Hack the hackers: Leaking data over SSL/TLS
Formal Metadata
Number of Parts | 84
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/54212 (DOI)
Transcript: English(auto-generated)
00:03
Hello everyone, my name is Ionut Cernica and I'm presenting Hack the Hackers: Leaking Data over SSL/TLS. I'll have a short introduction about blind injections: what is a blind injection, then problems that may appear with blind injections, scenarios and challenges when you are exploiting the blind injection, blind injection over SSL/TLS,
00:25
then the demo time with sqlmap, the most used penetration testing tool when it comes to SQL injections. And the conclusion. Who am I? I'm a security researcher for the Future Networks 5G Lab. I'm also a PhD student at the Department of Computer Science, Politehnica Bucharest, a CTF player, penetration tester, entrepreneur.
00:50
Actually, this research was done during my PhD and I tried to innovate based on this research. I tried to introduce a new layer of security for web applications, and this was one of the components of that layer.
01:07
And we ran out of funds and we took a break from the project. And I'm a former bug bounty hunter. I used to be involved in many bug bounty programs.
01:22
Special thanks to Pentest-Tools. They have the best online penetration testing platform. You should try it. They give you free trials. You have to visit their website. I thank them because they are financially supporting me for being in Vegas and giving this presentation there.
01:43
Blind injection. It's about when you are trying to interrogate the server for trues and falses in order to take one byte at a time from the information you target. This technique is done through Boolean-based or time-based.
02:03
And in most cases where you encounter this technique, it will be at a SQL injection vulnerability. So you may have heard about blind injection, blind SQL injection. The problem. We can distinguish the trues and falses from the encrypted traffic just by looking at the length of the responses.
02:23
This is for the Boolean-based, and just by looking at the delays between the packets, between the responses, and this is for the time-based. Maybe it's not a problem. Maybe it is. Let's see if this is the real problem. No, the real problem is something else.
02:41
It's a new hacking technique, a passive one. It refers to blind injection leak over SSL/TLS. It's a passive attack, as I already said: no interaction with the victim, or with the hacker or penetration tester which is extracting data from the server. And this is because blind injection exploits are written in a predictable way.
03:05
So how's that? We have the f, which is the method: charset, binary search. We'll see in the next slide. Then we have the two types of output that we are taking from the encrypted traffic.
03:22
The two types of output: one is true and the other one should be false. And the result, the n, which is the input to the method, to the function, is the leak. If you can suppose the method and the two types of output you can find, it's a feasible brute force. Then you can find the leak by reversing the steps. It's very easy to do that.
03:46
Known methods of exploiting with the blind technique. So these are the methods which we should find when we are looking for blind injection over SSL/TLS. The charset method, in which you have the letters and the digits, and you are starting to take the first letter,
04:06
A, in this case, and interrogate the server: is the first letter of the information A? And maybe it said false. Then you go to B, you go to C. Here you'll have a true from the server, and the server will say, yes, this is the D letter from the information.
04:21
The first letter of the information is D. Good job, go to the second one, and so on. So we can reverse. If you suppose that the hacker did this, the charset, and used ABCD0123 or 01, this is challenging. You'll see in the next slides.
04:42
But this is the way how this works, because most of the hackers use this in their scripts. The binary search we can also use as a method for exploiting the blind technique.
05:01
The binary search, which is an optimized way to extract data from the servers. sqlmap is doing this, and it's an improved way of the binary search, because it's not on the whole ASCII table. It's starting with the printable characters, and it's starting with the letters.
05:20
Then it has some changes on its binary search, and we'll have a demo with sqlmap, and you'll see that it's very easy to reverse the steps. And bit shifting, again, is not so common, but it's a method, a known method, and I encountered it in a tool which was doing a SQL injection.
05:49
Challenges with the extraction methods. No challenges when we are dealing with optimization techniques like binary search or bit shifting, because we already know the code, how they are doing it, and it's easy to reverse the steps.
06:02
But we are having some challenges when it comes to the charset method, because here it was the biggest challenge. Okay, biggest challenge, yes, it was the biggest challenge, because we don't know where the letters are, if
06:21
the hacker starts with the letters, then the digits, or his charset starts with the digits, then the letters. And you should brute force their position by rotating the output and looking at the output to make a text recognition or something like this to extract the database.
06:46
How we exploit this over SSL/TLS, over this protocol; it's an important one. We have the length of the packets; we are using the length of the packets for the Boolean-based, and we are using the time delays between the packets to find the truth from the server when it comes to the time-based.
07:08
In some software there is padding involved, so we can still exploit this problem, because it would work if the block size is smaller than the difference between true and false.
07:21
So true and false will be differentiated by a huge length. And as a disclaimer, it's not a problem with the SSL/TLS protocol. The problem is in the way we write the exploits for this type of attack.
07:41
Scenarios of exploiting: we have the penetration testing company, which is doing the penetration test, and our pen tester is extracting with sqlmap the database from a vulnerable web application. And it can be a huge problem, because someone with the encrypted traffic from his company, or the Internet service provider, because this
08:06
is the second scenario, can look at his traffic and reverse the steps and take the same database as the penetration tester did. This scenario will be in our demo; you will see later. Our Internet service provider, which has all the traffic, can start digging for
08:25
information, start digging for databases, where our script kiddies or even professional hackers or penetration testers are trying to exploit databases, and our Internet service provider can take the same database.
08:42
And the third one: maybe one more reason why large countries have a strategic intent to pass the traffic of another country through their infrastructure. Maybe it could be a reason, I don't know. Future work. I was thinking of Tor, but I don't have exit nodes, but if you have
09:01
exit nodes, maybe it'd be challenging, it is challenging to see what happens there. And if a script kiddie or a penetration tester or a hacker, a professional one, will dump some database in the wild, you should be aware of the cell padding. And if you are lucky enough that your true and false are bigger than the cell size
09:27
of the padding in Tor, then the block size is smaller than the difference between true and false. If you are lucky, you can recover the information exactly like the hacker did.
09:43
Tools and exploit databases. We tried to analyze some tools, we analyzed some exploits from exploit databases, and with no exception we found that all those tools and all those scripts that were supposed to exploit blind
10:05
injections were written in an unsafe way. And there is a big impact when they are trying to exploit. When they are trying to exploit, there is a big problem, because someone can
10:21
reverse the steps much more easily if they know what was used for that extraction. And now for the demo, we are using sqlmap. We tried to contact the two main contributors of sqlmap.
10:41
We didn't have a reply two months ago. And we are doing this demo because even if I would hide from you that it's sqlmap, and I wouldn't say a word about sqlmap, most of you guys would already think about sqlmap. It may have the same problem, this problem, and you can check it very, very easily.
11:06
So, let's start the demo. We have a penetration tester who already started his sqlmap against a vulnerable web application.
11:21
sqlmap will find the exploit, the vulnerability, and will confirm it. In the meantime, we have three parties. The man in the middle starts a tcpdump, and he will get the encrypted traffic. sqlmap, as you can see, already finds the vulnerability, confirms it, and exploits it.
11:42
So, he's dumping data from the vulnerable web app. The man in the middle is listening on the traffic. He's taking the traffic. He's dumping all the traffic, even if it's encrypted. We'll see in seconds that that traffic is all about the server hello and then the encrypted packets.
12:09
And from that encrypted traffic, we will dump some data like packet lengths. Now, we are doing this. So, I'll open it with Wireshark.
12:21
You'll see that there is encrypted traffic. So, here it is. Look, encrypted traffic, server, client exchange, hello, and so on. Then we are trying to dump some data, the packet lengths, to a CSV file.
12:46
With that file, we are running the Python script to take the packet lengths from the vulnerable web app to the penetration tester. Those are the packet lengths we are interested in.
13:00
And from those packet lengths, we'll see which packet lengths are for trues and which are for falses. And we'll have a file with falses and trues. And we'll feed our local sqlmap with the same falses and trues. Right now, I'm creating a database on the man in the middle.
13:23
It doesn't have any connection to the database that was exploited before in the vulnerable web app. You can create any database. It's a dummy one like the other one, but let's suppose that it is a real one. And now, we are trying to start sqlmap.
13:43
The man in the middle will start sqlmap on his local machine against his database, which is already vulnerable to SQL injection through a web application on the local machine. And right away, before sqlmap starts to exploit that database,
14:02
the man in the middle will start feeding sqlmap with the same responses as the vulnerable web app feeds the pen tester. And you'll see that sqlmap will have the same results as the pen tester. The sqlmap from the man in the middle will have the same results as the sqlmap from the pen tester.
14:23
So right now, we have the application which responds with the same trues and falses as the vulnerable web app responded to the penetration tester.
14:41
And now, we save the file. We have the responses, falses and trues. And as you can see, sqlmap is extracting the same data as the sqlmap from the penetration tester. Let's see till the end.
15:01
So the message from the database was extracted too. So what happened? So what we did in the demo: the pen tester from a company, Company A, exploits the vulnerable web application with sqlmap. The man in the middle took the encrypted traffic through a tcpdump and he did a passive attack.
15:26
How did he do this passive attack? So there was no interaction between the man in the middle and the other two parties. Web application and the penetration tester, no interaction. So this can have a big impact, this problem I found. So he extracted the trues and falses from the packet lengths, from the encrypted traffic.
15:45
So it doesn't matter if it's encrypted or it's not encrypted. It doesn't matter. He just took the packet lengths and fed his local sqlmap with the same trues and falses to leak the data. Or you can reverse these steps and create a tool that does the same but much faster.
16:04
I did this to see the impact, to understand the impact in an easier way. So the result was that the man in the middle, as you can see in this picture,
16:21
took the same information as the pen tester did from the vulnerable web app. So this can be very tricky, because when you are using sqlmap, you should consider this. You are extracting data from vulnerable web applications, and that extracted data,
16:41
those dumped databases, can be extracted by anyone with only your encrypted traffic. And there are many cases where you can have problems like this, the charset method. So how can you fix this problem? For the charset method, an easy way is to shuffle the order of the characters in the charset,
17:06
and only your exploit knows the position of each character. And someone like the man in the middle will never know. And for the binary search, you should add some extra steps.
17:20
Of course, it will have an impact on the optimization, because binary search tries to optimize the process. You have extra steps, but it's safer for you to add those extra steps. Conclusion. So the way we are writing blind injection exploits: they should be written in a way,
17:50
in such a way that no one can reverse the steps of the communication between the exploit and the vulnerable application.
18:01
When we want to optimize the blind injection attacks, we must consider inserting random steps into the optimization algorithms like binary search or bit shifting or any other type of optimization. And as a defensive technique, you can consider this.
18:22
I tried, as I said, at my PhD, to introduce a new layer of security for web applications. Okay, it's threat hunting; it's a layer because it's post-exploitation, it's threat hunting, like a threat hunting. And what I was trying to do was to find ways to confirm attacks without looking at the payload.
18:48
So the payload complexity doesn't matter. We are looking for other things in the data. Like in this case, the packet lengths, and confirm a SQL injection and so on.
19:02
Maybe some attackers want to take this into consideration. They will need full optimization. They want to take the data as fast as possible. So maybe it can be feasible as a defensive technique, even though those problems with blind injection will be known from today.
19:23
Thank you. If you have questions, please ask me.