Phase - Analysis
Before actual assessment and exploitation, it is recommended to analyse the communication and find out how it works. Analysis is usually done by working with History, Tagger and Logger modules. Sometimes it might be helpful to also use third-party tools like Wireshark, because they support various protocols and can help you understand it.
Understanding the Communication
After starting the application and running it through the PETEP proxy, go to History and start looking at the recorded PDUs. Usually, you will be able to detect different PDUs, which can be distinguished by various type-bytes. Sometimetimes it might be helpful to try modifying the PDUs in Catcher/Repeater to obtain errors, which tell us more about the PDU structure.
In case of our example vulnerable application, we will find out that the PDU has the following format:
- type (4 bytes)
- target (4 bytes)
- length (4 bytes)
- payload (n bytes)
To make our assessment and exploitation easier we can use Tagger and tag different kinds of PDUs with tags. For example, we can tag requests in SQL Injection challenge using "sqli-request" tag by detecting starting bytes of the PDU:
After tagging different PDUs, we can easily filter them inside History module:
Tags are not added to old recorded network communication. You have to configure tagging rules and then execute the actions again to record new PDUs with tags.
Understanding the Communication - Tips
You can create advanced custom conditions inside Tagger by checking the "Custom" option (then you can use &,|,^ and ! logical operators).
There is "Has Tag" subrule for combining various tagger rules together.
Find out whether there are some bytes describing length, separators or any other similar information. (For comfortable hacking it is better to create a script, which fixes these bytes automatically.)
If the PDU structure is very complex or the PDUs are often divided in the middle of the data, it might be better to write new extension to support the protocol of the application.
Create Scripts and/or Extensions
Analysis can often lead to the conclusion that the communication protocol contains mechanisms, which we need to handle automatically. (e.g. length bytes, encoding, ...)
In case that these mechanisms are simple, we can use Scripter extension and write our own script to handle these mechanisms. For example, in our Vulnerable Application Example we can create script for automatically fixing length bytes, so that we do not have to thing about enlargement or reduction of PDU data payloads.
const HEADER_LENGTH = (4 + 4 + 4); // [type][target][length][payload]
const LENGTH_INDEX = (4 + 4); // [type][target][length][payload]
const log = scripter.getLogger();
log.info('Registered script for automatic length fixing.');
scripter.registerInterceptor({
intercept: function(pdu, helper) {
var pduSize = pdu.getSize();
var pduBuffer = pdu.getBuffer();
// Calculate correct payload length and set it into the buffer
var correctPayloadLength = pduSize - HEADER_LENGTH;
var lengthBytes = intToBytes(correctPayloadLength);
pduBuffer[LENGTH_INDEX] = lengthBytes[0];
pduBuffer[LENGTH_INDEX + 1] = lengthBytes[1];
pduBuffer[LENGTH_INDEX + 2] = lengthBytes[2];
pduBuffer[LENGTH_INDEX + 3] = lengthBytes[3];
pdu.setBuffer(pduBuffer, pduSize);
return true;
}
});
function intToBytes(num) {
return new Int8Array([
(num & 0xff000000) >> 24,
(num & 0x00ff0000) >> 16,
(num & 0x0000ff00) >> 8,
(num & 0x000000ff)
]);
}In case that these mechanisms are complex, we can write our own extension to support them. (See Development Guide.)
