Parsia's Den

Because no one wants to be the other guy from Wham!

Oct 8, 2015 - 7 minute read - Comments - Hipchat Thick Client Proxying

Proxying Hipchat Part 1: Where did the Traffic Go?

This is a slightly different version of a series of blog posts that I wrote on our internal blog about proxying. I see that proxying traffic is a time-consuming step in testing thick client applications, so I thought I would share what I know. I tackled Hipchat. Why Hipchat? Because it uses a known protocol (XMPP) and I thought it was an interesting application.

I used the Hipchat Windows client, version 2. At the time of writing, version 4 is in beta. In this part we will see how to identify endpoints from traffic captures even when they sit behind a load balancer, shared hosting, etc. In the next parts we will start proxying.

Aug 1, 2015 - 8 minute read - Comments - Traffic

Network Traffic Attribution on Windows

Thick client assessments come in different flavors. Most of our work is on consumer applications, where consumer means either the customer or an employee of our client. These applications usually have network communications.

When looking at thick client applications from a network traffic perspective, we face two big challenges:

  1. Traffic Attribution, or Where does this traffic come from?: How do we identify the application’s traffic? The operating system (in this case Windows) is running many applications and services, each of which may have network connectivity.

  2. Proxying Traffic, or How do I view/modify traffic?: This is more challenging and involves capturing, modifying and in many cases decrypting/decoding the target application’s traffic. This could be as easy as pointing the application at Burp via an application setting (EZ-mode) or as hard as setting up your own access point to capture a device’s traffic and then developing your own decryption plugin for your proxy tool (good luck).

In this post, I will be talking about the much easier first challenge and some of the tools and techniques that I use to accomplish it. This is not a groundbreaking post ;). We will use a simple application, in this case Notepad++.

Jul 26, 2015 - 3 minute read - Comments - Octopress Not Security

Image Popup and Octopress

Update: I have migrated the blog to Hugo and I do not use this anymore. However, it is still in the repository.

I finally realized that I need an image popup plugin. The image plugins that I usually use do not support this. They are fine for normal images but not for larger ones. When I see a screenshot of a tool, I want to be able to zoom in. In my quest I looked at a few plugins and methods and finally decided to use one that creates resized thumbnails automatically and has a short and simple installation procedure.

However, it did not work for me out of the box. I created a test post with just an image and, while the plugin worked, there were things that I did not like about it.

Jan 6, 2015 - 27 minute read - Comments - Crypto Reverse Engineering

Tales from the Crypt(o) - Leaking AES Keys

This post is part one of a two-part internal blog entry on creating a Pintool for an assessment. Unfortunately I cannot talk about it, so I decided to put the first part out. If I find an open-source program similar to the assessment I will try to recreate the tool (but I am not holding my breath). As this part is essentially a build-up, it may not be coherent at times. Alternatively, if you really want to read it, you can join us. We are almost always hiring (let me do the referral though ;).

Today we are going to talk about discovering encryption keys in sneaky ways. We will start with simple examples, do a bit of Digital Forensics, or DF (for low standards of DF), and finally in part two we will use our recently acquired knowledge of Pintool to do [redacted].

First let’s talk a bit about the inner workings of AES decryption. By inner workings of AES I do not mean the following diagrams that you have seen so many times.

Dec 8, 2014 - 11 minute read - Comments - Reverse Engineering

Pin Adventures - Chapter 1 - PinSolver Mk1

While writing the writeups for Flare-On Challenge 6, I came upon an alternative solution by @gaasedelen that uses the number of executed instructions as a side channel. Recently, during an engagement, I used a Pintool to do [redacted]. Now that I have a bit of time, I decided to use the idea to write such a tool.

As an example, we will use a C program that checks its input against a hardcoded value using strncmp. We want to see if it is vulnerable to this side channel (the number of executed instructions).
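The kind of check described above and the side channel against it, as an added example that is not part of the post or of PinSolver. The secret, the step counters and the recovery loop are all constructed here: the counters stand in for Pin's instruction count with one step per byte compared, which is a simplification (glibc's strncmp is vectorised, so real counts are not one per byte), but the leak it shows, work growing with the length of the matching prefix, is the one the post is after. A fixed-work comparison is included for contrast.

```c
#include <stdio.h>
#include <string.h>

/* Hard-coded value the target checks against. Constructed for this example. */
static const char SECRET[] = "s3cr3t!";

/* Stand-ins for Pin's instruction count: one step per byte a comparison
 * looks at. Real strncmp is vectorised, so counts are not exactly per byte,
 * but they still grow with the matched prefix, which is all the leak needs. */
static size_t leaky_step_count;
static size_t ct_step_count;

/* Early-exit comparison with strncmp semantics, instrumented. */
static int counted_strncmp(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        leaky_step_count++;
        if (a[i] != b[i])
            return (unsigned char)a[i] - (unsigned char)b[i];
        if (a[i] == '\0')
            return 0;
    }
    return 0;
}

/* The vulnerable check: strncmp against a hard-coded value. Returns 1 on a
 * match; the work it does depends on how much of the input is right. */
int check_input_leaky(const char *input)
{
    leaky_step_count = 0;
    return counted_strncmp(input, SECRET, sizeof SECRET) == 0;
}

/* Steps the leaky check spent on one input: what the attacker observes. */
size_t leaky_steps(const char *input)
{
    check_input_leaky(input);
    return leaky_step_count;
}

/* Fixed-work alternative: always walks all of SECRET, accumulates the
 * differences with OR and never branches on a secret byte. */
int check_input_ct(const char *input)
{
    size_t ilen = strlen(input);                 /* attacker's data, not secret */
    unsigned char diff = (ilen != sizeof SECRET - 1);
    ct_step_count = 0;
    for (size_t i = 0; i < sizeof SECRET - 1; i++) {
        ct_step_count++;
        unsigned char ib = (i < ilen) ? (unsigned char)input[i] : 0;
        diff |= ib ^ (unsigned char)SECRET[i];
    }
    return diff == 0;
}

size_t ct_steps(const char *input)
{
    check_input_ct(input);
    return ct_step_count;
}

/* Attacker side: extend the guess one byte at a time, keeping whichever
 * printable byte makes the leaky check do the most work. Returns the
 * recovered length; out holds the recovered string. */
size_t recover_secret(char *out, size_t cap)
{
    size_t pos = 0;
    out[0] = '\0';
    while (pos + 1 < cap) {
        if (check_input_leaky(out))      /* current prefix is the whole secret */
            return pos;
        int best_byte = 0;
        size_t best_steps = 0;
        for (int c = 0x20; c < 0x7f; c++) {
            out[pos] = (char)c;
            out[pos + 1] = '\0';
            size_t s = leaky_steps(out);
            if (s > best_steps) { best_steps = s; best_byte = c; }
        }
        out[pos] = (char)best_byte;
        out[pos + 1] = '\0';
        pos++;
    }
    return pos;
}

/* 1 if the side channel recovers SECRET exactly. */
int demo_recovers_secret(void)
{
    char buf[64];
    recover_secret(buf, sizeof buf);
    return strcmp(buf, SECRET) == 0;
}

int main(void)
{
    char buf[64];
    printf("wrong first byte: %zu steps, two right bytes: %zu steps\n",
           leaky_steps("xxxxxxx"), leaky_steps("s3xxxxx"));
    printf("fixed-work check: %zu steps for any input\n", ct_steps("xxxxxxx"));
    recover_secret(buf, sizeof buf);
    printf("recovered: %s\n", buf);
    return 0;
}
```

With a real Pintool the step counter is replaced by the instruction count of the whole process run, so each candidate byte costs one execution of the target and the noise from everything outside the comparison has to be the same between runs; the ranking logic stays the same. The fixed-work version ties the count to the secret's length only, which an attacker usually knows anyway.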

Nov 18, 2014 - 2 minute read - Comments - Memory Forensics

Building memfetch on Kali + Comments

I’ve used Disqus to add comments. At the moment, guests can comment and comments do not need to be approved (unless they contain links). Hopefully there won’t be much spam to drown out the occasional comment that I think will be posted.

Note: I just wanted to make it work in a hurry. There are probably better ways of doing this.

I stumbled upon the very useful tool memfetch by the talented lcamtuf. The utility is quite old (from 2003 if I recall correctly) and I could not build it using the provided makefile.