find them yourself
There are also new packages for Gentoo, Ubuntu 11.04 and Fedora 15, and for the first time packages for amd64 systems are available.
- Package for gentoo – c29a6cca7a1f7394a473d4b50a1766e9f13fd5a5
- Manifest – 9338ebcc6a3cb58478671f00cac3114efe5df337
- Package for ubuntu 11.04 i386 – bf9fa05aa20677ac209126b78c3829940daaa8ee
- pylibpcap – e30c9c8ab1a8e1ee3ddedd05475767dc9f85b526
- Package for ubuntu 11.04 amd64 – 50f5c784f039a15613affd52e304e61fd2a16a58
- pylibpcap – 9457644ef52fd6bfdb0da8790eee759cc4f76c8b
- Package for fedora 15 i686 – 06398d9c8ca5fd0d80b0da65756b01bfe07652b4
- Package for fedora 15 amd64 – 06c1fca3f8390cbe00e8e5c427327379c30222d6