Spare Clock Cycles Hacking is freedom.

Sergio Proxy – Injecting, Modifying, and Blocking HTTP Traffic

Edit: You can grab new releases of this tool here: https://code.google.com/p/sergio-proxy/downloads/list

I've gotten all settled in my new place (finally), so I figured I should get caught up on my blog again. Lots of posts coming soon, I promise!

Today, I'm releasing a tool that I'll be working on (and with) a lot this summer that I'm calling Sergio Proxy: a Super Effective Regexer of Gathered Inputs and Outputs (download here). Yeah, yeah, I know: there are a billion other HTTP proxies out there that are way better than mine and I should use. I know all about them; I just wanted to make one myself. It's an interesting project, and I've learned a lot about HTTP proxies and the Twisted networking framework in the process. In addition, this tool has made it *much* easier for me to use Python to work with data captured from MITM'd HTTP connections than the other tools that I experimented with. I also blindly stumbled into an awesome topic for my next post too, to be released in the next few days (I'm particularly excited for this one). A big fat warning before we go on though: this is a very alpha release, so don't have your hopes way up. It still has a long way to go (like adding HTTPS support...:P).

So why did I originally start on this project? Mainly because Ettercap filters suck. I mean, really suck. Now, don't get me wrong, they can be useful in some situations, but automatically injecting data into HTTP sessions is not one of them.  So why did I need Ettercap filters to inject data into HTTP sessions? Why, to attack SMB servers by means of challenge-hash cracking of course.

The attack works by injecting specially crafted HTML into a page that the victim is requesting that references a file located on a local samba server.  The browser will then automatically try to authenticate with the remote server using its current user's credentials, exposing challenge hashes of the user's password on the wire, the first 7 characters of which can then be cracked with rainbow tables.  To do this, we obviously need to first be in a position where we can modify the network traffic, which we can easily do using various methods (the most popular probably being ARP poisoning, but Ettercap has a number to chose from). However, once we have our MITM attack working, we are still presented with the problem of injecting our content into the HTML file.

In all the examples I have seen, the attack used Ettercap filters to do this injection, or an email with embedded HTML. Unfortunately, neither is very unreliable.  All the filters that I tried seemed to corrupt the pages in the best case. In the worst case, it even prevented the victim from accessing certain servers, as the attack would try to kill gzip support on servers that required it. Obviously, this kind of degradation would be noticed even by the common computer user. As for the email, you still generally need to trick the user into viewing it before the attack will work. Not incredibly hard, but slower and still less reliable than a forced HTML injection.

After looking through some Wireshark captures, it seemed that the root problem in the Ettercap method was that the HTTP content length wasn't being modified, confusing the browser when it got more  data than it was expecting. While it was probably possible to work around that in a similar manner as the gzip compression was broken, it wouldn't solve the heart of the problem: that trying to modify HTTP traffic at the TCP level is neither effective nor powerful.

Enter Sergio. It was obvious that what I was looking for was a forced, transparent HTTP proxy. I looked at some other proxies, and I probably could have adapted them to my purposes pretty easily. However, I decided I would rather code one myself, and get familiar with the inner workings of these tools, and to let me do everything in Python. I also have had my eye on the Twisted framework for awhile, and figured that this would be the perfect opportunity to familiarize myself with it.

To run this attack, all you need to do is run the included start_smbchall.py file. However, Sergio isn't just limited to evoking SMB authentication attempts of course. Sergio can inject, modify, and delete any content going through a victim's HTTP sessions, meaning that we can do much, much more with it than just this attack. In addition to this SMB fun, just for kicks, I also implemented my version of the classic Upsidedownternet . Beyond these implemented attacks, Sergio makes it easy to insert some malicious Javascript,  replace all the links on the page with links to a malicious site, prevent the victim from accessing any update sites, redirect them to malicious update sites (more on this later), monitor/record all the traffic going over the connection, or (a fun one) replace any exe file being downloaded with our own, backdoored, malicious executable. Unfortunately, I haven't gotten a chance to actually implement these attacks yet (lame), but I'll have a release soon enough with them included.

Anyway, now that you know the capabilities, here's how to use it. I promise, it's easy. You'll only need two files, start_proxy.py and UserMITM.py, and the module sergio_proxy installed somewhere in your PYTHONPATH (when in doubt, just throw it in a subdirectory named sergio_proxy). Example start_proxy and UserMITM files are included in the tarball in the examples folder. Basically, you just create a subclass of the included MITM class in UserMITM and add your own attacks into it. Then, when creating and starting your transparent proxy, you set UserMITM as transparent_proxy's new MITM instance, and you're ready to go. Pretty straightforward.

If you want to know more about what my proxy does and does not do, read the README. Here's the short of it though: does HTTP 1.0, does not do 1.1 (yet), does not MITM HTTPS (yet). Sorry if this is disappointing, but they weren't critical to my initial attack, and I will of course get these things fixed ASAP.

So that's Sergio Proxy. I could talk more, but it's probably easier for you to just download it and mess around. And please, if you implement some attacks with it, submit them! I'd be happy to add them in. As I mentioned earlier, I should be back in a few days will an interesting application of my tool. Until then, keep hacking.