[ Beneath the Waves ]

This is the personal website of Ben Lincoln.

On The Outside, Reaching In - version 0.3

Version 0.3 of On The Outside, Reaching In has been released. The main new feature is the inclusion of a pair of "generic" modules which can be used to exploit basic XXE vulnerabilities without having to wait for someone to write a full module. For example, if you can obtain content from a target system using the Burp Suite Repeater component, you can copy/paste your request into a template file, make a few modifications, and then be able to use On The Outside, Reaching In's features such as walking the filesystem (for Java-based targets), or doing blind reads of numerous files from a list. A detailed tutorial is available: OTORI - Example 7: Generic XXE Modules.

A few updates

An article I had to cut from the last update due to time constaints has been finished: OTORI - Exploring the Linux Filesystem is about using On The Outside, Reaching In to obtain a variety of useful information from Linux hosts thanks to the pseudo-files in /proc and the special content in a few other locations. This article is the main reason for version 0.2.1 of On The Outside, Reaching In, which includes some lists specifically designed to scrape content from /proc on Linux target systems — see OTORI - Exploring the Linux Filesystem for more details.

I also did some cleanup of the articles related to On The Outside, Reaching In — the FAQ is now a separate document to make the main page less wordy, the Squiz Matrix tutorial (OTORI - Example 2: Squiz Matrix) notes that it (like Mahara) needs to be run on a system without certain very recent libxml2 patches to be vulnerable, etc.

On The Outside, Reaching In, and She Wore A Mirrored Mask

My weekend project on and off since February has been a pair of penetration-testing tools. These are very early "preview" versions, but should work well enough to be useful for some people. I also wanted to be able to finally get some feedback on whether this was a useful direction to go in. It seemed to me like there was not a good tool in this space. Some might argue that there still isn't, of course :). They're both released under version 3 of the GPL.

On The Outside, Reaching In is designed to automate exfiltration of files from servers with XML External Entity ("XXE") vulnerabilities. It uses a Metasploit-style "module" system, because the specific mechanisms for exploiting this type of vulnerability vary too much for a generalized tool.

She Wore A Mirrored Mask is "a webserver with hidden talents" — it pretends to be something innocuous, but actually acts as a partner for On The Outside, Reaching In when using certain types of XXE exploit. In the future, it may do a lot more than that.

I included four detailed tutorials to get people started:

OTORI - Example 1: Apache Solr

OTORI - Example 2: Squiz Matrix

OTORI - Example 3: Mahara

OTORI - Example 4: McAfee ePO

Further updates to the Motorola article

I managed to track down the location-data-collecting component of Motorola's software on my phone - but before you get too excited, it was not enabled at the time. It's called "Little Sister", and I've added a section on it and a few other updates to the Motorola Is Listening article. I've also added a description of the hack/workaround I've used on my own device to prevent it from communicating with Motorola.

In the process of testing that hack/workaround, I learned something about HTTP proxies. Maybe it's common knowledge in some circles, but I sure hadn't run across it before. The details are in the HTTP Proxies and Loopback Addresses article.

I've made some minor corrections to the Multipurpose Man-in-the-Middle VM article as well, so if you've been giving that a shot and have run into trouble, those updates may help.

Looks like I forgot to actually upload the updated version of the XMPPPeek HTML file that included a link to the package with updated traffic-forwarding scripts. Sorry about that. It's been corrected.

MitM VM build guide updates/corrections

I've made a few corrections and additions to the Multipurpose Man-in-the-Middle VM writeup. I'd forgotten to include the steps for manually chaining SSL certificates together when performing a custom MitM (e.g. for XMPP communication and socat), and I've updated the troubleshooting steps I had to use to get the network configuration to "stick" on one of my VMs.

I've also updated the traffic-forwarding scripts that are included with XMPPPeek.

DIY traffic-intercepting Linux VM build guide

As promised in the Motorola Is Listening and XMPPPeek articles, I've created a guide to building the type of Linux VM that I used for my testing: Multipurpose Man-in-the-Middle VM.

Some corrections and minor updates have been made to the XMPPPeek and Motorola Is Listening articles as well.

A few more updates to the Motorola article

Added a bit more information and a table-of-contents to the Motorola Is Listening article.

The hits keep coming

Another update to the Motorola Is Listening article - looks like I failed to notice an authentication-related problem until now.

Uh oh

I realized something while I was in the shower this morning - there may be a more serious security issue exposed by the mechanisms described in the Motorola Is Listening article. I've added a note near the top to this effect. It's entirely theoretical at this point, but I wanted to throw it out there in case anyone has more time to actively research this.


Motorola Is Listening certainly got a lot more attention than I expected. I've added a minor note near the top because a lot of the discussion I've seen is around the "MotoBlur" user interface, which the phone I used (the Droid X2) does not include.

I've also added a link to the UVIR Optics eBay store on the Filters page. They have some really nice filters available made out of hard-to-find (at least in the US) glass, and the prices are quite low.

[ Page Icon ]