Stacking the Deck

Dan Cronce & Justin Moravec

All rights reserved © 2018 Wildcard Corp

Obligatory “Who we are”

● Dan Cronce
  ○ Job title: Penetration tester
  ○ What I do: Purple team, tool development, field work
● Justin Moravec
  ○ Job title: Security Specialist
  ○ What I do: Auditing, vulnerability assessments, system & network engineering

Overview

● General design decisions
● Samson: Cryptanalysis and attack framework
  ○ What and why
  ○ High-level overview
  ○ Video demo
● Judas: Covert-channel tunneling framework
  ○ What and why
  ○ High-level overview
  ○ Video demo
● Future Work

Design Decisions

● Tired of devs who “know what’s best”; built for experimentation/experts
● Built for reusability
● Built for a specific purpose
● Attempt to be consistent and intuitive
● Understandability over raw power
● Tools increase efficiency, not ability

Samson

Cryptanalysis and Attack Framework

Samson: What and Why

● Running into possible cryptographic exploits in pentests
● CTFs using “Build-your-own-crypto”
● SageMath breaking on install
● Implementations in high-level language
● Understanding of low-level cryptographic primitives
● Samson - convenient library/framework for prototyping crypto or attacks

Samson: High-level Overview

● DO NOT USE SAMSON TO SECURE ANYTHING
● Attacks
  ○ CBC Oracle
  ○ PKCS#1.5 Padding Oracle
  ○ CRIME
  ○ Nostradamus
  ○ HMAC Forgery
  ○ Nonce-reuse cracking
  ○ Dual EC backdoor generation
  ○ And more...

Samson: High-level Overview Cont.

● Primitives
  ○ Rijndael (AES)
  ○ DES
  ○ MT19937
  ○ RSA/DSA
  ○ SHA1/2/3
  ○ KASUMI/SNOW3G
  ○ Etc…
● Constructions
  ○ Merkle-Damgard Construction
  ○ Davies-Meyer Construction
  ○ Feistel Network
  ○ Sponge construction

Samson: High-level Overview Cont.

● Utility/Analysis functions
  ○ English Analyzer
  ○ Statistics
  ○ Number theory
  ○ Byte manipulation
  ○ Metaheuristic optimization

Samson Demo

Samson: Demo

● Scenario
  ○ Server generates 256-bit random key on start up
  ○ Server gives client cookie encrypted with AES-256-CBC and random IV
  ○ Cookie includes permissions
  ○ Admin interface decrypts cookie and checks if user has admin permission
  ○ On error, sends exception to logging server
● What we know
  ○ The cookie i.e. IV + Ciphertext
  ○ Is using CBC (note we don’t even have to know the cipher)
  ○ Probably using PKCS7 padding
● What we want
  ○ Admin!

Samson: Demo Source


Samson: Demo Breakdown

● The mechanisms at play
  ○ Padding
  ○ XOR
  ○ CBC
● The generic attack
● The attack for this specific instance

Samson: PKCS7 Padding

● What if your plaintext’s length is not a multiple of 16?
● Pad plaintext to block length (16) with the byte representation of the padding length
  ○ E.g. '\x02\x02' or '\x05\x05\x05\x05\x05'
● If plaintext is multiple of 16, pad a full block
  ○ I.e. '\x10' * 16
● Creates a guaranteed way to add and remove the padding
● Trying to unpad a plaintext with non-conformant padding throws an error
● Example
  ○ Block size = 16
  ○ Plaintext = 'iliketurtles'
  ○ Padded_plaintext = 'iliketurtles\x04\x04\x04\x04'

Samson: XOR

● Stands for exclusive OR
● What you need to know
  ○ Commutative and associative
  ○ Symbol is ⊕ or ^
  ○ Given A ⊕ B = C
    ■ C ⊕ A = B
    ■ C ⊕ B = A
    ■ A ⊕ A = 0
    ■ A ⊕ 0 = A
    ■ Intuitively, since C = A ⊕ B, we can expand C ⊕ A to A ⊕ B ⊕ A

Samson: XOR Visual

>>> A = Bytes(b'iliketurtles')
>>> B = Bytes(b'buy ovaltine')
>>> A ^ B

>>> (A ^ B) ^ A

>>> B = Bytes(b'ilikovaltine')
>>> A ^ B

Samson: CBC Encrypt

[Figure: CBC encryption diagram. Source: Wikipedia]

Samson: CBC Decrypt

[Figure: CBC decryption diagram. Source: Wikipedia]

Samson: Padding Oracle Attack

[Diagram labels: C_prev, C, C_P, P]

Samson: Padding Oracle Attack Cont.

● C_P ⊕ C_prev = P
● Padding oracle: is our padding correct?
● ATTACK: Try to cancel out the plaintext and inject our padding
  ○ Wrong guesses will screw up the padding
  ○ If our injection’s padding is correct, then we’ve gotten the correct byte!
● Algorithm for guessing last byte
  ○ For i=0 to 255
    ■ injected_padding = b'\x01'
    ■ guess = byte(i)
    ■ C_prev_exploit = C_prev[:15] + (injected_padding ⊕ guess ⊕ C_prev[15])
    ■ Send C_prev_exploit + C to server
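The last-byte loop above, carried through a whole block, as an added example (not code from the talk or from Samson). The server is simulated by a function that holds C_P and answers only whether C_P ⊕ C_prev has valid PKCS7 padding; `make_oracle`, `recover_block` and the sample values are constructed for this example. It also covers a case the last-byte loop leaves open: on a final block the untouched C_prev already passes the padding check.

```python
BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # 1..16, so an aligned input gains a full block
    return data + bytes([n]) * n

def padding_ok(block: bytes) -> bool:
    n = block[-1]
    return 1 <= n <= BLOCK and block.endswith(bytes([n]) * n)

def make_oracle(c_p: bytes):
    """Simulated server. c_p stands for C_P, the cipher's output for block C (secret)."""
    calls = [0]
    def oracle(c_prev: bytes) -> bool:
        calls[0] += 1
        return padding_ok(xor(c_p, c_prev))   # P = C_P xor C_prev
    return oracle, calls

def recover_block(oracle, c_prev: bytes) -> bytes:
    """Recover P byte by byte, right to left, from yes/no padding answers only."""
    known = b""
    for pad in range(1, BLOCK + 1):
        pos = BLOCK - pad
        # Bytes already recovered are cancelled out and set to the padding value.
        tail = xor(xor(c_prev[pos + 1:], known), bytes([pad]) * (pad - 1))
        for guess in range(256):
            forged = c_prev[:pos] + bytes([c_prev[pos] ^ guess ^ pad]) + tail
            if not oracle(forged):
                continue
            if pad == 1:
                # A hit may be a longer valid padding (e.g. the untouched C_prev of
                # a final block). Disturb the byte before it: only \x01 survives.
                probe = forged[:pos - 1] + bytes([forged[pos - 1] ^ 0xFF]) + forged[pos:]
                if not oracle(probe):
                    continue
            known = bytes([guess]) + known
            break
    return known

if __name__ == "__main__":
    # Constructed sample values, not from the talk.
    p = pkcs7_pad(b"admin=False")
    c_prev = bytes(range(BLOCK))
    oracle, calls = make_oracle(xor(p, c_prev))
    print(recover_block(oracle, c_prev), calls[0], "oracle calls")
```

Each recovered block costs at most 16 × 256 guesses, nearly all of which fail the padding check, so the logging server in the scenario receives a burst of unpadding exceptions for a single session cookie.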

Samson: Our Attack

● We want two things
  ○ First, to know what’s in the plaintext
  ○ Second, to craft an exploit to gain admin
● Get a valid IV and ciphertext from the server (SESS_PARAM cookie)
● Unpadding the plaintext will throw an exception if the padding is bad
  ○ But this exception is never returned to the user
  ○ However, logging server will cause latency!
    ■ Network > Disk > CPU
  ○ Solution: find timing differential between bad padding and good padding
● Run padding oracle attack using above oracle

Samson: Padding Oracle Attack Code

Samson: Our Attack Cont.

● Now we have plaintext
● Same idea with padding oracle, manipulate ciphertext, so it XORs to b'admin=True'
● Example

b'admin=False\x05\x05\x05\x05\x05'
b'000000EEEEE\x00\x00\x00\x00\x00'

EEEEE = b'False' ⊕ b'True\x00'
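The mask from the example above applied to the IV of a one-block cookie, next to the corrected server that authenticates IV and ciphertext before decrypting. This is an added example, not code from the talk or from Samson: a small Feistel network stands in for AES-256, the keys and IV are constructed sample values, all function names are hypothetical, and the slide's `0` is read as a zero byte.

```python
import hashlib
import hmac

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def toy_block(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """4-round Feistel network standing in for AES-256 (assumption of this example)."""
    l, r = block[:8], block[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = (xor(r, round_fn(key, i, l)), l) if decrypt else (r, xor(l, round_fn(key, i, r)))
    return l + r

ENC_KEY = b"constructed encryption key"   # sample keys, constructed for the example
MAC_KEY = b"constructed MAC key"

def issue_cookie(padded: bytes, iv: bytes):
    """One-block CBC: C = E(P xor IV), plus an HMAC tag over IV || C."""
    c = toy_block(ENC_KEY, xor(padded, iv))
    return iv, c, hmac.new(MAC_KEY, iv + c, hashlib.sha256).digest()

def decrypt_unauthenticated(iv: bytes, c: bytes) -> bytes:
    """Weak form: P = D(C) xor IV with no integrity check."""
    return xor(toy_block(ENC_KEY, c, decrypt=True), iv)

def decrypt_authenticated(iv: bytes, c: bytes, tag: bytes) -> bytes:
    """Corrected form: verify the tag in constant time before touching the ciphertext."""
    expected = hmac.new(MAC_KEY, iv + c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie rejected: bad MAC")
    return decrypt_unauthenticated(iv, c)

# The slide's mask: zeros where the plaintext stays, b'False' xor b'True\x00' where it changes.
MASK = b"\x00" * 6 + xor(b"False", b"True\x00") + b"\x00" * 5

def tamper_iv(iv: bytes) -> bytes:
    return xor(iv, MASK)

if __name__ == "__main__":
    iv, c, tag = issue_cookie(b"admin=False" + b"\x05" * 5, bytes(range(16)))
    print(decrypt_unauthenticated(tamper_iv(iv), c))    # permission field now reads True
    try:
        decrypt_authenticated(tamper_iv(iv), c, tag)
    except ValueError as err:
        print(err)
```

Because the tag is checked before decryption, a modified IV or ciphertext never reaches the unpadding step, which removes the padding oracle as well as the bit flip.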

Video Demo

Samson: Real World Padding Oracles

● Lucky Thirteen
● OpenSSL
● ASP.NET
● IPSec
● Steam
● JavaServer Faces

Samson: Caveats

● Still under heavy development
● Not built for speed of execution
● Having a hammer doesn’t make you a carpenter

Judas

Covert-channel Tunneling Framework

Judas: What and Why

● Looking for easy and composable tunnels
● OpenVPN too static, DET too naive
● Low-level understanding of networking

Judas: High-level Overview

Judas: High-level Overview Cont.

● Build your own implementation of the OSI model!
● Note the scheduler: parallel OSI models
● Built on top of Scapy
● Way faster than Scapy for sending data

Judas: High-level Overview Cont.

● Interfaces
  ○ TUN/TAP device
  ○ TCP Server
  ○ Programmatic
● Schedulers
  ○ Round robin
  ○ Random
  ○ Token Bucket
● Transforms
  ○ Prepend Layers
  ○ Compress
  ○ Encrypt

Judas: High-level Overview Cont.

● Pipes
  ○ TCP Client/Server
  ○ Datagram (UDP)
  ○ L2/L3 pipes (RAW)
● Tunnels
  ○ Normal tunnel
  ○ Adaptive tunnel
● Misc
  ○ Health-checking and automatic resolution
  ○ UDP holepunching
  ○ Hooks/disruptors
  ○ Packet rerouting

Judas: High-level Overview Cont.

● Other uses
  ○ Fuzzing network applications
  ○ Security infrastructure testing
  ○ General tunnel prototyping
  ○ SDN
● Makes it simple to implement https://tools.ietf.org/html/rfc2549 -> “IP over Avian Carriers with Quality of Service”

Judas Demo

Judas: BeerTAP

● Wanted something that shows how arbitrary tunnels can be
● Intern came up with IP over beer
● Programmed packet rebuilder to lower “latency”, increase “throughput”, and mitigate “packet flooding” (beer keg?)

Judas: BeerTAP Diagram

Judas: BeerTAP Tunnel Source

Video Demo

Judas: Caveats

● Under heavy development
● Probably not gonna keep up with Gigabit lines
● Only runs on Linux at the moment (probably)

Future Work

● Samson
  ○ Microarchitectural attacks
  ○ More primitives
  ○ More analysis functions
● Judas
  ○ Steganographic transforms
  ○ Last-layer cache data exfiltration pipe
  ○ SDR pipe

https://github.com/wildcardcorp/
