Captain’s Log: February 2021

Here is how I did in the new condensed table format.

TargetSummary
11k steps a day5 miles of steps. Every single day.
150 active minutes per weekWeek 1 – Yes
Week 2 – Yes
Week 3 – Yes
Week 4 – Yes
1 technical blog a monthI missed this in January (which seems mad when I had several drafts almost ready to go). So in February I put out two:

Verifying Insecure SSL/TLS protocols are enabled
Pentesting Electron Applications

On track for that. I have a few other ideas for coming months.
Support my partner to exerciseWeek 1 – Yes
Week 2 – Yes
Week 3 – Yes
Week 4 – Yes
Record five songsI have not prioritised it this month.
OSWEI have not prioritised it this month.
Panic AttacksI never actually got to the state of disruptive levels of panic this month. I got pretty close. I had a fairly stressful project to work on at the same time as home schooling while maintaining the daily and weekly exercise tasks. This had me doing some pretty long days which definitely made me stressed. I just knew better when to go and take a lie down. All hail the hour nap.

Other bits

  • Audiobooks 1 – I completed Dune by Frank Herbert. This was a great listen and I thoroughly enjoyed it.
  • Audiobooks 2 – I have started Stealing Light: Shoal, Book 1 by Gary Gibson. This was a recommendation and so far I am not far into it. It is painting an interesting universe for mankind’s future. There is a species that pops up to other sentient species and goes: We can give you a bunch of technology and help you colonise this region of space which is yours. In order to get this you agree to not do X, Y and Z. Which creates a dependence on the Shoal corporation. So far it is some pretty decent Sci-Fi which shows despite the advancement of time we remain just as seedy.
  • Television – I have loved South Park for years. I haven’t been keeping up with it for over a decade. With a bunch of episodes being added to Netflix I have started to catch up. They are masters at talking about issues in an interesting way. You don’t have to agree with everything they say to enjoy it. But it is worth remembering how great this show is (once we get past the initial seasons which were mostly fun but entirely juvenile).
  • Television – A while back I started watching Babylon 5 again when I realised I could get it on Amazon Prime (not free). I watched the show when I was clearly too young to understand it. For some reason I didn’t complete the full watch through even though I was enjoying it. I picked it up again and mid season there was an announcement that the content had been upgraded to HD. This makes it even more watchable. The writing is amazing and the cast do some fantastic things together. It is truly amazing that this was made pre-streaming to be as layered as it is. You had to wait a week for another episode, and they would sometimes not have a thing pay off for years. Now that you can watch this back-to-back I intend to and so should you :D.

That is the log for February.

Pentesting Electron Applications

I recently came across my first Electron application as a target. As is the case I try and take notes as I go and here they are so that I am ready for the next time.

When you are targeting an “app” (various thick client or mobile application targets) I always want to:

  • Decompile it if possible – to enable source code review
  • Modify and recompile if possible – to enable me to add additional debugging to code or circumvent any client side controls.
  • Configure middling of communication channels – to enable testing of the server side API.

That is the general process for this kind of task and the blog post covers how to do all of these for Electron applications.

Extracting .asar Files on Windows

When going to the application’s folder I found that it had a “resources” directory containing a couple of “.asar” files. A quick google uncovered that this is a tar like archive format as per the link below:

This is similar to APKs in the Android app testing realm. To get serious we need to extract these to have a proper look.

First get NodeJs:

After installing this open a new command prompt and type “npm” to check that you have the Node Package Manager working right.

Then install “asar”

npm install --engine-strict asar

As a new user of npm I want to just marvel at the pretty colours for a second:

Oh NPM, you are gorgeous

Also an inbuilt check for vulnerabilities? NPM you are crushing it.. Just crushing it. So how come so many apps have outdated dependencies?

Turns out the above command – while gorgeous – did not stick the “asar” command into the windows path as intended. To do that I subsequently ran this command:

npm install -g asar

Then it was found the command in the path:

Oh asar, I found you, I never knew I needed you 10 minutes ago

I was unclear as to the operation of asar. Specifically, would this extract into the folder in a messy way? In the doubt I created a new folder “app” and copied my target “app.asar” file into that before extracting it:

mkdir app
copy app.asar app
asar e app.asar . 
del app.asar 

Note: that del is important because it stops you packing a massive file back into your modified version later.

I was glad I did copy the target into a folder because extraction did this:

Files Extracted to the Current Directory

Had I done the extraction a directory higher then the target application folder would have been messy.

With access to the source you can go looking for vulnerabilities in the code. I cannot really cover that for you since it will depend on your target.

Modifying the app

If you are half way serious about finding vulnerabilities you will need to modify that source and incorporate your changes when running the target. You need to modify the code and then re-pack the “app.asar” file back.

The best place to start is where the code begins its execution. That is in the “main.js” file within the “createWindow” function as shown:

Showing the createWindow function

I modified this to add a new debugging line as shown:

Added console.log debugging line

The point of this was to tell me that my modified version was running instead of the original. I started a command prompt in the “resources” folder and then executed these commands:

move app.asar app-original.asar
asar pack app app.asar

Note: that move command was about ensuring I have the original “app.asar” on tap if I needed to revert back to it. The pack command would otherwise overwrite the original file.

It turns out that “console.log” writes to stdout which means you can see the output if you run the target application from the command prompt. I prefer to create a .bat file for so that I can view stdout, and stderr easily in a temporary cmd window.

The contents of my bat file were:

target.exe
pause

The first line ran the target exe, and the second ensured that the cmd window would stay open in the event of the target being closed or crashing (until a key is pressed). I saved this in the folder with “target.exe” and called it “run.bat”. Instead of clicking on the exe I just double clicked on run.bat and got access to all of the debugging output.

Much success the first line of output when I load the application was now:

[*] Injecting in here

You can now see if there are any client side controls you can disable.

Allow Burp Suite to proxy the application

You will want to be able to see the HTTP/HTTPS requests issued by your target application. To do that you need to add an electron command line argument. If we look again at the “createWindow” function you can see two examples already:

This image has an empty alt attribute; its file name is image-9.png
createWindow function showing commandLine.appendSwitch

At line number 58 I added this switch which configured localhost port 8080 as the HTTP and HTTPS proxy:

electron_1.app.commandLine.appendSwitch('proxy-server', '127.0.0.1:8080');

Again I had to pack the app folder into app.asar as shown in the previous section.

Electron loads chromium and therefore you will need to install burp’s CA certificate as per this URL:

Once you have done that you should see all the juicy HTTP/HTTPS traffic going into burp.

Congratulations you can now go after the server side requests.

I have covered extracting the Electron application to let you see the code, how to modify the code, and how to middle the traffic. That is more than enough to get going with.

Happy hunting

Verifying Insecure SSL/TLS protocols are enabled

If a vulnerability scanner tells you that a website supports an insecure SSL/TLS protocol it is still on you to verify that this is true. While it is becoming rarer, there are HTTPS services which allow a connection over an insecure protocol. However, if you issue an HTTP request it will respond to the user with a message like “Weak cryptography was in use!”.

I think this was an older IIS trait. But I am paranoid and in the habit of making damn sure that a service which offers say SSLv3 will actually handle HTTP requests over it. If there is a warning about poor cryptography then the chances are a user won’t be submitting passwords which will reduce the risk.

This blog post explains how to use openssl to connect using specific SSL/TLS protocols. It also provides a solution to a major gotcha of the process; the version of openssl that ships with your OS cannot issue insecure connections.

Using openssl to connect with an old protocol

The best way to do this, for me, is to use “openssl s_client” to connect to the service. The command supports the flags “-ssl2” “-ssl3” and “-tls1” to enable you to confirm those respectively. Say you want to verify SSL3 is enabled on a target you would do this:

openssl s_client -connect <host>:<port> -ssl3 -quiet

If the server supports the protocol it will now say this the line above where your cursor landed:

verify return:1

Your cursor will be paused there because you have established an SSL/TLS connection and now it is waiting for you to enter data.

Issuing an HTTP request through that connection

Having established your connection you will want to issue an HTTP request. A simple GET request should be sufficient:

GET / HTTP/1.1
Host: <host>

This simple request will return the homepage of any HTTP server. The subtle part is that there are invisible newline characters. In truth the above can be expressed in a single line as:

GET / HTTP/1.1\r\nHost: <host>\r\n\r\n

Here a pair of “\r\n” is representing the newlines. The exchange ends with “\r\n\r\n” because HTTP wants a blank line after all the headers are done to indicate when the server should start responding.

To be easier we can use “printf” to issue the GET request directly through our openssl connection:

printf "GET / HTTP/1.1\r\nHost: <host>\r\n\r\n" | openssl s_client -connect <host>:<port> -ssl3 -quiet

If the server responds without warning the user about insecure cryptography then you have just confirmed it as vulnerable.

Major Caveat

Most operating systems rightly ship with secured versions of “openssl”. This means that they have been compiled to not support these insecure protocols. The reason for doing this is to protect users from exploitation! This is good for us. If fewer clients can even talk SSLv3 then how much more unlikely is it that exploitation will occur?

To solve this problem I suggest you compile a version of openssl which has been compiled to support insecure versions:

wget https://openssl.org/source/openssl-1.0.2k.tar.gz
tar -xvf openssl-1.0.2k.tar.gz
cd openssl-1.0.2k
./config --prefix=`pwd`/local --openssldir=/usr/lib/ssl enable-ssl2 enable-ssl3 enable-tls1 no-shared
make depend
make
make -i install

Doing it this way creates a local binary (in “openssl-1.0.2k/local/bin”) for you which is not then installed over the system’s maintained one. This keeps your every day “openssl” command in your path secure while giving you the opportunity to confirm vulnerable services.

This solution is adapted from the Gist available here:

For ease I choose to then create an alias for the command as shown below:

alias "openssl-insecure"="/<path>/<to>/openssl-1.0.2k/local/bin/openssl"

I can now call the insecure version by using “openssl-<tab>” to complete with insecure.

Happy insecure protocol verifications to you all.

Captain’s Log: January 2021

A new year has begun.

If we go back to two years to 2019 for a moment. I was diagnosed with a medical condition that is prone to immobilise me periodically for around 2 weeks. There were a few bouts of that. I also had some unrelated chest infections, tonsillitis, and a run of bad health that went through the peak of summer until December 2019. I had been pretty miserable and had seen my weight increase due to the lack of mobility.

By Christmas eve 2019 I had been on medication to control my condition long enough for me to get back to walking around. Sick of the misery I set myself a goal of doing the 10k steps per day that Fitbit offers as good minimum level. Through lockdowns this became an absolute mission but I got it done.

I got through my self-set 2020 challenges, and now I have to ask what next?

I have set some health, lifestyle, and hobby goals for 2021.

Lets get Spectabular!

I am going to introduce you to the table of the six labours, and one thing I need to track monthly:

TargetRationale
11k steps a daySlightly more than 2020. I have increased the number because this should take me over 4 million steps for the year which sounds like a thing. Really I am aiming to do 5 miles a day or greater than 1,825 miles in the year.
150 active minutes per weekThis equates to 22 active minutes every single day. I will get there with a mix of jogging, cycling, using a kettle bell, using my stairs to step exercise, and anything else that comes to mind. This is the REAL target for 2021.
1 technical blog a monthThe main focus of cornerpirate.com should always be technical content. As I will be posting my captain’s log entries once a month it makes sense to at least post something technical every month too.
Support my partner to exerciseI do not live in isolation. It is clear that my goals are only possible because of the love and support they provide. They created swathes of space for me to do so by looking after the kids and putting up with me going out at all hours to mine steps. There should absolutely be quid quo pro on this. They want a Saturday morning every week to be child free for a couple of hours to then do some exercise themselves. Totally onboard with that!
Record five songsI can play guitar. I can sing reasonably badly. But that hasn’t stopped me increasingly putting out content. Usually cover versions thrown together with little skill in a single take. I don’t even practice before hitting record. I do not know the lyrics. I am reading them on screen and playing the chords as they come on some tab or other. Why not try writing some new songs myself and putting a little more effort into it? It is rare for me to get the time to do so meaning that starting with five over a year should be achievable. Looking forward to learning how to use the kit I have collected rather than going “fuck it audacity and the mic that I used for conference calls is sufficient”.
OSWEI have pretty much no certifications to show I am even half way relevant or decent as a penetration tester. There are techniques that I need time to practice which are right there in the course material for OSWE. I am committing here to buying the lab access and using it. It is likely that I will be harvesting some of the technical blog posts based on the learning I do for this. I may or may not go for the certification. But for me I suspect the lab exposure and cost of many many evenings will be beneficial overall. If it looks like I can get a decent run at the exam than I might give it a go.
Panic AttacksThis is not a goal. This is just something I want to note happened or not in a given month. Gathering evidence as to their frequency, triggers, and impact. My logical brain is saying based on 2020 that these happen after a run of poor nights sleep.
Six Labours and One to Track

I will complete this table each month to add a bit more brevity and structure to the rather chaotic approach used last year. Starting from February I should get away with much shorter blogs as a result.

How did I do in January?

Now into the meat.

TargetSummary
11k steps a day5 miles of steps. Every single day.
150 active minutes per weekDone.
1 technical blog a monthA couple of drafts in progress but the day job put this on the back burner.
Support my partner to exerciseWeek 1 – Yes
Week 2 – Yes
Week 3 – Yes
Week 4 – Yes
Week 5 – Yes (though contested by my partner I wasn’t fast enough in getting a kid ready to leave the house on time).
Record five songsI have not prioritised it this month.
OSWEI have not prioritised it this month.
Panic AttacksA clear month.

The Good

  • Board Games – I discovered that someone at the school had taught my eldest how to play chess. We had tried for years to play board games but their lack of patience and attitude to losing at anything was too explosive and caused fights. I bought a compendium of old board games and made the time to play just with them regularly. It has been great fun! I can see they have a logical brain when they are not exploding about losing. Seeing them mature is beautiful.
  • Music – Having setup the Piano over the keyboard over the holidays, and procured a poster which shows the chord shapes, I have been able to belt out a few songs in the evenings. Since I have never had a lesson or loads of time to do this before it has been nice. I am happy mucking about like this. My goal clearly isn’t to master the instrument. Simply to have fun and this has been great.
  • Health – I have lost weight. I am just not terribly interested in the number this time. The focus is the exercise goals and maintaining those and the results will continue. Or not. But I will be healthier regardless of my mass. In most things I find data and statistics comforting. Somehow weighing myself is a mixed bag as it can be as demotivating as it is motivating. Trying it differently this time and not going for weekly weigh ins.
  • Audiobook 1 – I listened to Sandworm by Andy Greenberg. I found this very interesting and should be the kind of book you can recommend to non-infosec humans. It is well delivered. The pace is expertly done.
  • Audiobook 2 – From there I moved on to Dune by Frank Herbert. I would like to state for the record that I didn’t listen to Sandworm (which is a reference to Dune itself) and then decide to buy Dune to listen to. That would be far too logical! I had actually been meaning to read Dune for many years. I had bought it on Audible before I was recommended Sandworm. I let the recommendation jump the queue and was laughing when Sandworm was revealed as a reference to Dune. The audible production of Dune is excellent and is the first I have heard with additional music. It isn’t quite a radio play version but is definitely acted more than just read.

The Bad

  • Maybe not “bad” really. This one is actually a bittersweet. One of my team decided to move on to pastures new to continue their career progression. This is always both a sad and a wonderful thing. Sad because you won’t be talking to them every day anymore. But also wonderful because everyone needs to eventually move on. They were definitely ready to do so. Even though I will miss our wide ranging phone calls that always started “I have five minutes” and ended up an hour later with us both much happier for the exchange.

Captain’s Log: December 2020

This is the final Captain’s Log of 2020. I think I will keep doing this monthly but go me. I have managed this for 12 straight months.

The Good

10k Step Challenge – I have plodded 10 thousand steps a day. Every single day for over a year. The vast majority of that in a locked down flat. It has been a grind at times. But I am happy I have done that.

While several people have been great about my tweeting about this I have to give a special shout out to David Carson. In September I was at a low point as I was sick. I pithily put it out to the universe on Twitter that I was going to just lie down but they dropped a dash of encouragement at the exact right moment if you want to read the thread here:

Thanks to David I got the whole year done and so this video of the final steps on Christmas Eve is in part his responsibility:

150 active minutes a week challenge – December bit hard so my active minutes basically fell by the wayside as I focused on taking care of my family picking up some slack. We will get back to this after the chaos dies down in the new year. I have to set some new targets.

Audiobooks – A recommendation from the Stephanie Hill over at Ascent Cyber was to check out Social Engineering: the science of Human Hacking written by @humanhacker. I have never been into social engineering. I see its value (which can be huge) and understand the basics. Listening to this audiobook has removed some of the fog of war from the social engineering map and has been a worthwhile use of an audible credit. I would recommend it.

Weegiecast – I was invited by fuzz_sh and zephrfish to go onto their Podcast WeegieCast. This was my first ever podcast. It was fun. Though I think some bits of it are clunky now I have listened back to it. I am new to being recorded saying stuff so please forgive me. If you want to hear it then you can get to the links to it via the tweet thread linked below:

Christmas – with the miserable 2020 coming to a close it is worth taking a moment to grab hold of anything that is good and pure. We are each here for whatever time we have in this life. With whatever skills we can learn. Within whatever capabilities we can train our bodies to deliver. Some start with a shittier deck of cards but the player can overcome the odds in some respects.

2020 has had many of us walking up to the edge and peering over into the oblivion. Christmas serves as a circuit breaker for me most years where I unplug. This year I went for it. I ate rather a lot of ALDI’s Christmas related sweets and chocolates (you really should go there as zee Germans really know their confections). I haven’t been to a work Christmas do in years as I cannot travel so actually the remote nature was a nice change of pace:

Whatever this view on Teams is we had a Christmas bash of sorts

Genuine Blog Posts – In December I dragged three actual blog posts out of my drafts folder:

I do enjoy blogging about technical things and that is the real mission of this blog overall. So December was actually a productive month for this site.

Music Time – I know I spam you all with this shit all the time but I do enjoy recording music even if it is on a mobile phone.

  • Rudolph (the Red Team junior) – I was asked by two groups of lovely people to make a sort of novelty Christmas song which was actually pretty good to be asked for! Neither actually panned out but as it happened I delivered a report and had a spare 30 minutes to bash out a version of Rudolph the red nosed reindeer over lunch. I think it is notable for featuring me using several layers (not a hallmark of my silly ditties). Two guitars with different tones, my mouth drum :D, vocals, and even jingle bells via my Christmas Jumper’s embedded bells. Yes the pun is “SamT” instead of “Santa/Samty Clause”. Sam T is our Director of research and I love him:
  • Merry Whatever – Appropriate for new years. A couple of points here. I have never had a piano lesson in my life. I got a keyboard about a year ago but quickly found out I had to hide the power cable or the kids basically refused to do anything BUT discordant noise experiments at maximum volume. Therefore I haven’t actually had time to practice. I bought a poster with the common Piano chords on it and fired into that early on Boxing day to achieve this:

In 2021 I can only guarantee more stupid songs because I get a kick out of them at least.

The Bad

A panic attack (late on Christmas Eve) which ensured I was exhausted for Christmas Day. Nothing much to write home about here I am getting ever better at spotting them coming, dealing with them in the moment, and recovering from them.

The kids didn’t sleep great so by the time I was downstairs with them at 7am I was a total mess of a human. Yelling at them for stupid things such as not eating their breakfasts etc. To be fair it is the biggest fight we have – around them not bloody eating. It just takes on a rather ludicrous dimension when you just want to get through the fucking meal to play games or do absolutely ANYTHING else. I’d look forward to a session of hammering molten nails through the tips of my fingers, if it just meant I didn’t have to fight over the next three bites of toast!

Seriously this was clusterfuck of a day. But after a full nights sleep I declared Boxing Day as Christmas mark 2 and we had an excellent time.

Highlights of the month

Panic attack and my behaviour aside the Christmas break has been amazingly refreshing. I haven’t had a computer turned on until right now on New Years eve to finish up this post. I never “unplug” like this. This has been good.

Happy new year and we’ll meet again.

Firefox Add-Ons that you actually need

In this blog post I will introduce you to a few Firefox Add-Ons which are useful when assessing the security of web applications. There are many, many more Add-ons that people swear by but these ones help me out a lot.

To test a web application you are going to need a web browser to do so. That browser will need to be passed through a local proxy such as OWASP’s Zap or PortSwigger’s Burp Suite Pro if you are on someone’s payroll. I suggest that you pick Firefox for this purpose and that you use a completely separate web browser for keeping up-to-date with Twitter, idling in slack channels etc.

*STOP* In addition to the main point of this post let me park up in this lay by and drop an anecdote on you.

Many moons ago (~2006 I think) I was helping a newbie start their career. I told them to use one web browser for testing and another for their browsing. They didn’t listen to that advice. So when they uploaded their test data for archive it included their proxy logs. As I QAed their report I opened up the proxy logs to check some details and spotted that it included a whole raft of personal browsing and therefore their password which they reused on everything at the time.

I didn’t overly abuse that privileged information before the point was made that you need to keep things separate. Shout out to newbie who still newbs, though they never write or visit anymore. I still love you. Not least because every newbie since has had this anecdote told to them and it has rounded out the point nicely.

Anecdote dropped. Lets discuss the four Add-Ons that help me out loads.

Multi Account Containers

URL: https://addons.mozilla.org/en-GB/firefox/addon/multi-account-containers/

This is amazing. You can setup containers which are completely separate instances of Firefox. This means you can setup one tab to login as an admin level user and another tab to operate as a standard user:

Configuring multiple containers

These containers are marked by the colour you have assigned them and display the name on the far right:

Loading a site in two containers showing the different user levels

This is a game changer honestly. I feel like the way I worked before was in a cave with no light. Now I can line up access control checks with improved ease and more efficiently test complicated logic. Absolutely brilliant.

A shout out to Chris who showed this one to me.

Web Developer Toolbar

URL: https://addons.mozilla.org/en-GB/firefox/addon/web-developer/

I have used this for a very, very long time. It is useful if you want to quickly view all JavaScript files loaded in the current page:

Viewing all JavaScript Files Quickly

You can achieve a lot of other useful things with it. My need for this has diminished slightly as the in-built console when you press F12 has improved over the years. But I still find it useful for collecting all the JavaScript.

Cookie Quick Manager

URL – https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/

Technically you can manipulate cookies using Web Developer toolbar. I just find the interface with this Add-On much easier to use for this one:

Using Cookie Manager to add a new cookie

When you just want to clear a cookie, or maybe try swapping a value with another user this is quick and simple.

User-Agent Switcher and Manager

URL – https://addons.mozilla.org/en-GB/firefox/addon/user-agent-string-switcher/

Sometimes an application responds differently to different User-Agent strings. You can use a Burp match and replace rule or you can use this add-on which has the benefit of a massive list of built in User-Agent strings.

You can also add a little bit to you User-Agent to differentiate your users like this:

Add String to User-Agent

By applying the setting to the container you can mark up which level of user made the request. Now that I do this I have found it absolutely invaluable in sorting out what I was doing.

When you view the requests in your local proxy you will instantly know which user level was making that particular request. This is vital particularly where apps issues lots of teeny tiny annoying requests per minute. When it is otherwise easy to lose which browser container was saying what.

I hope that has helped you. If you have any other Add-ons you think are vital please sling me a comment or a Tweet. I’d like to look into more.

Regards

API testing with Swurg for Burp Suite

Swurg is a Burp Extender designed to make it easy to parse swagger documentation and create baseline requests. This is a function that penetration testers need if they are being asked to test an API.

Our ideal pre-requisites would be:

A Postman collection with environments configured and ready to go valid baseline requests. Ideally setup with any necessary pre or post request scripts to ensure that authentication tokens are updated where necessary.

— Every penetration tester

Not everyone works that way so we often have to fall back to a Swagger JSON file. In the worst cases we get a PDF file with 100s of pages of exposition and from here we are punching up hill to even say hello to the target. That is a cost to the project and isn’t a great experience for your customers either.

If you are reading this post and you are somehow in charge of how you distribute API details to your customers. Then I implore you to NOT rely on that massive PDF approach. This is for your sanity as much as for customers. Shorten your guides to explain how to authenticate and what API calls are required in a sequence to achieve a specific workflow. Then by providing living breathing documentation which is generated from your code you will rarely have to update the PDF. With the bonus that your documentation will be easier to interact with and accurate to the version of the code it was compiled against.

Anyway you have come here to learn how to setup and start using Swurg.

A shout out and thank you to the creator Alexandre Teyar who saw a problem and fixed it. Not all heroes wear capes.

This extender is now in the Burp app store under the name “OpenAPI Parser” so you can install it the easy way.

But if you want to make any changes to the Extender or others in general then the next few sections will be useful.

Check that you have Java in your Path

Open a command prompt and type:

java --version

If you get a warning that the command cannot be located then you need to:

  1. Ensure that you have a version of the JDK installed.
  2. That the path to the /bin folder for that JDK is in the environment’s PATH variable.

Note: after you have added something to the PATH variable you need to load a new command prompt for the change to take effect. There is probably a neat way to bring altered environment variables into the current cmd.exe session but honestly? I have so rarely needed to set environment variables on windows I would not retain the command in memory anyway so a restart suits me.

Installing Git Bash

I already had Git Bash installed but you might need it:

This has a binary installer which works fine and I have nothing more to add your honour.

Installing Gradle on Windows 10

There is a guide (link below) but it missed a few beats for Windows 10:

Step 1 download the latest binary only release from here:

There is no installer for the binary release so you have to do things manually. You will have a zip file. It tells you to extract to “c:\gradle”. Installing binaries in the root of c:\ has historically been exploitable in Windows leading to local privilege escalations. So I get nervous when I see this in the installation guide!

Usually “C:\Program Files\gradle” would be the location for an application to be installed. In Windows 10 you are going to need admin privileges to write to either of these locations. It is generally assumed that basically all developers have this but that is often not the case.

Based on the installation steps you should be able to unzip anywhere you have write access such as “C:\Users\USERNAME\Desktop” or other location.

Having extracted the Zip you should add some environment variables:

  • GRADLE_HOME – set this to point to the folder you extracted. The location should be the parent folder of “/bin”.
  • JAVA_HOME – set this to point to the root folder of a JDK install. This is also going to be the parent folder of “/bin”.

Finally you need to add this this to your PATH variable:

%GRADLE_HOME%/bin

If you ever upgrade to a newer version of gradle (and from the installer I expect there is not an automated update process) then you unzip the new version and change where GRADLE_HOME points to and your updated version will work.

Open yourself a new cmd prompt to ensure the env variables are applied. Type “gradle” and get your rewards:

Now lets get back to Swurg!

Building Swurg

The repository has excellent install instructions here:

But to tie it all together in my single post I’ll replicate what I needed to do.

I used git bash to clone the repository down and then gradle to build the jar:

git clone https://github.com/AresS31/swurg
cd swurg
gradle fatJar

That worked an absolute treat:

That process completes and leaves you a fresh new jar file in the “\build\libs” folder:

Installing Swurg in Burp

Use the “Extender” -> “Add” functionality to select the “swurg-all.jar”:

How to install a plugin manually

Using Swurg

You should now have a new tab and the opportunity to load a swagger file:

We have Swurg working away merrily here

If you load a valid swagger file this will create a full list of endpoints that you can explore.

Right click on an endpoint and you have an excellent place to start launching things from:

Sending things to Burp tabs

That is definitely enough to get going with. In my case I had replaced my target host with localhost to keep things anonymous as to what I was testing.

This worked well for me and was probably worth the setup. I prefer this to using Swagger-EZ which I have been using in the past.

If we are honest what we all want is a properly configured Postman collection which allows you to have fully configurable environment variables and run pre/post scripts for things such as taking the current Bearer token automatically into all subsequent requests.

In lieu of that this is a reasonable starting point which is embedded where you want it right into Burp suite. If I was to make any changes to the Extender I would probably want an option to globally set the host name and base folder locations. One of those “If I ever get the time” projects.

Hope this helps someone.

Preload or GTFO; Middling users over TCP 443.

Your website only has TCP 443 open and has a bulletproof TLS configuration. I hear you scream that I cannot middle your users to exploit them! On the surface of it you are correct. Let me lay out some basics, explain how we got here, and then show you that you are incorrect. We can middle your users (but it is unlikely).

Laying the basics about HTTP and HTTPS

The default port of the Internet is TCP 80 which is where requests prefixed with “http://” will go. This is a plain-text protocol and offers neither confidentiality or integrity of data being sent between the client and server.

The default port for the “https://” protocol is TCP 443. This is an encrypted protocol with the “s” meaning “secure”.

As the Internet matured it became apparent that pretty much every request needed to be secured. An attacker using man-in-the-middle techniques can easily subvert plain-text communication channels. Any personal information being exchanged would be theirs to steal. They would also be able to alter server replies to serve either phishing or malware payloads straight into their victim’s browser.

This opened up a front in the cyber war to force encryption for every connection.

Question: What … all of them?

Answer:


Redirect to secure!

A common strategy has been to leave both TCP 80 and 443 open but to configure a redirect from 80 to 443. Any request over plain-text (http://) is immediately redirected to the secure site (https://).

The problem with this strategy is that the victim’s web browser will issue a plain-text request. If that attacker was there when they did this, then they could still compromise the victim. It only takes a single plain-text request and response to enable them to do so.

Only offer secure

To get around this savvy administrators make no compromises and simply disable TCP port 80. If a web browser attempts an “http://” request the port simply is not open. It cannot establish a TCP session and so will not send the plain-text HTTP request.

The downside of this is that the user might assume the target application is not online. They would go and try and find another domain to buy whatever it was they wanted. This is why redirecting to secure has been such a pervasive strategy. Vendors simply do not want to lose out on important traffic which can drive this quarter’s sales chart.

What is this HTTPS Strict Transport Security (HSTS) stuff?

You can learn more about HSTS here:

My understanding is that HSTS was created to reduce the number of plain-text HTTP requests being issued. There are two modes of operation:

  1. A URL is added to a preload list which is then available to modern web browsers.
  2. An HTTP header (Strict-Transport-Security) is added to server responses which tells the web browser to redirect all “http://” to “https://” before issuing the request.

When a user types a URL into the address bar and hits enter the browser will check to see if the redirection must happen. Where required the redirect happens in memory on the user’s computer BEFORE the TCP connection is established.

For strategy 1. the target site is in the preload list. A well behaved web browser will never issue a single “http://” request to the target site. The problem of middling the connection has been successfully resolved.

For strategy 2. we are arguably no better than the server redirecting from “http://” to “https://“. A single plain-text request will be issued. If the attacker is middling at that point they can alter the response as desired to exploit users.

However, strategy 2. is likely to lead to fewer plain-text requests overall since the browser will not request via “http://” until after an expiry date. Relying on “redirect to secure” alone will result in a single plain-text request per visit the user makes to the site. This increases the number of opportunities to middle the victim’s connection.

Gap Analysis

The reason for writing this blog was because I had an interesting conversation with a customer. They enabled only TCP 443 (https://). They saw this as sufficient and did not want to enable HSTS as recommended in my report. I was challenged to show an exploit route that could work or they would not bother.

Fortunately the edge case I am about to explain has been public knowledge for a long time. So I didn’t have to think too hard to add it in. I am just adding my voice to bounce that beach ball up again for visibility.

Exploit Steps

The exploit route is like this:

  1. An attacker must be able to middle the victim’s traffic.
    • Chances are this is on the same network as the victim.
    • For this reason mass exploitation of users is unlikely and the risk is small as a result.
    • Lets proceed with the steps assuming that this attacker is ABSOLUTELY DETERMINED to exploit this one person.
  2. An attacker crafts a link and sends it to the victim to click on.
    • That link is: http://target:443.
  3. The victim clicks on the link and their browser dutifully establishes a TCP connection to port 443. Because the browser sees a service it can talk to it fires a plain-text “http://” connection.
  4. The server then rejects the connection because it is expecting “https://“. However, the damage had already been done. Our attacker had the single request that they needed for exploitation to occur.

The following screenshot shows the Wireshark capture when this example URL was requested:

URL: http://www.cornerpirate.com:443
DNS lookup and then HTTP request being captured

The only requirement for this to work is that the targeted TCP port is open. It is most likely that 443 is used but you can do the same thing with any open TCP port.

What is the solution?

The optimal solution is to enable HSTS via the preload method. Even if your website only has HTTPS enabled.

Adding a site to the preload list can done here:

All other solutions leave a victim’s web browser issuing at least a single HTTP request.

Unfortunately it takes time for a site to be added to the preload list. Therefore at the same time you should also enable the “Strict-Transport-Security” header as described:

That is the famous belt and braces manoeuvre to reduce the chances of the world seeing you butt.

And you should definitely do as I say and not as I do:

Hope that helps

Captain’s Log: November 2020

The Good

  • 10k a day steps challenge – I have managed this every day again. That-is-11-months. Almost an entire freaking year. If I get to Christmas eve I will have actually done something I said I would do. Which in this whole crazy wreck of a year is something to be celebrated.
  • 150 active minutes a week challenge – I hurt my thigh as I started running again at the end of October. I needed to rest that up for a week or so. But I banged into November with bad news (see “The Bad”) regarding my health. After the thigh issue cleared up I had an excellent run of it (pun gleefully intended). Most weekday mornings I would be out jogging before work and I got both fitter, and thinner as a result. I ordered an exercise bike which was said to be “next day delivery” that I have not seen any more about. I ordered before England locked back down so I was expecting to get a bike :(. Update: It eventually arrived 3 weeks later, but I haven’t had time to build it.
  • Eating well challenge – (see the rabbit food ^^^) I don’t think I really ate too badly before but lockdown definitely accelerated the amount of crap I was eating. After the bad news (see “The Bad”) I went back to tracking calories. The act of having to scan barcodes and weigh spinach is so damn annoying that I definitely eat less as a result. The first bit of weight loss for me always goes really well. So into the baggy clothes and feeling good part of the process. Back to sorta where I was pre-lockdown when I started this series of posts. It is paying off.
  • Audiobooks – I moved back to feeding my brain with Sapiens. It started by reminding me about the Naked Ape which I read a good 20 years ago. I am intrigued by the speculation around what happened 70k years ago when suddenly one of several species of tool using humans came to dominance. The theory is that there was a cognitive revolution after which one species was capable of more complex language allowing both gossip and shared fantasies like religions. This allowed evolution through co-operation instead of time consuming genetics. The most fascinating point was that this is why we have anxiety about various things that logically do not make sense. Genetically speaking we are not apex predators but it turns out we are purely because of cognitive abilities. We get anxiety about things that would kill us on the plains of Africa. We have obesity because sweet things are great for survival (high calorie content) but rare in nature. If a chimp finds a ripe fig tree they immediately gorge the whole supply. Exactly how we cannot stop ourselves with a box of chocolates. Looking forward to where it is going.
  • Testing – I have done several testing projects this month. I learned lots of things. I found lots of things. This is always brilliant.
  • PS5 – There was a whole awful Saga where I can rant about how crap the vendor I ordered from were. But it eventually arrived the day after launch more because of luck that I had a postal redirect setup than the effort of the vendor. It remained in its box until the 29th and then it was an expensive massive brick while it downloaded update upon update upon update. I haven’t really played it. The Spiderman game seems good.

The Bad

  • I was tentatively diagnosed with a liver disease – This was found as a result of blood tests I had ordered due to me feeling extra shitty after moving house for weeks. The results said I had fatty liver meaning that I need to now actively lose weight and eat right for a real reason. We do not know the extent of the problem until I get an ultrasound and other tests done. But the chances are this is extremely early stage and if I lose weight the problem will reverse. That’s the hope. So I have thrown myself into that.

Highlights of the month

Football – Scotland Qualified for Euro 2020 through a delightful playoff win against Serbia. I honestly was calm throughout. I had no doubt we were going to do it and didn’t even waver when Serbia scored in the last minute. I just felt it was going to happen.

To be clear I have supported Scotland for a long time now and I have never once felt like that before. I have been hopeful, but always sort of knew it would implode. Because we had done the penalties so well in the previous game I just expected us to do it again when we had to play extra time.

InfoSec Community – The lovely people over at Ladies of London Hacking Society asked me to do a workshop on CVE bug hunting. Despite me being an absolute fraud with only one CVE to my name I took that on. It seemed like everyone had a good time – me included. It was recorded here. I am starting at 31 minutes and 05 seconds if you just want to see my face:

That’s all folks.

Captain’s Log: October 2020

The Good

  • 10k a day steps challenge – Completed for another month. There were some tricky days. Some extremely tricky days where I was just stressed beyond belief and somehow managed to fight fatigue to stay on target. Probably the hardest month to be fair. The idea of hitting 22 active minutes a day was mostly out the window due to the stress and disorientation of the month (see below).
  • Audiobooks – I completed the Rama series of books this month. Overall I really enjoyed them. The first one for the mystery. The follow ups slowly peel back the mystery and then leave you with a tale of growing old that absolutely rings with me at the moment. I have never felt the aging process so much as I am now. Autumnal thoughts and all that. I would highly recommend this. I then lightened it up a bit with the Alan Partridge: From the Oast house. I was recommended this by Mr Paul Mason in our final conversation and I admit I am chuckling along knowing exactly why he loved it. Hand in glove with the aging thing. You do start to think a bit more Partridge the older you get. The writers and acting play an absolute blinder with this character every time.
  • I moved house – Most of this blog post is going to be dominated by this lets be honest. At its basic level I moved from a flat to a house and gained myself a little garden, and an office space which is outside of my bedroom again. In terms of lifestyle going forward this should be major. Given lockdown(s) are going to continue for a while you need to be more comfortable with the space you have. Now I have options. I can walk away from work, close the door and be done with it when the task is over which is nice. I can play PC games at night with a microphone since I am at least not at the foot of the bed where my partner is trying to sleep.
  • It has a garden – I have completed the majority of my 10k steps a day challenge in a corridor of my flat which was about 1 metre wide by 8 long. The garden is an upgrade and gets me fresh air at the same time. It also has one solid step to elevate the heart rate on before getting onto the light jogging I am capable of. It ain’t much. But as of the 16th of October I have cleared the space and found all the running stuff from the myriad of boxes and am set to get back to the “lets get 22 active minutes a day” side mission.
  • Good weekends – We managed a pretty relaxing weekend or two at the end of the month which helped me recover. While hard to do we built 3 new flat pack beds on a Sunday. A great thing is building furniture with the eldest. They want to help but have been “far too silly” until just about now (I have tried). They got to thwack things with a hammer and screw in screws until they were thoroughly bored of it. We did some Halloween drawing with the kids, we played some board games. It was overall pretty decent.

  • Borat Subsequent Moviefilm – I mean. An absolute stunning work this one. They had a point they wanted to make about #MeToo and politics in general. They went after it and it is as fascinating as is it funny to witness. Making it part of the “freely” available content on Prime instead of charging a fortune for new content shows they wanted to make the point land on as many screens as possible. A truly fascinating project and absolutely worth a watch.
  • Left4Dead 2 – I played a round of L4D2 on Halloween eve. I really like that game when you have a squad to play then it is a satisfying online gaming experience since it rewards teamwork and not lone wolves with sniper rifles. Great times.

The Bad

  • Loss of a friend – The legend that was Paul Mason sadly died the same weekend as my house move. I have covered this a lot already as he was worth his own blog entry and more.
  • Panic Attack(s) – I have not had one in a long time this year fortunately. As this monthly blog tracks them I think the last entry was pre-Glasgow Defcon in February. The month has been a total blip of panics which I have mostly been fine about as the effects are more easily mitigated. However, I believe the stressors are now removed so I hope we get back our regular schedule of hardly any a year. Classical cause reason: poor sleeping patterns.
  • They say moving home is stressful. I have never really experienced that before as it was mostly fun to pack stuff up and cleanse your life from unnecessary possessions and go on a new adventure. The problem with that rosy attitude is I had never experienced the full lawyer experience. If you both have to SELL a property and BUY one you get both barrels of them.
  • There is definitely a blog post in me only about the experience I had on this with a slant on incident management brewing. I may calm down enough to let it lie.

Highlight of the month

I would say actually getting moved and starting to make a new place our home.