Monthly Archives: May 2013

Using a Throwing Star to Capture Packets

Using a Throwing Star to Capture Packets

Mobile applications are a hot commodity these days.  It seems like everyone and their brother/sister is writing them.  Kevin Johnson even tells a story of a bait/mobile application shop here in Florida somewhere.  When I say bait, you guessed it, I really mean bait as in fishing bait.  Earthworms and such.  With everyone writing these apps, and no real way to know how secure they are it is really up to each of us to take the responsibility to test the apps we want to use.

There are multiple ways to test a mobile application.  One technique, that I won’t be covering in this post, is to hook up a proxy server for your device and intercept the HTTP(s) traffic that is passed around.   Another way, which is the focus of this article, is to capture all of the traffic between the device and the server.  This method not only captures HTTP traffic, but also allows inspecting other protocols that the application may be using.  This is ideal when the application uses raw sockets vs generic HTTP requests.

When testing a mobile application, on a physical device, there are a things that make it easier.  The first step is to have a dedicated wireless router or access point specifically for the mobile device.  For example, I have a Linksys router that is used only for mobile device testing.  The second step is to intercept the traffic from the wireless device to the internet.  This can be done by placing a tap between the wireless router and the other routers and connecting your computer to the Tap. 

I choose to use the Throwing Star LAN Tap Pro from Great Scott Gadgets (http://greatscottgadgets.com/throwingstar/).  There is also a non-pro version, but dust off your soldering skills to put it together.  The setup is really easy.  The following steps are used to do the hardware setup:

   * Wire the Wireless Router/Access Point to the Throwing Star LAN Tap
   * Wire the Throwing Star LAN Tap to the existing infrastructure
   * Wire your computer to the Throwing Star LAN Tap on the interception port

The following image shows the LAN Tap wired up:

Now that we are set up to listen in on the traffic, it is time to fire up a packet capture program.  I use WireShark, but you could use a different program if you prefer.  You can get WireShark from http://www.wireshark.org/.  Setting up Wireshark is pretty quick and easy.

Once you open WireShark, Click on Capture…Interfaces to select an interface (seen below):

After Selecting an interface, click the start button to start capturing traffic.   The following image shows an example of WireShark capturing packets.  

Now that you have packets, you can start to analyze them.  The benefit of capturing this level of detail when testing a mobile application is that it allows you to see more than just the standard HTTP traffic.   It is not uncommon for developers to use direct connections rather than going through the HTTP Protocol.  This technique allows you to view any other connections that the application may be making that a tool such as Burp would not identify. 

I recommend everyone that is testing mobile applications to use this technique to ensure they are not missing any connections the application makes. 

Want to know more about mobile application penetration testing?   Kevin Johnson and James Jardine will be teaching “Assessing and Exploiting Mobile Applications with OWASP Mobisec” at Blackhat USA 2013.  There are two sessions running and this is going to be an excellent course filled with hands-on labs.  For more information: http://www.blackhat.com/us-13/training/assessing-and-exploiting-mobile-applications-with-owasp-mobisec.html

James Jardine is a Principal Security Consultant with Secure Ideas. 
If you are in need of a penetration test or other security consulting
services you can contact him at james@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.

Preparing for a Consultant

As security consultants, we regularly travel to clients’ sites and experience a wide range of environments and atmospheres. While some are better than others (and some much worse), it’s very common for the client to not be fully prepared when we arrive. This often results in delays, a less efficient use of the time we… Continue Reading

Autocomplete and actual risk: Why do we look at it?

Autocomplete is always a fun topic to discuss…. ok maybe my idea of fun is not the normal idea. 🙂  During our web penetration testing, we often find where the client’s application allows the password or other sensitive information to be saved by the browser.  When we find it, we often have push back from… Continue Reading

Professionally Evil: This is NOT the Wireless Access Point You are
Looking For

Professionally Evil: This is NOT the Wireless Access Point You are Looking For

I was recently conducting a wireless penetration test and was somewhat disappointed (but happy for our client) to find that they had a pretty well configured set of wireless networks.  They were using WPA2 Enterprise and no real weaknesses that I could find in their setup.  After conducting quite a bit of analysis on network… Continue Reading

The Watering Hole: Is it Safe to Drink?

How many times have you been told you have a vulnerability that you just don’t understand  its relevancy?  Cross-Site scripting comes to mind for many people.   Sure, they get the fact that you can execute scripts in the user’s browser, but often times they really don’t fully understand the impact.  Of course, we determine that… Continue Reading