Tricking Software License (IP/Hostname) Restrictions
I downloaded a web application security scanner recently to see how it
fared on a website. Only after the download did I find that in its demo
state it is horrendously crippled. Well, maybe it's not so much crippled, but
it is certainly unable to scan most of the internet: the trial will only scan
a fixed list of addresses. Now I'm a rather savvy person, TCP is easy to
manipulate, so I decided to figure out how I was going to fool this stupid
license restriction.
A little about my home network is necessary to understand this. First off, I
don't run Windows, so the box I'm installing these commercial web application
security scanners on is a VMware Windows XP guest that is NAT/bridged to my
local LAN. My LAN goes through a beautifully old Pentium 2 OpenBSD box/router.
This router runs nat/rdr rules all over the place and also runs named for my
own internal network names.
Now I figure this licensing is probably really stupid and just relies on the
CNAME record in a DNS entry. So I hack up my own entry and point the vendor's
hostname at the website I want to scan. Unfortunately the license restriction
is on a per-IP basis, so that quick hack was quickly thrown out the window.
Damn, I knew it wouldn't be that easy.
So then I figure, well, I've got this firewall and I know PF is awesome, so
why don't I just redirect through it. That's exactly what I finally decided
on. It's a combination of rdr rules and nat rules. It's stupidly complex and
it took me a few minutes to figure out how I wanted to express this, but
these are the PF rules I came up with:
rdr pass log (all) on $int_if proto tcp from any to <webappsecsites> port 80 -> 10.13.13.14 port 80
no nat on $int_if proto tcp from $int_if to $int_if
nat on $int_if proto tcp from any to 10.13.13.14 port 80 -> $int_if:0
So <webappsecsites> is a table I made with the different vendor addresses the
trial is willing to scan. The rules take any request from my internal network
(the any can be replaced with a specific IP if you want, but I didn't care to
figure out my VMware machine(s)' IP addresses) to one of those addresses THAT
reaches the router (any other request to my webserver is caught by a switch
before it hits the router, so this is effectively only rewriting requests AT
the router), redirect it to my webserver, and change the source to the router.
Now my VMware machines are making requests to the vendor's websites, getting
redirected at the router and NATed, so the packets get rewritten to go to my
own webserver.
Why the nat rule and not just the rdr? The webserver (10.13.13.14) sits on the
same LAN as the VM. With rdr alone the webserver would answer the VM directly,
the VM would see a reply from 10.13.13.14 rather than from the address it
connected to, and the connection would never complete. Rewriting the source to
the router's address ($int_if:0 is the first address on that interface) makes
the webserver reply to the router, which undoes both translations before
handing the packet back to the VM. The no nat line just exempts the router's
own traffic on that interface from the rewrite. Because the rdr rule has
log (all), every rewritten packet shows up on pflog0 (tcpdump -n -e -ttt -i
pflog0), which is the quickest way to confirm the scanner's traffic is actually
being matched.
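The same rules in the rdr-to/nat-to syntax that OpenBSD 4.7 and later use (the separate nat/rdr rule syntax above no longer loads on a current pf). This is an added translation, not the post's own ruleset: $int_if, the table name and 10.13.13.14 are carried over from above; the interface name and the table contents are placeholders I made up, and $int_if:network is assumed to describe the LAN.

```pf
# Assumed values, not from the post: pick your real LAN interface and the
# addresses the trial is willing to scan.
int_if = "fxp0"
table <webappsecsites> { 192.0.2.0/24 }

# 1. rdr: LAN -> allowed vendor address, port 80, lands on the local webserver
pass in log (all) on $int_if proto tcp from $int_if:network \
    to <webappsecsites> port 80 rdr-to 10.13.13.14 port 80

# 2. hairpin nat: traffic that arrived on $int_if and leaves on $int_if
#    towards the webserver gets the router's address as its source, so the
#    webserver replies to the router and pf un-translates on the way back.
#    received-on $int_if also does the job of the old "no nat" line, since
#    the router's own traffic never "arrives" on that interface.
pass out on $int_if proto tcp to 10.13.13.14 port 80 \
    received-on $int_if nat-to ($int_if)
```

Load it with pfctl -nf /etc/pf.conf first to catch syntax errors, then watch pflog0 as above.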
Now I've been told that this is also the way the scanners actually license
their products... heh. I guess if you pay for your own license there is no
reason to attack whatever IP you want. But for those of us without tons of
cash who just want to play with the trials, this is how you do it :).
If you just wanted to rewrite the TCP packets to scan any website, all you
effectively have to do is use the first rule, provided the real target sits
on the other side of the router so its replies come back through it. I only
had to use the more complicated version to make it work internally. The only
gotcha is that you have to make sure the receiving server will respond to a
Host header of another server. This is easy on my own server (ServerAlias ...
in the Apache vhost), but scanning some other random internet server would
require more rewriting... not trivial but certainly not impossible.
I actually spent a few seconds thinking about it, and all you effectively
need to do is change the HTTP Host header. So if you wrote an app that sniffs
packets off the machine running the scanner and saw any requests going to the
allowed sites, you would capture those, rewrite the destination address and
the HTTP Host header, and send them off on their merry way; wait for a
response and undo those changes. It's a poor man's NAT with some added
features. I don't know of any off-the-shelf way to do this, though... maybe
that would be an interesting toy to make :).
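The rewrite toy described above, as an added example that is not part of the original post. Instead of sniffing and re-injecting raw packets it does the same job one layer up, as a small forwarding proxy: the scanner's port-80 traffic for the allowed site is steered to it (by an rdr rule like the one above, or the scanner's proxy setting), it rewrites the Host header and the destination on the way in, and rewrites Location headers on the way back so the scanner keeps believing it is talking to the allowed site. The hostnames demo.vendor.example and target.example, the address 192.0.2.10 and the listening port 8080 are placeholders I made up.

```python
"""Poor man's NAT for HTTP: forward the scanner's requests for an allowed
site to the server you really want scanned, rewriting the Host header on the
way in and Location on the way back.  Added example; all names are assumed."""
import socket
import socketserver
import threading

# Assumed mapping (placeholders): hostname the trial scanner is allowed to
# hit -> (hostname to put in the Host header, (address, port) to connect to).
REWRITES = {
    b"demo.vendor.example": (b"target.example", ("192.0.2.10", 80)),
}


def rewrite_request(head, mapping=REWRITES):
    """Rewrite one request head (request line + headers + blank line).

    Returns (new_head, target); target is None when the Host is not one we
    redirect.  Connection is forced to 'close' so that every request on a
    connection passes through here, not just the first one."""
    request_line, _, header_block = head.partition(b"\r\n")
    target, out = None, []
    for line in header_block.split(b"\r\n"):
        if not line:
            continue                      # blank terminator, re-added below
        name, _, value = line.partition(b":")
        lname = name.strip().lower()
        if lname == b"host":
            hostname, _, port = value.strip().partition(b":")
            if hostname in mapping:
                new_host, target = mapping[hostname]
                line = b"Host: " + new_host + (b":" + port if port else b"")
        elif lname == b"connection":
            continue
        out.append(line)
    out.append(b"Connection: close")
    return request_line + b"\r\n" + b"\r\n".join(out) + b"\r\n\r\n", target


def rewrite_response_head(head, mapping=REWRITES):
    """Undo the rename on the way back: a redirect from the real server to
    itself is pointed at the allowed hostname so the scanner follows it."""
    reverse = {real: allowed for allowed, (real, _) in mapping.items()}
    lines = head.split(b"\r\n")
    for i, line in enumerate(lines):
        if line.lower().startswith(b"location:"):
            for real, allowed in reverse.items():
                line = line.replace(b"//" + real, b"//" + allowed)
            lines[i] = line
    return b"\r\n".join(lines)


def read_head(sock):
    """Read until the end of the HTTP head; returns (head, leftover bytes)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf, b""
        buf += chunk
    head, sep, rest = buf.partition(b"\r\n\r\n")
    return head + sep, rest


def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class RewritingProxy(socketserver.BaseRequestHandler):
    """One scanner connection: rewrite request head, forward, rewrite
    response head, then pass the rest of both directions through unchanged."""

    def handle(self):
        head, rest = read_head(self.request)
        new_head, target = rewrite_request(head)
        if target is None:                # not a site we fake: refuse, don't relay
            self.request.sendall(b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n")
            return
        with socket.create_connection(target) as upstream:
            upstream.sendall(new_head + rest)
            threading.Thread(target=pump, args=(self.request, upstream), daemon=True).start()
            resp_head, resp_rest = read_head(upstream)
            self.request.sendall(rewrite_response_head(resp_head) + resp_rest)
            pump(upstream, self.request)


def serve(listen=("0.0.0.0", 8080)):
    """Point the rdr rule (or the scanner's proxy setting) at this port."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(listen, RewritingProxy) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Two caveats a practitioner will hit: this only works for plain HTTP, since over TLS the Host header is inside the encrypted stream and the real server's certificate would not match the name the scanner expects; and an application that embeds its own hostname in page bodies (absolute links, cookies with a Domain attribute) would need those rewritten too, which is the "more rewriting" mentioned above.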
Moral of this story: this bullshit licensing the web app security folks are
doing on their products is totally useless.
-wz