Insinuator


Some outright rants from a bunch of infosec practitioners.

TAG | tool

Aug/14

25

ERNW’s Top 9 Burp Plugins

In the context of an internal evaluation, we recently had a look at most of the burp plugins available from the BApp store. The following overview represents our personal top 9 plugins, categorized in “Scanner Extensions”, “Manual Testing” and “Misc” in alphabetic order:
(more…)

, | Post your comment here.

Jun/14

25

New Tool: s1ap_enum

As we continue our research in the 3GPP protocol world, there is a new tool for you to play with. It is called s1ap_enum and thats also what it does  ;)

The tool itself is written in erlang, as i found no other free ASN.1 parser that is able to parse those fancy 3GPP protocol specs. It connects to an MME on sctp/36412 and tries to initiate a S1AP session by sending an S1SetupRequest PDU. To establish a S1AP session with an MME the right MCC and MNC are needed in the PLMNIdentity. The tool tries to guess the right MCC/MNC combinations. It comes with a preset of known MCC/MNC pairs from mcc-mnc.com, but can try all other combinations as well.

Download

(more…)

, , , , | Post your comment here.

May/14

8

ASCII Protocol Scheme Generator

As we historically have a strong connection to network technologies (not surprising, given the “NW” in “ERNW” stands for “Networks”), I developed a small script to create RFC-style ASCII representations of protocol schemes. The following listing shows an example created for a fictitious protocol:

 0                   1                   2                   3  
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------------------------------------------------------+
|             type              |              id               |
+---------------------------------------------------------------+
|     flags     |                   reserved                    |
+---------------------------------------------------------------+
|                            payload                            |
+---------------------------------------------------------------+

 

The command line to create this output is

./ascii_header.py 16-type 16-id 8-flags 24-reserved 32-payload

and of course the script also provides a help message which explains the parameters in detail.

Download: https://www.ernw.de/download/ascii_protocol_scheme_generator.zip

Enjoy and feel free to leave feedback and comments,

Benedikt :)

, | Post your comment here.

Feb/14

20

Fresh Meat From the Coding Front

Within the last months I had some time to work on my code and today I’m releasing some of that: a new version of dizzy as well as two new loki modules.

(more…)

, , , , , , | Post your comment here.

With HTML 5 the current web development moves from server side generated content and layout to client side generated. Most of the so called HTML5 powered websites use JavaScript and CSS for generating beautiful looking and responsive user experiences. This ultimately leads to the point were developers want to include or request third-party resources. Unfortunately all current browsers prevent scripts to request external resources through a security feature called the Same-Origin-Policy. This policy specifies that client side code could only request resources from the domain being executed from. This means that a script from example.com can not load a resource from google.com via AJAX(XHR/XmlHttpRequest).

As a consequence, the W3 consortium extended the specification that a set of special headers allows  access from a cross domain via AJAX, the so called Cross-Origin Resource Sharing (CORS). These headers belong to the Access-Control-Allow-* header group. A simple example of a server response allowing to access the resource data.xml from the example.com domain is shown below:

CORS Response

The most important header for CORS is the Access-Control-Allow-Origin header. It specifies from which domains access to the requested resource is allowed (in the previous example only scripts from the example.com domain could access the resource). If the script was executed from another domain, the browser raises a security exception and drops the response from the server; otherwise JavaScript routines could read the response body as usual. In both cases the request was sent and reached the server. Consequently, server side actions are taking place in both situations.

To prevent this behavior, the specification includes an additional step. Before sending the actual request, a browser has to send an OPTIONS request to the resource (so called preflight request). If the browser detects (from the response of the preflight) that the actual request would conflict with the policy, the security exception is raised immediately and the original request never gets transmitted.

Additionally the OPTIONS response could include a second important header for CORS: Access-Control-Allow-Credentials.
This header allows the browser to sent authentication/identification data with the desired request (HTTP-Authentication or cookies). And the best: this works also with HTTP-Only flags :).

As you may notice, the whole security is located in the Access-Control-Allow-Origin header, which specifies from which domains client side code is allowed to access the resource’s content. The whole problem arises when developers either due to laziness or simply due to unawareness) set a wildcard value:

CORS Response Wildcard

This value allows all client side scripts to get the content of the resource (in combination with Access-Control-Allow-Credentials also to restricted resources).

That’s where I decided to create a simple proof of concept tool that turns the victim browser into a proxy for CORS enabled sites. The tool uses two parts. First, the server.py which is used as an administrative console for the attacker to his victims. Second, the jstunnel.js which contains the client side code for connecting to the attacker’s server and for turning the browser into a proxy.

After starting the server.py you could access the administrative console via http://localhost:8888. If no victims are connected you will see an almost empty page. Immediately after a victim executes the jstunnel.js file (maybe through a existing XSS vulnerability or because he is visiting a website controlled by you…) he will be displayed in a list on the left side. If you select a connected victim in the list, several options become available in the middle of the page:

JS Proxy

 

  1. Some information about the victim
  2. Create an alert popup
  3. Create a prompt
  4. Try to get the cookies of the client from the site where the jstunnel.js gets executed
  5. Use the victim as a proxy
  6. Execute JS in the victims browser
  7. View the current visible page (like screenshot, but it is rendered in your browser)

If you select the proxy option and specify a URL to proxy to, an additional port on the control server will be opened. From now on, all requests which you send to this port will be transferred to the victim and rerequested from his browser. The content of the response will be transferred back to the control server and displayed in your browser.
As an additional feature, all images being accessible by JavaScript, will be encoded in base64 and also transferred.

If you like to test it yourself:

  1. You need Python 3.x and tornado
  2. You will find a vulnerable server in the test directory

This kind of functionality is also implemented in the Browser Exploitation Framework (BeEF), but I liked to have some lightweight and simple proof of concept to demonstrate the issue.

Download:

Regards,
Timo

, , , | Post your comment here.

Mar/13

15

TROOPERS13 – The Badge Code

As a lot of people were asking for, here comes the code of your badge. All You need to customize your badge, is a micro controller programmer, like the Pickit (its around 30 to 40 euros) and the build environment, MPLAB which you can get for free. Then just download the code and implement your own super cool features. Let us know what you did, the best hacks will get into the TROOPERS hall of fame (-;
(more…)

, , | Post your comment here.

Hi again and a happy new year 2013!

Lets continue were I left you the last time.

The CTL

The CTL is basically a binary TLV file with 1 byte type, followed by 2 bytes length and finally the data. But as this is far to easy, some special fields omit the length field and just place the data after the type (I guess those are fields with a fixed length). Here is an example CTL file:

Red fields are the types (counting up), green fields are the length (note the missing length on some fileds) and the purple field contains the data (in this case data with a length of 8 bytes and a type 0×05, which is the signing cert serial number btw. [and yes, this is a real example; Cisco signs phone loads with this 'random' cert]).

The CTL contains a header with types from 0×01 to 0x0f which is padded with 0x0d. The same header is used for the signed files .sgn from the TFTP server later on. The header describes the file version, the header length, the certificate the file is signed by (further called Signing Cert), the corresponding Certificate Authority, the file name, the files time stamp and finally the signature. The header is followed by multiple cert entries, which again use types 0×01 to 0x0f.  The cert entry contains a role field 0×04 which describes the use of the cert. We are interested in the CAPF cert (0×04) and the Call Manager cert (0×02).
(more…)

, , , | Post your comment here.

Some of you may have heard the topic before, as we have spoken about on this years BlackHat EuropeTROOPERS12  and HES12, so this is nothing completely new, but as we’re done with responsible disclosure (finally (-; )  and all the stuff should be fixed, we’re going to publish the code that brought us there. I will split the topic into two blog posts, this one will wrap up the setup, used components and protocols, the next one [tbd. till EOY, hopefully] will get into detail on the tools and techniques we used to break the enterprise grade security.

 The Components

First lets take a look on all the components involved in the setup:

As you can see in the picture, there are a lot of components and even more certificates involved. From left to right: (more…)

, , , | Post your comment here.

Nov/12

8

Loki for Windows released

Today is a great day, its the day, Loki finally runs on all big operating systems. Im proud to announce the first Loki release for Windows!

There are a few things not working (yet / at all) under Windows. Those are:

  • The WLCCP Module – ive not yet managed to build and link against asleap on windows [but time may help (-; ]
  • TCP-MD5 Auth for BGP – This will never work, as Windows has no TCP-MD5 impl. in the kernel
  • The MPLS Module – Had some hassle here with WinPcap, may be working in the future

The most testing so far was done on Windows 7 were all the other functions work as they do on Linux and Mac.

Download the installer here [1ebf2edbb0cdb631dc2704e82d9c2d778fac703d].

cheers

/daniel

, , , | Post your comment here.

May/12

23

Releasing dizzy version 0.6

Hi @all,
today im releasing a new version of our famous fuzzing framework, dizzy. The version counts 0.6 by now and youll get some brand new features!

see the CHANGELOG:
v0.6:
- ssl support
- server side fuzzing mode
- command output
- new dizz funktions: lambda_length, csum, lambda_csum, lambda2_csum
- recursive mutation mode
- new dizz objects: fill
- new interaction objects: null_dizz
- reconnect option
- additional fuzzing values

find the sources here (90397f9ec11c8ec3db7f14cb4d38dd39e30f9791)

cheers

/daniel

, , | Post your comment here.

Older posts >>

Contact


Mail | Twitter | Imprint

©2010-2013 ERNW GmbH
To top