SlideShare a Scribd company logo

BSides London 2015 - Proprietary network protocols - risky business on the wire.

Download as PPTX, PDF
Jakub Kałużny
Jakub Kałużny

When speed and latency counts, there is no place for standard HTTP/SSL stack and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to the world full of own cryptography, revertible hash algorithms and no access control at all. We would like to present our approach and a short guideline how to reverse engineer proprietary protocols. To demonstrate, we will show you few case-studies, which in our opinion are a quintessence of ""security by obscurity"" - the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.

Technology
1 of 79
Proprietary network protocols – risky business on the wire Jakub Kałużny BSides London, 03.06.2015
Who are we Pentesters @ SecuRing Security assessments of applications, networks, systems... Jakub Kałużny Sławomir Jasek
Agenda Case studies – proprietary protocols • Home automation • Pull printing #1 • Remote desktop • Pull printing #2 • Trading Cheatsheet for architects & developers How to hack it
Proprietary network protocols • A pentester will encounter one • Don’t have the protocol specs nor tools to attack it • How to hack it? • decompile the client? • search for some tools? • watch the raw packets? • Let’s try! https://www.flickr.com/photos/canonsnapper/2566562866
Home automation remote control ● „Plug the device, configure your router for port forwarding (and dynamic dns if necessary), set password.” ● Proprietary TCP protocol, direct connection from Internet to device, password protected access http://www.flickr.com/photos/99832244@N07/9436065073/
Protocol – a few packets ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 02 01 00 00 a9 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 0c 02 00 00 a4 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 aa 53 41 02 01 01 f0 f1 f1 f1 f1 00 be f1 f1 00 .SA..... ........ c4 00 e1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 ........ ........ f1 f1 f1 00 64 00 00 00 01 00 f0 f0 0a f1 00 02 ....d... ........ 0f 0f e7 S E R V E R C L I E N T
And what if we change the password? Password 1: Password 2: Password 3:
Home automation protocol internal command (5 bytes) MD5(password) – first 10 bytes status returned by the appliance (sensors, settings, etc)
Home automation - failures ● Sniffing ● MITM ● Connect directly to the appliance - sniffed hash is enough ● Recommendation: SSL!
Home automation - SSL Vendor: OK, we have added SSL support! sslcontext=SSLContext.getInstance("TLS"); trustmgr=new TrustManager[1]; trustmgr[0]=new EasyX509TrustManager(null); sslcontext.init(null, trustmgr, null); • Empty TrustManager – accepts all certificates
Side effect How to build your own appliance: socat tcp4-listen:1234,fork,readbytes=5 /dev/ttyUSB0,vmin=51 And for the new version with SSL support: socat openssl-listen:1234,key=s.key, cert=s.crt,verify=0,fork,readbytes=5 /dev/ttyUSB0,vmin=51
Pull Printing Solutions
Why hack pull printing? • Widely used • Confidential data • Getting popular
Threat modelling – key risks sniffing print queues accountability users’ data
Attack vectors Other users’ data Access to other print queues Sniffing, MITM Authorization bypass User/admin interface vulnerabilities
Pull Printing #1 – access control “With its roots in education and the full understanding that college kids “like to hack”, our development processes continually focus on security.” “Secure print release (…) can integrate card-swipe user authentication at devices (…) ensuring jobs are only printed when the collecting user is present.”
Pull Printing #1 – binary protocol S E R V E R P R I N T E R HELLO USER: user1 token HASH(password + token) Password ok Release my print queue OK Just copied 100 pages
Charge user “guest-xyz” for copying 100 pages Pull Printing #1 – closer look Release my print queue Just copied 100 pages User permissions beginDeviceTransaction (…) guest-xyz Release print queue for user “guest-xyz” S E R V E R P R I N T E R
Pull printing #1 - consequences sniffing print queues accountability users’ data
Pull printing #1 - vendor gets notified • Gave access to KB and support service • And all versions of software • Responded in few hours and patched in few days • Was happy to be pentested
Remote desktop protocol X-win „on steroids” (encryption, compression, access control...) Mainframe access for critical business operations „More than 100,000 users around the world” „Prevents unauthorized eavesdropping FIPS 140-2 Validated End-to-end data encryption” http://en.wikipedia.org/wiki/X_Window_System_protocols_and_architecture
Remote desktop protocol 00000000 0b 00 00 00 .... C L I E N T S E R V E R 00000000 01 01 00 00 .... 00000004 16 03 00 00 6d 01 00 00 69 03 00 52 8d e8 02 cf ....m... i..R.... 00000014 88 d3 96 14 f4 a3 7c 47 f3 0d 85 57 58 d6 c9 f7 ......|G ...WX... 00000024 18 24 95 15 2e 05 82 27 b7 1e ff 00 00 42 00 3a .$.....' .....B.: 00000034 00 39 00 38 00 35 00 34 00 33 00 32 00 2f 00 1b .9.8.5.4 .3.2./.. 00000044 00 1a 00 19 00 18 00 17 00 16 00 15 00 14 00 13 ........ ........ 00000054 00 12 00 11 00 0a 00 09 00 08 00 07 00 06 00 05 ........ ........ SSL 00000000 01 00 00 00 .... 00000000 01 00 00 00 .... LOGIN ENCODED PASSWORD
Password [redacted] Communications Limited 54657374696e6750617373776f72643132333454657374696e6750617373776f7264 TestingPassword1234TestingPassword XOR 1c101e1900000032080117572c1d095c475d5d3704071d060014702d1a1e1e1b1700 = 48756d6d696e676269726420436f6d6d756e69636174696f6e73204c696d69746564
C L I E N T CLIENTHELLO! cipher suites: SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA (...) default configuration SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA OK, no problem! You have to be the right server if you say so, don’t you? Remote Desktop - SSL S E R V E R
C L I E N T CLIENTHELLO! certificates configured SERVERHELLO! Certificate Non-anonymous cipher suites: (...) 1st connection: OK, certificate stored! Following connections: OK, certificate valid / ALERT: MITM ATTACK! SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA S E R V E R Remote Desktop - SSL I have your certificate, but since you don’t offer it any more, I won’t check it. OK, let’s connect!
Remote desktop protocol - vendor „We don’t know PGP, use zip with our CEO’s name as password” Do not plan to solve the issues (?) > /dev/null 2>&1 Full disclosure! ... and a few weeks later the mysterious shut down of our beloved ;)
Pull Printing #2 - encryption “is a modern printing solution that safeguards document confidentiality and unauthorized access to print, scan, copy and e-mail functions. Its user-authentication provides air-tight security on your shared MFPs that function as personal printers.”
Vendor ensures „Documents are delivered only into the right hands” „Information is kept confidential. No risk of being left unattended at the printer” „Document collection is safe anytime and anywhere — no “print and sprint”.” „Integration with other enterprise applications and workflows is kept secure through single sign-on”
Pull Printing #2 – binary protocol First look on communication: • TCP, 2 ports • No cleartext, no SSL • Seems to follow some scheme…
Ex1: Deeper sight on traffic S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode https://en.wikipedia.org/wiki/ECB_mode
Pull Printing #2 - Reverse-engineered • Hardcoded RSA certificate in printer embedded software • No trust store • AES-128 ECB used for traffic encryption • Same protocol in admin interface
Pull Printing #2 - Consequences sniffing print queues accountability users’ data
“Many of the devices do not have the CPU power that allows a fast login response and at the same time establish a high security level” For example changing ECB to CBC mode encryption will be more CPU intensive and introducing that may cause slower performance of the devices, which the customers are very reluctant to see implemented.” Pull Printing #1 - vendor gets notified “(…) system has been deployed at many high security customers and has passed internal audits.”
● An online application for instant financial operations ● A proprietary, binary protocol, designed in order to minimise delays ● TCP in SSL tunnel https://www.flickr.com/photos/tradingrichmom/5571144428/ Trading protocol
Trading protocol
That’s interesting!
That’s interesting!
And what if we...
And how about...
<soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encodin g/"> <registerUserReturn xsi:type="xsd:string"> &lt;error code=&quot;266&quot; &gt;Incorrect login&lt;/error&gt; </registerUserReturn></registerUserResponse></soapenv:Body> • Incorrect password • Incorrect first name • Group with name null doesn't exist • Group with name admin doesn't exist • Group with name Administrator doesn't exist • And how about „root”? RegisterUser
Game Over <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/ encoding/"> <registerUserReturn xsi:type="xsd:string"> User was registered sucessfully with id=5392745 So now we can manage all the other accounts and spend their money!
Architecture
Cheat sheet – owners While deploying a proprietary solution: • Get it pentested • Verify vendor claims • Ask the vendor for secure development lifecycle, procedures of addressing vulnerabilities, previous bugs
Cheat sheet - developers Protocol is NOT secure by its secrecy Proper encryption. Use known standards, implement them with care. Input validation, access control, many layers of security, least privilege principle... Beware backwards compatibility
How to hack protocols? Decompile client? Inject code? Search for the specs? Use some tools? Watch the packets? https://www.flickr.com/photos/nkphillips/2865781749
Look for the fine manual • There may be unofficial client, or e.g. wireshark plugin • Ask for the docs  • Search for them • Yes, we have found internal protocol specification by google hacking!
Decompile client Sometimes easy – e.g. not obfuscated Android application: byte abyte3[] = pass.getBytes(); byte abyte4[] = MessageDigest.getInstance("MD5").digest (abyte3); Sometimes really hard & time consuming. May be fun, but often leads astray
Watch the packets Various tools to analyze proprietary protocols time consuming, usually do not work Raw, just try to spot some scheme of course with a little help of your friends: wireshark, tcpdump, ssldump etc. Your favourite scripting language
http://www.securing.pl/konsultacje MORETHAN SECURITY TESTING
Thank you, looking forward to contact! jakub.kaluzny@securing.pl MORETHAN SECURITY TESTING
INDUSTRIAL INSECURITY
Thousands of interfaces publicly available. Trivial to discover, already scanned & catalogued likewise cameras. Modbus-TCP, Serial-TCP, default passwords or password-less web management interfaces... I won’t reveal the links here ;) Industrial insecurity
Industrial insecurity – public interfaces
Industrial insecurity – public interfaces
Industrial insecurity – public interfaces
Read RFIDs mounted in privileged trucks to automatically open the gate. Industrial RFID reader
PORT STATE SERVICE VERSION 23/tcp open telnet Busybox telnetd 4007/tcp open pxc-splr? 4684/tcp open unknown 10001/tcp open tcpwrapped Service Info: Host: UHF-RFID-Dev Industrial RFID reader – port scan
No need to hack - just RTFM
Command-line „client”
$ echo -e "xAAxBBx01x01x11x01xAAxCC" | nc <IP> 4007 | hexdump 0000000 bbaa 0101 8111 aa00 aacc 07bb aa00 aacc 0000010 07bb aa00 aacc 07bb aa00 aacc 07bb aa00 0000020 aacc 07bb aa00 aacc 07bb aa00 aacc 07bb 0000030 aa00 aacc 07bb aa00 aacc 07bb aa00 aacc (...) 0000350 aacc 07bb aa00 aacc 07bb aa00 aacc 07bb 0000360 aa00 aacc 07bb aa00 aacc 07bb aa00 aacc 0000370 07bb aa00 aacc 01bb 1101 ffc1 0103 0247 0000380 1353 ed6b ccaa bbaa 0007 ccaa bbaa 0101 0000390 c111 0300 0001 5302 6b13 05ed aa00 aacc (...) ...and now we can clone the tag
The incoming vehicles are also traditionally verified by security staff. The device is available in restricted LAN only. The tag can also be scanned from the truck itself. BUT: you have to be aware of the technology shortcomings and not to alter the above conditions! Should we worry?
BLUETOOTH SMART - AKA Bluetooth Low Energy, BLE, Bluetooth 4
Bluetooth Smart != Bluetooth 3 Completely different stack – from RF to upper layers. Designed from the ground-up for low energy usage. Network topology a) Broadcaster + Observer b) Master + Peripheral
Broadcast - beacon https://www.flickr.com/photos/jnxyz/13570855743 UUID (vendor) 2F234454-CF6D-4A0F- ADF2-F4911BA9FFA6 Major (group) 45044 Minor (individual) 5 Tx Power -59 The mobile app can measure precise distance to specified beacon.
Beacons – emulation #1: LightBlue https://itunes.apple.com/us/app/lightblue-bluetooth-low-energy/id557428110 Available for iPhone, iPad, Mac
# hcitool cmd 0x08 0x0008 1E 02 01 1A 1A FF 4C 00 02 15 84 2A F9 C4 08 F5 11 E3 92 82 F2 3C 91 AE C0 5E FD E8 AF C8 C5 00 Beacons – emulation #2: Bluez
# hcitool cmd 0x08 0x0008 1E 02 01 1A 1A FF 4C 00 02 15 84 2A F9 C4 08 F5 11 E3 92 82 F2 3C 91 AE C0 5E FD E8 AF C8 C5 00 Beacons – emulation #2: Bluez
# hcitool cmd 0x08 0x0008 1E 02 01 1A 1A FF 4C 00 02 15 84 2A F9 C4 08 F5 11 E3 92 82 F2 3C 91 AE C0 5E FD E8 AF C8 C5 00 iBeacon data broadcast iBeacon prefix (constant) UUID: 842AF9C4-08F51-1E39-282F- 23C91AEC05E Major: FD E8 = 65 000 Minor: AF C8 = 45 000 TX power
Additional info on products based on precise location. Rewards for visiting places. Indoor guide, help to navigate the blind etc. Your home or toys can automatically react to you. Be warned that your bike or car is no longer in the garage. Beacons – some example usage scenarios
Beacons – additional info based on location
Abuse?
Beacons – the navigating usage scenario
Abuse?
OTHER BLE DEVICES Beacons are just the beginning...
1. Buy SDK+devices from selected vendor (Nordic, TI...) 2. Import ready-to-use sample code. 3. Add your bright usage scenario (and sometimes a bit of hacking). 4. Create convincing bootstrap webpage + videos. 5. Run successful Kickstarter campaign. 6. Profit! How to make your own BLE device?
Electric plugs, lightbulbs, locks, kettles, sensors, wallets, socks, pans, jars, toothbrushes, bags, plates, dildos, sitting pads, measuring your farts devices, calorie-counting mugs... „It was just a dumb thing. Then we put a chip in it. Now it's a smart thing.” (weputachipinit.tumblr.com) Crowdfunding: a new kind of celebrity. Too often ridiculous meets big money. Beacons are just the beginning... www.myvessyl.com
They have been assured the communication is unbreakable because they use AES. I showed an intruder may approach the unsuspecting victim’s phone once (even with autounlock feature off), to be able to get full control over the car for consecutive times without consent of the victim. Other BLE devices www.loxet.io
http://www.securing.pl/konsultacje MORETHAN SECURITY TESTING
Thank you, looking forward to contact! jakub.kaluzny@securing.pl MORETHAN SECURITY TESTING

Recommended

Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityJakub Kałużny
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securitySecuRing
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat Security Conference
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 
Defcon 22-gregory-pickett-abusing-software-defined-networks
Defcon 22-gregory-pickett-abusing-software-defined-networksDefcon 22-gregory-pickett-abusing-software-defined-networks
Defcon 22-gregory-pickett-abusing-software-defined-networksPriyanka Aash
 

Recommended

Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityJakub Kałużny
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securitySecuRing
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat Security Conference
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 
Defcon 22-gregory-pickett-abusing-software-defined-networks
Defcon 22-gregory-pickett-abusing-software-defined-networksDefcon 22-gregory-pickett-abusing-software-defined-networks
Defcon 22-gregory-pickett-abusing-software-defined-networksPriyanka Aash
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Defcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopDefcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopPriyanka Aash
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016SecuRing
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...PROIDEA
 
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014Chong-Kuan Chen
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...Robert Conti Jr.
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
I See You
I See YouI See You
I See YouAndrew Beard
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani GolandCODE BLUE
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsSlawomir Jasek
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
 

More Related Content

What's hot

Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Defcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopDefcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopPriyanka Aash
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016SecuRing
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...PROIDEA
 
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...Robert Conti Jr.
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani GolandCODE BLUE
 

What's hot (20)

Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Defcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopDefcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shop
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
 
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
I See You
I See YouI See You
I See You
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
 

Similar to BSides London 2015 - Proprietary network protocols - risky business on the wire.

Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsSlawomir Jasek
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT securityJulien Vermillard
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
How do Things talk? IoT Application Protocols 101
How do Things talk? IoT Application Protocols 101How do Things talk? IoT Application Protocols 101
How do Things talk? IoT Application Protocols 101Christian Götz
 
Information security & ethical hacking
Information security & ethical hackingInformation security & ethical hacking
Information security & ethical hackingeiti panchkula
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesFelipe Prado
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...Felipe Prado
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsYevgeniy Brikman
 
In The Middle of Printers –The (In)Security of Pull Printing Solutions
In The Middle of Printers –The (In)Security of Pull Printing SolutionsIn The Middle of Printers –The (In)Security of Pull Printing Solutions
In The Middle of Printers –The (In)Security of Pull Printing SolutionsSecuRing
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications WSO2
 

Similar to BSides London 2015 - Proprietary network protocols - risky business on the wire. (20)

Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
How do Things talk? IoT Application Protocols 101
How do Things talk? IoT Application Protocols 101How do Things talk? IoT Application Protocols 101
How do Things talk? IoT Application Protocols 101
 
Information security & ethical hacking
Information security & ethical hackingInformation security & ethical hacking
Information security & ethical hacking
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
 
In The Middle of Printers –The (In)Security of Pull Printing Solutions
In The Middle of Printers –The (In)Security of Pull Printing SolutionsIn The Middle of Printers –The (In)Security of Pull Printing Solutions
In The Middle of Printers –The (In)Security of Pull Printing Solutions
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications
 

Recently uploaded

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 

BSides London 2015 - Proprietary network protocols - risky business on the wire.

  • 1. Proprietary network protocols – risky business on the wire Jakub Kałużny BSides London, 03.06.2015
  • 2. Who are we Pentesters @ SecuRing Security assessments of applications, networks, systems... Jakub Kałużny Sławomir Jasek
  • 3. Agenda Case studies – proprietary protocols • Home automation • Pull printing #1 • Remote desktop • Pull printing #2 • Trading Cheatsheet for architects & developers How to hack it
  • 4. Proprietary network protocols • A pentester will encounter one • Don’t have the protocol specs nor tools to attack it • How to hack it? • decompile the client? • search for some tools? • watch the raw packets? • Let’s try! https://www.flickr.com/photos/canonsnapper/2566562866
  • 5. Home automation remote control ● „Plug the device, configure your router for port forwarding (and dynamic dns if necessary), set password.” ● Proprietary TCP protocol, direct connection from Internet to device, password protected access http://www.flickr.com/photos/99832244@N07/9436065073/
  • 6. Protocol – a few packets ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 02 01 00 00 a9 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 0c 02 00 00 a4 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 aa 53 41 02 01 01 f0 f1 f1 f1 f1 00 be f1 f1 00 .SA..... ........ c4 00 e1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 ........ ........ f1 f1 f1 00 64 00 00 00 01 00 f0 f0 0a f1 00 02 ....d... ........ 0f 0f e7 S E R V E R C L I E N T
  • 7. And what if we change the password? Password 1: Password 2: Password 3:
  • 8. Home automation protocol internal command (5 bytes) MD5(password) – first 10 bytes status returned by the appliance (sensors, settings, etc)
  • 9. Home automation - failures ● Sniffing ● MITM ● Connect directly to the appliance - sniffed hash is enough ● Recommendation: SSL!
  • 10. Home automation - SSL Vendor: OK, we have added SSL support! sslcontext=SSLContext.getInstance("TLS"); trustmgr=new TrustManager[1]; trustmgr[0]=new EasyX509TrustManager(null); sslcontext.init(null, trustmgr, null); • Empty TrustManager – accepts all certificates
  • 11. Side effect How to build your own appliance: socat tcp4-listen:1234,fork,readbytes=5 /dev/ttyUSB0,vmin=51 And for the new version with SSL support: socat openssl-listen:1234,key=s.key, cert=s.crt,verify=0,fork,readbytes=5 /dev/ttyUSB0,vmin=51
  • 13. Why hack pull printing? • Widely used • Confidential data • Getting popular
  • 14. Threat modelling – key risks sniffing print queues accountability users’ data
  • 15. Attack vectors Other users’ data Access to other print queues Sniffing, MITM Authorization bypass User/admin interface vulnerabilities
  • 16. Pull Printing #1 – access control “With its roots in education and the full understanding that college kids “like to hack”, our development processes continually focus on security.” “Secure print release (…) can integrate card-swipe user authentication at devices (…) ensuring jobs are only printed when the collecting user is present.”
  • 17. Pull Printing #1 – binary protocol S E R V E R P R I N T E R HELLO USER: user1 token HASH(password + token) Password ok Release my print queue OK Just copied 100 pages
  • 18. Charge user “guest-xyz” for copying 100 pages Pull Printing #1 – closer look Release my print queue Just copied 100 pages User permissions beginDeviceTransaction (…) guest-xyz Release print queue for user “guest-xyz” S E R V E R P R I N T E R
  • 19. Pull printing #1 - consequences sniffing print queues accountability users’ data
  • 20. Pull printing #1 - vendor gets notified • Gave access to KB and support service • And all versions of software • Responded in few hours and patched in few days • Was happy to be pentested
  • 21. Remote desktop protocol X-win „on steroids” (encryption, compression, access control...) Mainframe access for critical business operations „More than 100,000 users around the world” „Prevents unauthorized eavesdropping FIPS 140-2 Validated End-to-end data encryption” http://en.wikipedia.org/wiki/X_Window_System_protocols_and_architecture
  • 22. Remote desktop protocol 00000000 0b 00 00 00 .... C L I E N T S E R V E R 00000000 01 01 00 00 .... 00000004 16 03 00 00 6d 01 00 00 69 03 00 52 8d e8 02 cf ....m... i..R.... 00000014 88 d3 96 14 f4 a3 7c 47 f3 0d 85 57 58 d6 c9 f7 ......|G ...WX... 00000024 18 24 95 15 2e 05 82 27 b7 1e ff 00 00 42 00 3a .$.....' .....B.: 00000034 00 39 00 38 00 35 00 34 00 33 00 32 00 2f 00 1b .9.8.5.4 .3.2./.. 00000044 00 1a 00 19 00 18 00 17 00 16 00 15 00 14 00 13 ........ ........ 00000054 00 12 00 11 00 0a 00 09 00 08 00 07 00 06 00 05 ........ ........ SSL 00000000 01 00 00 00 .... 00000000 01 00 00 00 .... LOGIN ENCODED PASSWORD
  • 24. C L I E N T CLIENTHELLO! cipher suites: SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA (...) default configuration SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA OK, no problem! You have to be the right server if you say so, don’t you? Remote Desktop - SSL S E R V E R
  • 25. C L I E N T CLIENTHELLO! certificates configured SERVERHELLO! Certificate Non-anonymous cipher suites: (...) 1st connection: OK, certificate stored! Following connections: OK, certificate valid / ALERT: MITM ATTACK! SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA S E R V E R Remote Desktop - SSL I have your certificate, but since you don’t offer it any more, I won’t check it. OK, let’s connect!
  • 26. Remote desktop protocol - vendor „We don’t know PGP, use zip with our CEO’s name as password” Do not plan to solve the issues (?) > /dev/null 2>&1 Full disclosure! ... and a few weeks later the mysterious shut down of our beloved ;)
  • 27. Pull Printing #2 - encryption “is a modern printing solution that safeguards document confidentiality and unauthorized access to print, scan, copy and e-mail functions. Its user-authentication provides air-tight security on your shared MFPs that function as personal printers.”
  • 28. Vendor ensures „Documents are delivered only into the right hands” „Information is kept confidential. No risk of being left unattended at the printer” „Document collection is safe anytime and anywhere — no “print and sprint”.” „Integration with other enterprise applications and workflows is kept secure through single sign-on”
  • 29. Pull Printing #2 – binary protocol First look on communication: • TCP, 2 ports • No cleartext, no SSL • Seems to follow some scheme…
  • 30. Ex1: Deeper sight on traffic S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode https://en.wikipedia.org/wiki/ECB_mode
  • 31. Pull Printing #2 - Reverse-engineered • Hardcoded RSA certificate in printer embedded software • No trust store • AES-128 ECB used for traffic encryption • Same protocol in admin interface
  • 32. Pull Printing #2 - Consequences sniffing print queues accountability users’ data
  • 33. “Many of the devices do not have the CPU power that allows a fast login response and at the same time establish a high security level” For example changing ECB to CBC mode encryption will be more CPU intensive and introducing that may cause slower performance of the devices, which the customers are very reluctant to see implemented.” Pull Printing #1 - vendor gets notified “(…) system has been deployed at many high security customers and has passed internal audits.”
  • 34. ● An online application for instant financial operations ● A proprietary, binary protocol, designed in order to minimise delays ● TCP in SSL tunnel https://www.flickr.com/photos/tradingrichmom/5571144428/ Trading protocol
  • 38. And what if we...
  • 40. <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encodin g/"> <registerUserReturn xsi:type="xsd:string"> &lt;error code=&quot;266&quot; &gt;Incorrect login&lt;/error&gt; </registerUserReturn></registerUserResponse></soapenv:Body> • Incorrect password • Incorrect first name • Group with name null doesn't exist • Group with name admin doesn't exist • Group with name Administrator doesn't exist • And how about „root”? RegisterUser
  • 41. Game Over <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/ encoding/"> <registerUserReturn xsi:type="xsd:string"> User was registered sucessfully with id=5392745 So now we can manage all the other accounts and spend their money!
  • 43. Cheat sheet – owners While deploying a proprietary solution: • Get it pentested • Verify vendor claims • Ask the vendor for secure development lifecycle, procedures of addressing vulnerabilities, previous bugs
  • 44. Cheat sheet - developers Protocol is NOT secure by its secrecy Proper encryption. Use known standards, implement them with care. Input validation, access control, many layers of security, least privilege principle... Beware backwards compatibility
  • 45. How to hack protocols? Decompile client? Inject code? Search for the specs? Use some tools? Watch the packets? https://www.flickr.com/photos/nkphillips/2865781749
  • 46. Look for the fine manual • There may be unofficial client, or e.g. wireshark plugin • Ask for the docs  • Search for them • Yes, we have found internal protocol specification by google hacking!
  • 47. Decompile client Sometimes easy – e.g. not obfuscated Android application: byte abyte3[] = pass.getBytes(); byte abyte4[] = MessageDigest.getInstance("MD5").digest (abyte3); Sometimes really hard & time consuming. May be fun, but often leads astray
  • 48. Watch the packets Various tools to analyze proprietary protocols time consuming, usually do not work Raw, just try to spot some scheme of course with a little help of your friends: wireshark, tcpdump, ssldump etc. Your favourite scripting language
  • 50. Thank you, looking forward to contact! jakub.kaluzny@securing.pl MORETHAN SECURITY TESTING
  • 52. Thousands of interfaces publicly available. Trivial to discover, already scanned & catalogued likewise cameras. Modbus-TCP, Serial-TCP, default passwords or password-less web management interfaces... I won’t reveal the links here ;) Industrial insecurity
  • 53. Industrial insecurity – public interfaces
  • 54. Industrial insecurity – public interfaces
  • 55. Industrial insecurity – public interfaces
  • 56. Read RFIDs mounted in privileged trucks to automatically open the gate. Industrial RFID reader
  • 57. PORT STATE SERVICE VERSION 23/tcp open telnet Busybox telnetd 4007/tcp open pxc-splr? 4684/tcp open unknown 10001/tcp open tcpwrapped Service Info: Host: UHF-RFID-Dev Industrial RFID reader – port scan
  • 58. No need to hack - just RTFM
  • 60. $ echo -e "xAAxBBx01x01x11x01xAAxCC" | nc <IP> 4007 | hexdump 0000000 bbaa 0101 8111 aa00 aacc 07bb aa00 aacc 0000010 07bb aa00 aacc 07bb aa00 aacc 07bb aa00 0000020 aacc 07bb aa00 aacc 07bb aa00 aacc 07bb 0000030 aa00 aacc 07bb aa00 aacc 07bb aa00 aacc (...) 0000350 aacc 07bb aa00 aacc 07bb aa00 aacc 07bb 0000360 aa00 aacc 07bb aa00 aacc 07bb aa00 aacc 0000370 07bb aa00 aacc 01bb 1101 ffc1 0103 0247 0000380 1353 ed6b ccaa bbaa 0007 ccaa bbaa 0101 0000390 c111 0300 0001 5302 6b13 05ed aa00 aacc (...) ...and now we can clone the tag
  • 61. The incoming vehicles are also traditionally verified by security staff. The device is available in restricted LAN only. The tag can also be scanned from the truck itself. BUT: you have to be aware of the technology shortcomings and not to alter the above conditions! Should we worry?
  • 62. BLUETOOTH SMART - AKA Bluetooth Low Energy, BLE, Bluetooth 4
  • 63. Bluetooth Smart != Bluetooth 3 Completely different stack – from RF to upper layers. Designed from the ground-up for low energy usage. Network topology a) Broadcaster + Observer b) Master + Peripheral
  • 64. Broadcast - beacon https://www.flickr.com/photos/jnxyz/13570855743 UUID (vendor) 2F234454-CF6D-4A0F- ADF2-F4911BA9FFA6 Major (group) 45044 Minor (individual) 5 Tx Power -59 The mobile app can measure precise distance to specified beacon.
  • 65. Beacons – emulation #1: LightBlue https://itunes.apple.com/us/app/lightblue-bluetooth-low-energy/id557428110 Available for iPhone, iPad, Mac
  • 66. # hcitool cmd 0x08 0x0008 1E 02 01 1A 1A FF 4C 00 02 15 84 2A F9 C4 08 F5 11 E3 92 82 F2 3C 91 AE C0 5E FD E8 AF C8 C5 00 Beacons – emulation #2: Bluez
  • 67. # hcitool cmd 0x08 0x0008 1E 02 01 1A 1A FF 4C 00 02 15 84 2A F9 C4 08 F5 11 E3 92 82 F2 3C 91 AE C0 5E FD E8 AF C8 C5 00 Beacons – emulation #2: Bluez
  • 68. # hcitool cmd 0x08 0x0008 1E 02 01 1A 1A FF 4C 00 02 15 84 2A F9 C4 08 F5 11 E3 92 82 F2 3C 91 AE C0 5E FD E8 AF C8 C5 00 iBeacon data broadcast iBeacon prefix (constant) UUID: 842AF9C4-08F51-1E39-282F- 23C91AEC05E Major: FD E8 = 65 000 Minor: AF C8 = 45 000 TX power
  • 69. Additional info on products based on precise location. Rewards for visiting places. Indoor guide, help to navigate the blind etc. Your home or toys can automatically react to you. Be warned that your bike or car is no longer in the garage. Beacons – some example usage scenarios
  • 70. Beacons – additional info based on location
  • 72. Beacons – the navigating usage scenario
  • 74. OTHER BLE DEVICES Beacons are just the beginning...
  • 75. 1. Buy SDK+devices from selected vendor (Nordic, TI...) 2. Import ready-to-use sample code. 3. Add your bright usage scenario (and sometimes a bit of hacking). 4. Create convincing bootstrap webpage + videos. 5. Run successful Kickstarter campaign. 6. Profit! How to make your own BLE device?
  • 76. Electric plugs, lightbulbs, locks, kettles, sensors, wallets, socks, pans, jars, toothbrushes, bags, plates, dildos, sitting pads, measuring your farts devices, calorie-counting mugs... „It was just a dumb thing. Then we put a chip in it. Now it's a smart thing.” (weputachipinit.tumblr.com) Crowdfunding: a new kind of celebrity. Too often ridiculous meets big money. Beacons are just the beginning... www.myvessyl.com
  • 77. They have been assured the communication is unbreakable because they use AES. I showed an intruder may approach the unsuspecting victim’s phone once (even with autounlock feature off), to be able to get full control over the car for consecutive times without consent of the victim. Other BLE devices www.loxet.io
  • 79. Thank you, looking forward to contact! jakub.kaluzny@securing.pl MORETHAN SECURITY TESTING