
Burp-ing through your cryptography shield


Presented by Cosmin Radu at DefCamp #9, Bucharest, Romania, November 8-9th 2018.

The slides and other presentations can be found on https://def.camp/archive



  1. Burp-ing through your cryptography shield (08.11.2018, © Atos)
  2. Who am I?
  3. | 08.11.2018 | Cosmin Radu | © Atos Atos Romania | ~# whoami&&id
     ▶ root
       uid=0(root) gid=0(root) groups=0(root)
     ▶ Work and education:
       ▪ Pentester @Atos Romania
       ▪ BEng @University “Politehnica” of Bucharest
       ▪ MEng @University “Politehnica” of Bucharest
       ▪ MSc @Bucharest Academy of Economic Studies
       ▪ Member @Romanian Security Team community
       ▪ Speaker @DefCamp 2017 && @OWASP RO 2018
       ▪ CEH
     ▶ Interests:
       ▪ Web App Security
       ▪ Infra Security
       ▪ IoT Device Security
     ▶ Contact: @matasareanu13
  4. Glossary ☺
  5. What is Burp-ing?
     ▶ Burping (also known as belching, ructus, eruptus or eructation) is the release of gas from the digestive tract (mainly the esophagus and stomach) through the mouth.
  6. What is Burp-ing? (no extractable text)
  7. What is Burp? (no extractable text; Burp Suite is PortSwigger's intercepting proxy and web application testing toolkit)
  8. What is a Thick Client?
     ▶ A thick client, also known as a fat client, is a client in a client–server architecture or network that typically provides rich functionality independent of the server. In these applications most of the processing is done on the client side, and the client connects to the server only intermittently.
  9. What is the problem?
  10. What is the problem at hand?
     ▶ Be on a pentest assignment with a thick client in front of you
     ▶ Set up Burp as a system proxy
     ▶ Manage to finally intercept requests
     ▶ Cool – SOAP requests
     ▶ Stumble upon gibberish in the requests and responses of the application
  11. (no extractable text)
  12. What to do? Decompile the .NET application (managed assemblies decompile back to readable C#, e.g. with ILSpy or dnSpy)
  13. What to do?
     ▶ Find the encryption method used
  14. What to do? (no extractable text)
  15. What to do? Find the IV and the Key ☺
  16. CyberChef: decrypt one captured blob by hand with the recovered key and IV, which confirms they are right before any code is written
  17. Results ☺
     ▶ We are starting to get there ☺
     ▶ But decrypting, decoding, modifying the parameters, re-encoding and re-encrypting by hand for each request and for each payload gets old very fast.
  18. (no extractable text)
  19. My Google Fu isn’t providing
  20. (no extractable text)
  21. Writing a Burp extension ☺
     ▶ Getting started:
       – “Easy” way to extend Burp features
       – Basic steps:
  22. Writing a Burp extension ☺ (continued; same text as slide 21)
  23. Writing a Burp extension ☺
     Get more info about writing an extension. Learn by example ☺ https://portswigger.net/burp/extender#SampleExtensions
  24. Writing a Burp extension ☺ – Decide which language you will use (Burp Extender supports Java, Python via Jython and Ruby via JRuby)
  25. Writing a Burp extension ☺ – Jython it is ☺
  26. Writing a Burp extension ☺ – Start from something they built; it’s always easier ☺ https://portswigger.net/blog/sample-burp-suite-extension-custom-editor-tab
  27. Writing a Burp extension ☺
     ▶ The encrypted values are found in SOAP requests under two XML tags:
       – <writeObj>
       – <readObj>
       – First step is to look for the pattern:
  28. Writing a Burp extension ☺ – Decrypt the payload ☺ Don’t be that fast: PyCrypto doesn’t want to work in Jython (its ciphers are C extensions, which the JVM-hosted Jython cannot load)
  29. Writing a Burp extension ☺ (continued; same text as slide 28)
  30. Writing a Burp extension ☺ – jycrypto, a PyCrypto-style API for Jython: https://github.com/csm/jycrypto
  31. Writing a Burp extension ☺ (no extractable text)
  32. Writing a Burp extension ☺
     ▶ You now have .NET serialized objects… (the decrypted payload is a .NET BinaryFormatter stream, not readable text) And now the struggle of Google-ing begins again…
  33. Writing a Burp extension ☺
     ▶ https://github.com/agix/NetBinaryFormatterParser
  34. Writing a Burp extension ☺ (no extractable text)
  35. Writing a Burp extension ☺ (no extractable text)
  36. Writing a Burp extension ☺
     ▶ Problem and solution:
       – Burp’s Java stack trace doesn’t provide any help when using Jython!
       – Here comes the solution: https://github.com/securityMB/burp-exceptions
       – Put the file in your project folder
       – Import it in your code:
       – Call it in the end:
       – Now any Python exception is shown, with its Python traceback, in the Extender Output tab of Burp
  37. (no extractable text)
  38. (no extractable text)
  39. Questions? And let’s hope some answers ☺
  40. Thanks
     For more information: contact@cosminr.me, @Matasareanu13, github.com/Matasareanu. Or you know, in person ☺
     Atos, the Atos logo, Atos Codex, Atos Consulting, Atos Worldgrid, Bull, Canopy, equensWorldline, Unify, Worldline and Zero Email are registered trademarks of the Atos group. November 2018. © 2018 Atos. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos.
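The extension that slides 27 to 31 build up (match the two tags, base64-decode and decrypt the blob, show it in a custom editor tab, re-encrypt whatever was edited) together with the burp-exceptions hook from slide 36, as an added example written for this page; it is not the talk's extension. Assumptions not stated on the slides: the blob is base64 of AES-CBC with PKCS#5 padding, the key and IV are constants (KEY_HEX and IV_HEX below are placeholders standing in for the values recovered from the decompiled client), and javax.crypto is called directly instead of through jycrypto, whose API the slides do not show. The extension name, the tab caption "Decrypted", the class and function names, and the decision to handle both elements in one pass are this example's own.

```jython
# Added example for this page, not the talk's own extension; see the lead-in for
# assumptions. Jython Burp extension: "Decrypted" editor tab for SOAP messages
# with encrypted <writeObj>/<readObj> payloads (assumed base64 + AES-CBC/PKCS#5).
import re
import sys
from jarray import array

from burp import IBurpExtender, IMessageEditorTab, IMessageEditorTabFactory
from javax.crypto import Cipher
from javax.crypto.spec import IvParameterSpec, SecretKeySpec
# exceptions_fix.py from https://github.com/securityMB/burp-exceptions, placed
# next to this script, so Python tracebacks reach the Extender Output tab.
from exceptions_fix import FixBurpExceptions

KEY_HEX = "000102030405060708090a0b0c0d0e0f"  # placeholder: key from the decompiled client
IV_HEX = "0f0e0d0c0b0a09080706050403020100"   # placeholder: IV from the decompiled client
# Content of either element; DOTALL because the client may pretty-print the XML.
TAG_RE = re.compile(r"<(writeObj|readObj)>(.*?)</\1>", re.S)


def hex_to_java_bytes(hexstr):
    # Java byte[] from hex; jarray 'b' elements are signed, hence the wrap.
    vals = [int(hexstr[i:i + 2], 16) for i in range(0, len(hexstr), 2)]
    return array([v - 256 if v > 127 else v for v in vals], 'b')


def aes_cbc(mode):
    c = Cipher.getInstance("AES/CBC/PKCS5Padding")
    c.init(mode, SecretKeySpec(hex_to_java_bytes(KEY_HEX), "AES"),
           IvParameterSpec(hex_to_java_bytes(IV_HEX)))
    return c


def transform_payloads(helpers, body, fn):
    # Apply fn to every <writeObj>/<readObj> payload; the rest of the envelope is untouched.
    return TAG_RE.sub(lambda m: "<%s>%s</%s>" % (m.group(1), fn(helpers, m.group(2)), m.group(1)), body)


def decrypt_blob(helpers, b64):
    plain = aes_cbc(Cipher.DECRYPT_MODE).doFinal(helpers.base64Decode(b64.strip()))
    # bytesToString/stringToBytes round-trip byte-for-byte, so a binary
    # plaintext (a .NET BinaryFormatter stream, say) survives the editor.
    return helpers.bytesToString(plain)


def encrypt_blob(helpers, text):
    return helpers.base64Encode(aes_cbc(Cipher.ENCRYPT_MODE).doFinal(helpers.stringToBytes(text)))


class BurpExtender(IBurpExtender, IMessageEditorTabFactory):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        sys.stdout = callbacks.getStdout()  # where FixBurpExceptions prints
        callbacks.setExtensionName("SOAP payload decryptor")
        callbacks.registerMessageEditorTabFactory(self)

    def createNewInstance(self, controller, editable):
        return DecryptedTab(self._callbacks, self._helpers, editable)


class DecryptedTab(IMessageEditorTab):
    def __init__(self, callbacks, helpers, editable):
        self._helpers = helpers
        self._editor = callbacks.createTextEditor()
        self._editor.setEditable(editable)
        self._current = None
        self._headers = None

    def getTabCaption(self):
        return "Decrypted"

    def getUiComponent(self):
        return self._editor.getComponent()

    def isEnabled(self, content, isRequest):
        # Only show the tab for messages that carry one of the two elements.
        return content is not None and TAG_RE.search(self._helpers.bytesToString(content)) is not None

    def setMessage(self, content, isRequest):
        self._current = content
        if content is None:
            self._editor.setText(None)
            return
        info = self._helpers.analyzeRequest(content) if isRequest else self._helpers.analyzeResponse(content)
        self._headers = info.getHeaders()
        body = self._helpers.bytesToString(content)[info.getBodyOffset():]
        self._editor.setText(self._helpers.stringToBytes(transform_payloads(self._helpers, body, decrypt_blob)))

    def getMessage(self):
        if not self._editor.isTextModified():
            return self._current
        body = self._helpers.bytesToString(self._editor.getText())
        # buildHttpMessage recomputes Content-Length for the re-encrypted body.
        return self._helpers.buildHttpMessage(
            self._headers, self._helpers.stringToBytes(transform_payloads(self._helpers, body, encrypt_blob)))

    def isModified(self):
        return self._editor.isTextModified()

    def getSelectedData(self):
        return self._editor.getSelectedText()


FixBurpExceptions()
```

Load it through Extender > Extensions > Add with the extension type set to Python (Burp needs the Jython standalone JAR configured under Extender > Options), and keep exceptions_fix.py either next to the script or in the folder configured there for loading modules. Because the tab round-trips the body byte-for-byte, a decrypted .NET serialized object still shows up as binary in the editor; making that readable is where the parser on slide 33 comes in.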
