Cosmin Radu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9. The slides and other presentations can be found on https://def.camp/archive

1. 08.11.2018
© Atos
Burp-ing through your cryptography shield

2. Who am I?

3. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ rootn uid=0(root) gid=0(root) groups=0(root)
▶ Work and education:
▪ Pentester @Atos Romania
▪ BEng @University “Politehnica” of Bucharest
▪ MEng @University “Politehnica” of Bucharest
▪ MSc @Bucharest Academy of Economic Studies
▪ Member @Romanian Security Team community
▪ Speaker @DefCamp 2017 && @OWASP RO 2018
▪ CEH
▪ Interests:
▪ Web App Security
▪ Infra Security
▪ IoT Device Security
▪ Contact: @matasareanu13
3
~# whoami&&id

4. Glossary ☺

5. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ Burping (also known as belching, ructus, eruptus or eructation) is the release of
gas from the digestive tract (mainly esophagus and stomach) through the
mouth.
5
What is Burp-ing?

6. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
6
What is Burp-ing?

7. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
7
What is Burp?

8. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ A thick client, also known as Fat Client is a client in client–server architecture or
network and typically provides rich functionality, independent of the server. In
these types of applications, the major processing is done at the client side and
involves only aperiodic connection to the server.
8
What is a Thick Client?

9. What is the problem?

10. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ Be on a pentest assignment with a thick client in front of you
▶ Set up Burp as a system proxy
▶ Manage to finally intercept requests
▶ Cool – SOAP requests
▶ Stumble upon gibberish in the requests and response of the application
10
What is the problem at hand?

11. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
11

12. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
Decompile the .NET application
12
What to do?

13. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ Find the encryption method used
13
What to do?

14. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
14
What to do?

15. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
15
What to do?
Find the IV and the Key ☺

16. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
16
Cyberchef

17. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
17
Results ☺
▶ We are starting to get there ☺
▶ But decrypting, decoding modifying the parameters, re-encoding, re-encrypting
for each request and for each payload starts to get old very fast.

18. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
18

19. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
19
My Google Fu isn’t providing

20. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
20

21. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ Getting started:
– “Easy“ way to extend Burp features
– Basic steps:
21
Writing a Burp extension ☺

22. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ Getting started:
– “Easy“ way to extend Burp features
– Basic steps:
22
Writing a Burp extension ☺

23. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
23
Writing a Burp extension ☺
Get more info about writing a Extension.
Learn by example ☺
https://portswigger.net/burp/extender#SampleE
xtensions

24. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
Decide what language you will use??
24
Writing a Burp extension ☺

25. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
Jython it is ☺
25
Writing a Burp extension ☺

26. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
26
Writing a Burp extension ☺
https://portswigger.net/blog/sample-burp-suite-extension-custom-editor-tab
Start from
something
they built It’s always easier ☺

27. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ The encrypted values are found in SOAP requests under two XML tags:
– <writeObj>
– <readObj>
– First step is to look for the pattern:
27
Writing a Burp extension ☺

28. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
28
Writing a Burp extension ☺
Decrypt the payload ☺
Don’t be that fast
PyCrypto doesn’t want to work in Jython 

29. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
29
Writing a Burp extension ☺
Decrypt the payload ☺
Don’t be that fast
PyCrypto doesn’t want to work in Jython 

30. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
30
Writing a Burp extension ☺
https://github.com/csm/jycrypto

31. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
31
Writing a Burp extension ☺

32. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ You now have .NET serialized objects…
32
Writing a Burp extension ☺
And now the struggle of Google-ing begins
again..

33. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ https://github.com/agix/NetBinaryFormatterParser
33
Writing a Burp extension ☺

34. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
34
Writing a Burp extension ☺

35. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
35
Writing a Burp extension ☺

36. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
▶ Problem and solution:
– Burp’s Java StackTrace doesn’t provide any help when using Jython!
– Here comes the solution: https://github.com/securityMB/burp-exceptions
– Put the file in your project folder
– Import it in your code:
– Call it in the end:
– Now any Python exception is thrown in the Extender Output-Tab of Burp
36
Writing a Burp extension ☺

37. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
37

38. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
38

39. | 08.11.2018 | Cosmin Radu | © Atos
Atos Romania
39
Questions? And let’s hope some answers ☺

40. Atos, the Atos logo, Atos Codex, Atos Consulting, Atos Worldgrid, Bull, Canopy, equensWorldline, Unify,
Worldline and Zero Email are registered trademarks of the Atos group. November 2018. © 2018 Atos.
Confidential information owned by Atos, to be used by the recipient only. This document, or any part of
it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written
approval from Atos.
Thanks
For more information:
contact@cosminr.me
@Matasareanu13
github.com/Matasareanu
Or you know, in person ☺