Wednesday, December 30, 2009

Belch v1.0 - Burp external channel manipulator

Belch v1.0 is out.

Belch is a plug-in for Burp Suite designed to aid protocol analysis and manipulation. It is fairly simple.

When dealing with a thin-client application (such as one using jser, the Java serialization protocol), most of the time the communication between the client and the server is encrypted and transmitted in binary format.

Most proxy tools cannot manipulate binary packets on the fly with a useful editor; that is why I wrote Belch.

Belch is aimed at making protocol analysis smoother: once you understand the protocol concepts and have written an encryption/decryption tool, you will want to use it on live communication.

Enter Belch.

Belch launches as a Burp Suite plug-in that interacts with the communication on both ends.
Once a message has been trapped, Burp forwards it to the Belch process.

Belch performs the following actions on the message:

1. It logs the message to a file.
2. It then executes an external editor (user's choice: notepad, sed, awk, perl, etc.) on the file; in this step the editor manipulates the message data.
3. Once the editor process has terminated, Belch reads the file content and forwards it to Burp and onto the wire.
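The three steps above, sketched in Python as an added example (this is not Belch's own code). It assumes the file path is passed to the editor as its last argument and that `##` is a two-digit sequence number; `trap_message` and the `.orig` copy are hypothetical names introduced here.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

def trap_message(message, log_dir, seq, kind, editor):
    """Log one trapped message, run the external editor on it, return bytes to forward.

    editor is an argument list such as ["notepad.exe"]; the file path is appended
    as the last argument (assumption about how the editor is invoked).
    """
    log_dir = Path(log_dir)
    log_dir.mkdir(parents=True, exist_ok=True)
    raw = log_dir / f"{seq:02d}_{kind}.raw"        # e.g. 01_Response.raw
    raw.write_bytes(message)                       # step 1: binary-safe log
    (log_dir / f"{seq:02d}_{kind}.orig").write_bytes(message)  # untouched copy for the record
    try:
        # step 2: block until the editor exits; no shell, so the path is never re-parsed
        done = subprocess.run(list(editor) + [str(raw)], timeout=600)
    except (OSError, subprocess.TimeoutExpired):
        return message                             # editor missing or hung: forward original
    if done.returncode != 0:
        return message                             # editor reported failure: forward original
    edited = raw.read_bytes()                      # step 3: read back exactly what is on disk
    return edited if edited else message           # never forward an empty file by accident

if __name__ == "__main__":
    # Constructed demo: a one-line Python "editor" that swaps byte A for byte B in place.
    swap = [sys.executable, "-c",
            "import sys,pathlib;p=pathlib.Path(sys.argv[1]);"
            "p.write_bytes(p.read_bytes().replace(b'A',b'B'))"]
    with tempfile.TemporaryDirectory() as tmp:
        print(trap_message(b"\xac\xed\x00\x05A", tmp, 1, "Response", swap))
```

Keeping the untouched copy next to the edited file gives a before/after record of every change made during an engagement.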

Below is a screen capture of the Belch settings:

Enable/Disable: this option enables or disables Belch.

: this button pops up the Logging folder selection GUI; in this folder Belch will record all the traffic that passes through it.

Trap Requests: when enabled, Belch will pass requests to the External editor for processing.

Trap Responses: when enabled, Belch will pass responses to the External editor for processing.

this button pops up the External editor selection GUI; Belch will execute the editor on each selected message as pre-configured in the requests/responses check-boxes.

Automation Enabled: when checked, responses that arrive will be preprocessed by the selected processor and then sent to the client side of the communication.

Automation Folder (Automator): this button pops up the Automation responses folder selection. When automation is enabled, select the first response to be sent to the processor and then to the client; since Belch records its traffic using the ##_Response.raw convention, Belch automation will iterate over the following responses sequentially.

Processor: this button pops up the processor selection GUI; Belch will execute this processor on each response prior to forwarding it to the client.

Reset: this button resets the response iteration to the first response that was selected.

Command line arguments:
Belch will process the following tokens when launched:
- the external editor to use,
- the folder in which Belch should record its traffic,
- the executable that will be launched on server responses prior to forwarding them to the client.

Here is an example of running Belch using notepad as an editor and as a processor:

java -Xmx512m -cp burpsuite_v1.2.01.jar;Belch.jar burp.StartBurp Editor="notepad.exe" LogPath=.\temp Processor=notepad.exe

Download from source forge at
Enjoy :)

Monday, December 7, 2009

new tools - new boundaries to explore !

It's been a while since my last post; I was preoccupied writing a new tool set for "on the fly" manipulation of Java Serialization packets.
I have made great progress and am now finalizing the tools.
Will post soon with the tools.

Wednesday, September 30, 2009

Wrapping it up together

Following my post on Java serialized object capture, I had some time for cleanup, so here goes:

You are trying to pentest a J2EE application; the client and server communicate using the jser protocol (Java objects over TCP).
You set up a reverse proxy and capture the conversation on the fly. The only thing is that the content of the packets is mainly binary, and you don't have anything else to work with except for the Mighty hex-editor :-)

My setup is as follows:
client <-> reverse proxy <-> wrapper batch (ngrep-jser) <-> simple proxy <-> server

The wrapper batches automate the analysis process by repeatedly executing ngrep-jser and forwarding the packet to a Java deserialization routine that tampers with the data and writes back the (now tampered) object.

The new object can be forwarded to the server instead of the original one by dropping the original at the proxy and injecting the new object instead.

OK, enough said, here are the files
(warning: very straight to the point, no hoo-ha's included):

@echo Requests monitor
@SET /P M=Type dst to listen to:
@SET /P F=Type Flow directory to write to:

REM Create the capture directory on first run only
if exist %F%\requests goto start
md %F%\requests

:start
REM Each pass: ngrep -m captures one object and exits, then the capture is decoded into the log
FOR /L %%i IN (1,1,100) DO @echo "Recording Packet to .\%F%\requests\request_%%i" && ngrep -d 2 -q -m -O .\%F%\requests\request_%%i.pcap -X 0x78 dst %m% && java -jar JSER_Descryptor.jar .\%F%\requests\request_%%i.pcap >> .\%F%\requests\request.log
goto start


@echo Responses monitor
@SET /P M=Type src to listen to:
@SET /P F=Type Flow directory to write to:

REM Create the capture directory on first run only
if exist %F%\responses goto start
md %F%\responses

:start
REM Each pass: ngrep -m captures one object and exits, then the capture is decoded into the log
FOR /L %%i IN (1,1,100) DO @echo "Recording Packet to .\%F%\responses\response_%%i" && ngrep -d 2 -q -m -O .\%F%\responses\response_%%i.pcap -X 0x78 src %m% && java -jar JSER_Descryptor.jar .\%F%\responses\response_%%i.pcap >> .\%F%\responses\response.log
goto start


Monday, August 3, 2009

Ngrep 1.45 for Java Serialized Objects

Following my last post, a new need for adjusting Ngrep has arisen.
We needed to let Ngrep identify a JSER communication session and dump the whole req/res into one file so it can be sent for decryption and further analysis.
To address this issue I have added a new option (-m) to Ngrep that identifies the end of an object transmission and exits the pcap_loop upon it.

usage example: ngrep -d 5 -O output.pcap -m -X 0x78 dst host

Sources and precompiled windows binary tarball here (sourceforge svn)

A .patch file for use with the original 1.45 distribution can be downloaded here
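To show what a capture of such a session contains, here is an added example (not the ngrep patch and not code from this blog) that checks a payload for the Java serialization stream header, reads the top-level class name and lists every 0x78 byte. The constants come from the Java Object Serialization stream format, where 0x78 is TC_ENDBLOCKDATA; that this is why the usage line matches on 0x78 is an assumption, and the sample bytes are constructed.

```python
import struct

STREAM_MAGIC = 0xACED      # first two bytes of every ObjectOutputStream
STREAM_VERSION = 5
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA = 0x73, 0x72, 0x78

# Constructed sample: an empty java.util.ArrayList as ObjectOutputStream writes it.
SAMPLE = (
    b"\xac\xed\x00\x05"                  # stream magic + version
    b"\x73\x72"                          # TC_OBJECT, TC_CLASSDESC
    b"\x00\x13java.util.ArrayList"       # class name: 2-byte length + UTF bytes
    b"\x78\x81\xd2\x1d\x99\xc7\x61\x9d"  # serialVersionUID (note: starts with 0x78)
    b"\x03\x00\x01" b"I\x00\x04size"     # flags, one field: int size
    b"\x78\x70"                          # TC_ENDBLOCKDATA, TC_NULL (no superclass)
    b"\x00\x00\x00\x00"                  # size = 0
    b"\x77\x04\x00\x00\x00\x00"          # TC_BLOCKDATA written by writeObject()
    b"\x78"                              # TC_ENDBLOCKDATA closing the object
)

def inspect_jser(payload):
    """Summarise the first Java serialization stream in payload, or return None."""
    start = payload.find(struct.pack(">HH", STREAM_MAGIC, STREAM_VERSION))
    if start < 0:
        return None
    info = {"offset": start, "class_name": None}
    pos = start + 4
    # Common case: the stream opens with a new object and its class descriptor.
    if payload[pos:pos + 2] == bytes([TC_OBJECT, TC_CLASSDESC]) and len(payload) >= pos + 4:
        (n,) = struct.unpack_from(">H", payload, pos + 2)
        name = payload[pos + 4:pos + 4 + n]
        if len(name) == n:               # skip names cut off by a segment boundary
            info["class_name"] = name.decode("utf-8", "replace")
    # Every 0x78 after the header: only some of these are real end-of-block markers.
    info["endblock_offsets"] = [i for i in range(pos, len(payload))
                                if payload[i] == TC_ENDBLOCKDATA]
    info["ends_with_endblock"] = payload.endswith(bytes([TC_ENDBLOCKDATA]))
    return info

if __name__ == "__main__":
    print(inspect_jser(SAMPLE))
```

The first 0x78 in the sample is part of the serialVersionUID, so a bare byte match is only a hint that an object has ended; check that the dumped file deserializes before relying on it.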

Tuesday, July 14, 2009

Building Ngrep 1.45 on VS2008

Update (08-04-2009): check out the Ngrep for JSER mod in today's post.

Needed to fine-tune Ngrep for Windows; downloaded the source from the net, but it wasn't compatible with the new VS2008 distribution. After some time messing around with it I got to a very clean solution; all code changes are marked in green:

  1. download Ngrep sources
  2. download WinPcap sources
  3. extract and open with VS2008
  4. fix the include/lib paths to point to the WinPcap location
  5. open up regex.c and change the regerror() definition
    from this:

    regerror (errcode, preg, errbuf, errbuf_size)
    int errcode;
    const regex_t *preg;
    char *errbuf;
    size_t errbuf_size;

    to this:
    regerror (int errcode,
    const regex_t * preg,
    char * errbuf,
    size_t errbuf_size)

  6. open ws2tcpip.h from the Microsoft SDK (usually under c:\program files\microsoft SDKs) and add an ifndef macro definition of your choice (I named it NGREP_COMPILE) before the NTDDI_VERSION LONGHORN check, like this:

    #ifndef NGREP_COMPILE

    Close this macro at the end of the LONGHORN block by adding an endif so it closes the wrapper, like this:

    #endif // TYPEDEFS
    #endif // LONGHORN
    #endif //NGREP_COMPILE

  7. in config.h define the macro you set in step 6:

    add macro definition to end of file like this:

    #define USE_DROPPRIVS 0
    #define DROPPRIVS_USER "notused"
    #define NGREP_COMPILE

  8. that's it, now compile and build your self-tailored Ngrep for Windows.

Tuesday, February 17, 2009

iPC 10.5.6 + ThinkpadR50

Been tackling this one for a week now, just got it all tied up together.

Currently works:

Sound AC97
Ethernet Intel Pro 100
ATI Radeon 7500

Not:
Intel 2200 wifi pci

Photos and a quick tutorial in the next days.

Monday, February 16, 2009

a trip to the blacksmith

on my list, among others are:

  1. thinkpad R50
  2. iPC 10.5.6
  3. xCode
  4. pdb
  5. Racket
  6. Rumble
  7. libevent

trying to forge together a new pentest architecture.

Wednesday, February 11, 2009

from black to white

New day, new blog, new job
fading from black to white.
image by freedigital photos