Currently, I am in the process of writing documentation on the Owasp wiki. There are two new mailing lists that you are welcome to join if these things sounds interesting to you:

• Hatkit proxy mailing list
• Hatkit Datafiddler mailing list

My goal was to be able to intercept WebSocket communications between the server and the client, that is

• Intercept messages that are sent to the server
• Intercept messages from the server, before the client application receives them

I also want my solution to not depend on how the application uses websockets, only dependant on the browser API for WebSockets.

To send anything over websockets, a websocket is constructed and the send()-mehtod is called. Therefore, a simple interceptor would look like this:
window.WebSocket.prototype.oldSend = window.WebSocket.prototype.send;
window.WebSocket.prototype.send=function(data){
this.oldSend(prompt("Sending data",data));
}

Simple overloading of the send-function. That was easy.

It turns out however, that there is no similar functionality for receiving. To receive, an application developer must construct a WebSocket and then ‘monkey-patch’ onto it a function called “onmessage”. Llike so:

x=new WebSocket("ws://localhost:8080/ws/");
x.onmessage=function(){alert(message.data);}

This means that the prototype object never really comes into play, since the function is defined only for the actual websocket instance. With some help from Gareth Heyes at sla.ckers.org I instead used the __defineSetter__ property.

The __defineSetter__ is called whenever someone tries to set a property on an object. To get it called, however, I needed to create a wrapped WebSocket object which replaces window.WebSocket. By doing so, the websocket that is created by the application under review will be my ‘special’ websocket, where I can deflect any setting of onmessage and retain my tamper-enabled onmessage function.
var oldWebSocket=window.WebSocket;
function WrappedWebSocket(loc)
{
this.prototype=new oldWebSocket(loc);
this.__proto__=this.prototype;
var wrapper=this;
this.onmessage=function(message)
{
var data = prompt("Receiving data",message.data);
wrapper.trueonmessage({data:data});
}
this.__defineSetter__('onmessage', function(val){
wrapper.trueonmessage=val;
});
}
window.WebSocket=WrappedWebSocket

To finish up, I can merge the two tamper-functions into the same definition, and also (thanks Gareth) put it all inside a closure. The final version became:
window.WebSocket = function(oldWebSocket) {
return function WrappedWebSocket(loc)
{
this.prototype=new oldWebSocket(loc);
this.__proto__=this.prototype;
var wrapper=this;
this.onmessage=function(message)
{
var data = prompt("Receiving data",message.data);
wrapper.trueonmessage({data: data});
};
this.__defineSetter__('onmessage', function(val){wrapper.trueonmessage=val;});
this.send=function(data){this.prototype.send(prompt("Sending data",data));};
};
}(window.WebSocket);

And here is a bookmarklet that you can bookmark and execute the next time you want to tamper with a WebSocket-enabled app:TamperSocket

Nmap nowadays comes with a scripting engine, (Nmap Scripting Engine : NSE). When a particular service is encountered (say, “rmi”) in the service-scan, or a particular port is found open in the port-scan, a script which is “interested” in communicating with that particular port or service can be executed. NSE scripts are written in Lua, which I find very nice to work with. Nmap provides basic functionality for common tasks, such as socket communication, binary conversion, output control etc.

RMI is Java’s remote method invocation, i.e. Java’s native API for distributing application across different hosts. An object which implements the Remote interface can be called by anoher JVM. For example, say there is an object- let’s call it monitor – which resides inside your application and measures statistics for the application, or contains the runtime-configuration. Another application which monitors a cluster of servers may want to connect to each of these and provide real-time monitoring and administration of the services. In order for the cluster-monitor to locate the different monitors, the monitors would first have to make their presence known. They would typically do that by connecting to the RMI Registry.

The RMI Registry is typically found on port 1098 and 1099, often in pairs where one is primary and one is fall-over. It simply keeps tabs on where objects are located. So, the Registry is the natural starting point for anyone trying to gain information about the application which is running.

Over the wire, RMI is mostly java serialization protocol with a few additions (method call invocation, for example). Creating an RMI library for Lua may sound like an odd idea, but it has a few benefits:

• By reimplementing RMI instead of using java native RMI to perform these tests, I did not have to worry about problems arising when java tries to instantiate stubs of remote objects which belong to a class that is not on the current classpath.
• It can be used by Nmap!

Also: by using OpenJDK as a reference, I really just had to translate Java into Lua (and try to avoid the messy parts).

The basics

Nmap provides only the basics of socket programming, and the sockets do not perform any buffering on reads and writes. Therefore, I start off with creating my Lua-version of buffered reader and writer. I’ll just show the reader here:


---
-- BufferedReader reads data from the supplied socket and contains functionality
-- to read all that is available and store all that is not currently needed, so the caller
-- gets an exact number of bytes (which is not the case with the basic nmap socket implementation)
-- If not enough data is available, it blocks until data is received, thereby handling the case
-- if data is spread over several tcp packets (which is a pitfall for many scripts)
--
-- It wraps unpack from bin for the reading.
-- OBS! You need to check before invoking skip or unpack that there is enough
-- data to read. Since this class does not parse arguments to unpack, it does not
-- know how much data to read ahead on those calls.
--@usage:
-- local bWriter = BufferedWriter:new(socket)
-- local breader= BufferedReader:new(socket)
--
-- bWriter.pack('>i', integer)
-- bWrier.flush() -- sends the data
--
-- if bsocket:canRead(4) then -- Waits until four bytes can be read
-- local packetLength = bsocket:unpack('i') -- Read the four bytess
-- if bsocket:canRead(packetLength) then
-- -- ...continue reading packet values

}

A couple of comments: NSE does not provide a very good exception-handling system, so (almost) all functions return multiple return values, where the first is usually the status: true if all is well, false if something went wrong. The function doh(..) is just a wrapper for that :
local function doh(str,...)
stdnse.print_debug("RMI-ERR:"..tostring(str), unpack(arg))
return false, str
end

Once buffering sockets are up and running, I need something which resembles the DataWriter and DataReader from java. NSE provides a bin-library to do binary conversion between formats, and my library uses them. I'll just show the Lua-version of java DataInputStream here:

---
-- The JavaDIS class
-- JavaDIS is close to java DataInputStream. It provides convenience functions
-- for reading java types from an underlying BufferedReader
--
-- When used in conjunction with the BufferedX- classes, they handle the availability-
-- checks transparently, i.e the caller does not have to check if enough data is available
--
-- @usage:
-- local dos = JavaDOS:new(BufferedWriter:new(socket))
-- local dos = JavaDIS:new(BufferedReader:new(socket))
-- dos:writeUTF("Hello world")
-- dos:writeInt(3)
-- dos:writeLong(3)
-- dos:flush() -- send data
-- local answer = dis:readUTF()
-- local int = dis:readInt()
-- local long = dis:readLong()
JavaDIS = {
new = function (self,bReader)
local o = {} -- create new object if user does not provide one
setmetatable(o, self)
self.__index = self -- DIY inheritance
o.bReader = bReader
return o
end,

-- This closure method generates all reader methods (except unstandard ones) on the fly
-- according to the definitions in JavaTypes.
_generateReaderFunc = function(self, javatype)
local functionName = 'read'..javatype.name
local newFunc = function(_self)
--dbg(functionName .."() called" )
if not _self.bReader:canRead(javatype.len) then
local err = ("Not enough data in buffer (%d required by %s)"):format(javatype.len, functionName)
return doh(err)
end
return true, _self.bReader:unpack(javatype.expr)
end
self[functionName] = newFunc
end,
-- This is a bit special, since we do not know beforehand how many bytes must be read. Therfore
-- this cannot be generated on the fly like the others.
readUTF = function(self, text)
-- First, we need to read the length, 2 bytes
if not self.bReader:canRead(2) then-- Length of the string is two bytes
return doh("Not enough data in buffer [0]")
end
-- We do it as a 'peek', so bin can reuse the data to unpack with 'P'
local len = self.bReader:peekUnpack('>S')
-- Check that we have data
if not self.bReader:canRead(len) then
return doh("Not enough data in buffer [1]"=
end
-- For some reason, the 'P' switch does not work for me.
-- Probably some idiot thing. This is a hack:
local val = self.bReader.readBuffer:sub(self.bReader.pos+2, self.bReader.pos+len+2-1)
self.bReader.pos = self.bReader.pos+len+2
-- Someone smarter than me can maybe get this working instead:
--local val = self.bReader:unpack('P')
return true, val
end,
skip = function(self, len)
return self.bReader:skip(len)
end,
canRead = function(self, len)
return self.bReader:canRead(len)
end,
}

It actually only defines readUTF, not the other types. In order to separate a bit between actual *code* and *format*, I define a set of translations between Java format for basic types and the format used by the bin-library:
local JavaTypes = {
{name = 'Int', expr = '>i', len= 4},
{name = 'UnsignedInt', expr = '>I', len= 4},
{name = 'Short', expr = '>s', len= 2},
{name = 'UnsignedShort', expr = '>S', len= 2},
{name = 'Long', expr = '>l', len= 8},
{name = 'UnsignedLong', expr = '>L', len= 8},
{name = 'Byte', expr = '>C', len= 1},
}


It basically specifies that a java short corresponds to the format string ">s" in the bin-library. Once that is done, I monkey-patch the javaDOS with the format definitions:
-- Generate writer-functions on the JavaDOS/JavaDIS classes on the fly
-- Generate writer-functions on the JavaDOS/JavaDIS classes on the fly
for _,x in ipairs(JavaTypes) do
JavaDOS._generateWriterFunc(JavaDOS, x)
JavaDIS._generateReaderFunc(JavaDIS, x)
end

The call to _generateWriterFunc() creates a new function named ("write"+"Short") in the library. The only reason I had to implement UTF a bit 'special' is that the length of the UTF is not known in advance, so the reader cannot know if it can read the entire string until it has read the string length.

RMI

I won't go into the details about RMI implementation details of the library. But to give a brief overview, in order to perform a remote method invocation, a few things are needed.

• Host and port, which Nmap provides.
• Object id: a unique identifier for the object with which you are trying to communicate. The Registry-object has id 0
• Hash code for the remote class of the object you are trying to invoke a method on. The hash for the Registry, (sun.rmi.registry.RegistryImpl_Stub) is 0x44154dc9d4e63bdf
• Operation id: a numeric identifier of what method you are trying to invoke. The Registry has the following methods which will be used: list()=0, lookup(String)=2
• Optional: any arguments which are needed by the method

These values can be located inside the class-files for any Remote class. The RMIRegistry is implemented in OO-fashion inside my RMI library, and looks like this:
---
-- Registry
-- Class to represent the RMI Registry.
--@usage:
-- registry = rmi.Registry:new()
-- status, data = registry:list()
Registry ={
new = function (self,host, port)
local o ={} -- create object
setmetatable(o, self)
self.__index = self -- DIY inheritance
-- Hash code for sun.rmi.registry.RegistryImpl_Stub, which we are invoking :
-- hex: 0x44154dc9d4e63bdf , dec: 4905912898345647071
self.hash = '44154dc9d4e63bdf'
-- RmiRegistry object id is 0
self.objId = 0
o.host = host
o.port = port
return o
end
}
-- Connect to the remote registry.
--@return status
--@return error message
function Registry:_handshake()
local out = RmiDataStream:new()
local status, err = out:connect(self.host,self.port)

if not status then
return doh("Registry connection failed: %s", tostring(err))
end
dbg("Registry connection OK "..tostring(out.bsocket) )
self.out = out
return true
end
---
-- List the named objects in the remote RMI registry
--@return status
--@return a table of strings , or error message
function Registry:list()
if not self:_handshake() then
return doh("Handshake failed")
end
-- Method list() is op number 1
return self.out:invoke(self.objId, self.hash,1)
end
---
-- Perform a lookup on an object in the Registry,
-- takes the name which is bound in the registry
-- as argument
--@return status
--@return JavaClass-object
function Registry:lookup(name)
self:_handshake()
-- Method lookup() is op number 2
-- Takes a string as arguments
local a = Arguments:new()
a:addString(name)
return self.out:invoke(self.objId, self.hash,2, a)
end


The actual NSE-script uses the library like this:

local registry= rmi.Registry:new( host.ip, port.number)
local status, j_array = registry:list()

If all goes well, the variable j_array will contain a list of strings, where each string is the name of an object in the registry. It then loops over the names and queries additional info about each of them:
-- We expect an array of strings to be the return data
local data = j_array:getValues()
for i,name in ipairs( data ) do
--print(data)
table.insert(output, name)
dbg("Querying object %s", name)
local status, j_object= registry:lookup(name)
if status then
table.insert(output, j_object:toTable())
end
end

Testing

To write NSE scripts yourself, just place the scripts (or symlinks to them) into your nmap home scripts-dir, any libraries in the nselib/-dir, and run:
nmap --script "rmi-dumpregistry.nse" -p 1098

In order to perform some real live testing, you can use Nmap's built in functionality to randomly scan internet hosts with the -iR switch. The following command will randomly scan ten thousand addresses on port 1098 and port 1099, and if they are found to be open, the rmi-registry dumper will be executed:
nmap --script rmi-dumpregistry.nse -p 1098,1099 -iR 10000

As I was testing this on the internet, I noticed two things. The first being that the probably most common usage for RMI is JMX. JMX is Java Management eXtensions, basically it is what I mentioned above: a java object which can be used to monitor and modify a java application. These objects are typically named "jmxconsole", and if you locate such an object it is possible to perform bruteforce password guessing against it. This is not implemented in Lua, but is very simple to write in native Java. Anyone with a valid username/password can then use jconsole to connect to a jmx service.

The other thing I noticed was that ColdFusion/Flex disclosed the entire classpath of the application that I had encountered:
-- PORT STATE SERVICE REASON
-- 1099/tcp open rmi syn-ack
-- | rmi-dumpregistry:
-- | cfassembler/default
-- | coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
-- | @192.168.0.3:1271
-- | extends
-- | java.rmi.server.RemoteStub
-- | extends
-- | java.rmi.server.RemoteObject
-- | Custom data
-- | Classpath
-- | file:/C:/CFusionMX7/runtime/../lib/ant-launcher.jar
-- | file:/C:/CFusionMX7/runtime/../lib/ant.jar
-- | file:/C:/CFusionMX7/runtime/../lib/axis.jar
-- | file:/C:/CFusionMX7/runtime/../lib/backport-util-concurrent.jar
-- | file:/C:/CFusionMX7/runtime/../lib/bcel.jar
-- | file:/C:/CFusionMX7/runtime/../lib/cdo.jar
-- [.. the list goes on ...]

What is displayed above is, for each object in the registry:

• The name: cfassembler/default
• The location of the remote object. In this case, the object resides on an internal address, 192.168.0.3. In other cases, it may reveal other publically accessible hosts which were not part of the original scan
• The class hierarchy. In this case "extends RemoteStub which extends RemoteObject". In other cases, it may reveal information about what this application is used for and what the objects represent. It may also reveal the name of a class which is open source - if so, it is possible to download the class definitions and communicate directly with the object using java native RMI - and invoke methods on the objects.
• Any so called 'Custom data', which is data that is encoded in a way which is privy to the class: Java RMI cannot parse custom data without first instantiating an object of said class first. It can contain data of any format that the programmer choose to put in the field. In this case, I noticed that it was a classpath and made a modification to parse that out and prettify for the end user.

While this is far from a 0day, it is definitely not good to send out your internal driveletters, paths and source code details on the tubes.

Conclusion

Writing Nmap scripts is easy to do, if you think the steps above sounds complicated, blame Java (and me). The script itself was committed a while ago, and will be available in the next release (unless you update your nmap from subversion, in which case you already have it).

I can also recommend viewing the presentation from BlackHat 2010 (http://nmap.org/presentations/BHDC10/) given by Fyodor and David Fifield with the title "Mastering the Nmap Scripting Engine". It is an awesome presentation where Fyodor hacks Microsoft and David shows his skills by creating an nmap script from scratch (in front of a live audience - now THAT's hardcore!).

Also, the presentation briefly mentions me by name (blink and you'll miss it!) in the section about upcoming scripts, which is the closest I have come to the stage at BlackHat so far

All source code is available either from nmap subversion repository or my swanky mercurial repositories, the repository nsescripts contains this script and some other NSE-related things I have been working on.

Disclaimer

This tool is provided as a means for a system administrator or security consultant, such as myself, to be able to discover potentially vulnerable services in complex or large environments without having to be an expert at Java RMI. As with all tools of this type, it may just as well be used by attackers - but an attacker with basic knowledge of Java RMI could easily perform all of the above (and more) with a very simple Java program.

Check it out at http://martin.swende.se/hg/ .

I added activity-tabs to all projects, which fetches the latest changelogs with xhr. Some more features that I am working on are support for displaying screenshots and content from README and INSTALL files. This requires some messing with commit-hooks, in order to get hg to extract the relevant files, generate thumbnails and create xml or json-descriptions of what content is available (aswell as publishing that info on the webserver).

The actual ui design comes from jquery-ui api, they have a lot of variants and it it easy to roll your own with the themeroller : http://jqueryui.com/themeroller/. Once I have revamped the other pages aswell, I may submit it to the folks at Selenic and see if they like it.

Example:

$ cat ip.txt | python ipsearch.py -b bingkey.txt
208.201.239.101 :
craftzine.com: CRAFT: Dedicated to the renaissance in the world of ... :

Download or clone ( hg clone http://martin.swende.se/hgwebdir.cgi/ipsearch/ )

It does this:

• Searches each search engine with exclusions for already found domains, such as “site:example.com -site:a.example.com -site:b.example.com” until all search results are exhausted and no more are found.
• Except for google, which only allows 40 keywords. If the search is not exhausted by then, it tries to use google ‘slowsearch’, i.e it uses the last working query and clicks “next page” until it does not find any more results.

Usage:

$ ./subsearch.py -d oreilly.com -b bingkey.txt -y yahoo_app_id.txt
Using domain oreilly.com
Using yahoo search API as well
Using bing search API as well
--------------------------------------------
Yahoo:
www.oreilly.com
radar.oreilly.com
ignite.oreilly.com
tim.oreilly.com
wethemedia.oreilly.com
oreilly.com
en.oreilly.com
--------------------------------------------
Bing:
oreilly.com
radar.oreilly.com
toc.oreilly.com
answers.oreilly.com
digitalmedia.oreilly.com
iphoneapps.oreilly.com
tim.oreilly.com
en.oreilly.com
--------------------------------------------
Google:
oreilly.com
answers.oreilly.com
microsoftpress.oreilly.com
digitalmedia.oreilly.com
iphoneapps.oreilly.com
tim.oreilly.com
radar.oreilly.com
--------------------------------------------
Performing google slow-search
Done
--------------------------------------------
Done: 12 subdomains found:
digitalmedia.oreilly.com
en.oreilly.com
www.oreilly.com
tim.oreilly.com
ignite.oreilly.com
toc.oreilly.com
oreilly.com
microsoftpress.oreilly.com
answers.oreilly.com
iphoneapps.oreilly.com
wethemedia.oreilly.com
radar.oreilly.com


Download or clone ( hg clone http://martin.swende.se/hgwebdir.cgi/subsearch/ )

To use the tool it, you do this :

python googlyhack.py -domain foobar.com

And then it goes through the entire GHDB (which is an XML-file, just drop in a new replacement if you find a newer one. Please also send it to me!). One feature which I missed in w3af and therefore implemented was that If google blocks you, GooglyHack pause until you tell it to continue:

Aborted after 1200 requests
Stopped after 1200 requests (of 1466). Press any key to continue, or ctrl-c to quit

If you choose to abort, you can start it later (or on another computer) to continue again where it left off:
python googlyhack.py -domain foobar.com -i 1200

Here is a snippet of an example run against domain microsoft.com :
List loaded, length 1466
Starting at index 0
0:0 hits
1:0 hits
2:0 hits
3:0 hits
4:0 hits
5:0 hits
6:0 hits
7:2 hits
Example urls:
-Title: http://social.msdn.microsoft.com/Forums/en-US/sqlexpress/thread/30d3b3c9-9bf8-4265-82bb-d192f232cf24
-Url: Need to convert the following mysql to sql server
-Title: http://social.msdn.microsoft.com/forums/pt-BR/520/thread/0e964ff4-0b2e-4a1b-80f6-1151e05aabb5/
-Url: SQL Server Management Studio Express - Exportar com dados?
Query used : site:microsoft.com "# Dumping data for table"
GHDB Description: SQL database dumps. LOTS of data in these. So much data, infact, I'm pressed to think of what else an ev1l hax0r would like to know about a target database.. What's that? Usernames and passwords you say? Patience, grasshopper.....


I thought that google-blocking would be an issue, but using the ajax-api I had no such problems. So no additional steps are taken to bypass blocking, such as using alterating useragents or randomizing the ghdb-list. Apparantly the ajax-api is pretty nice against robotic behaviour.

Complete source can be found at http://martin.swende.se/hgwebdir.cgi/GooglyHack/
Get it either by :
hg clone http://martin.swende.se/hgwebdir.cgi/GooglyHack/

-OR-
wget http://martin.swende.se/hgwebdir.cgi/GooglyHack/raw-file/tip/src/googlyhack.py
wget http://martin.swende.se/hgwebdir.cgi/GooglyHack/raw-file/tip/src/GHDB.xml


Enjoy! (and remember : don’t be evil!)

The idea I had in mind was that I wanted the computer to
- Appear as having lots and lots of open ports
- Each open port should appear to run some service
- Each service should be recognised by nmap
…
- But actually, the incoming packets should be dropped

I got the inspiration for this when reading up on the Sockstress implementation. What we want to avoid is to have any state on the server side, since this is supposed to run on a low-end VPS-machine without affecting the other part of the system. So, how can this be achieved ? This is the basic idea:

1. Using iptables, set up so that packets to the desired ports are put into a netfilter queue.
2. Using python netfilter module, connect the netfilter queue to a python program.
3. In the python program, create a suitable response packet, and send this over a raw socket.
3a. On a SYN-packet, respond with a SYN-ACK. (This makes the port look open). The other part will finish the three-part handshake with an ACK packet.
3b. On the ACK-packet, respond with two piggybacked packets. First, an ACK/PSH with some data that looks like some valid service, e.g “Windows FTP server” or “A-311 Death welcome”. Secondly, close the connection with a FIN/ACK packet.
4. For extra credits, try to answer prudently to any other packets that may come in. Also, try to avoid endless repeating by e.g checking sequence numbers.
5. Remember that the netfilter queue from iptables still waits for a judgement on what to do with this packet? Respond to the kernel with a “DROP” signal. The OS now drops the packet and forgets all about it.

Iptables

To set up so we can fiddle the packets in python, we do this :

#Create a new iptable chain called fuzzywall
iptables -N fuzzywall
#
# Fuzzywall
# We only run it on port 1337 to start off
# - Optionally : send to logging facilties (can be found in syslog)
#iptables -A fuzzywall -p tcp --dport 1337 -j LOG --log-prefix "Sending to queue"
#Add rule to 'fuzzywall', if dest port is 1337, send to netfilter queue
iptables -A fuzzywall -p tcp --dport 1337 -j QUEUE

#Add our chain to INPUT
iptables -A INPUT -j fuzzywall

So, that puts fuzzywall in the INPUT chain. All incoming packets to port 1337 now goes to the netfilter queue.

Python netfilter

We need to get the kernel netfilter queue into our python program. To do this, I used nfqueue library from Pollux (http://www.wzdftpd.net/blog/index.php?2008/06/01/22-nfqueue-bindings ). It is very easy to set up :
q = nfqueue.queue()
q.open()
q.bind(AF_INET)
q.set_callback(callback)
q.create_queue(0)
q.set_queue_maxlen(5000)
print "starting"
try:
q.try_run()
except KeyboardInterrupt, e:
print "interrupted"

print "unbinding"
q.unbind(AF_INET)
print "closing"
q.close()

In addition, a handler needs to be specified which can return the verdict back to iptables :

def callback(dummy, payload):
data = payload.get_data()

payload.set_verdict(nfqueue.NF_DROP)
return

And, of course, it is in handler.handlePacket where the packetcrafting is peformed.

Python Packetcrafting

In order to play with packets, I found two libraries that could be used; impacket (http://pypi.python.org/pypi/Impacket/0.9.5) and dpkt (http://code.google.com/p/dpkt/). They have a few differences, but both can be used to parse and create all kinds of packets. In the end, I used both of them (which maybe was a bit suboptimal – but worth it just to test how they worked). This example uses a dpkt-packet parsed from raw data and generates a default response packet using impacket:

def createReturnPacket(self,packet,seqOffset = 0):

#set the IPs
ip = ImpactPacket.IP()
ip.set_ip_src(dst)
ip.set_ip_dst(src)
#set the ports
tcp = ImpactPacket.TCP()
tcp.set_th_sport(dport)
tcp.set_th_dport(sport)
#Set a window size
tcp.set_th_win(10)
#Bundle the tcp packet inside the ip-packet
ip.contains(tcp)
return (ip,tcp,src)

I can now use this packet to create a SYN/ACK in response to a SYN :
#Is this a SYN or an ACK?
if (in_packet.tcp.flags & dpkt.tcp.TH_SYN) != 0:
out_tcp_packet.set_SYN()
out_tcp_packet.set_ACK()
out_tcp_packet.set_th_seq(0)
out_tcp_packet.set_th_ack(in_packet.tcp.seq+1);
self._send(dst, out_ip_packet)

Once an appropriate return packet is created, it can be sent raw on the socket :

def _send(self, dst, ip):
s = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)
s.setsockopt(IPPROTO_IP, IP_HDRINCL, 1)
s.sendto(ip.get_packet(), (dst, 0))
return


Fooling nmap

The desired functinality was that if an nmap service version scan was performed, such as:
nmap -p 1337 -sV

Nmap should score a match. When a service version in nmap is performed, nmap sends so called ‘probes’ to the port and checks what is returned. It has a list of fingerprints for known services. For example, one service probe called “TCP GetRequest” sends “GET / HTTP/1.0\r\n\r\n”, and if the response matches “HTTP/1\.[01] \d\d\d.*\r\nDate: .*\r\nServer: Apache\r\n”, it is identified as an Apache server. If it does NOT match, nmap goes through the rest of the probes – which we definitely want to avoid, as we want as little overhead as possible.

First of all, nmap has the so called ‘Null probe’, which means that it connects to the port and waits for a few seconds to check if the service will volunteer some info without the client sending any data. It is in this segment I wanted to have my matches, since it is the first test. All service fingerprints are located in a file called nmap-service-probes, and look something like this :

To match ‘acap’, we must send some data that matches the expression after between the first pipes. It is trivial to write such a match : \* ACAP (IMPLEMENTATION “CommuniGate Pro ACAP 3.3″) would be identified as acap version 3.3. However, there are a couple of thousand fingerprints on the Null probe, and I want to randomly use them all. Therefore, I wrote a tool to reverse the regexps and put them into a python declaration.

Regexp reverse engineering

I was surprised to find that I could not locate any existing library to reverse regular expressions in the way I wanted : from a regexp, create ONE simple string that matches it. The closest I could find was a perl implementation which found as many matches it could given a regexp and a fixed length. Therefore, I wrote my own tool.

Maybe it is pretty simple to reverse a regexp, if you are a great programmer who knows what you are doing. It took me a while, though – and still I used the parts building the object-tree represention of the regexp from the built-in python regexp implementation. Basically, it does this :
* Remove all optional groups (foo)* => gone
* Insert 1 for digits, insert a for alpha, etc…
* Insert the first char in any group-of-characters [abcd] => a
* Insert the first in any OR (abc|def) => abc
… the list goes on a bit. It gets tricky when it comes to group-references and stuff. The source is available at http://martin.swende.se/hgwebdir.cgi/pxeger/file/tip/Revexpy.py

Putting it together

So, did it work? Well, yes :
#: nmap -p 82 66.249.7.26 -sV

PORT STATE SERVICE VERSION
82/tcp open nngs No Name Go Server


Alas, also no. After a while, the python process died – probably because it was running on a machine with 128 MB of memory, which it had to share with Apache and Mysql…

Disclaimer

While this was a really fun project which touched on a lot of interesting fields, I did not do it as a security-tool to actually use in a real scenario.

All the codez are available at:
http://martin.swende.se/hgwebdir.cgi/fuzzywall/
http://martin.swende.se/hgwebdir.cgi/pxeger/