Parsia's Den

Because no one wants to be the other guy from Wham!

Oct 19, 2015 - 20 minute read - Comments - Thick Client Proxying Hipchat

Proxying Hipchat Part 3: SSL Added and Removed Here :^)

Finally we are at part 3 of proxying Hipchat. This has been quite the adventure. In part1 we identified the endpoints. In part2 we answered the question “So you think you can use Burp” with yes and proxied some of Hipchat’s traffic with Burp.

In this part we will talk about developing our own proxy in Python to view Hipchat's traffic to/from hipchatserver.com (our example Hipchat server). First we are going to discuss how proxies work, and then we will get over Burp breaking our heart by creating our own proxy in Python to observe and dump the traffic in plaintext.

Related (crappy) code is at: https://bitbucket.org/parsiya/hipchat-proxy/src/.

For a similar effort (although with a much more complex proxy in erlang) look at this post: http://blog.silentsignal.eu/2015/10/02/proxying-nonstandard-https-traffic/.

Oct 9, 2015 - 7 minute read - Comments - Thick Client Proxying Hipchat

Proxying Hipchat Part 2: So You Think You Can Use Burp?

In part1 I talked about identifying Hipchat endpoints and promised to discuss proxying the application. In this post I will show how to proxy some of Hipchat’s traffic using Burp.

This is specific to the Hipchat client for Windows. The current version at the time of writing was 2.2.1361. Atlassian is skipping version 3, and version 4 is still in beta.

Oct 8, 2015 - 7 minute read - Comments - Hipchat Thick Client Proxying

Proxying Hipchat Part 1: Where did the Traffic Go?

This is a slightly different version of a series of blog posts that I wrote on our internal blog about proxying. I see that proxying traffic is a time-consuming step in testing thick client applications, so I thought I would share what I know. I tackled Hipchat. Why Hipchat? Because it uses a known protocol (XMPP) and I thought it's an interesting application.

I used Hipchat Windows client version 2. At the time of writing, version 4 is in beta. In this part we will see how we can identify endpoints from traffic captures even when they are behind a load balancer, shared hosting, etc. In the next parts we will start proxying.

Aug 1, 2015 - 8 minute read - Comments - Traffic

Network Traffic Attribution on Windows

Thick client assessments come in different flavors. Most of our work is on consumer applications where consumer means either the customer or an employee of our client. But these applications usually have network communications.

When looking at thick client applications from a network traffic perspective, we face two big challenges:

  1. Traffic Attribution, or "Where does this traffic come from?": How do we identify the application's traffic? The operating system (in this case Windows) is running many applications and services. Each of them may have network connectivity.

  2. Proxying Traffic, or "How do I view/modify traffic?": This is more challenging and involves capturing, modifying and in a lot of cases decrypting/decoding the target application's traffic. This could be as easy as setting up Burp via an application setting (EZ-mode) or as hard as setting up your own access point to capture a device's traffic and then developing your own decryption plugin for your proxy tool (good luck).

In this post, I will be talking about the much easier first challenge and some of the tools and techniques that I use to accomplish this. This is not a groundbreaking post ;). We will use a simple application, in this case notepad++.

Jul 26, 2015 - 3 minute read - Comments - Octopress Not Security

Image Popup and Octopress

Update: I have migrated the blog to Hugo and I do not use this anymore. However, it is still in the repository.

I finally realized that I need an image popup plugin. The image plugins that I usually use do not support this. They are fine for normal images but not for larger ones. When I see a screenshot of a tool, I want to be able to zoom in. In my quest I looked at a few plugins and methods and finally decided to use https://github.com/ctdk/octopress-image-popup. It creates resized thumbnails automatically and the installation procedure is short and simple.

However, it did not work for me out of the box. I created a test post with just an image and while the plugin worked, there are things that I did not like about it.

Jan 6, 2015 - 27 minute read - Comments - Crypto Reverse Engineering

Tales from the Crypt(o) - Leaking AES Keys

This post is part one of a two-part internal blog entry on creating a Pintool for an assessment. Unfortunately I cannot talk about it, so I decided to put the first part out. If I find an open-source program similar to the assessment I will try and recreate the tool (but I am not holding my breath). As this part is essentially a build-up, it may not be coherent at times. Alternatively, if you really want to read it, you can join us. We are almost always hiring (let me do the referral though ;).

Today we are going to talk about discovering encryption keys in sneaky ways. We will start with simple examples, do a bit of Digital Forensics or DF (for low standards of DF) and finally in part two we will use our recently acquired knowledge of Pintool to do [redacted].

First, let's talk a bit about the inner workings of AES decryption. By inner workings of AES I do not mean the following diagrams that you have seen so many times.