Mobile ActiveSync Russian Roulette
Presented by Oliver “deathflu” Greiter



Mobile Activesync Russian Roulette - Kiwicon 09


As the popularity of communication (especially email) using mobile devices increases, so does the risk of data leakage and data theft. This presentation will review Microsoft Mobile ActiveSync, looking at transport layer security, controls enforced on the mobile devices and some potentially lethal fun (to the device anyway).


  1. Mobile ActiveSync Russian Roulette. Presented by Oliver “deathflu” Greiter
  2. Assurance / Oliver Greiter
     - Assurance = compliance { penetration testing/ethical “hacking”, review, audit }, wireless & mobility, UNIX/Windows/network and security consulting/support
     - Oliver = professional bio author and breaker of stuff
  3. Exchange ActiveSync
     - Based on HTML and XML
     - Platforms with Exchange ActiveSync compatible client
     - Allows users to access their e-mail, calendar, contacts, and tasks stored on Exchange server
     - Cheaper solution to implement (at first glance) when compared to other solutions such as BlackBerry
     - “Good” way to encourage (enslave) users to check corporate email on their own time
  4. Simple Diagram
  5. Default security configuration
     - SSL transport layer protection (HTTPS)
     - Basic Auth
     - Device ID
     - “Enforced” Device Security Policy
  6. Sample Sync Request

         POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274&DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1
         Host: autodiscover.dept.gov.au
         Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9
         Accept-Language: en-us
         Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ==
         Expect: 100-continue
         User-Agent: NokiaE61i/2.09(158)MailforExchange
         Content-Type: application/vnd.ms-sync.wbxml
         MS-ASProtocolVersion: 12.1
         X-MS-PolicyKey: 1799664318
         Content-Length: 68

         jEOK1643522697R5U50WX2EF1G3072[1
  14. autodiscover.{domain}.com: Approximately 30% of “Top 500 domains”* had an autodiscover hostname in DNS (*http://www.seomoz.org/top500)
  17. MITM Attack
      - ARP spoof?
      - DNS poisoning?
      - Fake WiFi Hotspot?
      - Port re-direction?
  18. MITM Fun
      - Sniff Traffic - Emails, Contacts, Notes, User credentials (AD domain)
      - Client Request Replay - Generate your own requests and replay them to the server
      - Server Response Replay - Generate your own responses and replay them to the client
  19. Kill Command Replay
  20. Sample kill response

          HTTP/1.1 449 Retry after sending a PROVISION command
          Connection: Keep-Alive
          Date: Fri, 20 Nov 2009 22:29:31 GMT
          Content-Type: text/html
          Server: Microsoft-IIS/6.0
          Cache-Control: private
          X-AspNet-Version: 2.0.50727
          MS-Server-ActiveSync: 8.1
          X-Powered-By: ASP.NET
          Content-Encoding: gzip
          Vary: Accept-Encoding
          Content-Length: 70

          [70-byte gzip-compressed body, not printable]
  23. Symbian OS: Nokia N95, Mail for Exchange v2.9.158
  25. iPhone OS: iPhone 3G, iPhone OS v3.1.2
  27. Windows Mobile 6.1: Dell AXIM X51v PDA, Windows Mobile 6.1
  29. What just happened?
  30. In an ideal world...
      - Valid SSL Certificate on server
      - Unique Client Certificate on each device
      - Device (and storage card) encryption
      - Access restricted to private Cell Network Access Point Name (APN)
      - HTTP Digest authentication
      - Exchange ActiveSync domain segregation
      - User education
  31. Application Improvement: How about introducing session management as a default component of the application?
  32. Where to from here? 3G MITM Attacks?
  33. Danke
      - y011
      - kiwicon crüe
  34. Questions? oliver.greiter@assurance.com.au
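
What the sample Sync request on slide 6 exposes once the TLS layer no longer protects it, as an added example that is not part of the original slides: the function parses the slide's request and reports the reversible Basic credential and the identifiers that do not change from one request to the next. `audit_eas_request` and the report keys are names chosen for this example.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# The slide's sample Sync request (subset of its headers; WBXML body omitted).
SAMPLE_REQUEST = (
    "POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274"
    "&DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1\r\n"
    "Host: autodiscover.dept.gov.au\r\n"
    "Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ==\r\n"
    "User-Agent: NokiaE61i/2.09(158)MailforExchange\r\n"
    "Content-Type: application/vnd.ms-sync.wbxml\r\n"
    "MS-ASProtocolVersion: 12.1\r\n"
    "X-MS-PolicyKey: 1799664318\r\n"
    "Content-Length: 68\r\n\r\n"
)


def audit_eas_request(raw):
    """Report what a plaintext view of one ActiveSync request reveals."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    query = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    report = {
        "cmd": query.get("Cmd"),
        "user": query.get("User"),
        "device_id": query.get("DeviceId"),
        "policy_key": headers.get("x-ms-policykey"),
        # No cookie means nothing ties this request to a server-side session.
        "has_session_cookie": "cookie" in headers,
    }
    scheme, _, token = headers.get("authorization", "").partition(" ")
    report["auth_scheme"] = scheme
    if scheme.lower() == "basic":
        # Basic auth is base64("account:password"): an encoding, not encryption.
        decoded = base64.b64decode(token).decode("utf-8", "replace")
        account, _, password = decoded.partition(":")
        report["account"] = account
        report["password_len"] = len(password)  # report the length, never the secret
    # Values the server relies on that are the same on every request.
    present = {"DeviceId": "DeviceId" in query,
               "Authorization": "authorization" in headers,
               "X-MS-PolicyKey": "x-ms-policykey" in headers}
    report["static_identifiers"] = [name for name, ok in present.items() if ok]
    return report
```
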
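
One way to read slide 31's session-management suggestion against the response replay of slides 18 to 20, as an added sketch that is not from the original slides and is not part of the ActiveSync protocol: each response carries a MAC over the nonce of the request it answers, so a captured 449 response fails verification when replayed later. The `Session` and `Client` classes, the provisioning-time shared key and the tag layout are all assumptions of this example.

```python
import hashlib
import hmac
import os


class Session:
    """Hypothetical per-device session keyed by a secret shared at provisioning."""

    def __init__(self, key):
        self.key = key

    def tag(self, nonce, status, body):
        # Fixed-width fields (16-byte nonce, 2-byte status, 32-byte body hash)
        # keep the MAC input unambiguous.
        msg = nonce + status.to_bytes(2, "big") + hashlib.sha256(body).digest()
        return hmac.new(self.key, msg, hashlib.sha256).digest()


def server_respond(session, nonce, status, body):
    """Server side: bind the response to the nonce of the request it answers."""
    return {"status": status, "body": body, "tag": session.tag(nonce, status, body)}


class Client:
    def __init__(self, session):
        self.session = session
        self.pending = None

    def new_request(self):
        self.pending = os.urandom(16)  # fresh nonce sent with each request
        return self.pending

    def accept(self, response):
        if self.pending is None:
            return False  # unsolicited response
        nonce, self.pending = self.pending, None  # a nonce is good for one response
        expected = self.session.tag(nonce, response["status"], response["body"])
        return hmac.compare_digest(expected, response.get("tag", b""))


def demo():
    session = Session(os.urandom(32))
    client = Client(session)
    body = b"constructed policy body"  # stand-in for the gzip body on slide 20
    kill = server_respond(session, client.new_request(), 449, body)
    genuine = client.accept(kill)       # answers the request just sent
    client.new_request()
    replayed = client.accept(kill)      # same bytes, later request: stale nonce
    client.new_request()
    forged = client.accept({"status": 449, "body": body, "tag": b"\x00" * 32})
    return genuine, replayed, forged
```
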
