SlideShare a Scribd company logo
SSL Ripper
All your encrypted traffic belongs to us

Ionut Popescu
Security Consultant @ KPMG Romania
“Nytro”
Why?
- External pentest

- Internal pentest
- Social Engineering
Steps
1. Information gathering
2. Vulnerability assessment

3. Exploitation
4. Post exploitation
SSL Ripper
- Dumping SSL traffic Application
POST /login ...
Host: server
User-Agent: ...
User=admin&
Pass=123456

E
N
C
R
Y
P
T

Ç#ív㾬à‹
èYã(ðƒ/Ç#
ív㾬à‹èY
ã(ðƒ/Ç#ívã
¾¬à‹èYã(ð
ƒ

SSL Ripper
Applicability
- Browsers: Mozilla Firefox, Google
Chrome, Internet Explorer
- Email clients: Microsoft Outlook, Mozilla
Thunderbird
- Remote connection: Putty, SecureCRT
Generic, any application that makes use of:
- OpenSSL
- Netscape Security Services
- Microsoft CryptoAPI
- Other libraries
How does it work?
Short answer: API Hooking
We need to execute code in other process‟ space:
1. Inject a DLL into a remote process (eg. outlook.exe)
- Allocate space for DLL name (VirtualAllocEx)
- Write DLL name (WriteProcessMemory)
- Create a new thread (CreateRemoteThread)
- On new thread call LoadLibrary with specific DLL
2. Hooks specific APIs:
- Find function address (from export table)
- Place a “jmp” on an internal function
- Do things
Classic DLL Injection
Old stuff, good stuff
// Open process
hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, p_dwID);
// Get LoadLibrary address
pvLoadLibrary = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
// Allocate space in remote process for DLL name
pvString = (LPVOID)VirtualAllocEx(hProcess, NULL, p_sDLLName.length(), MEM_RESERVE |
MEM_COMMIT, PAGE_READWRITE);
// Write DLL name in allocated space
bResult =
WriteProcessMemory(hProcess, (LPVOID)pvString, p_sDLLName.c_str(), p_sDLLName.length(), &written);
// Create Remote thread to call "LoadLibrary(dll)"
hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)
pvLoadLibrary, (LPVOID)pvString, 0, NULL);
API Hooking #1
1. Parse module (eg. nss3.dll) – Exports table
API Hooking #2
2. Set hook: jump to our function
Usual function call
How a usual function call looks like:

kernel32.dll
Firefox.exe
nss3.dll

Firefox.exe „s
address space

PR_Read

0x????a2e0

Do things

PR_Write

0x????a2f0

Do things
Hooked function call
How a hooked function call looks like:
1. Firefox calls PR_Read/PR_Write (nss3.dll)
2. It jumps (function code is modified by InjectedDLL) to
PR_Read_Hook/PR_Write_Hook functions in InjectedDLL
3. Functions hooks call original functions and *do things* with data parameters
(unencrypted)

kernel32.dll
Firefox.exe

Firefox.exe
address space

nss3.dll

InjectedDLL.dll

PR_Read

0x????a2e0

PR_Write

0x????a2f0

Do other things

Jmp PR_Read_Hook

Do other things

Jmp PR_Write_Hook
Windows APIs

MOV EDI, EDI – Used for hotpatching (thread safe)
PUSH EBP
MOV ESP, EBP – New stackframe
Hot patching:
1. Replace “mov edi, edi” with a short jump “jmp -5”
2. Place a relative/absolute jump
Example #1 – Firefox
• PR_Read
Reads bytes from a file or socket.

PRInt32 PR_Read(PRFileDesc *fd, void *buf, PRInt32 amount);

• PR_Write
Writes a buffer of data to a file or socket.
PRInt32 PR_Write( PRFileDesc *fd, const void *buf, PRInt32 amount);
Parameters:
fd
- A pointer to the PRFileDesc object for a file or socket.
buf
- A pointer to the buffer holding the data to be written.
amount - The amount of data, in bytes, to be written from the buffer.
Example #1 – Details
PR_Read source:
PR_IMPLEMENT(PRInt32) PR_Read(PRFileDesc *fd, void *buf, PRInt32 amount)
{
return((fd->methods->read)(fd,buf,amount));
}

Disassembly - Tail call optimization :

Hooked function:
Under the hood
First, we‟ll do two important things:
1. Backup old EIP (to return from normal function call)
2. Replace old EIP with our “Reinsert_Hook” function
Under the hood
Second, “do things”:

1.
2.
3.
4.
5.
6.

Backup registers
Restore original bytes
Call original function
“Do things”
Restore registers
Return (to reinsert hook)
Under the hood
Restore hook on PR_Read:
Under the hood
Restore old EIP (before call PR_Read) in the right place:
Example #2 - Outlook
• SslEncryptPacket (ncrypt.dll)
SECURITY_STATUS WINAPI SslEncryptPacket (
_In_
NCRYPT_PROV_HANDLE hSslProvider,
_Inout_ NCRYPT_KEY_HANDLE hKey,
_In_
PBYTE *pbInput,
_In_
DWORD cbInput,
_Out_ PBYTE pbOutput,
_In_
DWORD cbOutput,
_Out_ DWORD *pcbResult,
_In_
ULONGLONG SequenceNumber,
_In_
DWORD dwContentType,
_In_
DWORD dwFlags
);

pbInput [in] A pointer to the buffer that contains the packet to be encrypted.
cbInput [in] The length, in bytes, of the pbInput buffer.
Example #2 - Details
Somethings does not look OK... RETN vs RETN 2C
Calling conventions
__cdecl
__cdecl is the default calling convention for C and C++ programs.
Because the stack is cleaned up by the caller, it can do vararg
functions. The __cdecl calling convention creates larger executables
than __stdcall, because it requires each function call to include stack
cleanup code. The following list shows the implementation of this
calling convention.

__stdcall
__stdcall calling convention is used to call Win32 API functions.
The callee cleans the stack, so the compiler makes vararg
functions __cdecl. Functions that use this calling convention
require a function prototype.
Example #3 - Putty
No exported functions from a DLL – direct code injection
Demo
SSLRipper.exe – DLL Injector
InjectedDLL.dll – DLL that is injected into processes

Attacker

Victim

Virtual Machine - Kali

Host - Windows 8
SSL Ripper – Tamper data
Tamper data – Modify packets in realtime
Future work
-

Support for all SSL software
Support for x64
Thread safe
Bypass EMET
Metasploit post exploitation module
GUI version
Possibility to modify data

* First version will be released when it is stable
Questions?
Contact:
ionut.popescu@outlook.com

More Related Content

What's hot

Network sockets
Network socketsNetwork sockets
Network sockets
Denys Haryachyy
 
Everybody Polyglot! - Cross-Language RPC with Erlang
Everybody Polyglot! - Cross-Language RPC with ErlangEverybody Polyglot! - Cross-Language RPC with Erlang
Everybody Polyglot! - Cross-Language RPC with Erlang
Rusty Klophaus
 
Lecture10
Lecture10Lecture10
Lecture10
vantinhkhuc
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
Giovanni Bechis
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
Centralized Logging with syslog
Centralized Logging with syslogCentralized Logging with syslog
Centralized Logging with syslog
amiable_indian
 
Python Network Programming – Course Applications Guide
Python Network Programming – Course Applications GuidePython Network Programming – Course Applications Guide
Python Network Programming – Course Applications Guide
Mihai Catalin Teodosiu
 
Advanced Sockets Programming
Advanced Sockets ProgrammingAdvanced Sockets Programming
Advanced Sockets Programming
elliando dias
 
Socket System Calls
Socket System CallsSocket System Calls
Socket System Calls
Avinash Varma Kalidindi
 
Anchoring Trust: Rewriting DNS for the Semantic Network with Ruby and Rails
Anchoring Trust: Rewriting DNS for the Semantic Network with Ruby and RailsAnchoring Trust: Rewriting DNS for the Semantic Network with Ruby and Rails
Anchoring Trust: Rewriting DNS for the Semantic Network with Ruby and Rails
Eleanor McHugh
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!
Giovanni Bechis
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NoSuchCon
 
BlockChain implementation by python
BlockChain implementation by pythonBlockChain implementation by python
BlockChain implementation by python
wonyong hwang
 
Sockets
SocketsSockets
Applying Security Algorithms Using openSSL crypto library
Applying Security Algorithms Using openSSL crypto libraryApplying Security Algorithms Using openSSL crypto library
Applying Security Algorithms Using openSSL crypto library
Priyank Kapadia
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
idsecconf
 
Socket programming
Socket programmingSocket programming
Socket programming
Ujjwal Kumar
 
Creating an Arduino Web Server from scratch hardware and software
Creating an Arduino Web Server from scratch hardware and softwareCreating an Arduino Web Server from scratch hardware and software
Creating an Arduino Web Server from scratch hardware and software
Justin Mclean
 
Zi nginx conf_2015
Zi nginx conf_2015Zi nginx conf_2015
Zi nginx conf_2015
Zi Lin
 
Sockets intro
Sockets introSockets intro
Sockets intro
AviNash ChaVhan
 

What's hot (20)

Network sockets
Network socketsNetwork sockets
Network sockets
 
Everybody Polyglot! - Cross-Language RPC with Erlang
Everybody Polyglot! - Cross-Language RPC with ErlangEverybody Polyglot! - Cross-Language RPC with Erlang
Everybody Polyglot! - Cross-Language RPC with Erlang
 
Lecture10
Lecture10Lecture10
Lecture10
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 
Centralized Logging with syslog
Centralized Logging with syslogCentralized Logging with syslog
Centralized Logging with syslog
 
Python Network Programming – Course Applications Guide
Python Network Programming – Course Applications GuidePython Network Programming – Course Applications Guide
Python Network Programming – Course Applications Guide
 
Advanced Sockets Programming
Advanced Sockets ProgrammingAdvanced Sockets Programming
Advanced Sockets Programming
 
Socket System Calls
Socket System CallsSocket System Calls
Socket System Calls
 
Anchoring Trust: Rewriting DNS for the Semantic Network with Ruby and Rails
Anchoring Trust: Rewriting DNS for the Semantic Network with Ruby and RailsAnchoring Trust: Rewriting DNS for the Semantic Network with Ruby and Rails
Anchoring Trust: Rewriting DNS for the Semantic Network with Ruby and Rails
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
 
BlockChain implementation by python
BlockChain implementation by pythonBlockChain implementation by python
BlockChain implementation by python
 
Sockets
SocketsSockets
Sockets
 
Applying Security Algorithms Using openSSL crypto library
Applying Security Algorithms Using openSSL crypto libraryApplying Security Algorithms Using openSSL crypto library
Applying Security Algorithms Using openSSL crypto library
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Socket programming
Socket programmingSocket programming
Socket programming
 
Creating an Arduino Web Server from scratch hardware and software
Creating an Arduino Web Server from scratch hardware and softwareCreating an Arduino Web Server from scratch hardware and software
Creating an Arduino Web Server from scratch hardware and software
 
Zi nginx conf_2015
Zi nginx conf_2015Zi nginx conf_2015
Zi nginx conf_2015
 
Sockets intro
Sockets introSockets intro
Sockets intro
 

Similar to Defcamp 2013 - SSL Ripper

Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?
Nelson Brito
 
maXbox starter30 Web of Things
maXbox starter30 Web of ThingsmaXbox starter30 Web of Things
maXbox starter30 Web of Things
Max Kleiner
 
Please help with the below 3 questions, the python script is at the.pdf
Please help with the below 3  questions, the python script is at the.pdfPlease help with the below 3  questions, the python script is at the.pdf
Please help with the below 3 questions, the python script is at the.pdf
support58
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18
Max Kleiner
 
RAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial TradecraftRAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial Tradecraft
⭕Alexander Rymdeko-Harvey
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
IOSR Journals
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
Rémi Jullian
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
Amr Ali
 
LSA2 - 02 Namespaces
LSA2 - 02  NamespacesLSA2 - 02  Namespaces
LSA2 - 02 Namespaces
Marian Marinov
 
Tick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleepTick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleep
Gianluca Arbezzano
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malware
Pedro Tavares
 
The 1990s Called. They Want Their Code Back.
The 1990s Called. They Want Their Code Back.The 1990s Called. They Want Their Code Back.
The 1990s Called. They Want Their Code Back.
Jonathan Oliver
 
DPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet ProcessingDPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet Processing
Michelle Holley
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
GangSeok Lee
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
GangSeok Lee
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
n|u - The Open Security Community
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
guest441c58b71
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Bastian Feder
 

Similar to Defcamp 2013 - SSL Ripper (20)

Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?
 
maXbox starter30 Web of Things
maXbox starter30 Web of ThingsmaXbox starter30 Web of Things
maXbox starter30 Web of Things
 
Please help with the below 3 questions, the python script is at the.pdf
Please help with the below 3  questions, the python script is at the.pdfPlease help with the below 3  questions, the python script is at the.pdf
Please help with the below 3 questions, the python script is at the.pdf
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18
 
RAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial TradecraftRAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial Tradecraft
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 
LSA2 - 02 Namespaces
LSA2 - 02  NamespacesLSA2 - 02  Namespaces
LSA2 - 02 Namespaces
 
Tick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleepTick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleep
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malware
 
The 1990s Called. They Want Their Code Back.
The 1990s Called. They Want Their Code Back.The 1990s Called. They Want Their Code Back.
The 1990s Called. They Want Their Code Back.
 
DPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet ProcessingDPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet Processing
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
 

More from DefCamp

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
DefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
DefCamp
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
DefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
DefCamp
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
DefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
DefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
DefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
DefCamp
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
DefCamp
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
DefCamp
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
DefCamp
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
DefCamp
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
DefCamp
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
DefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
DefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
DefCamp
 

More from DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 

Recently uploaded

Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 

Recently uploaded (20)

Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 

Defcamp 2013 - SSL Ripper

  • 1. SSL Ripper All your encrypted traffic belongs to us Ionut Popescu Security Consultant @ KPMG Romania “Nytro”
  • 2. Why? - External pentest - Internal pentest - Social Engineering
  • 3. Steps 1. Information gathering 2. Vulnerability assessment 3. Exploitation 4. Post exploitation
  • 4. SSL Ripper - Dumping SSL traffic Application POST /login ... Host: server User-Agent: ... User=admin& Pass=123456 E N C R Y P T Ç#ívã¾¬à‹ èYã(ðƒ/Ç# ív㾬à‹èY ã(ðƒ/Ç#ívã ¾¬à‹èYã(ð ƒ SSL Ripper
  • 5. Applicability - Browsers: Mozilla Firefox, Google Chrome, Internet Explorer - Email clients: Microsoft Outlook, Mozilla Thunderbird - Remote connection: Putty, SecureCRT Generic, any application that makes use of: - OpenSSL - Netscape Security Services - Microsoft CryptoAPI - Other libraries
  • 6. How does it work? Short answer: API Hooking We need to execute code in other process‟ space: 1. Inject a DLL into a remote process (eg. outlook.exe) - Allocate space for DLL name (VirtualAllocEx) - Write DLL name (WriteProcessMemory) - Create a new thread (CreateRemoteThread) - On new thread call LoadLibrary with specific DLL 2. Hooks specific APIs: - Find function address (from export table) - Place a “jmp” on an internal function - Do things
  • 7. Classic DLL Injection Old stuff, good stuff // Open process hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, p_dwID); // Get LoadLibrary address pvLoadLibrary = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); // Allocate space in remote process for DLL name pvString = (LPVOID)VirtualAllocEx(hProcess, NULL, p_sDLLName.length(), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); // Write DLL name in allocated space bResult = WriteProcessMemory(hProcess, (LPVOID)pvString, p_sDLLName.c_str(), p_sDLLName.length(), &written); // Create Remote thread to call "LoadLibrary(dll)" hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) pvLoadLibrary, (LPVOID)pvString, 0, NULL);
  • 8. API Hooking #1 1. Parse module (eg. nss3.dll) – Exports table
  • 9. API Hooking #2 2. Set hook: jump to our function
  • 10. Usual function call How a usual function call looks like: kernel32.dll Firefox.exe nss3.dll Firefox.exe „s address space PR_Read 0x????a2e0 Do things PR_Write 0x????a2f0 Do things
  • 11. Hooked function call How a hooked function call looks like: 1. Firefox calls PR_Read/PR_Write (nss3.dll) 2. It jumps (function code is modified by InjectedDLL) to PR_Read_Hook/PR_Write_Hook functions in InjectedDLL 3. Functions hooks call original functions and *do things* with data parameters (unencrypted) kernel32.dll Firefox.exe Firefox.exe address space nss3.dll InjectedDLL.dll PR_Read 0x????a2e0 PR_Write 0x????a2f0 Do other things Jmp PR_Read_Hook Do other things Jmp PR_Write_Hook
  • 12. Windows APIs MOV EDI, EDI – Used for hotpatching (thread safe) PUSH EBP MOV ESP, EBP – New stackframe Hot patching: 1. Replace “mov edi, edi” with a short jump “jmp -5” 2. Place a relative/absolute jump
  • 13. Example #1 – Firefox • PR_Read Reads bytes from a file or socket. PRInt32 PR_Read(PRFileDesc *fd, void *buf, PRInt32 amount); • PR_Write Writes a buffer of data to a file or socket. PRInt32 PR_Write( PRFileDesc *fd, const void *buf, PRInt32 amount); Parameters: fd - A pointer to the PRFileDesc object for a file or socket. buf - A pointer to the buffer holding the data to be written. amount - The amount of data, in bytes, to be written from the buffer.
  • 14. Example #1 – Details PR_Read source: PR_IMPLEMENT(PRInt32) PR_Read(PRFileDesc *fd, void *buf, PRInt32 amount) { return((fd->methods->read)(fd,buf,amount)); } Disassembly - Tail call optimization : Hooked function:
  • 15. Under the hood First, we‟ll do two important things: 1. Backup old EIP (to return from normal function call) 2. Replace old EIP with our “Reinsert_Hook” function
  • 16. Under the hood Second, “do things”: 1. 2. 3. 4. 5. 6. Backup registers Restore original bytes Call original function “Do things” Restore registers Return (to reinsert hook)
  • 17. Under the hood Restore hook on PR_Read:
  • 18. Under the hood Restore old EIP (before call PR_Read) in the right place:
  • 19. Example #2 - Outlook • SslEncryptPacket (ncrypt.dll) SECURITY_STATUS WINAPI SslEncryptPacket ( _In_ NCRYPT_PROV_HANDLE hSslProvider, _Inout_ NCRYPT_KEY_HANDLE hKey, _In_ PBYTE *pbInput, _In_ DWORD cbInput, _Out_ PBYTE pbOutput, _In_ DWORD cbOutput, _Out_ DWORD *pcbResult, _In_ ULONGLONG SequenceNumber, _In_ DWORD dwContentType, _In_ DWORD dwFlags ); pbInput [in] A pointer to the buffer that contains the packet to be encrypted. cbInput [in] The length, in bytes, of the pbInput buffer.
  • 20. Example #2 - Details Somethings does not look OK... RETN vs RETN 2C
  • 21. Calling conventions __cdecl __cdecl is the default calling convention for C and C++ programs. Because the stack is cleaned up by the caller, it can do vararg functions. The __cdecl calling convention creates larger executables than __stdcall, because it requires each function call to include stack cleanup code. The following list shows the implementation of this calling convention. __stdcall __stdcall calling convention is used to call Win32 API functions. The callee cleans the stack, so the compiler makes vararg functions __cdecl. Functions that use this calling convention require a function prototype.
  • 22. Example #3 - Putty No exported functions from a DLL – direct code injection
  • 23. Demo SSLRipper.exe – DLL Injector InjectedDLL.dll – DLL that is injected into processes Attacker Victim Virtual Machine - Kali Host - Windows 8
  • 24. SSL Ripper – Tamper data Tamper data – Modify packets in realtime
  • 25. Future work - Support for all SSL software Support for x64 Thread safe Bypass EMET Metasploit post exploitation module GUI version Possibility to modify data * First version will be released when it is stable