Monthly Archives: March 2021

Solving a pentester’s pesky proxy problem

I usually test web applications using Firefox because it uses it’s own proxy settings and is easy to configure with burp. Chrome is then something that is used for googling answers, shitposting on Twitter etc to ensure that such traffic is not logged by Burp. This should sound familiar to most pentesters.

This process falls down when you need to test a thick client/os binary which uses only Internet Explorer’s proxy settings. Because Chrome also uses IE’s settings you will now see all your googling popup.

IE’s Proxy settings can be configured by PAC files. I have known this for a very long time. But I have never actually took the leap to think “oh that means I can tell it to only apply a proxy for the specific backend server the Thick Client uses” before. Proof, if more be needed, that I can be a pretty dull axe at times. I couldn’t chop a cucumber.

Here is a valid proxy configuration file:

function FindProxyForURL(url, host) {
// use proxy for specific domains
if (shExpMatch(host, "*.targetdomain.com"))
    return "PROXY localhost:8080";

// by default use no proxy
return "DIRECT";
}

Change the host you want to match for with your target domain. Save this as a “.js” file someplace you can type the path to and then import it into Internet Explorer’s proxy settings.

Revel in the freedom to live your best life on your terms.

Take care

Letsencrypt certificates for your python HTTP servers

Back in 2016 I blogged about how to do simple HTTP or HTTPS servers with python. You need to use these if you want to temporarily host files, and to investigate SSRF issues properly.

There my skills sat until recently the user-agent that was making the SSRF request was actually verifying the certificate. How rude! So I needed to up my game and generate a proper certificate.

Here are some caveats to the guide which you need to be aware of before you proceed:

  • My OS was Kali Linux (Good for standardisation for penetration testers but won’t be applicable to every one of you legends who are reading this).
  • The server that I am using has it’s own DNS entry already configured. This is the biggest gotcha. You need to have a valid DNS record. Now is the time to buy a cheap domain! Or maybe investigate a domain allowing anyone to add an A record such as “.tk”.

If you can point a DNS entry at your Kali server then you are going to be able to do this.

In one terminal:

mkdir /tmp/safespace
cd /tmp/safespace
python -m SimpleHTTPServer 80

NOTE: I created a new directory in “/tmp” to make sure that there is nothing sensitive in the folder I am about to share. If you share your “/home” folder you are going to have a bad time. While the HTTP listener is running anyone scanning your IP address will be able to list the contents of the folders and download anything you have saved.

From another terminal you need to use “certbot”

apt-get install certbot
certbot certonly
....
pick option 2
set the domain to <your_domain>
set the directory to /tmp/safespace

The “certbot certonly” command runs a wizard like interface that asks you how to proceed. I have given you the options above. What this does is create a file in your /tmp/safespace folder that letsencrypt can download on their end. This proves that you have write permissions to the web root of the server and allows them to trust the request is legit.

The output of the “certbot certonly” command will list the location of your new TLS certificates. They will be here:

/etc/letsencrypt/live/<your_domain>/fullchain.pem
/etc/letsencrypt/live/<your_domain>/privkey.pem

You can go back to your first terminal and kill that HTTP listener. We will no longer be needing it! We have a proper TLS setup so lets go in a Rolls Royce baby, yeaaaah!

You can use python’s “twisted” HTTPs server as shown below

python -m twisted web --https=443 --path=. -c /etc/letsencrypt/live/<your_domain>/fullchain.pem -k /etc/letsencrypt/live/<your_domain>/privkey.pem

That was it. I was able to browse to my new HTTPS listener and I had a shiny trusted certificate.

Hope that helps

Captain’s Log: February 2021

Here is how I did in the new condensed table format.

TargetSummary
11k steps a day5 miles of steps. Every single day.
150 active minutes per weekWeek 1 – Yes
Week 2 – Yes
Week 3 – Yes
Week 4 – Yes
1 technical blog a monthI missed this in January (which seems mad when I had several drafts almost ready to go). So in February I put out two:

Verifying Insecure SSL/TLS protocols are enabled
Pentesting Electron Applications

On track for that. I have a few other ideas for coming months.
Support my partner to exerciseWeek 1 – Yes
Week 2 – Yes
Week 3 – Yes
Week 4 – Yes
Record five songsI have not prioritised it this month.
OSWEI have not prioritised it this month.
Panic AttacksI never actually got to the state of disruptive levels of panic this month. I got pretty close. I had a fairly stressful project to work on at the same time as home schooling while maintaining the daily and weekly exercise tasks. This had me doing some pretty long days which definitely made me stressed. I just knew better when to go and take a lie down. All hail the hour nap.

Other bits

  • Audiobooks 1 – I completed Dune by Frank Herbert. This was a great listen and I thoroughly enjoyed it.
  • Audiobooks 2 – I have started Stealing Light: Shoal, Book 1 by Gary Gibson. This was a recommendation and so far I am not far into it. It is painting an interesting universe for mankind’s future. There is a species that pops up to other sentient species and goes: We can give you a bunch of technology and help you colonise this region of space which is yours. In order to get this you agree to not do X, Y and Z. Which creates a dependence on the Shoal corporation. So far it is some pretty decent Sci-Fi which shows despite the advancement of time we remain just as seedy.
  • Television – I have loved South Park for years. I haven’t been keeping up with it for over a decade. With a bunch of episodes being added to Netflix I have started to catch up. They are masters at talking about issues in an interesting way. You don’t have to agree with everything they say to enjoy it. But it is worth remembering how great this show is (once we get past the initial seasons which were mostly fun but entirely juvenile).
  • Television – A while back I started watching Babylon 5 again when I realised I could get it on Amazon Prime (not free). I watched the show when I was clearly too young to understand it. For some reason I didn’t complete the full watch through even though I was enjoying it. I picked it up again and mid season there was an announcement that the content had been upgraded to HD. This makes it even more watchable. The writing is amazing and the cast do some fantastic things together. It is truly amazing that this was made pre-streaming to be as layered as it is. You had to wait a week for another episode, and they would sometimes not have a thing pay off for years. Now that you can watch this back-to-back I intend to and so should you :D.

That is the log for February.