Not So Random

Recommendations

Info

Practical Exploitation - Tips • When brute forcing, ideally want to be using raw output from the PRNG (numbers) • Bear in mind depth when trying to crack a PRNG that may have been called numerous times, 1000 default with Untwister should be fine • Get as many samples of the PRNG output as you can; decrease chance of wrong seed collision Not So Random
Practical Exploitation - Tips • Load balancing can be an issue; multiple application servers will cause multiple PRNGs to be generating output. • Use Persistent HTTP connections to force same process • Connection: Keep-Alive • Not covered in this talk, but state recovery attacks are also a possibility against PRNGs given enough output Not So Random
Page 1 and 2:
Not So Random Exploiting Unsafe Ran
Page 3 and 4:
Talk Overview 1. Theory: • Why?
Page 5 and 6:
Why do we need random numbers? •
Page 7 and 8:
Random numbers in Web Applications
Page 9 and 10:
Concept of Randomness • define: r
Page 11 and 12:
PRNG PRNG r = random.Random() Not S
Page 13 and 14:
PRNG 16768642083820545282 323536147
Page 15 and 16:
PRNG PRNG 16768642083820545282 3235
Page 17 and 18:
PRNG Seeds, States and Periods 1. S
Page 19 and 20:
PRNG Seeds and States Seed (/dev/ur
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
CSPRNG vs PRNG 1. Non-Deterministic
Page 33 and 34:
Language Examples Language Method P
Page 35 and 36:
Internals Glance public Random(int
Page 37 and 38:
Exploitation Theory • Want to obt
Page 39 and 40:
Exploitation Theory Target PRNG Out
Page 41 and 42:
Exploitation Theory Target PRNG Out
Page 43 and 44:
Exploitation Theory Target PRNG Obt
Page 45 and 46:
Exploitation Theory Our PRNG Obtain
Page 47 and 48:
Untwister Brute Force Algorithm 101
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Demos 1. Brute Force • PHP mt_ran
Page 67 and 68:
Overview - Brute Force 1. Generate
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Brute Force - Source class ResetPas
Page 75 and 76:
PHP mt_rand()- Exploitation • Rec
Page 77 and 78:
PHP mt_rand()- Exploitation • Tar
Page 79 and 80:
PHP mt_rand()- Exploitation Theory
Page 81 and 82:
PHP mt_rand() - Untwister uint32_t
Page 83 and 84:
PHP mt_rand()- Exploitation root@ka
Page 85 and 86:
PHP mt_rand()- Exploitation class R
Page 87 and 88:
5. Generate a number of tokens usin
Page 89 and 90:
6. Attempt tokens against applicati
Page 91 and 92:
PHP mt_rand()- Exploitation “To r
Page 93 and 94:
Demos 1. Brute Force • PHP mt_ran
Page 95 and 96:
Overview - Brute Force Bounded Call
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Brute Force Bounded Call - Source c
Page 103 and 104:
PHP mt_rand(0,61)- Exploitation •
Page 105 and 106:
PHP mt_rand(0,61)- Exploitation •
Page 107 and 108:
Exploitation Theory Target PRNG Obt
Page 109 and 110:
PHP mt_rand(0,61)- Decoder #!/usr/b
Page 111 and 112: PHP mt_rand(0,61)- Exploitation # p
Page 113 and 114: PHP Bounded mt_rand() Constructor
Page 115 and 116: PHP Bounded mt_rand() - Patched Unt
Page 117 and 118: PHP mt_rand(0,61)- Exploitation roo
Page 119 and 120: 4. Seed new PRNG with obtained seed
Page 121 and 122: PHP mt_rand(0,61)- Exploitation
Page 123 and 124: PHP mt_rand(0,61)- Exploitation # p
Page 125 and 126: PHP mt_rand(0,61)- Exploitation Not
Page 127 and 128: Exploitation Theory Our PRNG Obtain
Page 129 and 130: Overview - Weak Seeds 1. Generate a
Page 135 and 136: Weak Seeds - Source public class Re
Page 137 and 138: .NET System.Random() Constructor
Page 139 and 140: .NET System.Random()- Exploitation
Page 143 and 144: Exploitation Theory Observed PRNG O
Page 145 and 146: System.Random() Constructor • .NE
Page 147 and 148: System.Random() Untwister Patch int
Page 159 and 160: 5. Attempt tokens against applicati
Page 161: Exploitation Theory Observed PRNG O
Page 165 and 166: Mitigations Need a truly random num
Page 167 and 168: Developers, Developers, Developers
Page 169 and 170: Links / Further Reading • https:/
show all

Not So Random

Create successful ePaper yourself

Delete template?

Save as template?