September 19, 2017

Binary protocol inspection

   Sometimes during testing you need to observe traffic between an endpoint and a server. The communication protocol may also be proprietary, with no TLS wrapping. So to sniff it and see what is going on, you need to make some changes to the setup. In the next few lines I will explain how to make a transparent bridge on L2.

   Here is a scheme of how to connect yourself and the other devices for convenient sniffing :)

endpoint --------> my switch --------> my laptop --------> server

   So the endpoint and my laptop's first adapter are connected to the switch. My second adapter is connected to the server. To create the bridge I use brctl:

brctl addbr vinegrep - create a bridge named vinegrep

brctl addif vinegrep eth0 - add interface eth0 to the bridge

brctl addif vinegrep eth1 - add interface eth1 to the bridge


Launch Wireshark and enjoy the observation :)

   Let's make the task a bit more difficult. New goal: intercept traffic and try a replay attack. The previous part is still relevant as the first step. So next, assign an IP address to the bridge. Then I load the br_netfilter kernel module and force all traffic to be intercepted by iptables:

ebtables -t broute -A BROUTING -p ipv4 -i vinegrep -j DROP

   As the next step I need to create a rule that will forward traffic to my interception proxy. My proxy is listening on port 5555 and the server is using TCP port 2608.

iptables -t nat -A PREROUTING -i vinegrep -p tcp --dport 2608 -j REDIRECT --to 5555

   Now the most interesting part: the proxy. There is not much software to choose from. I found three options:

  1. NoPE plugin for Burp (https://github.com/summitt/Burp-Non-HTTP-Extension)
  2. binproxy by NCC (https://github.com/nccgroup/BinProxy)
  3. Trudy VM (https://github.com/praetorian-inc/trudy)
I chose the NoPE plugin. There is a good video on how to use it here - https://www.youtube.com/watch?v=4K0ZhWImtdw. In my case I did not use DNS; I just intercepted a packet, sent it to Repeater and flooded the server. A primitive replay attack.
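As an added example (not from the original post and not one of the tools listed above), here is a minimal logging proxy that can sit behind the REDIRECT rule above: it recovers the real server address with SO_ORIGINAL_DST, relays the bytes unchanged and hex-dumps both directions, which is enough to study an unknown binary protocol. The listening port 5555 follows the rule above; everything else is an assumption.

```python
import contextlib
import socket
import struct
import threading

SO_ORIGINAL_DST = 80   # netfilter getsockopt option number (Linux-only)

def parse_original_dst(raw: bytes):
    """Decode the sockaddr_in that getsockopt(SOL_IP, SO_ORIGINAL_DST) returns."""
    # layout: sa_family (2 bytes, skipped), port (2, network order), addr (4), pad (8)
    port, addr = struct.unpack("!2xH4s8x", raw[:16])
    return socket.inet_ntoa(addr), port

def hexdump(label: str, data: bytes, width: int = 16) -> str:
    """Hex + ASCII lines (one per `width` bytes) so protocol fields are easy to spot."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{label} {off:04x}  {hexpart}  {asc}")
    return "\n".join(lines)

def pump(src: socket.socket, dst: socket.socket, label: str) -> None:
    """Relay src -> dst until EOF, logging each chunk; the bytes are never altered."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(65536):
            print(hexdump(label, chunk))
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)   # pass the half-close through to the peer

def handle(client: socket.socket) -> None:
    # REDIRECT kept the real destination in conntrack; SO_ORIGINAL_DST hands it back.
    host, port = parse_original_dst(client.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))
    print(f"# {client.getpeername()[0]} -> {host}:{port}")
    upstream = socket.create_connection((host, port))
    threading.Thread(target=pump, args=(client, upstream, "C>S"), daemon=True).start()
    pump(upstream, client, "S>C")

def serve(port: int = 5555) -> None:   # 5555 matches "--to 5555" in the REDIRECT rule
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))      # redirected connections land on the bridge's own IP
    srv.listen()
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    serve()
```

Because the upstream connection is opened by the laptop, the server sees the bridge IP as the client, which passive sniffing with Wireshark does not change.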

