Hacking .NET Applications: - OWASP AppSec USA 2011
ABOUT ME
- Training
- Malware Analysis
- Code Review
- Application Penetration Testing
- Custom Security Modification
- Research

ELEVATOR PITCH: ATTACKING .NET
This is a fundamental truth: executables equal source code. In the past it was harder, or the tools were lacking, AND I make it easy. I make the free tools. If it's on your system it can be bent and broken.
HACKER VS ATTACKER
SOFTWARE: Tools | Password | Backup | Forensics
NOT IDA PRO
DECOMPILE: LINES OF CODE TO READ
C# - 13 lines

The same code at each level:
C#  - 15 lines
IL  - 34 lines
ASM - 77 lines
How much code do you need to read?
ATTACKING .NET: ATTACK THE CODE ON DISK
IL – Intermediate Language: the code of the Matrix | the new ASM
Attacking .NET Applications: At runtime
ATTACKING .NET: ATTACK WHILE THE APP IS RUNNING
GRAYDRAGON: INJECTION
Run and inject: security systems, hacks, cracks, malware, backdoors
Attacking/Cracking: IN MEMORY | ON DISK
ATTACKING ON DISK
GRAYWOLF: ON-DISK EDIT
CRACK DEMO: BYPASS PASSWORD
Patch the body of Form1::IsValidPW() down to two IL instructions:
    ldc.i4.1
    ret
ldc.i4.1 pushes the constant 1 (true) and ret returns it, so every password is now "valid".
RECON YOUR TARGET
"If you know the enemy and know yourself, you need not fear the results of a hundred battles." - Sun Tzu

RECON THE TARGET
Memeo Premium Backup
- File crypto: Triple DES
- Salt & IV: 8A-AF-F5-6A-F8-A5-37-C7
- Pass crypto: SHA1 * (200) + salt
ProtectMe!
- File crypto: AES
- Salt & IV: Unique2010Salt
- Pass crypto: Rfc2898DeriveBytes -> AES -> SHA1 + salt
- 0b$cur17y: custom crypto libs
Androsa FileProtector
- File crypto: Selected
- Salt & IV: 0
- Pass crypto: SHA512
- Possible back door
DEMO
101 - ATTACK ON DISK
1. Connect/Open - access the code
2. Decompile - get the code/tech
3. Infect - change the target's code
4. Exploit - take advantage
5. Remold/Recompile - WIN

THE WEAK SPOTS
- Flip the check
- Set the value to "true"
- Cut the logic
- Return true
- Access the value

FLIP THE CHECK / SET THE VALUE TO "TRUE"
    bool Registered = false;    ->    bool Registered = true;
    if (a != b)                 ->    if (a == b)

RETURN TRUE
    bool IsRegistered() {
        return true;    // the original logic below is never reached
        ........................
    }

CUT THE LOGIC
    string sqlClean(string x) {
        return x;       // the sanitizer now hands its input straight through
    }
HACK THE LOGIN DEMO: pass the key, show the key

CRACK THE KEY
- Public/Private key: 1% of the time the keygen is given
- Call server: hack the call
- Set value: Demo = True;
- Complex math, e.g. 3/B == Name*ID*7: ask what is /B? change the key == complex math

PUBLIC/PRIVATE KEY
If you can beat them, why join them?
Key = "F5PA11JS32DA"
Key = "123456ABCDE"

SERVER CALL
1. Fake the call: "Send" SystemID = 123456789
2. Fake the request
3. Fake the reply: Reg Code = f3V541
4. Win: *Registered = True*
REG CODE REPLAY
Name: JON DOE  ->  expected *C5G9P3
Code: 98qf3uy  ->  != expected  ->  FAIL

Name: JON DOE  ->  expected *C5G9P3
Code: 5G9P3    ->  == expected  ->  WIN

COMPLEX MATH
1. Chop up the math
2. Attack the weak part
3. ??????????
4. Profit

HACK THE KEY DEMO: AppSec-USA 2011
999ca10a050f4bdb31f7e1f39d9a0dda

ENCRYPTED DATA
- Static crypto key
- Initialization vector = 0
- Clear-text password storage
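What the "static key + IV = 0" pattern from the slide above gives away, as an added example that is not code from the talk or from any product named on the recon slide. It uses .NET's own AES and PBKDF2 (Rfc2898DeriveBytes) classes from PowerShell 5 or later; the key, the two records and the passphrase are constructed for the demonstration.

```powershell
# Added example, not from the talk: AES-CBC with a fixed key and an all-zero IV.
# Two records that share their first 16 plaintext bytes produce the same first
# ciphertext block, so an attacker with the on-disk data can spot equal prefixes
# (same user, same password prefix, ...) without the key. Key and strings are
# constructed samples.

function Protect-Record {
    param([byte[]]$Key, [byte[]]$IV, [string]$Text)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Key  = $Key
    $aes.IV   = $IV
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $enc    = $aes.CreateEncryptor()
    $cipher = $enc.TransformFinalBlock($plain, 0, $plain.Length)
    $enc.Dispose(); $aes.Dispose()
    return ,$cipher                     # the comma keeps the byte[] from being unrolled
}

function Get-FirstBlock([byte[]]$Cipher) {
    [BitConverter]::ToString($Cipher, 0, 16)   # first 16-byte CBC block, as hex
}

# The hard-coded key "found in the binary" (constructed) and the all-zero IV
$staticKey = [byte[]](1..32)            # 32 bytes -> AES-256
$zeroIV    = New-Object byte[] 16

# "user=alice;pass=" is exactly 16 bytes, so both records share a whole first block
$rec1 = 'user=alice;pass=Summer2011!'
$rec2 = 'user=alice;pass=Winter2011!'

$c1 = Protect-Record -Key $staticKey -IV $zeroIV -Text $rec1
$c2 = Protect-Record -Key $staticKey -IV $zeroIV -Text $rec2
"Static key, IV=0     : first blocks equal = $((Get-FirstBlock $c1) -eq (Get-FirstBlock $c2))"

# Fix 1: a fresh random IV per record, stored next to the ciphertext
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$iv1 = New-Object byte[] 16; $rng.GetBytes($iv1)
$iv2 = New-Object byte[] 16; $rng.GetBytes($iv2)
$d1 = Protect-Record -Key $staticKey -IV $iv1 -Text $rec1
$d2 = Protect-Record -Key $staticKey -IV $iv2 -Text $rec2
"Static key, random IV: first blocks equal = $((Get-FirstBlock $d1) -eq (Get-FirstBlock $d2))"

# Fix 2: derive the key from the user's passphrase with a salted, iterated KDF
# (Rfc2898DeriveBytes = PBKDF2, as on the recon slide) instead of shipping one
# key inside the executable. Passphrase and iteration count are assumptions.
$salt = New-Object byte[] 16; $rng.GetBytes($salt)
$kdf  = [System.Security.Cryptography.Rfc2898DeriveBytes]::new('correct horse battery staple', $salt, 100000)
$derivedKey = $kdf.GetBytes(32)
$e1 = Protect-Record -Key $derivedKey -IV $iv1 -Text $rec1
"Derived key: $($derivedKey.Length) bytes; ciphertext: $($e1.Length) bytes (salt and IV must be stored with it)"
```

With the fixed key and zero IV the first comparison prints True, because the first CBC block is E(P1 XOR IV) and every input to it is identical; with a per-record IV it prints False. The derived-key variant only helps if the salt is unique per user and the attacker cannot read the passphrase, which is exactly what the "clear-text password storage" item above hands them.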
MID POINT: Q&A

Book: Managed Code Rootkits: Hooking into Runtime Environments, by Erez Metula

WHAT STOPS THIS? What is the security?

PROTECTION ON DISK: PROTECTION – SECURITY
- Signed code (1024-bit RSA strong-name key, the default at the time; later .NET Framework versions added larger keys and SHA-2 signatures)
- Verify the creator
- Strong names
- ACLs
- ......... M$ stuff
Try to SHUT DOWN tampering

PRIVATE KEY SIGNING
Signed code is based on a private key (1024-bit) and a signed hash of the code ........... to identify and verify the author.

PROTECTION ON DISK: PROTECTION - SECURITY BY 0b$cur17y
- Code obfuscation
- Logic obfuscation
- Unmanaged calls ... to C/C++/ASM
- Shells / packers / encrypted code
Try to SHUT DOWN decompilation
CRACK DEMO: FAIL

PROTECTION ON DISK: 0bfu$ca7ed

REVIEW: DOTFUSCATOR
- Obfuscation only slows the attacker; it is not 100% effective
- Phone home / if tampered: will add vulnerabilities (and bugs) of its own
- Causes bugs; applied programmatically

PROTECTION ON DISK: SHELLS
Pack/encrypt the EXE

UNPROTECTED / PROTECTED

DESKTOP SECURITY
*I DON'T SECURE THAT*
- IT has locked down the systems
- Our systems are protected
- We have SMS and Anti-Virus
- It is a little out of my area
- The developers know about security

IT CAN'T BE THAT EZ: What is the security?
STRONG NAME HACKING
ATTACK VECTOR: PRIVATE KEY SIGNING
Signed code is based on a private key (1024-bit) and a signed hash of the code ...........
SIGNED CODE CHECKING IS OFF BY DEFAULT: since .NET Framework 3.5 SP1 the runtime skips strong-name signature verification for assemblies loaded into a full-trust application domain (the "strong name bypass" feature), so a tampered or re-signed DLL loads unless the bypass is turned off.

FAKE SIGNED DLL

FAKE SIGNED DLL: Turn key checking ON
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework]
"AllowStrongNameBypass"=dword:00000000

FAKE SIGNED DLL: ERROR (the tampered DLL is rejected once verification is on)
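The registry change from the slide, plus the per-application equivalent and a way to check whether a given assembly's strong name actually verifies, as an added example (not from the talk). Run it from an elevated Windows PowerShell prompt; the assembly path and the sn.exe location are assumptions for the example.

```powershell
# Added example, not from the talk: turn the strong-name bypass off and verify
# an assembly's signature. $Assembly and $sn are placeholders.
$Assembly = 'C:\Apps\Target\Target.dll'

# 1. Disable the .NET 3.5 SP1+ bypass (DWORD 0). On 64-bit Windows both views
#    matter: the 64-bit CLR reads the first key, the 32-bit CLR the Wow6432Node one.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
)
foreach ($k in $keys) {
    if (Test-Path $k) {
        New-ItemProperty -Path $k -Name 'AllowStrongNameBypass' -PropertyType DWord -Value 0 -Force | Out-Null
        "Bypass disabled under $k"
    }
}

# 2. Per-application equivalent, in the application's .exe.config:
#    <configuration>
#      <runtime>
#        <bypassTrustedAppStrongNames enabled="false" />
#      </runtime>
#    </configuration>

# 3. Does the assembly carry a strong name at all? No token means there is
#    nothing for the runtime to verify, bypass or no bypass.
$name  = [System.Reflection.AssemblyName]::GetAssemblyName($Assembly)
$token = ($name.GetPublicKeyToken() | ForEach-Object { $_.ToString('x2') }) -join ''
if (-not $token) {
    Write-Warning "$Assembly has no strong name: nothing to verify"
} else {
    "Public key token: $token"
}

# 4. Verify the signature with sn.exe (Windows SDK; path is an assumption).
#    -vf forces verification even if a skip-verification entry exists.
$sn = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\sn.exe'
& $sn -vf $Assembly
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Strong-name verification FAILED for $Assembly"
}

# 5. List skip-verification registrations (sn -Vr) that a developer, or an
#    attacker, may have left behind on this machine.
& $sn -Vl
```

Two caveats a practitioner should keep in mind. Verification only proves that the file matches the public key embedded in that same file; an attacker who can rewrite the DLL can re-sign it with their own key, and only a caller whose reference names the original public key token will notice. And a strong name identifies an assembly, it does not say anything about who is trusted to publish it; Authenticode or an allow-list does that job.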
ATTACK VECTOR (not new): ASM, THE OLD IS NEW
- Shellcode - ASM
- .NET has pointers (unsafe code) and P/Invoke into unmanaged code
- Outside the managed sandbox there is NO .NET security: no CLR verification, type safety or memory safety
........... THIS IS SCARY!!!! NEVER LET ME CALL UNMANAGED
ATTACK VECTORASM THE OLD IS NEW
ATTACK VECTOR: VISUAL STUDIO
- Exploit – run arbitrary code
- First noted in 2004
- Demo: PowerShell - Matrix
- Get the developer's keys
- Attack the SVN & DB
www.pretentiousname.com/misc/win7_uac_whitelist2.html

YOU'RE NOT A HACKER. WHY SHOULD YOU CARE?
- Defend your applications
- Defend your systems
- Verify your tools/programs
LOOK INSIDE
DON’TLOOK
SECURITY
The login security check is:
- Does A == B
- Does MD5 % 5 == X
- Is the pass the crypto key

DATA LEAK
The data sent home is:
- Application info
- User / Registration info
- Security / System info

KEY
The crypto key is:
- A hard-coded key
- The licence number
- An MD5 hash of the pass
- Salt + MD5 hash of the pass

CRYPTO
The crypto is:
- DES 64
- Triple DES 192
- Rijndael AES 256
- Home mix (secure/unsecure)
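A first "look inside" before you trust a program or go after it, covering both the weak-spot slides (the bool-returning decision methods an attacker patches to ldc.i4.1 / ret) and the "verify your tools" and "never let me call unmanaged" points (P/Invoke and pointer signatures). This is an added example written for this page, not one of the talk's tools; the target path is a placeholder.

```powershell
# Added example, not from the talk: enumerate an assembly's strong name, its
# decision methods and its unmanaged entry points without running its code.
# Needs Windows PowerShell 5.1 (.NET Framework): ReflectionOnlyLoadFrom is not
# available on PowerShell 7 / .NET Core. $Path is a placeholder.
$Path = 'C:\Apps\Target\Target.exe'

# Reflection-only context: metadata is readable but nothing in the file executes,
# which is the right mode for a binary you do not trust yet.
$asm = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom($Path)

# Strong name present? Presence is not verification (see the bypass slides).
$token = ($asm.GetName().GetPublicKeyToken() | ForEach-Object { $_.ToString('x2') }) -join ''
"Assembly         : $($asm.GetName().FullName)"
"Strong-name token: $(if ($token) { $token } else { '<none>' })"

try   { $types = $asm.GetTypes() }
catch {
    # ReflectionTypeLoadException: keep whatever loaded. Types whose base class
    # lives in an assembly not yet in the reflection-only context come back null;
    # ReflectionOnlyLoad those dependencies first to see them too.
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }   # PowerShell wraps .NET exceptions
    $types = @($ex.Types | Where-Object { $_ })
}

$flags = [System.Reflection.BindingFlags] 'Public,NonPublic,Instance,Static,DeclaredOnly'
# Names typical of decision points. Obfuscated builds defeat the regex; then
# drop the name test and review every bool-returning method.
$checkPattern = '^(Is|Has|Can|Check|Validate|Verify)'

foreach ($t in $types) {
    foreach ($m in $t.GetMethods($flags)) {
        # Compare by name: reflection-only types are distinct objects from [bool]
        $isBool = $m.ReturnType.FullName -eq 'System.Boolean'
        if ($isBool -and $m.Name -match $checkPattern) {
            "CHECK    $($t.FullName)::$($m.Name)"
        }
        # P/Invoke leaves the managed sandbox: no CLR type or memory safety past here
        if (([int]($m.Attributes -band [System.Reflection.MethodAttributes]::PinvokeImpl)) -ne 0) {
            "PINVOKE  $($t.FullName)::$($m.Name)"
        }
        # Raw pointers in a signature mean 'unsafe' code is near
        $usesPointer = $m.ReturnType.IsPointer -or
                       ($m.GetParameters() | Where-Object { $_.ParameterType.IsPointer })
        if ($usesPointer) {
            "POINTER  $($t.FullName)::$($m.Name)"
        }
    }
}
```

Read the CHECK list the way the attacker does: each entry is one IL patch away from always returning true, so the real question for the defender is whether any of those methods decides something that should have been decided on a server. The PINVOKE and POINTER lists are where managed-code guarantees stop and the "old is new" ASM attacks begin.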
ROOTKIT MMC DEMO: call eventvwr.msc
FIN
MORE INFORMATION @:
www.DigitalBodyGuard.com
Jon.M@DigitalBodyGuard.com
FIN = 1