Thursday, 16 August 2012

WATOBO Running SQLMap

In WATOBO version 0.9.9 I introduced a new plugin which builds a bridge between WATOBO and sqlmap (http://sqlmap.org).

To bring up the plugin, right-click on the request you want to test and select 'Send to' -> SQLmap:


The plugin provides an easy to use interface:




There are predefined menus for typical sqlmap options like Technique, Risk and Level. You can also add any command line option manually, e.g. for further enumeration tasks.

When you press the start button, WATOBO first writes the request to a file in the temp directory, which sqlmap then parses (-r option). Then it opens a new command window and runs sqlmap.

Have Phun!
-andy

WATOBO 0.9.9 Supports Transparent Mode

"Cool, WATOBO can act as a transparent proxy. But why do I need this feature?"
Right, most of the time when you're pentesting a web application you only have to configure your browser to use a proxy. This works for most applications designed for web browsers.
But there are more and more apps for mobile devices, e.g. iPhones or Android phones, which also rely on web-based applications. Sometimes these apps are not able to use a proxy or even refuse to use one.
For these special cases a transparent proxy is the only way to intercept and modify the communication, besides modifying or hooking the app itself.

Running Transparent

Some very special requirements must be met by the proxy and by the operating system (IP stack) in order to run a web proxy in transparent mode, especially when SSL connections must be handled.

These are the main tasks which have to be fulfilled:
- intercept the request before it arrives at the proxy
- keep track of the original destination of the request
- get the certificate of the original destination to extract the CommonName
- create a fake certificate with the correct CommonName
- redirect the request to the proxy
- the proxy must look up the original destination
- look up the correct certificate
- do the SSL handshake

Because some of these tasks need direct access to the routing process of the operating system, this is only possible (with minimal effort) on a Linux system. Most of this magic is done with IPTables and NetfilterQueues. The latter is an IPTables interface for analyzing and modifying IP packets from userland.

Note:
At the time of this writing I'm not aware of any other web testing proxy supporting transparent mode. If you know one, please let me know.

Lab Setup

The following steps show you how to set up a system running WATOBO as a transparent proxy.

You must meet some requirements before working through this tutorial:
- BackTrack 5R2
- DHCPD (dhcp3-server)
- DNS (bind9) server
- HostAP Daemon up and running to connect your mobile device

The following link might help you if you have problems installing bind9 or dhcp3-server.
http://www.backtrack-linux.org/backtrack/upgrading-to-backtrack-5-r2/

Our lab setup is as follows:


Here's the interface configuration (/etc/network/interfaces):
auto eth0
iface eth0 inet dhcp

auto wlan0
iface wlan0 inet static
address 192.168.33.1
netmask 255.255.255.0

Note:
If you only want to test the transparent feature without a mobile device you don't need hostapd. Any other additional interface, e.g. eth1, will also work.
But don't forget to adjust the example scripts and commands.

Testing Basic Communication

Before you continue with setting up WATOBO, this is a good time to test your general network setup. So we first turn our system into a simple router which hides our internal IP addresses (NAT). For this we have to enable IP forwarding and NAT:
echo "Turn on NATing"
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo "Enable IP forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward

Now you should have a working internet connection on your mobile device. If not, you must work on your setup - try harder ;)

Time To Install WATOBO

Just download and run the installer script.

wget http://watobo.sourceforge.net/extras/watobo-installer.sh

Start And Configure WATOBO

After the installation script has finished, open a new shell and type watobo_gui.rb.
Then start a new project and open the Interceptor settings menu (Settings -> Interceptor).


Enable the transparent mode and don't forget to change the Bind Address so that WATOBO listens on the correct interface. In our lab we set it to 0.0.0.0, i.e. listen on all interfaces.


You must restart WATOBO after changing the interceptor settings. After reopening the project, the port information in the status bar should be highlighted in red.



Import The WATOBO CA Certificate

To prevent your app or your browser from complaining about a wrong certificate (or even refusing to work), you should make your device trust the WATOBO CA. This CA is used to generate the fake server certificates. The CA certificate is generated the first time you start WATOBO and is written to /root/.watobo/CA/cacert.pem.

To make your iPhone trust this certificate, send the cacert.pem file via email to your device and install it.
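Here is an added example of what happens behind the scenes with that CA; it is not WATOBO's code, and the helper names (make_cert, forge_leaf, client_accepts?) are made up. It runs through the task list from above: take the certificate of the original destination, copy its CommonName (and its subjectAltName entries, which today's clients check instead of the CN) into a fresh certificate signed by our own CA, and then show that a client which has imported the CA certificate accepts the fake while one without it does not. "Lab Test CA" and app.example.com are constructed names.

```ruby
require 'openssl'

# Added example, not WATOBO's code: how a CA like the one WATOBO writes to
# ~/.watobo/CA/cacert.pem is used to mint a server certificate carrying the
# CommonName of the original destination, and why a client has to import
# the CA certificate for that to be accepted. Helper names are made up.

CA_EXTS = [
  ['basicConstraints', 'CA:TRUE', true],
  ['keyUsage', 'keyCertSign,cRLSign', true],
  ['subjectKeyIdentifier', 'hash', false]
]
LEAF_EXTS = [
  ['basicConstraints', 'CA:FALSE', true],
  ['keyUsage', 'digitalSignature,keyEncipherment', true],
  ['extendedKeyUsage', 'serverAuth', false]
]

# Generate a key pair and an X.509v3 certificate. Without issuer/issuer_key
# the certificate is self-signed (our CA); otherwise it is signed by the issuer.
def make_cert(subject, extensions, issuer = nil, issuer_key = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(63)
  cert.subject    = subject
  cert.issuer     = issuer ? issuer.subject : subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 30 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  extensions.each do |oid, value, critical|
    cert.add_extension(ef.create_extension(oid, value, critical ? true : false))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# The subjectAltName of a certificate in the form create_extension expects
# ("DNS:a,DNS:b"). Current clients check SANs and ignore the CN, so a fake
# that copies only the CommonName would no longer be accepted.
def san_value(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  ext && ext.value.gsub(/,\s+/, ',')
end

# Task "create a fake certificate with the correct CommonName": copy the
# subject (and SANs) of the certificate fetched from the original destination
# into a new leaf signed by our CA.
def forge_leaf(original, ca_key, ca_cert)
  exts = LEAF_EXTS.dup
  san = san_value(original)
  exts << ['subjectAltName', san, false] if san
  make_cert(original.subject, exts, ca_cert, ca_key)
end

# What a client does on connect: verify the chain against its trust store and
# check that the certificate is valid for the host it asked for.
def client_accepts?(leaf, trusted, hostname)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  store.verify(leaf) && OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
end

def demo
  ca_key, ca_cert = make_cert(OpenSSL::X509::Name.parse('/CN=Lab Test CA'), CA_EXTS)
  # Constructed stand-in for the certificate fetched from the original destination.
  _, original = make_cert(OpenSSL::X509::Name.parse('/CN=app.example.com'),
                          LEAF_EXTS + [['subjectAltName', 'DNS:app.example.com,DNS:api.example.com', false]])
  _fake_key, fake = forge_leaf(original, ca_key, ca_cert)
  {
    cn_copied: fake.subject.to_s == original.subject.to_s,
    san_copied: san_value(fake) == san_value(original),
    accepted_with_ca_imported: client_accepts?(fake, [ca_cert], 'api.example.com'),
    accepted_without_ca: client_accepts?(fake, [], 'api.example.com'),
    ca_pem: ca_cert.to_pem # this is what you would mail to the phone
  }
end

if __FILE__ == $0
  r = demo
  puts r[:ca_pem]
  puts "accepted with CA imported: #{r[:accepted_with_ca_imported]}, without: #{r[:accepted_without_ca]}"
end
```

The second result is the whole point of this section: until the device has the CA certificate, every fake certificate WATOBO generates fails validation, no matter how well the CommonName matches.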







Start Netfilter Server

Next we have to start the Netfilter Server. This is our userland process which handles incoming requests before they are redirected to the proxy; it is necessary to keep track of the original destination. I first tried to implement this service inside the WATOBO core process, but I ran into problems crashing WATOBO immediately. I guess there were some conflicts with other IO streams. My second attempt was to implement it as an XML/RPC service, but the same problems occurred. Now the process is implemented as a DRb (Distributed Ruby) service, which seems to be much more stable. You can get more information about DRb here.

So, to run this service type:
nfq_server.rb


Note:
Unfortunately this service also crashes or hangs from time to time. So keep an eye on the shell where you started the service. If you see an error message or the service stops working, a simple restart lets the communication continue without any problems.

If I find some time I will write a watchdog service or maybe you want to do it? ;)
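To make clear what the Netfilter Server has to do, here is an added example, not nfq_server.rb itself: a parser for the IPv4/TCP headers of a queued packet, a small table that remembers the original destination of every pure SYN, and the lookup the proxy performs for a redirected connection (in WATOBO that call goes over DRb). The packet is constructed with build_packet so the example runs without a queue or root rights; the names and the 30 second expiry are my own choices, and 198.51.100.7 is a documentation address standing in for a real server.

```ruby
require 'ipaddr'

# Added example (not WATOBO's nfq_server.rb): the bookkeeping a transparent
# proxy needs for port 443. NFQUEUE hands us each queued SYN before routing;
# we remember "client ip:port -> original dst ip:port" so that the proxy,
# which only sees a connection from client ip:port on its own listening
# port, can later ask where the client actually wanted to go.

# Parse the IPv4 + TCP headers of a raw packet. Returns nil for anything
# that is not IPv4/TCP. Checksums are not validated (the kernel already did).
def parse_tcp(packet)
  b = packet.bytes.to_a
  return nil if b.length < 40 || (b[0] >> 4) != 4 || b[9] != 6
  ihl = (b[0] & 0x0f) * 4
  t = b[ihl, 20]
  return nil if t.nil? || t.length < 20
  flags = t[13]
  {
    src: b[12, 4].join('.'), sport: (t[0] << 8) | t[1],
    dst: b[16, 4].join('.'), dport: (t[2] << 8) | t[3],
    syn: (flags & 0x02) != 0, ack: (flags & 0x10) != 0
  }
end

# Build a constructed IPv4/TCP packet (no payload, zero checksums) so the
# example runs without a network. flags: 0x02 = SYN, 0x12 = SYN+ACK.
def build_packet(src, sport, dst, dport, flags = 0x02)
  ip  = [0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0].pack('CCnnnCCn') +
        IPAddr.new(src).hton + IPAddr.new(dst).hton
  tcp = [sport, dport, 1, 0, 0x50, flags, 65_535, 0, 0].pack('nnNNCCnnn')
  ip + tcp
end

class OriginalDestinationTracker
  TTL = 30 # seconds; a SYN whose connection never reaches the proxy is dropped

  def initialize
    @table = {}
  end

  # Verdict callback for every queued packet. Only a pure SYN (new outbound
  # connection) is recorded; SYN-ACKs, data and non-TCP pass through untouched.
  # Returns the verdict the queue would be given (we never drop anything).
  def handle(packet, now = Time.now)
    hdr = parse_tcp(packet)
    return :accept unless hdr && hdr[:syn] && !hdr[:ack]
    @table[[hdr[:src], hdr[:sport]]] = [hdr[:dst], hdr[:dport], now]
    :accept
  end

  # Called by the proxy (over DRb in WATOBO) with the peer address of a
  # redirected connection. Consumes the entry, since client ports get reused.
  def lookup(peer_ip, peer_port, now = Time.now)
    expire(now)
    entry = @table.delete([peer_ip, peer_port])
    entry && entry[0, 2]
  end

  def size
    @table.size
  end

  private

  def expire(now)
    @table.delete_if { |_, (_, _, seen)| now - seen > TTL }
  end
end

if __FILE__ == $0
  tracker = OriginalDestinationTracker.new
  tracker.handle(build_packet('192.168.33.10', 51_000, '198.51.100.7', 443))
  p tracker.lookup('192.168.33.10', 51_000) # => ["198.51.100.7", 443]
end
```

The expiry is what keeps the table from growing when an app opens connections that never arrive at the proxy, and it is one reason why a hung server is a problem: if the lookup does not answer, the proxy has no idea where the phone wanted to connect.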

Configure IPTables

OK, now IPTables comes on the scene. We use it for two tasks:
First, we have to redirect incoming traffic immediately to our Netfilter Server, before routing takes place. This can be done with the mangle table of the PREROUTING chain. You can find detailed information about the IPTables packet flow here: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
In our lab setup we only redirect traffic using port 443, because we have to keep track of the original destination of encrypted connections: we don't get a CONNECT request when running transparent. This is not necessary for regular HTTP traffic, where we can extract the original destination from the HTTP Server Header. Anyway, so as not to slow down communication too much, we only want to redirect SYN packets. This can be done with the following command:

iptables -t mangle -A PREROUTING -p tcp --dport 443 -m state --state NEW -j NFQUEUE --queue-num 0


After the packet has been processed by our Netfilter Server it's passed back to the regular packet-flow of IPTables.

The second task is to redirect the traffic to the WATOBO proxy. We do this for the ports 80 and 443:

iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8081
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081

You can download a little script which does all the necessary IPTables commands for you here or using wget:

wget http://watobo.sourceforge.net/extras/watobo-transparent.sh

Start Analyzing Your App

Finally just start the app you want to analyze. You don't have to configure a proxy. If everything went well you should see all the requests in the conversation table of WATOBO - ready to perform some nice checks ;)



Have Phun!
-andy

Friday, 29 June 2012

Installing WATOBO on BackTrack 5R2

The following script installs all necessary gems on your BackTrack system:
#!/bin/bash
# WATOBO-Installer for BackTrack 5R2 - may work on other distros too.
# Version: 1.0
# Date: 26.06.2012
# Author: Andreas Schmidt
# Colored output helpers; the text is passed as a printf argument so that a
# '%' in a message cannot be misread as a format directive.
info() {
printf "\033[36m%s\033[0m\n" "$*"
}
head() {
printf "\033[31m%s\033[0m\n" "$*"
}
head "##############################################"
head "# W A T O B O - I N S T A L L E R #"
head "##############################################"
echo "Adding /root/.gem/ruby/1.9.2/bin/ to your PATH .."
echo 'export PATH=$PATH:/root/.gem/ruby/1.9.2/bin/' >> /root/.bashrc
export PATH=$PATH:/root/.gem/ruby/1.9.2/bin/

echo "Installing needed gems ..."
for G in selenium-webdriver mechanize fxruby net-http-digest_auth net-http-persistent nokogiri domain_name unf webrobots ntlm-http net-http-pipeline watobo
do
info ">> $G"
gem install --user-install $G
done

info "Installation finished."
echo "Type watobo_gui.rb to start WATOBO."
echo "For manuals/videos and general information about WATOBO please check:"
echo "* http://watobo.sourceforge.net/"

Get the most recent script [here].
wget http://watobo.sourceforge.net/extras/watobo-installer.sh


Enjoy!

[as]


Thursday, 1 March 2012

IRB Hacking Extensions

I just wrote a little .irbrc file which extends IRB into an easy-to-use hacking tool. Most of the features ("monkey patches") are only a kind of command aliasing to satisfy my laziness. But there are also some neat methods, like hexdump or decode_cisco7, which provide more complex functionality.

Current features:
* IRB: Output Limit, TAB_Completion
* String: en/decode_url, en/decode_uri, en/decode_b64, decode_cisco7, hexdump, printable, to_md5, to_sha1


[EXAMPLE] TAB Completion

>> "this is a string".dec|TAB|TAB|TAB|
.decode_b64 .decode_cisco7 .decode_uri .decode_url
>> "this is a string".decode_

[EXAMPLE] Hexdump a range of a binary file

>> bin = File.open('c:\windows\system32\calc.exe').read
=> "MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00\xB8\x00\x00\x00\x00\x00\x00\x00@\x00\ ..."
>> bin.hexdump :range => (0x00..0x16)
000000: 4D 5A 90 00 03 00 00 00 - 04 00 00 00 FF FF 00 00 :MZ..............
000010: B8 00 00 00 00 00 :......
=> true
>>


[EXAMPLE] Decode Cisco 7 Passwords

>> "07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D".decode_cisco7
=> "You really need a life."
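For anyone who wants to see what is behind those two calls, here is an added example (not the pentex gem's code, just a reimplementation): String#decode_cisco7, its inverse encode_cisco7, printable and hexdump with the :range option. The DOS_HEADER bytes are constructed input standing in for the calc.exe read above; the :quiet option is my own addition so the method can be used from scripts.

```ruby
# Added example, not the pentex gem's code: two of the String monkey patches
# the post lists, written out so you can see what they do. decode_cisco7
# reverses Cisco's type 7 "password-encryption" (a fixed-key XOR with a
# two-digit offset, i.e. obfuscation, which is why it decodes instantly);
# hexdump prints a byte range in the classic offset/hex/ASCII layout.
# Drop this into ~/.irbrc to get the same effect without the gem.

CISCO7_KEY = 'dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87'.freeze

class String
  # "07362E59..." -> clear text. The first two digits are the key offset.
  def decode_cisco7
    unless self =~ /\A\d\d(?:[0-9A-Fa-f]{2})+\z/
      raise ArgumentError, 'not a Cisco type 7 string'
    end
    seed = self[0, 2].to_i
    [self[2..-1]].pack('H*').bytes.each_with_index.map { |byte, i|
      (byte ^ CISCO7_KEY[(seed + i) % CISCO7_KEY.length].ord).chr
    }.join
  end

  # Inverse, useful for round-trip tests; IOS uses seeds in 0..15.
  def encode_cisco7(seed = 7)
    hex = bytes.each_with_index.map { |byte, i|
      '%02X' % (byte ^ CISCO7_KEY[(seed + i) % CISCO7_KEY.length].ord)
    }.join
    format('%02d%s', seed, hex)
  end

  # Replace every non-printable byte with '.'
  def printable
    bytes.map { |b| (0x20..0x7e).include?(b) ? b.chr : '.' }.join
  end

  # Dump bytes as "offset: hex ... :ascii", 16 per line in 8-byte groups.
  # :range => (start..stop) selects a byte range; :quiet => true suppresses
  # printing. Returns the lines as an array.
  def hexdump(opts = {})
    data  = bytes.to_a
    start = 0
    if opts[:range]
      start = opts[:range].first
      data  = data[opts[:range]] || []
    end
    lines = data.each_slice(16).with_index.map { |chunk, i|
      hex = chunk.each_slice(8).map { |g| g.map { |b| '%02X' % b }.join(' ') }.join(' - ')
      format('%06X: %s :%s', start + i * 16, hex, chunk.pack('C*').printable)
    }
    puts lines unless opts[:quiet]
    lines
  end
end

# Constructed input: the first 26 bytes of a DOS/PE header ("MZ" stub).
DOS_HEADER = "MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00\xB8\x00\x00\x00\x00\x00\x00\x00@\x00".b

if __FILE__ == $0
  puts '07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D'.decode_cisco7 # => You really need a life.
  DOS_HEADER.hexdump :range => (0x00..0x16)
end
```

The type 7 method makes the point better than any warning in a config guide: the whole "key" is a public constant, so a type 7 string protects nothing beyond shoulder surfing.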


INSTALLATION [UPDATE]

Install the extension gem:

$ gem install pentex


To get the extensions loaded persistently when IRB starts, add the following line to your .irbrc file, which usually resides in your home directory.
Note: You may need to create this file.

require 'pentex'


To determine the right directory you can use one of the following commands depending on your platform:
  • [Windows] echo %userprofile%
  • [Xnix] echo $HOME
  • [IRB] ENV['HOME']


If the installation was successful you should see something like this after starting irb:

== HACKING EXTENSIONS ==
>> loading libs
.........
>> monkey patching ...
>>

DOCUMENTATION
The most recent documentation is available via RubyGems.

Enjoy!

[as]