http://conference.hitb.org/hitbsecconf2012ams/
Amsterdam, 2012
Day1, Track1, 10:30
Ivo Pooters
Turning Android Inside Out

Presented a forensic scenario where
  A guy was found dead and had an Android phone
    This device was cloned with dd
  A guy from SwiftLogic was arrested on suspicion of leaking private and sensitive information/schematics
    This device was cloned with nanddump

MTD block device
  dd -> bad, it has no out-of-band (OOB) bytes
  nanddump -> wise choice

Cellebrite UFED
Android emulator
  doesn't like foreign images
  load yaffs2 support into the Linux kernel

When using nandsim
  need the correct parameters to load the right size of the image
  need to write the OOB bytes from the OOB-based image, so that the yaffs2 filesystem is correctly loaded
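
The OOB point above, as an added example (not code from the talk): a nanddump-style image stores each page followed by its OOB area, so a tool has to split that stream into a data-only image plus the OOB bytes, and interleave them again when feeding nandsim. The 2048-byte page / 64-byte OOB geometry and the sample image are assumptions; read the real geometry from the device.

```python
"""Split a raw NAND dump (page data followed by OOB, as nanddump produces)
into a data-only image and an OOB-only stream, and interleave them back.

Added example for the OOB discussion above; not code from the talk.
PAGE_SIZE/OOB_SIZE are assumed values (common 2 GiB-class SLC NAND);
adjust them to the chip the MTD driver reports.
"""

PAGE_SIZE = 2048   # assumed page size in bytes
OOB_SIZE = 64      # assumed OOB size per page in bytes


def split_oob(image: bytes, page_size: int = PAGE_SIZE, oob_size: int = OOB_SIZE):
    """Return (data, oob) from an image laid out as [page][oob][page][oob]...

    Raises ValueError when the image length does not match the geometry,
    the usual symptom of feeding a plain dd image (no OOB) or wrong sizes.
    """
    stride = page_size + oob_size
    if len(image) % stride:
        raise ValueError(
            f"image length {len(image)} is not a multiple of page+oob ({stride})")
    data = bytearray()
    oob = bytearray()
    for off in range(0, len(image), stride):
        data += image[off:off + page_size]
        oob += image[off + page_size:off + stride]
    return bytes(data), bytes(oob)


def join_oob(data: bytes, oob: bytes, page_size: int = PAGE_SIZE,
             oob_size: int = OOB_SIZE) -> bytes:
    """Inverse of split_oob: rebuild the interleaved image a simulator expects."""
    if len(data) % page_size or len(oob) % oob_size:
        raise ValueError("data/oob lengths are not page aligned")
    pages = len(data) // page_size
    if pages != len(oob) // oob_size:
        raise ValueError("data and oob describe a different number of pages")
    out = bytearray()
    for i in range(pages):
        out += data[i * page_size:(i + 1) * page_size]
        out += oob[i * oob_size:(i + 1) * oob_size]
    return bytes(out)


def oob_is_blank(oob: bytes, oob_size: int = OOB_SIZE) -> list:
    """Per-page flag: True when the OOB area is all 0xFF (erased/unused page)."""
    return [oob[i:i + oob_size] == b"\xff" * oob_size
            for i in range(0, len(oob), oob_size)]


def build_sample_image(pages: int = 4) -> bytes:
    """Constructed sample dump: page i filled with byte i and an OOB area
    carrying a fake tag; the last page is left erased (all 0xFF)."""
    image = bytearray()
    for i in range(pages):
        if i == pages - 1:
            image += b"\xff" * (PAGE_SIZE + OOB_SIZE)
        else:
            image += bytes([i]) * PAGE_SIZE
            image += b"YAFFS" + bytes([i]) + b"\xff" * (OOB_SIZE - 6)
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    data, oob = split_oob(img)
    print(len(data), len(oob), oob_is_blank(oob))
    assert join_oob(data, oob) == img
```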

50.56.29.109/ss
  contains PDFs from SwiftLogic
  basic user: norby
  basic pass: aaassspp

Dead guy phone evidence
  Looked up on Twitter 'yob taog', the SwiftLogic guy

Found com.andrIOd.mm
  not in the Android Market at all
  looks like a very custom, non-public application
  looks like it was installed on the SwiftLogic guy's phone by the selling shop/accomplice just hours before the SwiftLogic guy picked up the phone in the shop
  interesting fact: the SwiftLogic guy put a status on Facebook/Twitter that he is going to pick up his new shiny phone very soon and is excited about that

Found com.vzw.smsProvider

Live analysis
  Android emulator + adb
  Wireshark
  adb, Dalvik Debug Monitor, logcat

Static analysis (relied more on this)
  see the Fortinet talk for a better tool list
  apktool
  jd-gui
  etc.

com.andriod.mm
  triggers on SD card mount
  zips all the files on the SD card
  uploads to the IP mentioned above
  sends SMS to the dead guy

http://www.dfrws.org/2011/challenge/results.shtml
http://www.dfrws.org/2011/challenge/index.shtml

Rooting a phone can tamper with evidence
  So, developed in-memory temporary rooting techniques
  in .NL, rooting is not a problem
  in .US, it is kind of a problem
===================================

http://conference.hitb.org/hitbsecconf2012ams/
Amsterdam, 2012
Day1, Track1, 09:00
Andy Ellis
KEYNOTE 1 Getting Ahead of the Security Poverty Line

Tools mentioned
  Low Orbit Ion Cannon
  High Orbit Ion Cannon
  Havij - "democratization of SQL injection"
  Idea is that these brought exploitation tools and techniques down to the commodity level

If you take away the risk, people will try to absorb more risk (i.e. the safer the technology in the car, the higher the speed they tend to drive => fewer victims because of the technology, but more accidents)

FluffyBunny
  check the story

bitly.com/AkaVscar
bitly.com/AkaVscan
===================================

http://conference.hitb.org/hitbsecconf2012ams/
Amsterdam, 2012
Day1, Track1, 11:30
Claudio Guarnieri
One Flew Over The Cuckoo's Nest: Automated Malware Analysis

Pros
  presented a reasonable list of items which should anyway be common-sense pros

Cons
  commercial solutions are very expensive
  the environment could be detected
  difficult to automate successfully
  without proper consumption of the results, they are useless

Preparation
  define requirements and expectations
  design the analysis environment
  integrate into a larger threat analysis result framework

Questions to be answered
  Why?
  What?
  What?
  Who?
  How?

Decide the category of the exploits
  cuckoobox.org
  PDF
  Office
  PHP, Perl scripts
  browser exploits

CUCKOO framework
  malwr.com
  multiple Google SoC grants

Integration
  which other threat frameworks does it integrate with

Links
  cuckoosandbox.org
  blog.cuckoosandbox.org
  malwr.com
  honeynet.org

Threat analysis frameworks
  wiki page generators
  CIF
  mostly in-house developments
  mostly custom systems
  cannot name a public or FOSS one
===================================

phdays.com, phdays.ru
Moscow, 2012
Day2, Track4, 10:00
Nikhil Mittal,
Breaking havoc using a Human Interface Device

Nikhil Mittal
Abusing HID devices

Pen-testing overview
  enum+intel -> vuln scan -> exploit -> post-exploitation -> report

Best case scenario exploitation
  memory corruption bugs
    server side
    client side
  mis-configs
    open file shares
    sticky slip passwords
  man in the middle
  unsecured dumpsters
  human

Worst case scenario
  no public exploits available
  not allowed on the system
  countermeasure blocking
  exploit completed but no session was generated
  hardened systems
  patches in place
  countermeasures blocking scans and exploits
  security incident monitoring and blocking
  no network access
  need alternatives

Need new methods to break into systems
  bad guys get smarter
  not as easy as it used to be

HID anyone?
  what could go wrong?
  HIDs are considered dumb devices
  but it seems we can give them brains
  meet Teensy

Teensy
  USB microcontroller
  storage ~ 130 kB
  there is also Teensy++
  pjrc.com
  pjrc.com/teensy/projects.html
  similar to an Arduino dev board
  programmed using the Arduino dev env (ADE)
  needs just a simple plugin for Arduino (Teensyduino)

Installation
  Windows
    install serial.exe (virtual serial driver)
    install Teensyduino
  Linux
    avr and avr-gcc packages required

Usage (Arduino + Teensyduino)
  Select "USB Type" -> Keyboard+Mouse+Joystick
  C++-like syntax
  two functions required (setup() and loop())
    setup() runs the first time you connect a device
    loop() keeps running after setup()

======================

// runs once, when the device is plugged in and enumerated as a keyboard
void setup()
{
  Keyboard.print("Hello World");  // emitted as keystrokes to the host
}

// runs repeatedly after setup(); nothing to do in this example
void loop()
{
}
===================================

phdays.com, phdays.ru
Moscow, 2012
Day2, Track3, 16:00
Dmitry Evdokimov,
Light and dark side of code instrumentation

Static binary instrumentation tools
  dyninst
  eel
  atom
  pebil
  eresi
  tau
  vulcan
  bird
  slan (4514N)

Debuggers
  sw/hw breakpoints (hw only 4 => mostly sw)
  scripting
    windbg + pykd
    ollydbg + python = Immunity Debugger
    gdb + python
    python libs: buggery, idapython, immlib, lldb, pydbg, pydbgeng, pygdb, python-ptrace, vtrace, winappdbg
  debugger and application work at the same level
  e.g.: better to do this kind of instrumentation ...

Dynamic binary instrumentation
  aka virtual code integration
  is a process of controlling and analysing a process already in memory by introducing own code into it
  DBI tools:
    small plugins (win = dll libs, *nix = so libs)
    instrumentation routines
      executed just once, at the place where we need to add our code
      at this stage the instrumentation introduces our code
    analysis routines
      these get called when the above detected place is reached (can be called multiple times)
  compared to debuggers, there is no need to switch context

Modes
  user mode vs kernel mode

Mode of work
  start to finish
  attach

Mode of exec
  there is a graph JIT vs PROBE
  interpretation mode
    valgrind, useful for heavy and slow analysis (memory leaks for huge processes like Oracle DB, etc.)
  probe mode (MORE performance)
    instruction overwrite
  JIT mode (MORE functionality)
    binary -> disasm -> disasm instrumentation -> recompile -> original code never executed, merely an instrumented equivalent

DBI Frameworks
  DBI::Intro from the ZeroNights conf
  Frameworks
    PIN (Intel)
    DynamoRIO (HP)
    DynInst (Maryland & Wisconsin Universities)
    Valgrind (FOSS worldwide)
    Nirvana (MS)
  command line example given

Levels of granularity
  instruction
  basic block
  trace/superblock
  function
    requires symbols, otherwise better to use instruction level
  section
  events
  binary image

Self-modifying code and DBI
  in case the code is self-modifying, the cache of the DBI engine contains NOT the code which got executed, but the one replaced by the malicious code
  how to detect
    write-protected code pages
    checking store address
    inserting extra code

Overhead
  O = X + Y
  X = N * Z
  Y = K + L
  O = tool overhead
  N = number of times the function is called
  Y = analysis routines overhead
  TODO

Rewriting instructions
  fixed length instructions (ARM)
  variable length instructions (x86, x64)
  graph with distribution by instruction length (TODO)
===================================

phdays.com, phdays.ru
Moscow, 2012
Day2, Track2, 13:00
Benjamin Delpy,
To Recover Plaintext Passwords of Windows Users

mimikatz::sekurlsa::tspkg

http://blog.gentilkiwi.com/securite/pass-the-pass

MS introduced SSO with NT 6 to improve RemoteApps

KB says it works with "Default credentials"
  it can be user/domain/(pass|hash|ticket)
  in all cases it seems to be vulnerable to the pass-the-hash attack

Some interesting APIs/symbols
  TSObtainClearCreds
  TSRevealPassword
  TSCredTableLocateDefaultCreds

LsaEnumerateLogonSessions
  for each UID
    tspkg!TSCredTableLocateDefaultCreds
    TODO

LsaEnumerateLogonSessions
  for each UID
    tspkg!TSGlobalCredTable
    RtlLookupElementGenericTable
    LsaUnprotectMemory

We have just to:
  tspkg!TSGlobalCredTable
  SecPkgFunctionTable -> LsaUnprotectMemory
  LSA_SECPKG_FUNCTION_TABLE (MSDN/KB link)

mimikatz::sekurlsa::wdigest
  Hashes
    HA1 = MD5(username:realm:password)
    HA2 = MD5(method:digestURI:[...])

LsaUnprotectMemory
  at offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
  _DigestCalcHA1@8
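
The HA1/HA2 lines above, as an added example (not code from the talk or from mimikatz): the RFC 2617 Digest computation, showing that answering a challenge needs either the clear-text password or the pre-computed HA1, which is why a Digest-capable SSP has to keep one of them per logon session. The challenge values are the public RFC 2617 sample vector, not anything from the talk.

```python
"""HTTP Digest (RFC 2617) HA1/HA2/response computation.

Added example for the WDigest notes above; not code from the talk or from
mimikatz. Shows why a client-side SSP must hold the clear-text password (or
HA1 = MD5(user:realm:pass)): nothing in the exchange can be derived from an
NT hash. The challenge/response values are the RFC 2617 section 3.5 sample.
"""
import hashlib
import hmac


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); needs the clear-text password."""
    return _md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth (auth-int also hashes the body)."""
    return _md5_hex(f"{method}:{digest_uri}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2)"""
    return _md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_answer(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """What the client side (or an SSP acting for the logged-on user) computes.
    HA1 is derived from the password on every challenge unless it is cached."""
    return digest_response(ha1(username, realm, password), nonce, nc, cnonce, qop,
                           ha2(method, uri))


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, qop, response) -> bool:
    """A verifier needs only HA1, never the password; constant-time compare."""
    expected = digest_response(stored_ha1, nonce, nc, cnonce, qop, ha2(method, uri))
    return hmac.compare_digest(expected, response)


def rfc2617_example() -> str:
    """RFC 2617 section 3.5 sample challenge/response (public test vector)."""
    return client_answer("Mufasa", "testrealm@host.com", "Circle Of Life",
                         "GET", "/dir/index.html",
                         "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001",
                         "0a4f113b")


if __name__ == "__main__":
    print(rfc2617_example())
```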

LsaProtectMemory
  at offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE

LsaEnumerateLogonSessions
  for each UID
    TODO

Using TsPkg and WDigest, passwords can be revealed on all Windows versions
  WDigest
    XP, 2003
    Vista, seven, 2008, 2008r2
    8
  TsPkg
    XP SP3 (manual install)
    Vista, seven, 2008, 2008r2
    8

wce (TODO find what wce is) had not copied this talk's TsPkg functionality

WinDBG
  !process 0 0 lsass.exe
  .process /i 83569040
  g
  .reload /user
  bp TODO
  g

mimikatz::sekurlsa::livessp

LsaEnumerateLogonSessions
  for each UID
    search linked list by LUID
    LsaUnprotectMemory

mimikatz::sekurlsa::kerberos (nt 6)
mimikatz::sekurlsa::kerberos (nt 5)

MS implementation of Kerberos
  For password auth
    password hash used for the shared secret, but the password is kept in memory
===================================

phdays.com, phdays.ru
Moscow, 2012
Day1, Track2, 11:00
Aleksandr Matrosov, Eugene Rodionov,
Smartcard vulnerabilities in modern banking malware

Impact since 2010

Blackhole

Nuclear pack Apr 2012
  carders moved from Blackhole to Nuclear pack

New in Nuclear pack
  added check for legitimate user
  Java is one of the main vectors in attacking users

Example: Google search for "евровидение 2012" (Eurovision 2012)
  contains an injected iframe with yandeXXX.<trololo>.ru - a valid-looking domain
  this helps to avoid the AV/IDS detection of randomly generated domains
  then the iframe redirects to an exploit

Russia
  provides detection of 70% of worldwide carders' activity
  3x increase in detection rate from Nov 2011 till Jun 2012

Biggest botnets
  Origami, Gizmo, Dudorov

BK-LOADER (BootKit)
  Ringo bundle (ZeroKit or 0kit)
  First bootkit to modify the volume boot record
  version 1.0, 11/02/2011

Carberp sample
  Around 3000 bots receiving volume boot record BK debug messages
  Looks like GSVSoft supplied some parts of the BK code
  After the screenshot publication, they started (because of the high traffic incentive) redirecting users to Blackhole

Rovnix, Carberp with BK, Rovnix.B
  VBR
  Polymorphic VBR
  Malware driver storage

Anti-debugging
  Removes hooks of HIPS systems
  WinAPI functions called by hash, not by name

Cards
  Attacks on APDU level

crackme.esetnod32.ru
  win iPad
  win Amazon Kindle

Feisty
  if there is any delay in protocol or program execution, the malware changes its behaviour
  malicious plugins not saved on disk, directly loaded into kernel memory
===================================

phdays.com, phdays.ru
Moscow, 2012
Day2, Track1, 17:00
Sergey Gordeychik,
How to hack a telecom and stay alive 2. Owning a billing

(Lost 20 minutes of the talk)

Lots of VPN
  VPN is good, but needs GOOD configuration

The lords of the net
  Admins!
  a large network = MANY admins
  web-accessible KVM/RDP
  many servers =

  admin passwords never have a lock-out policy

TCP 1337 over SSL
  ShoutCast radio streaming server
  Location: an administrator workstation
  just search his email for the word "password"

WiFi access
  WEP instead of WPA
  reason = WPA is slow
  since WEP is fast, so fast was the password cracking as well :)
  found a VoIP Cisco Call Manager
  level 15 for the network

Pentester tips
  don't miss anything on the perimeter
  a strange service you are not able to fingerprint -> might in fact be a very BIG hole
  keep in mind 3rd party hosts
  use old-school tools and techniques
    sometimes old holes are found when the newest threats are patched
  check the WEB, necessary
  don't forget the admin side/aspects

Subscribers
  Subs are WITHIN the perimeter of the network
  many attacks are easier to perform from the subs' side

General problems
  network access control weakness
  intransigent attacks
  protection of the equipment
  web applications for subscribers
    e.g.: play online games, manage account, etc.

Network access control errors
  scanned 192.168.x.x
  22 ssh was open, though 23 telnet was closed
  445 udp share smb was still open, though 445 TCP was closed
  some Cisco had default passwords
    which subsequently led to some passport server passwords
    which gets us more Cisco passwords
    etc.

Hosting
  local network for collocated/dedicated servers
  attack against infrastructure (DNS)
    e.g.: Secunia hacked via DNS spoofing
  shared hosting

Network access control errors
  gprs/edge/3g, traditionally stick to NAT
    other clients are invisible
    this is not always true
    perhaps due to config errors
    in the subnet 10.x, other subscribers could be seen
  a lot of unpatched M2M devices (kiosks) behind NAT with the logic "behind NAT - unhackable"

SNMP 'private' on a GGSN
  Joke => some barcode

Joke
  captive portal (when credit expires on the net usage, for example)
  has LAMP
  but had mod_proxy -> used as a proxy -> leads to the backbone/technological network via the proxy -> pwn!

Web portals and services for subscribers
  are often placed into the DMZ together with OTHER_SPECIAL servers
  Subs also reuse passwords, or a flawed SSO is installed
  E.g.:
    games server
    Proxima CMS, path traversal + SQLi + configuration error = root
    found 20 other web apps on the same machine - all web apps used for subscriber-related use/access

Contractors
  perimeter level attacks
  require system access, VPN
  corporate policies are not applicable (in the proper sense) - just connect and get your work done
  e.g.:
    a host was looking for a WiFi AP
    brought up a fake AP
    the host connected to the fake AP
    the host allowed guest access in Windows
    the host had the distribution for DSL subs
    the password was in the distribution
    the password matched the production xDSL management software
  e.g.:
    some contractors are external - screenshot with a Chinese cmd.exe window

Pentester tips
  the laptop of the contractor is NOT a telecom good, it IS a contractor good
  the subscriber data is NOT telecom data
  so it is important to know what belongs to the telecom, and what does NOT
  we are ONLY searching for vulnerabilities
  MINIMALLY exploit the vuln
  we use ONLY our own resources for demos
  a fickle client
    client: enter the portal, abuse the leaked password, send me the screenshot
    pentester: NO, here is the password, go enter yourself and check it
  contractors are never to be hacked!

Playing inside
  changes are highly dynamic in the network
  some errors can cause failures and facilitate fraud

Going ahead
  while inside the network
    find things to break?
    better is to: own the directory and own the net
  own the net
    net gets you traffic
    traffic gets you passwords
  own the directory
    directory gets you passwords
  etc.

Owning the NET
  equipment vulnerabilities
    Cisco, Huawei - it is a real hassle to update/patch the vulnerabilities
  FORGOTTEN (!) systems - example:
    they found a switch - it was NON-configured!
    FUN part - NON-configured BUT uptime 2 years!
    pentesters configured it :) - "properly" configured!
  etc.

Example
  WPA-PSK for an AP found
  Hard time to physically find the given AP
  It is inside the data center
  gives access directly to the telecom without any hacks

Backups
  sometimes the backups of configuration are pulled over the net
  just sniff and collect the password

Scenario1 - bruteforce
  some default passwords work for a bootstrap list of Outlook Web Access users
  once Outlook Web Access is obtained
    gets us the list of users from the directory
    expand the list of users to bruteforce
    go back to step 1
  once inside the network, use a NULL session to get the list of users, go back to step 1

Scenario4 - relay attacks
  don't forget to use
  cannot be conceptually patched by design of challenge-response, where there is no authentication of the server (like in Kerberos)

Scenario5 - service desk again

ScenarioN
  works well in 50% of cases
  get into the SYSVOL share on the server
    any user on the net has auth to see it
    sometimes you find scripts with the password hardcoded/changed in the script itself
  post-exploitation
    Incognito - access token manipulation
    Pass-the-hash - for Windows
    mimikatz in Metasploit

Some billing IT servers
  look like any other web server with a DB
  no-patch Windows
  Oracle -> scott/tiger, no patches at all
  IIS + ASP.NET
  IMPORTANT -> billing = confidential information of subs => ask the telecom to get you a similar test system which doesn't contain confidential data
===================================

phdays.com, phdays.ru
Moscow, 2012
Day2, Track1, 15:00
Fyodor Yarochkin, Vladimir Kropotov,
Life cycle and detection of bot infections through network traffic analysis

Carberp
  check if there is a live user - mouse move
  if live user, then proceed to infection
  have a random but long enough delay before contacting the C&C
  otherwise, possibly a sandbox analysis - don't proceed

Java exploit jar/class files were on FTP
  user anonymous
  pass java version, e.g. Java1_6.30@
  helps to get the proper version of the exploit from the exploit loader

Detection during infection
  infection
    obfuscated IP address (like a number)
    password = java version
  exploitation
    download the updates .exe
  post exploitation
    check_system.php

What are we building
  analyze DNS traffic
  currently only DNS traffic
  WHOIS (including Team Cymru whois)

DNS traffic analysis
  dictionary-based, known names

DNS domain detection - by return codes
  rcode: 3 (non-existing domains)
  rcode: 2 (failed servers)

all DNS packets are indexed
  cross-correlation through database & whois queries
  easy to automate
  further steps

Detection flow
  failed DNS lookups
  mine whois cross-correlation
  identify domains with the same characteristics, but which are pinged and resolved
  then render those in the sandbox
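
The detection flow above (failed lookups by rcode, then resolved names that share the failed ones' characteristics), as an added example that is not the speakers' code: it runs over a constructed four-column resolver log (epoch, client, qname, rcode); the log format, the window/threshold values and the label heuristic are assumptions, and the whois correlation step is left out because it cannot run offline.

```python
"""Flag hosts with bursts of failed DNS lookups (NXDOMAIN / SERVFAIL) and
pick out the names they DID resolve that look like the failed ones.

Added example for the detection flow above; not code from the talk. The log
is a constructed text format (epoch client qname rcode); map your resolver's
export onto it. Whois cross-correlation is omitted so the example runs offline.
"""
from collections import defaultdict
import re

NXDOMAIN, SERVFAIL = 3, 2

# Constructed sample: 10.0.0.5 burns through generated-looking .ru names.
SAMPLE_LOG = """\
1335000001 10.0.0.5 www.example.com 0
1335000002 10.0.0.5 x7q3kd9.ru 3
1335000002 10.0.0.5 p0m2zzt.ru 3
1335000003 10.0.0.5 wq8vn1a.ru 3
1335000003 10.0.0.5 kr4t9xb.ru 3
1335000004 10.0.0.5 zq1lm4p.ru 3
1335000005 10.0.0.5 d3ks7vz.ru 0
1335000006 10.0.0.7 mail.example.com 0
1335000007 10.0.0.7 typo-exmaple.com 3
1335000008 10.0.0.9 cdn.example.net 2
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse(log: str):
    """Yield (ts, client, qname, rcode) tuples, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            yield int(ts), client, qname.lower().rstrip("."), int(rcode)


def label_looks_generated(qname: str) -> bool:
    """Cheap DGA-style hint on the leftmost label: digits mixed into a label
    with almost no vowels. A triage heuristic (assumed), not proof."""
    label = qname.split(".")[0]
    if len(label) < 6:
        return False
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in "aeiou" for c in label)
    return digits >= 1 and vowels <= len(label) // 4


def failed_lookups(records, window=60, threshold=4):
    """Return {client: [failed qnames]} for clients with >= threshold
    NXDOMAIN/SERVFAIL answers inside any sliding window of `window` seconds."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode in (NXDOMAIN, SERVFAIL):
            per_client[client].append((ts, qname))
    flagged = {}
    for client, fails in per_client.items():
        fails.sort()
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= threshold:
                flagged[client] = [q for _, q in fails]
                break
    return flagged


def sandbox_candidates(records, flagged):
    """Step 3 of the flow: names a flagged client resolved successfully that
    share the look (same TLD, generated label) of its failed ones."""
    out = {}
    for ts, client, qname, rcode in records:
        if client in flagged and rcode == 0 and label_looks_generated(qname):
            tlds = {q.rsplit(".", 1)[-1] for q in flagged[client]}
            if qname.rsplit(".", 1)[-1] in tlds:
                out.setdefault(client, []).append(qname)
    return out


def analyse(log: str = SAMPLE_LOG):
    """Run the whole flow; returns (flagged clients, sandbox candidates)."""
    records = list(parse(log))
    flagged = failed_lookups(records)
    return flagged, sandbox_candidates(records, flagged)


if __name__ == "__main__":
    print(analyse())
```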

Detection by visualization
  parallel coordinates
  see Alexandre Dulaunoy, CIRCL.LU

Demo video
  trc_herd.sh
  a lot of domains from .ro in the honeypot
  fun trivia - scripts/programs in the sandbox are loaded and executed, but the execution is faked and shows random output (e.g. some Spanish phrases, etc.)

Specifics of Russian malware
  loader
  exploit packs
  a lot of glue code and infrastructure to put it all together
  a little dirty/ugly, and the aim is the fastest monetization of the target

Specifics of Chinese malware
  some JavaScript
  most probably just a single neat file
  most probably they have a longer-term vision than just quick exploitation and monetization

Recommendation
  do not use AV, since if it's active, malware can enable AV evasion and start running on fake/strange execution paths
  use passive monitoring and cross-correlation methods
  default deny policy
  short-life-span domain names would help a lot of these domains

Questions
  Q: are there any fake C&C in the wild to study honeypots?
  A: haven't seen fake C&C
===================================

phdays.com, phdays.ru
Moscow, 2012
Day2, Track1, 09:00
Sylvain Munaut,
Abusing Calypso phones

Sylvain Munaut
  last 3 years with GSM
  doing it as a hobby

Why modify hardware
  cheap way to play with the protocol
  there are tools, but with limitations
    access to only layer 2 and up
    require expensive hardware

Target hardware
  Motorola C123
    chosen because supported by OsmocomBB
    it's a reference implementation
    there are plenty of phones based on the TI Calypso
    really cheap phone, easy to find even if broken

Will look into the Um interface
  between MS and BTS

GSM Um layer 1
  several GSM bands
  uplink (UL): phone -> network
  downlink (DL): network -> phone
  frequency domain duplexing
  there are channels -> frequency translation

GSM Um layer 1
  Fully synchronous
  BTS is the clock master
  it is TDMA (nightmare)
  frames -> timeslots -> bursts of transmission

4 types of bursts:
  normal bursts -> more than 90% of the traffic
  frequency correction burst (FCCH): sent by BTS
  sync burst (SCH): sent by BTS
  access burst (RACH): sent by MS to request a channel

History
  OsmocomBB - FOSS implementation of a BB
  gives control ONLY over layer 2 and layer 3
  didn't provide enough flexibility for Sylvain's research

Why Layer 1?
  Ciphering is applied in Layer 1
  Gives power to play with bits for various ciphering/crypto attacks
  Follow frequency hopping
  Save uplink and downlink

Typical RX chain
  Antenna - can be replaced
  RX filter - can be removed if needed
    ignore the problem - in a lab the signal is strong, the filter cannot filter efficiently
    otherwise - requires removing, soldering skills
  RF mixer - selects which frequency the phone receives
    for UL - it is designed for it, works fine
    for DL - needs removal to be able to tune to the required frequency
  Analog baseband - no problem to remove, it's just an ADC
  DSP core
    ROM based, cannot change :(
  ARM core
    running the OsmocomBB firmware, can be modified just fine, we have full control (break the keys, send traffic to Wireshark, etc.)

DSP core problems
  TI has/needs a way to patch bugs
    means there is a way to patch the ROM
  ARM is the master -> DSP will execute the tasks from ARM
  There is NO "sniff the network" task
    Need to implement one
  DSP has a bootloader to upload code and execute in RAM
    didn't work - TI security feature, when executing from RAM, the ROM is locked :(
    the fix is - in ROM there must be a memcpy() so that it can be used to bypass
    bruteforced the location of memcpy() in the ROM (neat! - bruteforcer source is lost, but can be recreated based on TODO.c by going over memory locations, calling the address as if it was memcpy and seeing if the memcpy occurred)
    took about one day/evening to dump
    so, using memcpy, able to read/dump the ROM -> then load into RAM
  DSP ROM
    have the word by word copy of the ROM
    loaded into IDA Pro
    known entry point (how?)
    CPU of the DSP is supported by IDA Pro
    seems like written by different teams/devs
    no calling conventions
    some routines are very optimized
    reading ASM code for an unknown architecture is a pain
    there are a lot of indirect calls
      calls a function pointer and the pointer is in the RAM
  DSP patching works by modifying DSP function pointer tables
    idea is to modify the function pointers
    the modified table/pointers are loaded in the bootloader process
  uses interrupts and IO access to trace important functions
    RAM interrupt
    DMA interrupt
    A5 unit IO
    DMA unit IO - for burst RX buffer
    RIF unit IO - for burst TX buffer
  putting it all together allows to write any bits we want to the ARM without any modulation problems

Current work
  modify a phone to act as a BTS
    not interested in doing a FULLY COMPLIANT BTS
    but want SMS, voice calls, etc.
    i.e. provide a minimal service BTS
  motivation
    another cheap tool for GSM research
    portable fake BTS
    just prove it's doable
  idea is not new
    first theoretical post about 2 years ago on the list (TODO find the post)

MS vs BTS
  the roles/frequencies are reversed
  the upper layers can be run on the PC and modified in the FOSS sources
  receiving bursts and the low level functionality at layer 1 is harder to do
  layer 1:
    annoying is that a BTS is continuously transmitting even though it has nothing to transmit, because phones look for a high-power RF channel to tune into
    to keep it cheap, the BTS does not necessarily tx/rx simultaneously (receive, 3 frames later can switch to transmit)
    transmit FCCH/TCH
    receive RACH
    clock master
      requires a stable enough reference, otherwise the phones will not lock onto your fake (phone-emulated!) BTS

Phone as a BTS
  the TX/RX chain is pretty much there in the hardware
  create DSP patch
    look at TX path for transmitting arbitrary data
    required multi-slot TX
      cannot transmit all the time
      but need to do your best
    drives the power amplifier a little bit since it's above the specs
  re-use OpenBTS as it is for the upper layers
    1st process - does the main job, calls smaller tasks
    2nd process - a small task, the _transceive_ job
    need just to reimplement the _transceive_ job
  duplex
    sol1: use 3 phones, hard because need to externally synchronize all of them, TODO recall other reasons
    sol2: not 100% reliable, but works most of the time - tx as much as you can, and then RX and do your best
      Tt.R.ttt
      (T) real BTS-like transmit, then (t) noise to be there on the channel, then switch to RX which is (.) a dead slot, then (R) receive RX from captured mobile phones, then switch again (.) to transmit, then 3 more noise (t) transmits TX
      it provides ONLY 1 channel, but works
      it doesn't allow voice calls
      but SMS, LU, etc. are supported
  clock sync
    brilliant idea - use a commercial cell to lock onto
      because the phone already has this code and functionality, it's the first thing they tried :)
      use this clock reference and our fake BTS/sniff phone will relay to other phones the clock reference (acquired from the commercial/surrounding BTS)
    other option
      remove the 64 MHz oscillator and replace it with a very precise, temperature-stable clock source; would be nice to be able to hook such a clock directly to some exposed pins of the phone and, with the smallest hardware modifications, deliver this clock signal to appropriate pins on the board

Stability issues
  when it works -> works reliably
  when it doesn't work -> it doesn't work reliably either :)
  the random behaviour is dictated by Fn(the clock reference cell, the current cell the phone camps on), result may vary
  demo
    registered to the demo
    then got the welcome SMS from the OpenBTS

Thanks
  Dieter Spaar
  LaF0rge
  David Burgess
  Andreas "jolly"
  TODO

Docs
  wiki with

Sylvain Munaut
  Present @ hackspace Neuron
    Friday 19:30 (Calypso, GSM, OpenBTS)
    Saturday 17:30 (TETRA, GMR)
===================================

phdays.com, phdays.ru
Moscow, 2012
Day1, Track1, 17:00
Multiple speakers
Demo section Seeing once is better...

===================================

Afanasiev Mihail (Gleg.net)

Finding SCADAs
  Services: ERIPP, Shodan
  Identification: WinCC, TODO for others

Advantech WebAccess 0day SQL injection
  blind SQL injection in proj and node HTTP params
  used the CANVAS framework for symbol-by-symbol enumeration from the pUserPassword table

Carel PlantVisor PRO demo 2.0 blind SQL injection 0day
  select + current_settings('data_directory') -
  true/false = substr(sym, sym_num)
  used the CANVAS framework
  Tomcat, PostgreSQL, Win2008

GE Fanuc HMI/SCADA CIMPLICITY 8.1
  directory traversal
  Win XP SP3
  CIMWebServer.exe (port 80)
  used the CANVAS framework

Pure web-based SCADA
  atvise
  IntegraXor

===================================

Mobile trojan in action
Artiom 4aikin
Positive Technologies

Total malware samples (McAfee)
  reportsrp-quaterly-threat-q4-2011.pdf

Past Android malware
  easy to detect
  example
    Angry Birds bonus level by [some Chinese chars]
    requires access to SMS and calls
  demo
    sends SMS upon installation

Present Android malware
  Users became smarter
  easy to get the malware
    drive-by download & SocEng
  hard to detect
    all Latin chars in the naming
    local exploits for privilege escalation
    installs services to deny malware removal
  demo
    some Russian malware developer
    used SocEng: named "communication security update"
    requires: "load at boot" and "internet connection" only
    missing from the list of applications
    only found in settings: com.Security.Update
    using the phone as a proxy server

Future Android malware
  rise of malware/trojans for mobile platforms
  exploits: local and remote
  motivations: fraud, mobile banking
  cross-application vulns - already real

===================================

Insecure Citrix

how to own virtual servers

Citrix XenServer
  cloud infrastructure
  open hypervisor Xen

(missed rest of the track) :(
A deep dive into brain's curiosities