11 July 2012

Getting Keytool to Work With BouncyCastle in Ubuntu

This isn't going to be an earth-shattering post of supreme l33t-ness, just a quick note so I don't forget how to do this:

If you want to get the Bouncy Castle provider working in Ubuntu - so you can do things like, say, update the cacerts.bks on an Android device with the PortSwiggerCA.crt to MiTM SSL traffic from a mobile device - you need to do the following things:

  1. Download the Bouncy Castle Provider of your choice. As of this post, the version I'm using is here.
  2. Put the .jar file in the following directory:
    /usr/lib/jvm/java-6-sun/jre/lib/ext
  3. Add the following to /usr/lib/jvm/java-6-sun/jre/lib/security/java.security:
    security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
  4. Run the following command:
    keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias PortSwiggerCA -file PortSwiggerCA.crt

For completeness, the cacerts.bks file can be pulled off the Android device using:
adb pull /system/etc/security/cacerts.bks

You'll need to remount the /system filesystem as read-write before you can push the modified one back; you can do that with the following command (from an adb shell):
# mount -o rw,remount /dev/block/system /system
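The whole procedure above, wrapped as a script (an added example, not from the original post). It computes the next free security.provider slot instead of hardcoding 9, only appends the provider line once, and reads the alias back after the import so a silent no-op is noticed. Assumptions not in the post: JAVA_HOME may override the /usr/lib/jvm/java-6-sun path, the Bouncy Castle jar and the CA certificate are given on the command line, and steps 2 and 3 need write access to the JRE directories. The /dev/block/system path is the post's and differs between devices.

```shell
#!/bin/sh
# Added example: the post's four steps plus pull, verify and push, as functions.
# Assumptions (not from the post): JAVA_HOME may override the post's JRE path;
# the BouncyCastle jar and CA cert are passed as arguments.
set -eu

BC_PROVIDER=org.bouncycastle.jce.provider.BouncyCastleProvider

# Print the next free security.provider.N slot in a java.security file.
# The post hardcodes 9; on another JRE that slot may already be taken, and a
# duplicate index quietly replaces whatever provider was registered there.
next_provider_index() {
    max=$(grep -E '^security\.provider\.[0-9]+=' "$1" \
        | sed -E 's/^security\.provider\.([0-9]+)=.*/\1/' \
        | sort -n | tail -n 1)
    echo $(( ${max:-0} + 1 ))
}

# Succeed if BouncyCastle is already registered at any slot.
provider_registered() {
    grep -E '^security\.provider\.[0-9]+=' "$1" | grep -qF "=$BC_PROVIDER"
}

# Step 3, made idempotent: append the provider line once, at the next free slot.
register_provider() {
    sec_file=$1
    provider_registered "$sec_file" && return 0
    n=$(next_provider_index "$sec_file")
    printf 'security.provider.%s=%s\n' "$n" "$BC_PROVIDER" >> "$sec_file"
}

# Step 4, then list the alias back so a failed or skipped import is visible.
import_ca() {
    keystore=$1; alias=$2; certfile=$3; storepass=${4:-changeit}
    keytool -keystore "$keystore" -storetype BKS -provider "$BC_PROVIDER" \
        -storepass "$storepass" -importcert -trustcacerts -noprompt \
        -alias "$alias" -file "$certfile"
    keytool -keystore "$keystore" -storetype BKS -provider "$BC_PROVIDER" \
        -storepass "$storepass" -list -alias "$alias"
}

main() {
    bc_jar=$1; certfile=$2; alias=${3:-PortSwiggerCA}
    jre=${JAVA_HOME:-/usr/lib/jvm/java-6-sun}/jre
    [ -f "$bc_jar" ]   || { echo "provider jar not found: $bc_jar" >&2; exit 1; }
    [ -f "$certfile" ] || { echo "certificate not found: $certfile" >&2; exit 1; }

    cp "$bc_jar" "$jre/lib/ext/"                           # step 2
    register_provider "$jre/lib/security/java.security"    # step 3

    adb pull /system/etc/security/cacerts.bks cacerts.bks
    cp cacerts.bks cacerts.bks.orig   # untouched copy, to restore the device after testing
    import_ca cacerts.bks "$alias" "$certfile"             # step 4 + check

    # Block device path is the post's; it differs between devices.
    adb shell mount -o rw,remount /dev/block/system /system
    adb push cacerts.bks /system/etc/security/cacerts.bks
}

# Run the procedure only when invoked with arguments; sourcing the file
# just defines the functions.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Usage: `sh bks-import.sh bcprov.jar PortSwiggerCA.crt`. Keep cacerts.bks.orig and push it back when the engagement ends, so the test CA does not stay trusted on the device.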

A side note: it seems that IE9 and Chromium browser have decided to disallow the export of untrusted CA certificates (Older Firefox still allows it, but newer ones may not - I didn't check). As a result, you may have difficulty getting a copy of the PortSwiggerCA.crt file. If you find yourself in that situation, you're mostly screwed - unless you have the pro version of Burp, which has an export option.

15 March 2012

Configuring Firefox For Web App Pen Testing

You know the routine: you get a gig doing a web app pen test. You break out Burp (or whatever lesser proxy you prefer), and get ready to ruin some developer's day. And then, just as you get ready to load the target URL and start, you see a ton of update requests hit the proxy.

It's annoying. Your logs are polluted, and if you have to turn them over to the client, the extra noise strips some of the professionalism from your image (as a sidenote: Burp's "only save in-scope items" feature helps quite a lot with this).

Here, then, is a quick guide on how to tweak Firefox so that it doesn't spew stupid crap in your web app pen test log files. I may come back and explain the "why" behind some of these later, but for now, just the "how" will have to do. (Note: some of these settings reduce the security of the browser. My presumption here is that Firefox will only be used for testing, not for general-purpose browsing. The settings below reflect that.)

1) Open about:config
2) Disable Safe Browsing
3) Disable Pipelining
4) Disable Pre-fetching
5) Remove all bookmarks
6) Set homepage to about:blank for startup
7) Make sure history is enabled, but disable search suggestions
8) Disable checking for updates
9) Just say no to helping developers
10) Disable updates for sync
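The same settings as a throwaway testing profile, as an added example that is not part of the original post. It writes a user.js covering the about:config items above; user.js is re-applied at every start, so a manual change in about:config does not survive into the next engagement. The pref names are those of Firefox releases current when the post was written and should be checked against the installed version; my reading of item 9 as telemetry is an assumption, and items 5 and 10 are not single prefs, so they are handled in the comments. The firefox binary is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the post): a dedicated Firefox profile for testing,
# with a user.js covering the post's about:config items. Pref names are from
# Firefox of the post's era and must be checked against the installed version.
set -eu

# Write a user.js with the post's settings into the profile directory $1.
write_user_js() {
    profile_dir=$1
    mkdir -p "$profile_dir"
    cat > "$profile_dir/user.js" <<'EOF'
// 2) Safe Browsing: no list downloads or lookups hitting the proxy
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
// 3) Pipelining off, so each request maps cleanly to one proxy log entry
user_pref("network.http.pipelining", false);
user_pref("network.http.proxy.pipelining", false);
// 4) No link or DNS prefetching the tester did not ask for
user_pref("network.prefetch-next", false);
user_pref("network.dns.disablePrefetch", true);
// 6) Blank start page
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.startup.page", 0);
// 7) Keep history, drop search suggestions
user_pref("places.history.enabled", true);
user_pref("browser.search.suggest.enabled", false);
// 8) No update checks: application, add-ons, search engines, blocklist
user_pref("app.update.enabled", false);
user_pref("app.update.auto", false);
user_pref("extensions.update.enabled", false);
user_pref("browser.search.update", false);
user_pref("extensions.blocklist.enabled", false);
// 9) No telemetry (assumption: this is what "helping developers" means)
user_pref("toolkit.telemetry.enabled", false);
// 5) and 10) are not single prefs: a fresh profile carries only the default
// bookmarks (delete them once), and Sync is simply never set up in it.
EOF
}

# Count the prefs written, so a caller can confirm the file is complete.
count_prefs() {
    grep -c '^user_pref(' "$1/user.js"
}

# Create profile $1 in directory $2 and write the prefs into it.
# Start it afterwards with: firefox -no-remote -P "$1"
create_test_profile() {
    firefox -CreateProfile "$1 $2"
    write_user_js "$2"
}

# Run only when invoked with arguments; sourcing just defines the functions.
if [ "$#" -ge 2 ]; then
    create_test_profile "$@"
fi
```

Usage: `sh ff-pentest-profile.sh pentest "$HOME/.mozilla/firefox/pentest"`, then point that profile at the proxy. Because the profile is separate, the general-purpose browser keeps its Safe Browsing and update checks.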

That's it. Now you can go forth, and break all the things, knowing that your log files will be nice and tidy afterwards.