Wireshark dissector in Lua for custom protocol over WebSockets


It is fairly easy to write a Wireshark dissector in Lua for your custom protocol over WebSockets. To understand the basics of writing, and using, dissectors for Wireshark in Lua, see Create a Wireshark dissector in Lua.

Here’s a template to get you started with your custom dissector. Replace port number 8002 with the port on which your WebSocket server listens for incoming connections; the dissector is then called for the payload of every WebSocket frame on that port.

wireshark-websocket.png

You can also register the dissector by the declared WebSocket subprotocol name instead of the port: retrieve the ws.protocol dissector table instead of ws.port, and add your dissector under the protocol name (a string, matching the Sec-WebSocket-Protocol value negotiated in the handshake) rather than a port number. Either way the WebSocket dissector only sees cleartext traffic; for wss:// connections Wireshark must first be able to decrypt the TLS session (for example with a key log file) before your dissector is invoked.

Self-signed code signing certificates


Some setup and application executables need to be signed so that security software on Windows does not flag them as a risk, especially ones with virus-like behaviour such as embedded executable resources that are extracted and executed at run time.

The following steps were performed on Windows, from the Developer Command Prompt installed by Visual Studio.

To generate self-signed certificate for code signing, run

makecert.exe -n CN=Test.org(Test) -r -h 0 -eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" -e 12/31/2017 -pe -sv Test.pvk Test.cer

Here’s a brief overview of the command line
-n subject name of the certificate
-r create a self-signed certificate
-h 0 maximum height of the certificate tree below this certificate (0 means it cannot issue further certificates)
-eku comma-separated enhanced key usage OIDs (1.3.6.1.5.5.7.3.3 is Code Signing; 1.3.6.1.4.1.311.10.3.13 is Microsoft Lifetime Signing, which makes signatures invalid once the certificate expires, even if they are timestamped)
-e expiration date
-pe mark the private key as exportable
-sv private key file name

makecert prompts for a private key password; you may specify one or leave it empty. If you set one, you will need to pass it to Pvk2Pfx with /pi.

To convert the self-signed certificate and its private key to PFX format for use with SignTool, run (add /pi password if the private key is password protected)

Pvk2Pfx -pvk Test.pvk -spc Test.cer -pfx Test.pfx

To sign an executable with SignTool, run (/fd selects the file digest algorithm; add /p password if the PFX is password protected)

SignTool sign /fd SHA256 /a /f Test.pfx filepath.exe

Install the certificate (Test.cer) as a trusted root on the local machine before running the executable. A self-signed certificate is trusted only on machines where it has been installed, so this does not make the binary trusted anywhere else.

Screen Shot 2017-02-23 at 09.17.03.png

Signing a Wix Toolset setup bundle

Signing only the setup bundle executable is not enough: the bootstrapper engine embedded in the bundle (engine.exe) remains unsigned, and because it is extracted and executed at install time it will be flagged as a security risk. Use the following steps to prepare the setup bundle so that it installs without being flagged.

First, detach the engine from setup as follows

insignia -ib setup.exe -o engine.exe

Sign engine.exe with your certificate using SignTool

SignTool sign /fd SHA256 /a /f Test.pfx engine.exe

Re-attach the signed engine.exe to the bundle

insignia -ab engine.exe setup.exe -o setup.exe

Sign setup.exe with your certificate

SignTool sign /fd SHA256 /a /f Test.pfx setup.exe

Retrieve OAuth 2.0 authorization code using JavaFX WebView


This post documents a snippet of code that can be added to the Browser class of the JavaFX WebView sample to extract an OAuth 2.0 authorization code.

Assuming you’ve configured WebView’s WebEngine to load the authorization URL, the authorization server redirects to the redirect_uri given in that URL once the user has logged in successfully, appending the code query parameter, which can be extracted as follows. Before exchanging the code for tokens, check that the state parameter in the redirect matches the value you sent in the authorization URL, so that a code injected by another party is not accepted.

JSON syntax highlighting in ScintillaNET


I am studying the excellent ScintillaNET code editing component, to enable basic JSON editing in a .NET application.

Inspired by the C# code highlighting example, here’s the code snippet to enable basic JSON syntax highlighting

net-scintilla-json.png

Run Buildroot on Ubuntu with Docker


Follow the getting started guide to install Docker. I prefer using Docker in the PowerShell prompt on Windows 10.

To download the ubuntu image and start a new container with a bash shell

docker run -it ubuntu bash

From another command prompt, run the following to find the container id

docker ps -l

Add the -a option to see all containers, even those that are stopped.

To exit the bash shell and stop the container, type exit. To return to the container created earlier

docker start container_id
docker attach container_id

Hit enter once or twice to see the bash shell.

Update the apt-get package cache

apt-get update

You should now be able to search for and install any missing tools

apt-cache search wget
apt-get install wget

Obtain and untar Buildroot

wget https://buildroot.org/downloads/buildroot-2016.11.2.tar.gz
tar xvzf buildroot-2016.11.2.tar.gz

Install the other core dependencies

apt-get install patch cpio python unzip rsync bc bzip2 ncurses-dev git g++

docker-ubuntu-windows-10.PNG

Go ahead and build your Linux system.

Analyzing iBeacon traffic using nRF BLE Sniffer


I’ve been troubleshooting iBeacons lately, and Bluetooth LE Sniffer from Adafruit is my go-to tool for sniffing Bluetooth LE (BLE) traffic such as iBeacon advertisements. iBeacon detection can vary a lot depending on advertisement interval and timing, and signal strength and its variance with distance, line of sight (or lack thereof), interference with other iBeacons etc.

nRF Sniffer software captures all BLE traffic in libpcap format that can be viewed in Wireshark. Its Wireshark dissector has fallen behind and does not work with the latest version of Wireshark. Since I have written Wireshark dissectors in Lua before, I was quickly able to port the native dissector to Lua.

Here’s an iBeacon advertisement dissected using the nordic_ble Lua dissector, and Wireshark’s native btle dissector, on OS X. Note that iBeacon payload proprietary to Apple is not yet decoded by Wireshark’s btle dissector.

btle_adv_ind.png

Using data from the packet shown above, Apple’s proprietary payload, carried in the manufacturer-specific AD structure (AD type 0xFF, company ID 0x004C), has the following format

02 - iBeacon type indicator
15 - length of the fields that follow (21 bytes)
3aa46f0c80784773be800255132aefda - 128-bit proximity UUID
e4f2 - major number (big-endian, 58610)
e4c1 - minor number (big-endian, 58561)
b6 - calibrated TX power at 1 m as a signed (two's complement) byte, here -74 dBm

A filter such as btcommon.eir_ad.entry.data contains e4:f2:e4:c1 selects packets by major and minor number. Note that contains is a substring match over the whole AD entry, so a different beacon whose UUID happens to include those four bytes would match too; combining the filter with the expected UUID bytes makes it specific to one beacon.
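To make the byte layout above concrete, here is an added example (not code from the original post) that parses a BLE advertising payload into its AD structures, picks out the Apple manufacturer-specific entry, decodes the iBeacon fields with the correct byte orders and signedness, and builds the major/minor display filter used above. The advertising data is constructed from the bytes shown in the post, with an assumed Flags structure in front of the manufacturer-specific one; the function and constant names are my own.

```python
"""Parse an iBeacon advertisement (added example, not part of the original post).

Assumed layout, based on the bytes in the post: a Flags AD structure followed by a
manufacturer-specific AD structure (type 0xFF) carrying Apple's company ID 0x004C
and the iBeacon sub-payload 02 15 <UUID> <major> <minor> <tx power>.
"""
import struct
import uuid

AD_TYPE_MANUFACTURER_SPECIFIC = 0xFF
APPLE_COMPANY_ID = 0x004C
IBEACON_TYPE = 0x02
IBEACON_LENGTH = 0x15  # 21 bytes: 16 UUID + 2 major + 2 minor + 1 TX power

# Constructed advertising data built from the bytes shown in the post:
# 02 01 06       Flags AD structure (assumed; LE general discoverable, no BR/EDR)
# 1A FF 4C 00    manufacturer-specific AD structure, 26 bytes, company ID 0x004C (Apple)
# 02 15 ... b6   iBeacon type, length, UUID, major, minor, calibrated TX power
SAMPLE_ADV_DATA = bytes.fromhex(
    "020106"
    "1aff4c00"
    "0215"
    "3aa46f0c80784773be800255132aefda"
    "e4f2" "e4c1" "b6"
)


def parse_ad_structures(data):
    """Split raw advertising data into (ad_type, payload) pairs.

    Each structure is <length><type><payload>, where length counts the type byte.
    A length that runs past the end of the buffer is treated as malformed.
    """
    structures = []
    pos = 0
    while pos < len(data):
        length = data[pos]
        if length == 0:
            break  # zero-length structure: padding, nothing more to parse
        end = pos + 1 + length
        if end > len(data):
            raise ValueError("AD structure at offset %d overruns the data" % pos)
        structures.append((data[pos + 1], bytes(data[pos + 2:end])))
        pos = end
    return structures


def parse_ibeacon(adv_data):
    """Return the iBeacon fields from advertising data, or None if it is not an iBeacon."""
    for ad_type, payload in parse_ad_structures(adv_data):
        if ad_type != AD_TYPE_MANUFACTURER_SPECIFIC or len(payload) < 4:
            continue
        company_id = struct.unpack("<H", payload[:2])[0]  # company ID is little-endian
        if company_id != APPLE_COMPANY_ID:
            continue
        beacon_type, beacon_len = payload[2], payload[3]
        if beacon_type != IBEACON_TYPE or beacon_len != IBEACON_LENGTH:
            continue
        body = payload[4:4 + IBEACON_LENGTH]
        if len(body) != IBEACON_LENGTH:
            raise ValueError("iBeacon payload truncated")
        # UUID, major and minor are big-endian; TX power is a signed byte (dBm at 1 m)
        proximity_uuid = uuid.UUID(bytes=body[:16])
        major, minor, tx_power = struct.unpack(">HHb", body[16:21])
        return {"uuid": str(proximity_uuid), "major": major,
                "minor": minor, "tx_power": tx_power}
    return None


def major_minor_filter(major, minor):
    """Build the Wireshark display filter the post uses to select a beacon by major/minor."""
    raw = struct.pack(">HH", major, minor)
    return "btcommon.eir_ad.entry.data contains " + ":".join("%02x" % b for b in raw)


if __name__ == "__main__":
    beacon = parse_ibeacon(SAMPLE_ADV_DATA)
    print(beacon)
    print(major_minor_filter(beacon["major"], beacon["minor"]))
```

Running the block prints the decoded UUID, major 58610, minor 58561 and a TX power of -74 dBm, then the same contains filter as above. Feeding it a non-Apple or non-iBeacon payload returns None, and a manufacturer entry whose declared iBeacon length does not match the bytes present raises rather than decoding garbage.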

NXP NTAG I2C NFC Forum tag with Bus Pirate


In this post, I use a Bus Pirate v4.0 to interact with an NXP NTAG I2C NFC Forum tag, over the latter’s I2C interface.

Connect Bus Pirate to the tag board as follows

  CLK ↔ SCL
 MOSI ↔ SDA
+3.3V ↔ VCC
  GND ↔ GND
  Vpu ↔ VCC

Switch to I2C mode, hardware implementation, at a clock rate of 100 kHz

HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
x. exit(without change)

(1)>4
I2C mode:
 1. Software
 2. Hardware

(1)>2
Set speed:
 1. 100KHz
 2. 400KHz
 3. 1MHz
(1)>1
Ready

Enable power

I2C>W
POWER SUPPLIES ON

Enable pull-ups (the board does not come with any)

I2C>P
Pull-up resistors ON

Search the I2C address space for the tag

I2C>(1)
Searching I2C address space. Found devices at:
0xAA(0x55 W)

Read the 16-byte block at address 0x00, which holds the 7-byte serial number (UID, starting with NXP's manufacturer byte 0x04), the static lock bytes and the NFC Forum capability container (E1 10 6D 00)

I2C>[0xAA 0x00][0xAB r:16]
I2C START BIT
WRITE: 0xAA ACK
WRITE: 0x00 ACK
I2C STOP BIT
I2C START BIT
WRITE: 0xAB ACK
READ: 0x04  ACK 0x47  ACK 0x91  ACK 0x52  ACK 0x56  ACK 0x40  ACK 0x80  ACK 0x00  ACK 0x44  ACK 0x00  ACK 0x00  ACK 0x00  ACK 0xE1  ACK 0x10  ACK 0x6D  ACK 0x00
NACK
I2C STOP BIT

Read a single session register byte: write the session register block address (0xFE) followed by the register index (here 0x00, NC_REG), then read one byte

I2C>[0xAA 0xFE 0x00][0xAB r]
I2C START BIT
WRITE: 0xAA ACK
WRITE: 0xFE ACK
WRITE: 0x00 ACK
I2C STOP BIT
I2C START BIT
WRITE: 0xAB ACK
READ: 0x01
NACK
I2C STOP BIT
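As an added example (not code from the original post), the following Python builds the Bus Pirate macros used above for any block or session register, parses the bytes back out of the Bus Pirate transcript, and decodes block 0. It assumes the tag answers at 8-bit address 0xAA (7-bit 0x55), that block 0 is laid out as a 7-byte UID, three internal bytes, two static lock bytes and a 4-byte capability container, and that the session registers at block 0xFE are indexed NC_REG first; the transcript is copied from the post and the function names are my own.

```python
"""Decode the Bus Pirate I2C session with an NTAG I2C tag (added example, not
part of the original post).

Assumptions: 8-bit write address 0xAA (0x55 7-bit); block 0 = 7-byte UID,
3 internal bytes, 2 static lock bytes, 4-byte NFC Forum capability container;
session registers live at block 0xFE with NC_REG at index 0.
"""
import re

TAG_ADDR_8BIT_WRITE = 0xAA
TAG_ADDR_8BIT_READ = TAG_ADDR_8BIT_WRITE | 1  # 0xAB
SESSION_REG_BLOCK = 0xFE
SESSION_REGISTER_NAMES = ["NC_REG", "LAST_NDEF_BLOCK", "SRAM_MIRROR_BLOCK",
                          "WDT_LS", "WDT_MS", "I2C_CLOCK_STR", "NS_REG"]

# Bus Pirate transcript of the 16-byte read of block 0, copied from the post
CAPTURED_BLOCK0_READ = """I2C START BIT
WRITE: 0xAA ACK
WRITE: 0x00 ACK
I2C STOP BIT
I2C START BIT
WRITE: 0xAB ACK
READ: 0x04  ACK 0x47  ACK 0x91  ACK 0x52  ACK 0x56  ACK 0x40  ACK 0x80  ACK 0x00  ACK 0x44  ACK 0x00  ACK 0x00  ACK 0x00  ACK 0xE1  ACK 0x10  ACK 0x6D  ACK 0x00
NACK
I2C STOP BIT"""


def seven_bit_address(addr_8bit_write):
    """Convert the 8-bit write address the Bus Pirate prints (0xAA) to its 7-bit form (0x55)."""
    return addr_8bit_write >> 1


def read_block_command(block):
    """Bus Pirate macro reading one 16-byte block: write the block address, then read 16 bytes."""
    if not 0 <= block <= 0xFF:
        raise ValueError("block address must fit in one byte")
    return "[0x%02X 0x%02X][0x%02X r:16]" % (TAG_ADDR_8BIT_WRITE, block, TAG_ADDR_8BIT_READ)


def read_session_register_command(reg):
    """Bus Pirate macro reading one session register byte through block 0xFE."""
    if not 0 <= reg < len(SESSION_REGISTER_NAMES):
        raise ValueError("unknown session register index %d" % reg)
    return "[0x%02X 0x%02X 0x%02X][0x%02X r]" % (
        TAG_ADDR_8BIT_WRITE, SESSION_REG_BLOCK, reg, TAG_ADDR_8BIT_READ)


def bytes_read(transcript):
    """Extract the bytes the Bus Pirate reported on its READ: lines, in order."""
    out = bytearray()
    for line in transcript.splitlines():
        if line.startswith("READ:"):
            out.extend(int(tok, 16) for tok in re.findall(r"0x([0-9A-Fa-f]{2})", line))
    return bytes(out)


def parse_block0(block):
    """Split block 0 into UID, static lock bytes and the capability container (assumed layout)."""
    if len(block) != 16:
        raise ValueError("expected a 16-byte block")
    cc = block[12:16]
    return {
        "uid": block[0:7].hex(),
        "lock_bytes": block[10:12].hex(),
        "cc_magic_ok": cc[0] == 0xE1,         # NFC Forum Type 2 tag marker
        "cc_version": "%d.%d" % (cc[1] >> 4, cc[1] & 0x0F),
        "data_area_bytes": cc[2] * 8,         # CC byte 2 counts 8-byte units
        "cc_access": cc[3],                   # 0x00: read and write allowed
    }


if __name__ == "__main__":
    print(read_block_command(0x00), read_session_register_command(0x00))
    print(parse_block0(bytes_read(CAPTURED_BLOCK0_READ)))
```

For the capture above this reports UID 04479152564080, lock bytes 0000 and a capability container advertising version 1.0, 872 bytes of data area and unrestricted access. The same bytes_read helper works on the single-byte session register read, which yields 0x01.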