SlideShare uma empresa Scribd logo

Shameful secrets of proprietary network protocols

Slawomir Jasek
Slawomir Jasek

There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices. To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.

Tecnologia
1 de 62
Baixar para ler offline
Shameful secrets of proprietary protocols Sławomir Jasek Jakub Kałużny SecuRing Photo: https://www.flickr.com/photos/ektogamat/2687444500
Who are we ● Pentesters @ ● Security assessments of applications, networks, systems... Sławomir Jasek Jakub Kałużny
Agenda ● Case studies – proprietary protocols – Home automation – Pull printing #1 – Remote desktop – Pull printing #2 – Trading ● Cheatsheet for architects & developers ● How to hack it
Proprietary network protocols • A pentester will encounter one. • Don’t have the protocol specs nor tools to attack it • How to hack it? • decompile the client? • search for some tools? • watch the raw packets? • Let’s try! https://www.flickr.com/photos/canonsnapper/2566562866
Home automation remote control ● „Plug the device, configure your router for port forwarding (and dynamic dns if necessary), set password.” ● Proprietary TCP protocol, direct connection from Internet to device, password protected access http://www.flickr.com/photos/99832244@N07/9436065073/
Protocol – a few packets ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 02 01 00 00 a9 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 0c 02 00 00 a4 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 aa 53 41 02 01 01 f0 f1 f1 f1 f1 00 be f1 f1 00 .SA..... ........ c4 00 e1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 ........ ........ f1 f1 f1 00 64 00 00 00 01 00 f0 f0 0a f1 00 02 ....d... ........ 0f 0f e7 S E R V E R C L I E N T
And what if we change the password? Password 1: Password 2 Password 3
Home automation protocol Internal command (5 bytes) MD5(password) – first 10 bytes Status returned by the appliance (sensors, settings, etc).
Home automation - failures ● Sniffing ● MITM ● Connect directly to the appliance - sniffed hash is enough ● Recommendation: SSL!
Home automation - SSL ● Vendor: OK, we have added SSL support! sslcontext = SSLContext.getInstance("TLS"); atrustmanager = new TrustManager[1]; atrustmanager[0] = new EasyX509TrustManager(null); sslcontext.init(null, atrustmanager, null); • Empty TrustManager – accepts all certificates
Side effect How to build your own appliance: socat tcp4-listen:1234,fork,readbytes=5 /dev/ttyUSB0,vmin=51
Side effect And for the new version with SSL support: socat openssl-listen:1234,key=s.key, cert=s.crt,verify=0,fork,readbytes=5 /dev/ttyUSB0,vmin=51
Pull Printing Solutions
Why hack pull printing? • Widely used • Confidential data • Getting popular
Threat modelling – key risks sniffing print queues accountability users’ data
Attack vectors Other users’ data Access to other print queues Sniffing, MITM Authorization bypass User/admin interface vulnerabilities
Pull Printing #1 – access control “With its roots in education and the full understanding that college kids “like to hack”, our development processes continually focus on security.”
Pull Printing #1 – access control “With its roots in education and the full understanding that college kids “like to hack”, our development processes continually focus on security.” “Secure print release (…) can integrate card-swipe user authentication at devices (…) ensuring jobs are only printed when the collecting user is present.”
Pull Printing #1 – binary protocol S E R V E R P R I N T E R HELLO USER: user1 token HASH(password + token) Password ok Release my print queue OK Just copied 100 pages
Pull Printing #1 – closer look Release my print queue Just copied 100 pages User permissions beginDeviceTransaction (…) guest-xyz S E R V E R P R I N T E R
Charge user “guest-xyz” for copying 100 pages Pull Printing #1 – closer look Release my print queue Just copied 100 pages User permissions beginDeviceTransaction (…) guest-xyz Release print queue for user “guest-xyz” S E R V E R P R I N T E R
Pull printing #1 - consequences sniffing print queues accountability users’ data
Pull printing #1 - vendor gets notified • Gave access to KB and support service • And all versions of software • Responded in few hours and patched in few days • Was happy to be pentested
Remote desktop protocol ● X-win „on steroids” (encryption, compression, access control...) ● Mainframe access for critical business operations ● „More than 100,000 users around the world” ● „Prevents unauthorized eavesdropping FIPS 140-2 Validated End-to-end data encryption” http://en.wikipedia.org/wiki/X_Window_System_protocols_and_architecture
Remote desktop protocol 00000000 0b 00 00 00 .... C L I E N T S E R V E R 00000000 01 01 00 00 .... 00000004 16 03 00 00 6d 01 00 00 69 03 00 52 8d e8 02 cf ....m... i..R.... 00000014 88 d3 96 14 f4 a3 7c 47 f3 0d 85 57 58 d6 c9 f7 ......|G ...WX... 00000024 18 24 95 15 2e 05 82 27 b7 1e ff 00 00 42 00 3a .$.....' .....B.: 00000034 00 39 00 38 00 35 00 34 00 33 00 32 00 2f 00 1b .9.8.5.4 .3.2./.. 00000044 00 1a 00 19 00 18 00 17 00 16 00 15 00 14 00 13 ........ ........ 00000054 00 12 00 11 00 0a 00 09 00 08 00 07 00 06 00 05 ........ ........ SSL
Remote desktop protocol 00000000 0b 00 00 00 .... C L I E N T S E R V E R 00000000 01 01 00 00 .... 00000000 01 00 00 00 ....00000000 01 00 00 00 .... LOGIN ENCODED PASSWORD Protocol version without encryption
Password Encoding key / algorithm? 54657374696e6750617373776f72643132333454657374696e6750617373776f7264 1c101e1900000032080117572c1d095c475d5d3704071d060014702d1a1e1e1b1700 Cleartext password: TestingPassword1234TestingPassword Encoded password
Password 54657374696e6750617373776f72643132333454657374696e6750617373776f7264 XOR 1c101e1900000032080117572c1d095c475d5d3704071d060014702d1a1e1e1b1700 = 48756d6d696e676269726420436f6d6d756e69636174696f6e73204c696d69746564 Cleartext password: TestingPassword1234TestingPassword Encoded password Encoded password is the vendor's name: [redacted] Communications Limited
Remote Desktop - SSL C L I E N T CLIENTHELLO! cipher suites: SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA (...) default configuration SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA OK, no problem! You have to be the right server if you say so, don’t you?
Remote Desktop - SSL C L I E N T CLIENTHELLO! certificates configured SERVERHELLO! Certificate Non-anonymous cipher suites: (...) 1st connection: OK, certificate stored! Following connections: OK, certificate valid / ALERT: MITM ATTACK!
Remote Desktop - SSL C L I E N T CLIENTHELLO! certificates configured SERVERHELLO! Certificate Non-anonymous cipher suites: (...) 1st connection: OK, certificate stored! Following connections: OK, certificate valid / ALERT: MITM ATTACK! SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA I have your certificate, but since you don’t offer it any more, I won’t check it. OK, let’s connect!
Remote desktop protocol - vendor ● „We don’t know PGP, use zip with our CEO’s name as password” ● Do not plan to solve the issues (?) ● > /dev/null 2>&1 ● Full disclosure! ● ... and a few weeks later the mysterious shut down of our beloved ;)
Pull Printing #2 - encryption “is a modern printing solution that safeguards document confidentiality and unauthorized access to print, scan, copy and e-mail functions. Its user-authentication provides air-tight security on your shared MFPs that function as personal printers.”
Vendor ensures „Documents are delivered only into the right hands” „Information is kept confidential. No risk of being left unattended at the printer” „Document collection is safe anytime and anywhere — no “print and sprint”.” „Integration with other enterprise applications and workflows is kept secure through single sign-on”
Pull Printing #2 – binary protocol First look on communication: • TCP, 2 ports • No cleartext, no SSL • Seems to follow some scheme…
Ex1: Deeper sight on traffic S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode
Ex1: Deeper sight on traffic S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode https://en.wikipedia.org/wiki/ECB_mode
Pull Printing #2 - Reverse-engineered • Hardcoded RSA certificate in printer embedded software • No trust store • AES-128 ECB used for traffic encryption • Same protocol in admin interface
Pull Printing #2 - Consequences sniffing print queues accountability users’ data
“Many of the devices do not have the CPU power that allows a fast login response and at the same time establish a high security level” Pull Printing #1 - vendor gets notified
“Many of the devices do not have the CPU power that allows a fast login response and at the same time establish a high security level” For example changing ECB to CBC mode encryption will be more CPU intensive and introducing that may cause slower performance of the devices, which the customers are very reluctant to see implemented.” Pull Printing #1 - vendor gets notified
“Many of the devices do not have the CPU power that allows a fast login response and at the same time establish a high security level” For example changing ECB to CBC mode encryption will be more CPU intensive and introducing that may cause slower performance of the devices, which the customers are very reluctant to see implemented.” Pull Printing #1 - vendor gets notified “(…) system has been deployed at many high security customers and has passed internal audits.”
Trading protocol ● An online application for instant financial operations ● A proprietary, binary protocol, designed in order to minimise delays ● TCP in SSL tunnel https://www.flickr.com/photos/tradingrichmom/5571144428/
Trading protocol – a few packets
Trading protocol – a few packets
Trading protocol – a few packets
Trading protocol – a few packets
Trading protocol – a few packets
Thats interesting!
Thats interesting!
And what if we...
And how about...
RegisterUser <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <registerUserReturn xsi:type="xsd:string"> &lt;error code=&quot;266&quot; &gt;Incorrect login&lt;/error&gt; </registerUserReturn> </registerUserResponse> </soapenv:Body> • Incorrect password • Incorrect first name • Group with name null doesn't exist • Group with name admin doesn't exist • Group with name Administrator doesn't exist • And how about „root”?
Game Over <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <registerUserReturn xsi:type="xsd:string"> User was registered sucessfully with id=5392745 </registerUserReturn> </registerUserResponse> </soapenv:Body> So now we can manage all the other accounts and spend their money!
Architecture
Cheat sheet – owners While deploying a proprietary solution: • Get it pentested • Verify vendor claims • Ask the vendor for secure development lifecycle, procedures of addressing vulnerabilities, previous bugs
Cheat sheet - developers ● Protocol is NOT secure by its secrecy ● Proper encryption. Use known standards, implement them with care. ● Input validation, access control, many layers of security, least privilege principle...
How to hack protocols? Decompile client? Inject code? Search for the specs? Use some tools? Watch the packets? https://www.flickr.com/photos/nkphillips/2865781749
Decompile client ● Sometimes easy – e.g. not obfuscated Android application byte abyte3[] = pass.getBytes(); byte abyte4[] = MessageDigest.getInstance("MD5").digest(abyte3); ● Sometimes really hard & time consuming. ● May be fun, but often leads astray: Sywek1?-# 45Schtirlitz&Pianistka
Look for the fine manual ● There may be an unofficial client, or e.g. wireshark plugin ● Ask for the docs  ● Search for them – Yes, we have found internal protocol specification by google hacking!
Watch the packets ● Various tools to analyze proprietary protocols – time consuming, usually do not work ● Raw, just try to spot some scheme – of course with a little help of your friends: wireshark, tcpdump, ssldump etc. ● Your favourite scripting language
The end? slawomir.jasek@securing.pl jakub.kaluzny@securing.pl www.securing.pl Work with us! careers@securing.pl Talk with us! you are welcome to our stand!

Recomendados

IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hackSlawomir Jasek
 
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy toolGattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy toolSlawomir Jasek
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Positive Hack Days
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
Home Automation Benchmarking Report
Home Automation Benchmarking ReportHome Automation Benchmarking Report
Home Automation Benchmarking ReportSynack
 

Recomendados

IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hackSlawomir Jasek
 
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy toolGattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy toolSlawomir Jasek
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Positive Hack Days
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
Home Automation Benchmarking Report
Home Automation Benchmarking ReportHome Automation Benchmarking Report
Home Automation Benchmarking ReportSynack
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...RootedCON
 
The New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksThe New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksPriyanka Aash
 
Internet of things (IoT) Architecture Security Analysis
Internet of things (IoT) Architecture Security AnalysisInternet of things (IoT) Architecture Security Analysis
Internet of things (IoT) Architecture Security AnalysisDaksh Raj Chopra
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones HijackingPriyanka Aash
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysPriyanka Aash
 
IoT on Raspberry Pi
IoT on Raspberry PiIoT on Raspberry Pi
IoT on Raspberry PiJohn Staveley
 
Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Akash Thakur
 
[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan NovikovOWASP Russia
 
Holland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videoHolland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videorobbuddingh
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsPriyanka Aash
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3qqlan
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCSlawomir Jasek
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Wireless security
Wireless securityWireless security
Wireless securityAurobindo Nayak
 
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015CODE BLUE
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreveerababu penugonda(Mr-IoT)
 
Esp8266 basics
Esp8266 basicsEsp8266 basics
Esp8266 basicsEueung Mulyana
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 

Mais conteúdo relacionado

Mais procurados

D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...RootedCON
 
The New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksThe New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksPriyanka Aash
 
Internet of things (IoT) Architecture Security Analysis
Internet of things (IoT) Architecture Security AnalysisInternet of things (IoT) Architecture Security Analysis
Internet of things (IoT) Architecture Security AnalysisDaksh Raj Chopra
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones HijackingPriyanka Aash
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysPriyanka Aash
 
Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Akash Thakur
 
[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan NovikovOWASP Russia
 
Holland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videoHolland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videorobbuddingh
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsPriyanka Aash
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3qqlan
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCSlawomir Jasek
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015CODE BLUE
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 

Mais procurados (20)

D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
 
The New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksThe New Landscape of Airborne Cyberattacks
The New Landscape of Airborne Cyberattacks
 
Internet of things (IoT) Architecture Security Analysis
Internet of things (IoT) Architecture Security AnalysisInternet of things (IoT) Architecture Security Analysis
Internet of things (IoT) Architecture Security Analysis
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones Hijacking
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
 
IoT on Raspberry Pi
IoT on Raspberry PiIoT on Raspberry Pi
IoT on Raspberry Pi
 
Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266
 
[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov
 
Holland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videoHolland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_video
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFC
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Wireless security
Wireless securityWireless security
Wireless security
 
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
Esp8266 basics
Esp8266 basicsEsp8266 basics
Esp8266 basics
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
 

Semelhante a Shameful secrets of proprietary network protocols

CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesFelipe Prado
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT securityJulien Vermillard
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sRevisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sOlga Kochetova
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakesJustin Black
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 

Semelhante a Shameful secrets of proprietary network protocols (20)

CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sRevisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’s
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakes
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 

Mais de Slawomir Jasek

Hardwear.io 2018 BLE Security Essentials workshop
Hardwear.io 2018 BLE Security Essentials workshopHardwear.io 2018 BLE Security Essentials workshop
Hardwear.io 2018 BLE Security Essentials workshopSlawomir Jasek
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
 
Hacking Bluetooth Smart
Hacking Bluetooth SmartHacking Bluetooth Smart
Hacking Bluetooth SmartSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Jak włamałem się do banku
Jak włamałem się do bankuJak włamałem się do banku
Jak włamałem się do bankuSlawomir Jasek
 
Testowanie bezpieczeństwa aplikacji mobilnych
Testowanie bezpieczeństwa aplikacji mobilnychTestowanie bezpieczeństwa aplikacji mobilnych
Testowanie bezpieczeństwa aplikacji mobilnychSlawomir Jasek
 
(Nie)bezpieczenstwo aplikacji mobilnych
(Nie)bezpieczenstwo aplikacji mobilnych(Nie)bezpieczenstwo aplikacji mobilnych
(Nie)bezpieczenstwo aplikacji mobilnychSlawomir Jasek
 

Mais de Slawomir Jasek (7)

Hardwear.io 2018 BLE Security Essentials workshop
Hardwear.io 2018 BLE Security Essentials workshopHardwear.io 2018 BLE Security Essentials workshop
Hardwear.io 2018 BLE Security Essentials workshop
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless card
 
Hacking Bluetooth Smart
Hacking Bluetooth SmartHacking Bluetooth Smart
Hacking Bluetooth Smart
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Jak włamałem się do banku
Jak włamałem się do bankuJak włamałem się do banku
Jak włamałem się do banku
 
Testowanie bezpieczeństwa aplikacji mobilnych
Testowanie bezpieczeństwa aplikacji mobilnychTestowanie bezpieczeństwa aplikacji mobilnych
Testowanie bezpieczeństwa aplikacji mobilnych
 
(Nie)bezpieczenstwo aplikacji mobilnych
(Nie)bezpieczenstwo aplikacji mobilnych(Nie)bezpieczenstwo aplikacji mobilnych
(Nie)bezpieczenstwo aplikacji mobilnych
 

Último

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

Shameful secrets of proprietary network protocols

  • 1. Shameful secrets of proprietary protocols Sławomir Jasek Jakub Kałużny SecuRing Photo: https://www.flickr.com/photos/ektogamat/2687444500
  • 2. Who are we ● Pentesters @ ● Security assessments of applications, networks, systems... Sławomir Jasek Jakub Kałużny
  • 3. Agenda ● Case studies – proprietary protocols – Home automation – Pull printing #1 – Remote desktop – Pull printing #2 – Trading ● Cheatsheet for architects & developers ● How to hack it
  • 4. Proprietary network protocols • A pentester will encounter one. • Don’t have the protocol specs nor tools to attack it • How to hack it? • decompile the client? • search for some tools? • watch the raw packets? • Let’s try! https://www.flickr.com/photos/canonsnapper/2566562866
  • 5. Home automation remote control ● „Plug the device, configure your router for port forwarding (and dynamic dns if necessary), set password.” ● Proprietary TCP protocol, direct connection from Internet to device, password protected access http://www.flickr.com/photos/99832244@N07/9436065073/
  • 6. Protocol – a few packets ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 02 01 00 00 a9 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 0c 02 00 00 a4 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 aa 53 41 02 01 01 f0 f1 f1 f1 f1 00 be f1 f1 00 .SA..... ........ c4 00 e1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 ........ ........ f1 f1 f1 00 64 00 00 00 01 00 f0 f0 0a f1 00 02 ....d... ........ 0f 0f e7 S E R V E R C L I E N T
  • 7. And what if we change the password? Password 1: Password 2 Password 3
  • 8. Home automation protocol Internal command (5 bytes) MD5(password) – first 10 bytes Status returned by the appliance (sensors, settings, etc).
  • 9. Home automation - failures ● Sniffing ● MITM ● Connect directly to the appliance - sniffed hash is enough ● Recommendation: SSL!
  • 10. Home automation - SSL ● Vendor: OK, we have added SSL support! sslcontext = SSLContext.getInstance("TLS"); atrustmanager = new TrustManager[1]; atrustmanager[0] = new EasyX509TrustManager(null); sslcontext.init(null, atrustmanager, null); • Empty TrustManager – accepts all certificates
  • 11. Side effect How to build your own appliance: socat tcp4-listen:1234,fork,readbytes=5 /dev/ttyUSB0,vmin=51
  • 12. Side effect And for the new version with SSL support: socat openssl-listen:1234,key=s.key, cert=s.crt,verify=0,fork,readbytes=5 /dev/ttyUSB0,vmin=51
  • 14. Why hack pull printing? • Widely used • Confidential data • Getting popular
  • 15. Threat modelling – key risks sniffing print queues accountability users’ data
  • 16. Attack vectors Other users’ data Access to other print queues Sniffing, MITM Authorization bypass User/admin interface vulnerabilities
  • 17. Pull Printing #1 – access control “With its roots in education and the full understanding that college kids “like to hack”, our development processes continually focus on security.”
  • 18. Pull Printing #1 – access control “With its roots in education and the full understanding that college kids “like to hack”, our development processes continually focus on security.” “Secure print release (…) can integrate card-swipe user authentication at devices (…) ensuring jobs are only printed when the collecting user is present.”
  • 19. Pull Printing #1 – binary protocol S E R V E R P R I N T E R HELLO USER: user1 token HASH(password + token) Password ok Release my print queue OK Just copied 100 pages
  • 20. Pull Printing #1 – closer look Release my print queue Just copied 100 pages User permissions beginDeviceTransaction (…) guest-xyz S E R V E R P R I N T E R
  • 21. Charge user “guest-xyz” for copying 100 pages Pull Printing #1 – closer look Release my print queue Just copied 100 pages User permissions beginDeviceTransaction (…) guest-xyz Release print queue for user “guest-xyz” S E R V E R P R I N T E R
  • 22. Pull printing #1 - consequences sniffing print queues accountability users’ data
  • 23. Pull printing #1 - vendor gets notified • Gave access to KB and support service • And all versions of software • Responded in few hours and patched in few days • Was happy to be pentested
  • 24. Remote desktop protocol ● X-win „on steroids” (encryption, compression, access control...) ● Mainframe access for critical business operations ● „More than 100,000 users around the world” ● „Prevents unauthorized eavesdropping FIPS 140-2 Validated End-to-end data encryption” http://en.wikipedia.org/wiki/X_Window_System_protocols_and_architecture
  • 25. Remote desktop protocol 00000000 0b 00 00 00 .... C L I E N T S E R V E R 00000000 01 01 00 00 .... 00000004 16 03 00 00 6d 01 00 00 69 03 00 52 8d e8 02 cf ....m... i..R.... 00000014 88 d3 96 14 f4 a3 7c 47 f3 0d 85 57 58 d6 c9 f7 ......|G ...WX... 00000024 18 24 95 15 2e 05 82 27 b7 1e ff 00 00 42 00 3a .$.....' .....B.: 00000034 00 39 00 38 00 35 00 34 00 33 00 32 00 2f 00 1b .9.8.5.4 .3.2./.. 00000044 00 1a 00 19 00 18 00 17 00 16 00 15 00 14 00 13 ........ ........ 00000054 00 12 00 11 00 0a 00 09 00 08 00 07 00 06 00 05 ........ ........ SSL
  • 26. Remote desktop protocol 00000000 0b 00 00 00 .... C L I E N T S E R V E R 00000000 01 01 00 00 .... 00000000 01 00 00 00 ....00000000 01 00 00 00 .... LOGIN ENCODED PASSWORD Protocol version without encryption
  • 27. Password Encoding key / algorithm? 54657374696e6750617373776f72643132333454657374696e6750617373776f7264 1c101e1900000032080117572c1d095c475d5d3704071d060014702d1a1e1e1b1700 Cleartext password: TestingPassword1234TestingPassword Encoded password
  • 29. Remote Desktop - SSL C L I E N T CLIENTHELLO! cipher suites: SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA (...) default configuration SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA OK, no problem! You have to be the right server if you say so, don’t you?
  • 30. Remote Desktop - SSL C L I E N T CLIENTHELLO! certificates configured SERVERHELLO! Certificate Non-anonymous cipher suites: (...) 1st connection: OK, certificate stored! Following connections: OK, certificate valid / ALERT: MITM ATTACK!
  • 31. Remote Desktop - SSL C L I E N T CLIENTHELLO! certificates configured SERVERHELLO! Certificate Non-anonymous cipher suites: (...) 1st connection: OK, certificate stored! Following connections: OK, certificate valid / ALERT: MITM ATTACK! SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA I have your certificate, but since you don’t offer it any more, I won’t check it. OK, let’s connect!
  • 32. Remote desktop protocol - vendor ● „We don’t know PGP, use zip with our CEO’s name as password” ● Do not plan to solve the issues (?) ● > /dev/null 2>&1 ● Full disclosure! ● ... and a few weeks later the mysterious shut down of our beloved ;)
  • 33. Pull Printing #2 - encryption “is a modern printing solution that safeguards document confidentiality and unauthorized access to print, scan, copy and e-mail functions. Its user-authentication provides air-tight security on your shared MFPs that function as personal printers.”
  • 34. Vendor ensures „Documents are delivered only into the right hands” „Information is kept confidential. No risk of being left unattended at the printer” „Document collection is safe anytime and anywhere — no “print and sprint”.” „Integration with other enterprise applications and workflows is kept secure through single sign-on”
  • 35. Pull Printing #2 – binary protocol First look on communication: • TCP, 2 ports • No cleartext, no SSL • Seems to follow some scheme…
  • 36. Ex1: Deeper sight on traffic S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode
  • 37. Ex1: Deeper sight on traffic S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode https://en.wikipedia.org/wiki/ECB_mode
  • 38. Pull Printing #2 - Reverse-engineered • Hardcoded RSA certificate in printer embedded software • No trust store • AES-128 ECB used for traffic encryption • Same protocol in admin interface
  • 39. Pull Printing #2 - Consequences sniffing print queues accountability users’ data
  • 40. “Many of the devices do not have the CPU power that allows a fast login response and at the same time establish a high security level” Pull Printing #1 - vendor gets notified
  • 41. “Many of the devices do not have the CPU power that allows a fast login response and at the same time establish a high security level” For example changing ECB to CBC mode encryption will be more CPU intensive and introducing that may cause slower performance of the devices, which the customers are very reluctant to see implemented.” Pull Printing #1 - vendor gets notified
  • 42. “Many of the devices do not have the CPU power that allows a fast login response and at the same time establish a high security level” For example changing ECB to CBC mode encryption will be more CPU intensive and introducing that may cause slower performance of the devices, which the customers are very reluctant to see implemented.” Pull Printing #1 - vendor gets notified “(…) system has been deployed at many high security customers and has passed internal audits.”
  • 43. Trading protocol ● An online application for instant financial operations ● A proprietary, binary protocol, designed in order to minimise delays ● TCP in SSL tunnel https://www.flickr.com/photos/tradingrichmom/5571144428/
  • 44. Trading protocol – a few packets
  • 45. Trading protocol – a few packets
  • 46. Trading protocol – a few packets
  • 47. Trading protocol – a few packets
  • 48. Trading protocol – a few packets
  • 51. And what if we...
  • 53. RegisterUser <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <registerUserReturn xsi:type="xsd:string"> &lt;error code=&quot;266&quot; &gt;Incorrect login&lt;/error&gt; </registerUserReturn> </registerUserResponse> </soapenv:Body> • Incorrect password • Incorrect first name • Group with name null doesn't exist • Group with name admin doesn't exist • Group with name Administrator doesn't exist • And how about „root”?
  • 54. Game Over <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <registerUserReturn xsi:type="xsd:string"> User was registered sucessfully with id=5392745 </registerUserReturn> </registerUserResponse> </soapenv:Body> So now we can manage all the other accounts and spend their money!
  • 56. Cheat sheet – owners While deploying a proprietary solution: • Get it pentested • Verify vendor claims • Ask the vendor for secure development lifecycle, procedures of addressing vulnerabilities, previous bugs
  • 57. Cheat sheet - developers ● Protocol is NOT secure by its secrecy ● Proper encryption. Use known standards, implement them with care. ● Input validation, access control, many layers of security, least privilege principle...
  • 58. How to hack protocols? Decompile client? Inject code? Search for the specs? Use some tools? Watch the packets? https://www.flickr.com/photos/nkphillips/2865781749
  • 59. Decompile client ● Sometimes easy – e.g. not obfuscated Android application byte abyte3[] = pass.getBytes(); byte abyte4[] = MessageDigest.getInstance("MD5").digest(abyte3); ● Sometimes really hard & time consuming. ● May be fun, but often leads astray: Sywek1?-# 45Schtirlitz&Pianistka
  • 60. Look for the fine manual ● There may be an unofficial client, or e.g. wireshark plugin ● Ask for the docs  ● Search for them – Yes, we have found internal protocol specification by google hacking!
  • 61. Watch the packets ● Various tools to analyze proprietary protocols – time consuming, usually do not work ● Raw, just try to spot some scheme – of course with a little help of your friends: wireshark, tcpdump, ssldump etc. ● Your favourite scripting language
  • 62. The end? slawomir.jasek@securing.pl jakub.kaluzny@securing.pl www.securing.pl Work with us! careers@securing.pl Talk with us! you are welcome to our stand!