
Big Iron Recon & Pwnage (BIRP)

by @singe (Dominic White @ SensePost)

Overview

BIRP is a tool that assists in the security assessment of mainframe applications served over TN3270. Much like what Burp and other web application proxies do for web application assessments, BIRP aims to do the same for TN3270 application assessments. And, much like with web applications, being able to see and modify fields that the application developer assumed were neither visible nor modifiable allows security assumptions to be bypassed.

In particular, BIRP provides two capabilities for the aspiring TN3270 hacker. The first is that it shows all the data the application returned for the screen, including hidden (non-display) fields. The second is that it allows fields marked as "protected" (i.e. non-modifiable) to be modified. Depending on how the application has been developed, this can allow application functionality to be altered, since the application may trust values it placed in fields it assumed the terminal would never change.

Running

./birp.py -h will give you startup help if you want to get running.

All you need is to specify a target with -t. The target can include a port, separated from the IP by a colon, e.g. 10.10.10.10:1023. If no port is specified it defaults to 23, as per x3270's default behaviour.

You can use -l to load a previously saved history file into the history. You must always specify a target; unfortunately you cannot just view a history file yet.

Check the pre-requisites below before installing. Unfortunately, this will only run in Unix environments at the moment; there is no Windows support.

Functionality

Currently, BIRP has a fairly limited set of functionality:

  • Interactive Mode

Interactive mode is the heart of BIRP's functionality. It passes keypresses and other commands from BIRP to x3270 and lets the analyst interact with the application as they would if they were using x3270 directly. However, it also displays the marked-up "hacker view" of each screen returned, and records "transactions" in the proxy history for later analysis and inspection.

In interactive mode hitting Ctrl-h will print a help screen, Ctrl-k will display a color key, and ESC will exit back to the menu.

BIRP tries to work out when a "transaction" has occurred, and records the before and after screens as well as the modified fields. Certain keys always initiate a transaction, such as Enter or any of the PF/PA keys. However, if for any reason the screen requires different keys to function, you can manually "push" a transaction with Ctrl-u right after performing the action.

Finally, if you want to have the screen re-printed hit Ctrl-r.

  • View History

This displays the history of all transactions BIRP recorded, and allows them to be inspected. Specifically it provides access to the screen submitted, the fields that were modified in that screen (i.e. the data submitted), and the response.

For each screen, only the first row is displayed as context, but the full screen can be printed if you view the transaction.

Also, you can drop into python and examine the screen object directly.

  • Search History

Here you can perform a case-sensitive search to find transactions whose screens contain certain text.

  • Save History

You can save your history to a file, and load it again later with the -l switch on the command line. You need to save it to a unique filename.

  • Python Console

The tool is not done yet, and right now there are lots of good reasons to be able to play with the objects directly. You can drop into an embedded IPython shell at various places. BIRP has a fairly useful set of Python objects that you can interrogate, and I have made sure they have useful Pythonic output (str/repr). The top object is the "history", which contains a list of "transactions". You can interrogate the last transaction added by referring to history.last(). Each transaction has a request and a response screen object. So, for example, to get a list of all hidden fields in the last response from the server you could use: history.last().response.hidden_fields

For further detail, it would be best to view the tn3270.py module.
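As an added illustration of the screen and transaction objects described in the Interactive Mode and Python Console sections above, the following Python 3 sketch (written for this page, not BIRP's own tn3270.py code) decodes the 3270 field attribute byte and classifies fields the way the hacker view and the transaction history do. It assumes x3270's ReadBuffer(Ascii)-style output, i.e. rows of SF(c0=xx) tokens followed by two-hex-digit ASCII codes per screen position; the sample screens, the field contents and the helper names (parse_screen, hidden_fields, protected_fields, modified_fields) are constructed for the example.

```python
"""Added example (Python 3), not BIRP's own code: decode the 3270 field
attribute byte from x3270-style ReadBuffer(Ascii) rows and classify fields the
way BIRP's "hacker view" and transaction history do.  Assumed row format:
'data: SF(c0=xx) 55 73 ...' (a Start Field token carrying the attribute byte,
then one two-hex-digit ASCII code per screen position).  Screens are constructed."""
import re
from dataclasses import dataclass

# Bits of the 3270 field attribute byte (the c0 value in an SF token).
ATTR_PROTECTED = 0x20       # set: terminal refuses operator input into the field
ATTR_NUMERIC = 0x10         # set: numeric-only input
ATTR_DISPLAY_MASK = 0x0C    # two-bit display code
DISPLAY_INTENSIFIED = 0x08  # 10: intensified
DISPLAY_NONDISPLAY = 0x0C   # 11: "hidden", data is in the buffer but never drawn
ATTR_MDT = 0x01             # modified data tag: field changed since the last send

@dataclass
class Field:
    row: int
    col: int
    attr: int
    text: str = ""

    @property
    def protected(self) -> bool:
        return bool(self.attr & ATTR_PROTECTED)

    @property
    def hidden(self) -> bool:
        return (self.attr & ATTR_DISPLAY_MASK) == DISPLAY_NONDISPLAY

    @property
    def modified(self) -> bool:
        return bool(self.attr & ATTR_MDT)

    def flags(self) -> str:
        """Marker string for the printout: P=protected H=hidden N=numeric M=modified."""
        marks = (("P", self.protected), ("H", self.hidden),
                 ("N", bool(self.attr & ATTR_NUMERIC)), ("M", self.modified))
        return "".join(m for m, on in marks if on) or "-"

TOKEN = re.compile(r"SF\(([^)]*)\)|(?:SA|GE)\([^)]*\)|([0-9a-fA-F]{2})")

def parse_screen(rows):
    """Turn ReadBuffer(Ascii)-style rows into Field objects; a field runs until the next SF."""
    fields, current = [], None
    for row, line in enumerate(rows):
        if line.startswith("data: "):
            line = line[len("data: "):]
        col = 0
        for m in TOKEN.finditer(line):
            if m.group(1) is not None:    # Start Field: the attribute byte occupies this cell
                kv = dict(p.split("=", 1) for p in m.group(1).split(","))
                current = Field(row, col, int(kv.get("c0", "00"), 16))
                fields.append(current)
                col += 1
            elif m.group(2) is not None:  # one character cell; 00 is a 3270 null, shown blank
                code = int(m.group(2), 16)
                if current is not None:
                    current.text += " " if code == 0 else chr(code)
                col += 1
            # SA/GE tokens (extended attributes, graphic escape) carry no field data here
    return fields

def hidden_fields(fields):
    return [f for f in fields if f.hidden]

def protected_fields(fields):
    return [f for f in fields if f.protected]

def modified_fields(before, after):
    """Fields (matched by position) whose contents differ between two captures: what a
    BIRP transaction records as the data submitted when Enter or a PF key is hit."""
    prev = {(f.row, f.col): f for f in before}
    return [f for f in after
            if (f.row, f.col) in prev and prev[(f.row, f.col)].text != f.text]

def build_row(*cells):
    """Constructed sample row: (attr, text) pairs -> 'data: SF(c0=xx) 41 42 ...'."""
    parts = []
    for attr, text in cells:
        parts.append(f"SF(c0={attr:02x})")
        parts.extend(f"{ord(ch):02x}" for ch in text)
    return "data: " + " ".join(parts)

# Constructed screens: e0 = protected, c0 = unprotected, ec = protected + non-display;
# the low bit (c1, e1) is the MDT the terminal sets once a field has been changed.
SCREEN_BEFORE = [
    build_row((0xE0, "Userid:"), (0xC0, "        ")),  # label + unprotected input field
    build_row((0xE0, "Role:  "), (0xE0, "USER    ")),  # role is shown but protected
    build_row((0xEC, "ACCT=0042"), (0xE0, "")),        # hidden field, never drawn on screen
]
SCREEN_AFTER = [
    build_row((0xE0, "Userid:"), (0xC1, "ALICE   ")),  # operator typed a userid
    build_row((0xE0, "Role:  "), (0xE1, "ADMIN   ")),  # protected field edited via patched x3270
    build_row((0xEC, "ACCT=0042"), (0xE0, "")),
]

if __name__ == "__main__":
    before = parse_screen(SCREEN_BEFORE)
    for f in before:  # the "hacker view": every field, hidden and protected ones included
        print(f"{f.row:2}:{f.col:2} [{f.flags():4}] {f.text!r}")
    for f in modified_fields(before, parse_screen(SCREEN_AFTER)):
        print("modified:", f.row, f.col, repr(f.text), "(protected!)" if f.protected else "")
```

The attribute byte is what both x3270 patches act on: a stock client honours the 0x20 bit by refusing input and the 0x0C display code by never drawing the field, but the host still sends the data and still trusts what comes back, which is why modified_fields flags the protected Role field in the second screen and hidden_fields surfaces the ACCT value the user was never meant to see.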

Pre-requisites:

  • Python libraries: py3270 (v0.3.4), colorama, IPython. These can be installed with pip or easy_install. Until py3270 accepts this pull request (py3270/py3270#13), use my py3270 library (https://github.com/singe/py3270).

  • Hacked x3270 client (v3.6). The patches are included. You can download the source at http://x3270.bgp.nu/download.html, then cd to the suite3270 directory once extracted, and run patch -p1 < suite3270-full.patch. You can use an unmodified client, but then you will not be able to edit protected fields. The patch makes two changes: the first allows protected fields to be edited, the other makes hidden fields visible (shown in reverse text highlighting). This functionality is split into two other patches if you would only like one or the other for some reason.

Design Choices

The key handling functionality I use is my own custom getch implementation. It is pretty horrible, but it works. I would love to use a more mature key handling implementation such as curses, pygame, urwid etc., but they all want to take over your screen too. Personally, I find the scrollback buffer invaluable for recording my activities or just being able to scroll up and remember what I did, so I did not want to lose that, hence this approach.

I found py3270 pretty rough and ended up wrapping some of it. I've provided this as a separate wrapper that you can use in your own programs.

Shouts

  • Thanks to Soldier of Fortran (@mainframed767) for the help figuring out this mainframe stuff.
  • Andreas Lindh (@addelindh) for the clever name of the tool.
  • Rogan Dawes for sitting opposite me for most of the writing of the tool, always with helpful pointers.
  • An unnamed client who gave me the opportunity to test their mainframes and develop the tool.

By dominic () sensepost.com (@singe)

License

Big Iron Recon & Pwnage by SensePost is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-sa/4.0/) Permissions beyond the scope of this license may be available at http://sensepost.com/contact us/.


birp's Issues

Outdated

Hello,

I stumbled upon Birp recently, and it looks promising; it could probably be really helpful in the pentest I am struggling with now. However, I tried to compile your patch with a few versions of x3270 from back in 2018 and it looks like dependencies and a bunch of stuff aren't going to work the easy way.
Did you manage to build the tool recently? Which version of x3270 have you used?
Did you port py3270 to Python 3?

Distribution Request

I am a developer for the ArchAssault project; we would like to add this to our repo but I noticed it's missing a license. Can you please add a license and add a tag as well?

Traceback with latest version from git

It looks like this happens with py3270 using the latest git src.

[+] Big Iron Recon & Pwnage (BIRP) by @singe
[+] Manual target selection chosen.
[+] Slowdown is : 0
[+] Attack platform : Linux
Traceback (most recent call last):
  File "./birp.py", line 528, in <module>
    (em,history) = startup()
  File "./birp.py", line 514, in startup
    em = Emulator(visible=True,delay=results.sleep)
  File "/home/spirit/packages/birp-git/src/birp/py3270wrapper.py", line 9, in __init__
    EmulatorBase.__init__(self, visible)
  File "/usr/lib/python2.7/site-packages/py3270/__init__.py", line 205, in __init__
    raise Exception("EmulatorBase has been replaced by Emulator. See readme.rst.")
Exception: EmulatorBase has been replaced by Emulator. See readme.rst.

impossible to run interactive mod

I compiled birp and x3270 on Kali and on BlackArch with the same result. I get the following stack trace:

Traceback (most recent call last):
  File "birp.py", line 544, in <module>
    menu(em, history)
  File "birp.py", line 469, in menu
    interactive(em,history)
  File "birp.py", line 180, in interactive
    if not em.is_connected():
  File "/usr/lib/python2.7/site-packages/py3270/__init__.py", line 328, in is_connected
    self.exec_command(b'ignore')
  File "/usr/lib/python2.7/site-packages/py3270/__init__.py", line 291, in exec_command
    c.execute()
  File "/usr/lib/python2.7/site-packages/py3270/__init__.py", line 69, in execute
    return self.handle_result(result.decode('ascii'))
  File "/usr/lib/python2.7/site-packages/py3270/__init__.py", line 87, in handle_result
    raise CommandError(msg.decode('ascii'))
py3270.CommandError: Unknown action: ignore

The files have been moved in the new version of x3270 (3.5ga11 stable, 26 June 2017), so the patch doesn't work straight away.
I'm not sure all the lines are correctly patched; I'll check that tomorrow.

Birp.py crashes on OSX 10.10

When starting birp up, it crashes.

$ ./birp.py
[+] Big Iron Recon & Pwnage (BIRP) by @singe
[+] Manual target selection chosen.
[+] Slowdown is : 0
[+] Attack platform : Darwin
Traceback (most recent call last):
  File "./birp.py", line 529, in <module>
    (em,history) = startup()
  File "./birp.py", line 515, in startup
    em = WrappedEmulator(visible=True,delay=results.sleep)
  File "/Users/jfbethlehem/Code/mainframe/birp-master/py3270wrapper.py", line 10, in __init__
    Emulator.__init__(self, visible)
  File "/Library/Python/2.7/site-packages/py3270/__init__.py", line 224, in __init__
    self.app = app or self.create_app(visible)
  File "/Library/Python/2.7/site-packages/py3270/__init__.py", line 236, in create_app
    return x3270App()
  File "/Library/Python/2.7/site-packages/py3270/__init__.py", line 105, in __init__
    self.spawn_app()
  File "/Library/Python/2.7/site-packages/py3270/__init__.py", line 113, in spawn_app
    stderr=subprocess.PIPE,
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 709, in __init__
    errread, errwrite)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 1326, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

windows work around ?

Any chance you could get this working on windows ?
Probably have to write the getch keymap and then
x3270 not supported on Windows warning error

Exception probably handling non-ascii charaters

Hi!

During my last activity on a mainframe, Birp crashed several times with this exception on different CICS pages:

Traceback (most recent call last):

  File "birp.py", line 545, in <module>
    menu(em, history)
  File "birp.py", line 470, in menu
    interactive(em,history)
  File "birp.py", line 202, in interactive
    trans = exec_trans(em,history,'enter')
  File "birp.py", line 107, in exec_trans
    em.exec_command('Wait(1,3270Mode)') #Capture the whole 3270 screen
  File "/usr/local/lib/python2.7/dist-packages/py3270-0.3.5-py2.7.egg/py3270/__init__.py", line 299, in exec_command
    c.execute()
  File "/usr/local/lib/python2.7/dist-packages/py3270-0.3.5-py2.7.egg/py3270/__init__.py", line 77, in execute
    return self.handle_result(result.decode('ascii'))
  File "/usr/local/lib/python2.7/dist-packages/py3270-0.3.5-py2.7.egg/py3270/__init__.py", line 95, in handle_result
    raise CommandError(msg.decode('ascii'))
py3270.CommandError: Wait: Timed out

I think it may be an issue related with non-ascii characters, but I'm not sure.

The problem is that when this exception arises, Birp and the x3270 terminal crash, losing all unsaved data.

Thank you a lot for your great work!

Federico

Unrecognized character sequences

Greetings! I love the work you have done with birp. I have been toting around a jumble of half-polished Ruby scripts to accomplish similar things, but I'm very impressed with what you already have working in birp.

One thing I've run into is that sometimes I get errors and crashes from unrecognized characters as birp is translating from x3270 into Python, etc. For example:

Hitting Enter, any of the PF/PA keys, or Ctrl-u will record a transaction.
Traceback (most recent call last):
  File "birp.py", line 544, in <module>
    menu(em, history)
  File "birp.py", line 469, in menu
    interactive(em,history)
  File "birp.py", line 206, in interactive
    print screen.colorbuffer.decode("utf-16").encode("utf-8")
  File "/usr/lib/python2.7/encodings/utf_16.py", line 16, in decode
    return codecs.utf_16_decode(input, errors, True)
UnicodeEncodeError: 'ascii' codec can't encode character u'\u2219' in position 24: ordinal not in ran

So far, I am working around this with the following small change:

$ git diff
diff --git a/birp.py b/birp.py
index 0ffff33..006c591 100755
--- a/birp.py
+++ b/birp.py
@@ -203,7 +203,7 @@ def interactive(em,history):
                        logger('Enter entered',kind='info')
                elif key == getch.KEY_CTRLr: # Ctrl-r print screen
                        screen = update_screen(em,screen)
-                       print screen.colorbuffer
+                       print screen.colorbuffer.encode("ascii", "ignore")
                        logger('Screen refreshed',kind='info')
                elif key == getch.KEY_CTRLu: # Ctrl-u manually push transaction
                        screen = update_screen(em,screen)
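Review bot: the "ignore" error handler on the added line silently drops every non-ASCII character, so the printed hacker view no longer matches what the host sent: the u'\u2219' from the traceback simply vanishes, and any hidden-field data containing such characters is lost from the display without any indication. Prefer a visible substitution and the terminal's real encoding, e.g. `print screen.colorbuffer.encode(sys.stdout.encoding or "utf-8", "replace")` (with `import sys`), and since the same failure is reported when a transaction is saved, put that encoding in one helper used by every path that prints or stores colorbuffer rather than patching only the Ctrl-r branch.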

The same occurs when I save a screen as a transaction, and I'm not sure that just ignoring character transcription errors is the "right thing to do".

Have you run into this in your testing?

Thanks!
