Oh, The usage() Functions You’ll Write!
Thomas Ptacek | February 27th, 2006 | Filed Under: Bitching About Protocols, Matasano, Reversing
For those of you playing along at home, blackbag has been bumped to 0.6, as I lazily spiral deeper into a fugue state of Unix shell protocol testing one-offs. Don’t worry, you’re not missing anything, my colleagues are as confused by it as anyone else.
Here’s the new stuff you get, all for the low-low price of editing your own cryptic makefile:
- len: read input, tack a binary length onto the front, the end, or an offset, in 8-, 16-, 32-, or 64-bit format, BE or LE.
- shf: instead of dd: chop bytes off the beginning or end of a file. Chop a byte, try decryption, chop a byte, repeat.
- touchwait: synchronize a shell script on the mtime of a file; telson will also update that file on I/O if you tell it to.
- tsec: “tsec -t .5 yes” prints 500ms of “yes”; more importantly, “cat foo | tsec .1 nc -u victim 161” allows subsecond timeouts for netcat.
- sub: fuzzing printf. Take a binary message capture, open it in a hex editor, find the “username”, replace it with “${hex:1000}”, then “cat capture.raw | sub | blit” to send the broken message to the server. Also, “${shell:echo foo}”.
- asn1: See previous posts on shell-script ASN.1 fuzzing, and note that I am in fact cheating by giving you programs written in C to generate the low-level binary data.
Some other changes:
- telson supports listen mode (for clientside attacks), and may or may not support SSL.
- replug supports UDP mode, because as the deranged Howard Hughes of Unix protocol pen-testing it has become easier for me to write C code than to figure out how to specify a nonstandard port for “snmpwalk”.
- b64 and “hexify +” print pretty.
- … and all the programs now have usage statements.
Telson’s hacked-up “listen mode” and “touchwait” allow you to create shell scripts to generate bogus responses to client requests:
    telson sync:./oninput @:5555 &
    while [ 1 ]
    do
        touchwait ./oninput
        dd if=/dev/random bs=1 count=500 | len | blit
    done
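To make the framing point concrete, here is how the three filters compose, as an added Python example. This is my code, not blackbag’s (the real tools are C one-offs glued with shell), and it assumes things the post doesn’t spell out: the length field counts payload bytes only, an integer “offset” inserts the field rather than overwriting, and “${hex:N}” expands to N bytes of 0x41 (I added a “${rep:N:XX}” directive of my own as well). The login record it fuzzes is constructed, not a real capture. The thing it demonstrates is the step the one-liner glosses over: after sub grows the username, the old length field in the capture is wrong, so you shf it off and let len put a correct one back.

```python
import re
import struct

# Struct codes for the length-field widths the post lists for "len".
_WIDTHS = {8: "B", 16: "H", 32: "I", 64: "Q"}


def add_len(data: bytes, bits: int = 16, endian: str = "BE", where="front") -> bytes:
    """Tack a binary length onto `data`, len(1)-style.

    `where` is "front", "end", or an integer offset at which the field is
    inserted.  Assumption (mine, the post does not say): the field counts
    payload bytes only, not itself.
    """
    if bits not in _WIDTHS:
        raise ValueError("width must be 8, 16, 32 or 64 bits")
    if len(data) >= 1 << bits:
        raise ValueError("payload does not fit in a %d-bit length field" % bits)
    order = "<" if endian.upper() == "LE" else ">"
    field = struct.pack(order + _WIDTHS[bits], len(data))
    if where == "front":
        return field + data
    if where == "end":
        return data + field
    off = int(where)
    if not 0 <= off <= len(data):
        raise ValueError("offset outside payload")
    return data[:off] + field + data[off:]


def shf(data: bytes, count: int) -> bytes:
    """Chop bytes like shf: a positive count drops from the front, a negative one from the end."""
    if abs(count) > len(data):
        raise ValueError("chopping more bytes than the input has")
    return data[count:] if count >= 0 else data[:count]


# Directives recognised inside a captured message.  The ${hex:N} name mirrors
# the post's marker, but the expansion rules are my assumption, not blackbag's:
#   ${hex:N}     -> N bytes of 0x41 ('A'), the classic overflow probe
#   ${rep:N:XX}  -> the byte 0xXX repeated N times
_DIRECTIVE = re.compile(rb"\$\{(hex|rep):([^}]*)\}")


def _expand(match) -> bytes:
    kind, arg = match.group(1), match.group(2).decode("ascii")
    if kind == b"hex":
        return b"A" * int(arg)
    count, byte = arg.split(":", 1)
    return bytes([int(byte, 16)]) * int(count)


def sub(template: bytes) -> bytes:
    """Expand ${...} directives; every other byte of the capture passes through untouched."""
    return _DIRECTIVE.sub(_expand, template)


def refuzz(capture: bytes, len_bytes: int = 2, bits: int = 16, endian: str = "BE") -> bytes:
    """The pipeline behind "cat capture.raw | sub | blit", with the framing fixed up:
    shf off the stale length field, sub in the payload, len the result again.
    Skip the re-framing and the server reads the old, now-wrong length."""
    body = shf(capture, len_bytes)
    body = sub(body)
    return add_len(body, bits, endian, "front")


# Constructed sample: a made-up login record with a 16-bit BE length, opcode
# 0x01, and NUL-terminated username and password.  Not a real protocol capture.
CAPTURE = add_len(b"\x01bob\x00hunter2\x00", 16, "BE", "front")
# ...as edited in a hex editor: "bob" swapped for a 1000-byte directive.
TEMPLATE = CAPTURE.replace(b"bob", b"${hex:1000}")


if __name__ == "__main__":
    out = refuzz(TEMPLATE)
    print("%d bytes on the wire, length field %s" % (len(out), out[:2].hex()))
```

Feed the output to blit (or nc) exactly as the post does; the only thing refuzz adds over the raw “sub | blit” is that the length prefix agrees with the expanded body.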
Thomas, link broken to 0.6. The link in your post is missing the blackbag dir.
Mark Grimes | Homepage | 02.27.06 - 12:23 pm | #
Can we still get style points for implementing asn1 in AWK?
Jason | 02.27.06 - 5:57 pm | #
Sure, Jason. Want to race? I’m going to use Bourne shell and “expr”. =)
Thomas Ptacek | Homepage | 02.28.06 - 4:04 pm | #
Matasano Chargen » Blackbag sub: Binary “sed”-style Record Format Fuzzing
October 16th, 2006 11:21 pm: […] For all these silly Blackbag tools, “sub” is now like the rug from Lebowski: it really ties the room together. For example, the compressed base64’d unicode string of 10,000 ‘A’s with a 16 bit little-endian length field: […]