In the past few years, web application security has received a good deal of attention. Because of this attention, we have many proxy tools (Burp/Fiddler/Paros) readily available, which make our lives easy at each step of penetration testing.
These tools are helpful when we can configure or force an application to pass through their already configured proxy settings (IP address and port number), but what if some of the applications we want to test do not have that ability? What if we have a process running in the background (it might be malware) and we want to see the packets that EXE is sending to the network? Yes, we can use a network analyzer such as Wireshark to capture and analyze the packets, but with these tools you can only capture the packets; there is no option to tamper with them at run time. If the requirement is only to capture the packets and analyze them, Wireshark will suffice, but if you really want to tamper with the request and response (which we normally do with Paros/Fiddler for web applications) you need a tool which can capture network packets and also has the capability to intercept and tamper with them.
To help with this I would like to introduce you to a tool called Echo Mirage. This is just another excellent tool from the folks at Bindshell.net, the same folks who created the famous ‘BeEF’. Echo Mirage uses DLL injection and function hooking techniques to redirect network-related function calls so that data transmitted and received by local applications can be observed and modified. Using these techniques the tool gives you an advantage: it attaches itself to a particular ‘EXE’, and only the packets of that EXE are captured (in the case of Wireshark we have to use a filter, as it captures each and every packet that goes out of the machine).
Since the theme for this edition is Mobile/Telecom Security, I would like to take the Android Emulator as an example here. The problem with the Android emulator is that the proxy settings for the emulator work only for the browser; they do not work for the apps installed inside the emulator. The best way is to use the base machine itself to capture the packets which the emulator (the apps in the emulator) is sending. This is where a tool like Echo Mirage becomes very handy. To know how Echo Mirage does all this, read through the next paragraph.
One way is to directly open an executable using Echo Mirage as shown in the screenshot below. You can also give the path and parameters for executing the EXE using Echo Mirage. It will automatically inject the DLL and start hooking the functions.
Another way is to inject into a process which is already running. Selecting this option will show you all the processes running on that system. For Echo Mirage to start its injection you just have to select any one of these processes and click on Start.
If everything works fine, you will get a window, shown below, which says “Injected into %PROCESS NAME%”.
Echo Mirage is now ready to trap and intercept all your requests which are sent through emulator.exe. The screenshot of the interceptor below was taken when I tried to open the Google Maps application in the emulator after setting up Echo Mirage.
The interceptor intercepts the function calls at run time, and unless you click on OK the request will not move forward. You can even tamper with the request and response and then click on OK to move the request forward.
One great advantage of Echo Mirage is that it works on the calls made by the process itself, while the request is still within the application, whereas other network proxy tools like Burp intercept requests only after they have left the application.
There are many more features which make this tool the “God of all proxies”. One of them is that in Echo Mirage, Windows encryption and OpenSSL functions are also hooked, so that the plain text of data being sent and received over an encrypted session is also available. This feature is not really available in (almost) any of the other proxy tools.
Another one is that traffic can be intercepted in real time, or manipulated with regular expressions and action scripts.
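The in-process hook described above, a network send call redirected so that the application's own outgoing data can be observed and rewritten before it leaves the process, with the interceptor blocking the call until it returns and rewrite rules expressed as regular expressions, can be illustrated in Python. This is an added example and not Echo Mirage's code: it monkey-patches `socket.socket.send` for the current process over a local socketpair, applies a constructed rewrite rule, and then shows on the receiving side why the article's closing point about input validation in thick clients holds, with a handler that trusts the client-supplied price beside one that recomputes it from a server-side catalogue. The order format, the field names, `CATALOGUE` and `REWRITE_RULES` are all assumptions made for the example.

```python
import re
import socket

# Unhooked send, captured before the hook is installed so the hook can
# forward (possibly rewritten) data to the real implementation.
_ORIGINAL_SEND = socket.socket.send

# Rewrite rules in the spirit of "regular expressions and action scripts":
# (compiled pattern, replacement). Constructed for this example.
REWRITE_RULES = [
    (re.compile(rb"price=\d+"), b"price=1"),
]


def apply_rules(data, rules=REWRITE_RULES):
    """Run every rewrite rule over an outgoing buffer and return the result."""
    for pattern, replacement in rules:
        data = pattern.sub(replacement, data)
    return data


def install_send_hook(interceptor):
    """Hook socket.send for every socket in this process.

    The interceptor runs synchronously inside the application's own send
    call, so nothing leaves the process until it returns (the role of the
    OK button). Returning None drops the buffer; returning bytes forwards them.
    """
    def hooked_send(self, data, flags=0):
        modified = interceptor(bytes(data))
        if modified is None:
            return len(data)  # pretend the original buffer was sent
        return _ORIGINAL_SEND(self, modified, flags)

    socket.socket.send = hooked_send


def remove_send_hook():
    """Restore the unhooked send."""
    socket.socket.send = _ORIGINAL_SEND


# Server-authoritative catalogue (constructed): item -> unit price in cents.
CATALOGUE = {b"widget": 250}


def parse_order(msg):
    """Parse 'k=v&k=v' into a dict of bytes (hypothetical thick-client format)."""
    return dict(part.split(b"=", 1) for part in msg.split(b"&") if b"=" in part)


def trusting_total(msg):
    """Vulnerable: believes whatever price the client sent."""
    fields = parse_order(msg)
    return int(fields[b"qty"]) * int(fields[b"price"])


def validated_total(msg):
    """Hardened: recomputes from the catalogue and rejects a mismatch."""
    fields = parse_order(msg)
    item = fields.get(b"item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(fields.get(b"qty", b"0"))
    if qty <= 0:
        raise ValueError("invalid quantity")
    if int(fields.get(b"price", b"-1")) != CATALOGUE[item]:
        raise ValueError("price mismatch: client-supplied price was tampered")
    return qty * CATALOGUE[item]


def run_demo(payload):
    """Send payload through the hook over a local socketpair.

    Returns (buffer the application handed to send, bytes the peer received).
    """
    client, server = socket.socketpair()
    seen = []

    def interceptor(buf):
        seen.append(buf)
        return apply_rules(buf)

    install_send_hook(interceptor)
    try:
        client.send(payload)
    finally:
        remove_send_hook()
    received = server.recv(4096)
    client.close()
    server.close()
    return seen[0], received


if __name__ == "__main__":
    original = b"item=widget&qty=2&price=250"  # constructed sample order
    seen, received = run_demo(original)
    print("application sent :", seen)
    print("peer received    :", received)
    print("trusting total   :", trusting_total(received))
    try:
        validated_total(received)
    except ValueError as err:
        print("validated handler:", err)
```

The hook never touches the wire or any TLS layer: it sits on the function the application calls, which is exactly why an encrypted session or a custom binary protocol offers no protection against a client that has been hooked, and why the receiving side must treat every field as untrusted input.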
This is not all; we recommend that you run this tool and explore its features. The tool has been a life saver for us many times and on many projects we have worked on.
I hope this article hits home and proves the necessity of input validation and security testing, even in thick client environments. As tools like Echo Mirage become more mature, this type of attack will only become more common and more dangerous. Thanks to Bindshell for developing such a wonderful tool.
About the Tool:
Name: Echo Mirage
Author: Dave Armstrong
Home Page: http://www.bindshell.net/tools/echomirage.html
Latest Version: 1.2 (as on 1st DEC 2011)