Saturday 27 December 2008

After a long while...

Hi!

After a long while Hugo & I decided to prepare the new Inguma version (Release 0.1.0) with some new features. There are new modules in the new version, as the ASNQuery module or the NMap fronted both created by Hugo, and new features & tools.

The 2 most interesting new tools added to the framework are, for sure, the PCAP-based fuzzer and the OpenDis Binary Navigator.

The PCAP based fuzzer works this way: Record with your favourite sniffer a session communicating with your target server application, save the recorded session as one PCAP file and create a new PCAP based fuzzer as the following:

-----------------------------------------------------------------------------------
import sys
from scapy import *
from fuzzpcap import *
from lib import libfuzz

def main(pcapFile, dest, destPort):

replayList = []

pktList = rdpcap(pcapFile)

for pkt in pktList:
tcpPkt = pkt[TCP]
flags = tcpPkt.sprintf("%flags%")
dst = pkt.sprintf("%IP.dst%")
dstPort = tcpPkt.sprintf("%TCP.dport%")

if flags == "PA" and dst == dest and dstPort == destPort:
# Get the packet's data
pktBuf = str(tcpPkt[Raw])
replayList.append(pktBuf)

replayer = CReplayFuzzer(dest, destPort, replayList)
replayer.verbose = False # Show every packet that will be sent?
replayer.timeout = 0.3   # Time to wait for a response?
replayer.waitResponse = True # Wait for a response?
replayer.startPacket = 0     # Start from packet number 0
replayer.dontWaitFor = xrange(0, 1024) # Don't wait for a response for these packets
replayer.fuzz() # Start fuzzing now!
-----------------------------------------------------------------------------------


That easy. For some (undocumented) protocols this is a fast way to start fuzzing a complete communication session without having any knowledge about the communication protocol.

Another interesting tool (as previously pointed) is the OpenDis Binary Navigator. It's a frontend for OpenDis databases (the format of the databases changed from cpickle objects to SQLite format databases). With this tool you might upload (this is a webserver, bind it to 127.0.0.1 if you don't want to open this to your network) programs to be analyzed by OpenDis and generate an SQLite based database. This database can be navigated using the OpenDis Binary Navigator.

The most curious features of OpenDis Binary Navigator right now are the ability to generate basic block diagrams (you need Graphviz) and the option to calculate the CC (Cyclomatic Complexity) of a procedure. You might see screenshots at the end of this post.

Well, that's all at the moment. I will try to upload the new version of Inguma to sourceforge before the end of the year. Happy XMas and happy new year!





Tuesday 9 September 2008

More toys for Inguma

Hi all,

Last days we have keep working on more modules for Inguma, so let's see the result of this work.

First we have two new modules that could be very useful when used together with the DnsSpoof; both modules are located under the Gather category and are a TCP proxy and a Web Server with some basic crawling capabilities.
inguma> info webserver
crawl = 
target = 
port = 

inguma> info tcpproxy
target = 
port = 
newport = 
inguma>

The web server will crawl a web page, if crawl variable is set to 'True', and after that will start serving that page at the specified port.
inguma> info webserver
crawl = 
target = 
port = 
inguma> crawl = True
inguma> target = 'http://mail.google.com'
inguma> port = 80
inguma> webserver
Crawl True
Crawling page: http://mail.google.com
Parsing image links...
Parsing href links...
Crawled page saved at /home/hteso/Proyectos/inguma-dev/data/web/index.html
serving at port 80
localhost - - [09/Sep/2008 23:08:17] "GET / HTTP/1.1" 200 -
localhost - - [09/Sep/2008 23:08:17] "GET /favicon.ico HTTP/1.1" 404 -

This can be funny ;)

On the other hand we have the TCP Proxy...
inguma> info tcpproxy
target = 
port = 
newport = 
inguma> target = 'http://www.google.es'
inguma> port = 80
inguma> newport = 80
inguma> tcpproxy
Starting TCP proxy
Redirecting: localhost:80 -> http://mail.google.com:80
inguma> Creating new session for 127.0.0.1 55231 
Creating new pipe thread   ( ('127.0.0.1', 55231) -> ('74.125.39.104', 80) )
1 pipes active
Creating new pipe thread   ( ('74.125.39.104', 80) -> ('127.0.0.1', 55231) )
2 pipes active

0010   6D 65 74 61 20 68 74 74 70 2D 65 71 75 69 76 3D    meta http-equiv=
0020   22 63 6F 6E 74 65 6E 74 2D 74 79 70 65 22 20 63    "content-type" c
0030   6F 6E 74 65 6E 74 3D 22 74 65 78 74 2F 68 74 6D    ontent="text/htm
0040   6C 3B 63 68 61 72 73 65 74 3D 75 74 66 2D 38 22    l;charset=utf-8"
0080   79 20 7B 66 6F 6E 74 2D 66 61 6D 69 6C 79 3A 20    y {font-family: 
0090   61 72 69 61 6C 2C 73 61 6E 73 2D 73 65 72 69 66    arial,sans-serif
...

One of the next improvements for this module will be the ability to trap and modify requests and answers.

Finally we have added a new section called RCE that will group all the tools for working with binaries:
inguma> show rce

List of rce modules
-------------------

debugger                Userland Debugger
hexdump                 A simple HexDump utility

The first tool is a simple Hexdump utility.

inguma> info hexdump
target = < Target file >
lines = 
inguma> target = '/bin/cat'
inguma> hexdump

/bin/cat
--------------------------------------------------------------------------
000000: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 | ELF............
000010: 02 00 03 00 01 00 00 00 c0 8c 04 08 34 00 00 00 | ........�...4...
000020: 78 66 00 00 00 00 00 00 34 00 20 00 07 00 28 00 | xf......4. ...(.
000030: 1b 00 1a 00 06 00 00 00 34 00 00 00 34 80 04 08 | ........4...4...
000040: 34 80 04 08 e0 00 00 00 e0 00 00 00 05 00 00 00 | 4...�...�.......
000050: 04 00 00 00 03 00 00 00 14 01 00 00 14 81 04 08 | ................
000060: 14 81 04 08 13 00 00 00 13 00 00 00 04 00 00 00 | ................
000070: 01 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08 | ................
000080: 00 80 04 08 c0 63 00 00 c0 63 00 00 05 00 00 00 | ....�c..�c......
000090: 00 10 00 00 01 00 00 00 c0 63 00 00 c0 f3 04 08 | ........�c..�
0000a0: c0 f3 04 08 dc 01 00 00 64 03 00 00 06 00 00 00 | ��..�...d.......
0000b0: 00 10 00 00 02 00 00 00 d4 63 00 00 d4 f3 04 08 | ........�c..�
0000c0: d4 f3 04 08 d0 00 00 00 d0 00 00 00 06 00 00 00 | ��..�...�.......
0000d0: 04 00 00 00 04 00 00 00 28 01 00 00 28 81 04 08 | ........(...(...
0000e0: 28 81 04 08 20 00 00 00 20 00 00 00 04 00 00 00 | (... ... .......
0000f0: 04 00 00 00 51 e5 74 64 00 00 00 00 00 00 00 00 | ....Q�td........
000100: 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 | ................
000110: 04 00 00 00 2f 6c 69 62 2f 6c 64 2d 6c 69 6e 75 | ..../lib/ld-linu
000120: 78 2e 73 6f 2e 32 00 00 04 00 00 00 10 00 00 00 | x.so.2..........
--------------------------------------------------------------------------
jump to... 

And the last tool that we will review today is a ring 3 debugger coded in python and that you can find in this web site.
inguma> debugger
Loading VDB Modules: 
... Complete
vdb > help

Documented commands (type help ):
========================================
alias     bpedit  config  fds     maps     mode    regs    snapshot  threads 
attach    break   detach  go      mem      ps      script  stepi     vstruct 
bestname  bt      dis     ignore  memdump  python  server  struct    writemem
bp        call    exec    lm      meta     quit    signal  syms    

Undocumented commands:
======================
EOF  help  sections

vdb > ps
[Pid]   [ Name ]
1       /sbin/init
2764    /sbin/udevd --daemon 
4458    /sbin/portmap 
4482    /sbin/rpc.statd 
4611    /sbin/getty 38400 tty4 
4612    /sbin/getty 38400 tty5 
4614    /sbin/getty 38400 tty2 
4617    /sbin/getty 38400 tty3 
4618    /sbin/getty 38400 tty6 
4813    /usr/sbin/acpid -c /etc/acpi/events -s /var/run/acpid.socket 
...

Actually the module just starts the debugger (either in console or graphical mode) but we are working on a more deep integration of the tool with Inguma and, may be, a programmatic RCE environment with the debugger, OpenDis, ...

That's all for the moment, stay tuned!!

Hugo Teso

Sunday 31 August 2008

New libraries in the Inguma Framework

Hi!

The, currently in development, new version of Inguma will include modules for Informix and IBM DB2 databases. Right now, for IBM DB2 databases we don't have many things, just a discover module (at the moment) but I'm working in a Python module for the DRDA protocol.

Also, and it's almost finished, I'm working in a pure Python Informix library. This library just "works". It generates valid packets for login, queries and various other Informix commands (such as DBList, etc...). It wasn't a hard job! I will explain a bit how the Informix communication protocol works:

The 1st packet the client sends to the database server is a pure ASCII packet with the following format:
buf = "sq"
buf += base64.b64encode("the total size of the packet").strip("==")
buf += "BPQAAsqlexec"

data  = ' %s -p%s %s %s -d%s -f%s DBPATH=%s DBMONEY=%s CLIENT_LOCALE=%s'
data += ' SINGLELEVEL=%s '
data += 'LKNOTIFY=%s LOCKDOWN=%s NODEFDAC=%s CLNT_PAM_CAPABLE=%s '
data  = data % (self.username, self.password, self.version, self.serialNumber,
self.databaseName,
self.ieee, self.databasePath, self.databaseMoney,
self.clientLocale, 
self.singleLevel, self.lkNotify, self.lockDown, 
self.noDefDac,
self.clientPamCapable)

When the server receives this packet validates the username and the password (which is, BTW, sent in plain text) and, also, the database name if it was passed. Regardless of whether the username and password are valid, the server will always answer with interesting data to the client, such as the install path, complete version, etc... (BTW, there is a working module to gather information from an Informix Database in the private version of Inguma and will be released in the next release).

The response sent from the server to the client will have the following format:

"0x00 0x05 0x02 0x00*12 ieee name banner serial dbpath protocol hostname terminal installpath"

The first byte (0x00 or 0x01) is the "isValidUser" byte. If the username and password are OK, the server will answer with a value of 0x01. Otherwise, the value will be 0x0. The 2nd and 3rd bytes indicates if the database selected exists and the user has privilege to connect to. A normal answer (if the database exists and, also, the username & password are both valid) is 0x05 0x02. All the rest of the data are C strings.

After this, if both username and password are valid, the user may start sending commands in a new (binary) protocol format. The protocol will have the following structure (not 100% accurate...):

0x00 OPCODE 0x00 0x00 0x00 STRING_DATA 0x00 0x00 0x16 0x00 0x31 0x00 0x0c

The first byte is static and the second one is the OPCODE. The opcode is an index to an internal function pointers array. In example, the OPCODE 0x01 is for executing SQL commands, the OPCODE chr(26) will list all the databases in the server, etc.. These function pointers are stored in the global array "jmpsql".

Well, I hope that we will release a new version in about 1 month or so with modules for DB2 and Informix.

Regards,
Joxean Koret

First post!

This is the Inguma project's development blog. In the near future (we hope) we will update the blog with information about the new libraries, modules, etc... added to the Inguma framework.

Contributors