Hackerman's Hacking Tutorials

Manual Context is a Bug

Tue, 31 Mar 2026 02:55:00 -0700

I wake up and read the news. Daniel Miessler has only declared my job dead three times this week. Another frontier lab has found a bazillion bugs. Half of LinkedIn is "SAST is dead." The war is, well. Welcome to the age of AI.

In this blog I reflect on "Manual Work is a Bug" and on how AI has changed my workflow. I introduce the (not so novel concept) of "AI-Docs." A knowledge base for both humans and AI. Similar to our manual knowledge base, you should not have to manually fill the context except during the initial creation; the LLM should have everything it needs on hand.

AI-Native SARIF

Thu, 11 Dec 2025 19:00:00 -0700

The "radical" idea to add prompts and code context directly to SARIF files for AI triage.

WTF is ... - AI-Native SAST?

Fri, 31 Oct 2025 01:00:00 -0700

Ladies and gentlemen, my name is Parsia and I'm here to ask and answer one simple question: WTF is AI-Native SAST? (RIP TotalBiscuit).

Spoiler: It's SAST+AI. But that doesn't make it useless. Quite the opposite, I'll make the case for passing all your code to AI while tokens are cheap. Don't believe the marketing, though. Current LLMs need serious hand-holding to go beyond surface-level bug discovery, and that hand-holding comes from static analysis.

So You Wanna Use Your Own LLMs in GitHub Copilot Chat

Wed, 03 Sep 2025 07:00:00 -0700

We want to use custom OpenAI compatible API LLMs with GitHub Copilot Chat in VS Code without API keys. We will use LiteLLM as a proxy for authentication and use the Azure AI model support in Chat as a hack.

Problem Statement

GitHub Copilot Chat in VS Code (moving forward, called Chat¹) allows custom LLM deployments, but only supports API keys and not AAD/Entra ID. API keys are icky and not cool anymore. Using this method I can:

Kusto Detective Agency: Echoes of Deception - 0-8 Solves

Mon, 01 Sep 2025 20:00:00 -0700

Kusto is important at my current employer and one of my work besties does SecOps. So, I've decided to learn more Kusto. Solves for the first eight tasks for Kusto Detective Agency challenge Echoes of Deception.

It turns out Kusto is not just a better looking SQL, it does a lot more. E.g., it can make a graph and find paths (yes, as I've just searched, T-SQL can also do this). It makes me wonder if we can do some esoteric data flow static analysis by converting the AST into rows of data and finding paths from sources to sinks (or am I reinventing CodeQL, again, lol ¹).

How Burp AI Works

Fri, 15 Aug 2025 00:10:43 -0700

This is a quick peek inside Burp AI. I'll show how to proxy its requests, what actually happens when you trigger a feature. This knowledge allows us to redirect Burp AI to your own AI instance. As far as I know, this is not publicly documented.

I covered a shorter version in my DEF CON 33 Bug Bounty Village talk The Year of the Bounty Desktop: Bugs from Binaries. See the extended slides (pages 14–22) (placeholder for video).

Kusto-Mice: Optimizing Kusto joins

Sun, 18 May 2025 14:52:43 -0700

A few weeks ago I wrestled with a complex Kusto query. I shared what I learned at work in a presentation. In this blog, I'll use a public example to walk you through it.

Steam's 'Open in Desktop' Button

Thu, 19 Sep 2024 19:45:53 -0700

This is not a bug, but some notes about the new Steam "Open in Desktop" button. I am going to show how to look for bugs in these kinds of browser-to-desktop interactions.

Knee Deep in tree-sitter CST

Tue, 09 Apr 2024 12:35:35 -0800

We will continue the tree-sitter adventure and tackle the problems we couldn't solve with just tree-sitter queries. We can get results with a combination of queries and the Concrete Syntax Tree (CST).

In the previous post , I focused on just using queries. While they're useful for finding specific nodes, they're not enough.

Code is at https://github.com/parsiya/knee-deep-tree-sitter. Don't forget to populate the submodule, we need it for the last part.

Knee Deep in tree-sitter Queries

Tue, 19 Mar 2024 16:35:30 -0700

tree-sitter is a parser generator. You can use it to parse source code which is the first step of static analysis. For example, GitHub uses it to highlight code, code navigation, and also in CodeQL extractors.

TL;DR: Queries are great for capturing text from code. But to extract anything moderately structured we need to traverse the syntax tree.

And, yes, the title is based on Doom Episode 1 Knee Deep in the Dead. I love the title (and the game), because it lets me relive my edgy days.

A Few Fun Semgrep Experiments

Sun, 21 Jan 2024 02:32:24 -0800

I want to use Semgrep as a light code intelligence tool with a few experiments. I will write custom rules to extract info from code and then process the results.

The type of these experiments is inspired by Martin Jambon who is actually a core Semgrep developer. These are supposed to be self-contained but short experiments. You can see his at https://github.com/mjambon/dev-random.

Some SANS Holiday Hack 2023 Solutions

Wed, 10 Jan 2024 12:29:17 -0800

As is tradition, I started the SANS Holiday Hack and this time I almost did everything.

Previous years' writeups: /categories/holiday-hack/.

Holiday Hack Orientation

Picked up the fishing pole.

Cranberry Pi: Type answer.

Linux 101

Visit Ginger Breddie in Santa's Shack on Christmas Island to help him with some basic Linux tasks. It's in the southwest corner of Frosty's Beach.

Semgrep's Experimental Rule Syntax

Sat, 28 Oct 2023 12:43:08 -0700

Semgrep has an experimental and (IMO) more readable rule syntax. I am converting my own reference into a tutorial.

Some SANS Holiday Hack 2022 Solutions

Thu, 19 Jan 2023 12:29:17 -0800

As is tradition, I started the SANS Holiday Hack and stopped midway. A very fun static analysis problem came along ;)

Previous years' writeups: /categories/holiday-hack/.

YAML Wrangling with Rust

Sun, 16 Oct 2022 11:43:58 -0700

I will talk about how I parsed Semgrep rules in YAML with Rust, how I created Rust structs from JSON schemas for Semgrep rules, and finally, what didn't work. This blog post has different sections with code so you can follow and experiment.

Code Review Hot Spots with Semgrep

Thu, 07 Apr 2022 12:51:57 -0700

I will discuss the (not novel) concept of code review hot spots. Hot spots are parts of the code that might contain vulnerabilities. They are not suitable for automatic reporting, so security engineers should review them manually. I will define what I call a hot spot; I'll find some examples with Semgrep; and finally, I'll show how I collect these rules.

Security Nightmares of Game Package Managers

Mon, 07 Feb 2022 22:37:59 -0800

Let's talk about the security nightmare of handling hundreds of different game installations. Over the years I have become the de facto security engineer responsible for EA's "game package managers" Origin and the EA App and we have our own unique issues.

Some SANS Holiday Hack 2021 Solutions

Fri, 21 Jan 2022 20:06:21 -0800

Here are some of my answers to the SANS Holiday Hack 2021. As usual, it's a pretty fun and accessible challenge.

Previous writeups:

RCE in Visual Studio Code's Remote WSL for Fun and Negative Profit

Mon, 20 Dec 2021 03:22:10 -0800

The Visual Studio Code server in Windows Subsystem for Linux uses a local WebSocket WebSocket connection to communicate with the Remote WSL extension. JavaScript in websites can connect to this server and execute arbitrary commands on the target system. Assigned CVE-2021-43907 and zero bounty. I paid 5 USD for the EC2 machine hosting the proof-of-concept.

It's really funny that PlayStation paid 15K USD for almost the same bug with 2.2 million subscribers (it was out of scope in their program, too), but MSFT doesn't pay for an official extension with more than 10 million installs (obviously, not every install is unique) for one of their most popular products. But you are not here to listen to my rants. So, read on.

This post's target audience was Desktop Application Security People niche. I want to clarify some issues because more people have read it (edit on 2021-12-21):

I didn't get 5 dollars. I paid 5 dollars out of pocket, so it's -5.
"I am not angry, I am just disappointed." I knew it was out-of-scope. This wasn't some bait-and-switch by Microsoft. I am not angry
The vuln is not in VS Code. MSFT says it's in the Remote WSL extension but I think it's in the way VS Code Server works with the remote development extensions.

HackerNews link: https://news.ycombinator.com/item?id=29635300.

A Hands-On Intro to Semgrep's Autofix

Mon, 25 Oct 2021 20:00:47 -0700

Semgrep's experimental autofix feature can automagically modify vulnerable code. A few things can be fixed like this but it's worth exploring. This post is an introduction to creating fixes for your Semgrep rules.

I have included links to the playground for practicing. If you prefer running the rules via the command-line please see the rules and code at https://github.com/parsiya/Parsia-Code/tree/master/semgrep-autofix.

Modify GitLab Repositories from the CI Pipeline

Mon, 11 Oct 2021 01:12:58 -0700

You would think modifying a GitLab repository from its CI job should be straightforward. Well, it's not. Here's how I did it.

Attack Surface Analysis - Part 3 - Resurrected Code Execution

Sun, 26 Sep 2021 20:50:38 -0700

In part 3 of my attack surface analysis series, I will discuss an undisclosed RCE. This bug uses a combination of all tricks introduced in part 2 of the series.

We will see command-line switch injection from a custom protocol handler, loading remote files, reversing a custom scripting engine to instrument the application, and log file injection. Pretty nice chain if I may say so.

The Thick Client Vulns That Weren't

Fri, 30 Jul 2021 20:30:59 -0700

A few days ago I saw a tweet about thick client vulnerability. I am not linking to it because it appeared to be someone new to the industry and very excited.

The Original Tweet

Well, most of these are not vulnerabilities. So, I am compiling my tweets into a blog post.

It's important that we only go after actual vulnerabilities and not spread misinformation.

Funnily, I have talked about several of these in a separate blog post named No, You Are Not Getting a CVE for That

Semgrep: The Surgical Static Analysis Tool

Tue, 22 Jun 2021 18:42:06 -0700

Why are We Here?

What this blog is about:

Why I like Semgrep.
Why I think you should use it.
How I use Semgrep.

What this blog is not about:

What static analysis is.
Semgrep tutorial.

The JavaScript Bridge in Modern Desktop Applications

Tue, 08 Jun 2021 00:53:25 -0700

We have an XSS in a desktop application, what happens next? How can you escalate it to remote code execution? Let's see.

Public Remote File Share in The Cloud

Mon, 31 May 2021 10:20:40 -0700

In Part 2 of the Attack Surface Analysis series I talked about how passing a remote file with a UNC path can lead to unexpected results.

I am documenting how I created a share using an EC2 instance. This guide is for AWS, but it's a Linux machine running in the cloud. You can easily replicate it.

Testing Extensions in Chromium Browsers - Nordpass

Fri, 30 Apr 2021 14:20:40 -0700

Recently, I looked at the NordPass Password Manager browser extension. I could not find any guides on manual testing of browser extensions. I decided to write my own. So, here we are, "pushing the boundaries of science."

Attack Surface Analysis - Part 2 - Custom Protocol Handlers

Wed, 17 Mar 2021 15:14:00 -0800

Custom protocol handlers are an obscure attack surface. They allow us to convert local attacks into remote ones and are an alternative way to jump the browser sandbox without 0days).

Similar to the first part of this series A Novel Way to Bypass Executable Signature Checks with Electron I will analyze this attack surface and discuss a few interesting public bugs. I wanted to discuss two of my undisclosed bugs but the post is already too long.

2021-04-21 updates:

Startup path limitations and possible workarounds.
Positive security's excellent blog released a month after this with a near jar trick.
Allow arbitrary URLs, expect arbitrary code execution.

The article has a great trick for passing parameters when we cannot. Use jar files in UNC paths: \\ip\path\whatever.jar. Search for windows-10-19042 in the page.

Automagically Deploying Websites with Custom Domains to GitHub Pages

Wed, 17 Feb 2021 09:56:33 -0800

Recently, I have started moving my non-critical websites to GitHub pages. I am documenting the process in one place for future me.

Some SANS Holiday Hack 2020 Solutions

Sun, 17 Jan 2021 11:33:47 -0800

This year like last year and unlike 2018, I only did a few of the SANS Holiday Hack challenges. I got invited into this private bug bounty program with a desktop application in scope (those are quite rare) so I had to poke at it. To be fair, I hit the motherlode and submitted $10K of bounties.

Previous writeups:

Attack Surface Analysis - Part 1 - Application Update: 'A Novel Way to Bypass Executable Signature Checks with Electron'

Fri, 08 Jan 2021 22:33:32 -0800

A few months ago I found a way to subvert the update process of an Electron application to get local privilege escalation. The application stores the updater under a path where standard users have write access. But it also checked if the executable was signed by the vendor. I managed to bypass the signing using a backdoored Electron application.

The $15000 PlayStation Bounty

Fri, 01 Jan 2021 15:29:00 -0800

Earlier in December 2020, my PlayStation Now report was disclosed. You can see the report at https://hackerone.com/reports/873614. That is my first paid bounty and my first disclosed report. It was quite exciting. I doubt I can top it.

Customizing Python's SimpleHTTPServer

Sun, 15 Nov 2020 20:57:46 -0800

The other day I customized the Python built-in SimpleHTTPServer with some routes. I did not find a lot of info about it (most use it to serve files). This is how I did some basic customization.

The Same-Origin Policy Gone Wild

Sun, 01 Nov 2020 20:02:53 -0800

I will talk about some edge cases of the Same-Origin Policy (SOP). It affects browser based thickclient platforms so it's not just for web application security. This is a more detailed dive into this topic that I touched briefly in the localghost talk.

localghost: Escaping the Browser Sandbox Without 0-Days

Thu, 13 Aug 2020 20:38:06 -0700

I had the hono(u)r of presenting in the DEF CON 28 Appsec village. Unfortunately, my super-duper awesome $15K PlayStation bug was not disclosed yet so I did not talk about it. Be sure to read it, it's great.

Slides in PDF
Youtube link: https://youtu.be/Cgl51ZcACLg?t=90

No, You Are Not Getting a CVE for That

Sat, 25 Jul 2020 16:21:15 -0700

An intentionally insecure system is insecure. As Raymond Chen says, "You can't make up for the absence of any actual vulnerability by piling on style points and cranking up the degree of difficulty."

Thick Client Proxying - Part 11 - GOG Galaxy and Extract-SNI

Mon, 22 Jun 2020 09:49:35 -0700

In this post we will use our knowledge from Thick Client Proxying - Part 10 - The hosts File to proxy GOG Galaxy 2. I will also introduce some automation to make our lives easier.

Go Slices and Their Oddities

Sun, 17 May 2020 22:37:21 -0700

A friend pointed me to this Go quiz about slices by Serge Gotsuliak. It's an interesting exercise and points out the intricacies of Go slices. I decided to explore it in detail. These oddities might have security implications.

Thick Client Proxying - Part 10 - The hosts File

Sat, 09 May 2020 13:01:59 -0700

Welcome to the 10th installment of Thick Client Proxying. A series running since 2016. Woot! Today I will talk about traffic redirection using the hosts file.

Towards a Quieter Burp History

Fri, 01 May 2020 23:13:24 -0700

This is how I reduce the noise in Burp's HTTP history when testing thick clients. You can use the methods here to create your own Burp configuration file or build upon the one I have created. I am going to identify common noisy requests that appear in Windows and then ignore them in Burp.

The Encrypted Logz - Some Simple Reverse Engineering

Fri, 17 Apr 2020 17:30:22 -0700

I was looking at an application (not related to my day job) and I decided to reverse engineer how it creates logs. I cannot name the app (yet) but hopefully, this is useful.

The Golang int and the Overlooked Bug

Sun, 05 Apr 2020 01:19:36 -0700

This blog is about a GitHub Security Lab Spot The Bug challenge that had an overlooked bug. Github Security Lab's Twitter account tweets code snippets from time to time. The challenge is to spot the bug.

Disclosure: I might be completely wrong because we only have access to the snippet in the picture and people at the GitHub Security Lab are better than me in static analysis.

Time Management For Systems Administrators - Lessons Learned

Fri, 13 Mar 2020 19:25:18 -0700

A while ago I read Time Management for System Administrators by Tom Limoncelli. This blog is my reviewed notes.

You can find my raw notes in my clone at:

https://parsiya.io/automation/time-management-sysadmins-notes/

Tom is also the author of one of my favorite articles Manual Work is a Bug.

I have written about it:

Old ContextIS Challenge Solutions

Sun, 09 Feb 2020 19:08:07 -0800

A few years ago I did the Context Information Security challenges. They used it for recruiting so I never published the results. However, they have now switched to Hack The Box and the old challenges are gone. So I am publishing what I did.

You can see the page with the old challenges using the Wayback Machine at:

http://web.archive.org/web/20181012035146/https://www.contextis.com/en/careers/challenges

I also did some of their xmas 2018 challenges.

Documentation Writing for System Administrators - Notes

Thu, 06 Feb 2020 23:21:57 -0800

These are my notes for the booklet Documentation Writing for System Administrtors. It's from 2003, so some of the tools and procedures are old. However, somethings never change and it's still useful.

https://www.usenix.org/short-topics/documentation-writing-system-administrators

Some SANS Holiday Hack 2019 Solutions

Wed, 15 Jan 2020 00:09:11 -0800

I did some of the solutions for the SANS Holiday Hack Challenge of 2019. Last year I participated for the first time. You can find the solutions below:

SANS Holiday Hack 2018 Solutions

Using Mozilla Rhino to Run JavaScript in Java

Sun, 22 Dec 2019 20:13:09 -0800

This post discusses what I learned about executing JavaScript code in Java with Mozilla Rhino. By the end of this post, you will know:

What Rhino is.
How to use Rhino in your Java application (e.g., a Burp extension).
Some tips and tricks when dealing with Rhino.
Alternative options to using Rhino.

Code is at:

https://github.com/parsiya/Parsia-Code/tree/master/java-rhino

Developing and Debugging Java Burp Extensions with Visual Studio Code

Mon, 02 Dec 2019 19:32:09 -0800

A few days ago, I released the Bug Diaries Burp extension. It's a Burp extension that aims to mimic Burp issues for the community (free) version. For reasons, I decided to rewrite it in Java. This is the first part of my series on what I learned switching to Java.

This part discusses how my environment is set up for development with Visual Studio Code. Things like auto-completion, Gradle builds and most importantly debugging.

Clone the repository to skip some of the steps in the blog. I still recommend doing them yourself if you are not familiar with Gradle and Burp development, clone the following repository:

https://github.com/parsiya/burp-sample-extension-java

Swing in Python Burp Extensions - Part 3 - Tips and Tricks

Tue, 26 Nov 2019 00:24:37 -0800

In the two previous parts, we learned about Jython Swing. Those blogs take a lot of time to write. I think each of them took around 10 hours. I do not want to spend that kind of time but I still want to document what I have learned.

In this blog I will write tips and tricks with a small code snippet instead of creating a complete extension.

Did I tell you I release Bug Diaries, it's a Python Burp extension that aims to bring Burp issues to the community version. It's pretty neat.

Swing in Python Burp Extensions - Part 2 - NetBeans and TableModels

Mon, 11 Nov 2019 12:00:53 -0800

In part 1 we discussed handcrafting Swing GUI items in a form. In this part, we will design a GUI using NetBeans and then convert it to Jython. Then use it in a Burp tab. Next, we will create a custom table model based on objects to handle our issues.

Code is at:

https://github.com/parsiya/Parsia-Code/tree/master/jython-swing-2

Swing in Python Burp Extensions - Part 1

Mon, 04 Nov 2019 00:40:42 -0700

TL;DR: What I learned from creating handcrafted GUIs for Python Burp extensions using Swing. Code is at:

https://github.com/parsiya/Parsia-Code/tree/master/jython-swing-1

Quality of Life Tips and Tricks - Burp Suite

Sun, 13 Oct 2019 20:48:26 -0700

Quality of life patch/update in the context of videogames is a patch that focuses on fixing bugs instead of introducing new content. New features in these patches are not ground-breaking but rather making the game easier to play¹.

I have been using these things to make my life easier. I am publishing them gradually and will refine them into one final page similar to the cheatsheet. This page also pairs really well with automation.

Disabling Cascade Fan's Beep

Sun, 28 Jul 2019 13:23:50 -0700

TL;DR:

Open 11 screws.
Remove the cap on the buzzer.
Done.

Chaining Three Bugs to Get RCE in Microsoft AttackSurfaceAnalyzer

Tue, 18 Jun 2019 13:03:53 -0700

This is a blog post about how I found three vulns and chained them to get RCE in the Microsoft AttackSurfaceAnalyzer (ASA moving forward) GUI version.

ASA uses Electron.NET which binds the internal Kestrel web server to 0.0.0.0. If permission is given to bypass the Windows OS firewall (or if used on an OS without one), a remote attacker can connect to it and access the application.
The web application is vulnerable to Cross-Site Scripting (XSS). A remote attacker can submit a runID with embedded JavaScript that is executed by the victim using the ASA Electron application.
Electron.NET does not have the NodeIntegration flag set to false. This allows the JavaScript payload to spawn up processes on the victim's machine.

Thick Client Proxying - Part 9 - The Windows DNS Cache

Sun, 28 Apr 2019 13:35:00 -0700

This post explains a trick that I have been using for a few years to discover application endpoints on Windows quickly.

It's a simple trick:

Clear the DNS cache.
Take a snapshot of the cache.
Run the application and use different functionalities.
Take another snapshot of the cache.
Compare these two snapshots.
???
Discover (most) endpoints.

Code is at:

https://github.com/parsiya/Parsia-Code/tree/master/dns-cache

Disabling Burp's Update Screen - Part 1 - Analysis and Failures

Sun, 21 Apr 2019 14:58:50 -0700

I tried to disable Burp's update nag screen and failed. This blog post describes the analysis and my effort to date.

Hacky Workaround: Block outgoing requests to 54.246.133.196 but this will also, block installing extensions from the Burp app store.

Part two (if there is one) will discuss more things that I tried and did not work and/or what worked and how you can disable it.

The Dark Side of "Manual Work is a Bug"

Wed, 17 Apr 2019 19:12:33 -0700

This is a revisit of Manual Work is a Bug during my ramp up at my new job. I will discuss my experience doing some automation at my previous job and the flip side to the utopia painted by the article.

Hiding OPTIONS - An Adventure in Dealing with Burp Proxy in an Extension

Sat, 06 Apr 2019 15:30:16 -0700

TL;DR: No matter what you do, your Burp extension cannot modify requests before they hit the HTTP History panel. You can modify requests after that and before they are sent out. We will discuss two ways to modify them with extensions. While the Match/Replace functionality is special, it has the same limitation (note how it has a separate tab that says auto-modified?).

Update October 2019: Latest version using burputils is at:

https://github.com/parsiya/Parsia-Code/tree/master/burp-filter-options

path.Join Considered Harmful

Sat, 09 Mar 2019 20:43:40 -0500

Credit goes to my friend Stark Riedesel. Check out his github profile. One of these days I will bully him into reviving his blog.

TL;DR: Instead of path.join use filepath.Join.

Cheating at Moonlighter - Part 4 - Defense

Thu, 31 Jan 2019 21:11:32 -0500

I am going to talk about defense. This is a mainly non-technical post. It's a bit different from other posts on this topic and in general. With the existence of a trainer and the debug HUD, I decided to can the idea of using Cheat Engine on Moonlighter.

Other parts:

Cheating at Moonlighter - Part 3 - Enabling Debug HUD

Tue, 29 Jan 2019 22:52:01 -0500

In this part, I am going to use dnSpy to enable the Debug HUD. We will analyze how it's enabled and how it can be accessed.

Cheating at Moonlighter - Part 2 - Changing Game Logic with dnSpy

Sun, 27 Jan 2019 20:47:30 -0500

In part 1 we messed a bit with Moonlighter but modifying the save file. In this part, we will modify game logic using dnSpy.

We will modify our damage, player stats and discover a hidden stat.

Cheating at Moonlighter - Part 1 - Save File

Wed, 23 Jan 2019 20:03:08 -0500

Moonlighter is a nice game. Over the new year break, I played it for 10 hours a day for 2-3 days. It's your typical dungeon crawler with a twist. You have a shop and you can sell items in your shop and do a bit of price manipulation based on supply and demand.

It has some grinding. At each dungeon level (there are four), you have grind the items needed for crafting the next level equipment. After farming for multiple hours to get a few drops of one item, I decided to cheat at it.

This post talks about how I discovered the save file and how we can modify it to give ourselves any item in the game. In the next part, I will discuss modifying the game to one-shot enemies and other things. It's a straightforward game for getting into "game hacking."

Notes on Escaping Python Shells

Sat, 19 Jan 2019 22:29:43 -0500

During the SANS Holiday Hack Challenge 2018, I viewed a talk by Mark Baggett about escaping Python shells. These are my notes.

It's part of SANS SEC573: Automating Information Security with Python which looks interesting. Although, I am Go fanatic and will probably will never be able to afford to course anyways. Creating a Go version of the course sounds fun.

SANS Holiday Hack Challenge 2018 Solutions

Tue, 15 Jan 2019 19:33:21 -0500

SANS Holiday hack challenge 2018 was fun. It was also the first one I tried. I liked the talks and that the challenges were accessible to most skill levels. I mean RCE through the -0 bug in v8 is great and all but I want people to be able to have fun and learn new skills.

If being a security consultant has taught me anything, it's that no one has time to read your 100 page report. So here are some quick solutions. I will post my notes from the YouTube videos in different posts.

Cloudflare Concise Christmas Cryptography Challenges 2019 Solutions

Thu, 03 Jan 2019 20:24:15 -0500

Cloudflare had a Christmas crypto(graphy) challenge. Here are my solutions. The first two questions were pretty easy but the 3rd sent me down on a rabbit hole. Apparently, only 15 people solved it which places me in the world top 15 cryptographers (that's how it works right?).

Cryptography in Python Burp Extensions

Mon, 24 Dec 2018 01:00:14 -0500

In this post, I will discuss a few tricks for creating Burp extensions in Python that deal with cryptography. Our example is a Burp extension that adds a new tab to decode and decrypt an application's traffic. This allows us to modify payloads on the fly and take advantage of Repeater (and other tabs). I have used similar extensions when testing mobile and thickclient applications.

The code is at:

https://github.com/parsiya/Parsia-Code/tree/master/python-burp-crypto

AES-CFB128: PyCrypto vs. Go

Sat, 22 Dec 2018 19:25:10 -0500

We have encrypted something with AES-CFB128 in Go. How can we decrypt it with PyCrypto?

This was originally part of the next blog post (about creating Python Burp extensions) but it grew large enough to be a separate post.

Disclaimer: I am not knowledgeable enough to explain cryptography to people. Read actual papers/books/articles to figure things out. If you find mistakes here, please let me know.

Code is at: https://github.com/parsiya/Go-Security/tree/master/aes-cfb128

Python Utility Modules for Burp Extensions

Wed, 19 Dec 2018 22:48:10 -0500

We can create and load Python/Java utility modules in Burp and then use them in extensions. It's a somewhat unknown/unused capability in Burp's Python/Java extensions.

Note: Alternatively, the modules can be placed in the same path as the extension and loaded/used the same way. For example, instead of putting the Burp Exceptions file in the modules folder, store it in the extension directory.

Tiredful API - Part 2 - Comparing Site Maps with Burp

Mon, 17 Dec 2018 01:11:11 -0500

In Part 1 - Burp Session Validation with Macros I discussed using Burp macros to validate sessions. In this part, I will show how to use Burp's sitemap comparison to detect forced browsing/access control/direct object reference issues and the like.

The flow is straightforward:

Navigate around the application as user1. Personally, I just do my normal testing for a couple of days.
Set a session handling rule to do one of the two:
1. Update the cookie from the cookie jar. In this case you login as user2 first and let Burp update cookies.
2. Run a macro to create a valid session for user2 and use the token.
Tell Burp to compare site maps.

Also, read these:

Tiredful API - Part 1 - Burp Session Validation with Macros

Tue, 11 Dec 2018 00:15:07 -0500

Tiredful API is an intentionally vulnerable REST API. I am going to use it to practice a bunch of Burp tricks.

In this part, I want to show how to use Burp macros to detect invalid session and add a custom bearer token header to the requests.

Cheap Integrity Checks with HEAD

Tue, 04 Dec 2018 22:51:03 -0500

tl;dr: HEAD returns file size in Content-Length response header.

A few months ago, I did a side project of creating a Go package for npm. It was before the current dumpster fire that is event-stream. The idea was to be able to query npm and get information and packages.

Pointers Inside for

Sun, 18 Nov 2018 16:57:24 -0500

Do not directly assign the for counter/range variables to a slice as pointers. Read this by Jon Calhoun Variables declared in for loops are passed by reference. "[...] the variables aren't being redeclared with each iteration [...]".

I have written so much buggy code that I am going to write this down.

filepath.Ext Notes

Sat, 10 Nov 2018 00:59:58 -0500

The filepath package has some functions for processing paths and filenames. I am using it extensively in a current project. You can do cool stuff with it, like traversing a path recursively with filepath.Walk.

filepath.Ext returns the extension of a filename (or path). It returns whatever is after the last dot. It has some gotchas that might have security implications.

Code is at: https://github.com/parsiya/Parsia-Code/tree/master/filepath-ext

Windows Filetime Timestamps and Byte Wrangling with Go

Thu, 01 Nov 2018 08:05:47 -0400

For a side project, I have to parse timestamps in a file. These timestamps are in the Windows Filetime format. This post documents what I have learned about them and how they can be converted to a Golang time.Time and then converted to any desirable format after that.

We will start by looking at endian-ness and use a real-world example to practice our newly acquired knowledge.

TL;DR: To convert a Windows Filetime to Go's time.Time:

Read 8 bytes in LittleEndian from the file.
Create a syscall.Filetime.
- Assign the first 4 bytes to LowDateTime field and the other four to HighDateTime.
Convert the resulting Filetime to nanoseconds with Filetime.Nanoseconds().
Convert the resulting value to time.Time.

The code is at:

https://github.com/parsiya/Parsia-Code/tree/master/filetime-bytewrangling

Blackfriday's Parser and Generating graphs with gographviz

Sun, 28 Oct 2018 11:31:34 -0400

I have been working on a personal automation project. In short, I write most of my notes in markdown so I wanted to grab them and store them in a specific format with annotations (e.g. everything under heading deployment notes is labeled as such in the final data file). These are not high volume, large files. I have written them manually, I am talking about a 10-20 KB file (with most content being pasted code/request snippets). I am not looking for efficiency.

Blackfriday is the markdown parser for Hugo, so I was somewhat familiar with it. Since version 2, it has a markdown parser.

In this post, I am going to describe what I learned during the process and how I leveraged Blackfriday's markdown parser in some hacky ways to get annotated data. To visualize the AST (Abstract Syntax Tree) generated by Blackfriday, I used gographviz.

A simple package parse and code can be found here:

https://github.com/parsiya/Parsia-Code/tree/master/markdown-parsing

DEF CON 26 - Tineola - Youtube Video

Fri, 26 Oct 2018 21:56:22 -0400

The DEF CON 26 video is finally released:

https://www.youtube.com/watch?v=xKYIde5jh_8

I sound somewhat comprehensible. That was a nice surprise. Credit goes to Travis for making us do many dry-runs. As usual, I am eternally grateful to Stark for his work.

Airport and TSA diaries, Elon Musk jokes, we have it all.

Gophercises - Lessons Learned

Sat, 06 Oct 2018 00:22:58 -0400

I recently finished Gophercises, a great set of Go practice lessons by Jon Calhoun. I think it took me around a month from start to finish with some stuff in the middle. Most were nice, some were tedious. For example, the last exercise was about PDF generation and went to boring quickly.

After every lesson, I wrote down "Lessons Learned" in the README. This page collects most of them. All code is here:

https://github.com/parsiya/Parsia-Code/tree/master/gophercises

Reflections on "Manual Work is a Bug"

Wed, 03 Oct 2018 00:48:17 -0400

I recently read Manual Work is a Bug by Thomas A. Limoncelli. It's a great article in my opinion. I realized I had been doing some of what it mentions.

If you know me, you know I am a great fan of knowledge bases or clones as I call them. I have my own external clone at parsiya.io. It's also somewhat automated. I have had an internal one for more than two years.

But the automation was not what rhymed with me. It was the documentation.

Tineola: Taking a Bite out of Enterprise Blockchain

Thu, 27 Sep 2018 01:17:59 -0400

So I wrote about Tineola for our corporate blog. The editors fixed my words so it sounds fancy and actually English. You can read it here:

https://www.synopsys.com/blogs/software-security/tineola-enterprise-blockchain/

In the meanwhile, I have been doing Gophercises by Jon Calhoun. I am up to 16. I am documenting my learned lessons in the readme of each directory. I will add them all together and put them somewhere here or in hackingwithgo.com. You can see the code here:

https://github.com/parsiya/Parsia-Code/tree/master/gophercises

Babbling about blockchain at DEF CON 26

DVTA - Part 5 - Client-side Storage and DLL Hijacking

Sat, 25 Aug 2018 13:49:10 -0400

Thick clients store ample information on the device. In this part, we are going to investigate DVTA to see what, how, and where it stores data. We are also going to do some basic DLL hijacking. Our tools are procmon, PowerSploit, and dnSpy.

Previous parts are at:

Committing Insurance Fraud with Tineola

Thu, 23 Aug 2018 21:18:32 -0400

We recently presented our tool at the DefCon 26 conference in Vegas. Amazing time was had. We had a friendly crowd at our talk Tineola: Taking a Bite Out of Enterprise Blockchain. You can see our slides and whitepaper in the repository. The tool is released under MIT and is at:

https://github.com/tineola/tineola

During the talk, Stark demoed our tool and showed how to completely break the Build Blockchain Insurance App. You can see the videos on the DefCon Media Server.

This blog post will teach you how to use Tineola and commit insurance fraud.

DVTA - Part 4 - Traffic Tampering with dnSpy

Thu, 02 Aug 2018 19:41:54 -0400

After doing network recon in part three, it's time to do some traffic manipulation. We will learn how to capture and modify network traffic using dnSpy. This is much easier than trying to intercept and modify traffic after it's transmitted.

Previous parts are at:

DVTA - Part 3 - Network Recon

Mon, 30 Jul 2018 00:35:57 -0400

In this part, we will focus on network traffic. More often than not, thick client applications have some sort of network connectivity. They talk to some server(s) to do things.

Previous parts are:

DVTA - Part 2 - Cert Pinning and Login Button

Sat, 21 Jul 2018 01:38:50 -0400

After setting up the Damn Vulnerable Thick Client Application, we are now ready to hack it.

In this section, we will bypass the certificate pinning, enable the login button, learn how to modify the code in dnSpy through writing C# code and get a quick intro to Common Intermediate Language (CIL).

You can see previous parts here:

Damn Vulnerable Thick Client Application - Part 1 - Setup

DVTA - Part 1 - Setup

Sun, 15 Jul 2018 21:26:41 -0400

I have written a lot about thick clients. However, I have not done more than a few practical examples that I can show my co-workers or anyone else asking questions. Recently, I came across the Damn Vulnerable Thick Client Application by SecVulture at https://github.com/secvulture/dvta.

I am not going to use the original version of the application. Someone has created a fork and added more protections. We will use this fork instead:

https://github.com/nddmars/dvta

Neither fork's setup instructions worked for me. As a result, the first part is actually setting up the application and the necessary back-end in only one VM. But don't worry, we will do a bit of reverse engineering with dnSpy to fix an issue.

Thanks to SecVulture for creating the app and maintainers of the second repository for adding protections.

Istanbul Tips and Tricks

Wed, 04 Jul 2018 05:56:48 -0400

Recently I was in Istanbul for two weeks in June 2018. This blog contains what I learned. Sharing it with the world in case you end up there. It's a nice city and most people are friendly but unfortunately like any other tourist destination, the opportunist minority ruin it for everyone else.

Disclaimer: I loved the city and most people in it but I hated the Taxis and most shopkeepers. Once we started using public transport, the quality of our experience went up drastically.

Here's a picture of us before all the negativity :D

Survived Istanbul

ContextIS xmas CTF Writeup

Tue, 05 Jun 2018 22:34:55 -0400

In January 2018, Context Information Security had a CTF. Here are my write-ups for some of them and write-ups for some I did not figure out. But that's CTF for you. If you manage to walk down the path of designer, you will be fine. Otherwise, you will have a bad time.

But enough complaining, let's see what happens.

On Username Enumeration

Sat, 26 May 2018 21:51:48 -0400

Enumeration is identifying valid resources in a target address space. This sounds academic and I hate academic mumbo jumbo but bear with me.

Username enumeration is identifying valid user identifiers in an application. These are typically usernames or account IDs.

Enumeration is an interesting topic. The concept of enumeration is straightforward but not always obvious. In this post I will explain username enumeration using an example.

Learning Go-Fuzz 2: goexif2

Sat, 05 May 2018 18:01:09 -0400

Previously on Learning Go-Fuzz:

"Learning Go-Fuzz 1: iprange"

This time I am looking at a different package. This is a package called goexif at https://github.com/rwcarlsen/goexif. Being a file parser, it's a prime target for Go-Fuzz. Unfortunately it has not been updated for a while. Instead, we will be looking at a fork at https://github.com/xor-gate/goexif2.

Code and fuzzing artifacts are at:

https://github.com/parsiya/Go-Security/tree/master/go-fuzz/goexif2

Learning Go-Fuzz 1: iprange

Sun, 29 Apr 2018 19:25:10 -0400

Go-Fuzz is like AFL but for Go. If you have a Go package that parses some input, you might be able fuzz it with Go-Fuzz (terms and conditions apply). Not everything can be fuzzed very easily. For example Go-Fuzz does not like cycling imports, so if one of your sub-packages imports the main package then you are in trouble (I am looking at your Chroma).

The rest of the article will show how to use Go-Fuzz to fuzz a Go library named iprange at:

https://github.com/malfunkt/iprange

Code and fuzzing artifacts are at:

https://github.com/parsiya/Go-Security/tree/master/go-fuzz/iprange

Semi-Automated Cloning: Pain-Free Knowledge Base Creation

Tue, 24 Apr 2018 21:18:32 -0400

TL;DR:

Instead of creating an index manually for Github, I am using a Hugo blog for my knowledge base (a.k.a. Parsia-Clone). This blog is about my flow and how I have semi-automated the process. Demo site is at https://parsiya.io (it's served in plaintext because I am making rapid changes and do not want to invalidate CloudFront's cache after every push).

Flow

Flow is pretty simple:

Create the page bundle directory and page in the clone with hugo new. I usually create it under categories\main-category-name. The command will look like:
- hugo new categories\research\hacking-the-gibson\index.md
Run hugo serve to preview the page during the edit.
Fill front matter and write the page in index.md.
Any resources such as pictures and files can be in the same directory. This helps in two ways, they can be referenced in the page (like pictures) and seen on Github (like config files).
When done, git add/commit/push the clone inside the content directory.
???
Profit. See updated blog, built and deployed by Travis CI.

Deploying my Knowledge Base at parsiya.io to S3 with Travis CI

Tue, 24 Apr 2018 01:02:03 -0400

I finally managed to automate deployment of parsiya.io with Travis CI. Not having done this before, I encountered some pitfalls. Additionally I had two extra problems:

The structure of the blog is different from most Hugo deployments. Parsia-Clone only contains the content directory. Parents and everything else are in the parsiya.io repo. So while we push to Parsia-Clone, we need to clone parsiya.io and build the repository there.
I am hosting it out of an S3 bucket. All other examples were using github pages.

Update November 2020: As of late November 2020, I have switched to Github actions for both parsiya.net and parsiya.io. Please see deploy.ymlOLD.

Update February 2021: parsiya.io is now hosted on github pages with a custom domain instead of an S3 bucket. Please see the workflow file at gh-pages.yml.

Adding Custom Chroma Styles to Hugo Themes

Sun, 15 Apr 2018 13:38:57 -0400

Update: Chroma now supports solarized-dark families. Currently, this version is not used in Hugo.

Hugo has switched to Chroma for syntax highlighting from Pygments. While it still supports Pygments, it appears Chroma is much faster. However, Chroma does not support the solarized dark theme that is used by Hugo-Octopress. So I had to generate the CSS and add it manually.

The process is decently simple because Chroma has a built-in tool for converting styles _tools/style.py. You can see the files inside my clone:

https://github.com/parsiya/Parsia-Clone/tree/master/random/chroma-pygments-convert

Blockchain Security Talk at NoVA Hackers

Sat, 17 Mar 2018 20:37:29 -0400

I had a 30 minute talk about Blockchain security at NoVA Hackers on March 12th 2018.

NoVA Hackers is a monthly security meetup for in northern Virginia. Very welcoming event.

You can download the PDF from Google Drive:

https://drive.google.com/file/d/1aXJgpGs6TznOx5uO7U1cvkvi-zVEjPSJ/view

Hopefully I can do more presentations as I learn more.

As usual, please let me know where I messed up.

The Great Hiatus

Thu, 01 Mar 2018 22:22:51 -0500

This is copied to a blog entry on Aug 1 2016.

I did not blog for almost exactly a year from July 28th 2016 to July 8th 2017.

This is not something new, if you look at my blog dates you can see I work in clusters. I do a few blogs about something interesting in quick succession and then don't do anything for a while.

You could call this a problem. Some people recommend holding off posts and then publishing them more steadily. I am not like that, I want to document what I do for future reference right now before I forget.

Extracting PNG Chunks with Go

Sun, 25 Feb 2018 18:27:49 -0500

Yesterday I had to extract some data from hidden chunks in PNG files. I realized the PNG file format is blissfully simple.

I wrote some quick code that parses a PNG file, extracts some information, identifies chunks and finally extracts chunk data. The code has minimal error handling (if chunks are not formatted properly). We also do not care about parsing PLTE and tRNS chunks although we will extract them.

Code is at:

https://github.com/parsiya/Go-Security/blob/master/png-tests/png-chunk-extraction.go

CAP Theorem and Credit Cards

Thu, 22 Feb 2018 20:43:14 -0500

CAP Theorem is another of those blockchain buzzwords.

CAP stands for:

Consistency: Every read should get up-to-date data.
Availability: Every request should get a response.
Partition Tolerance: If a section of the network is partitioned/cut-off (messages are dropped), the network should continue to work.

CAP Theorem: A distributed network can only pick two.

Byzantine Generals' Problem

Wed, 21 Feb 2018 15:58:41 -0500

In the previous blog post, I talked about Byzantine Fault Tolerance. It was sort of a jump into the middle of everything. In this post I will take a step back and look at the history behind BFT. This is my short post about the Byzantine Generals' Problem.

Byzantine Fault Tolerance and the Telephone Game

Sun, 18 Feb 2018 21:14:05 -0500

This distributed ledger thing clicked when I realized a blockchain is just a distributed network. Like any other model, blockchains attempt to solve a few problems and as a result introduce some challenges. Byzantine Fault Tolerance or BFT is one of those buzzwords that go around during nowadays. Blockchains have consensus models that claim to achieve BFT.

Here are my notes on BFT and how it relates to blockchains. I do not claim these notes to be neither complete nor correct. I am still learning. This is not an academic paper. I am just writing down what worked for me in hopes of helping others. That said, if you have any feedback, you know where to find me.

Notes from NISTIR 8202 - Blockchain Technology Overview January 2018 Draft

Thu, 08 Feb 2018 21:52:41 -0500

I read the NISTIR 8202 - Blockchain Technology Overview draft so you do not have to. These are my notes from the January 2018 version of the document.

After reading this, you will know enough buzzwords to add Blockchain Expert to your LinkedIn title/Twitter bio/email signature.

You can find a copy of the draft at:

https://csrc.nist.gov/CSRC/media/Publications/nistir/8202/draft/documents/nistir8202-draft.pdf

VirtualBox Live State File Format

Mon, 29 Jan 2018 00:10:03 -0500

In Mounting Live Snapshots of Encrypted VMs in VirtualBox we mounted a live snapshot and logged into the machine. We also got a sneak peek of what kind of information we can extract from the live snapshot (sav file).

In this post I will talk about parts of the live state file format and show some data that can be extracted from these files. The format is not formally documented but we have access to commented source.

To make it easier, I have uploaded the live state from our previous MysteryVM separately. You can download it from Google Drive (45 MB).

Mounting Live Snapshots of Encrypted VMs in VirtualBox

Tue, 23 Jan 2018 22:24:39 -0500

TL;DR

Problem: We have an encrypted Virtual Machine (VM) disk and the associated VirtualBox (VBox) live snapshot (taken when user was logged in). Mount the VM and restore the live snapshot to get access to the data.

It seems pretty easy, but turns out it's not and looks to be a first of its kind tutorial (at least public). This is surprising because I can imagine this issue being a recurring problem in the forensics community.

A few days ago I did a couple of Forensics challenges. Both involved mounting images and analyzing the contents of a VM. The second challenge was a disk and a live snapshot. Part of the challenge involved mounting the snapshot and restoring the state to log in.

It's an ongoing challenge so I do not want to spill the beans. Instead, I have re-created a VM to show what I did. Hopefully this will help the next person with a similar problem.

Decoding Large Base64 Files with Go

Fri, 19 Jan 2018 22:45:55 -0500

I am working on this challenge and it has a large base64 file. Each line has 2 characters and it has 150+ million lines.

Luckily we can use the Base64 stream decoder. It reads from an io.Reader and returns one that can be copied into an io.Writer. It also takes care of the new lines.

Sample code is at:

https://github.com/parsiya/Go-Security/blob/master/base64-stream-decoder/b64-stream-decoder.go.

Simple SSH Harvester in Go

Fri, 29 Dec 2017 13:40:56 -0500

During my Go SSH adventures at Hacking with Go I wanted to write a simple SSH harvester. As usual, the tool turned out to be much larger than I thought.

I realized I cannot find any examples of SSH certificate verification. There are a few examples for host keys here and there. Even the certs_test.go file just checks the host name. There was a typo in an error message¹ in the crypto/ssh package but I think because this is not very much used, had gone unreported.

Here's my step by step guide to writing this tool by piggybacking on SSH host verification callbacks. Hopefully this will make it easier for the next person.

You can find the code here:

https://github.com/parsiya/SSH-Scanner/blob/master/SSHHarvesterv1.go

TL;DR: verifying SSH servers

Create an instance of ssh.CertChecker.
Set callback functions for IsHostAuthority, IsRevoked and optionally HostKeyFallback.
- IsHostAuthority's callback should return true for valid certificates.
- IsRevoked's callback should return false for valid certificates.
- HostKeyFallback's callback should return nil for valid certificates.
Create an instance of ssh.ClientConfig.
Set HostKeyCallback in ClientConfig to &ssh.CertChecker.CheckHostKey.
CheckHostKey will verify the certificate based on other callback functions.
The certificate can be accessed in IsRevoked callback function.

Windows XP 32-bit SP3 Virtual Machines

Tue, 19 Dec 2017 19:45:22 -0500

There used to be Windows XP virtual machines on modern.ie. I still have a couple of copies around for testing. Unfortunately after XP going out of support, they were removed. But the copies used to be on Azure CDN (credit /u/JoshBrodieNZ. Seems like they recently removed them too.

There's still a way to get Windows XP 32-bit VMs from Microsoft (no 64-bit) through Windows XP mode. It contains a VHD (virtual hard disk) with a 32-bit Windows XP SP3.

EDIT 2022-01-12: The link below is dead. Looks like Windows XP Mode was tied to Windows 7 and removed when it went EOL.

Download Microsoft XP Mode from https://www.microsoft.com/en-us/download/details.aspx?id=8002.
Using 7-zip or any other utility decompress the exe.
Inside sources, there's another file called xpm. Decompress it too. With 7-zip, right click on it and select "Extract to ... ."
One of the extracted files is VirtualXPVHD and around 1.2 GB. Rename it to VirtualXP.vhd.
In VirtualBox (or any other virtualization software that supports importing VHDs), create a new Windows XP 32-bit VM and use this file as the hard disk. When you start the VM, it will start a Windows XP setup. My mouse did not work, but you can use shortcut keys to navigate the installer (e.g. Alt+N for Next).
???
Profit.

For a step by step guide with pictures, check this post from howtogeek.com.

Go and pcaps

Sun, 03 Dec 2017 18:40:26 -0500

I was trying to solve a challenge where the "hidden data" were in ICMP echo payloads. I decided to do it in Go but there were some hiccups on the way. Here are my notes in case (most likely) future me or someone else needs to do the same.

Code is in my clone at:

https://github.com/parsiya/Go-Security/tree/master/pcap-tutorial

"Hacking" Car Mechanic Simulator 2015

Wed, 29 Nov 2017 20:29:30 -0500

Not real hacking!

Tl;dr:

Open this file with a hex editor:
- \AppData\LocalLow\Red Dot Games\Car Mechanic Simulator 2015\profile#\global
Search for money and xp.
Locate the int32 value of each property in little-endian.
Convert your current XP and money to hex to make the search easier.
Overwrite them with6F FF FF FF.
???
You have "hacked" the game.

It does not get easier than this.

cmd Startup Commands

Mon, 27 Nov 2017 23:13:55 -0500

This blog talks about how to run a command automatically every time you open a new command prompt on Windows.

Open registry.
Navigate to the following location:
- HKCU\Software\Microsoft\Command Processor
Double click Autorun and type in your command. For example:
- cd /d C:\Users\IEUser\Desktop\Whatever\
If the Autorun property is missing, create one with type REG_SZ.
Now every cmd will automatically cd to the Whatever directory.

I am going to keep blogging consistently (hopefully). This means breaking my habit of having to write extensive blog posts.

WinAppDbg - Part 4 - Bruteforcing FlareOn 2017 - Challenge 3

Wed, 15 Nov 2017 18:45:04 -0500

Previous parts:

We have learned some good stuff. In this part I am going to talk about the original problem that led me to learning WinAppDbg. This is my writeup for challenge 3 "Greek to me" of FlareOn 2017. This is a bruteforce challenge and is rather easy but instead of bruteforcing it the conventional (and straightforward way), I will show how I traversed arbitrary Assembly blobs using WinAppDbg.

I will (hopefully) mostly talk about solving the challenge and not a lot of recon or other places I was stuck at.

Code is in my clone:

https://github.com/parsiya/Parsia-Code/tree/master/winappdbg

WinAppDbg - Part 3 - Manipulating Function Calls

Wed, 15 Nov 2017 00:30:25 -0500

Previously on WinAppDbg-TV:

As usual, code is in my clone on Github. Download that directory to your VM and follow along:

https://github.com/parsiya/Parsia-Code/tree/master/winappdbg

In part two we learned how to hook functions by hooking IE and Firefox to see pre-TLS traffic. Just looking at function calls is fun but often not enough. We need to be able to modify function parameters and return values.

In this part we will learn how to do that (and a few other things). We will start with something simple and then move on to more complex examples.

WinAppDbg - Part 2 - Function Hooking and Others

Sat, 11 Nov 2017 12:04:48 -0500

In part one we talked about the basics of WinAppDbg. In this part we are going to learn a few new things:

I wrote a simple python module to simplify my use of WinAppDbg. It will most likely be modified later, but I have included a version that works with the tutorials at:
- https://github.com/parsiya/Parsia-Code/tree/master/winappdbg
- We do not need to type the full filename anymore if the executable is in PATH. Note Run Line (win+r) pulls stuff from more locations than PATH, so we cannot call chrome.exe. I have written about it here.
DLL enumeration: We're going to implement one of procmon's features.
Process/Thread tracing: Another procmon feature.
Function Hooking: It's very easy in WinAppDbg and we will learn how to do it a couple of different ways.
- We will hook pre-TLS encryption data for Internet Explorer and Firefox to hack the Gibson.

Copy this directory https://github.com/parsiya/Parsia-Code/tree/master/winappdbg to your VM and let's go.

WinAppDbg - Part 1 - Basics

Thu, 09 Nov 2017 19:22:24 -0500

WinAppDbg by Mario Vilas is perhaps one of the most underrated instrumentation frameworks for Windows. In this day and age where everyone write JavaScript code to hook functions (I am looking at you Frida), writing Python code feels great. Just kidding, Frida is pretty cool too.

Going around the web searching for tutorials did not give me many results. The docs are great, they are some of the most practical docs I have seen. But apart from that, I could not find much. There are some random code here and there where people have documented using it but there were no guides to get me started apart from the docs.

Here's the result of my learning. I am sharing it to fill the gap that I encountered while getting started with the tool. We're going to learn as we go using real-world applications and will write code. We will start from the basics, expanding our code-base as we learn more.

Code is in my clone at:

https://github.com/parsiya/Parsia-Code/tree/master/winappdbg

Silly Attack Using Run Line

Thu, 26 Oct 2017 21:11:55 -0400

Previously we saw how Windows Run Line searches in App Paths registry keys before PATH. We can perform a silly attack and create a registry key for an application in path and point it to another command.

This is a silly attack because we need to be admin to create/edit those keys. But if you ever find yourself in the unlikely situation, you can use this to become delayed admin (i.e. wait for admin to run the app via Run Line).

Run Line vs. cmd vs. PowerShell

Mon, 23 Oct 2017 22:01:50 -0400

Note about the differences between search paths when running stuff via the Windows Run Line (win+r), command line and PowerShell.

We can type iexplore in Run Line to open up Internet Explorer but doing the same in a cmd or PowerShell is not successful.

tl;dr\ Run Line looks in the following registry location then PATH. Credit Vic Laurie at commandwindows.com.

HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths

Search order

cmd searches first in local directory and then in PATH.
PowerShell searches first in PATH and then in local directory.
Run Line searches in App Paths first.

Usual blabbering and needless digging follows.

Thick Client Proxying - Part 8 - Notes on Proxying Windows Services

Sun, 08 Oct 2017 15:00:00 -0400

These are my notes about proxying Windows services. Being run from a different account (usually LocalSystem).

Proxy settings are usually configured per user and are not applicable to Windows services.

If you have to proxy a Windows service, here are some of the things you can try (and hope they work).

There are also some issues when using netsh to set WinHTTP proxies for 32-bit applications on Windows 7 64-bit.

Thick Client Proxying - Part 7 - Proxying .NET Applications via Config File

Sat, 07 Oct 2017 18:30:28 -0400

.NET applications use a configuration file to read some settings. It's an XML file named appName.exe.config. We can pass a proxy address in this file.

These apps usually use WinINET or IE proxy settings. Sometimes, they do not. We can either use an application specific config file or use one for the entire .NET framework for a machine.

Look inside the decompiled code (or just grep the binary files) for references to System.Configuration MSDN-page. Applications use ConfigurationManager and WebConfigurationManager classes to access these settings.

Razer Comms

Thu, 21 Sep 2017 22:45:20 -0400

A couple of years ago I looked at Razer Comms. I found a bunch of stuff that I never reported or pursued. I discovered the application is now retired so I am publishing these.

I did not look very hard but Razer Comms was essentially a webapp running via the Chromium Embedded Framework. There were no checks on channel authorizations. You could read every channel including ones protected with passwords.

You can see my notes at https://github.com/parsiya/Parsia-Clone/tree/master/research/razer-comms.

TLDR: Base64

Sun, 06 Aug 2017 13:54:45 -0400

Some quick notes about base64 encoding. URL safe and avoiding a pitfall when using Burp Decoder.

This document assumes you already know what base64 is and some of the major use-cases.

From Atom to Sublime Text

Sat, 08 Jul 2017 11:56:58 -0400

I have moved from Atom to Sublime. Atom is a nice editor with a lot of features but it has a lot of performance issues for what I want to do.

Below is my setup for reference. When I want to do it again in a year (or a new machine) I can just use everything here or just use the config files. You can find the config files in my clone:

https://github.com/parsiya/Parsia-Clone/tree/master/configs/sublime-text

The Great Hiatus

Mon, 01 Aug 2016 02:04:23 -0400

This is a blog from the future. This is a copy of my post from March 1st 2018.

I did not blog for almost exactly a year from July 28th 2016 to July 8th 2017.

This is not something new, if you look at my blog dates you can see I work in clusters. I do a few blogs about something interesting in quick succession and then don't do anything for a while.

Thick Client Proxying - Part 6: How HTTP(s) Proxies Work

Thu, 28 Jul 2016 02:04:23 -0400

In order to create our own custom proxies, first we need to know how proxies work. When I wanted to write a custom proxy tool (it's a simple Python script) in Hipchat part3, I had to go back and learn how they work. I did not find such a resource online that looked at proxies from an infosec perspective. Most talked about how to configure caching or forwarding proxies and not much about MitM ones. I have briefly talked about it in the section 2 of the same post named How does a Proxy Work?. In this post I am going to take a deep(er) dive. I actually read some RFCs and they were surprisingly well written.

If you want to skip the intro, go to section 3.

Gynvael Coldwind - Garage4Hackers - Notes from March 2014

Thu, 14 Jul 2016 23:03:51 -0400

Back in March 2014, Garage4Hackers had a live stream with Gynvael Coldwind. His talk was named "Data, data, data! I can't make bricks without clay" or a few practical notes on reverse-engineering. You can see the recording on youtube.

Here are my notes that I discovered from 2014.

Windows Netsh Interface Portproxy

Tue, 07 Jun 2016 22:29:49 -0400

I thought I had found the Windows iptables with Portproxy but I was wrong. But I learned something neat in the process and I am documenting it.

Portproxy allows you to listen on a certain port on one of your network interfaces (or all interfaces) and redirect all traffic destined to that interface to another port/IP.

The to that interface is the limitation that unfortunately kills it. This will be a short post.

Go Notes

Wed, 01 Jun 2016 20:35:00 -0400

These notes have moved to https://parsiya.io/dev/go/.

Learning Go

Wed, 01 Jun 2016 20:35:00 -0400

I have decided to learn Go (or Golang). I went through the Tour of Go and made some notes. Some of the items/code are directly copy pasted from there. The notes are just a cheatsheet to help me look things up quickly while learning. I will update that page as I learn more.

You can see the notes at https://parsiya.net/go/.

Thick Client Proxying - Part 5: FileHippo App Manager or the Bloated Hippo

Sun, 15 May 2016 16:55:24 -0400

I have talked a lot about this and that but have done nothing in action. Now I will talk about proxying actual applications. I will start with something easy, the FileHippo App Manager. This app was chosen because it can be proxied with Burp, it does not use TLS and it has its own proxy settings (also works with Internet Explorer proxy settings). The requests are pretty simple to understand. I like the FileHippo website because it archives old versions of software. For example I loved the non-bloated Yahoo! Messenger 8.0 when I used it (it's pretty popular in some places) and used FileHippo to download the old versions.

FileHippo App Manager turned out to be more interesting than I thought and this post turned into some .NET reverse engineering using dnSpy. Here's what I talk about in this post:

The app contains the AWS SDK and a fortunately invalid set of AWS Access/Secret keys. Both the SDK and the keys are in dead code.
Requests have an AccessToken header which is generated client-side. We will discuss how it is generated.
The application has a "hidden" DEBUG mode which unfortunately does nothing special. We will discover how to enable it.

Looking for Apps to Proxy

Mon, 09 May 2016 01:37:41 -0400

It's been a while since Burp part four and I want to continue writing these. It's time to actually proxy applications. However I have three problems:

I was too busy at work.
I could not find a lot of interesting applications that are interesting to proxy and can showcase different Burp functionalities that we talked about.
I found some interesting applications but there were security vulns so I am going through disclosure (unfortunately I may never be able to release them publicly).

The last point was a surprise, these are decently popular apps and I could not believe that no one has looked at them before.

Nevertheless, I will continue soon.

In the meanwhile, Burp version 1.7 has been released. Now we have Burp projects. Instead of saving the state everyday, we can use one project file that contains all the items. Pretty cool. Some of the items have changed, especially options. Now it has User Options and Project Options but the options by themselves are still there.

Cloudfront and TLS

Thu, 14 Apr 2016 20:45:15 -0400

I finally decided to cave in and take advantage of the Amazon Cloudfront free TLS certificate. I know I will end up paying more than what I already do but I pay few bucks each month. Each month I pay one dollar for two hosted zones and another dollar or so for the bandwidth. Even if I was still in my home country, I would have been able to pay this as it is less than a large pizza even where I lived.

If you are interested in free hosting alternatives, you can use Github-pages, Bitbucket or just go with the excellent Gitlab-Pages (which supports Hugo and whole lot of other static website generators natively).

It took me a lot of tries and probably burning a good amount of money on Cloudfront invalidation requests (otherwise I had to wait for a day or so to see the changes) but it finally worked. The trick was to setup the origin policy during creation of the distribution as it cannot be modified through the web portal after that.

Burp part five is still on hold for now because I am doing something else.

Thick Client Proxying - Part 4: Burp in Proxy Chains

Thu, 07 Apr 2016 21:17:25 -0400

In this post I will talk about using Burp as part of a proxy chain. The number of applications that can be proxied by Burp and used with Burp in proxy chains is infinite for documentation purposes. Instead I am going to demonstrate how to use some of more used tools with Burp in proxy chain. All of this is going to happen on a Windows 7 Virtual Machine (VM).

These applications/utilities are:

Cygwin: I will use cURL commands for demonstration purposes.
IBM Appscan Standard: I will use the evaluation version.
Charles Proxy: For when you have to use multiple proxies.
Fiddler: Same as above.
SoapUI

You don't need Burp Pro to play along and apart from Appscan, all application are free to use. For Appscan we will use the evaluation version which is free for its demo test.

Hugo Octopress Update

Sun, 03 Apr 2016 13:13:39 -0400

I have made a good number of changes to the Hugo-Octopress theme. As I have been using the theme more and more, I have realized there were a bunch of bugs (some were pointed out on Github).

Apart from Bugs, I had hardcoded too many settings in the theme. For example, modifying the text in the sidebar could only be accomplished by changing the sidebar template. Ideally user should not need to modify anything in the theme and it should be customizable by just using the config file.

In the end I created a bunch of issues on Github and then closed them myself. I am not quite sure if this is correct git but eh :D

Thick Client Proxying - Part 3: Burp Options and Extender

Sat, 02 Apr 2016 20:22:37 -0400

Previous parts:

Almost there, I will get through Options and Extender in this part and we will actually start doing stuff moving forward.

Thick Client Proxying - Part 2: Burp History, Intruder, Scanner and More

Tue, 29 Mar 2016 19:57:53 -0400

In part1 I talked about some of Burp's functionalities with regards to testing non-webapps. I did not expect it to be that long, originally I had intended to just shared some quick tips that I use. Now you are forced to read my drivel.

In this part I will talk about Target > Scope, Proxy > HTTP History and Intruder/Scanner. I will discuss a bit of Scanner, Repeater and Comparer too, but there is not much to discuss for the last three. They are pretty straightforward.

Thick Client Proxying - Part 1: Burp Interception and Proxy Listeners

Sun, 27 Mar 2016 02:45:03 -0400

Burp is not just used for web application testing. I usually use it during mobile and thick client tests. If the application is using HTTP methods then Burp is your best friend.

I am going to document a bunch of Burp tips and tricks that have helped me during my work. One purpose is to share it with the world and not be the other guy from Wham! (:D) and the other is to have it in an accessible place (similar to the cheat sheet in the menu).

This part one I talk about Interception and Proxy listeners which are configured via Proxy > Options.

At the time of writing the current version of Burp Pro is 1.6.39 and most items should apply to the current Burp Free version (1.6.32). Most settings have not changed since I started working with Burp (v1.5). You can download Burp from: https://portswigger.net/burp/download.html.

When I started this, I did not think I have so much stuff to write about Burp. So I broke it into multiple parts. Please note that these series of posts are not targeted towards web application testing so I have skipped some functionalities. If you have any favorite tips or usecases and want them included with credit please let me know, as usual feedback is always welcome.

Cheat Sheet

Wed, 24 Feb 2016 22:29:57 -0500

You will find those commands and tips that I need from time to time (and usually forget when I need them). This is a page to complement my clone at parsiya.io and gives me a simple repository of how-tos I can access online. Look at the table of contents below or ctrl+f and search for keywords.

Tar

Insert XKCD 1168, hur dur!

Installing Burp Certificate Authority in Windows Certificate Store

Sun, 21 Feb 2016 14:42:41 -0500

I was writing another blog post and I realized that I keep repeating how to do the same things, so I decided to write some tutorial-ish things and just link them.

Burp uses custom certificates to Man-in-the-Middle (MitM) the traffic. All of these certificates are signed by Burp's root Certificate Authority (CA). Each installation of Burp generates its own root CA that needs to be installed in the browser or Operating System's certificate store to be recognized properly. Otherwise browsers will return warnings and some thick client applications will not recognize these certificates as valid.

Each installation of Burp generates its own root CA so it is unlikely that others can gain access to it and sign certificates to MitM your connection. To get the certificate's private key, the attackers need to get to your local machine and if so they have better ways to look at your traffic anyway.

Alternate instructions by Portswigger: https://support.portswigger.net/customer/en/portal/articles/1783075-installing-burp-s-ca-certificate-in-your-browser

For instructions on installing/removing Burp's CA in other browsers and devices please use Portswigger's website: https://support.portswigger.net/customer/en/portal/articles/1783075-installing-burp-s-ca-certificate-in-your-browser.

Note: These instructions are for Burp version 1.6.37 Pro and 1.6.32 Free. As long as I remember (v1.5) these instructions have not changed, although they may change in the future but I really doubt it.

Archive Page in Hugo

Sun, 14 Feb 2016 20:52:45 -0500

This is a re-hash of my answer on Hugo forums about creating a custom archive page. You can see the answer here.

Creating a custom archive page in Hugo is pretty simple. I think there are better ways to do this but this works as of version 0.15.

From Octopress to Hugo

Tue, 02 Feb 2016 22:58:26 -0500

In my previous post I talked about why I moved from Octopress to Hugo. You can also see the last archive of my Octopress blog (previously a private repo on Bitbucket) on github and this is the new site. If I had wanted to use an already existing Hugo theme, it would have not taken more than a few hours.

In this post I am going to talk about how I managed the migration and any interesting things that I encountered in the process. I will also introduce the Hugo-Octopress theme (you are looking at it), which is the classic Octopress theme ported to Hugo. If you like what you see, please go ahead and use it. If there are any issues please use the Github issue tracker or contact me another way. I will try my best to fix them but please remember that I am not a developer and do not know much about css :).

Why Hugo?

Sun, 31 Jan 2016 20:22:19 -0500

As you may have noticed (well no one reads this so I am fine), I have moved from Octopress to Hugo. I have been trying to make this change for a while but due to laziness and some other matters it did not happen. I am going to talk about why I decided on the move and what I did. In then ext post I will talk about my migration from Octopress to Hugo.

Intro to .NET Remoting for Hackers

Sat, 14 Nov 2015 16:22:36 +0000

This is a simple tutorial about .NET Remoting. I am going to re-create a very simple RCE and local privilege escalation that I encountered in my projects and use it to explain .NET Remoting and simple debugging in dnSpy.

In this post we will:

Do a brief introduction to .NET Remoting
Develop a simple .NET Remoting client and a vulnerable server in Visual Studio
Observe .NET Remoting traffic
See .NET Remoting in action by doing some basic debugging with dnSpy
Re-create the vulnerable application
Use dnSpy to patch and create modified .NET modules to exploit our sample vulnerable server

If you know of any applications that use .NET Remoting please let me know. I want to look at them.

Code is at:

https://github.com/parsiya/Parsia-Code/tree/master/net-remoting

Proxying Hipchat Part 3: SSL Added and Removed Here :^)

Mon, 19 Oct 2015 21:42:10 +0000

Finally we are at part 3 of proxying Hipchat. This has been quite the adventure. In part1 we identified the endpoints. In part2 we answered the question “So you think you can use Burp” with yes and proxied some of Hipchat's traffic with Burp.

In this part we will talk about developing our own proxy in Python to view Hipchat's traffic to/form hipchatserver.com (our example Hipchat server). First we are going to discuss how proxies work and we will get over Burp breaking our heart by creating our own proxy in Python to observe and dump the traffic in plaintext.

Related (crappy) code is at now in my clone at:

https://github.com/parsiya/Parsia-Code/tree/master/hipchat-proxy

For a similar effort (although with a much more complex proxy in erlang) look at http://blog.silentsignal.eu/2015/10/02/proxying-nonstandard-https-traffic/.

Proxying Hipchat Part 2: So You Think You Can Use Burp?

Fri, 09 Oct 2015 22:34:37 +0000

In part1 I talked about identifying Hipchat endpoints and promised to discuss proxying the application. In this post I will show how to proxy some of Hipchat's traffic using Burp.

This is specific to Hipchat client for Windows. The current version at the time of writing was is 2.2.1361. Atlassian is skipping version 3 and version 4 still in beta.

Proxying Hipchat Part 1: Where did the Traffic Go?

Thu, 08 Oct 2015 23:05:24 +0000

This is a slightly different version of a series of blog post that I wrote on our internal blog about proxying. I see that proxying traffic is a time consuming step in testing thick client applications so I thought I would share what I know. I tackled Hipchat. Why Hipchat? Because it uses a known protocol (XMPP) and I thought it's an interesting application.

I used Hipchat Windows client version 2. At the time of writing version 4 is in beta. In this part we will see how we can identify endpoints from traffic captures even when they are behind a load balancer/shared hosting etc. In next parts we will start proxying.

Network Traffic Attribution on Windows

Sat, 01 Aug 2015 19:37:42 +0000

Thick client assessments come in different flavors. Most of our work is on consumer applications where consumer means either the customer or an employee of our client. But these applications usually have network communications.

When looking at thick client applications from a network traffic perspective, we face two big challenges:

Traffic Attribution or Where does this traffic come from?: How to we identify application's traffic? The operating system (in this case Windows) is running many applications and services. Each of them may have network connectivity.
Proxying Traffic or How do I look view/modify traffic?: This is more challenging and involves capturing, modifying and in a lot of cases decrypting/decoding target application's traffic. This could be as easy as setting up Burp via an application setting (EZ-mode) or as hard as setting up your own access point to capture a device's traffic then developing your own decryption plugin for your proxy tool (good luck).

In this post, I will be talking about the much easier first challenge. I will be talking about some of the tools and techniques that I use to accomplish this. This is not a groundbreaking post ;). We will use a simple application, in this case notepad++.

Image Popup and Octopress

Sun, 26 Jul 2015 23:02:58 +0000

Update: I have migrated the blog to Hugo and I do not use this anymore. However, it is still in the repository.

I finally realized that I need an image popup plugin. The image plugins that I usually use do not support this. They are fine for normal images but not for larger ones. When I see a screenshot of a tool, I want to be able to zoom in. In my quest I looked at a few plugins and methods and finally decided to use https://github.com/ctdk/octopress-image-popup. It creates resized thumbnails automatically and the installation procedure is short and simple.

However, it did not work for me out of the box. I created a test post with just an image and while the plugin worked, there are things that I did not like about it.

Tales from the Crypt(o) - Leaking AES Keys

Tue, 06 Jan 2015 23:36:48 +0000

This post is part one of a two part internal blog entry on creating a Pintool for an assessment. Unfortunately I cannot talk about it, so I decided to put the first part out. If I find an opensource program similar to the assessment I will try and recreate the tool (but I am not holding my breath). As this part is essentially a build up, it may not be coherent at times. Alteratively, if you really want to read it, you can join us. We are almost always hiring (let me do the referral though ;).

Today we are going to talk about discovering encryption keys in sneaky ways. We will start with simple examples, do a bit of Digital Forensics or DF (for low standards of DF) and finally in part two we will use our recently acquired knowledge of Pintool to do [redacted].

First let's talk a bit about the inner-workings of AES decryption. By inner-workings of AES I do not mean the following diagrams that you have seen so many times.

Pin Adventures - Chapter 1 - PinSolver Mk1

Mon, 08 Dec 2014 20:46:59 +0000

While writing the writeups for the Flare On Challenge 6 I came upon an alternative solution by @gaasedelen to use the number of executed instructions as a side-channel. Recently during an engagement I used Pintool to do [redacted]. Now that I have a bit of time, I decided to use the idea to write such a tool.

As an example, we will use a C program that checks input for a hardcoded value using strncmp. We want to see if it's vulnerable to this side-channel (number of executed instructions).

Building memfetch on Kali + Comments

Tue, 18 Nov 2014 23:21:01 +0000

I've used Disqus to add comments. At the moment, guests can comment and comments do not need to be approved (unless they have links). Hopefully there won't be much spam to sink the occasional comment that I think will be posted.

Update from 2020: Comments without approval were a mistake. I got so much spam and harassment.

Note: I just wanted to make it work in a hurry. There are probably better ways of doing this.

I stumbled upon the very useful tool memfetch by the talented lcamtuf. The utility is quite old (from 2003 if I recall correctly) and I could not build it using the provided makefile.

My Adventure with Fireeye FLARE Challenge

Tue, 23 Sep 2014 02:31:44 +0000

These are my (rather long) solutions to Fireeye's FLARE challenge. This is just not the solution but other ways that I tried. This was a great learning experience for me so I am writing this post to document everything I tried. As a result, this post is somewhat long.

If you have any feedback, please let me know. I spent a lot of time on this writeup and I am always happy to learn new stuff. My email and twitter handle are in the sidebar.

I am a bit late to the party. There ~~were two~~ are now other three solutions posted (that I know of). Check them out.

Detailed Solutions to FireEye FLARE Challenge
A Walk through for FLARE RE Challenges
The FLARE On Challenge Solutions by Fireye
- Part 1 - solutions for challenges 1 to 5
- Part 2 - solutions for challenges 6 and 7

Malware Adventure

Sun, 21 Sep 2014 19:11:43 +0000

Update 28 Oct 2017:\ I have moved most of my code under one repository. Malware adventure is copied at two places:

A fork of PAWS is here:

https://github.com/Moonbase59/PAWS

I finally caved in and started to push some of my code to ~~github~~ bitbucket. It is located at https://bitbucket.org/parsiya and is almost empty ;).

This is Malware Adventure. It's a small adventure game I wrote using PAWS. PAWS is Pyhton Adventure Writing System by Roger Plowman. Get it from http://home.fuse.net/wolfonenet/PAWS.htm. It's great.

Fireeye's FLARE Challenge

Tue, 02 Sep 2014 00:34:00 +0000

It's been a while. I know I should have updated more frequently but lazyness prevails.
Anyway, I was busy doing Fireeye's FlARE challenges for a month or so (it was depressing to see people finish in 10 hours :). You can find the challenges at http://flare-on.com. I learned a lot doing them. They will release solutions in 2 weeks. I am also working on a writeup which I will release then. I think it will be interesting as it will be a n00b's perspective.

Apple's Common Crypto Library Defaults to a Zero IV if One is not Provided

Thu, 03 Jul 2014 01:30:18 +0000

Today I was writing some guidelines about generating keys for mobile applications at work. While providing code examples in Java and Obj-C for AES encryption I happened to look at Apple's [Common Crypto] CCLink library . While going through the source code for [CommonCryptor.c] CCLink2, I noticed that IV is commented as /* optional initialization vector */. This makes sense because not all ciphers use IV and not all AES modes of operation (e.g. ECB mode). However; if an IV is not provided, the library will default to a zero IV.

Piping SSL/TLS Traffic from SoapUI to Burp

Wed, 25 Jun 2014 22:04:53 +0000

Recently I was trying to test a web service. The traffic was over SSL/TLS and everything was fine. As I am better with Burp than SoapUI, I wanted to use Burp as a proxy for SoapUI. This should be an easy matter. Burp will create a custom certificate (signed by its root CA) for each site and effectively Man-in-the-Middle the connection. But this time it was different, I was getting the dreaded Peer not Authenticated error. This meant that SoapUI did not recognize Burp's custom certificate.

Pasting Shellcode in GDB using Python

Sun, 25 May 2014 18:39:58 +0000

A few days ago I was trying to write an exploit for a buffer overflow with GDB. This was a console application and pasting shellcode would mess with it.

There are a few options:

Writing shellcode to a file and then using it as input for GDB.

# you can also include GDB commands like setting up breakpoints (e.g. b * 0xDEADBEEF)
# remember to include a new line after each command
$ python -c 'print "b * 0xDEADBEEF" + "\n" + "\x41"*1000 + "\n"' > input

# $ perl -e for perl

# start debugging with GDB
# -q (quiet mode): no text at startup
$ gdb executable1 -q
(gdb) run < input

After this you can manually debug in GDB.

Amazon S3 and CSS

Tue, 22 Apr 2014 14:03:32 +0000

After I deployed my blog to Amazon S3, I realized that there was no CSS applied to the pages. In Octopress, the look and feel of website is managed by stylesheets/screen.css. It was fine in rake preview but not on the S3 bucket. I looked around for a few hours to no avail. There was one other person who had the same issue on [stackoverflow] stackoverflowlink but no answers. Relevant [xkcd] xkcdlink:

Now hosted on Amazon S3

Sun, 20 Apr 2014 13:20:24 +0000

I moved my blog from Bluehost to Amazon S3. I have not used Cloudfront yet, I doubt my blog has any visitors to justify that.

It was really easy to redirect everything to cryptogangsta.com. parsiya.net, www.parsiya.net and www.cryptogangsta.com should all point to cryptogangsta.com.

I have decided (for n-th time) to start updating this blog. Hopefully I will do it this time, I have some ideas to keep this blog running ;).

How do I TLS Ciphersuite?

Sun, 17 Nov 2013 00:00:00 +0000

“Should we use RC4 or AES-CBC ?” This is a legitimate question. Many have heard of the highly publicized attacks against AES-CBC (CRIME, BEAST etc) and lean towards RC4. If asked (granted no one asks me), my answer would be: If you can control web servers (not feasible in all situations) and users' browsers (almost impossible), upgrade to TLS 1.2 and go with AES-GCM. However, not many browsers supported these and to be honest, more users trumps loss of security in many cases.

Microsoft Bluehat Challenges

Sun, 29 Sep 2013 00:00:00 +0000

Microsoft has released their Bluehat challenges. You answer the challenge, send it out and if correct they will send the next level (at least that is what they say).

There are three categories: Reverse Engineering, Web and Vulnerabilities.

The first Reverse Engineering challenge was quite easy. But it was level 1 and I do not expect anti-debugging techniques. Let's see about the next level.

Anyway, Enjoy. Linkie.

Snow Crash and Malware

Mon, 23 Sep 2013 00:00:00 +0000

So I finished "Snow Crash" and it was quite nice. The concept of linguistic malware was interesting and ahead of its time. I noticed that the term "Virus" was used correctly in the book as the malware was not propagating between people (then it would become a worm). Although I suspect it was due to the fact that most people (read almost everyone) calls any malware a "virus". Nevertheless, it was a very enjoyable read.

Update Inc

Fri, 20 Sep 2013 00:00:00 +0000

So, I transferred my domain from my last provider, it has not taken effect yet. Also, I need to start populating the website with relevant stuff. Hang on, I will be back soon ™!

MarkDown and Cookie Clicker

Sun, 15 Sep 2013 00:00:00 +0000

Markdown looks like an easy-ish language to start (probably not so easy to master of course). Although compared to writing LaTeX source, it is a breeze. During my last year at JHU I started writing the reports and what not directly into LaTeX, I think using MarkDown for blogging and MS Office at work is going to take away my old skills.

On a side note, I am now up to around 500 million cookies per second (CpS) in Cookie Clicker. I was stuck at 200 million CpS for a week or so until I could start making Antimatter Condensers. I may have missed them before as they were not visible in the side-bar and I had to scroll down to see them.

Hello Octopress

Sat, 14 Sep 2013 00:00:00 +0000

** Octopress is here **

To be honest setting it up took a while (I had this feeling that I should set it up on my host but well let's say I am a n00b and am allowed to make mistakes) :D

Now I have to learn markdown which is probably a good thing, unless I can write blog posts in different formats. Note to self: search to see if we can write blogs in LaTeX. That would be too geeky.

Who is this guy?

Tue, 01 Jan 2013 21:40:56 -0500

I am Parsia, I try to do security most days.

2024-Present: Senior Offensive Security Engineer at Microsoft. Ignore my title, I am an application security engineer :).

2022-2024: Sabbatical. Dev contract work for a static analysis tool that automatically generates an OpenAPI spec from the backend source code. Some security research, mainly static analysis and Rust. See Personal Semgrep Server in Rust, semgrep-rs: Rust crate to interact with Semgrep, and some tree-sitter stuff.

All Posts

Mon, 01 Jan 0001 00:00:00 +0000

License

Mon, 01 Jan 0001 00:00:00 +0000

I want people to be able to use anything if they want to with attribution and without warranty. I think these licenses are appropriate. Please let me know if there are better licenses that achieve this goal.

Content License

Except where otherwise noted, my non-code content on this website is licensed under a Creative Commons BY-NC 4.0 (Creative Commons Attribution-Non Commercial 4.0).