C0d3S for Pr0F!t AnD FUN: March 2013

I will demonstrate how to use immunity python scripting to sniffing encrypted traffic at the application layer(if you new to this topice then please refer to this post ). Normally to understand how a client or server application interacts with the network, we would use a traffic analyzer like Wireshark. Unfortunately, Wireshark is limited in that it can only see the data post encryption, which obfuscates the true nature of the protocol we are studying. Using a soft hooking technique, we can trap the data before it is encrypted and trap it again after it has been received and decrypted. Our target application will be the popular open-source web browser Mozilla Firefox. For this tutorial we are going to pretend that Firefox is closed source otherwise it wouldn’t be much fun now, ;) and that it is our job to sniff data out of the firefox.exe process before it is encrypted and sent to a server. The most common form of encryption that Firefox performs is Secure Sockets Layer (SSL) encryption, so we’ll choose that as the main target for our tutorial.

There is no “right” spot to place your hook; it is really just a matter of preference. Our Hook point is on the function PR_Write, which is exported from nspr4.dll. When this function is hit, there is a pointer to an ASCII character array located at [ ESP + 8 ] that contains the data we are submitting before it has been encrypted. That +8 offset from ESP tells us that it is the second parameter passed to the PR_Write function that we are interested in. It is here that we will trap the ASCII data, log it, and continue the process. First let’s verify that we can actually see the data we are interested in. Open the Firefox web browser, and navigate to one of my favorite sites, https://www.facebook.com/. Once you have accepted the site’s SSL certificate and the page has loaded, attach Immunity Debugger to the firefox.exe process and set a breakpoint on nspr4.PR_Write. In the top-right corner of the facebook website is a login form; set a username to test and a password to test and click the Login button. The breakpoint you set should be hit almost immediately;

keep pressing F9 and you’ll continually see the breakpoint being hit.

Script :

from immlib import *

class fire (LogBpHook) :

def __init__(self):

self.imm=Debugger();

self.logfile = "D:\\fire_log.txt"

#directory where the log file has to be saved

LogBpHook.__init__(self)

def run(self,regs):

addr=self.imm.readLong(regs['ESP']+8)

str=self.imm.readString(addr)

self.imm.log("PR_Write ( 0x%x) <- %s" % (addr,str) )

fd = open( self.logfile, "a" )

fd.write( str )

fd.close()

# this function run automatically when hook is hit and function code is #executed which logs it in to file and displays on log window of debugger

def main(args) :

imm=Debugger()

wfun=imm.getAddress("nspr4.PR_Write")

#setup hook point

fire_hook=fire()

fire_hook.add( "%08x" % wfun, wfun)

return "[*] READY for ACTION"

How do I run it ??

1. Save the above file with .py extension (firehack.py) ;) …. As it is python file . then copy it in immunity install directory

2. Then type !<filename> (without .py extension for eg !firehack)

3. All the encrypted traffic will to shown on log window of immunity debugger and also logged in the file

4. To find user id and password just do a search in file “username” , “password”,”passwed”,”email” different website use different name facebook uses “email”.

This way we can sniff the data in application before it gets encrypted it can save a lot of reverse engineering time . Such scripting tools can save considerable time in malware analysis , exploit development as reverse engineers task are automated

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.

Immunity Debugger's interfaces include the GUI and a command line. The command line is always available at the bottom of the GUI. It allows the user to type shortcuts as if they were in a typical text-based debugger, such as WinDBG or GDB. Immunity has implemented aliases to ensure that your WinDBG users do not have to be retrained and will get the full productivity boost that comes from the best debugger interface on the market.

Features :

1) A debugger with functionality designed specifically for the security industry
2) Cuts exploit development time by 50%
3) Simple, understandable interfaces
4) Robust and powerful scripting language for automating intelligent debugging
5) Lightweight and fast debugging to prevent corruption during complex analysis
6) Connectivity to fuzzers and exploit development tools

7) The Python API ("Immlib/Lib reference" for full documentation)
8) A full Python based graphing library
9) Full debugger and GUI API access
10) A flurry of cool example scripts such as:
- !heap    A fully working heap dumping script (try the -d option!)
- !searchheap   Searching the heap
- !hippie    Trampoline hooks on RtlAllocateheap/RtlFreeHeap
- !modptr    Dynamic search for function pointers in pages
- !findantidep Find address to bypass software DEP

Interface: Commands can be extended in Python as well, or run from the menu-bar. Python commands can also be run directly from our Command Bar. Users can go back to previously entered commands, or just click in the dropdown menu and see all the recently used commands.

Remote command bar : From the command line menu, you can choose to start a threaded command line server. so you can debug remotely from another computer.

Built in Graphing
Another Immunity Debugger feature is the capability of creating function graphs. Our Python VCG library will create a window inside Immunity Debugger at the click of a button to graph your selected function. No third party software is required.

Immunity Debugger is light
Immunity Debugger strives to absorb as few resources on the system as possible. Being too CPU-heavy will cause heap overflows and other complex vulnerabilities to behave differently than they would under normal load. Likewise, fuzzing and other vulnerability analysis is only possible when the debugger is not causing undue system strain.

Immunity Debugger exposes the information you need
Most debuggers offer only one method to allow you to attach to a process of interest - the pid and the process name. Immunity Debugger offers the pid, process name, services within that process, TCP/UDP ports listened to by that process, complete binary name, and window name. This allows quick and easy access to the exact process you wish to analyze.

Python Scripting : Python scripts can be loaded and modified during runtime. The included Python interpreter will load any changes to your custom scripts on the fly. Sample scripts are included, as is full documentation on how to create your own. Immunity Debugger's Python API includes many useful utilities and functions. Your scripts can be as integrated into the debugger as the native code. This means your code can create custom tables, graphs, and interfaces of all sorts that remain within the Immunity Debugger user experience. For example, when the Immunity SafeSEH script runs, it outputs the results into a table within the Immunity Debugger window. Other scripts can ask for user input with dialogs and combo boxes.Having a fully integrated Python scripting engine means you can easily paint variable sizes and track variable usage, which in turn comes in handy when trying to automatically find bugs!

Python Hooks
Often you will want to run a Python script on certain program events, for example when a breakpoint is hit or an exception is caused. Immunity Debugger hook support includes many debugger events, and more are added with every release.

Python Hooks : Often you will want to run a Python script on certain program events, for example when a breakpoint is hit or an exception is caused. Immunity Debugger hook support includes many debugger events, and more are added with every release.

Immunity Debugger ships with 13 different flavors of hooks, each of which you can implement as either a standalone script or inside a PyCommand at runtime. The following hook types can be used:

BpHook/LogBpHook : When a breakpoint is encountered, these types of hooks can be called. Both hook types behave the same way, except that when a BpHook is encountered it actually stops debuggee execution, whereas the LogBpHook continues execution after the hook is hit.

AllExceptHook : Any exception that occurs in the process will trigger the execution of this hook type.

PostAnalysisHook : After the debugger has finished analyzing a loaded module, this hook type is triggered. This can be useful if you have some static-analysis tasks you want to occur automatically once the analysis is finished. It is important to note that a module (including the primary executable) needs to be analyzed before you can decode functions and basic blocks using immlib.

AccessViolationHook : This hook type is triggered whenever an access violation occurs; it is most useful for trapping information automatically during a fuzzing run.

LoadDLLHook/UnloadDLLHook : This hook type is triggered whenever a DLL is loaded or unloaded.

CreateThreadHook/ExitThreadHook : This hook type is triggered whenever a new thread is created or destroyed.

CreateProcessHook/ExitProcessHook : This hook type is triggered when the target process is started or exited.

FastLogHook/STDCALLFastLogHook :These two types of hooks use an assembly stub to transfer execution to a small body of hook code that can log a specific register value or memory location at hook time. These types of hooks are useful for hooking frequently called functions

C0d3S for Pr0F!t AnD FUN

Thursday, March 14, 2013

Sniffing data before its gets encryted in mozilla https encryption (SSL encryption)

Immunity debugger and support for Python scripting

Total Pageviews

About Me