Wednesday, September 30, 2009

Wrapping it up together

Following my post on Java serialized object capture, I had some time for cleanup, so here goes:

Problem:
You are pentesting a J2EE application whose client and server communicate over the jser protocol (Java objects serialized over TCP).
You set up a reverse proxy and capture the conversation on the fly, only to find that the packet contents are mostly binary, and you have nothing to work with except the mighty hex editor :-)

Solution:
My setup is as follows:
client <-> reverse proxy <-> wrapper batch (ngrep-jser) <-> simple proxy <-> server

The wrapper batches automate the analysis by repeatedly executing ngrep-jser and handing each captured packet to a Java deserialization routine that tampers with the data and writes the (now tampered) object back out.

The new object can be forwarded to the server instead of the original one by dropping the original at the proxy and injecting the new object in its place.

OK, enough said. Here are the files
(warning: very straight to the point, no hoo-ha's included):

Requests_monitor.bat
--------------------------------
@echo Requests monitor
@SET /P M=Type dst to listen to:
@SET /P F=Type Flowdirectory to write to:

if exist %F%\requests goto start
md %F%\requests


:start
REM Each iteration runs ngrep, which writes the matched packet to its own pcap file;
REM because of &&, the decoder only runs (and appends to request.log) if ngrep exited successfully.
FOR /L %%i IN (1,1,100) DO @echo "Recording Packet to .\%F%\requests\request_%%i" && ngrep -d 2 -q -m -O .\%F%\requests\request_%%i.pcap -X 0x78 dst %M% && java -jar JSER_Descryptor.jar .\%F%\requests\request_%%i.pcap >> .\%F%\requests\request.log
goto start

--------------------------------


Responses_monitor.bat
--------------------------------
@echo Responses monitor
@SET /P M=Type src to listen to:
@SET /P F=Type Flow directory to write to:


if exist %F%\responses goto start
md %F%\responses


:start
REM Same loop as the requests monitor, but matching on the source address so that
REM server responses are captured and decoded into response.log.
FOR /L %%i IN (1,1,100) DO @echo "Recording Packet to .\%F%\responses\response_%%i" && ngrep -d 2 -q -m -O .\%F%\responses\response_%%i.pcap -X 0x78 src %M% && java -jar JSER_Descryptor.jar .\%F%\responses\response_%%i.pcap >> .\%F%\responses\response.log
goto start

--------------------------------
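To show what the decode step in the batch files above actually has to do with a captured pcap, here is an added Python example. It is not part of the original post and not the code of JSER_Descryptor: it reads a classic pcap file of the kind ngrep -O writes, extracts each TCP payload, looks for the Java serialization stream header (0xACED followed by stream version 5) and previews the stream's top-level elements (strings, nulls, block data, reset markers) without deserializing anything. The sample capture, addresses and ports produced by build_sample_pcap are constructed for the example; the function names are mine.

```python
import struct

# Constants from the Java Object Serialization Stream Protocol (java.io.ObjectStreamConstants).
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = 5
TC_NAMES = {
    0x70: "TC_NULL", 0x71: "TC_REFERENCE", 0x72: "TC_CLASSDESC", 0x73: "TC_OBJECT",
    0x74: "TC_STRING", 0x75: "TC_ARRAY", 0x76: "TC_CLASS", 0x77: "TC_BLOCKDATA",
    0x78: "TC_ENDBLOCKDATA", 0x79: "TC_RESET", 0x7A: "TC_BLOCKDATALONG",
    0x7B: "TC_EXCEPTION", 0x7C: "TC_LONGSTRING", 0x7D: "TC_PROXYCLASSDESC", 0x7E: "TC_ENUM",
}
TC_NULL, TC_STRING, TC_BLOCKDATA = 0x70, 0x74, 0x77
TC_RESET, TC_BLOCKDATALONG, TC_LONGSTRING = 0x79, 0x7A, 0x7C
# Big-endian length prefix used by each length-prefixed top-level element.
LENGTH_FORMATS = {TC_STRING: ">H", TC_LONGSTRING: ">Q", TC_BLOCKDATA: ">B", TC_BLOCKDATALONG: ">I"}


def tcp_payloads(pcap):
    """Yield (src, dst, payload) for every Ethernet/IPv4/TCP record in a classic pcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                        # not TCP
            continue
        ip = ip[:struct.unpack(">H", ip[2:4])[0]]             # drop Ethernet padding, if any
        tcp = ip[ihl:]
        sport, dport = struct.unpack(">HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        src = "%d.%d.%d.%d:%d" % (*ip[12:16], sport)
        dst = "%d.%d.%d.%d:%d" % (*ip[16:20], dport)
        yield src, dst, tcp[data_off:]


def _length_prefixed(data, pos, fmt):
    """Read the length (format fmt) following the type code at pos and the bytes it covers."""
    hdr = 1 + struct.calcsize(fmt)
    if pos + hdr > len(data):
        return None
    n = struct.unpack(fmt, data[pos + 1:pos + hdr])[0]
    body = data[pos + hdr:pos + hdr + n]
    return None if len(body) < n else (body, pos + hdr + n)


def preview_stream(data):
    """Walk the top-level contents of a serialization stream without deserializing it.

    Returns (version, elements). Only self-describing elements are decoded; the first
    object, class or array stops the walk, since decoding it needs the full class-descriptor
    grammar. A truncated element (segment boundary) is reported instead of guessed at.
    """
    if len(data) < 4 or data[:2] != STREAM_MAGIC:
        return None
    version = struct.unpack(">H", data[2:4])[0]
    elements, pos = [], 4
    while pos < len(data):
        tc = data[pos]
        if tc == TC_NULL or tc == TC_RESET:
            elements.append(("null" if tc == TC_NULL else "reset", None))
            pos += 1
        elif tc in LENGTH_FORMATS:
            got = _length_prefixed(data, pos, LENGTH_FORMATS[tc])
            if got is None:
                elements.append(("truncated", TC_NAMES[tc]))
                break
            body, pos = got
            if tc in (TC_STRING, TC_LONGSTRING):
                # Java writes "modified UTF-8"; plain UTF-8 is assumed close enough for a preview.
                elements.append(("string", body.decode("utf-8", "replace")))
            else:
                elements.append(("blockdata", bytes(body)))
        else:
            elements.append(("opaque", TC_NAMES.get(tc, "0x%02x" % tc)))
            break
    return version, elements


def find_java_streams(pcap):
    """Report every TCP payload in the capture that carries a serialization stream header."""
    hits = []
    for src, dst, payload in tcp_payloads(pcap):
        at = payload.find(STREAM_MAGIC)
        if at < 0:
            continue
        parsed = preview_stream(payload[at:])
        if parsed is None or parsed[0] != STREAM_VERSION:
            continue   # 0xACED occurring by chance inside other binary data
        hits.append({"src": src, "dst": dst, "offset": at, "version": parsed[0], "elements": parsed[1]})
    return hits


# Constructed sample traffic (not a real capture): one segment that opens a stream and writes
# the string "hello", a null and two bytes of block data, plus one plain HTTP request.
SAMPLE_JAVA_PAYLOAD = b"\xac\xed\x00\x05" + b"\x74\x00\x05hello" + b"\x70" + b"\x77\x02\xca\xfe"


def _frame(src_ip, dst_ip, sport, dport, payload):
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_sample_pcap():
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sip, dip, sp, dp, payload in (("10.0.0.5", "10.0.0.10", 40000, 1099, SAMPLE_JAVA_PAYLOAD),
                                      ("10.0.0.5", "10.0.0.10", 40001, 80, b"GET / HTTP/1.1\r\n\r\n")):
        frame = _frame(sip, dip, sp, dp, payload)
        out += struct.pack("<IIII", 1254268800, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for hit in find_java_streams(build_sample_pcap()):
        print(hit)
```

Two caveats worth keeping in mind when pointing this at real ngrep output: only the segment that carries the stream header is recognised, so segments from the middle of a long conversation (including the ones the batch files match on by their 0x78 TC_ENDBLOCKDATA byte) need TCP reassembly before they can be walked, and anything beyond the self-describing elements (a TC_OBJECT with its class descriptors) is reported as opaque rather than decoded, which is deliberate for a passive previewer.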