Not So Random

Recommendations

Info

PHASE 3 – EXPLOITATION THEORY Not So Random
Exploitation Theory • Want to obtain secret values generated via a PRNG, e.g. password reset token • Can observe some output from the PRNG; e.g. own password reset tokens, other values generated via the same PRNG • PRNGs are deterministic; if we obtain the internal state of the PRNG, we can predict future output • Goal is to obtain internal state of the PRNG Not So Random
Page 1 and 2: Not So Random Exploiting Unsafe Ran
Page 3 and 4: Talk Overview 1. Theory: • Why?
Page 5 and 6: Why do we need random numbers? •
Page 7 and 8: Random numbers in Web Applications
Page 9 and 10: Concept of Randomness • define: r
Page 11 and 12: PRNG PRNG r = random.Random() Not S
Page 13 and 14: PRNG 16768642083820545282 323536147
Page 15 and 16: PRNG PRNG 16768642083820545282 3235
Page 17 and 18: PRNG Seeds, States and Periods 1. S
Page 19 and 20: PRNG Seeds and States Seed (/dev/ur
Page 31 and 32: CSPRNG vs PRNG 1. Non-Deterministic
Page 33 and 34: Language Examples Language Method P
Page 35: Internals Glance public Random(int
Page 39 and 40: Exploitation Theory Target PRNG Out
Page 41 and 42: Exploitation Theory Target PRNG Out
Page 43 and 44: Exploitation Theory Target PRNG Obt
Page 45 and 46: Exploitation Theory Our PRNG Obtain
Page 47 and 48: Untwister Brute Force Algorithm 101
Page 65 and 66: Demos 1. Brute Force • PHP mt_ran
Page 67 and 68: Overview - Brute Force 1. Generate
Page 73 and 74: Brute Force - Source class ResetPas
Page 75 and 76: PHP mt_rand()- Exploitation • Rec
Page 77 and 78: PHP mt_rand()- Exploitation • Tar
Page 79 and 80: PHP mt_rand()- Exploitation Theory
Page 81 and 82: PHP mt_rand() - Untwister uint32_t
Page 83 and 84: PHP mt_rand()- Exploitation root@ka
Page 85 and 86: PHP mt_rand()- Exploitation class R
Page 87 and 88:
5. Generate a number of tokens usin
Page 89 and 90:
6. Attempt tokens against applicati
Page 91 and 92:
PHP mt_rand()- Exploitation “To r
Page 93 and 94:
Demos 1. Brute Force • PHP mt_ran
Page 95 and 96:
Overview - Brute Force Bounded Call
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Brute Force Bounded Call - Source c
Page 103 and 104:
PHP mt_rand(0,61)- Exploitation •
Page 105 and 106:
PHP mt_rand(0,61)- Exploitation •
Page 107 and 108:
Exploitation Theory Target PRNG Obt
Page 109 and 110:
PHP mt_rand(0,61)- Decoder #!/usr/b
Page 111 and 112:
PHP mt_rand(0,61)- Exploitation # p
Page 113 and 114:
PHP Bounded mt_rand() Constructor
Page 115 and 116:
PHP Bounded mt_rand() - Patched Unt
Page 117 and 118:
PHP mt_rand(0,61)- Exploitation roo
Page 119 and 120:
4. Seed new PRNG with obtained seed
Page 121 and 122:
PHP mt_rand(0,61)- Exploitation
Page 123 and 124:
PHP mt_rand(0,61)- Exploitation # p
Page 125 and 126:
PHP mt_rand(0,61)- Exploitation Not
Page 127 and 128:
Exploitation Theory Our PRNG Obtain
Page 129 and 130:
Overview - Weak Seeds 1. Generate a
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Weak Seeds - Source public class Re
Page 137 and 138:
.NET System.Random() Constructor
Page 139 and 140:
.NET System.Random()- Exploitation
Page 141 and 142:
Page 143 and 144:
Exploitation Theory Observed PRNG O
Page 145 and 146:
System.Random() Constructor • .NE
Page 147 and 148:
System.Random() Untwister Patch int
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
5. Attempt tokens against applicati
Page 161 and 162:
Exploitation Theory Observed PRNG O
Page 163 and 164:
Practical Exploitation - Tips • L
Page 165 and 166:
Mitigations Need a truly random num
Page 167 and 168:
Developers, Developers, Developers
Page 169 and 170:
Links / Further Reading • https:/
show all

Not So Random

Create successful ePaper yourself

Delete template?

Save as template?