About Me

Driven by Curiosity....

Wednesday, June 25, 2014

Passing Parameter to Shortened URL

Hi,

A vulnerability assessment of an application forced me to look for a URL shortening service that would shorten the URL and pass the parameters on to the destination URL after redirection.

E.g.

In the goo.gl URL shortening service we can have a short URL like

 http://goo.gl/xyz../   to  http://www.google.com

What if you want to pass an argument from the short URL through to the long one? (think)

E.g.

http://goo.gl/xyz../?q=123  to  http://www.google.com/?q=123


Well, the above is not possible with Google's URL shortener service: a query string added to the short URL is not carried over to the long URL.


However, you can pass arguments using the http://snurl.com/ URL shortener service.


E.g. http://snurl.com/xyz123../?q=123 to http://www.google.com/?q=123

In this case the argument q=123 is appended to the original URL as shown above. This behaviour is service-specific and can change, so confirm it by requesting the short URL without following redirects and reading the Location header of the response.
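The check described above, as an added example that is not part of the original post: append_query builds the target URL the way a passthrough shortener should (using "&" when the long URL already carries a query), query_forwarded decides from the Location header whether the query survived, and check_shortener is the only function that touches the network. The short URLs in the comments are placeholders, not real links.

```bash
#!/bin/sh
# Added example (not from the original post). Checks whether a URL shortener
# carries the query string of the short URL over to its redirect target.
# Only check_shortener talks to the network; the rest is pure string logic.
set -eu

# How a passthrough shortener should build the target: append the query with
# "?" or, if the long URL already has a query, with "&".
append_query() {   # $1 long URL  $2 query string (without the leading "?")
    case "$1" in
        *\?*) printf '%s&%s\n' "$1" "$2" ;;
        *)    printf '%s?%s\n' "$1" "$2" ;;
    esac
}

# Given the short URL we requested and the Location header we got back:
# 0 = query string survived, 1 = it was dropped, 2 = there was none to forward.
query_forwarded() {   # $1 short URL with query  $2 Location header value
    q=${1#*\?}
    [ "$q" != "$1" ] || return 2
    case "$2" in
        *"?$q"*|*"&$q"*) return 0 ;;
        *) return 1 ;;
    esac
}

# First Location header of a single request, without following the redirect.
location_of() {   # $1 URL
    curl -sS -o /dev/null -D - "$1" | tr -d '\r' |
        awk 'tolower($1) == "location:" { print $2; exit }'
}

check_shortener() {   # $1 short URL with query, e.g. http://snurl.com/xyz123/?q=123 (placeholder)
    loc=$(location_of "$1")
    if query_forwarded "$1" "$loc"; then
        echo "forwarded: $1 -> $loc"
    else
        echo "dropped:   $1 -> $loc"
    fi
}

if [ "$#" -eq 1 ]; then check_shortener "$1"; fi
```

Run it as `sh check.sh 'http://<shortener>/<id>?q=123'`; a service that forwards prints the long URL with `q=123` attached, one that does not prints the bare long URL.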

HapKing...


Sunday, June 22, 2014

Xposed framework in Security testing of Android applications

Hey all,

It is quite difficult to perform run-time analysis and manipulation of an Android application. Since every app runs in its own Dalvik VM instance, it is hard to get inside the application's process and hook its methods.

Don't worry, there is a solution for it: the Xposed framework can do the trick for us. How the framework works is described in the Xposed documentation. Using Xposed we can write modules that hook into an Android app's methods and change their arguments, return values or behaviour. Xposed needs a rooted device, because it replaces the system's app_process binary so that its hooks are loaded into every app process.

Refer to this link: https://github.com/rovo89/XposedBridge/wiki/Development-tutorial

HapKing

Sunday, December 8, 2013

ANDROID USB SSH CONNECTION EQUIVALENT TO iOS USBMUX TUNNEL

Here is a trick you can use to make an SSH connection to an Android device over USB (for instance when the Android device and the PC are on different networks, i.e. subnets).

Prerequisites

Rooted device

Steps

1) Install SSHDroid from the Play Store and turn on SSH

2) Connect the device to the PC with the data cable

3) Now type the following command

    adb forward tcp:22 tcp:22

   This maps port 22 on the PC's loopback interface to port 22 on the device. If an SSH server is already listening on the PC's port 22, pick another local port, e.g. adb forward tcp:2222 tcp:22, and use that port in the next step. Remove the mapping afterwards with adb forward --remove tcp:22.

4) Now open PuTTY, enter 127.0.0.1 as host and 22 as port, and connect to the device over USB.. :)

...HAPKING...

Wednesday, December 12, 2012

Intercepting Android HTTPS connection


Setting up a proxy and getting it to work is a difficult task on Android. Here is a tutorial for setting up a proxy for an Android application.
Basically, the certificates an app trusts are kept either in the Android system trust store or inside the application itself (a bundled keystore), and that decides how the HTTPS connection can be intercepted.
Prerequisites
A good idea of how SSL works (create an SSL certificate using openssl to understand it)
Hands-on experience with the Android emulator
Android trust store by Android version
On Android versions below 4.0 the system trust store is a single file in BKS (Bouncy Castle keystore) format, /system/etc/security/cacerts.bks. So we have to prepare a BKS keystore containing our certificate (search for "BKS keystore Android < 4" for the keytool command). After creating it we push it onto the emulator or device and overwrite the existing cacerts.bks (the system partition has to be remounted read-write first, which is why a rooted device or the emulator is needed).
Android 4.0 and later have an option to install certificates: go to Settings -> Security and select "Install from SD card". First push the certificate with
adb push "cert path.cer" /mnt/sdcard    <create SD card space when creating the AVD>
then install it using that option (very easy on Android 4.0 and later).
Trusted certificate
The server an HTTPS Android application talks to presents either a CA-signed or a self-signed certificate. If it is CA-signed, the app relies on the Android trust store, so we have to compromise the trust store to intercept the SSL traffic. If it is self-signed, the app may use the Android trust store (with the certificate installed there by the user) or its own local keystore bundled in the APK to establish the HTTPS connection.
Tools
1)      Dex2jar   
2)      Apktool
3)      Bouncy castle for (BKS) format cert creation
4)      JD-Gui
5)      Burp suite


Steps
· This was done in the emulator
· Install the Android SDK and related tools; this may take some time
· After installing everything launch the AVD (Android Virtual Device) manager; the command "android avd" also launches it
· Create a virtual device and allocate some space for the "sdcard" in the given options
· The emulator will be launched. Check the device is connected with the "adb devices" command
· After connecting successfully we need to install the APK file that was given to us: "adb install <app.apk>"
· The application will install. If any dependencies are missing the app will not install; fix them
· "logcat" is the command used to view the logs the application writes. To monitor the application and see its behaviour use:
adb logcat | findstr <app-specific keyword>    in Windows
adb logcat | grep <app-specific keyword>       in Linux
The app-specific keyword can be its name or anything that uniquely identifies it in the logs
· Run the application and verify the logs and its behaviour
· Now we have to set the proxy for the emulator. Use the following command:
emulator -avd <name of virtual device> -http-proxy http://127.0.0.1:8080
Run Burp Suite listening on port 8080.
· Check the proxy by launching the Android browser. Its traffic should be intercepted.
· Run logcat again to view the behaviour of the application while it is proxied. If the app makes an HTTPS connection and does not trust Burp's certificate, it will not send the request to the server and will throw an error (an SSL handshake/certificate exception) in the logs, which is how we verify it

Certificate signing
If the connection is intercepted, fine. If the HTTPS connection is not intercepted, the real challenge begins.
Let's say we are using Android 4.x. Now we have to find out whether the application uses the Android trust store or its own local keystore to establish the HTTPS connection.
Find the URL the app uses to connect to the server and open that URL in a PC browser. By doing so we learn whether the server certificate is self-signed or CA-signed; test sites are usually self-signed.
1) If CA signed
2) If self signed
1)
If CA-signed, it is quite easy to compromise the Android trust store. Just follow this guide up to installing the certificate on the emulator: http://blog.opensecurityresearch.com/2012/07/proxying-android-40-ics-and-fs-cert.html . The certificate to install is Burp's CA certificate (PortSwigger CA), so every host certificate Burp generates is trusted. <Note: you will not see your installed certificate under Trusted credentials -> User certificates>
2)
If self-signed, we have to follow some other steps.
· Find the URL the app uses to connect to the server.
· Set the PC browser to use Burp Suite as its proxy (port as you wish, usually 8080). Access the URL (https://name.com/) in the PC browser and intercept the connection with Burp Suite.
· The browser will display a certificate error. Add the certificate to the exception list. Then (in Firefox) go to Tools -> Options -> Advanced -> Encryption and click the View Certificates button. Look for the PortSwigger certificate for that particular domain name (e.g. if google is intercepted, the PortSwigger-issued google certificate).
· Select the certificate and click Export. Append .cer to the file name and save it. The certificate will be created on your desktop. This per-host certificate only makes that one host trusted; exporting the PortSwigger CA certificate (the issuer shown in the same dialog) instead covers every host the app talks to.

Find local keystore
If we are lucky we can find in the logs the process that is making requests to the server and accepting the responses (adb logcat | grep <keyword>).
Follow these steps to find the local keystore:
· Use dex2jar to convert the application to a jar file ("d2j-dex2jar <filename.apk>") and open the jar in JD-GUI. Locate the code that makes the HTTPS connection and look for lines like these:

KeyStore localKeyStore = KeyStore.getInstance("BKS");
// res/raw/<name>.bks bundled in the APK; resource names carry no extension or spaces
InputStream localInputStream = this.context.getResources().openRawResource(R.raw.name_of_file);
try
{
  // "pass" is the store password; our replacement keystore must use the same one
  localKeyStore.load(localInputStream, "pass".toCharArray());
}
finally { localInputStream.close(); }

· If you find such lines, the application uses a local keystore to create the HTTPS connection.
· Now we need to decompile the application again, this time to smali files.
· Use apktool to decompile it: "apktool d <filename.apk>". An output directory will be generated. Search it (res/raw/ for the code above) for the BKS keystore. If you find it, bingo. Now we have to replace that keystore with one containing our Burp Suite certificate


BKS format certificate creation
Search for BKS keystore creation; there are plenty of tutorials (keytool with the Bouncy Castle provider jar). While creating the BKS keystore, the store password must be the string passed to load() in the code, here "pass": <localKeyStore.load(localInputStream,"pass".toCharArray());>


Final steps
The application's BKS keystore has to be replaced with the BKS keystore we created (same file name and location under res/raw/).
Then we have to rebuild the application using apktool. Use the following command:
apktool b <application directory>
The rebuilt APK is unsigned and adb will refuse to install it, so sign it first (jarsigner with any self-generated key). Then install the application on the emulator with:
adb install <rebuilt.apk>
Again restart the emulator with the proxy set (emulator -avd <virtual device name> -http-proxy http://127.0.0.1:8080)
Now start the application. Burp Suite will intercept the connection.
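The whole local-keystore procedure (find the keystore and its password, build the BKS keystore, rebuild, sign and install) scripted end to end, as an added example that is not part of the original post. It assumes apktool 2.x (the -o flag), a JDK's keytool and jarsigner and adb on PATH, the Bouncy Castle provider jar next to the script as bcprov.jar, and burp.cer exported from the browser as described above; every file name below is a placeholder. Instead of reading the password out of JD-GUI by hand, find_keystore_password recovers it from the smali: it looks in every class that calls KeyStore.load() for the string literal that is turned into a char[] right before the call.

```bash
#!/bin/sh
# Added example (not from the original post). Automates the procedure above:
# decompile with apktool, recover the store password from the smali, rebuild
# the app's BKS keystore around the Burp certificate, rebuild, sign, install.
# Assumptions: apktool 2.x, keytool/jarsigner from a JDK and adb on PATH,
# bcprov.jar (Bouncy Castle provider) in the current directory, burp.cer
# exported from the browser. All paths are placeholders.
set -eu

BCPROV=${BCPROV:-bcprov.jar}
SIGN_KS=${SIGN_KS:-sign.jks}      # throw-away signing key, created on demand

# Print candidate store passwords: in every class that calls KeyStore.load(),
# the string literal held in the register passed to String.toCharArray().
find_keystore_password() {   # $1 apktool output directory
    find "$1" -name '*.smali' -exec grep -lF 'Ljava/security/KeyStore;->load(' {} + |
    while read -r f; do
        awk '
            /const-string/ {
                s = $0; sub(/.*, "/, "", s); sub(/".*/, "", s); lit[$2] = s   # $2 is the register, e.g. "v1,"
            }
            /Ljava\/lang\/String;->toCharArray/ {
                r = $0; sub(/.*[{]/, "", r); sub(/[}].*/, "", r)            # register passed to toCharArray()
                if ((r ",") in lit) print lit[r ","]
            }' "$f"
    done | sort -u
}

# Keystores the app bundles in its resources (the R.raw.<name> from the code above).
find_bks_files() {   # $1 apktool output directory
    find "$1/res" -type f -name '*.bks' 2>/dev/null || true
}

# Write a fresh BKS keystore that trusts only the Burp certificate, protected
# with the same store password the app passes to KeyStore.load().
make_bks() {   # $1 burp.cer  $2 output .bks  $3 store password
    rm -f "$2"
    keytool -importcert -noprompt -trustcacerts -alias burp -file "$1" \
        -keystore "$2" -storetype BKS -storepass "$3" \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerpath "$BCPROV"
}

# apktool's output is unsigned and adb install rejects it, so sign before installing.
rebuild_sign_install() {   # $1 apktool directory  $2 output apk
    apktool b "$1" -o "$2"
    [ -f "$SIGN_KS" ] || keytool -genkeypair -keystore "$SIGN_KS" -alias test \
        -keyalg RSA -keysize 2048 -validity 3650 -dname CN=test \
        -storepass android -keypass android
    jarsigner -keystore "$SIGN_KS" -storepass android -keypass android \
        -sigalg SHA1withRSA -digestalg SHA1 "$2" test
    adb install -r "$2"
}

main() {   # $1 original apk  $2 burp.cer
    dir=${1%.apk}.src
    apktool d -f "$1" -o "$dir"
    pw=$(find_keystore_password "$dir" | head -n 1)
    [ -n "$pw" ] || { echo "no KeyStore.load() password literal found" >&2; exit 1; }
    ks=$(find_bks_files "$dir")
    [ -n "$ks" ] || { echo "no .bks under res/, the app may use the system store" >&2; exit 1; }
    echo "$ks" | while read -r f; do make_bks "$2" "$f" "$pw"; done
    rebuild_sign_install "$dir" "${1%.apk}-burp.apk"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it as `sh rebuild.sh app.apk burp.cer` with the emulator started with -http-proxy. Two things to watch: the device must be able to read the keystore format, and the BKS layout changed in Bouncy Castle 1.47, so for old Android versions write it with bcprov 1.46 or pass -storetype BKS-V1 to a newer provider; and if the code passes the password in any way other than a string literal (for example built at run time), find_keystore_password prints nothing and the literal has to be found by hand in JD-GUI.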

...HAPKING...

Thursday, December 6, 2012

How ssl or https connection works

Let's see how HTTPS connections work and how they behave when a proxy is placed in the path of an HTTPS connection. The best way to understand SSL is to create our own SSL certificate.

Basically there are two concepts involved in SSL certificates:
1) A public/private key pair (asymmetric cryptography), used to authenticate the server and to set up the session keys
2) Certificate signing, where CAs come into play

1) 

There are lots of tutorials on how public and private keys, i.e. asymmetric encryption, work.
Let's have a brief look at it. 

The browser requests an https:// URL. The server sends its certificate, which contains its public key. The browser verifies the certificate and checks which authority signed it. If the signing authority is not in the browser's trust store, an error is raised.

2)

Now the concept of CAs comes into play. A browser trusts only a particular set of CAs (certificate authorities), so a server certificate has to be signed by one of those trusted third-party CAs for the browser to accept it.

Let's see how SSL behaves when a proxy is set up


The browser sends the HTTPS request to the proxy server, e.g. Burp on our PC. Burp carries its own CA (PortSwigger CA) and generates a certificate for the requested host, signed by that CA.
Step 1: The browser does not trust that certificate and issues a warning
Step 2: We are asked to add an exception for the certificate (or we install Burp's CA as trusted, which removes the warning for every host)
Step 3: A second session is established between the proxy server and the actual server, using the real server's certificate and public key. The proxy decrypts what the browser sends, can read or modify it, and re-encrypts it for the server (and the same in reverse), which is how it sees the plaintext.
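The post suggests creating your own certificate to understand this; here is that exercise with openssl, as an added example that is not part of the original post. It creates two private CAs, issues a certificate for the same hostname from each, and runs the check a browser performs: the chain validates only against the CA that signed it. "RealCA" stands in for a CA the browser ships with and "PortSwiggerCA" for Burp's own CA; both names and the hostname are made up. The req config is written explicitly because what makes a certificate a CA is its basicConstraints extension, not its name.

```bash
#!/bin/sh
# Added example (not from the original post): build a private CA with openssl,
# issue a server certificate from it and show that verification depends only on
# whether the signing CA is trusted. All names are made up; "PortSwiggerCA"
# stands in for the CA Burp uses to sign the certificates it hands out.
set -eu

# Minimal req config: the basicConstraints/keyUsage extensions are what mark a
# certificate as a CA, so they are spelled out instead of relying on openssl.cnf.
write_config() {   # $1 work dir
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

make_ca() {   # $1 work dir  $2 CA name -> $1/$2.key, $1/$2.crt (self-signed)
    [ -f "$1/ca.cnf" ] || write_config "$1"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_cert() {   # $1 work dir  $2 CA name  $3 file label  $4 server hostname
    [ -f "$1/ca.cnf" ] || write_config "$1"
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$4" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    # leaf certificate: not a CA, bound to the hostname
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$4" > "$1/$3.ext"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 365 -extfile "$1/$3.ext" -out "$1/$3.crt" 2>/dev/null
}

# The browser's check: does the chain end in a CA from the trust store?
verify_cert() {   # $1 trusted CA file  $2 certificate; 0 = trusted, non-zero = rejected
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" RealCA            # a CA the browser ships with
    make_ca "$d" PortSwiggerCA     # the proxy's own CA
    issue_cert "$d" RealCA site www.example.com          # the real server's certificate
    issue_cert "$d" PortSwiggerCA proxy www.example.com  # what the proxy presents for the same host
    for c in site proxy; do
        for ca in RealCA PortSwiggerCA; do
            if verify_cert "$d/$ca.crt" "$d/$c.crt"; then r=trusted; else r=REJECTED; fi
            printf '%-6s verified against %-14s -> %s\n' "$c" "$ca" "$r"
        done
    done
    openssl x509 -noout -subject -issuer -in "$d/proxy.crt"
}

if [ "${1:-}" = demo ]; then demo; fi
```

`sh ssl-demo.sh demo` prints the four combinations: the site certificate is accepted only with RealCA in the trust store and the proxy's certificate only with PortSwiggerCA, which is exactly why the browser warns at Step 1 and stops warning once the proxy's CA is imported.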

....hapking....



Friday, October 5, 2012

Wireless Security Tools

Hi
Check out this site. It has a bunch of wireless security tools:
http://www.corecom.com/html/wlan_tools.html

.....HAPKING........

Wednesday, September 5, 2012

Encoding

Every pentester should have a good knowledge of encoding. Encoding is one of the best techniques to bypass filters: a filter that only inspects the raw request misses a payload that the application decodes later. Here is very good info on encoding:

http://htmlpurifier.org/docs/enduser-utf8.html 
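Why encoding beats a filter, as an added example that is not part of the original post: the same payload is sent raw, URL-encoded and double-URL-encoded against a filter that inspects the bytes as received and against one that canonicalises first (decodes until nothing changes, then lowercases) and filters the form the application will actually act on. The inputs are constructed and the two filters are stand-ins for whatever blacklist a target applies; the decoder handles %XX sequences only (form-encoded "+" would need the same treatment) and is bash-specific.

```bash
#!/bin/bash
# Added example (not from the original post): a naive blacklist beside one that
# canonicalises its input first. Inputs are constructed; bash required.

# Naive filter: looks at the bytes exactly as received. 0 = blocked, 1 = passed.
naive_filter() {
    case "$1" in *'<script'*) return 0 ;; *) return 1 ;; esac
}

# One round of URL decoding: every %XX becomes the byte it encodes.
# (printf %b also interprets backslash escapes already present in the input.)
url_decode_once() {
    local s=$1
    printf '%b' "${s//%/\\x}"
}

# Decode until the string stops changing, so double or triple encoding
# collapses too, then lowercase: this is the form the application ends up with.
canonicalise() {
    local cur=$1 prev=
    while [ "$cur" != "$prev" ]; do
        prev=$cur
        cur=$(url_decode_once "$cur")
    done
    printf '%s' "$cur" | tr '[:upper:]' '[:lower:]'
}

# Hardened filter: decide on the canonical form. 0 = blocked, 1 = passed.
normalizing_filter() {
    case "$(canonicalise "$1")" in *'<script'*) return 0 ;; *) return 1 ;; esac
}

# Walk each payload through both filters (for running by hand).
demo() {
    local p n h
    for p in '<script>alert(1)</script>' '%3Cscript%3Ealert(1)%3C/script%3E' \
             '%253Cscript%253Ealert(1)' '%3CScRiPt%3E' 'hello%20world'; do
        naive_filter "$p" && n=blocked || n=passed
        normalizing_filter "$p" && h=blocked || h=passed
        printf '%-40s naive=%-8s normalizing=%s\n' "$p" "$n" "$h"
    done
}

if [ "${1:-}" = demo ]; then demo; fi
```

`bash encoding.sh demo` shows the raw payload blocked by both filters and every encoded variant passing the naive one, while the normalizing filter blocks all four and still lets `hello%20world` through. The fixed-point loop is the important part: a filter that decodes exactly once is beaten by encoding twice.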
