
“Tales from the Dark Side” – Dor Tumarkin


Presentation delivered at the DC9723 October Meeting by Dor Tumarkin

DC9723 October 2017 Meeting

When: 24 October 2017, from 19:00 to 22:00
Where: SafeBreach Offices in Tel-Aviv (Yosef Karo 18, 4th floor, Tel Aviv.) NOTICE DIFFERENT LOCATION!

“Review of the Ukraine cyber attack 2015” – Guy Barnhart-Magen
“Tales from the Dark Side” – Dor Tumarkin
"NATO war games, updating crypto vulns in IDs, and other stuff" - Hillar Aarelaid
As always, the talks are free and there is no need to register. Come and bring your friends.

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact

Review of the Ukraine cyber attack 2015 – Guy Barnhart-Magen
The cyber-attack on the Ukraine power grid was unique in that it was made public, not in that it happened.
In this talk, I will discuss some unique characteristics of the attack, its structure, and the possible ramifications.
As this attack was attributed as a “cyber” act of war, the interest in the techniques and the methodology used is considerable.

Tales from the Dark Side – Dor Tumarkin
Information Security is a battle fought on many varied fronts.
Join Dor, a researcher and former consultant, as he shares stories of his team’s astounding victories against the feeble forces of good in “Tales from the Dark Side”.


“Tales from the Dark Side” – Dor Tumarkin

  1. Tales from the Dark Side. Dor Tumarkin, Application Security Researcher, Checkmarx
  2. Presentation Agenda • Introduction • Penetration-Testing, Red-Teaming in a nutshell • COOL STORIES • Questions
  3. • 2.5 years in Cisco Advanced Services • Research New Tricks • Write Reports • Have Fun at Someone Else's Expense
  4. (image-only slide, no text)
  5. Penetration Testing: • Identify all vulnerabilities in a well-defined scope • Exploit and demonstrate risk to the environment • "Can you pick the lock on my front door? Are my windows secure?" Red Team: • Identify all vulnerabilities on a path to a specific goal within an organization • Exploit anything in your way – computers, employees, nice security guards • "Can you steal the jewels from the safe inside this locked building?"
  6. Mind the Air-Gap
  7. Mind the Air-Gap • A Red Team on a big vendor (let's call them E-Corp) • Hundreds of thousands of internet-facing IPs • Behind a firewall, an IPS • Mostly updated • Dozens of web-applications • With Web Application Firewalls • Many interesting vulnerabilities, but no massive show-stoppers • Remote access has 2-factor authentication, so phishing is limited • …And we are looking for a solid way in
  8. Mind the Air-Gap • Multiple "presales labs" – blank demo environments owned by E-Corp, accessible via VPN • One ESX server with multiple virtual E-Corp appliances inside • No sensitive information • No configurations • No access to/from E-Corp's network • …but all passwords are either default or simple (ecorp123) • (diagram of the access layers: VPN, ESX, Remote Desktop, SSH)
  9. Mind the Air-Gap • But what use to us is an empty lab? • Well… • So we log in, aaaand… Boom.
  10. Mind the Air-Gap • This means that the ESX server for this lab is physically in a rack at some E-Corp site • But we're not quite in yet
  11. Mind the Air-Gap • Where are we going to get credentials in an empty lab??? Ooooh nooooo…
  12. Mind the Air-Gap • Account credentials are SSO, and double as Wi-Fi credentials • And we got into corporate, just like that, over the air. • And like every fairy-tale, it had a happy ending… • …where we scored domain admin rights a few days later (LLMNR, etc.)
  13. Conclusions • No such thing as a "useless" or "harmless" environment • Particularly – no such thing as "doesn't need security"! • "Remember my Password" on an untrusted computer in an untrusted lab? Come on, man.
  14. King without a Crown
  15. King without a Crown • Sometimes, though not often, challenges present themselves INSIDE organizations • Endpoint security • Network security • Tripwires • This time the challenges were presented as policies
  16. King without a Crown • We're inside a massive organization – Umbrella Corp. • Main objectives complete with time to spare • Infiltrated from outside • Collected the most prized data – business development and finance • Nobody noticed • Collected a handful of domain user accounts on the way • Secondary objective: own the domain – be a domain administrator!
  17. King without a Crown • We've searched ceaselessly for such accounts or employees by crawling a central management application that manages user accounts • Everything is finely distributed between employees • Company policy – No domain administrators!
  18. King without a Crown • Wait a minute – a central management web-application? • Built using proprietary code! • If it can manage all accounts – then it must have a really powerful Active Directory user! • Maybe even… a domain admin? • Comb the code repositories!
  19. King without a Crown • The dev code repo environment was very easy to find • Code repository contains config files! • Config file contains credentials!
      #LDAP user
      Username=KCD3A08381467823D4013960E75E465F0B00C5E3BAEFBECBB
      Password=JFJA90BVM2ZO0YJF67NQ72YUVN7B71POCZM3098FABVDADG3Q
      • Wait, that doesn't look right…
  20. King without a Crown • Config file contains encrypted credentials • Company policy – passwords at rest MUST be encrypted or hashed
  21. King without a Crown • But the central management web-application isn't the SERVER receiving these credentials • It is a CLIENT of the Active Directory when using them (diagram: User, Web Server, Backend; the web server is a server to the user but a client of the backend) • Password-driven authentication requires Clients to have the actual password!
  22. King without a Crown • The server has to have the credentials in "plaintext" at some point… • Therefore – it must be able to decrypt this file!
  23. King without a Crown 1. Identify what part of the code opens the encrypted credentials config file (*pseudo-code*):
      $filename = 'config.ini';
      open($fh, $filename) or die "Could not open file '$filename'!";
  24. King without a Crown 2. Trace the code from that point to see where the file is read, and where it is decrypted:
      while ($row = $fh.readline()) {
          if ($row.startsWith('Username=')) { $username = crypto.decrypt($row[9:]); }
          if ($row.startsWith('Password=')) { $password = crypto.decrypt($row[9:]); }
      }
  25. King without a Crown 3. Reverse-engineer the encryption!
      function decrypt($encrypted) {
          $encrypted = reverseString($encrypted);
          $encrypted = $encrypted << 8;
          $magic = blowfish($encrypted, $keyOne);
          $decrypted = doMagic($magic, $keyTwo);
          return $decrypted;
      }
      $keyOne = 'tQ@vH8dM%agy6Y4RO';
      $keyTwo = '!#YCEKiMKijFtgcyZ';
      This is very interesting and all but… Keep it simple! Grab their crypto!
  26. King without a Crown 4. "Develop" a decryption tool:
      [stolen code goes here]
      print("User:" + decrypt("KCD3A08381467823D4013960E75E465F0B00C5E3BAEFBECBB"));
      print("Pass:" + decrypt("JFJA90BVM2ZO0YJF67NQ72YUVN7B71POCZM3098FABVDADG3Q"));
      Output: User: admin1user Pass: 9m5!4G4GaZ1VU@oi9Xh
      5. Profit
  27. King without a Crown • And that is how we became the first human domain admin they'd seen in years • Was the "No domain admins" policy adhered to?
  28. Conclusions • A lock is meaningless if you attach the keys to it – ditto for encryption and its keys • Keeping actionable information, such as passwords, in a dev environment is dangerous exposure • Bending policies is not a way to solve problems, it's a way to obscure them (barely)
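The "lock with the keys attached" conclusion is checkable mechanically: a repository that holds an encrypted credential next to the code and key material that decrypts it is no better protected than plaintext. The following Python is an added example, not code from the talk or from Checkmarx; it scans a constructed config file and a constructed source snippet (all values are placeholders, not the slides' ciphertexts or keys) and rates the combined exposure the way a pre-commit secret scanner would.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample files, not the talk's real config or code: a config file
# holding an "encrypted" credential and a source file that ships the keys
# needed to decrypt it. All values are placeholders.
CONFIG_INI = """\
#LDAP user
Username=EXAMPLE_CIPHERTEXT_USER_PLACEHOLDER
Password=EXAMPLE_CIPHERTEXT_PASS_PLACEHOLDER
Timeout=30
"""

DECRYPT_SOURCE = """\
$keyOne = 'EXAMPLE_KEY_ONE_PLACEHOLDER';
$keyTwo = 'EXAMPLE_KEY_TWO_PLACEHOLDER';
$retries = 3;
"""

# Config keys that carry credentials, whether plaintext or "encrypted".
CREDENTIAL_KEY = re.compile(r"^\s*(username|password|passwd|secret|api[_-]?key)\s*=", re.I)
# A string literal of 8+ characters assigned to a variable whose name contains "key".
KEY_LITERAL = re.compile(r"\$?(\w*key\w*)\s*=\s*['\"]([^'\"]{8,})['\"]", re.I)


def find_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line number, key name) for every credential entry in a config file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CREDENTIAL_KEY.match(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits


def find_key_literals(text: str) -> List[Tuple[int, str]]:
    """Return (line number, variable name) for every hard-coded key literal in source."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = KEY_LITERAL.search(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits


def assess(config_text: str, source_text: str) -> Dict[str, object]:
    """Rate the exposure of a repository that contains both files.

    critical: credentials and the keys that unlock them sit side by side
              (the lock with the keys attached);
    high:     credentials are present, even if encrypted;
    medium:   only hard-coded keys are present;
    none:     nothing found.
    """
    creds = find_credentials(config_text)
    keys = find_key_literals(source_text)
    if creds and keys:
        severity = "critical"
    elif creds:
        severity = "high"
    elif keys:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "credentials": creds, "keys": keys}


if __name__ == "__main__":
    report = assess(CONFIG_INI, DECRYPT_SOURCE)
    print(report["severity"], report["credentials"], report["keys"])
```

The severity ladder is the point: an "encrypted" credential on its own is rated high, but the moment the decryption keys are found in the same tree it becomes critical, because the company policy from slide 20 is then satisfied on paper only. A real deployment would pull the keys from a secrets manager or an HSM-backed store and keep the dev repository free of live credentials altogether.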
  29. The Phish that Kept on Phishing
  30. The Phish that Kept On Phishing • Most phishing awareness exercises involve employee awareness, which is very important • Access that the average user has • Would clicking a suspicious link mean the user will also submit their password? • Or download and install a file? • "Spear-Phishing" – are employees aware of more sophisticated, targeted attacks? • But most phishing awareness exercises aren't concerned with the risk of a successful attack
  31. The Phish that Kept On Phishing • Our client, a bank, wanted to find out what risks it faces from phishing • We'll call them Hacme, because why not • They also required us to build a system for keeping track of phishing targets • Each targeted e-mail received a link with a token • This token was saved along with every action (*illustration, it actually looked nothing like this):
      | User      | Token           | IP             | User Agent                           | Action          |
      |-----------|-----------------|----------------|--------------------------------------|-----------------|
      | Debbie M. | ja1Kd2moXpP2mJ  |                | Mozilla/5.0 (iPhone; CPU iPhone OS…) | Clicked Link    |
      |           |                 | yyy.yyy.10.12  | Mozilla/5.0 (Windows NT 6.1; WOW64)  | Clicked Link    |
      |           |                 | yyy.yyy.10.12  | Mozilla/5.0 (Windows NT 6.1; WOW64)  | Logged in!      |
      | Andrew R. | u0IL9aZxQmnV3a  | yyy.yyy.10.12  | Mozilla/5.0 (Windows NT 6.1; WOW64)  | Clicked Link    |
      |           |                 | yyy.yyy.10.12  | Mozilla/5.0 (Windows NT 6.1; WOW64)  | Downloaded File |
      | John U.   | 73aBVlkq9Arq8nb | zzz.zzz.90.114 | Mozilla/5.0 (Linux; Android 4.0.4;…) | Clicked Link    |
  32. The Phish that Kept On Phishing • Good credentials to phish for should: • Lead to as many sensitive environments as possible (SSO) • Lead to sensitive data • Lead to MORE ACCESS
  33. The Phish that Kept On Phishing • OWA is likely to contain sensitive information • Accessible online • Easy to impersonate by either installing your own server, or just replicating the login • Seamless Phishing – user submits credentials, credentials are saved by the attacker, client is forwarded seamlessly into their real OWA inbox • Never know what hit 'em
  34. (phishing e-mail mock-up) From: To: [target] Please forward. ---Forwarded Message--- From: Subject: Testing New OWA Login. To All Employees, As many of you know, we were recently the targets of a large scale phishing attack[…] We are transitioning to a new & secure environment[…][…]
  35. The Phish that Kept On Phishing • Using our tracking system, we met our favorite victim ever – Debbie. • Debbie is the best! • We sent out 41 e-mails • How many users did we phish within 2 hours?
  36. 117. That's 300% (98 different users phished using Debbie's token)
  37. The Phish that Kept On Phishing • On that day we celebrated Debbie, and all Debbies everywhere • In retrospect we found out it was way worse than we thought • …Debbie actually pulled this e-mail out of her spam box before sending it to 300+ people. • Because despite this phishing e-mail successfully passing through our testing spam filters…
  38. The Phish that Kept On Phishing • We were able to prove that spam filters aren't a good defense • Also that their phishing mitigation did not work • But also – how easy it is to compromise employee e-mails • We got a very broad user-base coverage – HR, PR, IT users • IT users apparently shared passwords over e-mail, too.
  39. The Phish that Kept On Phishing • Let's talk about Debbie • Is Debbie REALLY a [image]? • She may have messed up in her awareness • She may have set the bar low • But anyone can fall for the right lie
  40. Conclusions • Remember this acronym: N.B.D. Never. Be. Debbie. • Even people who practice N.B.D. daily can be fooled – always know your risks. • 2-factor authentication, in this case, would have made a huge difference.
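The tracking table on slide 31 and the Debbie result on slides 36 and 37 describe one analysis problem: a per-recipient token stops identifying a single person once the e-mail is forwarded, and the exercise's success rate can then exceed the number of e-mails sent. The Python below is an added example, not the team's tracking system; it works over constructed records in the shape of the slide's table (tokens and IPs are made up, the forwarded token mirrors the Debbie case), flags tokens that appear from several distinct clients, and computes the compromise rate against the number of e-mails sent.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    user: str        # employee the token was issued to
    token: str
    ip: str
    user_agent: str
    action: str


# Constructed tracking records in the shape of the slide's table (not real
# data). One token shows up from several clients, like Debbie's did.
EVENTS = [
    Event("Debbie M.", "tok_debbie", "xxx.xxx.42.7",   "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3)", "Clicked Link"),
    Event("Debbie M.", "tok_debbie", "yyy.yyy.10.12",  "Mozilla/5.0 (Windows NT 6.1; WOW64)",      "Clicked Link"),
    Event("Debbie M.", "tok_debbie", "yyy.yyy.10.12",  "Mozilla/5.0 (Windows NT 6.1; WOW64)",      "Logged in!"),
    Event("Debbie M.", "tok_debbie", "yyy.yyy.10.20",  "Mozilla/5.0 (Windows NT 6.1; WOW64)",      "Logged in!"),
    Event("Debbie M.", "tok_debbie", "yyy.yyy.10.33",  "Mozilla/5.0 (Macintosh; Intel Mac OS X)",  "Logged in!"),
    Event("Andrew R.", "tok_andrew", "yyy.yyy.10.51",  "Mozilla/5.0 (Windows NT 6.1; WOW64)",      "Clicked Link"),
    Event("Andrew R.", "tok_andrew", "yyy.yyy.10.51",  "Mozilla/5.0 (Windows NT 6.1; WOW64)",      "Downloaded File"),
    Event("John U.",   "tok_john",   "zzz.zzz.90.114", "Mozilla/5.0 (Linux; Android 4.0.4)",       "Clicked Link"),
]

# Actions that mean the recipient handed the attacker something usable.
COMPROMISING_ACTIONS = {"Logged in!", "Downloaded File"}


def clients_per_token(events: List[Event]) -> Dict[str, Set[Tuple[str, str]]]:
    """Distinct (IP, user agent) pairs seen per token."""
    clients: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for e in events:
        clients[e.token].add((e.ip, e.user_agent))
    return clients


def forwarded_tokens(events: List[Event], threshold: int = 3) -> List[str]:
    """Tokens used from at least `threshold` distinct clients: the e-mail was
    almost certainly forwarded, so the token no longer identifies one person."""
    return sorted(t for t, c in clients_per_token(events).items() if len(c) >= threshold)


def compromises(events: List[Event]) -> int:
    """Number of distinct clients that performed a compromising action."""
    seen = {(e.token, e.ip, e.user_agent) for e in events if e.action in COMPROMISING_ACTIONS}
    return len(seen)


def success_rate(events: List[Event], emails_sent: int) -> float:
    """Compromises as a percentage of e-mails sent; exceeds 100% once forwarding kicks in."""
    return 100.0 * compromises(events) / emails_sent


if __name__ == "__main__":
    print("forwarded tokens:", forwarded_tokens(EVENTS))
    print("compromises:", compromises(EVENTS), "rate:", success_rate(EVENTS, 3))
```

Counting compromises by distinct (token, IP, user agent) rather than by token is what lets the rate climb past 100%, which is exactly the effect the slides report; a mailbox-based tracker that counted one hit per recipient would have reported 41 tokens at most and hidden the forwarding entirely.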
  41. A Crowbar for Binary
  42. A Crowbar for Binary • A big financial institute had us engage their online assets and hack in • We'll call them Golden Calf Investments • Not that many online assets • Most interesting ones were scoped out because: • No testing accounts or environments • "Federal Regulations" (pfffff)
  43. A Crowbar for Binary • How do we get in if we're told to stay away?? • Some canned marketing applications… • Skin-deep customer service applications… • …Outsourced, not even part of the organization • A couple of old employee-only applications… • Wait a minute, that last one sounds promising!
  44. A Crowbar for Binary • The New Target: • Application with known exploits • Got App-Admin in… 5 minutes? • Got code running on the web-server within a couple of hours
  45. A Crowbar for Binary • Realize the web-server is boring, except for one database connection • Database is internal, beyond the DMZ? • New goal: we own the database • Wrote code to go through the web-server and directly talk to the DB (SQL)
  46. A Crowbar for Binary • So what database are we really attacking here? • MSSQL • Database running as "sa" (lol) • VERY strict firewall rules • Can't pull malware. • Can't do much from inside out, really. • So we HAVE to push!
  47. A Crowbar for Binary • Challenge #1 – OS Commands: • MSSQL feature – use xp_cmdshell to execute OS commands • There's a character restriction in SQL queries, however • Binaries would never fit
  48. A Crowbar for Binary • Challenge #2 – Writing to Disk: • Introducing the latest in computer hacking technology: THIS GUY! (image)
  49. A Crowbar for Binary • Challenge #3 – Normalization: • Binary is binary • It's 99% garbage to (most) humans • May contain bytes that break requests, or get altered on the way • Normalize with Base64 – all bytes converted to alpha-numeric
  50. A Crowbar for Binary (diagram: Code "Hello World!" → Base64 "SGVsbG8gV29ybGQh", chunked as "SGVsbG", "8gV29yb", "GQh" → Echo to File: echo SGVsbG8gV29ybGQh >> evil.b64.txt → SQL Query: xp_cmdshell '…';) • Now that we know how to get binaries onto the server, let's do it! • Convert code to base64 • Chunk into segments that fit the size restriction • For every segment – create a command • For every command – execute with SQL
  51. A Crowbar for Binary • Great job getting a junk base64 file on the server! • How do we convert it back to binary without tools? • Maybe something that is naturally stored as either? • A certificate can be either binary or base64. • It would be great if there was some sort of, I don't know, a utility in Windows? certutil.exe -decode evil.b64.txt evil.exe
  52. A Crowbar for Binary • Score! • We've demonstrated executing a binary • From the internet • Riding a web server • Passing through the database with queries • And right into the DB's operating system • Can install tools to scan the internal network • Can have remote control with malware over DNS • In retrospect – this DB was co-hosted with their main business transaction OraDB. Double Score!
  53. Conclusions • A small misconfiguration behind an outdated system can be crowbarred into a gaping hole • Always patch your things, no matter how insignificant they seem • The Principle of Least Privilege
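Seen from the database's side, the staging sequence on slides 50 and 51 leaves a very recognisable trail: a burst of xp_cmdshell calls that each append a short alphanumeric chunk to the same file, followed by a certutil -decode of that file. The Python below is an added detection example, not code from the talk; it runs over constructed SQL Server audit lines (a hypothetical `login=… stmt="…"` layout, not a real product's format) that replay the slide's own chunks of "Hello World!", correlates the writes with the decode, and reports which login drove xp_cmdshell.

```python
import re
from typing import Dict, List, Optional

# Constructed audit lines (not real logs, hypothetical layout). They replay the
# slides' staging of "Hello World!": three base64 chunks appended to one file,
# then decoded with certutil, all through xp_cmdshell under the sa login.
AUDIT_LINES = [
    '2017-10-24T19:05:01Z login=app_user stmt="SELECT id FROM orders WHERE id = 42"',
    '2017-10-24T19:05:07Z login=sa stmt="EXEC xp_cmdshell \'echo SGVsbG >> evil.b64.txt\'"',
    '2017-10-24T19:05:08Z login=sa stmt="EXEC xp_cmdshell \'echo 8gV29yb >> evil.b64.txt\'"',
    '2017-10-24T19:05:09Z login=sa stmt="EXEC xp_cmdshell \'echo GQh >> evil.b64.txt\'"',
    '2017-10-24T19:05:15Z login=sa stmt="EXEC xp_cmdshell \'certutil.exe -decode evil.b64.txt evil.exe\'"',
    '2017-10-24T19:05:20Z login=sa stmt="EXEC xp_cmdshell \'evil.exe\'"',
]

LINE_RE = re.compile(r'^(?P<ts>\S+) login=(?P<login>\S+) stmt="(?P<stmt>.*)"$')
XP_CMDSHELL = re.compile(r"xp_cmdshell", re.I)
# "echo <base64 chunk> >> <file>": one append of a chunk to a staging file.
ECHO_APPEND = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*>>\s*(\S+)", re.I)
CERTUTIL_DECODE = re.compile(r"certutil(?:\.exe)?\s+-decode\s+(\S+)\s+(\S+)", re.I)


def _clean(token: str) -> str:
    """Strip the quote that closes the xp_cmdshell string argument."""
    return token.strip("'\"")


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze_audit(lines: List[str], min_chunks: int = 3) -> Dict[str, object]:
    """Correlate xp_cmdshell activity into a report of base64 binary staging."""
    xp_calls = 0
    xp_logins: List[str] = []
    chunk_writes: Dict[str, int] = {}
    decodes: List[tuple] = []
    alerts: List[str] = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or not XP_CMDSHELL.search(rec["stmt"]):
            continue
        xp_calls += 1
        if rec["login"] not in xp_logins:
            xp_logins.append(rec["login"])
        m = ECHO_APPEND.search(rec["stmt"])
        if m:
            target = _clean(m.group(2))
            chunk_writes[target] = chunk_writes.get(target, 0) + 1
        m = CERTUTIL_DECODE.search(rec["stmt"])
        if m:
            src, dst = _clean(m.group(1)), _clean(m.group(2))
            decodes.append((src, dst))
            # Decoding a file that was assembled chunk by chunk through the SQL
            # interface is the signature of a binary being pushed past the firewall.
            if chunk_writes.get(src, 0) >= min_chunks:
                alerts.append(f"base64 staging: {chunk_writes[src]} chunks appended to {src}, decoded to {dst}")
    for login in xp_logins:
        alerts.append(f"xp_cmdshell executed via login '{login}'")
    return {"xp_cmdshell_calls": xp_calls, "chunk_writes": chunk_writes,
            "decodes": decodes, "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze_audit(AUDIT_LINES)["alerts"]:
        print(alert)
```

Detection is the fallback; the conclusions on slide 53 name the fix. An application login that is not sa cannot enable or call xp_cmdshell at all, and with the procedure left disabled the chunked-echo trick has nothing to execute, so the alert above should fire only in environments where least privilege has already been skipped.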
  54. (re)Applied Sciences
  55. (re)Applied Sciences • Reinventing the wheel is usually not recommended when unnecessary • With the myriad of technologies out there, though, you never know what you'll come across • Sometimes, it's all about taking something you know and understand and applying it to something you don't
  56. (re)Applied Sciences • We were working on a large shipping company, let's call them "Planet Express" • We found an application that behaves very oddly • Landing page is empty • Dorking "site:" leads to a directory listing
  57. (re)Applied Sciences • Directory listing contains… e-mail files? • E-mail files created very recently • E-mail contents seem automated, and contain links back to the site itself • Links are to actual order information
  58. (re)Applied Sciences (Sophisticated Recreation) • Why is this application so weird? • Assumption: the application is fully functioning when approached from the internal network – externally, only links to orders can be accessed by clients
  59. (re)Applied Sciences (Sophisticated Recreation) • So of course, we test the only parameter we can access in this app by setting "orderId" to "1' A '" • …Pardon? • Not like any SQL error I have ever seen
  60. (re)Applied Sciences • And so a quick Google search taught us that this is, in fact…
  61. Intersystems Cache SQL. Who?? What?? Ok, at least we know this word (SQL)
  62. (re)Applied Sciences • What is this database, even?? • For one – it's SQL, so it probably adheres to the same syntax: • SELECT columns FROM database.table WHERE condition • At the same time – it exhibits the exact same behavior a "common" SQL error would: • Injected apostrophe (') breaks the syntax of the query • Additional verbs after ' error out • We can probably add more to the query, and get data!
  63. (re)Applied Sciences • So we can probably inject… • …but the internet is clueless • Very rare • No tools • No exploits • Not even a tutorial • (meme) I DON'T KNOW WHO YOU ARE BUT I WILL READ ABOUT YOU AND I WILL HACK YOU
  64. (re)Applied Sciences • Which injection type do we choose? • UNION based – unite columns to create new tables, hope the web server renders right • Error based – trigger an error that reflects information in its contents • Boolean based – identify true and false conditions, use these as an oracle for data • Boolean based is the only one that requires very little prior knowledge
  65. (re)Applied Sciences • True statement: Give me orderId "AH0010-015" if 1=1 • False statement: Give me orderId "AH0010-015" if 1=0
  66. (re)Applied Sciences • So what do we need for a Boolean SQL injection to work? • We need to establish the injection variables for what we want to retrieve: • SELECT columns FROM database.table WHERE boolean • How do we find the database name? • Table name? • Column name? • The right condition to help us retrieve data?
  67. (re)Applied Sciences • SQL usually has a table of tables, a table of databases, a table of columns etc. • These are all mapped out in a known way • Tools like SQLMap can automate the process because, once they fingerprint the database, they know where to find metadata • But they've never even heard of "Intersystems Cache SQL"
  68. (re)Applied Sciences • Research – from documentation: • Databases – SELECT SqlSchemaName FROM %dictionary.compiledclass WHERE SqlSchemaName LIKE '%' • Tables – SELECT SqlSchemaName FROM %dictionary.compiledclass WHERE SqlSchemaName = 'db_name' AND SqlTableName LIKE 'table_name'
  69. (re)Applied Sciences • Research roadblock – no documentation of columns? Not in the same Dictionary.compiledclass?? • Ask an expert on StackOverflow!
  70. (re)Applied Sciences • We know where to get all the metadata we need to get all the stored data we want • Now for a condition, and we're good to go • Keep it simple! • WHERE parameter LIKE '[inject]%' • WHERE parameter LIKE 'p%' • WHERE parameter LIKE 'pa%' • WHERE parameter LIKE 'pas%'…
  71. (re)Applied Sciences • Final injection form: ' AND EXISTS (SELECT SqlSchemaName FROM %dictionary.compiledclass WHERE SqlSchemaName = 'db_name' AND SqlTableName LIKE 'table_name') • Building this into a Python script that enumerates letters and numbers in the condition replicates the principles of SQLMap's Boolean-based SQL injection
  72. (re)Applied Sciences • We never made it into a nice "tool" form • We knew we're not likely to see this system ever again… • But we dumped enough of the database to demonstrate we could get all shipping information on every single client
  73. Conclusions • Exotic technology is still technology • Obscure is not Secure • A simple external test would have revealed the information leakage which led to this exploitation
  74. Final Thoughts • Hacking is a lot more than just known vulnerabilities and available tools – it's also a creative process • Never underestimate your opponents • Understanding & knowing risks and impact is as important as mitigating vulnerabilities in your network
  75. Questions?
  76. Thank you.
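Slides 59 through 71 turn on one property of the orderId lookup: the application gluing the parameter into the query text, so that a true and a false injected condition produce different responses and a LIKE prefix becomes a yes/no oracle. The Python below is an added example, not the team's script and not Intersystems Cache; it uses SQLite as a stand-in database (the "Obscure is not Secure" conclusion is exactly that the engine does not matter) with the slide's order id and a made-up customer name, puts the flawed lookup beside a parameterised one, and shows that the oracle and the prefix probe work against the first and say nothing against the second.

```python
import sqlite3
from typing import Callable, Tuple

Result = Tuple[str, object]   # ("ok", rows) or ("error", message)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the order database. The order id is the slide's;
    the customer name is constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (orderId TEXT, customer TEXT)")
    conn.execute("INSERT INTO orders VALUES ('AH0010-015', 'Planet Express')")
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, order_id: str) -> Result:
    """The flawed pattern: the parameter is concatenated into the query text,
    so an apostrophe in it changes the statement's syntax."""
    sql = "SELECT customer FROM orders WHERE orderId = '" + order_id + "'"
    try:
        return ("ok", [row[0] for row in conn.execute(sql)])
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_safe(conn: sqlite3.Connection, order_id: str) -> Result:
    """The fix: a bound parameter is data and never becomes SQL syntax."""
    rows = conn.execute("SELECT customer FROM orders WHERE orderId = ?", (order_id,))
    return ("ok", [row[0] for row in rows])


Lookup = Callable[[sqlite3.Connection, str], Result]


def oracle_distinguishes(lookup: Lookup, conn: sqlite3.Connection) -> bool:
    """Slide 65's test: does the endpoint answer differently for an injected
    true condition and an injected false one? That difference is the oracle."""
    true_case = lookup(conn, "AH0010-015' AND 1=1 AND 'a'='a")
    false_case = lookup(conn, "AH0010-015' AND 1=0 AND 'a'='a")
    return true_case != false_case


def prefix_leaks(lookup: Lookup, conn: sqlite3.Connection, prefix: str) -> bool:
    """Slide 70's LIKE 'p%' probe: true iff a row matches the prefix, which is
    the one bit per request that letter-by-letter enumeration builds on."""
    status, rows = lookup(conn, "AH0010-015' AND customer LIKE '" + prefix + "%")
    return status == "ok" and len(rows) > 0


if __name__ == "__main__":
    conn = make_db()
    print("1' A ' against vulnerable lookup:", lookup_vulnerable(conn, "1' A '"))
    print("oracle works (vulnerable):", oracle_distinguishes(lookup_vulnerable, conn))
    print("oracle works (safe):      ", oracle_distinguishes(lookup_safe, conn))
```

Against `lookup_vulnerable` the slide's `1' A '` probe produces a syntax error, the true and false conditions return different row sets, and the prefix probe answers "P" differently from "Q". Against `lookup_safe` every one of those inputs is simply an order id that does not exist, so all three checks collapse to the same empty answer. The external test the conclusions call for would have found the first behaviour on the one parameter the site exposed.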