Jon McCoy - AppSec-USA 2014 - Hacking C#(.NET) Applications: The Black Arts (v3)
DESCRIPTION
Speech by Jon McCoy, Hacking C#(.NET) Applications: The Black Arts (v3) @ AppSec-USA 2014
TRANSCRIPT
AppSec USA 2014
Denver, Colorado
Jon McCoy
Hacking .NET Applications: The Black Arts
AppSec – USA – 2014

DenHac - DenHac.ORG
Monday 8:00
700 Kalamath St. Denver CO
WHAT IS .NET?
NOT Microsoft
Cross Platform
Next Step From C++/JAVA
FUTURE COMPATIBLE
PLATFORM INDEPENDENT
HACKER VS ATTACKER

NOT ASM LEVEL

WHY NOT IDA?
IDA PRO

IDA PRO

BACK WHEN

BACK WHEN

BUT…

NOT IDA PRO

NOT IDA PRO
IL – Intermediate Language
Code of the Matrix |||| NEW ASM

HOW MUCH CODE DO YOU NEED TO READ?
C# - 15 lines
IL - 34 lines
ASM - 77 lines
Decompiled C# - 13 lines
Attacking/Cracking
IN MEM |||| ON DISK

ATTACKING .NET
ATTACK THE CODE ON DISK

ATTACKING ON DISK

ASM Attacking
Basics of ASM in .NET
Demo

ASM

GRAYWOLF
ON DISK EDIT

ATTACKING .NET APPLICATIONS: AT RUNTIME

GRAYDRAGON
INJECTION

ATTACKING .NET
ATTACK WHILE THE APP IS RUNNING

Run and Inject
SECURITY SYSTEMS

BAD IDEA
Some Things Are Just A Bad Idea!!!
101 - ATTACK ON DISK
Decompile - Get code/tech
Infect - Change the target's code
Remold/Recompile - WIN
Exploit - Take advantage
Connect/Open - Access Code

THE WEAK SPOTS
Flip The Check
Set Value is “True”
Cut The Logic
Return True
Access Value

FLIP THE CHECK
SET VALUE TO “TRUE”
    bool Registered = false;   ->   bool Registered = true;
    if (a != b)                ->   if (a == b)
RETURN TRUE
    bool IsRegistered() { return true; /* the original check body below is never reached */ }

CUT THE LOGIC
    string sqlClean(string x) { return x; /* sanitizer reduced to a pass-through */ }
CRACK THE KEY
Key scheme == Attack
Public/Private == Change Key
3/B == Name*ID*7 == ASK what is /B?
Call Server == Hack the Call
Demo = True; == Set Value
Complex Math == 1% of the time the KeyGen is given
PUBLIC/PRIVATE KEY
If you can beat them
Why join them
Key = “F5PA11JS32DA”
Key = “123456ABCDE”

SERVER CALL
1. Fake the Call
2. Fake the Request
3. Fake the Reply
4. Win
“Send” SystemID = 123456789
*Registered = True*
Reg Code = f3V541
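The SERVER CALL slide lists the four steps of faking the registration round trip. The following C# is an added example, not code from the talk or from GrayWolf/GrayDragon: it shows the defensive shape of that exchange, where the server signs its reply over a nonce the client just generated, so a captured “Registered = True” reply cannot be replayed and an edited reply fails signature verification. The class and method names, the message layout and the sample SystemID are constructed for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (constructed): signed, nonce-bound license reply for the
// client/server exchange described on the SERVER CALL slide.
public static class SignedLicenseCheck
{
    // Server side: holds the private key and answers each request with a signed reply.
    public sealed class LicenseServer
    {
        private readonly ECDsa _key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        public byte[] PublicKey => _key.ExportSubjectPublicKeyInfo();

        // Reply body = "systemId|nonceHex|registered"; the signature covers the whole body.
        public (byte[] reply, byte[] signature) Answer(string systemId, byte[] nonce, bool registered)
        {
            byte[] reply = Encoding.UTF8.GetBytes($"{systemId}|{Convert.ToHexString(nonce)}|{registered}");
            return (reply, _key.SignData(reply, HashAlgorithmName.SHA256));
        }
    }

    // Client side: the signature must verify AND the reply must echo this client's fresh nonce.
    public static bool VerifyReply(byte[] serverPublicKey, string systemId, byte[] nonce,
                                   byte[] reply, byte[] signature)
    {
        using var pub = ECDsa.Create();
        pub.ImportSubjectPublicKeyInfo(serverPublicKey, out _);
        if (!pub.VerifyData(reply, signature, HashAlgorithmName.SHA256))
            return false;                                   // fake or edited reply
        string[] f = Encoding.UTF8.GetString(reply).Split('|');
        return f.Length == 3
            && f[0] == systemId
            && f[1] == Convert.ToHexString(nonce)           // replayed reply carries an old nonce
            && f[2] == "True";
    }

    public static void Main()
    {
        var server = new LicenseServer();
        string systemId = "123456789";                      // value taken from the slide
        byte[] nonce = RandomNumberGenerator.GetBytes(16);
        var (reply, sig) = server.Answer(systemId, nonce, registered: true);

        // Fresh, signed reply: accepted.
        Console.WriteLine(VerifyReply(server.PublicKey, systemId, nonce, reply, sig));

        // Same reply captured and replayed against a later request (new nonce): rejected.
        byte[] laterNonce = RandomNumberGenerator.GetBytes(16);
        Console.WriteLine(VerifyReply(server.PublicKey, systemId, laterNonce, reply, sig));

        // Reply body rewritten to "True" with the original signature: rejected.
        byte[] edited = Encoding.UTF8.GetBytes($"{systemId}|{Convert.ToHexString(nonce)}|True");
        Console.WriteLine(VerifyReply(server.PublicKey, systemId, nonce, edited, sig));
    }
}
```

This only hardens the “Fake the Reply” step. The talk's broader point still holds: `VerifyReply` and the embedded public key live in the client binary and can themselves be patched (the “Public/Private == Change Key” row on the CRACK THE KEY slide), so any decision that matters should be taken on the server, with the client treated as untrusted.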
REG CODE REPLAY
Name: JON DOE
Code: 98qf3uy
98qf3uy != *C5G9P3
FAIL

REG CODE REPLAY
Name:
Code:
*C5G9P3

REG CODE REPLAY
Name: JON DOE
Code: 5G9P3
5G9P3 == *C5G9P3
WIN

COMPLEX MATH
1. Chop up the Math
2. Attack the Weak
3. ??????????
4. Profit
WHAT STOPS THIS?
What is the security?

PROTECTION ON DISK
Protection - Security by 0b$cur17y
Code Obfuscation
Shells / Packers / Encrypted (code)
Logic Obfuscation
Unmanaged calls… to C/C++/ASM
Try to SHUTDOWN Decompilation

PROTECTION ON DISK
0bfu$ca7ed
DEMO
FAIL

UNPROTECTED / PROTECTED

PROTECTION ON DISK
Shells
Pack/Encrypt the EXE

IT CAN BE THAT EZ
What is the security?

VISUAL STUDIO
Exploit – Run arbitrary code
First noted in 2004
Get developer Keys
Attack the SVN & DB
ATTACK VECTOR
www.pretentiousname.com/misc/win7_uac_whitelist2.html

LOOK INSIDE

DON’T LOOK
SECURITY
The Login security check is
Does A == B
Does MD5%5 == X
Is the Pass the Crypto Key

DATA LEAK
The Data sent home is
Application Info
User / Registration Info
Security / System Info

KEY
The Crypto Key is
A Hard Coded Key
The Licence Number
A MD5 Hash of the Pass
Salt + MD5 Hash of the Pass

CRYPTO
The Crypto is DES 64
Triple DES 192
Rijndael AES 256
Home MIX (secure/unsecure)

FIN
HACK THE LOGIN
DEMO
PASS THE KEY
SHOW THE KEY

HACK THE KEY
DEMO
APPSEC-USA 2011
999ca10a050f4bdb31f7e1f39d9a0dda

Static Crypto Key
Vector init = 0
Clear TXT Password Storage
Encrypted Data