
Sunday, September 12, 2010

Attacking Java serialization protocol

Hi Guys

My colleague Manish from A&D Labs has posted and released DSer, a tool for attacking the Java serialization protocol using the JVMITM approach. Check it out here.

Monday, August 9, 2010

Abusing serialization protocol using JVMITM (JVM in the middle)

A friend of mine asked me to clarify how Belch is used for manipulating serialized traffic, so here goes:

When a serialization channel is created between client and server, all traffic switches from plain HTTP to serialization over HTTP. This makes tracing, manipulating and testing more difficult because of the binary content of the serialization protocol.

With this in mind, what you need is a decryptor-encryptor utility to stick in the middle of the communication channel, so that you get a better understanding of, and control over, the communication between client and server. It needs to be very efficient and very fast: enter JVMITM, the JVM in the middle.

If you could divert the communication to a Java VM, you could use Java to translate the serialization protocol into a more readable format, say XML. Once it is in XML, you abuse it at will and then redirect it back to the JVM. The JVM converts it back to the serialization protocol and sends it down the communication channel.

The JVMITM approach supports any serialization protocol that Java understands, such as Flash AMF, Java serialization and more. The only thing you have to do in order to decode the protocol is include the proper library in your JVMITM classpath.

Belch can help you utilize JVMITM by letting you redirect the communication to an application of your choice (a hex-editor, a batch wrapper around a JVM, or another self-written tool).

Stay tuned, as I will publish some examples of using Belch with JVMITM against the Flash AMF serialization protocol.

Wednesday, September 30, 2009

Wrapping it up together

Following my post on Java serialized object capture, I had some time for cleanup, so here goes:

Problem:
You are pentesting a J2EE application whose client and server communicate using the jser protocol (Java objects over TCP).
You set up a reverse proxy and capture the conversation on the fly; the only problem is that the packet contents are mostly binary, and you have nothing to work with except the mighty hex-editor :-)

Solution:
My setup is as follows:
client <-> reverse proxy <-> wrapper batch (ngrep-jser) <-> simple proxy <-> server

The wrapper batches automate the analysis by repeatedly executing ngrep-jser and forwarding each captured packet to a Java deserialization routine that tampers with the data and writes the (now tampered) object back.

The new object can be forwarded to the server instead of the original one by dropping the original at the proxy and injecting the new object in its place.

OK, enough said, here are the files
(warning: very straight to the point, no hoo-ha's included):

Requests_monitor.bat
--------------------------------
@echo Requests monitor
REM Destination host to capture: the server side of the proxied connection
@SET /P M=Type dst to listen to:
REM Directory under which the captured packets and the decode log are written
@SET /P F=Type Flow directory to write to:

if exist %F%\requests goto start
md %F%\requests

:start
REM Each iteration writes the packets ngrep matches on interface 2 (-d 2) to a numbered pcap,
REM then decodes that file with JSER_Descryptor.jar and appends the result to request.log.
REM Batch variable names are case-insensitive, so %m% reads the %M% set above.
FOR /L %%i IN (1,1,100) DO @echo "Recording Packet to .\%F%\requests\request_%%i" && ngrep -d 2 -q -m -O .\%F%\requests\request_%%i.pcap -X 0x78 dst %m% && java -jar JSER_Descryptor.jar .\%F%\requests\request_%%i.pcap >> .\%F%\requests\request.log
goto start

--------------------------------


Responses_monitor.bat
--------------------------------
@echo Responses monitor
REM Source host to capture: the server whose replies are being recorded
@SET /P M=Type src to listen to:
REM Directory under which the captured packets and the decode log are written
@SET /P F=Type Flow directory to write to:

if exist %F%\responses goto start
md %F%\responses

:start
REM Same loop as the requests monitor, filtering on src instead of dst and
REM appending the decoded output to response.log.
FOR /L %%i IN (1,1,100) DO @echo "Recording Packet to .\%F%\responses\response_%%i" && ngrep -d 2 -q -m -O .\%F%\responses\response_%%i.pcap -X 0x78 src %m% && java -jar JSER_Descryptor.jar .\%F%\responses\response_%%i.pcap >> .\%F%\responses\response.log
goto start

--------------------------------
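As an added example (not JSER_Descryptor, Belch or DSer code), here is a small Python decoder for the start of a jser stream: the AC ED 00 05 magic and version that every ObjectOutputStream stream starts with, then the top-level class descriptor with its class name, serialVersionUID, flags and field list. This is the readable translation the JVMITM post describes, applied to the first object in a capture; the sample stream and the class name com.example.Request are constructed for the example.

```python
import struct

# Constants from the Java Object Serialization Stream Protocol.
STREAM_MAGIC, STREAM_VERSION = 0xACED, 0x0005
TC_OBJECT, TC_CLASSDESC, TC_STRING = 0x73, 0x72, 0x74

def _utf(buf, off):
    """Read a 2-byte big-endian length followed by that many UTF-8 bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def describe_stream(buf):
    """Decode the header and top-level class descriptor of a jser stream;
    returns None when buf does not start with the stream magic (not jser)."""
    if len(buf) < 6 or struct.unpack_from(">HH", buf, 0) != (STREAM_MAGIC, STREAM_VERSION):
        return None
    off = 4
    if buf[off] != TC_OBJECT or buf[off + 1] != TC_CLASSDESC:
        return {"top_level": "0x%02x" % buf[off]}  # a string, array, etc. rather than an object
    off += 2
    name, off = _utf(buf, off)
    (suid,) = struct.unpack_from(">q", buf, off); off += 8
    flags = buf[off]; off += 1
    (nfields,) = struct.unpack_from(">H", buf, off); off += 2
    fields = []
    for _ in range(nfields):
        tc = chr(buf[off]); off += 1          # primitive type code, or 'L' / '[' for objects
        fname, off = _utf(buf, off)
        if tc in "L[":                        # object/array fields carry their class name
            if buf[off] == TC_STRING:
                ftype, off = _utf(buf, off + 1)
            else:                             # TC_REFERENCE: 0x71 plus a 4-byte handle
                ftype, off = "<back-reference>", off + 5
        else:
            ftype = tc
        fields.append((fname, ftype))
    return {"class": name, "serialVersionUID": suid, "flags": flags, "fields": fields}

def _u(s):
    """Length-prefixed ASCII string, used only to build the constructed sample."""
    return struct.pack(">H", len(s)) + s.encode("ascii")

# Constructed sample: what ObjectOutputStream emits for a made-up class
# com.example.Request { int amount = 10; String user = "alice"; }.
SAMPLE = (b"\xac\xed\x00\x05" + b"\x73\x72" + _u("com.example.Request")
          + struct.pack(">q", 1) + b"\x02" + struct.pack(">H", 2)
          + b"I" + _u("amount") + b"L" + _u("user") + b"\x74" + _u("Ljava/lang/String;")
          + b"\x78\x70" + struct.pack(">i", 10) + b"\x74" + _u("alice"))
```

Fed the payload bytes of one captured request_N.pcap packet (TCP headers stripped), it returns the class name and field layout of the object, or None for traffic that is not jser at all.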