Sniffing the Unsniffable on Windows

26 points| markgamache | 16 years ago |markgamache.blogspot.com | reply

6 comments

[+] est|16 years ago|reply
alternatively if you want SYSTEM privileged cmd.exe on Windows XP (not on Vista, sorry) and you don't have SysInternal's psexec, you can try this:

    C:\> time /t
     9:42
    C:\> at 9:43 /interactive cmd

then at 9:43 a cmd.exe shell pops up.

And HTTPAnalyzer could sniff HTTPS traffic easily. It's DLL injection and it can un-gzip data.

[+] markgamache|16 years ago|reply
AT no longer allows running as local system.

HTTPAnalyzer is great for HTTPS, but not pure SSL, such as LDAPS, in the example.

[+] joshu|16 years ago|reply
"sniffing the unsniffable" sounds way more racy than it ought to.

[+] FahnRobier|16 years ago|reply
stunnel is also a nice way to debug ssl connections when you only control one side of the connection: http://www.stunnel.org/examples/

As a client, you would stunnel local:389 to remote:636. As a server you would stunnel local:636 to local:389.

Then you can sniff on the unencrypted port with Wireshark, etc.

Thanks for the pointer to detours.
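The two stunnel setups described in the comment above, written out as configuration (an added example, not the commenter's own files; the host name, CA file and certificate paths are placeholders). Each section goes in its own stunnel.conf on the machine where that side runs:

```ini
; --- stunnel.conf, client mode (the machine whose LDAP client you want to observe) ---
; Point the application at 127.0.0.1:389 instead of the LDAPS server; stunnel
; wraps the plaintext LDAP in TLS and forwards it to the real server on 636.
[ldaps-client]
client  = yes
accept  = 127.0.0.1:389
connect = ldap.example.internal:636
; Verify the upstream server certificate against a trusted CA (placeholder path),
; so the debugging proxy does not silently accept any certificate presented to it.
CAfile  = C:\stunnel\ca.pem
verify  = 2

; --- stunnel.conf, server mode (in front of a plaintext LDAP server you control) ---
; Clients connect to 636 over TLS; stunnel terminates TLS and forwards to local 389.
[ldaps-server]
accept  = 636
connect = 127.0.0.1:389
cert    = C:\stunnel\server.pem
key     = C:\stunnel\server.key
```

Capture on port 389 of the loopback interface to see the decrypted LDAP; note that WinPcap-era Wireshark cannot capture Windows loopback traffic, so on Windows you need Npcap (or a tool such as RawCap) for that leg.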

[+] rawr|16 years ago|reply
I am very pleased to see a legitimate post about hacking on Hacker News. Well played, sir.

I have similar feelings about Detours. Microsoft Research is in their own little world sometimes.

[+] daeken|16 years ago|reply
On the subject of Detours, I suggest checking out EasyHook: http://www.codeplex.com/easyhook

It's under a free license, lets you write hooks not only from C/C++, but also from any .NET language (architecture-independent). It makes any sort of API hooking a breeze.

Edit: Forgot to mention, it automatically sets up a remoting channel for you. That way, you can do IPC between your hooking application and the hookee trivially.