Archive

Archive for June, 2013

Logging Attack Traffic

June 11, 2013 2 comments

When performing a test, it is important that you log all your activity so that you have proof of what you were doing, in case anything goes awry (and it is not your fault!). Here are a couple methods of logging activity:

  • Wireshark: before you start capturing data, in the Capture Options window select “Use multiple files” and in the “Next file every” field specify the upper limit of the file size that you desire (a new file will be created once the current file reaches that limit) – see image below.
  • Tshark (found in the c:\program files\wireshark directory): c:\program files\Wireshark\tshark.exe -i [interface] -w [base file name] -b filesize:[file size in KB]  -p [this flag restricts monitoring to current VM, otherwise all VM traffic will be captured]
    • This option doesn’t put as much strain on your machine as using Wireshark does
  • tcpdump: tcpdump -i [interface, use ‘tcpdump -D’ to get list] -w [base file name] -C [file size in MB]
    • Another low resource option

wireshark

Advertisements

Extracting Certs and Keys from .pfx and using with sqlmap

June 5, 2013 Leave a comment

I only had a .pfx file to work with and needed to extract the key and certificate in order to use sqlmap against a particular site. This site provided all the steps I needed to do that.

  1. Extract private key:
    • openssl.exe pkcs12 -in file.pfx -nocerts -out privKey.pem
  2. Extract certificate:
    • openssl.exe pkcs12 -in file.pfx -clcerts -nokeys -out cert.pem
  3. Remove password from private key:
    • openssl.exe rsa -in privKey.pem -out private.pem

Once that is done run sqlmap with the following flags:

  • sqlmap -u https://www.targeturl.com --auth-cert privatekey.pem,cert.pem

To save time typing in the key and cert locations, if in windows you can just drag the file into the command prompt (not sure about linux/mac).

Option 2:

If you have your client cert loaded into Burp, you could just use the sqlmap option ‘–proxy=”http://localhost:8080″‘ and have sqlmap go through Burp and then not worry about extracting certs/keys.  This would have been easier, but I found out about it later.  Good to know for the future.