Exetools > General > General Discussion

#1  01-19-2018, 19:49  mesagio
Keygenning Webservices

Has someone tried to keygen or to get a serial from a web application or web service like VMware vCloud Director (installed on your own server)?

How can I intercept the API calls like in a normal EXE application?

Which tools are you using?
#2  01-19-2018, 22:28  DARKER
For traffic you can use Wireshark. It's a network packet analyzer: it captures network packets and tries to display the packet data in as much detail as possible.

Home: https://www.wireshark.org/#learnWS
WireShark Tracing Web Services: https://www.youtube.com/watch?v=qAF8FMxFwoQ
#3  01-19-2018, 22:58  congviet
Quote:
Originally Posted by mesagio
Has someone tried to keygen or to get a serial from a web application or web service like VMware vCloud Director (installed on your own server)?

How can I intercept the API calls like in a normal EXE application?

Which tools are you using?
You can try Fiddler to capture web traffic and responses.
Details at:
Code:
hxtps://www.telerik.com/fiddler
#4  01-20-2018, 01:00  niculaita
https://telerik-fiddler.s3.amazonaws.com/fiddler/FiddlerSetup.exe
#5  01-20-2018, 05:45  Kerlingen
If the EXE is running on your computer, debug it just like any other EXE. If the EXE is a "real" service, you might have to hex-edit a few values in the header before a debugger will load it, but 99% of the so-called "services" are just plain and simple GUI executables which are only executed by the service manager instead of the autostart function.

Capturing traffic will only work if the connection is not encrypted or if the application doesn't check certificates. VMware, for example, does check certificates (the update check will fail with "connection refused" if you have any MITM in the certificate chain).

If you control both ends of an encrypted connection using weak SSL/TLS parameters, you can supply some of the capture tools with the private key of the connection and they will be able to decode the saved captures (not the live traffic). But if the programmer isn't totally stupid and the software isn't older than 10 years, it's pretty much impossible to decode any properly encrypted traffic.
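Whether a capture tool can decode a saved TLS session with only the server's private key, as Kerlingen describes, depends on the key exchange the session negotiated: with plain RSA key exchange the client encrypts the pre-master secret to the certificate's key, so the key unlocks the recording; with ephemeral (EC)DHE, or with TLS 1.3, it does not. The following is an added example, not code from the thread or from any tool named in it: a small Python parser that reads a TLS ServerHello record and reports whether the negotiated suite would leave a saved capture decryptable with the private key alone, which is the check a service owner would run on their own deployment. The two ServerHello byte strings are constructed here, and the cipher-suite table is a hand-picked subset of the IANA registry, not a complete list.

```python
import struct

# Hand-picked subset of IANA cipher-suite ids -> (name, key exchange).
# Anything not listed here is reported as unknown rather than guessed.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
}


def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record that carries a ServerHello handshake message.

    Layout (RFC 5246 / RFC 8446): record header = type(1) version(2) length(2);
    handshake header = type(1) length(3); ServerHello body = version(2)
    random(32) session_id_len(1) session_id cipher_suite(2) compression(1) ...
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                      # skip legacy_version and the 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip session_id
    if len(hello) < pos + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {"version": version, "suite": suite}


def assess_capture_decryptable(record: bytes) -> dict:
    """Report whether a saved capture of this session falls to the server key alone.

    Only static RSA key exchange has that property; (EC)DHE and TLS 1.3 derive
    the session key from ephemeral values the private key never protected.
    """
    parsed = parse_server_hello(record)
    name, kx = CIPHER_SUITES.get(parsed["suite"], ("unknown", "unknown"))
    decryptable = None if kx == "unknown" else (kx == "RSA")
    return {
        "version": hex(parsed["version"]),
        "suite": name,
        "key_exchange": kx,
        "decryptable_with_private_key": decryptable,
    }


def build_server_hello(version: int, suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record for offline testing (no extensions)."""
    hello = (struct.pack("!H", version) + b"\x11" * 32
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite) + b"\x00")
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body


# Constructed sample records: one static-RSA session, one forward-secret session.
SAMPLE_RSA = build_server_hello(0x0303, 0x009C)
SAMPLE_ECDHE = build_server_hello(0x0303, 0xC02F, session_id=bytes(32))

if __name__ == "__main__":
    for label, rec in (("static RSA", SAMPLE_RSA), ("ECDHE", SAMPLE_ECDHE)):
        print(label, assess_capture_decryptable(rec))
```

On a real capture, feed the function the raw bytes of the server's first TLS record; a result of True is the weak-parameters case Kerlingen describes, and False means the recording stays opaque even to whoever holds the certificate key.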
#6  01-21-2018, 06:05  mesagio
Yes, the service is set up in a VM on my ESX host. It's an appliance (OVA) which you deploy, and then you have to input a serial. Therefore nothing is going through the wire. I think there is a web application (Tomcat) or something like that. I am trying to find out.

I am wondering why there is so little information on these topics in general. A lot of applications are going to be web-driven.
#7  01-22-2018, 17:37  surferxyz
My general flow for reversing something like this follows these types of steps:

Figure out how to gain access to the VM while it is running for analysis (e.g. if the VM guest is Linux without disk encryption, then a possibility would be to add an SSH authorized_keys file directly to the disk, then reboot the VM ...).

Now that you have access to the running environment, it is a lot easier to figure out what the "serial accepting" application is (e.g. you can look at the process listing, or see what application is listening on a particular port, or view configuration files...).

In your case you made it sound like it is part of a web application, so now you just need to figure out where that web application is, what language it is written in, etc., and reverse engineer it...

You can usually be super lazy and just search the entire disk for the name of one of the web application files (e.g. maybe when visiting the appliance you go to /index.php; you can just search the entire disk for index.php and probably you find it).

If not, figure out what the web server handling your request is (you mentioned Tomcat), then either look at the configs for that, or be lazy and search the whole disk for associated server files (e.g. search the whole disk for .war).

Other than the kind of annoyance of drilling down into the VM to find what to analyze, there are no other real differences from regular reverse engineering... although I guess you could say "figuring out what the appliance does" is just regular reverse engineering.

You specifically ask "how to intercept the API calls"; well, with access to the VM you can do it the same way as you normally would, depending on the OS... It kind of sounds like you are confused because you are not familiar with reverse engineering outside of a Windows environment... I can give you one good tip: use the IDA remote debug server executables. You can drop the Linux server binary into the VM, run it, then use the same already familiar IDA debugging environment on Windows to debug your target inside the VM.

I think you will need to be more specific about what you are trying to reverse. I am guessing a Java web application; you can reverse those the same way you would any other Java code.

Last edited by surferxyz; 01-22-2018 at 17:52.
All times are GMT +8.