Stacking the Deck

Dan Cronce & Justin Moravec
All rights reserved © 2018 Wildcard Corp

Obligatory “Who we are”
● Dan Cronce
  ○ Job title: Penetration tester
  ○ What I do: Purple team, tool development, field work
● Justin Moravec
  ○ Job title: Security Specialist
  ○ What I do: Auditing, vulnerability assessments, system & network engineering

Overview
● General design decisions
● Samson: Cryptanalysis and attack framework
  ○ What and why
  ○ High-level overview
  ○ Video demo
● Judas: Covert-channel tunneling framework
  ○ What and why
  ○ High-level overview
  ○ Video demo
● Future Work

Design Decisions
● Tired of devs who “know what’s best”; built for experimentation/experts
● Built for reusability
● Built for a specific purpose
● Attempt to be consistent and intuitive
● Understandability over raw power
● Tools increase efficiency, not ability

Samson
Cryptanalysis and Attack Framework

Samson: What and Why
● Running into possible cryptographic exploits in pentests
● CTFs using “Build-your-own-crypto”
● SageMath breaking on install
● Implementations in high-level language
● Understanding of low-level cryptographic primitives
● Samson - convenient library/framework for prototyping crypto or attacks

Samson: High-level Overview
● DO NOT USE SAMSON TO SECURE ANYTHING
● Attacks
  ○ CBC Padding Oracle
  ○ PKCS#1.5 Padding Oracle
  ○ CRIME
  ○ Nostradamus
  ○ HMAC Forgery
  ○ Nonce-reuse cracking
  ○ Dual EC backdoor generation
  ○ And more...

Samson: High-level Overview Cont.
● Primitives
  ○ Rijndael (AES)
  ○ DES
  ○ MT19937
  ○ RSA/DSA
  ○ SHA1/2/3
  ○ KASUMI/SNOW3G
  ○ Etc…
● Constructions
  ○ Merkle-Damgard Construction
  ○ Davies-Meyer Construction
  ○ Feistel Network
  ○ Sponge construction

Samson: High-level Overview Cont.
● Utility/Analysis functions
  ○ English Analyzer
  ○ Statistics
  ○ Number theory
  ○ Byte manipulation
  ○ Metaheuristic optimization

Samson Demo

Samson: Demo
● Scenario
  ○ Server generates 256-bit random key on start up
  ○ Server gives client cookie encrypted with AES-256-CBC and random IV
  ○ Cookie includes permissions
  ○ Admin interface decrypts cookie and checks if user has admin permission
  ○ On error, sends exception to logging server
● What we know
  ○ The cookie i.e. IV + Ciphertext
  ○ Is using CBC (note we don’t even have to know the cipher)
  ○ Probably using PKCS7 padding
● What we want
  ○ Admin!

Samson: Demo Source
[Two slide images]

Samson: Demo Breakdown
● The mechanisms at play
  ○ Padding
  ○ XOR
  ○ CBC
● The generic attack
● The attack for this specific instance

Samson: PKCS7 Padding
● What if your plaintext’s length is not a multiple of 16?
● Pad plaintext to block length (16) with the byte representation of the padding length
  ○ E.g. '\x02\x02' or '\x05\x05\x05\x05\x05'
● If plaintext is multiple of 16, pad a full block
  ○ I.e. '\x10' * 16
● Creates a guaranteed way to add and remove the padding
● Trying to unpad a plaintext with non-conformant padding throws an error
● Example
  ○ Block size = 16
  ○ Plaintext = 'iliketurtles'
  ○ Padded_plaintext = 'iliketurtles\x04\x04\x04\x04'

Samson: XOR
● Stands for exclusive OR
● What you need to know
  ○ Commutative and associative
  ○ Symbol is ⊕ or ^
  ○ Given A ⊕ B = C
    ■ C ⊕ A = B
    ■ C ⊕ B = A
    ■ A ⊕ A = 0
    ■ A ⊕ 0 = A
    ■ Intuitively, since C = A ⊕ B, we can expand C ⊕ A to A ⊕ B ⊕ A

Samson: XOR Visual
    >>> A = Bytes(b'iliketurtles')
    >>> B = Bytes(b'buy ovaltine')
    >>> A ^ B
    <Bytes: b'\x0b\x19\x10K\n\x02\x14\x1e\x00\x05\x0b\x16'>
    >>> (A ^ B) ^ A
    <Bytes: b'buy ovaltine'>
    >>> B = Bytes(b'ilikovaltine')
    >>> A ^ B
    <Bytes: b'\x00\x00\x00\x00\n\x02\x14\x1e\x00\x05\x0b\x16'>

Samson: CBC Encrypt
[Diagram. Source: Wikipedia]

Samson: CBC Decrypt
[Diagram. Source: Wikipedia]
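
The padding, XOR and CBC mechanics from the slides above, as an added Python example that is not from the deck or from Samson: CBC decryption XORs each decrypted block with the previous ciphertext block (or the IV), so an unauthenticated cookie can be altered bit for bit, and verifying an HMAC before decrypting rejects the altered cookie. The toy Feistel cipher standing in for AES, the fixed keys and IV, and all function names are assumptions made for the example.

```python
import hashlib, hmac

BLOCK = 16

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK          # 1..16: aligned input gets a full block
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")    # the error the deck's oracle detects
    return data[:-n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, decrypt=False):      # toy cipher standing in for AES (assumption)
    l, r = (blk[8:], blk[:8]) if decrypt else (blk[:8], blk[8:])
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return r + l if decrypt else l + r

def cbc_encrypt(key, iv, pt):
    out, prev, padded = b"", iv, pkcs7_pad(pt)
    for i in range(0, len(padded), BLOCK):
        prev = feistel(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out                        # cookie = IV + ciphertext

def cbc_decrypt(key, cookie):
    blocks = [cookie[i:i + BLOCK] for i in range(0, len(cookie), BLOCK)]
    pt = b"".join(xor(feistel(key, c, True), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(pt)                 # P_i = D(C_i) XOR C_(i-1)

def open_cookie(key, cookie, mac_key=None, tag=b""):
    if mac_key is not None:                # hardened path: verify the MAC before decrypting
        good = hmac.new(mac_key, cookie, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise PermissionError("cookie failed integrity check")
    return cbc_decrypt(key, cookie)        # mac_key=None: no integrity check, as in the demo

def demo():                                # constructed keys, IV and cookie
    key, mac_key = b"k" * 32, b"m" * 32
    cookie = cbc_encrypt(key, bytes(range(16)), b"admin=False")
    tag = hmac.new(mac_key, cookie, hashlib.sha256).digest()
    delta = xor(pkcs7_pad(b"admin=False"), pkcs7_pad(b"admin=True"))
    forged = xor(cookie[:BLOCK], delta) + cookie[BLOCK:]   # only the IV is changed
    return key, mac_key, tag, cookie, forged
```

With the values from `demo()`, `open_cookie(key, forged)` returns `b'admin=True'`, while `open_cookie(key, forged, mac_key, tag)` raises `PermissionError` before any padding is examined.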

Samson: Padding Oracle Attack
[Diagram labels: C_prev, C, C_P, P]

Samson: Padding Oracle Attack Cont.
● C_P ⊕ C_prev = P
● Padding oracle: is our padding correct?
● ATTACK: Try to cancel out the plaintext and inject our padding
  ○ Wrong guesses will screw up the padding
  ○ If our injection’s padding is correct, then we’ve gotten the correct byte!
● Algorithm for guessing last byte
  ○ For i=0 to 255
    ■ injected_padding = b'\x01'
    ■ guess = byte(i)
    ■ C_prev_exploit = C_prev[:15] + (injected_padding ⊕ guess ⊕ C_prev[15])
    ■ Send C_prev_exploit + C to server

Samson: Our Attack
● We want two things
  ○ First, to know what’s in the plaintext
  ○ Second, to craft an exploit to gain admin
● Get a valid IV and ciphertext from the server (SESS_PARAM cookie)
● Unpadding the plaintext will throw an exception if the padding is bad
  ○ But this exception is never returned to the user
  ○ However, logging server will cause latency!
    ■ Network > Disk > CPU
  ○ Solution: find timing differential between bad padding and good padding
● Run padding oracle attack using above oracle

Samson: Padding Oracle Attack Code
[Slide image]

Samson: Our Attack Cont.
● Now we have plaintext
● Same idea with padding oracle, manipulate ciphertext, so it XORs to b'admin=True'
● Example
    b'admin=False\x05\x05\x05\x05\x05'
    b'000000EEEEE\x00\x00\x00\x00\x00'
    EEEEE = b'False' ⊕ b'True\x00'

Video Demo

Samson: Real World Padding Oracles
● Lucky Thirteen
● OpenSSL
● ASP.NET
● IPSec
● Steam
● JavaServer Faces

Samson: Caveats
● Still under heavy development
● Not built for speed of execution
● Having a hammer doesn’t make you a carpenter

Judas
Covert-channel Tunneling Framework

Judas: What and Why
● Looking for easy and composable tunnels
● OpenVPN too static, DET too naive
● Low-level understanding of networking

Judas: High-level Overview
[Diagram]

Judas: High-level Overview Cont.
● Build your own implementation of the OSI model!
● Note the scheduler: parallel OSI models
● Built on top of Scapy
● Way faster than Scapy for sending data

Judas: High-level Overview Cont.
● Interfaces
  ○ TUN/TAP device
  ○ TCP Server
  ○ Programmatic
● Schedulers
  ○ Round robin
  ○ Random
  ○ Token Bucket
● Transforms
  ○ Prepend Layers
  ○ Compress
  ○ Encrypt

Judas: High-level Overview Cont.
● Pipes
  ○ TCP Client/Server
  ○ Datagram (UDP)
  ○ L2/L3 pipes (RAW)
● Tunnels
  ○ Normal tunnel
  ○ Adaptive tunnel
● Misc
  ○ Health-checking and automatic resolution
  ○ UDP holepunching
  ○ Hooks/disruptors
  ○ Packet rerouting

Judas: High-level Overview Cont.
● Other uses
  ○ Fuzzing network applications
  ○ Security infrastructure testing
  ○ General tunnel prototyping
  ○ SDN
● Makes it simple to implement https://tools.ietf.org/html/rfc2549 -> “IP over Avian Carriers with Quality of Service”

Judas Demo

Judas: BeerTAP
● Wanted something that shows how arbitrary tunnels can be
● Intern came up with IP over beer
● Programmed packet rebuilder to lower “latency”, increase “throughput”, and mitigate “packet flooding” (beer keg?)

Judas: BeerTAP Diagram
[Diagram]

Judas: BeerTAP Tunnel Source
[Slide image]

Video Demo

Judas: Caveats
● Under heavy development
● Probably not gonna keep up with Gigabit lines
● Only runs on Linux at the moment (probably)

Future Work
● Samson
  ○ Microarchitectural attacks
  ○ More primitives
  ○ More analysis functions
● Judas
  ○ Steganographic transforms
  ○ Last-layer cache data exfiltration pipe
  ○ SDR pipe

https://github.com/wildcardcorp/
