I was on a pentest the other day and investigating a proprietary protocol to a management agent and wanted to replay this traffic from a script. I knew I could capture the traffic in wireshark but didnt really know how to replay this or even parts to send a command to the port. Well it took me a little while to get it all working as I wanted but to send a command and a few reply to various responses after an initial connect. To do this I used Zulu from Andy Davies (NCC) and created a python script with some useful hexdump commands.
This blog will allow you to re-create or replay a management station type scenario with a client and opens a whole load of new attack scenarios. First you need to man-in-the-middle the traffic from the client to the management server within Zulu and/or Wireshark.
Installing Zulu can be found here.
Open Zulu and setup you network proxy to intercept the traffic like the following image:
Once you have successfully captured all the requests and responses you can save out the requests to a file. Now you have all the valid requests that a client would send and all the valid responses that the manager would respond with. So now you want to create and edit your python handler to act as a server.
Read and edit the # commented sections to suit your needs and add and edit the hex content. To easily convert the hex content from a file that you may have piped from nc or downloaded from wireshark or zulu use the following hexdump & sed command below.
If you are using the Zulu files, remove the first two lines from each of the “In” files and then cat each specific file you would like to use the hex from to respond as:
cat hexfile.txt | hexdump -v -e ‘”0x” 1/1 “%02X” ” “‘|sed -e ‘s/ 0x/\\x/g’|sed -e ‘s/0x/\\x/g’
The output is like as follows:
Then you can add it to your python script:
print “Connection from : “+ip+”:”+str(port)
Anyway it took me a while to be able to create such a server or even an exploit sender with specific hex values and thought it may be useful to the community.
Have fun 🙂
Any feedback or comments are highly appreciated.