Code Release: Blackbag 0.9 (Binary Protocol Reversing Unix Thingies)

Thomas Ptacek | October 16th, 2006 | Filed Under: Development, Matasano, Reversing, Uncategorized

I sucked it up and copied my current source tree up. You can grab a copy of blackbag 0.9 here.

For those of you just joining us: blackbag is a collection of sharp, pointy metal bars that I use to explore protocols and prototype tools. It is an intensely Unix-y answer to classic fuzzing tools like “Spike”, centering on a binary interactive netcat program.

What’s new in this code:

  • All the tools hide behind a shell script called “bkb”, which means you no longer run “blit foo”, but rather “bkb blit foo”, unless you adjust your path.

  • This release includes the source to “unasn”, which reads stdin, attempts to parse it as if it was ASN.1/BER/DER, and spits out a structured shell script that reproduces the same binary. You can read more about unasn here, sort of.

  • Tiny little utilities to handle HTTP hexification.

  • Some example shell scripts, about which more (very) later, but in the meantime you can read a rudimentary implementation of TLS/X509 handshake messages in Bourne Shell.

  • Major improvements to the “sub” tool, about which more later tonight.

  • Minor bugfixes.
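To make the “unasn” idea concrete, here is a toy version in Python. This is an added example, not the blackbag source: it walks a DER/BER byte string as a tree of tag-length-value elements, checks every length against the enclosing element (so a bad inner length fails instead of reading past its parent), and emits a Bourne shell script of `printf` lines that writes the same bytes back out. The script layout (one commented `printf` per header and per primitive body, indented by nesting) is my assumption about what a “structured shell script” looks like; the sample DER input is constructed for the example.

```python
"""Toy unasn: parse DER/BER TLV bytes into a tree and emit a Bourne shell
script that reproduces them.  Added example; not the blackbag source, and
the emitted script layout is an assumption about what unasn produces."""
import shutil
import subprocess

# Constructed sample input (not from the post):
#   SEQUENCE { INTEGER 5, OCTET STRING "hi" }
SAMPLE_DER = bytes.fromhex("3007" "020105" "04026869")

# Universal tag names, used only for the comments in the emitted script.
TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
             0x05: "NULL", 0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String",
             0x13: "PrintableString", 0x17: "UTCTime", 0x30: "SEQUENCE",
             0x31: "SET"}


def read_length(data, i, end):
    """Decode a definite-form length at data[i]; return (length, next index)."""
    first = data[i]
    if first < 0x80:                      # short form: the byte is the length
        return first, i + 1
    nbytes = first & 0x7F                 # long form: count of length bytes
    if nbytes == 0:
        raise ValueError("indefinite length not supported")
    if i + 1 + nbytes > end:
        raise ValueError("truncated length field")
    return int.from_bytes(data[i + 1:i + 1 + nbytes], "big"), i + 1 + nbytes


def parse(data, i=0, end=None):
    """Parse the TLVs in data[i:end] into [(tag, children | bytes), ...].

    Constructed tags (bit 0x20 set) recurse; primitives keep the raw body.
    Every length is checked against the enclosing element's end."""
    end = len(data) if end is None else end
    nodes = []
    while i < end:
        tag = data[i]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags not supported")
        if i + 1 >= end:
            raise ValueError("truncated element")
        length, i = read_length(data, i + 1, end)
        if i + length > end:
            raise ValueError("element length exceeds enclosing element")
        if tag & 0x20:
            nodes.append((tag, parse(data, i, i + length)))
        else:
            nodes.append((tag, data[i:i + length]))
        i += length
    return nodes


def is_well_formed(data):
    """True if data parses as a complete TLV sequence, False on any error."""
    try:
        parse(data)
        return True
    except ValueError:
        return False


def encode_length(n):
    """DER definite length: short form below 0x80, else 0x80|count + big-endian."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def encode(nodes):
    """Re-serialise a parse tree; encode(parse(x)) == x for supported input."""
    out = b""
    for tag, body in nodes:
        payload = encode(body) if tag & 0x20 else body
        out += bytes([tag]) + encode_length(len(payload)) + payload
    return out


def octal(b):
    """Escape bytes for a POSIX printf format: octal covers every byte value,
    and escaping everything keeps a literal % out of the format string."""
    return "".join("\\%03o" % c for c in b)


def shell_lines(nodes, indent=""):
    """One commented printf for each header, then body or nested children."""
    lines = []
    for tag, body in nodes:
        name = TAG_NAMES.get(tag, "tag 0x%02x" % tag)
        payload = encode(body) if tag & 0x20 else body
        header = bytes([tag]) + encode_length(len(payload))
        lines.append("%s# %s, %d-byte body" % (indent, name, len(payload)))
        lines.append("%sprintf '%s'" % (indent, octal(header)))
        if tag & 0x20:
            lines.extend(shell_lines(body, indent + "  "))
        else:
            lines.append("%sprintf '%s'" % (indent, octal(body)))
    return lines


def unasn(data):
    """Return a shell script whose stdout is exactly `data`."""
    head = ["#!/bin/sh",
            "# generated by toy unasn; headers carry fixed lengths, so after",
            "# editing a body re-run the tool (or fix the length by hand)"]
    return "\n".join(head + shell_lines(parse(data))) + "\n"


def script_reproduces(script, expected):
    """Run the script under sh and compare stdout to expected.
    Returns None when no sh is available (e.g. on Windows)."""
    sh = shutil.which("sh")
    if sh is None:
        return None
    out = subprocess.run([sh], input=script.encode(), capture_output=True).stdout
    return out == expected


if __name__ == "__main__":
    print(unasn(SAMPLE_DER))
    print("reproduces input:", script_reproduces(unasn(SAMPLE_DER), SAMPLE_DER))
```

Run it and the generated script is printed; piping that script through `sh` writes the original DER back to stdout, which is what makes it a convenient seed for the `sub`/`telson` style of work: edit one `printf` body, re-run, send. The length checks are the part worth copying into anything that parses untrusted TLV data: an inner element is never allowed to claim more bytes than its parent has left.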

Caveats: You aren’t going to be able to build this. I can build it clean under FreeBSD-CURRENT, Mac OS X, and OpenBSD. It has been built under Linux and Solaris in the past. If you make it work somewhere, post how you did it in a comment, and I’ll incorporate your fix.

This is the last time I anticipate releasing this code, for two reasons, one of which I’ll talk about tonight and one of which I’ll talk about (hopefully) next week; both are good things.

Here’s what “bkb” tells you given no arguments:

telson host:port &      ;# binary netcat
blit foo                ;# dump data to telson
replug -b host:port &   ;# logging plugboard proxy
rebreak spans*          ;# break logs into individual messages
httpcat post://foo/     ;# like telson but for HTTP
unify foo               ;# ASCII + HTML entities -> UTF16LE
deunify f\00o\00o\00    ;# and back again
b64 foo                 ;# to base64
d64                     ;# and back again
len                     ;# prepend/append binary length
shf                     ;# strip N bytes off a buffer
deezee                  ;# seek and extract zlib-compressed buffers
dezip                   ;# or for ZIP
sub '$\{hex:10\}\'      ;# fuzzing substituter for binaries
hexify                  ;# binary-to-hexidecimal
binhex                  ;# and back again
dedump                  ;# convert 'hexdump -C' to binary
c 1000 c                ;# print 1000 c's
tcbs                    ;# print connections in a pcap file
pstrip                  ;# lose short-snap pcap packets
tsec yes                ;# wait fractional seconds, then abort
unasn foo.der           ;# translate asn1/ber-der into a script
nint 10                 ;# write a binary integer
no < text               ;# NUL->0xFF, or something else
crnl < text             ;# ensure CRNL on all lines
echo "a%20b" | dehexify ;# HTTP-style dehexify
echo "a b" | httphexify ;# HTTP-style hex encoding
