I will demonstrate how to use immunity python
scripting to sniffing encrypted traffic at the application layer(if you new to this topice then please refer to this post ). Normally to
understand how a client or server application interacts with the network, we
would use a traffic analyzer like Wireshark. Unfortunately, Wireshark is
limited in that it can only see the data post encryption, which obfuscates the
true nature of the protocol we are studying. Using a soft hooking technique, we
can trap the data before it is encrypted and trap it again after it has been received
and decrypted. Our target application will be the popular open-source web
browser Mozilla Firefox. For this
tutorial we are going to pretend that Firefox is closed source otherwise it
wouldn’t be much fun now, ;) and that it is our job to sniff data out of the firefox.exe
process before it is encrypted and sent to a server. The most common form
of encryption that Firefox performs is Secure Sockets Layer (SSL) encryption,
so we’ll choose that as the main target for our tutorial.
There is no “right” spot to place your hook;
it is really just a matter of preference. Our
Hook point is on the function PR_Write, which is exported from nspr4.dll. When this function is
hit, there is a pointer to an ASCII character array located at [ ESP + 8 ] that contains the data
we are submitting before it has been encrypted. That +8 offset from ESP tells us that it is the
second parameter passed to the PR_Write function that we are interested in. It is
here that we will trap the ASCII data, log it, and continue the process. First
let’s verify that we can actually see the data we are interested in. Open the
Firefox web browser, and navigate to one of my favorite sites, https://www.facebook.com/. Once you have accepted
the site’s SSL certificate and the page has loaded, attach Immunity Debugger to
the firefox.exe
process
and set a breakpoint on nspr4.PR_Write.
In the top-right corner of the facebook website is a login form; set a username
to test and a password to test and
click the Login button. The breakpoint you set should be hit
almost immediately;
keep pressing F9 and you’ll continually see
the breakpoint being hit.
Script :
from immlib import *
class fire (LogBpHook) :
def
__init__(self):
self.imm=Debugger();
self.logfile
= "D:\\fire_log.txt"
#directory where the log file has to be saved
LogBpHook.__init__(self)
def
run(self,regs):
addr=self.imm.readLong(regs['ESP']+8)
str=self.imm.readString(addr)
self.imm.log("PR_Write
( 0x%x) <- %s" % (addr,str) )
fd
= open( self.logfile, "a" )
fd.write(
str )
fd.close()
# this function run automatically when hook
is hit and function code is #executed which logs it in to file and displays on
log window of debugger
def main(args) :
imm=Debugger()
wfun=imm.getAddress("nspr4.PR_Write")
#setup hook point
fire_hook=fire()
fire_hook.add(
"%08x" % wfun, wfun)
return
"[*] READY for ACTION"
How do I run it ??
1.
Save
the above file with .py extension (firehack.py) ;) …. As it is python file .
then copy it in immunity install directory
2.
Then
type !<filename> (without .py extension for eg !firehack)
3.
All
the encrypted traffic will to shown on log window of immunity debugger and also
logged in the file
4.
To
find user id and password just do a search in file “username” ,
“password”,”passwed”,”email” different website use different name facebook uses
“email”.
This way we can sniff the data in application
before it gets encrypted it can save a lot of reverse engineering time . Such
scripting tools can save considerable time in malware analysis , exploit
development as reverse engineers task are automated