Windows – Dan Vasile, InfoSec Adventures (https://pentest.ro), feed built Thu, 10 Dec 2020 11:11:22 +0000

Intercepting custom communication protocols in Windows 7
https://pentest.ro/2014/06/30/intercepting-custom-communication-protocols-in-windows-7/
Mon, 30 Jun 2014 09:15:35 +0000

Actually, the title should have been: “Don’t feel lucky and go beyond the first result in a Google search”.

I’ve been using EchoMirage for some time but apparently I’ve been using the wrong one. Because when you search for it in Google you normally click the first link. Right? Wrong!

EchoMirage

The first link is for the older version from BindShell, which works decently under Windows XP and very poorly under Windows 7. Under W7 you’ll get a lot of crashes, failed injections and a generally poor experience, even when run with XP compatibility enabled.

Now, if you’re smart enough, you may want to check the second link which will direct you to the newer version which supports Windows 7. And to quote, “the primary goal of Echo Mirage 3 was to ensure full Windows 7 support”.

http://www.wildcroftsecurity.com/echo-mirage

Great, now it works. But what’s the usage?

When dealing with intercepting communication from a web application, the process is really easy. Since it’s only using HTTP, you’ll just fire up an intercepting proxy and point your browser to that proxy. You can intercept, modify on the fly, replay requests, etc.

Now, in the case of a thick client the situation is more complicated. Sometimes the thick client is using a standard protocol like HTTP to communicate but it’s not always the case. So you need a tool to intercept and modify requests.

We can identify 5 different communication situations and ways to tackle the communication:

  1. Standard protocol, standard (or no) encryption – intercepting proxy like Burp, Fiddler, OWASP ZAP, Charles, etc.
  2. Standard protocol, custom encryption – rather uncommon
  3. Custom protocol, no encryption – here we use EchoMirage or TCP proxying with Mallory
  4. Custom protocol, standard encryption – TCP proxying with Mallory
  5. Custom protocol, custom encryption

When I say standard I usually refer to HTTP and for standard encryption I mean SSL.

So, install EchoMirage, fire it up and inject or execute a new process and have fun. You can customize rules for automatic replacement of data, highlight the data you’re interested in and other cool stuff.

There is a general tendency to move everything towards thin clients with standard protocols and standard encryption but we’re going to have fun with thick clients for a while and we’re still going to need tools to have fun.

Password policies in Windows
https://pentest.ro/2013/04/29/password-policies-in-windows/
Mon, 29 Apr 2013 13:45:55 +0000

To access the password policy in Windows just go to Start and type secpol.msc in the search box. Click on secpol and you’ll be presented with the security policy.

Go to Account Policies, then click on Password Policy.

The options, explained:

  • History – how many passwords will Windows store (you won’t be able to reuse these passwords)
  • Complexity requirements – if enabled, the Windows complexity requirement states that passwords should be at least 6 characters long, must not contain the username, have at least 3 different character types ([a-z][A-Z][0-9][special characters])
  • Minimum length – this overrides the previous length setting
  • Store passwords using reversible encryption – self explanatory; note that if the key used for encryption is lost, the password can be retrieved
  • Maximum age – how long (in days) until the user is forced to change the password
  • Minimum age – very interesting option! If left at 0 you can change the password as many times as you like in one day. The problem is in conjunction with History. If, for example, History is set to 5, a user can change the password 6 times in one day and end up reusing the original password.

More information on: http://windows.microsoft.com/en-au/windows-vista/change-password-policy-settings
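As an added illustration (not from the original post), here is a small Python model of the settings above that shows the History / Minimum age interaction: with Minimum age 0 and History 5, the original password is back in use the same day, while with Minimum age 1 the same cycle needs History + 1 days. PasswordPolicy, Account and days_until_reuse are constructed names for this example, and the initial password is treated as set on day 0.

```python
import string
from datetime import date, timedelta

class PasswordPolicy:
    """Model of the secpol.msc Password Policy settings (constructed example, not Windows code)."""
    def __init__(self, history=5, min_length=6, min_age_days=0, complexity=True):
        self.history, self.min_length = history, min_length
        self.min_age, self.complexity = timedelta(days=min_age_days), complexity

    def meets_complexity(self, username, pw):
        # Windows rule: at least 6 chars, must not contain the username, 3 of the 4 character classes
        classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
        return (len(pw) >= 6 and username.lower() not in pw.lower()
                and sum(any(ch in cls for ch in pw) for cls in classes) >= 3)

class Account:
    def __init__(self, username, password, policy, today):
        self.username, self.policy = username, policy
        self.recent = [password]      # newest last; Windows keeps the last `history` passwords
        self.last_change = today

    def change_password(self, new, today):
        """Return None on success, otherwise the reason the policy refuses the change."""
        p = self.policy
        if today - self.last_change < p.min_age:
            return "minimum age not reached"
        if len(new) < p.min_length:
            return "too short"
        if p.complexity and not p.meets_complexity(self.username, new):
            return "complexity requirements not met"
        if p.history and new in self.recent[-p.history:]:
            return "password in history"
        self.recent.append(new)
        self.last_change = today
        return None

def days_until_reuse(history, min_age_days, limit=365):
    """Days a user needs before the original password can be set again under this policy."""
    start = date(2013, 4, 29)
    acct = Account("dan", "Orig!nal1", PasswordPolicy(history=history, min_age_days=min_age_days), start)
    queue = [f"Temp0rary!{i}" for i in range(history)] + ["Orig!nal1"]   # history throwaways, then original
    for offset in range(limit):
        day = start + timedelta(days=offset)
        while queue and acct.change_password(queue[0], day) is None:
            queue.pop(0)                 # with Minimum age 0 the whole queue drains on one day
        if not queue:
            return offset
    return None
```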

Install a clean Debian on Virtualbox
https://pentest.ro/2012/01/27/install-a-clean-debian-on-virtualbox/
Fri, 27 Jan 2012 21:40:30 +0000

I don’t test my ‘ideas’ on live servers, nor do I keep unnecessary hardware around the house to play with them. So I use the other option at hand, a virtual machine. Although this will be a VM installation of Debian, the idea of a very clean and basic installation is the same for an installation on real hardware.

For my testing purposes I prefer Oracle VM VirtualBox instead of VMWare. First of all because it’s free for home use and secondly it’s smaller and faster for the applications I run. If you don’t already have it installed you can download it from https://www.virtualbox.org/wiki/Downloads.

You might have noticed that I’m a Debian fan; this is the system I have worked with for a long time, so it’s more of a habit now. For our clean installation we’ll use the so-called NetInstall version. It’s a small ISO image (under 200MB) containing only the basics for the installation; the rest of the applications will be downloaded during the install phase. So you must have internet access during installation (if you are reading this article you surely do, but pay attention when installing on real hardware). Download the latest version of Debian NetInstall from http://www.debian.org/CD/netinst/.

Start VirtualBox and let’s create a new Virtual Machine, by selecting New:

New Virtual Machine

Next we select a Name and the type of the OS:

Selecting the name and type of the OS

Select how much RAM to give to the Virtual Machine. Note that if you assign more than half of your physical RAM to the VM, like I’m doing in the image below, you risk RAM starvation on the host machine; analyze the situation depending on your hardware. Debian recommends a base of at least 384MB RAM. Assign the RAM depending on what you plan to do with this VM; usually 1GB of RAM will be more than enough.

Assigning RAM to the VM

Now we’ll create a hard-drive for our VM.

Creating a new drive for the VM

Then we select the type of the disk, the format in which it will be stored on disk. If you plan to port this VM to VMWare you should choose VMDK, otherwise VDI which is the default VirtualBox format is fine.

VDI type for our virtual HDD

Then we choose how the disk space will be allocated. If you choose Fixed Size, all the space necessary is reserved immediately by the file used to store the HDD. In Dynamically Allocated mode, the file only grows as files are stored on the VM, so it’s a better option in terms of managing resources efficiently.

Dynamically allocated disk

As for the size of the disk you should know better. By default, VirtualBox is proposing 8GB. I know I need a little bit more space for my applications so I choose 16GB, you should do your math.

Disk size

We’re done creating our machine, press Create two times and that’s it with this phase.

Creating the VM

Let’s modify some important settings of our newly created VM. Press Settings from the main screen.

Settings

Go to Storage -> IDE Controller -> Empty, check the Live CD/DVD check-box and select the ISO image of Debian downloaded earlier.

Mapping the ISO as the CD drive of the VM

Under the Network tab, I choose a Bridged Adapter to avoid yet another NAT. In bridged mode, the network adapter of the VM is practically in the same network as the host machine. I bridged the adapter to my wireless network card, which is the one connected to the Internet.

Networking - Bridged Adapter

It’s time to start the machine.

START

If everything is fine the VM should boot from the ISO image of Debian NetInstall. Choose Install in the first screen.

Install

You will then select the Language for the installation, Location -> Locales -> Keymap. If your network adapter is on DHCP, the installer will automatically detect the network and acquire an IP address for the VM; otherwise it will prompt you to enter the network settings manually. Next select a Hostname (debian is just fine) -> Domain name (be creative). You will then be prompted for a root password and to create a new user.

Partitioning for beginners is simple with Debian, just choose the defaults.

Guided Disk Partitioning
All files in one partition

Confirm Finish partitioning and write to disk. The installer will load the base system then will ask for the mirror which will be used to download the rest of the necessary files. Choose the closest one to your location for faster download.

In the Software Selection screen uncheck all the packages except SSH. Remember, we want a clean install, everything needed will be installed after. So just the SSH daemon for access to the VM (it’s way better than the terminal).

Software Selection

Confirm installing GRUB to the MBR and finish the installation. There you have it, a fresh, clean Debian. Log in, type ifconfig to find the VM’s IP address and connect via SSH.

Shell
[Tool] Check if an email address is valid – the php way
https://pentest.ro/2011/07/04/check-if-an-email-address-is-valid-the-php-way/
Mon, 04 Jul 2011 15:06:54 +0000

In an older post we talked about checking the validity of an email address.

Now let’s make a php function to automate this task. We can use this type of validation to check for example if a user is using a correct address when registering for a service.

The code is explained.

<?php
/*
email_validation.php
Coded by: Pentest ROMANIA; Dan Catalin VASILE; http://www.pentest.ro
*/

//Read one complete SMTP reply and return its 3-digit code.
//Continuation lines look like "250-text", the last line of a reply like "250 text".
function smtp_reply($sock)
{
 do {
  $line = fgets($sock);
  if ($line === false)
   return false; // connection closed or read timed out
 } while (strlen($line) >= 4 && $line[3] == '-');
 return substr($line, 0, 3);
}

function email_validation($email)
{
 //Some vars we will need later
 $timeout = 5; // how much to wait for MX connection in seconds
 $helo = "helo example.com\r\n"; // helo string, feel free to modify but keep in mind that \r\n are necessary at the end of the string to send CR LF
 $mailfrom = "mail from: <somemail@example.com>\r\n"; // some mail and the domain used before, preferably a valid one

 //First we'll do a quick string validation
 if (!filter_var($email, FILTER_VALIDATE_EMAIL))
  return "INVALID EMAIL ADDRESS"; // the string submitted to filter_var is invalid

 //split the email address by the @ sign; the MX lookup needs only the domain part
 $email_str = explode("@", $email);
 //check for MX records
 if (!getmxrr($email_str[1], $mxhosts, $weights))
  return "INVALID. NO MX RECORDS FOUND";
 //lowest weight = highest priority, so sort the hosts by weight and use the first one
 array_multisort($weights, $mxhosts);

 //opening sock connection to the first MX host
 $sock = fsockopen($mxhosts[0], 25, $errno, $errstr, $timeout);
 if (!$sock)
  return "INVALID. COULD NOT OPEN CONNECTION TO MX HOST. ERROR: ".$errstr." (".$errno.")";
 stream_set_timeout($sock, $timeout); // don't hang forever on a silent server

 //read the 220 banner, then send the commands one at a time and read each reply
 $code = smtp_reply($sock);
 if ($code != "220")
  $result = "INVALID. UNEXPECTED BANNER FROM MX SERVER: ".$code;
 else
 {
  fwrite($sock, $helo);
  smtp_reply($sock);
  fwrite($sock, $mailfrom);
  smtp_reply($sock);
  fwrite($sock, "rcpt to: <".$email.">\r\n");
  $code = smtp_reply($sock);
  //according to the RFC "250" means the mailbox is accepted, "550" that it does not exist
  if ($code == "250")
   $result = "VALID";
  else
   $result = "INVALID. ERROR CODE FROM MX SERVER: ".$code;
 }

 fwrite($sock, "quit\r\n");
 fclose($sock);
 return $result;
}
?>
Check if an email address is valid – the telnet way
https://pentest.ro/2011/07/02/check-if-an-email-is-valid-the-telnet-way/
Sat, 02 Jul 2011 19:21:20 +0000

You can use telnet to check if an email address is valid. You can actually send emails via telnet, but we’ll stick to checking for now. Remember that this is not a string validation but a complete check with the mail server of whether the user is valid.

For this example we will use bogus@pentest.ro. We first need to check the MX record for pentest.ro. On Linux it is as simple as:

> dig MX pentest.ro

; <<>> DiG 9.6-ESV-R4 <<>> MX pentest.ro
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53492
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;pentest.ro.                    IN      MX

;; ANSWER SECTION:
pentest.ro.             86400   IN      MX      5 ALT2.ASPMX.L.GOOGLE.COM.
pentest.ro.             86400   IN      MX      10 ASPMX2.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      10 ASPMX3.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      10 ASPMX4.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      10 ASPMX5.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      1 ASPMX.L.GOOGLE.COM.
pentest.ro.             86400   IN      MX      5 ALT1.ASPMX.L.GOOGLE.COM.

;; AUTHORITY SECTION:
pentest.ro.             86400   IN      NS      ns1.pentest.ro.
pentest.ro.             86400   IN      NS      ns2.pentest.ro.
pentest.ro.             86400   IN      NS      ns3.pentest.ro.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul  2 21:48:05 2011
;; MSG SIZE  rcvd: 261

On Windows platforms there is no integrated dig utility. You can use this app, or you can use a free online check like this one:

http://www.mxtoolbox.com/

MX checking with mxtoolbox.com

Either way you will end up with the MX server or servers for the domain. Notice there is a number in front of the MX servers in the list, that indicates priority (smaller means higher priority). We will use the highest priority server available and if this one fails we can try the next one.

It’s time to connect to the server (from the command line in Linux or Windows):

> telnet ASPMX.L.GOOGLE.COM 25
Trying 74.125.39.27...
Connected to ASPMX.L.GOOGLE.COM.
Escape character is '^]'.
220 mx.google.com ESMTP y26si6167249fag.156
helo mydomain.com
250 mx.google.com at your service
mail from: <me@mydomain.com>
250 2.1.0 OK y26si6167249fag.156
rcpt to: <bogus@pentest.ro>
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 y26si6167249fag.156
rcpt to: <somevalidaddress@pentest.ro>
250 2.1.5 OK y26si6167249fag.156
quit
221 2.0.0 closing connection y26si6167249fag.156
Connection closed by foreign host.

The lines starting with helo, mail from, rcpt to and quit are the ones you type (they were bolded in the original post); the others, starting with a three-digit code, are responses from the server.

All servers should abide by RFC 821. Most do, a few don’t. I noticed some servers accept all addresses as valid. This is not a standard response, but you can check whether this occurs by testing an address like vrWvrtVWRmJU5Jrvrw43t524@domain.com.

The response code you are interested in is 250. This means it’s a valid address. 550 means that the user does not exist. There are other codes as well and you can do further reading in the RFC.

Please note that the helo command must be run before anything else. mydomain.com and me@mydomain.com can be changed to anything you please.

To close the connection after validation just type quit.
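The HELO / MAIL FROM / RCPT TO exchange from this post and from the php post above, as an added Python example (not the blog’s code): it reads complete multi-line replies such as the 550-5.1.1 block, classifies the mailbox from the RCPT TO code, and first probes a random mailbox to catch servers that accept every address. read_reply, probe, check and FakeMX are constructed names; FakeMX is a stand-in that replays the replies shown in the session so the example runs offline, and a real check would pass a connect function that opens a socket to port 25 of the MX host instead.

```python
import re

FINAL = re.compile(r"^\d{3} ")  # "CODE text" ends a reply; "CODE-text" lines continue it (RFC 821)

def read_reply(conn):
    """Read one complete SMTP reply, joining continuation lines; return (code, lines)."""
    lines = []
    while True:
        line = conn.readline()
        if not line:
            raise ConnectionError("MX host closed the connection")
        lines.append(line.rstrip("\r\n"))
        if FINAL.match(line):
            return int(line[:3]), lines

def probe(address, conn, helo="example.com", sender="probe@example.com"):
    """The HELO / MAIL FROM / RCPT TO exchange from the post; the RCPT reply decides the verdict."""
    for cmd, want in ((None, 220), (f"helo {helo}", 250), (f"mail from: <{sender}>", 250)):
        if cmd:
            conn.send(cmd + "\r\n")
        code, _ = read_reply(conn)
        if code != want:
            return f"INVALID: {cmd or 'banner'} -> {code}"
    conn.send(f"rcpt to: <{address}>\r\n")
    code, _ = read_reply(conn)
    conn.send("quit\r\n")
    return {250: "VALID", 550: "INVALID: user unknown"}.get(code, f"UNKNOWN ({code})")

def check(address, connect, bogus="vrWvrtVWRmJU5Jrvrw43t524"):
    """Probe a random mailbox first: a 250 there means the server accepts everything (catch-all)."""
    domain = address.rsplit("@", 1)[1]
    if probe(f"{bogus}@{domain}", connect()) == "VALID":
        return "INCONCLUSIVE: catch-all server"
    return probe(address, connect())

class FakeMX:
    """Constructed stand-in that replays the replies seen in the telnet session; no network is used."""
    def __init__(self, known, catch_all=False):
        self.known, self.catch_all, self.out = known, catch_all, ["220 mx.example ESMTP\r\n"]
    def send(self, cmd):
        c = cmd.lower()
        if c.startswith(("helo", "mail")):
            self.out.append("250 OK\r\n")
        elif c.startswith("rcpt"):
            addr = c[c.index("<") + 1:c.index(">")]
            self.out += ["250 2.1.5 OK\r\n"] if self.catch_all or addr in self.known else [
                "550-5.1.1 The email account that you tried to reach does not exist.\r\n",
                "550 5.1.1 Double-check the recipient's address for typos.\r\n"]
    def readline(self):
        return self.out.pop(0) if self.out else ""
```

connect must return a fresh connection object with send() and readline() on every call, because the catch-all probe and the real probe are two separate SMTP sessions.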
