SlideShare a Scribd company logo
1 of 40
Download to read offline
08.11.2018
© Atos
Burp-ing through your cryptography shield
Who am I?
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ rootn uid=0(root) gid=0(root) groups=0(root)
▶ Work and education:
▪ Pentester @Atos Romania
▪ BEng @University “Politehnica” of Bucharest
▪ MEng @University “Politehnica” of Bucharest
▪ MSc @Bucharest Academy of Economic Studies
▪ Member @Romanian Security Team community
▪ Speaker @DefCamp 2017 && @OWASP RO 2018
▪ CEH
▪ Interests:
▪ Web App Security
▪ Infra Security
▪ IoT Device Security
▪ Contact: @matasareanu13
3
~# whoami&&id
Glossary ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ Burping (also known as belching, ructus, eruptus or eructation) is the release of
gas from the digestive tract (mainly esophagus and stomach) through the
mouth.
5
What is Burp-ing?
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
6
What is Burp-ing?
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
7
What is Burp?
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ A thick client, also known as Fat Client is a client in client–server architecture or
network and typically provides rich functionality, independent of the server. In
these types of applications, the major processing is done at the client side and
involves only aperiodic connection to the server.
8
What is a Thick Client?
What is the problem?
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ Be on a pentest assignment with a thick client in front of you
▶ Set up Burp as a system proxy
▶ Manage to finally intercept requests
▶ Cool – SOAP requests
▶ Stumble upon gibberish in the requests and response of the application
10
What is the problem at hand?
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
11
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
Decompile the .NET application
12
What to do?
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ Find the encryption method used
13
What to do?
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
14
What to do?
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
15
What to do?
Find the IV and the Key ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
16
Cyberchef
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
17
Results ☺
▶ We are starting to get there ☺
▶ But decrypting, decoding modifying the parameters, re-encoding, re-encrypting
for each request and for each payload starts to get old very fast.
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
18
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
19
My Google Fu isn’t providing
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
20
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ Getting started:
– “Easy“ way to extend Burp features
– Basic steps:
21
Writing a Burp extension ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ Getting started:
– “Easy“ way to extend Burp features
– Basic steps:
22
Writing a Burp extension ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
23
Writing a Burp extension ☺
Get more info about writing a Extension.
Learn by example ☺
https://portswigger.net/burp/extender#SampleE
xtensions
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
Decide what language you will use??
24
Writing a Burp extension ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
Jython it is ☺
25
Writing a Burp extension ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
26
Writing a Burp extension ☺
https://portswigger.net/blog/sample-burp-suite-extension-custom-editor-tab
Start from
something
they built It’s always easier ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ The encrypted values are found in SOAP requests under two XML tags:
– <writeObj>
– <readObj>
– First step is to look for the pattern:
27
Writing a Burp extension ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
28
Writing a Burp extension ☺
Decrypt the payload ☺
Don’t be that fast
PyCrypto doesn’t want to work in Jython 
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
29
Writing a Burp extension ☺
Decrypt the payload ☺
Don’t be that fast
PyCrypto doesn’t want to work in Jython 
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
30
Writing a Burp extension ☺
https://github.com/csm/jycrypto
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
31
Writing a Burp extension ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ You now have .NET serialized objects…
32
Writing a Burp extension ☺
And now the struggle of Google-ing begins
again..
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ https://github.com/agix/NetBinaryFormatterParser
33
Writing a Burp extension ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
34
Writing a Burp extension ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
35
Writing a Burp extension ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ Problem and solution:
– Burp’s Java StackTrace doesn’t provide any help when using Jython!
– Here comes the solution: https://github.com/securityMB/burp-exceptions
– Put the file in your project folder
– Import it in your code:
– Call it in the end:
– Now any Python exception is thrown in the Extender Output-Tab of Burp
36
Writing a Burp extension ☺
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
37
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
38
| 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
39
Questions? And let’s hope some answers ☺
Atos, the Atos logo, Atos Codex, Atos Consulting, Atos Worldgrid, Bull, Canopy, equensWorldline, Unify,
Worldline and Zero Email are registered trademarks of the Atos group. November 2018. © 2018 Atos.
Confidential information owned by Atos, to be used by the recipient only. This document, or any part of
it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written
approval from Atos.
Thanks
For more information:
contact@cosminr.me
@Matasareanu13
github.com/Matasareanu
Or you know, in person ☺

More Related Content

Similar to Burp-ing through your cryptography shield

Getting collections online
Getting collections onlineGetting collections online
Getting collections online
Mike Ellis
 

Similar to Burp-ing through your cryptography shield (20)

Get Into Open Source
Get Into Open SourceGet Into Open Source
Get Into Open Source
 
Introduction to the IBM Watson Data Platform
Introduction to the IBM Watson Data PlatformIntroduction to the IBM Watson Data Platform
Introduction to the IBM Watson Data Platform
 
Learnings from govuk
Learnings from govukLearnings from govuk
Learnings from govuk
 
ILOUG 2019 - Autonomous, what does it mean for DBAs
ILOUG 2019 - Autonomous, what does it mean for DBAsILOUG 2019 - Autonomous, what does it mean for DBAs
ILOUG 2019 - Autonomous, what does it mean for DBAs
 
Javascript for Enterprise Application
Javascript for Enterprise ApplicationJavascript for Enterprise Application
Javascript for Enterprise Application
 
LemonLDAP::NG Success Stories presented at OW2con'19, June 12-13, Paris.
LemonLDAP::NG Success Stories presented at OW2con'19, June 12-13, Paris. LemonLDAP::NG Success Stories presented at OW2con'19, June 12-13, Paris.
LemonLDAP::NG Success Stories presented at OW2con'19, June 12-13, Paris.
 
[OW2con19] LemonLDAP::NG success stories
[OW2con19] LemonLDAP::NG success stories[OW2con19] LemonLDAP::NG success stories
[OW2con19] LemonLDAP::NG success stories
 
Computer Vision, Machine Learning and Mobile Robotics
Computer Vision, Machine Learning and Mobile RoboticsComputer Vision, Machine Learning and Mobile Robotics
Computer Vision, Machine Learning and Mobile Robotics
 
QA Fes 2016. Gerlof Hoekstra. E2E Testing the Ministry Of Justice Biometric I...
QA Fes 2016. Gerlof Hoekstra. E2E Testing the Ministry Of Justice Biometric I...QA Fes 2016. Gerlof Hoekstra. E2E Testing the Ministry Of Justice Biometric I...
QA Fes 2016. Gerlof Hoekstra. E2E Testing the Ministry Of Justice Biometric I...
 
Shell Script 4 DBAs
Shell Script 4 DBAsShell Script 4 DBAs
Shell Script 4 DBAs
 
Getting collections online
Getting collections onlineGetting collections online
Getting collections online
 
Service Mesh in the Real World [Raleigh NC Meetup]
Service Mesh in the Real World [Raleigh NC Meetup]Service Mesh in the Real World [Raleigh NC Meetup]
Service Mesh in the Real World [Raleigh NC Meetup]
 
20 Practical tips for a successful internationalisation project
20 Practical tips for a successful internationalisation project20 Practical tips for a successful internationalisation project
20 Practical tips for a successful internationalisation project
 
C3 ec website
C3 ec websiteC3 ec website
C3 ec website
 
Leveraging ChatGPT for Enhanced Virtual Training.pptx
Leveraging ChatGPT for Enhanced Virtual Training.pptxLeveraging ChatGPT for Enhanced Virtual Training.pptx
Leveraging ChatGPT for Enhanced Virtual Training.pptx
 
aOS Kuala Lumpur 2019 Manage sensitive and personal data in O365
aOS Kuala Lumpur 2019 Manage sensitive and personal data in O365aOS Kuala Lumpur 2019 Manage sensitive and personal data in O365
aOS Kuala Lumpur 2019 Manage sensitive and personal data in O365
 
Real User Measurement Insights, NYWebPerf 2018-Aug-09
Real User Measurement Insights, NYWebPerf 2018-Aug-09Real User Measurement Insights, NYWebPerf 2018-Aug-09
Real User Measurement Insights, NYWebPerf 2018-Aug-09
 
Big data internship plan at Contemi Vietnam
Big data internship plan at Contemi VietnamBig data internship plan at Contemi Vietnam
Big data internship plan at Contemi Vietnam
 
Elm at large (companies)
Elm at large (companies)Elm at large (companies)
Elm at large (companies)
 
GitLab: Remote and Open (2018-07-16 @ The New Digital School's Business Of Te...
GitLab: Remote and Open (2018-07-16 @ The New Digital School's Business Of Te...GitLab: Remote and Open (2018-07-16 @ The New Digital School's Business Of Te...
GitLab: Remote and Open (2018-07-16 @ The New Digital School's Business Of Te...
 

More from DefCamp

More from DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptx
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 

Burp-ing through your cryptography shield

  • 1. 08.11.2018 © Atos Burp-ing through your cryptography shield
  • 3. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania ▶ rootn uid=0(root) gid=0(root) groups=0(root) ▶ Work and education: ▪ Pentester @Atos Romania ▪ BEng @University “Politehnica” of Bucharest ▪ MEng @University “Politehnica” of Bucharest ▪ MSc @Bucharest Academy of Economic Studies ▪ Member @Romanian Security Team community ▪ Speaker @DefCamp 2017 && @OWASP RO 2018 ▪ CEH ▪ Interests: ▪ Web App Security ▪ Infra Security ▪ IoT Device Security ▪ Contact: @matasareanu13 3 ~# whoami&&id
  • 5. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania ▶ Burping (also known as belching, ructus, eruptus or eructation) is the release of gas from the digestive tract (mainly esophagus and stomach) through the mouth. 5 What is Burp-ing?
  • 6. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 6 What is Burp-ing?
  • 7. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 7 What is Burp?
  • 8. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania ▶ A thick client, also known as Fat Client is a client in client–server architecture or network and typically provides rich functionality, independent of the server. In these types of applications, the major processing is done at the client side and involves only aperiodic connection to the server. 8 What is a Thick Client?
  • 9. What is the problem?
  • 10. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania ▶ Be on a pentest assignment with a thick client in front of you ▶ Set up Burp as a system proxy ▶ Manage to finally intercept requests ▶ Cool – SOAP requests ▶ Stumble upon gibberish in the requests and response of the application 10 What is the problem at hand?
  • 11. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 11
  • 12. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania Decompile the .NET application 12 What to do?
  • 13. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania ▶ Find the encryption method used 13 What to do?
  • 14. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 14 What to do?
  • 15. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 15 What to do? Find the IV and the Key ☺
  • 16. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 16 Cyberchef
  • 17. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 17 Results ☺ ▶ We are starting to get there ☺ ▶ But decrypting, decoding modifying the parameters, re-encoding, re-encrypting for each request and for each payload starts to get old very fast.
  • 18. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 18
  • 19. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 19 My Google Fu isn’t providing
  • 20. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 20
  • 21. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania ▶ Getting started: – “Easy“ way to extend Burp features – Basic steps: 21 Writing a Burp extension ☺
  • 22. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania ▶ Getting started: – “Easy“ way to extend Burp features – Basic steps: 22 Writing a Burp extension ☺
  • 23. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 23 Writing a Burp extension ☺ Get more info about writing a Extension. Learn by example ☺ https://portswigger.net/burp/extender#SampleE xtensions
  • 24. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania Decide what language you will use?? 24 Writing a Burp extension ☺
  • 25. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania Jython it is ☺ 25 Writing a Burp extension ☺
  • 26. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 26 Writing a Burp extension ☺ https://portswigger.net/blog/sample-burp-suite-extension-custom-editor-tab Start from something they built It’s always easier ☺
  • 27. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania ▶ The encrypted values are found in SOAP requests under two XML tags: – <writeObj> – <readObj> – First step is to look for the pattern: 27 Writing a Burp extension ☺
  • 28. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 28 Writing a Burp extension ☺ Decrypt the payload ☺ Don’t be that fast PyCrypto doesn’t want to work in Jython 
  • 29. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 29 Writing a Burp extension ☺ Decrypt the payload ☺ Don’t be that fast PyCrypto doesn’t want to work in Jython 
  • 30. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 30 Writing a Burp extension ☺ https://github.com/csm/jycrypto
  • 31. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 31 Writing a Burp extension ☺
  • 32. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania ▶ You now have .NET serialized objects… 32 Writing a Burp extension ☺ And now the struggle of Google-ing begins again..
  • 33. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania ▶ https://github.com/agix/NetBinaryFormatterParser 33 Writing a Burp extension ☺
  • 34. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 34 Writing a Burp extension ☺
  • 35. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 35 Writing a Burp extension ☺
  • 36. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania ▶ Problem and solution: – Burp’s Java StackTrace doesn’t provide any help when using Jython! – Here comes the solution: https://github.com/securityMB/burp-exceptions – Put the file in your project folder – Import it in your code: – Call it in the end: – Now any Python exception is thrown in the Extender Output-Tab of Burp 36 Writing a Burp extension ☺
  • 37. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 37
  • 38. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 38
  • 39. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania 39 Questions? And let’s hope some answers ☺
  • 40. Atos, the Atos logo, Atos Codex, Atos Consulting, Atos Worldgrid, Bull, Canopy, equensWorldline, Unify, Worldline and Zero Email are registered trademarks of the Atos group. November 2018. © 2018 Atos. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos. Thanks For more information: contact@cosminr.me @Matasareanu13 github.com/Matasareanu Or you know, in person ☺