Forensic Blogs

An aggregator for digital forensics blogs

by

WebDAV, NTLM & Responder

I was trying to create a capture file with NTLM authenticated WebDAV traffic, using Responder: I couldn’t get it to work. There was WebDAV traffic, but no NTLMSSP headers.

Long story short: there’s a bug in Responder version 2.3.3.9. It manifests itself when the WebDAV client sends a request with just headers, and “Content-Length: 0”, like this:

The code in Responder “sees” just “Content-Length” and waits for more packets:

I made a quick & dirty fix: break out of the loop when we see “Content-Length: 0” (servers/HTTP.py):

And now I have NTLMSSP headers:

I just start my modified version of Responder:

Generate WebDAV traffic from a Windows 7 client:

And Responder participates in the challenge:

This can of course be cracked (if the password is not too complex), with John The Ripper for example:

I also have a blog post with more details about WebDAV traffic from Windows clients.

Once I got Responder to work, I searched on Laurent’s Responder repository, and found a pull-request to fix issues with “Content-Length: 0” requests (this PR has not been merged yet). Hence I’m not going to do my own PR.

You can find the capture file here:

webdav-ntlm-responder.zip (https)
MD5: A427DDBDAF090E93BB75B7A8DE696826
SHA256: 2F92CDD7382DD3622AC1F8769CF9D065C60C235DEF764E6709C32E2C4A7554A8

by

Quickpost: Retrieving an SSL Certificate with nmap

One of my first quickposts, more than 10 years ago, was an howto: using openssl to retrieve the certificate of a web site.

Since then, nmap has a scripting engine, and there is a script to check a certificate with nmap: ssl-cert.nse.

You just have to scan the site and port for which you want to check the certificate, like this: nmap -p 443 –script ssl-cert didierstevens.com

If you want the certificate too, increase verbosity with option -v:

Checking a certificate will not work if you scan a port that is not known to provide SSL/TLS:

In that case, you have to use service discovery (-sV):

 

Quickpost info

by

Overview of Content Published in April

Here is an overview of content I published in April:

Blog posts:

list-interfaces.xlsm Quickpost: Browsers & Content-Disposition Extracting “Stack Strings” from Shellcode Update: translate.py Version 2.5.6 Update: python-per-line.py Version 0.0.6 Update: format-bytes.py Version 0.0.8 Update: jpegdump.py Version 0.0.7

YouTube videos:

Analysis of PDFs Created with OpenOffice/LibreOffice

Videoblog posts:

Maldoc Analysis: Excel 4.0 Macro

SANS ISC Diary entries:

Maldoc Analysis of the Weekend by a Reader Analysis of PDFs Created with OpenOffice/LibreOffice Analyzing UDF Files with Python .rar Files and ACE Exploit CVE-2018-20250 Malicious VBA Office Document Without Source Code Quick Tip for Dissecting CVE-2017-11882 Exploits