Parsia's Den

Because no one wants to be the other guy from Wham!

Jan 31, 2016 - 5 minute read - Comments - Migration to Hugo Not Security

Why Hugo?

As you may have noticed (well no one reads this so I am fine), I have moved from Octopress to Hugo. I have been trying to make this change for a while but due to laziness and some other matters it did not happen. I am going to talk about why I decided on the move and what I did. In then ext post I will talk about my migration from Octopress to Hugo.

Nov 14, 2015 - 23 minute read - Comments - Reverse Engineering

Intro to .NET Remoting for Hackers

This is a simple tutorial about .NET Remoting. I am going to re-create a very simple RCE and local privilege escalation that I encountered in my projects and use it to explain .NET Remoting and simple debugging in dnSpy.

In this post we will:

  1. Do a brief introduction to .NET Remoting
  2. Develop a simple .NET Remoting client and a vulnerable server in Visual Studio
  3. Observe .NET Remoting traffic
  4. See .NET Remoting in action by doing some basic debugging with dnSpy
  5. Re-create the vulnerable application
  6. Use dnSpy to patch and create modified .NET modules to exploit our sample vulnerable server

If you know of any applications that use .NET Remoting please let me know. I want to look at them.

Oct 19, 2015 - 20 minute read - Comments - Thick Client Proxying Hipchat

Proxying Hipchat Part 3: SSL Added and Removed Here :^)

Finally we are at part 3 of proxying Hipchat. This has been quite the adventure. In part1 we identified the endpoints. In part2 we answered the question “So you think you can use Burp” with yes and proxied some of Hipchat’s traffic with Burp.

In this part we will talk about developing our own proxy in Python to view Hipchat’s traffic to/form (which our example Hipchat server). First we are going to discuss how proxies work and we will get over Burp breaking our heart by creating our own proxy in Python to observe and dump the traffic in plaintext.

Related (crappy) code is at:

For a similar effort (although with a much more complex proxy in erlang) look at this post:

Oct 9, 2015 - 7 minute read - Comments - Thick Client Proxying Hipchat

Proxying Hipchat Part 2: So You Think You Can Use Burp?

In part1 I talked about identifying Hipchat endpoints and promised to discuss proxying the application. In this post I will show how to proxy some of Hipchat’s traffic using Burp.

This is specific to Hipchat client for Windows. The current version at the time of writing was is 2.2.1361. Atlassian is skipping version 3 and version 4 still in beta.

Oct 8, 2015 - 7 minute read - Comments - Hipchat Thick Client Proxying

Proxying Hipchat Part 1: Where did the Traffic Go?

This is a slightly different version of a series of blog post that I wrote on our internal blog about proxying. I see that proxying traffic is a time consuming step in testing thick client applications so I thought I would share what I know. I tackled Hipchat. Why Hipchat? Because it uses a known protocol (XMPP) and I thought it’s an interesting application.

I used Hipchat Windows client version 2. At the time of writing version 4 is in beta. In this part we will see how we can identify endpoints from traffic captures even when they are behind a load balancer/shared hosting etc. In next parts we will start proxying.

Aug 1, 2015 - 8 minute read - Comments - Traffic

Network Traffic Attribution on Windows

Thick client assessments come in different flavors. Most of our work is on consumer applications where consumer means either the customer or an employee of our client. But these applications usually have network communications.

When looking at thick client applications from a network traffic perspective, we face two big challenges:

  1. Traffic Attribution or Where does this traffic come from?: How to we identify application’s traffic? The operating system (in this case Windows) is running many applications and services. Each of them may have network connectivity.

  2. Proxying Traffic or How do I look view/modify traffic?: This is more challenging and involves capturing, modifying and in a lot of cases decrypting/decoding target application’s traffic. This could be as easy as setting up Burp via an application setting (EZ-mode) or as hard as setting up your own access point to capture a device’s traffic then developing your own decryption plugin for your proxy tool (good luck).

In this post, I will be talking about the much easier first challenge. I will be talking about some of the tools and techniques that I use to accomplish this. This is not a groundbreaking post ;). We will use a simple application, in this case notepad++.