Thursday, April 10, 2014

Convert values to / from integer, hex string and raw data in Python 2.x / 3.x

I often use quick and dirty Python scripts to deal with binary protocols dissection, packet capture analysis, and to work with raw binary files.

If you are in the same situation, you may find this useful. Just keep the following library somewhere and use it whenever needed in your scripts.

No external libraries are required, and it works natively with Python 2 and 3.

Note, however, that it does no padding, so some results may not be what you expect. For example, if you call int2bytes() with an input integer between 2^16 and 2^24, it will return 3 bytes, while you probably want 4 (with a leading "\x00"). Just keep that in mind.

import binascii

def bytes2int(s):
    # Raw bytes -> unsigned big-endian integer.
    return int(binascii.hexlify(s), 16)

def bytes2hex(s):
    # Raw bytes -> '0x...' hex string. binascii works on Python 2 and 3,
    # unlike str.encode('hex'), which only exists on Python 2.
    return '0x' + binascii.hexlify(s).decode('ascii')

def int2bytes(i):
    # No padding: 0x10000..0xFFFFFF gives 3 bytes, not 4 (as noted above).
    h = int2hex(i)
    return hex2bytes(h)

def int2hex(i):
    # Python 2 appends 'L' to hex() of a long; strip it so hex2bytes() works.
    return hex(i).rstrip('L')

def hex2int(h):
    if len(h) > 1 and h[0:2] == '0x':
        h = h[2:]

    if len(h) % 2:
        h = "0" + h

    return int(h, 16)

def hex2bytes(h):
    if len(h) > 1 and h[0:2] == '0x':
        h = h[2:]

    if len(h) % 2:
        h = "0" + h

    return binascii.unhexlify(h)
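The padding caveat above is easiest to handle by fixing the output width. The following is an added example, not part of the original library: int2bytes_fixed()/bytes2int_fixed() are my own names, they use the same binascii approach so they run on Python 2 and 3, and the frame()/unframe() helpers show the fixed-width form applied to a constructed length-prefixed message of the kind met when dissecting binary protocols.

```python
import binascii

def int2bytes_fixed(i, length, byteorder='big'):
    """Encode the non-negative integer i as exactly `length` bytes."""
    # Unlike the unpadded helper, 0x123456 with length=4 gives
    # b'\x00\x12\x34\x56', and a value that does not fit raises instead
    # of silently coming back shorter. Pure binascii, so it works on
    # Python 2 and 3 (int.to_bytes is Python 3 only).
    if length < 1:
        raise ValueError("length must be at least 1 byte")
    if i < 0:
        raise ValueError("negative values are not supported")
    if i >> (8 * length):
        raise OverflowError("%d does not fit in %d bytes" % (i, length))
    # '%0*x' zero-pads to 2*length hex digits; no '0x' prefix, no 'L' suffix.
    raw = binascii.unhexlify('%0*x' % (2 * length, i))
    if byteorder == 'little':
        return raw[::-1]
    if byteorder != 'big':
        raise ValueError("byteorder must be 'big' or 'little'")
    return raw

def bytes2int_fixed(raw, byteorder='big'):
    """Inverse of int2bytes_fixed(): raw bytes -> unsigned integer."""
    if byteorder == 'little':
        raw = raw[::-1]
    elif byteorder != 'big':
        raise ValueError("byteorder must be 'big' or 'little'")
    return int(binascii.hexlify(raw), 16)

# Constructed sample framing: 2-byte big-endian length, then the payload.
def frame(payload):
    return int2bytes_fixed(len(payload), 2) + payload

def unframe(data):
    n = bytes2int_fixed(data[:2])
    if len(data) < 2 + n:
        raise ValueError("truncated frame: need %d bytes, have %d"
                         % (2 + n, len(data)))
    return data[2:2 + n]

if __name__ == '__main__':
    print(repr(int2bytes_fixed(0x123456, 4)))  # b'\x00\x12\x34\x56'
    print(repr(frame(b'hello')))                # b'\x00\x05hello'
```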

Monday, April 7, 2014

Add Burp Root CA into a Java Trust Store

Recently during a pentest I stumbled upon a thick client in Java that came with a configuration file (*.properties) referring to a Java Trust store:

# The following property specifies where the TrustStore file
# containing the trusted CA certificates or trusted certificates 
# can be found.
javax.net.ssl.trustStore=cert/clientTrustStore.jks

An SSL trust store is basically a container holding the certificates (typically CA certificates, or individual server certificates) that the client trusts.
This client was making an SSL connection to a web service endpoint. To be able to put myself in the middle of the protocol, I had to add Burp's CA certificate to this trust store.

1. Brute force the truststore password.

Here, a good old bash loop calling keytool with a dictionary file did the trick:

$ for pwd in $(cat ~/pentest/dictionary/most_used_pwd.txt); do (keytool -list -keystore cert/clientTrustStore.jks -storepass $pwd 2>/dev/null) && echo FOUND PASSWORD $pwd; done
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 5 entries

(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 8D:B8:(hidden):41:1B
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): 15:37:(hidden):25:E9
(hidden), 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:(hidden):59:BE
(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 32:DE:(hidden):BB:4D
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): CB:17:(hidden):FA:1C
FOUND PASSWORD password


2. Add Burp's CA certificate to the trust store

Well, ok, here the password was "password". So I could list the contents of my client trust store. Now, adding Burp's root CA is easy. Just create a listener within Burp, use it as a proxy, browse to any https website and display the certificate chain. Save the root CA certificate to a file.

Then, to add this root CA to your trust store (the alias is the name shown in the listing below; without -alias, keytool would store it as "mykey"):
keytool -import -keystore cert/clientTrustStore.jks -file PortSwiggerCA.cer -alias portswiggerca -storepass password

3. Start playing

To confirm that the certificate has been added to the trust store correctly, list its contents with the same keytool "-list" command used in the brute force above:
$ keytool -list -keystore cert/clientTrustStore.jks -storepass password
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 6 entries

(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 8D:B8:(hidden):41:1B
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): 15:37:(hidden):25:E9
(hidden), 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:(hidden):59:BE
(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 32:DE:(hidden):BB:4D
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): CB:17:(hidden):FA:1C
portswiggerca, 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:D7:52:FB:7A:28:61:71:0F:FF:09:9A:47:59:BE
Now you can proxy your client app through Burp and start playing with the protocol!