abb's blog

Finally, a standard Linux 3.2 bridge can forward 802.1x messages!

Finally, a feature to make Linux bridge transparent to 802.1x EAP messages is in the official 3.2 kernel! No more manual kernel patching or messing with openswitch. This feature is mostly useful for pentesting 802.1x-protected networks.

To force a bridge forward 802.1x EAP messages all you needs to do is to set the 4th least-significant-bit in a special sysfs file, something like this:

echo 8 > /sys/class/net/brXXX/bridge/group_fwd_mask

I haven't tried myself yet, but can confirm the sysfs file is there on my Ubuntu 12.04.

Release of sslcaudit 1.0

I would like to announce release of sslcaudit 1.0. This tool is designed to automate testing SSL/TLS clients for resistance against MITM attacks.

There is no proper installation procedure yet (Debian package and distutils-based Python installer are coming soon). For now just fetch the release from GIT repository:

~$ git clone -b release_1_0 https://github.com/grwl/sslcaudit.git
Cloning into sslcaudit...

Tags: 

Release of sslcaudit v1.0 RC1

UPDATE: Newer version of sslcaudit is available here.

Here is sslcaudit v1.0 RC1. The goal of the project is to develop a utility to automate testing SSL/TLS clients for resistance against MITM attacks. The project is GPL-licensed, source code hosted at github. PDF user guide is available at here.

INTRODUCTION

Yet Another Portscanner (in Python)

I've written a custom TCP port scanner, to handle a broken target sporadically responding with SYN-ACKs even on filtered ports. Nmap detect such ports as open (in syn- and connect-scan modes).

$ sudo ./run.sh -s 172.16.33.1 -d 172.16.33.144 --p0 21 --p1 25 -i vmnet8
INFO:Scanner:res 172.16.33.144:24, res=closed)>
INFO:Scanner:res 172.16.33.144:22, res=open)>
INFO:Scanner:res 172.16.33.144:21, res=filtered)>
INFO:Scanner:res 172.16.33.144:23, res=fake-open)>

A tool to search for serialized Java objects in a binary stream

Here is a little tool which help finding and dumping any serialized Java objects in a binary stream. It accepts just one parameter -- the name of the file to load the binary stream.

First run:

$ java -jar jsersearch.jar /tmp/payload.dat
Found objectStream at offset 55, dumping ...
Caught exception while dumping java.lang.ClassNotFoundException: XXXRequestBase
End of dump (from offset 55)
Offset 1756 exception java.io.EOFException

"Proper" pfSense backup script

Well, maybe the title is a bit ambitions, but at least the script below is is an improvement comparing to these two approaches: 1 and 2:
* It validates server-side certificate instead of ignoring them
* Logs out to invalidate the session cookie and wipes the temporary file used to store it
* Does not fetch whole bulk of RRD data


#!/bin/sh -e

user=***
password=***
host=***

cacert=$host-cacert.pem

Ubuntu 11 on Kingston SV100S2/256G SSD

Here are some notes about my attempt to install Ubuntu 11 on Kingston SV100S2/256G SSD (on Dell Latitude E6510 laptop). Just in case somebody else finds it useful.

I have Googled around for information about SSD disk optimization for Linux and found that there are two main things to consider: partition alignment and filesystem options.

It appears to be important to (try to) align disk writes by the boundaries of SDD erase block size. This [1] article talks about LVM volumes alignment.

Pentesting Web Services with Proprietary Formatted Input

Introduction

From time to time I come across a web service that expects its input in some proprietary format, usually JSON distorted in one way or another. A vulnerability scanner knows nothing about that stuff and can't properly fuzz it. (At the time of this writing Acunetix and Burp Pro support JSON only in HTTP responses.) In this case one has to resort to pure manual testing or partially automatic test with a fuzzer. Both approaches have their limitations, and I decided to finally find a way to run an automated scanner against proprietary web services.

Binding Burp to a privileged port

Sometimes it is useful to run an intercepting proxy (running non-root user) on a privileged port. On debian-based systems it is possible using authbind facility.

The first step is to record the necessary port number in authbind config:

$ sudo touch /etc/authbind/byport/443
$ sudo chown abb:abb /etc/authbind/byport/443
$ sudo chmod 755 /etc/authbind/byport/443

After that, run Burp with authbind to let it use privileged port configured above:

Pages

Subscribe to RSS - abb's blog