Following my post on Java serialized object capture, I had some time for cleanup, so here goes:
Problem:
You are trying to pentest a J2EE application whose client and server communicate over the JSER protocol (Java objects serialized over TCP).
You set up a reverse proxy and capture the conversation on the fly; the only problem is that the packet contents are mostly binary and you have nothing to work with except the Mighty hex-editor :-)
Solution:
My setup is as follows:
client <-> reverse proxy <-> wrapper batch (ngrep-jser) <-> simple proxy <-> server
The wrapper batches automate the analysis process by repeatedly running ngrep-jser and forwarding each captured packet to a Java deserialization routine that tampers with the data and writes the (now tampered) object back.
The new object can be forwarded to the server in place of the original one by dropping the original at the proxy and injecting the new object instead.
OK, enough said, here are the files
(warning: very straight to the point, no hoo-ha's included):
Requests_monitor.bat
--------------------------------
@echo Requests monitor
REM Destination (server) to watch, and the flow directory that collects this session's captures
@SET /P M=Type dst to listen to:
@SET /P F=Type Flow directory to write to:
if exist %F%\requests goto start
md %F%\requests
:start
REM Each iteration records one request object (ngrep -m returns once the end of the object is seen),
REM then hands the pcap to the deserialization routine and appends its output to request.log
FOR /L %%i IN (1,1,100) DO @echo "Recording Packet to .\%F%\requests\request_%%i" && ngrep -d 2 -q -m -O .\%F%\requests\request_%%i.pcap -X 0x78 dst %M% && java -jar JSER_Descryptor.jar .\%F%\requests\request_%%i.pcap >> .\%F%\requests\request.log
goto start
--------------------------------
Responses_monitor.bat
--------------------------------
@echo Responses monitor
REM Source (server) to watch, and the flow directory that collects this session's captures
@SET /P M=Type src to listen to:
@SET /P F=Type Flow directory to write to:
if exist %F%\responses goto start
md %F%\responses
:start
REM Same loop as the request monitor, keyed on the server as packet source instead of destination
FOR /L %%i IN (1,1,100) DO @echo "Recording Packet to .\%F%\responses\response_%%i" && ngrep -d 2 -q -m -O .\%F%\responses\response_%%i.pcap -X 0x78 src %M% && java -jar JSER_Descryptor.jar .\%F%\responses\response_%%i.pcap >> .\%F%\responses\response.log
goto start
--------------------------------
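As an added example (not part of the original post and not the JSER_Descryptor tool), here is a small Python decoder for the kind of capture the monitor batches produce: it validates the 0xACED0005 stream header, parses the class descriptor (class name, serialVersionUID, field list), checks for the 0x78 end-of-block marker the batches match on with -X 0x78, and decodes the field values. The tag constants come from the public Java serialization spec; the sample bytes and the class com.example.Greeting are constructed for this example.

```python
import struct

# Java Object Serialization Stream tags (public spec); 0x78 is the end-of-block-data marker
# that the monitor scripts above match on with "-X 0x78"
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x70, 0x71, 0x72, 0x73, 0x74, 0x78

class Reader:  # bounds-checked cursor: a truncated capture raises instead of silently misparsing
    def __init__(self, data): self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data): raise ValueError("truncated stream at offset %d" % self.pos)
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def utf(self): return self.take(self.u16()).decode("utf-8")  # 2-byte length, then UTF bytes

def read_class_desc(r):  # TC_CLASSDESC: name, serialVersionUID, flags, fields, 0x78, then superclass
    tc = r.u8()
    if tc == TC_NULL: return None
    if tc != TC_CLASSDESC: raise ValueError("unsupported class descriptor tag 0x%02x at offset %d" % (tc, r.pos - 1))
    name, suid, flags, fields = r.utf(), struct.unpack(">q", r.take(8))[0], r.u8(), []
    for _ in range(r.u16()):
        code, fname = chr(r.u8()), r.utf()
        if code in "L[":  # object/array field: its class name follows as TC_STRING or a 4-byte back-reference
            tag = r.u8()
            if tag == TC_STRING: r.utf()
            elif tag == TC_REFERENCE: r.take(4)
            else: raise ValueError("bad field class-name tag 0x%02x at offset %d" % (tag, r.pos - 1))
        fields.append((code, fname))
    if r.u8() != TC_ENDBLOCKDATA: raise ValueError("class annotation not terminated by 0x78 at offset %d" % (r.pos - 1))
    return {"name": name, "suid": suid, "flags": flags, "fields": fields, "super": read_class_desc(r)}

def read_value(r, code):  # int and String fields only; any other type is reported, never guessed
    if code == "I": return struct.unpack(">i", r.take(4))[0]
    if code == "L" and r.u8() == TC_STRING: return r.utf()
    raise ValueError("unsupported field type %r at offset %d" % (code, r.pos))

def lineage(d):  # root superclass first: the order in which field values appear in the stream
    return [] if d is None else lineage(d["super"]) + [d]

def decode_object(data):  # validate the header and decode the single top-level object
    r = Reader(data)
    if r.take(4) != b"\xac\xed\x00\x05" or r.u8() != TC_OBJECT: raise ValueError("not a Java serialization stream carrying a TC_OBJECT")
    desc = read_class_desc(r)
    values = {fname: read_value(r, code) for d in lineage(desc) for code, fname in d["fields"]}
    return desc, values

# Constructed sample, not a real capture: com.example.Greeting {int id = 42; String text = "hello"}
SAMPLE = (b"\xac\xed\x00\x05\x73\x72\x00\x14com.example.Greeting\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x02"
          b"I\x00\x02idL\x00\x04text\x74\x00\x12Ljava/lang/String;\x78\x70\x00\x00\x00\x2a\x74\x00\x05hello")
```

Reading the class name and serialVersionUID out of the descriptor, before anything is deserialized, is also the check a server-side filter needs in order to reject object streams it never expected.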
Wednesday, September 30, 2009
Monday, August 3, 2009
Ngrep 1.45 for Java Serialized Objects
Following my last post, a new need for adjusting Ngrep has arisen.
We needed Ngrep to identify a JSER communication session and dump the whole request/response into one file, so it can be sent for decryption and further analysis.
To address this I added a new option (-m) to Ngrep that identifies the end of the object transmission and exits the pcap_loop when it is reached.
usage example: ngrep -d 5 -O output.pcap -m -X 0x78 dst host www.mytarget.com
Sources and a precompiled Windows binary tarball are here (sourceforge svn).
A .patch file for use with the original 1.45 distribution can be downloaded here.
Tuesday, July 14, 2009
Building Ngrep 1.45 on VS2008
Update (08-04-2009): see the Ngrep for JSER mod in today's post.
I needed to fine-tune Ngrep for Windows, downloaded the source from the net, but it wasn't compatible with the new VS2008 distribution. After some time messing around with it I got to a very clean solution; all code changes are marked in green:
- download the Ngrep sources
- download the WinPcap sources
- extract and open with VS2008
- fix the include/lib paths to point to the WinPcap location
- open up regex.c and change the regerror() definition
from this:
size_t
regerror (errcode, preg, errbuf, errbuf_size)
int errcode;
const regex_t *preg;
char *errbuf;
size_t errbuf_size;
to this:
size_t
regerror(
int errcode,
const regex_t *preg,
char *errbuf,
size_t errbuf_size)
- open ws2tcpip.h from the Microsoft SDK (usually under c:\program files\microsoft SDKs) and add an ifndef macro guard of your choice (I named it NGREP_COMPILE) before the NTDDI_VERSION LONGHORN check, like this:
#ifndef NGREP_COMPILE
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
close this macro at the end of the LONGHORN block by adding an endif, so it closes the wrapper like this:
#endif // TYPEDEFS
#endif // LONGHORN
#endif // NGREP_COMPILE
- in config.h define the macro you set in step 6 by adding the definition to the end of the file, like this:
#define USE_DROPPRIVS 0
#define DROPPRIVS_USER "notused"
#define NGREP_COMPILE
- that's it, now compile and build your self-tailored Ngrep for Windows.