Not So Random

Recommendations

Info

$(whoami) Brendan Jamieson (@hyprwired) • Wellington based consultant for Insomnia Security • Infosec • Linux • Python • CTF (@hamiltr0n_ctf) Not So Random
Talk Overview 1. Theory: • Why? • What’s a PRNG? • PRNG Properties • What’s a CSPRNG? • CSPRNG vs PRNG 2. Implementation • PRNGs across common languages 4. Demos a) Brute Force • PHP mt_rand() b) Brute Force of Bounded Call • PHP mt_rand(0,61) c) Weak Seeds • .NET System.Random() 3. Exploitation Theory Not So Random
Page 1: Not So Random Exploiting Unsafe Ran
Page 5 and 6: Why do we need random numbers? •
Page 7 and 8: Random numbers in Web Applications
Page 9 and 10: Concept of Randomness • define: r
Page 11 and 12: PRNG PRNG r = random.Random() Not S
Page 13 and 14: PRNG 16768642083820545282 323536147
Page 15 and 16: PRNG PRNG 16768642083820545282 3235
Page 17 and 18: PRNG Seeds, States and Periods 1. S
Page 19 and 20: PRNG Seeds and States Seed (/dev/ur
Page 31 and 32: CSPRNG vs PRNG 1. Non-Deterministic
Page 33 and 34: Language Examples Language Method P
Page 35 and 36: Internals Glance public Random(int
Page 37 and 38: Exploitation Theory • Want to obt
Page 39 and 40: Exploitation Theory Target PRNG Out
Page 41 and 42: Exploitation Theory Target PRNG Out
Page 43 and 44: Exploitation Theory Target PRNG Obt
Page 45 and 46: Exploitation Theory Our PRNG Obtain
Page 47 and 48: Untwister Brute Force Algorithm 101
Page 53 and 54:
Untwister Brute Force Algorithm 101
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Demos 1. Brute Force • PHP mt_ran
Page 67 and 68:
Overview - Brute Force 1. Generate
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Brute Force - Source class ResetPas
Page 75 and 76:
PHP mt_rand()- Exploitation • Rec
Page 77 and 78:
PHP mt_rand()- Exploitation • Tar
Page 79 and 80:
PHP mt_rand()- Exploitation Theory
Page 81 and 82:
PHP mt_rand() - Untwister uint32_t
Page 83 and 84:
PHP mt_rand()- Exploitation root@ka
Page 85 and 86:
PHP mt_rand()- Exploitation class R
Page 87 and 88:
5. Generate a number of tokens usin
Page 89 and 90:
6. Attempt tokens against applicati
Page 91 and 92:
PHP mt_rand()- Exploitation “To r
Page 93 and 94:
Demos 1. Brute Force • PHP mt_ran
Page 95 and 96:
Overview - Brute Force Bounded Call
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Brute Force Bounded Call - Source c
Page 103 and 104:
PHP mt_rand(0,61)- Exploitation •
Page 105 and 106:
PHP mt_rand(0,61)- Exploitation •
Page 107 and 108:
Exploitation Theory Target PRNG Obt
Page 109 and 110:
PHP mt_rand(0,61)- Decoder #!/usr/b
Page 111 and 112:
PHP mt_rand(0,61)- Exploitation # p
Page 113 and 114:
PHP Bounded mt_rand() Constructor
Page 115 and 116:
PHP Bounded mt_rand() - Patched Unt
Page 117 and 118:
PHP mt_rand(0,61)- Exploitation roo
Page 119 and 120:
4. Seed new PRNG with obtained seed
Page 121 and 122:
PHP mt_rand(0,61)- Exploitation
Page 123 and 124:
PHP mt_rand(0,61)- Exploitation # p
Page 125 and 126:
PHP mt_rand(0,61)- Exploitation Not
Page 127 and 128:
Exploitation Theory Our PRNG Obtain
Page 129 and 130:
Overview - Weak Seeds 1. Generate a
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Weak Seeds - Source public class Re
Page 137 and 138:
.NET System.Random() Constructor
Page 139 and 140:
.NET System.Random()- Exploitation
Page 141 and 142:
Page 143 and 144:
Exploitation Theory Observed PRNG O
Page 145 and 146:
System.Random() Constructor • .NE
Page 147 and 148:
System.Random() Untwister Patch int
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
5. Attempt tokens against applicati
Page 161 and 162:
Exploitation Theory Observed PRNG O
Page 163 and 164:
Practical Exploitation - Tips • L
Page 165 and 166:
Mitigations Need a truly random num
Page 167 and 168:
Developers, Developers, Developers
Page 169 and 170:
Links / Further Reading • https:/
show all

Not So Random

Create successful ePaper yourself

Delete template?

Save as template?