Tools – Dan Vasile
https://pentest.ro
InfoSec Adventures
Thu, 10 Dec 2020 11:11:22 +0000

Intercepting custom communication protocols in Windows 7
https://pentest.ro/2014/06/30/intercepting-custom-communication-protocols-in-windows-7/
Mon, 30 Jun 2014 09:15:35 +0000

Actually, the title should have been: “Don’t feel lucky and go beyond the first result in a Google search”.

I’ve been using EchoMirage for some time, but apparently I’ve been using the wrong one, because when you search for it in Google you normally click the first link. Right? Wrong!

The first link is for the older version from BindShell, which works decently under Windows XP and very poorly under Windows 7. Under Windows 7 you’ll get a lot of crashes, failed injections and a generally poor experience, even when run with XP compatibility enabled.

Now, if you’re smart enough, you may want to check the second link, which will direct you to the newer version that supports Windows 7. To quote the project page, “the primary goal of Echo Mirage 3 was to ensure full Windows 7 support”.

http://www.wildcroftsecurity.com/echo-mirage

Great, now it works. But what’s the usage?

When dealing with intercepting communication from a web application, the process is really easy. Since it’s only using HTTP, you’ll just fire up an intercepting proxy and point your browser to that proxy. You can intercept, modify on the fly, replay requests, etc.

In the case of a thick client, the situation is more complicated. Sometimes the thick client uses a standard protocol like HTTP to communicate, but that’s not always the case, so you need a tool that can intercept and modify its requests.

We can identify 5 different communication situations and ways to tackle the communication:

  1. Standard protocol, standard (or no) encryption – intercepting proxy like Burp, Fiddler, OWASP ZAP, Charles, etc.
  2. Standard protocol, custom encryption – rather uncommon
  3. Custom protocol, no encryption – here we use EchoMirage or TCP proxying with Mallory
  4. Custom protocol, standard encryption – TCP proxying with Mallory
  5. Custom protocol, custom encryption

When I say standard protocol I usually mean HTTP, and by standard encryption I mean SSL.

So, install EchoMirage, fire it up, inject into a running process or execute a new one, and have fun. You can define rules for automatic replacement of data, highlight the data you’re interested in and do other cool stuff.
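To show what situation 3 (custom protocol, no encryption) looks like under the hood, here is a minimal TCP proxy with EchoMirage-style automatic replacement rules. This is an added example written for this page, not code from the original post, EchoMirage or Mallory; it assumes a plaintext protocol and uses a constructed echo backend on loopback as the stand-in for the thick client's server.

```python
import socket
import threading

# Constructed sample rule (search, replace) for client->server data; not from the original post.
RULES = [(b"hello", b"HELLO")]

def apply_rules(data, rules):
    for search, replace in rules:
        data = data.replace(search, replace)
    return data

def pump(src, dst, label, rules, log):
    """Relay bytes src -> dst, logging raw and rewritten chunks for inspection."""
    for chunk in iter(lambda: src.recv(4096), b""):
        out = apply_rules(chunk, rules)
        log.append((label, chunk, out))
        dst.sendall(out)
    try:
        dst.shutdown(socket.SHUT_WR)  # pass the EOF along to the other side
    except OSError:
        pass

def serve_local(handler):
    """Listen on a free loopback port and run handler(conn) in a thread per client."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen(5)
    def loop():
        while True:
            conn, _ = ls.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()[1]

def start_proxy(target_port, rules=RULES):
    """Relay every client connecting to a fresh local port on to 127.0.0.1:target_port."""
    log = []
    def relay(client):
        server = socket.create_connection(("127.0.0.1", target_port))
        threading.Thread(target=pump, args=(server, client, "S->C", [], log), daemon=True).start()
        pump(client, server, "C->S", rules, log)
    return serve_local(relay), log

def demo():
    """Stand up an echoing backend and the proxy, send one message, return (reply, log)."""
    backend = serve_local(lambda conn: pump(conn, conn, "echo", [], []))  # stand-in server
    proxy_port, log = start_proxy(backend)
    with socket.create_connection(("127.0.0.1", proxy_port)) as c:
        c.sendall(b"hello world\n")
        reply = c.recv(4096)
    return reply, log
```

Pointing a real thick client at the proxy port instead of its server gives you the same log of raw and rewritten chunks, which is the data EchoMirage highlights in its GUI.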

There is a general tendency to move everything towards thin clients with standard protocols and standard encryption but we’re going to have fun with thick clients for a while and we’re still going to need tools to have fun.

[Tool] Check if an email address is valid – the php way
https://pentest.ro/2011/07/04/check-if-an-email-address-is-valid-the-php-way/
Mon, 04 Jul 2011 15:06:54 +0000

In an older post we talked about checking the validity of an email address.

Now let’s write a PHP function to automate this task. We can use this type of validation to check, for example, whether a user supplied a working address when registering for a service.

The code is explained in its comments.

<?php
/*
email_validation.php
Coded by: Pentest ROMANIA; Dan Catalin VASILE; http://www.pentest.ro
*/

// Reads one complete SMTP reply, including multi-line replies ("250-..." continuation
// lines), and returns its three-digit status code, or "" if nothing was received.
function smtp_read_reply($sock)
{
    $code = "";
    while (($line = fgets($sock, 512)) !== false) {
        $code = substr($line, 0, 3);
        // a "-" after the code means more lines follow; anything else ends the reply
        if (strlen($line) < 4 || $line[3] != '-') {
            break;
        }
    }
    return $code;
}

function email_validation($email)
{
    // Some vars we will need later
    $timeout = 5; // how much to wait for the MX connection in seconds
    $helo = "helo example.com\r\n"; // helo string, feel free to modify, but keep the trailing \r\n: SMTP lines must end with CRLF
    $mailfrom = "mail from: <somemail@example.com>\r\n"; // some mailbox at the domain used above, preferably a valid one

    // First we'll do a quick string validation
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return "INVALID EMAIL ADDRESS"; // the string submitted to filter_var is invalid
    }

    // split the email address by the @ sign; the domain is the part after it
    $email_str = explode("@", $email);
    $domain = $email_str[1];

    // check for MX records of the domain
    if (!getmxrr($domain, $mxhosts)) { // you could also check the weights of the MX hosts, some other time for me maybe
        return "INVALID. NO MX RECORDS FOUND";
    }

    // opening a socket connection to the first MX host
    $sock = fsockopen($mxhosts[0], 25, $errno, $errstr, $timeout);
    if (!$sock) {
        return "INVALID. COULD NOT OPEN CONNECTION TO MX HOST. ERROR: " . $errstr . " (" . $errno . ")";
    }
    stream_set_timeout($sock, $timeout); // also bound the time we wait for each reply

    // read the server greeting, then send each command and read its reply in turn
    smtp_read_reply($sock);
    fwrite($sock, $helo);
    smtp_read_reply($sock);
    fwrite($sock, $mailfrom);
    smtp_read_reply($sock);
    $rcpt = "rcpt to: <" . $email . ">\r\n";
    fwrite($sock, $rcpt);
    // the reply to RCPT TO is the answer we're looking for
    $code = smtp_read_reply($sock);

    // end the session cleanly
    fwrite($sock, "quit\r\n");
    fclose($sock);

    if ($code == "250") {
        return "VALID"; // according to the RFC "250" means the recipient was accepted
    }
    if ($code == "") {
        return "INVALID. NO RESPONSE FROM MX SERVER";
    }
    return "INVALID. ERROR CODE FROM MX SERVER: " . $code;
}
?>