proxy – Dan Vasile https://pentest.ro InfoSec Adventures Thu, 10 Dec 2020 11:11:23 +0000 en-US

Updating Kali Linux from behind a restrictive proxy https://pentest.ro/2015/08/24/updating-kali-restrictive-proxy/ Mon, 24 Aug 2015 14:47:05 +0000 http://www.pentest.ro/?p=445

I installed Kali Linux from the mini ISO, so I ended up with a fully functioning Linux system but with little to no tools (just nmap and ncat).

In order to install the tools that make Kali what it is, I had to install the metapackages. For me, the easiest option was to install all of them (kali-linux-all).

It sounds simple:

# apt-get install kali-linux-all

but it failed constantly with

Failed to fetch http://http.kali.org/kali/pool/main/##whatever_package## Size mismatch

apt reports Size mismatch when the file it received is not the length recorded in the signed Packages index; a proxy that hands back a block page instead of the .deb produces exactly that.

A little bit of research, and trying to download the actual package from the host machine, made me realize that the proxy was blocking access to the packages.

I decided to check whether Tor traffic was allowed. Luckily, it was, so I installed it

# apt-get install tor

started it (here simply as a background process; service tor start would do the same)

# tor &

and used torify to route the whole apt-get run through Tor

# torify apt-get install kali-linux-all

torify only wraps the TCP connections of the process it launches, so nothing else on the box is affected. apt still verifies the signed Release and Packages files, so a Tor exit node that tampered with a download would produce another hash or size mismatch rather than a silently modified package.

A few more minutes (6+ GB) and I had my fully featured Kali installation.

Intercepting custom communication protocols in Windows 7 https://pentest.ro/2014/06/30/intercepting-custom-communication-protocols-in-windows-7/ Mon, 30 Jun 2014 09:15:35 +0000 http://www.pentest.ro/?p=369

Actually, the title should have been: “Don’t feel lucky and go beyond the first result in a Google search”.

I’ve been using EchoMirage for some time but apparently I’ve been using the wrong one. Because when you search for it in Google you normally click the first link. Right? Wrong!


The first link is for the older version from BindShell, which works decently under Windows XP and very poorly under Windows 7. Under Windows 7 you get a lot of crashes, failed injections and a generally poor experience, even when run with XP compatibility enabled.

Now, if you look past the first result, the second link takes you to the newer version, which does support Windows 7. To quote, “the primary goal of Echo Mirage 3 was to ensure full Windows 7 support”.

http://www.wildcroftsecurity.com/echo-mirage

Great, now it works. But what’s the usage?

Intercepting the communication of a web application is easy. It speaks HTTP, so you fire up an intercepting proxy, point your browser at it, and you can intercept, modify on the fly, replay requests and so on.

A thick client is more complicated. Sometimes it uses a standard protocol such as HTTP to talk to its server, but often it does not, and then you need a tool that can intercept and modify raw TCP traffic.

We can identify 5 different communication situations and ways to tackle each:

  1. Standard protocol, standard (or no) encryption – intercepting proxy like Burp, Fiddler, OWASP ZAP, Charles, etc.
  2. Standard protocol, custom encryption – rather uncommon
  3. Custom protocol, no encryption – here we use EchoMirage or TCP proxying with Mallory
  4. Custom protocol, standard encryption – TCP proxying with Mallory, which terminates the SSL/TLS session itself and hands you the plaintext
  5. Custom protocol, custom encryption

When I say standard I usually refer to HTTP and for standard encryption I mean SSL.

So, install EchoMirage, fire it up, and either inject into a running process or launch a new one under it, then have fun. You can define rules for automatic replacement of data, highlight the bytes you are interested in and other cool stuff.
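Situation 3 in working code, as an added example that is not part of the original post and not EchoMirage's or Mallory's code: a minimal intercepting TCP proxy in Python with EchoMirage-style automatic replacement rules applied to the client-to-server direction. The backend, its LOGIN/ROLE line protocol and the rule that turns ROLE=user into ROLE=admin are all constructed for the demo; everything runs on loopback.

```python
import socket
import threading

# Automatic replacement rules for client->server traffic, EchoMirage-style: (pattern, replacement).
# The rule below is constructed for the demo: it upgrades the role the client claims.
DEFAULT_RULES = [(b"ROLE=user", b"ROLE=admin")]


def apply_rules(data, rules):
    """Apply each byte-level replacement, in order, to one chunk read from the socket."""
    for pattern, replacement in rules:
        data = data.replace(pattern, replacement)
    return data


def pump(src, dst, rules, log, direction):
    """Copy src -> dst, rewriting on the way and logging (direction, original, forwarded)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            out = apply_rules(chunk, rules)
            log.append((direction, chunk, out))
            dst.sendall(out)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate EOF so the far side sees the close
        except OSError:
            pass


class InterceptingTcpProxy:
    """Listen on a loopback port, connect each client to `upstream`, rewrite C->S bytes."""

    def __init__(self, upstream, rules=None):
        self.upstream = upstream
        self.rules = DEFAULT_RULES if rules is None else rules
        self.log = []
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def serve_one(self):
        client, _ = self.listener.accept()
        server = socket.create_connection(self.upstream)
        threads = [
            threading.Thread(target=pump, args=(client, server, self.rules, self.log, "c->s")),
            threading.Thread(target=pump, args=(server, client, [], self.log, "s->c")),
        ]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        client.close()
        server.close()
        self.listener.close()


def toy_backend(listener):
    """Constructed stand-in for a thick-client server: expects 'LOGIN <user> ROLE=<role>\\n'."""
    conn, _ = listener.accept()
    with conn:
        line = b""
        while not line.endswith(b"\n"):
            chunk = conn.recv(4096)
            if not chunk:
                return
            line += chunk
        fields = line.split()
        if len(fields) == 3 and fields[0] == b"LOGIN" and fields[2].startswith(b"ROLE="):
            conn.sendall(b"WELCOME " + fields[1] + b" " + fields[2][5:] + b"\n")
        else:
            conn.sendall(b"ERR\n")


def run_demo(request=b"LOGIN alice ROLE=user\n", rules=None):
    """Client -> proxy -> toy backend on loopback; returns (backend reply, proxy log)."""
    backend = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    backend.bind(("127.0.0.1", 0))
    backend.listen(1)
    threading.Thread(target=toy_backend, args=(backend,), daemon=True).start()
    proxy = InterceptingTcpProxy(backend.getsockname(), rules)
    worker = threading.Thread(target=proxy.serve_one, daemon=True)
    worker.start()
    client = socket.create_connection(("127.0.0.1", proxy.port))
    client.sendall(request)
    client.shutdown(socket.SHUT_WR)
    reply = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        reply += chunk
    client.close()
    worker.join(5)
    backend.close()
    return reply, proxy.log


if __name__ == "__main__":
    reply, log = run_demo()
    print(log, reply)
```

The rules are applied per read, so a pattern split across two recv() calls is missed; a real tool buffers a whole message before matching, and also lets you pause on a hit and edit by hand. For situation 4 the same relay sits behind a TLS-terminating front end, which is what Mallory adds.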

There is a general tendency to move everything towards thin clients with standard protocols and standard encryption, but thick clients will be around for a while, and we will keep needing tools to have fun with them.

Techniques to play with custom and encrypted protocols https://pentest.ro/2013/01/30/techniques-to-play-with-custom-and-encrypted-protocols/ Wed, 30 Jan 2013 08:36:35 +0000 http://www.pentest.ro/?p=301

An interesting presentation from DEFCON20 by Elie Bursztein and Patrik Samy, called “Fuzzing Online Games”, touches areas of application security where traffic analysis alone is not enough to perform a penetration test.

As stated by the authors:
“In a nutshell the lack of direct access to the game server and having to deal with clients that are far too complex to be easily emulated force us to rely on injecting fuzzing data into legitimate connections rather than use the standard replay execution approach. Top that with heavily encrypted and complex network protocols and you start to see why we had to become creative to succeed :)”

The problem for an application security analyst is that most of the communication is encrypted and uses custom protocols that cannot be intercepted with standard proxies like Burp or Charles. One option is Mallory as a transport-layer proxy, which handles some custom protocols but still does not solve the encryption problem when the client does not use standard SSL/TLS. So reverse engineering, memory analysis and memory manipulation have to be involved.

Technique proposed by the presenters:
– Combine network traffic analysis with memory analysis (watch what happens in memory when particular packets are sent over the wire)

Challenges involved:
– Intercepting traffic
– Bypassing Encryption
– Reversing the protocol
– Monitoring the results of fuzzing

Traffic interception:
– DLL injection at the application level – direct access to game state
– Write a driver at the OS level
– Pass the traffic through an intercepting box – this is done at the network level; as a side note, it can also be done on the same box with Wireshark; keep in mind that on Windows, Wireshark (through WinPcap) does not see packets sent on the loopback interface, and RawCap can capture those

DLL injection:
– Most applications use the Windows Winsock API, and the interesting functions to watch are connect, recv and send
– Ways to do it: the Microsoft Detours library and IAT (Import Address Table) hooking:
o http://sandsprite.com/CodeStuff/Understanding_imports.html
o http://sandsprite.com/CodeStuff/IAT_Hooking.html
– The problem is that protection mechanisms like anti-cheat engines detect hooking

Writing a driver:
Windows Filtering Platform (WFP) – could be an excellent replacement for Mallory, since no external machine (not even a virtual one) is needed to capture the packets

The presenters then focus on the analysis of the custom LoL (League of Legends) protocol as a practical example. Among other things, they use packet, statistical and n-gram analysis and search for a feasible way to fuzz the protocol. They do not go into details such as tools, usage and how to perform the analysis, but stay at a high level.
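A concrete version of the packet, statistical and n-gram analysis the talk only names, as an added example that is mine and not the presenters' tooling: the captures are constructed from a made-up message format (2-byte magic, 1-byte opcode, 2-byte little-endian length, payload), and the functions rediscover the magic and the length field from the captures alone, then rebuild a message with a fuzzed payload and a consistent length so the server's framing accepts it.

```python
import struct
from collections import Counter

# Constructed captures of a made-up binary client->server message. Nothing below is told the
# layout (magic CA FE, opcode, little-endian u16 length, payload); it has to recover it.

def build_sample():
    pairs = [(1, b"alice"), (1, b"bob"), (2, b"move 10 20"), (2, b"move 3 4"), (3, b""), (1, b"carol")]
    return [b"\xca\xfe" + bytes([op]) + struct.pack("<H", len(p)) + p for op, p in pairs]


def top_ngrams(msgs, n=2, k=3):
    """Most frequent byte n-grams over all captures: fixed magics and separators float to the top."""
    counts = Counter()
    for m in msgs:
        for i in range(len(m) - n + 1):
            counts[m[i:i + n]] += 1
    return counts.most_common(k)


def constant_offsets(msgs, max_len=8):
    """Offsets whose byte never changes: candidate magic, version or reserved bytes.
    Beware: the high byte of a short length field looks constant too (offset 4 here)."""
    n = min(max_len, min(len(m) for m in msgs))
    return [i for i in range(n) if len({m[i] for m in msgs}) == 1]


def length_field_candidates(msgs, max_len=8):
    """Offsets where an 8- or 16-bit value tracks the message length with a constant difference.
    Returns (offset, struct format, bytes after the field that the value does not count)."""
    hits = []
    for i in range(max_len):
        for fmt in ("B", "<H", ">H"):
            width = struct.calcsize(fmt)
            if any(len(m) < i + width for m in msgs):
                continue
            values = [struct.unpack_from(fmt, m, i)[0] for m in msgs]
            if len(set(values)) == 1:
                continue                     # constant: magic or padding, not a length
            deltas = {len(m) - (i + width) - v for m, v in zip(msgs, values)}
            if len(deltas) == 1:
                hits.append((i, fmt, deltas.pop()))
    return hits


def with_payload(msg, payload, length_offset=3, fmt="<H"):
    """Rebuild a captured message around a new payload, keeping the length field consistent.
    Fuzzing the payload this way exercises the handler; a wrong length only exercises the framing."""
    return msg[:length_offset] + struct.pack(fmt, len(payload)) + payload


if __name__ == "__main__":
    sample = build_sample()
    print("top bigrams:", top_ngrams(sample))
    print("constant offsets:", constant_offsets(sample))
    print("length fields:", length_field_candidates(sample))
    print("fuzz case:", with_payload(sample[0], b"A" * 300)[:8], "...")
```

On the sample, the bigram CA FE is the only one that appears in every capture, offsets 0, 1 and 4 are constant, and the only length candidates sit at offset 3: as an 8-bit field with one uncounted byte after it, and as a 16-bit little-endian field with none, which is the real layout. The 300-byte fuzz case also shows why the 8-bit reading was wrong: its length no longer fits in one byte.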

Socks proxy for non-socks applications https://pentest.ro/2011/06/28/socks-proxy-for-non-socks-applications/ Tue, 28 Jun 2011 16:24:45 +0000 http://www.pentest.ro/?p=49

For several reasons you may want to use a SOCKS proxy, but a lot of command-line applications are not able to work with one.

wget, for example, has no SOCKS support at all. It can use an HTTP proxy, but only through the http_proxy/https_proxy environment variables or a .wgetrc setting (also passable with -e), not through a dedicated command-line option.

Fortunately, there are transparent ways to make things work.

One option at hand is tsocks (transparent socks). It may already be on your Debian system; if not, just do a:

> apt-get install tsocks

and you’re good to go.

You need to edit /etc/tsocks.conf. You can specify a lot of things there, but the really important lines are the ones at the end of the file:

server = 127.0.0.1     # IP of the SOCKS server
server_type = 5        # 5 for SOCKS5; the default is 4
server_port = 1080     # port of the SOCKS server

You can use tsocks as simple as this:

> tsocks <app> [args]

Now we can put it to a test:

> tsocks wget www.whatismyip.com

and check whether the saved index.html shows the proxy's address rather than your own.

One caveat: tsocks works by preloading a library that replaces connect(), so it only affects dynamically linked programs, and it does not redirect DNS. The application resolves the host name locally and only the TCP connection goes through the SOCKS server, so the lookup itself leaks to your own resolver.

Now, if you want to use a proxy chain you may want to use proxychains. But about this one in another post.
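What tsocks does on the application's behalf, as an added example that is not part of the original post and not tsocks code: a SOCKS5 CONNECT handshake in Python with both sides spelled out. The server stub is constructed for the demo (no authentication, CONNECT only, and it answers the data itself instead of relaying to the requested destination), the host name example.test and the port are arbitrary, and everything runs on loopback.

```python
import socket
import struct
import threading

SOCKS_VERSION, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN = 1, 3


def recv_exact(sock, n):
    """SOCKS fields are fixed-size: read exactly n bytes, treating a short read as an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf


def build_connect_request(host, port):
    """VER CMD RSV ATYP DST.ADDR DST.PORT. IPv4 literals go as ATYP 1; anything else is sent as
    a domain name (ATYP 3), so the proxy resolves it instead of the local resolver. tsocks only
    ever sees the IP the application already resolved, which is why its lookups leak."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack(">H", port)


def read_addr(sock, atyp):
    """Read a DST/BND address of type atyp (IPv4 or domain name) off the stream."""
    if atyp == ATYP_IPV4:
        return socket.inet_ntoa(recv_exact(sock, 4))
    if atyp == ATYP_DOMAIN:
        return recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
    raise ConnectionError(f"unsupported ATYP {atyp}")


def socks5_connect(proxy, host, port):
    """Client side: the exchange tsocks performs inside the wrapped program's connect()."""
    s = socket.create_connection(proxy)
    try:
        s.sendall(bytes([SOCKS_VERSION, 1, 0]))        # VER, NMETHODS=1, METHOD 0 = no auth
        ver, method = recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != 0:
            raise ConnectionError("proxy rejected no-authentication")
        s.sendall(build_connect_request(host, port))
        ver, rep, _rsv, atyp = recv_exact(s, 4)
        read_addr(s, atyp)                              # BND.ADDR ...
        recv_exact(s, 2)                                # ... and BND.PORT: consumed, unused here
        if ver != SOCKS_VERSION or rep != 0:
            raise ConnectionError(f"CONNECT refused, REP={rep}")
        return s                                        # from here on: a socket "to host:port"
    except Exception:
        s.close()
        raise


def socks5_stub(listener, log):
    """Server side, constructed for the demo: no-auth, CONNECT only, one client. After the
    handshake it echoes the data itself; a real proxy would connect to host:port and relay."""
    conn, _ = listener.accept()
    with conn:
        ver, nmethods = recv_exact(conn, 2)
        if ver != SOCKS_VERSION or 0 not in recv_exact(conn, nmethods):
            conn.sendall(bytes([SOCKS_VERSION, 0xFF]))     # no acceptable method
            return
        conn.sendall(bytes([SOCKS_VERSION, 0]))
        ver, cmd, _rsv, atyp = recv_exact(conn, 4)
        host, port = read_addr(conn, atyp), struct.unpack(">H", recv_exact(conn, 2))[0]
        log.append((cmd, host, port))
        if cmd != CMD_CONNECT:
            conn.sendall(bytes([SOCKS_VERSION, 7, 0, ATYP_IPV4]) + bytes(6))   # REP 7: unsupported
            return
        conn.sendall(bytes([SOCKS_VERSION, 0, 0, ATYP_IPV4]) + bytes(6))       # REP 0, BND 0.0.0.0:0
        while True:
            data = conn.recv(4096)
            if not data:
                return
            conn.sendall(data)


def run_demo(host="example.test", port=80, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Client -> SOCKS5 stub on loopback; returns (bytes echoed back, what the stub was asked for)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                     # port 0: the OS picks a free port
    listener.listen(1)
    log = []
    worker = threading.Thread(target=socks5_stub, args=(listener, log), daemon=True)
    worker.start()
    s = socks5_connect(listener.getsockname(), host, port)
    s.sendall(payload)
    s.shutdown(socket.SHUT_WR)
    out = b""
    while True:
        chunk = s.recv(4096)
        if not chunk:
            break
        out += chunk
    s.close()
    worker.join(5)
    listener.close()
    return out, log


if __name__ == "__main__":
    print(run_demo())
```

Tor's SocksPort and ssh -D answer the same bytes, so socks5_connect works against either once you point it at their port. The ATYP 3 branch is the difference between this client and tsocks: here the proxy does the name lookup, while under tsocks the application has already resolved the name by the time connect() is intercepted.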
