
phdays 2012 Day2, Track1, 12:00, PostScript Danger Ahead

06/11/12 | by zveriu | Categories: Conference, PHDays.ru, Write-up

UPDATE: subscribe to postscript-sec@andreicostin.com mailing list for notifications and planned tools & PoC releases.

Presentation.

Video.

Securely yours,
Andrei

PHDays 2012 - Overview

06/08/12 | by zveriu | Categories: Conference, PHDays.ru, Write-up

Motto: “First of all, a huge thank you for the wonderful organization of the conference - it is very, very pleasant to take part in a PHDays with such impeccable organization!”

PHDays.ru is over and it is kind of sad - I am already looking forward to PHDays 2013 and have already started drafting thoughts for my next presentation at this very cool conference.

The organization of the conference was fantastic, brilliant, very professional and flawless.

Positive Technologies, the main organizer of this security forum, took care of even the smallest details: flights, hotels, airport transfer (which in Moscow is a real hassle, if you have ever had the experience).

Just a few facts that I am sure say it all:

  • the event was free to attend and around 1500-1800 participants showed up
  • it featured 2 days of multiple tracks - there were at least 3 tracks and up to 6 tracks in any given hour slot
  • I haven’t seen significant delays in this massively packed track list, which is very, very impressive - kudos to the organizers!
  • there was an entire real mini TV crew running live editing, transmission and recording in a very professional manner (this was a bit unusual, since speakers could not connect their laptops to the video output, but it was an interesting experience after all)
  • the organizers threw a very nice live rock concert as the closing event (PS: I insanely enjoyed the “Дорогая я купил тебе ХУРМУ” (“Darling, I bought you a persimmon”) cover)
  • it was entirely awesome to meet the PTSecurity organizer crew as well as all the other distinguished speakers!

Needless to say, unlimited rivers of various alcoholic drinks (and NOT just vodka!) along with very fine Russian delicacies were there during the entire conference.

Sadly, I missed most of the CTF action going on there, but the fun part is that the CTF had a ‘dumpster-diving’ exercise - the idea is brilliant :)! Perhaps next time the organizers could add an ‘un-shred challenge’ twist to the ‘dumpster diving’ part ;)

You can also check some of the talks wrap-ups I wrote:

There is also a main posting on HABR

Again, thanks to whole PHDays2012 crew, to the speakers and to the attendees! Hope to see you all there next year as well.

Securely yours,
Andrei

phdays 2012 Day2, Track4, 10:00, Breaking havoc using a Human Interface Device

06/05/12 | by zveriu | Categories: Conference, PHDays.ru, Write-up

Download here

Code:

phdays.com, phdays.ru
Moscow, 2012
Day2, Track4, 10:00
Nikhil Mittal,
Breaking havoc using a Human Interface Device
 
Nikhil Mittal
    Abusing HID devices
 
Pen-testing overview
    enum+intel -> vuln scan -> exploit -> post-exploitation -> report
 
Best case scenario exploitation
    memory corruption bugs
        server side
        client side
    mis-configs
    open file shares
    passwords on sticky notes
    man in the middle
    unsecured dumpsters
    human
 
Worst case scenario
    no public exploits available
    not allowed on the system
    countermeasure blocking
    exploit completed but no session was generated
    hardened systems
    patches in place
    countermeasures blocking scans and exploits
    security incident monitoring and blocking
    no network access
    need alternatives
 
Need new methods to break into systems
    the bad guys get smarter
    it is not as easy as it used to be
 
HID anyone?
    what could go wrong?
    HIDs are considered dumb devices
    but it seems we can give them brains
    meet Teensy
 
Teensy
    USB microcontroller
    storage ~130 KB
    there is also Teensy++
    pjrc.com
    pjrc.com/teensy/projects.html
    similar to an Arduino dev board
    programmed using the Arduino dev env (ADE)
    needs just a simple plugin for Arduino (Teensyduino)
 
Installation
    Windows
        install serial.exe (virtual serial driver)
        install teensyduino
    For Linux
        avr and avr-gcc packages required
 
Usage (Arduino + Teensyduino)
    Select "USB Type" -> Keyboard+Mouse+Joystick
    C++-like syntax
    two functions required (setup() and loop())
        setup() runs once, when the device is first connected
        loop() keeps running after setup()
 
======================
 
void setup()
{
    // Runs once, after the host has enumerated the Teensy as a keyboard:
    // the payload is typed exactly as a human at the keyboard would type it.
    Keyboard.print("Hello World");
}

void loop()
{
    // Intentionally empty: the payload fires once per plug-in, not repeatedly.
}
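
What the `Keyboard.print()` call in the sketch above turns into on the wire, as an added illustration in Python (not Nikhil Mittal's code and not the Teensyduino library): ASCII characters become 8-byte boot-protocol keyboard reports (modifier byte, reserved byte, six key slots), uppercase letters and symbols carry a Shift modifier, and every press is followed by an all-zero release report, because the host only sees state changes and would otherwise read a repeated letter as one held key. The GUI+R chord at the end is the shape a typical payload has before it types a command. The US layout, the boot-protocol report format and the `run_dialog_payload` helper are my assumptions, not something from the talk.

```python
"""What Keyboard.print("Hello World") sends on the wire, approximately.

Added illustration in Python (not Nikhil Mittal's code, not the Teensyduino
library). A USB keyboard in the HID boot protocol reports 8 bytes per event:
[modifiers, reserved, key1..key6]. Keycodes are usage IDs from the HID
keyboard/keypad page (0x07); the US layout is assumed.
"""

MOD_LSHIFT = 0x02
MOD_LGUI = 0x08          # left "Windows"/Command key

# Usage IDs for the unshifted US keys.
_PLAIN = {ch: 0x04 + i for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz")}
_PLAIN.update({ch: 0x1E + i for i, ch in enumerate("1234567890")})
_PLAIN.update({"\n": 0x28, " ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30,
               "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37,
               "/": 0x38})
# Characters typed as Shift + an unshifted key.
_SHIFTED = {"!": "1", "@": "2", "#": "3", "$": "4", "%": "5", "^": "6", "&": "7",
            "*": "8", "(": "9", ")": "0", "_": "-", "+": "=", "{": "[", "}": "]",
            "|": "\\", ":": ";", '"': "'", "~": "`", "<": ",", ">": ".", "?": "/"}


def keystroke(ch):
    """Return (modifier byte, usage ID) needed to type one ASCII character."""
    if "A" <= ch <= "Z":
        return MOD_LSHIFT, _PLAIN[ch.lower()]
    if ch in _SHIFTED:
        return MOD_LSHIFT, _PLAIN[_SHIFTED[ch]]
    if ch in _PLAIN:
        return 0, _PLAIN[ch]
    raise ValueError("no US keycode for %r" % ch)


def report(modifier=0, key=0):
    """One 8-byte boot-protocol report with at most one key, in slot 1."""
    return bytes([modifier, 0, key, 0, 0, 0, 0, 0])


RELEASE = report()   # all zeros: every key and modifier released


def encode(text):
    """Reports for typing `text`: press, release, press, release, ...

    The release after every character is not optional. The host only reacts to
    changes between successive reports, so "ll" sent as two identical press
    reports would be one held key and would type a single "l".
    """
    out = []
    for ch in text:
        modifier, usage = keystroke(ch)
        out.append(report(modifier, usage))
        out.append(RELEASE)
    return out


def chord(modifier, ch):
    """A modifier+key combination such as GUI+R (the Run dialog on Windows)."""
    return [report(modifier, _PLAIN[ch]), RELEASE]


def run_dialog_payload(command):
    """Open Run with GUI+R, type the command, press Enter: the usual HID payload shape.

    Real payloads wait between the chord and the typing so the dialog has time
    to appear; timing is not visible at this byte level.
    """
    return chord(MOD_LGUI, "r") + encode(command + "\n")
```

Seen this way, the interesting property of the attack is clear: nothing in the report stream distinguishes a Teensy from a human at a keyboard, which is why endpoint controls that only look at USB mass-storage do not help against it.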

phdays 2012 Day2, Track3, 16:00, Light and dark side of code instrumentation

06/05/12 | by zveriu | Categories: Conference, PHDays.ru, Write-up

Download here

Code:

phdays.com, phdays.ru
Moscow, 2012
Day2, Track3, 16:00
Dmitry Evdokimov,
Light and dark side of code instrumentation
 
Static binary instrumentation tools
    dyninst
    eel
    atom
    pebil
    eresi
    tau
    vulcan
    bird
    slan (4514N)
 
Debuggers
    sw/hw breakpoints (only 4 hw => mostly sw)
    scripting
        windbg + pykd
        ollydbg + python = Immunity Debugger
        gdb + python
        python libs: buggery, idapython, immlib, lldb, pydbg, pydbgeng, pygdb, python-ptrace, vtrace, winappdbg
    debugger and application work at the same level
        eg: better to do this kind of instrumentation ...
 
Dynamic binary instrumentation
    aka virtual code integration
    the process of injecting and controlling your own analysis code inside a process that is already in memory
    DBI tools:
        small plugins (win = dll libs, *nix = so libs)
    DBI tools consist of:
        instrumentation routines
            executed just once, at the place where we need to add our code
            at this stage the instrumentation inserts our code
        analysis routines
            called whenever the place identified above is reached (can be called multiple times)
    compared to debuggers, there is no need to switch context
 
Modes
    user mode vs kernel mode
 
Mode of work
    start to finish
    attach
 
Mode of exec
    there is a graph JIT vs PROBE
    interpretation mode
        valgrind, useful for heavy and slow analysis (memory leaks in huge processes like Oracle DB, etc.)
    probe mode (MORE performance)
        instruction overwrite
    JIT mode (MORE functionality)
        binary -> disasm -> instrument the disassembly -> recompile -> original code never executed, merely an instrumented equivalent
 
DBI Frameworks
    DBI::Intro from zeronights conf
    Frameworks
        PIN (Intel)
        DynamoRIO (HP)
        DynInst (Maryland & Wisconsin Universities)
        Valgrind (FOSS worldwide)
        Nirvana (MS)
    command line example given
    
Levels of granularity
    instruction
    basic block
    trace/superblock
    function
        requires symbols, otherwise better to use instruction level
    section
    events
    binary image
 
Self-modifying code and DBI
    if the code is self-modifying, the DBI engine's code cache holds the original, already-overwritten instructions, NOT the code the malicious program actually runs
    how to detect
        write-protected code pages
        checking store address
        inserting extra code
 
Overhead
    O=X+Y
    X=N*Z
    Y=K+L
    O=tool overhead
    N=number of times function is called
    Y=analysis routines overhead
    TODO
 
Rewriting instructions
    fixed-length instructions (ARM)
    variable-length instructions (x86, x64)
    graph with distribution by instruction length (TODO)
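
A worked illustration of the probe-mode "instruction overwrite" and of the fixed- versus variable-length point, added here in Python and not taken from the talk or from Pin/DynamoRIO: on x86 the 5-byte `jmp rel32` a probe writes over a function entry must end on an instruction boundary, so the displaced instructions have to be decoded (not just counted), copied into a trampoline and followed by a jump back, and any displaced instruction that encodes a relative target cannot be moved verbatim. The length decoder below covers only a few 32-bit opcodes common in prologues (my assumption, enough for the constructed sample); the addresses are made up.

```python
"""Plan a probe-mode hook for an x86-32 function entry.

Added illustration (Python), not code from the talk or from any DBI framework.
Probe mode overwrites the first bytes of a function with `jmp rel32`; because
x86 instructions have variable length, the overwritten bytes must be decoded
so that whole instructions are displaced into a trampoline.
"""
import struct

JMP_REL32_LEN = 5

# Toy length decoder for a few 32-bit opcodes (assumption: enough for prologues).
_ONE_BYTE = set(range(0x50, 0x60)) | {0x90, 0xC3, 0xC9}   # push/pop r32, nop, ret, leave


def decode_length(code, pos):
    """Return (length, is_relative_branch) for the instruction at code[pos]."""
    op = code[pos]
    if op in _ONE_BYTE:
        return 1, False
    if op in (0x89, 0x8B):                       # mov r/m32, r32 / mov r32, r/m32
        if code[pos + 1] >> 6 != 3:
            raise ValueError("memory operand at offset %d not supported" % pos)
        return 2, False
    if op == 0x83:                               # add/sub/and/... r/m32, imm8
        if code[pos + 1] >> 6 != 3:
            raise ValueError("memory operand at offset %d not supported" % pos)
        return 3, False
    if op in (0xE8, 0xE9):                       # call rel32 / jmp rel32
        return 5, True
    if 0x70 <= op <= 0x7F or op == 0xEB:         # jcc rel8 / jmp rel8
        return 2, True
    raise ValueError("opcode 0x%02x not handled by this toy decoder" % op)


def plan_probe(code):
    """Instructions the probe displaces (whole ones, covering >= 5 bytes).

    Raises ValueError when one of them is a relative branch: its displacement
    would be wrong once it executes from the trampoline's address, so a real
    tool has to re-encode it instead of copying it.
    """
    stolen, pos = [], 0
    while pos < JMP_REL32_LEN:
        length, relative = decode_length(code, pos)
        if relative:
            raise ValueError("relative branch at offset %d cannot be moved verbatim" % pos)
        stolen.append(code[pos:pos + length])
        pos += length
    return stolen


def probe_is_safe(code):
    """True if the entry can be hooked by plain copying of the displaced bytes."""
    try:
        plan_probe(code)
        return True
    except ValueError:
        return False


def jmp_rel32(src, dst):
    """Encode `jmp rel32` located at address src, targeting dst."""
    return b"\xE9" + struct.pack("<i", dst - (src + JMP_REL32_LEN))


def build_probe(code, func_addr, trampoline_addr, handler_addr):
    """Return (patch, trampoline).

    patch replaces the function's first bytes: jump to the handler, NOP padding
    up to the next instruction boundary. trampoline re-executes the displaced
    instructions and jumps back to the first untouched instruction; the handler
    calls it whenever it wants the original function to run.
    Caveat not checked here: no other code may jump into the padded bytes.
    """
    stolen = plan_probe(code)
    stolen_len = sum(len(i) for i in stolen)
    patch = jmp_rel32(func_addr, handler_addr) + b"\x90" * (stolen_len - JMP_REL32_LEN)
    back = jmp_rel32(trampoline_addr + stolen_len, func_addr + stolen_len)
    return patch, b"".join(stolen) + back
```

The same plan on ARM would be trivial (every instruction is 4 bytes, so the overwrite always ends on a boundary), which is the practical meaning of the fixed- versus variable-length distinction in the notes.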

phdays 2012 Day2, Track2, 13:00, To Recover Plaintext Passwords of Windows Users

06/05/12 | by zveriu | Categories: Conference, PHDays.ru, Write-up

Download here

Code:

phdays.com, phdays.ru
Moscow, 2012
Day2, Track2, 13:00
Benjamin Delpy,
To Recover Plaintext Passwords of Windows Users
 
mimikatz::sekurlsa::tspkg
 
http://blog.gentilkiwi.com/securite/pass-the-pass
 
MS introduces SSO with NT 6 to improve RemoteApps
 
KB says it works with "Default credentials"
    which can be user/domain/(pass|hash|ticket)
    in all cases this seems to be vulnerable to pass-the-hash attacks
 
Some interesting APIs/symbols
    TSObtainClearCreds
    TSRevealPassword
    TSCredTableLocateDefaultCreds
 
LsaEnumerateLogonSessions
    for each UID
        tspkg!TSCredTableLocateDefaultCreds
    TODO
 
LsaEnumerateLogonSessions
    for each UID
        tspkg!TSGlobalCredTable
        RtlLookupElementGenericTable
        LsaUnprotectMemory
 
We have just to:
    tspkg:TSGlobalCredTable
    SeckPkgFunctionTable -> LsaUnprotectMemory
        LSA_SECPKG_FUNCTION_TABLE (MSDN/KB link)
 
mimikatz::sekurlsa::wdigest
    Hashes
        HA1=MD5(username:realm:password)
        HA2=MD5(method:digestURI:[...])
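
The two hashes above carried through to a full Digest response, as an added illustration in Python (not mimikatz code, not from the talk): HA1 is bound to the realm, which the client only learns from the server's challenge, so a provider that wants to answer challenges for any realm has to hold something from which HA1 can be derived; and once HA1 for a realm is known, the response can be computed without the password at all (the Digest analogue of pass-the-hash). The sample challenge values are the worked example from RFC 2617, section 3.5; the function names are mine.

```python
"""RFC 2617 Digest authentication, worked end to end.

Added illustration (Python), not mimikatz code. Every value the client sends
is derived from HA1 = MD5(username:realm:password); HA2 and the response add
only public challenge material.
"""
import hashlib


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password). The realm comes from the challenge."""
    return _md5("%s:%s:%s" % (username, realm, password))


def ha2(method, digest_uri):
    """HA2 = MD5(method:digest-uri), the qop=auth (or no-qop) form."""
    return _md5("%s:%s" % (method, digest_uri))


def response(h1, nonce, h2, nc=None, cnonce=None, qop=None):
    """Final response; with qop the client nonce and nonce count are mixed in."""
    if qop:
        return _md5("%s:%s:%s:%s:%s:%s" % (h1, nonce, nc, cnonce, qop, h2))
    return _md5("%s:%s:%s" % (h1, nonce, h2))


def answer_challenge(username, password, realm, nonce, method, uri, nc, cnonce, qop="auth"):
    """What a client-side provider computes per challenge from the plaintext password."""
    return response(ha1(username, realm, password), nonce, ha2(method, uri), nc, cnonce, qop)


def answer_with_ha1(h1, nonce, method, uri, nc, cnonce, qop="auth"):
    """The same answer from HA1 alone: holding HA1 for a realm is as good as the password there."""
    return response(h1, nonce, ha2(method, uri), nc, cnonce, qop)


# Constructed from the RFC 2617 section 3.5 example.
RFC_EXAMPLE = dict(username="Mufasa", password="Circle Of Life", realm="testrealm@host.com",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", method="GET",
                   uri="/dir/index.html", nc="00000001", cnonce="0a4f113b")
```

Note the asymmetry: a server can store HA1 per realm and never see the password, but a client that must respond to an arbitrary realm cannot precompute HA1 for it, which is the design pressure behind keeping a reversible form of the credential in LSASS.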
 
LsaUnprotectMemory
    at offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
    _DigestCalcHA1@8
 
LsaProtectMemory
    at offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
 
LsaEnumerateLogonSessions
    for each UID
        TODO
 
Using TsPkg and WDigest password can be revealed on all Windows
    WDigest
        XP, 2003
        Vista, seven, 2008, 2008r2
        8
    TsPkg
        XP SP3 (manual install)
        Vista, seven, 2008, 2008r2
        8
 
wce (Windows Credentials Editor) had not implemented the TsPkg functionality shown in this talk
 
WinDBG
    !process 0 0 lsass.exe
    .process /i 83569040
    g
    .reload /user
    bp TODO
    g
 
mimikatz::sekurlsa::livessp
 
LsaEnumerateLogonSessions
    for each UID
        search linked list LUID
        LsaUnprotectMemory
 
mimikatz::sekurlsa::kerberos (nt 6)
mimikatz::sekurlsa::kerberos (nt 5)
 
MS implementation of Kerberos
    for password auth
        the password hash is used as the shared secret, but the password is kept in memory
