PROIDEA, profile picture
Uploaded byPROIDEA
PPTX, PDF830 views

CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols

The document discusses the security vulnerabilities of proprietary protocols through various case studies in home automation, pull printing, and remote desktop protocols. It highlights methods for pentesting these protocols and emphasizes the need for proper encryption and security measures to safeguard against threats. Additionally, it provides a cheat sheet for architects and developers focusing on security best practices and how to approach hacking these protocols.

Embed presentation

Downloaded 18 times
Shameful secrets of proprietary protocols Sławomir Jasek Jakub Kałużny SecuRing Photo: https://www.flickr.com/photos/ektogamat/2687444500
Who are we ● Pentesters @ ● Security assessments of applications, networks, systems... Sławomir Jasek Jakub Kałużny
Agenda ● Case studies – proprietary protocols – Home automation – Pull printing #1 – Remote desktop – Pull printing #2 – Trading ● Cheatsheet for architects & developers ● How to hack it
Proprietary network protocols • A pentester will encounter one. • Don’t have the protocol specs nor tools to attack it • How to hack it? • decompile the client? • search for some tools? • watch the raw packets? • Let’s try! https://www.flickr.com/photos/canonsnapper/2566562866
Home automation remote control ● „Plug the device, configure your router for port forwarding (and dynamic dns if necessary), set password.” ● Proprietary TCP protocol, direct connection from Internet to device, password protected access http://www.flickr.com/photos/99832244@N07/9436065073/
Protocol – a few packets ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 02 01 00 00 a9 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 0c 02 00 00 a4 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 aa 53 41 02 01 01 f0 f1 f1 f1 f1 00 be f1 f1 00 .SA..... ........ c4 00 e1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 ........ ........ f1 f1 f1 00 64 00 00 00 01 00 f0 f0 0a f1 00 02 ....d... ........ 0f 0f e7 S E R V E R C L I E N T
And what if we change the password? Password 1: Password 2 Password 3
Home automation protocol Internal command (5 bytes) MD5(password) – first 10 bytes Status returned by the appliance (sensors, settings, etc).
Home automation - failures ● Sniffing ● MITM ● Connect directly to the appliance - sniffed hash is enough ● Recommendation: SSL!
Home automation - SSL ● Vendor: OK, we have added SSL support! sslcontext = SSLContext.getInstance("TLS"); atrustmanager = new TrustManager[1]; atrustmanager[0] = new EasyX509TrustManager(null); sslcontext.init(null, atrustmanager, null); • Empty TrustManager – accepts all certificates
Side effect How to build your own appliance: socat tcp4-listen:1234,fork,readbytes=5 /dev/ttyUSB0,vmin=51 And for the new version with SSL support: socat openssl-listen:1234,key=s.key, cert=s.crt,verify=0,fork,readbytes=5 /dev/ttyUSB0,vmin=51
Pull Printing Solutions
Why hack pull printing? • Widely used • Confidential data • Getting popular
Threat modelling – key risks sniffing print queues accountability users’ data
Attack vectors Other users’ data Access to other print queues Sniffing, MITM Authorization bypass User/admin interface vulnerabilities
Pull Printing #1 – access control “With its roots in education and the full understanding that college kids “like to hack”, our development processes continually focus on security.” “Secure print release (…) can integrate card-swipe user authentication at devices (…) ensuring jobs are only printed when the collecting user is present.”
Pull Printing #1 – binary protocol S E R V E R P R I N T E R HELLO USER: user1 token HASH(password + token) Password ok Release my print queue OK Just copied 100 pages
Charge user “guest-xyz” for copying 100 pages Pull Printing #1 – closer look Release my print queue Just copied 100 pages User permissions beginDeviceTransaction (…) guest-xyz Release print queue for user “guest-xyz” S E R V E R P R I N T E R
Pull printing #1 - consequences sniffing print queues accountability users’ data
Pull printing #1 - vendor gets notified • Gave access to KB and support service • And all versions of software • Responded in few hours and patched in few days • Was happy to be pentested
Remote desktop protocol ● X-win „on steroids” (encryption, compression, access control...) ● Mainframe access for critical business operations ● „More than 100,000 users around the world” ● „Prevents unauthorized eavesdropping FIPS 140-2 Validated End-to-end data encryption” http://en.wikipedia.org/wiki/X_Window_System_protocols_and_architecture
Remote desktop protocol 00000000 0b 00 00 00 .... C L I E N T S E R V E R 00000000 01 01 00 00 .... 00000004 16 03 00 00 6d 01 00 00 69 03 00 52 8d e8 02 cf ....m... i..R.... 00000014 88 d3 96 14 f4 a3 7c 47 f3 0d 85 57 58 d6 c9 f7 ......|G ...WX... 00000024 18 24 95 15 2e 05 82 27 b7 1e ff 00 00 42 00 3a .$.....' .....B.: 00000034 00 39 00 38 00 35 00 34 00 33 00 32 00 2f 00 1b .9.8.5.4 .3.2./.. 00000044 00 1a 00 19 00 18 00 17 00 16 00 15 00 14 00 13 ........ ........ 00000054 00 12 00 11 00 0a 00 09 00 08 00 07 00 06 00 05 ........ ........ SSL 00000000 01 00 00 00 .... 00000004 11 01 30 0d 08 03 f1 00 00 00 00 00 00 00 00 00 ..0..... ........ 00000014 00 ff ff 7f 00 00 01 ac 3d 08 08 68 69 6a 61 63 ........ =..hijac 00000024 6b 65 64 0a 30 35 31 45 31 45 31 41 32 36 00 01 ked.051E 1E1A26.. 00000000 01 00 00 00 .... LOGIN ENCODED PASSWORD
Password [redacted] Communications Limited 54657374696e6750617373776f72643132333454657374696e6750617373776f7264TestingPassword1234TestingPassword XOR 1c101e1900000032080117572c1d095c475d5d3704071d060014702d1a1e1e1b1700 = 48756d6d696e676269726420436f6d6d756e69636174696f6e73204c696d69746564
Remote Desktop - SSL C L I E N T CLIENTHELLO! cipher suites: SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA (...) default configuration SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA OK, no problem! You have to be the right server if you say so, don’t you?
Remote Desktop - SSL C L I E N T CLIENTHELLO! certificates configured SERVERHELLO! Certificate Non-anonymous cipher suites: (...) 1st connection: OK, certificate stored! Following connections: OK, certificate valid / ALERT: MITM ATTACK! SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA I have your certificate, but since you don’t offer it any more, I won’t check it. OK, let’s connect!
Remote desktop protocol - vendor ● „We don’t know PGP, use zip with our CEO’s name as password” ● Do not plan to solve the issues (?) ● > /dev/null 2>&1 ● Full disclosure! ● ... and a few weeks later the mysterious shut down of our beloved ;)
Pull Printing #2 - encryption “is a modern printing solution that safeguards document confidentiality and unauthorized access to print, scan, copy and e-mail functions. Its user-authentication provides air-tight security on your shared MFPs that function as personal printers.”
Vendor ensures „Documents are delivered only into the right hands” „Information is kept confidential. No risk of being left unattended at the printer” „Document collection is safe anytime and anywhere — no “print and sprint”.” „Integration with other enterprise applications and workflows is kept secure through single sign-on”
Pull Printing #2 – binary protocol First look on communication: • TCP, 2 ports • No cleartext, no SSL • Seems to follow some scheme…
Ex1: Deeper sight on traffic S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode https://en.wikipedia.org/wiki/ECB_mode
Pull Printing #2 - Reverse-engineered • Hardcoded RSA certificate in printer embedded software • No trust store • AES-128 ECB used for traffic encryption • Same protocol in admin interface
Pull Printing #2 - Consequences sniffing print queues accountability users’ data
“Many of the devices do not have the CPU power that allows a fast login response and at the same time establish a high security level” For example changing ECB to CBC mode encryption will be more CPU intensive and introducing that may cause slower performance of the devices, which the customers are very reluctant to see implemented.” Pull Printing #1 - vendor gets notified “(…) system has been deployed at many high security customers and has passed internal audits.”
Trading protocol ● An online application for instant financial operations ● A proprietary, binary protocol, designed in order to minimise delays ● TCP in SSL tunnel https://www.flickr.com/photos/tradingrichmom/5571144428/
Trading protocol – a few packets
Thats interesting!
Thats interesting!
And what if we...
And how about...
RegisterUser <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <registerUserReturn xsi:type="xsd:string"> &lt;error code=&quot;266&quot; &gt;Incorrect login&lt;/error&gt; </registerUserReturn> </registerUserResponse> </soapenv:Body> • Incorrect password • Incorrect first name • Group with name null doesn't exist • Group with name admin doesn't exist • Group with name Administrator doesn't exist • And how about „root”?
Game Over <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <registerUserReturn xsi:type="xsd:string"> User was registered sucessfully with id=5392745 </registerUserReturn> </registerUserResponse> </soapenv:Body> So now we can manage all the other accounts and spend their money!
Architecture
Cheat sheet – owners While deploying a proprietary solution: • Get it pentested • Verify vendor claims • Ask the vendor for secure development lifecycle, procedures of addressing vulnerabilities, previous bugs
Cheat sheet - developers ● Protocol is NOT secure by its secrecy ● Proper encryption. Use known standards, implement them with care. ● Input validation, access control, many layers of security, least privilege principle...
How to hack protocols? Decompile client? Inject code? Search for the specs? Use some tools? Watch the packets? https://www.flickr.com/photos/nkphillips/2865781749
Decompile client ● Sometimes easy – e.g. not obfuscated Android application byte abyte3[] = pass.getBytes(); byte abyte4[] = MessageDigest.getInstance("MD5").digest(abyte3); ● Sometimes really hard & time consuming. ● May be fun, but often leads astray: Sywek1?-# 45Schtirlitz&Pianistka
Look for the fine manual ● There may be an unofficial client, or e.g. wireshark plugin ● Ask for the docs  ● Search for them – Yes, we have found internal protocol specification by google hacking!
Watch the packets ● Various tools to analyze proprietary protocols – time consuming, usually do not work ● Raw, just try to spot some scheme – of course with a little help of your friends: wireshark, tcpdump, ssldump etc. ● Your favourite scripting language
The end? slawomir.jasek@securing.pl jakub.kaluzny@securing.pl www.securing.pl Work with us! careers@securing.pl Talk with us! you are welcome to our stand!

More Related Content

PDF
Reverse engineering Swisscom's Centro Grande Modem
byCyber Security Alliance
 
PPTX
Countering Innovative Sandbox Evasion Techniques Used by Malware
byTyler Borosavage
 
PDF
IoThings you don't even need to hack
bySlawomir Jasek
 
PDF
Reverse Engineering the TomTom Runner pt. 2
byLuis Grangeia
 
PPTX
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
byJakub Kałużny
 
PPTX
BSides London 2015 - Proprietary network protocols - risky business on the wire.
byJakub Kałużny
 
PPTX
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
byBlueHat Security Conference
 
PDF
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
byJakub Kałużny
 
Reverse engineering Swisscom's Centro Grande Modem
byCyber Security Alliance
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
byTyler Borosavage
 
IoThings you don't even need to hack
bySlawomir Jasek
 
Reverse Engineering the TomTom Runner pt. 2
byLuis Grangeia
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
byJakub Kałużny
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
byJakub Kałużny
 
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
byBlueHat Security Conference
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
byJakub Kałużny
 

What's hot

PDF
D1 t1 t. yunusov k. nesterov - bootkit via sms
byqqlan
 
PDF
Positive Technologies - S4 - Scada under x-rays
byqqlan
 
PDF
Hacking the swisscom modem
byCyber Security Alliance
 
PDF
Lucas apa pacsec slides
byPacSecJP
 
PDF
Esp8266 v12
byhandson28
 
PDF
Automated Malware Analysis and Cyber Security Intelligence
byJason Choi
 
PDF
Ceh v8 labs module 03 scanning networks
byAsep Sopyan
 
PDF
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
byCyber Security Alliance
 
PDF
44CON London - Attacking VxWorks: from Stone Age to Interstellar
by44CON
 
PDF
Масштабируемый и эффективный фаззинг Google Chrome
byPositive Hack Days
 
PDF
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
by44CON
 
PDF
Ceh v8 labs module 07 viruses and worms
byAsep Sopyan
 
ODP
Proxy arp
byMarian Marinov
 
PPTX
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
byEC-Council
 
PDF
Threat Con 2021: What's Hitting my Honeypots
byAPNIC
 
PDF
Honeypots: Visão Geral
bybernardo_mr
 
TXT
Ipsec
byEddy Barzallo
 
PDF
Don't Get Hacked on Hostile WiFi
byMackenzie Morgan
 
PPTX
Scada strange love uwn-stuxnet
byPositive Hack Days
 
PDF
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
by44CON
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
byqqlan
 
Positive Technologies - S4 - Scada under x-rays
byqqlan
 
Hacking the swisscom modem
byCyber Security Alliance
 
Lucas apa pacsec slides
byPacSecJP
 
Esp8266 v12
byhandson28
 
Automated Malware Analysis and Cyber Security Intelligence
byJason Choi
 
Ceh v8 labs module 03 scanning networks
byAsep Sopyan
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
byCyber Security Alliance
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
by44CON
 
Масштабируемый и эффективный фаззинг Google Chrome
byPositive Hack Days
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
by44CON
 
Ceh v8 labs module 07 viruses and worms
byAsep Sopyan
 
Proxy arp
byMarian Marinov
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
byEC-Council
 
Threat Con 2021: What's Hitting my Honeypots
byAPNIC
 
Honeypots: Visão Geral
bybernardo_mr
 
Ipsec
byEddy Barzallo
 
Don't Get Hacked on Hostile WiFi
byMackenzie Morgan
 
Scada strange love uwn-stuxnet
byPositive Hack Days
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
by44CON
 

Viewers also liked

PPTX
El e-dni como herramienta de seguridad
byEventos Creativos
 
PDF
CC-4005, Performance analysis of 3D Finite Difference computational stencils ...
byAMD Developer Central
 
PDF
Oracle IoT Cloud Service - First practical experience
byOPITZ CONSULTING Deutschland
 
PPTX
25 years of CadSoft
byFarnell element14
 
PDF
Opening “Big Data Challenge” data: some insights on our role in the story
bySpazioDati
 
PPTX
Análisis Forense de teléfonos iPhone/iPad
byEventos Creativos
 
PDF
RandGold Resources Facts & Figures
byCompany Spotlight
 
PPTX
Quality Quest for Health Peoria, IL
bychildbirthconnection
 
PDF
Csw2016 julien moinard-hardsploit
byCanSecWest
 
PDF
Monitorizar GoogleBot usando Google Analytics por Lino Uruñuela
byLino Uruñuela
 
PDF
EMV Survey Results
byRandstad USA
 
PDF
Evdokimov python arsenal for re
byDefconRussia
 
PPTX
Eclipse Community Survey Report 2013
byIan Skerrett
 
PDF
Nanotechnology, ubiquitous computing and the internet of things
byKarlos Svoboda
 
PDF
Saverio Bruno - Facebook Advertising
byCultura Digitale
 
PPTX
When Attention is not Scarce – Detecting Boredom from Mobile Phone Usage
byMartin Pielot
 
PDF
Starlook.ru
byAlena Popova
 
PPTX
Boredom-Triggered Proactive Recommendations
byMartin Pielot
 
PDF
The Italian Way to Social Network Sites
byUniversità of Urbino Carlo Bo
 
KEY
From "Stand by Your Man" to "Stand by Your Suntan:" Women in boardsports from...
byCori Schumacher
 
El e-dni como herramienta de seguridad
byEventos Creativos
 
CC-4005, Performance analysis of 3D Finite Difference computational stencils ...
byAMD Developer Central
 
Oracle IoT Cloud Service - First practical experience
byOPITZ CONSULTING Deutschland
 
25 years of CadSoft
byFarnell element14
 
Opening “Big Data Challenge” data: some insights on our role in the story
bySpazioDati
 
Análisis Forense de teléfonos iPhone/iPad
byEventos Creativos
 
RandGold Resources Facts & Figures
byCompany Spotlight
 
Quality Quest for Health Peoria, IL
bychildbirthconnection
 
Csw2016 julien moinard-hardsploit
byCanSecWest
 
Monitorizar GoogleBot usando Google Analytics por Lino Uruñuela
byLino Uruñuela
 
EMV Survey Results
byRandstad USA
 
Evdokimov python arsenal for re
byDefconRussia
 
Eclipse Community Survey Report 2013
byIan Skerrett
 
Nanotechnology, ubiquitous computing and the internet of things
byKarlos Svoboda
 
Saverio Bruno - Facebook Advertising
byCultura Digitale
 
When Attention is not Scarce – Detecting Boredom from Mobile Phone Usage
byMartin Pielot
 
Starlook.ru
byAlena Popova
 
Boredom-Triggered Proactive Recommendations
byMartin Pielot
 
The Italian Way to Social Network Sites
byUniversità of Urbino Carlo Bo
 
From "Stand by Your Man" to "Stand by Your Suntan:" Women in boardsports from...
byCori Schumacher
 

Similar to CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols

PDF
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
byHoàng Hải Nguyễn
 
PDF
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
byLyon Yang
 
PDF
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
byFelipe Prado
 
PDF
Network+ Guide to Networks 7th Edition West Test Bank
bytisbycoore15
 
PDF
Hackerworkshop exercises
byHenrik Kramshøj
 
PPT
security
byahmad amiruddin
 
PDF
Metasploit
bynoc_313
 
PDF
Shameful secrets of proprietary network protocols
bySlawomir Jasek
 
PPTX
In The Middle of Printers –The (In)Security of Pull Printing Solutions
bySecuRing
 
PPTX
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
byJakub Kałużny
 
PPTX
In the Middle of Printers: (In)security of Pull Printing Solutions
byPositive Hack Days
 
PDF
class12_Networking2
byT. J. Saotome
 
PDF
Dssh @ Confidence, Prague 2010
byJuraj Bednar
 
PDF
Call your key to phone all
byGerard Fuguet
 
PDF
SNMP : Simple Network Mediated (Cisco) Pwnage
bySensePost
 
PDF
Fedv6tf-fhs
byTim Martin
 
PPT
introduction to security
byahmad amiruddin
 
PDF
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
byShakacon
 
PDF
0day hunting a.k.a. The story of a proper CPE test
byBalazs Bucsay
 
PDF
Meterpreter in Metasploit User Guide
byKhairi Aiman
 
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
byHoàng Hải Nguyễn
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
byLyon Yang
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
byFelipe Prado
 
Network+ Guide to Networks 7th Edition West Test Bank
bytisbycoore15
 
Hackerworkshop exercises
byHenrik Kramshøj
 
security
byahmad amiruddin
 
Metasploit
bynoc_313
 
Shameful secrets of proprietary network protocols
bySlawomir Jasek
 
In The Middle of Printers –The (In)Security of Pull Printing Solutions
bySecuRing
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
byJakub Kałużny
 
In the Middle of Printers: (In)security of Pull Printing Solutions
byPositive Hack Days
 
class12_Networking2
byT. J. Saotome
 
Dssh @ Confidence, Prague 2010
byJuraj Bednar
 
Call your key to phone all
byGerard Fuguet
 
SNMP : Simple Network Mediated (Cisco) Pwnage
bySensePost
 
Fedv6tf-fhs
byTim Martin
 
introduction to security
byahmad amiruddin
 
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
byShakacon
 
0day hunting a.k.a. The story of a proper CPE test
byBalazs Bucsay
 
Meterpreter in Metasploit User Guide
byKhairi Aiman
 

Recently uploaded

PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
API-First Architecture in Financial Systems
bycyy111112
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 

CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols

  • 1.
    Shameful secrets of proprietaryprotocols Sławomir Jasek Jakub Kałużny SecuRing Photo: https://www.flickr.com/photos/ektogamat/2687444500
  • 2.
    Who are we ●Pentesters @ ● Security assessments of applications, networks, systems... Sławomir Jasek Jakub Kałużny
  • 3.
    Agenda ● Case studies– proprietary protocols – Home automation – Pull printing #1 – Remote desktop – Pull printing #2 – Trading ● Cheatsheet for architects & developers ● How to hack it
  • 4.
    Proprietary network protocols •A pentester will encounter one. • Don’t have the protocol specs nor tools to attack it • How to hack it? • decompile the client? • search for some tools? • watch the raw packets? • Let’s try! https://www.flickr.com/photos/canonsnapper/2566562866
  • 5.
    Home automation remotecontrol ● „Plug the device, configure your router for port forwarding (and dynamic dns if necessary), set password.” ● Proprietary TCP protocol, direct connection from Internet to device, password protected access http://www.flickr.com/photos/99832244@N07/9436065073/
  • 6.
    Protocol – afew packets ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 02 01 00 00 a9 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 0c 02 00 00 a4 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 aa 53 41 02 01 01 f0 f1 f1 f1 f1 00 be f1 f1 00 .SA..... ........ c4 00 e1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 ........ ........ f1 f1 f1 00 64 00 00 00 01 00 f0 f0 0a f1 00 02 ....d... ........ 0f 0f e7 S E R V E R C L I E N T
  • 7.
    And what ifwe change the password? Password 1: Password 2 Password 3
  • 8.
    Home automation protocol Internalcommand (5 bytes) MD5(password) – first 10 bytes Status returned by the appliance (sensors, settings, etc).
  • 9.
    Home automation -failures ● Sniffing ● MITM ● Connect directly to the appliance - sniffed hash is enough ● Recommendation: SSL!
  • 10.
    Home automation -SSL ● Vendor: OK, we have added SSL support! sslcontext = SSLContext.getInstance("TLS"); atrustmanager = new TrustManager[1]; atrustmanager[0] = new EasyX509TrustManager(null); sslcontext.init(null, atrustmanager, null); • Empty TrustManager – accepts all certificates
  • 11.
    Side effect How tobuild your own appliance: socat tcp4-listen:1234,fork,readbytes=5 /dev/ttyUSB0,vmin=51 And for the new version with SSL support: socat openssl-listen:1234,key=s.key, cert=s.crt,verify=0,fork,readbytes=5 /dev/ttyUSB0,vmin=51
  • 12.
  • 13.
    Why hack pullprinting? • Widely used • Confidential data • Getting popular
  • 14.
    Threat modelling –key risks sniffing print queues accountability users’ data
  • 15.
    Attack vectors Other users’data Access to other print queues Sniffing, MITM Authorization bypass User/admin interface vulnerabilities
  • 16.
    Pull Printing #1– access control “With its roots in education and the full understanding that college kids “like to hack”, our development processes continually focus on security.” “Secure print release (…) can integrate card-swipe user authentication at devices (…) ensuring jobs are only printed when the collecting user is present.”
  • 17.
    Pull Printing #1– binary protocol S E R V E R P R I N T E R HELLO USER: user1 token HASH(password + token) Password ok Release my print queue OK Just copied 100 pages
  • 18.
    Charge user “guest-xyz”for copying 100 pages Pull Printing #1 – closer look Release my print queue Just copied 100 pages User permissions beginDeviceTransaction (…) guest-xyz Release print queue for user “guest-xyz” S E R V E R P R I N T E R
  • 19.
    Pull printing #1- consequences sniffing print queues accountability users’ data
  • 20.
    Pull printing #1- vendor gets notified • Gave access to KB and support service • And all versions of software • Responded in few hours and patched in few days • Was happy to be pentested
  • 21.
    Remote desktop protocol ●X-win „on steroids” (encryption, compression, access control...) ● Mainframe access for critical business operations ● „More than 100,000 users around the world” ● „Prevents unauthorized eavesdropping FIPS 140-2 Validated End-to-end data encryption” http://en.wikipedia.org/wiki/X_Window_System_protocols_and_architecture
  • 22.
    Remote desktop protocol 000000000b 00 00 00 .... C L I E N T S E R V E R 00000000 01 01 00 00 .... 00000004 16 03 00 00 6d 01 00 00 69 03 00 52 8d e8 02 cf ....m... i..R.... 00000014 88 d3 96 14 f4 a3 7c 47 f3 0d 85 57 58 d6 c9 f7 ......|G ...WX... 00000024 18 24 95 15 2e 05 82 27 b7 1e ff 00 00 42 00 3a .$.....' .....B.: 00000034 00 39 00 38 00 35 00 34 00 33 00 32 00 2f 00 1b .9.8.5.4 .3.2./.. 00000044 00 1a 00 19 00 18 00 17 00 16 00 15 00 14 00 13 ........ ........ 00000054 00 12 00 11 00 0a 00 09 00 08 00 07 00 06 00 05 ........ ........ SSL 00000000 01 00 00 00 .... 00000004 11 01 30 0d 08 03 f1 00 00 00 00 00 00 00 00 00 ..0..... ........ 00000014 00 ff ff 7f 00 00 01 ac 3d 08 08 68 69 6a 61 63 ........ =..hijac 00000024 6b 65 64 0a 30 35 31 45 31 45 31 41 32 36 00 01 ked.051E 1E1A26.. 00000000 01 00 00 00 .... LOGIN ENCODED PASSWORD
  • 23.
  • 24.
    Remote Desktop -SSL C L I E N T CLIENTHELLO! cipher suites: SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA (...) default configuration SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA OK, no problem! You have to be the right server if you say so, don’t you?
  • 25.
    Remote Desktop -SSL C L I E N T CLIENTHELLO! certificates configured SERVERHELLO! Certificate Non-anonymous cipher suites: (...) 1st connection: OK, certificate stored! Following connections: OK, certificate valid / ALERT: MITM ATTACK! SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA I have your certificate, but since you don’t offer it any more, I won’t check it. OK, let’s connect!
  • 26.
    Remote desktop protocol- vendor ● „We don’t know PGP, use zip with our CEO’s name as password” ● Do not plan to solve the issues (?) ● > /dev/null 2>&1 ● Full disclosure! ● ... and a few weeks later the mysterious shut down of our beloved ;)
  • 27.
    Pull Printing #2- encryption “is a modern printing solution that safeguards document confidentiality and unauthorized access to print, scan, copy and e-mail functions. Its user-authentication provides air-tight security on your shared MFPs that function as personal printers.”
  • 28.
    Vendor ensures „Documents aredelivered only into the right hands” „Information is kept confidential. No risk of being left unattended at the printer” „Document collection is safe anytime and anywhere — no “print and sprint”.” „Integration with other enterprise applications and workflows is kept secure through single sign-on”
  • 29.
    Pull Printing #2– binary protocol First look on communication: • TCP, 2 ports • No cleartext, no SSL • Seems to follow some scheme…
  • 30.
    Ex1: Deeper sighton traffic S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode https://en.wikipedia.org/wiki/ECB_mode
  • 31.
    Pull Printing #2- Reverse-engineered • Hardcoded RSA certificate in printer embedded software • No trust store • AES-128 ECB used for traffic encryption • Same protocol in admin interface
  • 32.
    Pull Printing #2- Consequences sniffing print queues accountability users’ data
  • 33.
    “Many of thedevices do not have the CPU power that allows a fast login response and at the same time establish a high security level” For example changing ECB to CBC mode encryption will be more CPU intensive and introducing that may cause slower performance of the devices, which the customers are very reluctant to see implemented.” Pull Printing #1 - vendor gets notified “(…) system has been deployed at many high security customers and has passed internal audits.”
  • 34.
    Trading protocol ● Anonline application for instant financial operations ● A proprietary, binary protocol, designed in order to minimise delays ● TCP in SSL tunnel https://www.flickr.com/photos/tradingrichmom/5571144428/
  • 35.
    Trading protocol –a few packets
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
    RegisterUser <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <registerUserReturn xsi:type="xsd:string"> &lt;errorcode=&quot;266&quot; &gt;Incorrect login&lt;/error&gt; </registerUserReturn> </registerUserResponse> </soapenv:Body> • Incorrect password • Incorrect first name • Group with name null doesn't exist • Group with name admin doesn't exist • Group with name Administrator doesn't exist • And how about „root”?
  • 41.
    Game Over <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <registerUserReturn xsi:type="xsd:string"> Userwas registered sucessfully with id=5392745 </registerUserReturn> </registerUserResponse> </soapenv:Body> So now we can manage all the other accounts and spend their money!
  • 42.
  • 43.
    Cheat sheet –owners While deploying a proprietary solution: • Get it pentested • Verify vendor claims • Ask the vendor for secure development lifecycle, procedures of addressing vulnerabilities, previous bugs
  • 44.
    Cheat sheet -developers ● Protocol is NOT secure by its secrecy ● Proper encryption. Use known standards, implement them with care. ● Input validation, access control, many layers of security, least privilege principle...
  • 45.
    How to hackprotocols? Decompile client? Inject code? Search for the specs? Use some tools? Watch the packets? https://www.flickr.com/photos/nkphillips/2865781749
  • 46.
    Decompile client ● Sometimeseasy – e.g. not obfuscated Android application byte abyte3[] = pass.getBytes(); byte abyte4[] = MessageDigest.getInstance("MD5").digest(abyte3); ● Sometimes really hard & time consuming. ● May be fun, but often leads astray: Sywek1?-# 45Schtirlitz&Pianistka
  • 47.
    Look for thefine manual ● There may be an unofficial client, or e.g. wireshark plugin ● Ask for the docs  ● Search for them – Yes, we have found internal protocol specification by google hacking!
  • 48.
    Watch the packets ●Various tools to analyze proprietary protocols – time consuming, usually do not work ● Raw, just try to spot some scheme – of course with a little help of your friends: wireshark, tcpdump, ssldump etc. ● Your favourite scripting language
  • 49.
    The end? slawomir.jasek@securing.pl jakub.kaluzny@securing.pl www.securing.pl Workwith us! careers@securing.pl Talk with us! you are welcome to our stand!