blackjacking - defcon 14
TRANSCRIPT
-
8/12/2019 Blackjacking - Defcon 14
1/51
Defcon 14 - Las Vegas, NV USA 2006
Blackjacking 0wning the Enterprise via Blackberry
Jesse x30n DAguanno [email protected] [email protected]
-
8/12/2019 Blackjacking - Defcon 14
2/51
Defcon 14 - Las Vegas, NV USA 2006 2
Hello, My name is
$ whois x30n Founder / Director Prof Services
Praetorian Global, LLChttp://www.praetoriang.net
Member / Team Captain Digital Revelation Security Research Group & 2 time
winners, Defcon CTF
http://www.digrev.org
Blackjacking 0wning the Enterprise via Blackberry
-
8/12/2019 Blackjacking - Defcon 14
3/51
Defcon 14 - Las Vegas, NV USA 2006 3
Who uses Blackberry? Who doesn t?
Market share lead for handhelds. Gartner
Government workers and emergency personnel would beexempt from a possible shutdown Computerworld
Blackjacking 0wning the Enterprise via Blackberry
-
8/12/2019 Blackjacking - Defcon 14
4/51
Defcon 14 - Las Vegas, NV USA 2006 4
The solution Background
Typical Corporate Blackberry Installation
Blackjacking 0wning the Enterprise via Blackberry
RIM Net
Internet
Internal LAN
Blackberry
`
User s Workstation
App Serv
MS Exchange
BES
Wireless Providers
Blackberry Blackberry
Blackberry Blackberry
USB
-
8/12/2019 Blackjacking - Defcon 14
5/51
Defcon 14 - Las Vegas, NV USA 2006 5
The solution Background
Outgoing BES to RIM connection
Blackjacking 0wning the Enterprise via Blackberry
RIM Net
Internet
Internal LAN
MS Exchange
BES
Wireless Providers
Blackberry
Outbound TCP ConnectionBES to RIM
-
8/12/2019 Blackjacking - Defcon 14
6/51
Defcon 14 - Las Vegas, NV USA 2006 6
The solution Background
Persistent Tunnel BES and RIM
RIM Net
Internet
Internal LAN
MS Exchange
BES
Wireless Providers
Blackberry
Persistent Tunnel BetweenYour BES and RIM
Blackjacking 0wning the Enterprise via Blackberry
-
8/12/2019 Blackjacking - Defcon 14
7/51
Defcon 14 - Las Vegas, NV USA 2006 7
The solution Background Persistent Tunnel BES and BB Device
Blackjacking 0wning the Enterprise via Blackberry
RIM Net
Internet
Internal LAN
MS Exchange
BES
Wireless Providers
Blackberry
P e r s i s t e n t T u n n e l B e t w e e n
Y o u r B E
S a n d B B D e v i c e
-
8/12/2019 Blackjacking - Defcon 14
8/51
Defcon 14 - Las Vegas, NV USA 2006 8
RIM Net
Internet
Internal LAN
MS Exchange
10.1.1.10
Wireless Providers
Blackberry
P e r s
i s t e n t T u n n e
l B e
t w e e n
Y o u r
B E S a n
d B B D e v
i c e
Blackberry
BES / MDS10.1.1.12
App Serv
10.1.1.20
The solution Background
BB device now virtually on internal network
-
8/12/2019 Blackjacking - Defcon 14
9/51
Defcon 14 - Las Vegas, NV USA 2006 9
The solution - Review
BES / MDS creates outbound, persistent
connection to RIM network
Blackberry device then virtually placed on internal
network (Wherever BES / MDS exists)
always -on always connected
Wireless carrier independent
-
8/12/2019 Blackjacking - Defcon 14
10/51
Defcon 14 - Las Vegas, NV USA 2006 10
Problem with solution
Attitude of handhelds Only security of data on handheld usually
considered Not impact of handheld on rest of network
Blackberries are computers with constantconnection to corporate LAN
Not treated like other remote access. i.e.
VPN / Dial-in
-
8/12/2019 Blackjacking - Defcon 14
11/51
Defcon 14 - Las Vegas, NV USA 2006 11
Problem with solution
Guess what, we can exploit this problem!
Enter BBProxy
-
8/12/2019 Blackjacking - Defcon 14
12/51
Defcon 14 - Las Vegas, NV USA 2006 12
Step 1 External Connection
Create an outbound socket connection fromBlackberry device to attacker controlled hoston the internet.
-
8/12/2019 Blackjacking - Defcon 14
13/51
Defcon 14 - Las Vegas, NV USA 2006 13
Step 1 External Connection
Internet
Internal LAN
Blackberry
App Serv
MS Exchange
Attacker Host
Outbound Con nection via MDS
-
8/12/2019 Blackjacking - Defcon 14
14/51
Defcon 14 - Las Vegas, NV USA 2006 14
Step 2 Secondary Connection
From attacker controlled host, we theninitiate a subsequent socket connection to asecond host including internal hosts .
-
8/12/2019 Blackjacking - Defcon 14
15/51
-
8/12/2019 Blackjacking - Defcon 14
16/51
Defcon 14 - Las Vegas, NV USA 2006 16
Step 3 Proxy connection between external and internal host
Blackberry then proxies all data betweenhosts.
-
8/12/2019 Blackjacking - Defcon 14
17/51
Defcon 14 - Las Vegas, NV USA 2006 17
Step 3 Proxy connection between external and internal host
Internet
Internal LAN
Blackberry
App Serv
Attacker Host
Proxy ConnectionExternal Host to
Internal Host
-
8/12/2019 Blackjacking - Defcon 14
18/51
Defcon 14 - Las Vegas, NV USA 2006 18
BBProxy
Sweet! So now we can directly communicatewith any port on an internal host from anexternal host Right through our littleblackberry handheld.
-
8/12/2019 Blackjacking - Defcon 14
19/51
Defcon 14 - Las Vegas, NV USA 2006 19
Demo -
Let s check it out
Interaction with internal service
-
8/12/2019 Blackjacking - Defcon 14
20/51
-
8/12/2019 Blackjacking - Defcon 14
21/51
Defcon 14 - Las Vegas, NV USA 2006 21
BBProxy
OK, cool, we can now telnet to an internalbox or ssh or even grab intranet sites.
But can we do anything cooler?
This is Defcon Aren t we going to attacksomething? OF COURSE!
-
8/12/2019 Blackjacking - Defcon 14
22/51
Defcon 14 - Las Vegas, NV USA 2006 22
Metasploit!
Enter Metasploit
Point Click Root Now with Blackberryflavor!TM
C est impossible!
-
8/12/2019 Blackjacking - Defcon 14
23/51
Defcon 14 - Las Vegas, NV USA 2006 23
Metasploit!
Top level (listener) function added tometasploit to create a listening socket onport 1455 (default)
When a connection is received, verifies
BBProxy handshake Once connected, the connection is available
to any exploit within the framework Just
need to call it.
-
8/12/2019 Blackjacking - Defcon 14
24/51
Defcon 14 - Las Vegas, NV USA 2006 24
Demo -
Let s do it
Exploitation of Vulnerable service behindcorporate firewall
-
8/12/2019 Blackjacking - Defcon 14
25/51
Defcon 14 - Las Vegas, NV USA 2006 25
Demo -
Internet
Internal LAN
Blackberry
Vulnerable Server Behind on LAN
Attacker HostWith Metasploit
Attack vulnerableservice on internal host
-
8/12/2019 Blackjacking - Defcon 14
26/51
Defcon 14 - Las Vegas, NV USA 2006 26
Metasploit! Porting an exploit
Very easy to plug-in to usable exploits
Let s walk through one
msasn1_ms04_007_killbill.pm
-
8/12/2019 Blackjacking - Defcon 14
27/51
Defcon 14 - Las Vegas, NV USA 2006 27
Metasploit! Porting an exploit Patch msasn1_ms_04_007_killbill
exploit@@ -93,7 +93,8 @@my $target_idx = $self->GetVar('TARGET');my $target_app = $self->GetVar('PROTO');my $shellcode = $self->GetVar('EncodedPayload')->Payload;
- my $target = $self->Targets->[$target_idx];+ my $target = $self->Targets->[$target_idx];+ my $s = $self->GetVar('PROXYCONN');
Here we set $s to the value of the globalvariable PROXYCONN (Our proxy connection)
-
8/12/2019 Blackjacking - Defcon 14
28/51
Defcon 14 - Las Vegas, NV USA 2006 28
Metasploit! Porting an exploit
Patch msasn1_ms_04_007_killbill exploit$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
@@ -124,17 +125,34 @@"\x08\x00\xeb\xfe";
my $token = SPNEGO::token($stage0, $shellcode);- my $sock = Msf::Socket::Tcp->new- (- 'PeerAddr' => $target_host,- 'PeerPort' => $target_port,- 'SSL' => $self->GetVar('SSL'),- );-- if ($sock->IsError) {- $self->PrintLine("[*] Could not connect: ".$sock->GetError());- return;- }
We remove the standard socket build stuff
-
8/12/2019 Blackjacking - Defcon 14
29/51
-
8/12/2019 Blackjacking - Defcon 14
30/51
Defcon 14 - Las Vegas, NV USA 2006 30
Metasploit! Porting an exploit
++ my $sock = $s;+ $sock-
>Send($target_host.":".$target_port."\n");
Otherwise use our previous proxy connectionand send the appropriate string to start thesubsequent connection
-
8/12/2019 Blackjacking - Defcon 14
31/51
Defcon 14 - Las Vegas, NV USA 2006 31
Metasploit! Porting an exploit+ sleep(2);+ print $sock->Recv();
+ sleep(2);+
Sleep a bit to allow the second connection to beestablished, then do it!
if ($target_app eq 'http') {return $self->ExploitIIS($sock, $token);
@@ -176,7 +194,7 @@if ($resp =~ /0x80090304/) {
$self->PrintLine("[*] Server responded with error code 0x80090304");}
-+ sleep(10);$self->Handler($sock);$sock->Close;return;
-
8/12/2019 Blackjacking - Defcon 14
32/51
-
8/12/2019 Blackjacking - Defcon 14
33/51
Defcon 14 - Las Vegas, NV USA 2006 33
IDS evasion goodness
Each newer device has onboard tcp/ip stack No need for MDS to make connection Simple to choose connection type in code
deviceside=true or deviceside=false inconnection string
First connection from device side (Direct fromcarrier network). Second connection through
MDS Nothing on the border can see our traffic (It s all
encrypted by RIM s tunnel )
-
8/12/2019 Blackjacking - Defcon 14
34/51
Defcon 14 - Las Vegas, NV USA 2006 34
IDS evasion goodness
Carrier
Network
Internet
Attacker controlledbox
Wireless Providers Blackberry
First Connection
-
8/12/2019 Blackjacking - Defcon 14
35/51
Defcon 14 - Las Vegas, NV USA 2006 35
IDS evasion goodness
RIM Net
Internet
Internal LAN
VulnerableServer
Blackberry
Blackberry
Virtual Tunnel
Second (Exploit)Connection
-
8/12/2019 Blackjacking - Defcon 14
36/51
Defcon 14 - Las Vegas, NV USA 2006 36
IDS evasion goodness
Carrier
Network
RIM Net
Internet
Internal LAN
VulnerableServer
Attacker controlledbox
Wireless Providers Blackberry
Blackberry
Virtual Tunnel
Second (Exploit)Connection
BES/MDSEncrypted
Persistent Tunnel
First Connection
-
8/12/2019 Blackjacking - Defcon 14
37/51
Defcon 14 - Las Vegas, NV USA 2006 37
IDS evasion goodness Just like
Internet
Internal LAN
VulnerableServer
Firewall / IDSSees nothing
Attacker controlledbox
`
First Ethernet Connection
Second Ethernet Connection
-
8/12/2019 Blackjacking - Defcon 14
38/51
Defcon 14 - Las Vegas, NV USA 2006 38
Else
Problem BBProxy requires control of device (Interactive
app)
Solution First and only blackberry trojan (That I know of)!
-
8/12/2019 Blackjacking - Defcon 14
39/51
Defcon 14 - Las Vegas, NV USA 2006 39
Trojan Hot Game 2006
Same functionality as BBProxy User only sees game interface (TicTacToe) Over the air download! Easily integrated with other network
discovery functions and more covertmethods of control (IRC, etc.)
-
8/12/2019 Blackjacking - Defcon 14
40/51
Defcon 14 - Las Vegas, NV USA 2006 40
Demo -
Let s do it
Exploitation of Vulnerable service behindcorporate firewall while user playsTicTacToe
-
8/12/2019 Blackjacking - Defcon 14
41/51
Defcon 14 - Las Vegas, NV USA 2006 41
Code Signatures
RIM requires code (.cod) to be signed withRIM assigned private key to use proprietary
APIs, network access without confirmation,etc.
$100 USD processing fee to verify identity ofsignature requestor
Credit card name and address used for
verification of ID
-
8/12/2019 Blackjacking - Defcon 14
42/51
Defcon 14 - Las Vegas, NV USA 2006 42
Code Signatures Prepaid Credit Cards! Prepaid CCs allow online
transactions by ignoringthe name and addressfields
No need to steal credit
card number
Widely available in minimarkets and grocery storeseverywhere
Works!
-
8/12/2019 Blackjacking - Defcon 14
43/51
Defcon 14 - Las Vegas, NV USA 2006 43
Review
We can talk to hosts behind the corporatefirewall
We can attack them We can subvert IDS or data logging We can do it in a trojan We can sign our trojan anonymously and
use all APIs It gets worse! (or maybe better)
-
8/12/2019 Blackjacking - Defcon 14
44/51
Defcon 14 - Las Vegas, NV USA 2006 44
Device Provisioning
Ease of use vs. Security always a fight Ease of use wins!
Extremely easy to add a new device justplug it in
New device is then provisioned for use onthe BES
-
8/12/2019 Blackjacking - Defcon 14
45/51
Defcon 14 - Las Vegas, NV USA 2006 45
Blackjacking Hijacking blackberry connection
BB devices are
identified by theirunique PIN
Blackberry user plugs
in new device to PC New PIN is recognized
Encryption keys aregenerated and storedon BB handheld
-
8/12/2019 Blackjacking - Defcon 14
46/51
Defcon 14 - Las Vegas, NV USA 2006 46
Blackjacking Hijacking blackberry connection
Device PIN and new key pushed to
Exchange via MAPI
Info stored in BlackberryHandheldInfofolder in users mailbox
New device is now routing through MDS
This can be automated!
-
8/12/2019 Blackjacking - Defcon 14
47/51
Defcon 14 - Las Vegas, NV USA 2006 47
Blackjacking Hijacking blackberry connection
Work in progress Trojan to automate BB hijack process Utilizing other delivery mechanisms Everything else
Check www.praetoriang.net or www.digrev.org for updates.
-
8/12/2019 Blackjacking - Defcon 14
48/51
Defcon 14 - Las Vegas, NV USA 2006 48
References
Code and Updated Slides can be found athttp://www.praetoriang.net/presentations/blackjackorhttp://www.digrev.org/blackjack
http://www.blackberry.com/security
-
8/12/2019 Blackjacking - Defcon 14
49/51
Defcon 14 - Las Vegas, NV USA 2006 49
Q&A
?
-
8/12/2019 Blackjacking - Defcon 14
50/51
Defcon 14 - Las Vegas, NV USA 2006 50
Thanks / Greetings
Digital Revelation (DigRev) Pablo_marx FX Ian Robertson (RIM)
-
8/12/2019 Blackjacking - Defcon 14
51/51
Defcon 14 - Las Vegas, NV USA 2006 51
Thank You For Coming!Jesse x30n D Aguanno [email protected]