Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: blackhateu

Blackhat Europe: Gone, but not forgotten

Somehow amidst all the chaos of the spiraling ash cloud of death™ I managed to get the last flight back to Vienna. Blackhat was a great conference, full of great presentations and great people. It was a real pleasure to meetup with some old friends (@cfragoso, @xme, @seccubus) and get to know some new ones (@corelanc0d3r, @iiamit, @christiaanbeek). I’m sure I’m missing people, but then again it is 04:00 am.

For those that might have missed the Blackhat coverage on the blog, here’s a list of the talks I covered.

Day 1

Day 2

There are also a number of excellent blog posts from Frank Breedijk (@seccubus) on the cupfighter.net blog

Finally, I recorded an episode of the Eurotrash Security Podcast (@eurotrashsec) late last night. In which we discussed some of the talks from Blackhat Europe 2010. We also has Andres Riancho from the W3AF project on to talk about his project and other news. You can find the podcast over at http://www.eurotrashsecurity.eu or in iTunes.

Hopefully you enjoyed the coverage on the blog and twitter. Feedback is always welcome 😉

I hope to see some of you guys at Ph-Neutral next month in Berlin.

Blackhat Europe: Weaponizing Wireless Networks

Weaponizing Wireless Networks: An Attack Tool for Launching Attacks Against Sensor Networks (Thanassis Giannetsos)

Abstract (source: Blackhat.com)

The pervasive interconnection of autonomous sensor devices has given birth to a broad class of exciting new applications. At the same time, however, the unattended nature and the limited resources of sensor nodes have created an equal number of vulnerabilities that attackers can exploit in order to gain access in the network and the information transferred within. While much work has been done on trying to defend these networks, little has been done on suggesting sophisticated tools for proving how vulnerable sensor networks are. This work demonstrates a tool that allows both passive monitoring of transactional data in sensor networks, such as message rate, mote frequency, message routing, etc., but also discharge of various attacks against them. To the best of our knowledge, this is the first instance of an attack tool that can be used by an adversary to penetrate the confidentiality and functionality of a sensor network. Results show that our tool can be flexibly applied to different sensor network operating systems and protocol stacks giving an adversary privileges to which she is not entitled to. We hope that our tool will be used proactively, to study the weaknesses of new security protocols, and, hopefully, to enhance the level of security provided by these solutions even further.

Talk Abstract –> Weaponizing Wireless Networks: An Attack Tool for Launching Attacks Against Sensor Networks

Speaker Bio –> Thanassis Giannetsos

Set of sensor nodes deployed in large areas of interest

  • Self-Configuration, adaptability and node cooperation
  • Multi-hop and many-to-one communication

Sensor networks are deployed in thousands of areas used for a range of different purposes including:

  • Smart Grid
  • Military
  • Wildlife
  • Monitoring

Why sensor nets ?

Unique characteristics

  • Coverage
  • Survivability
  • Ubiquity

Security Challenges

Wireless medium

  • Eavesdropping
  • Interception
  • Alteration
  • Replay
  • Injection

Unattended operation

  • Exposed to physical attacks

Random Topology

  • No prior knowledge of topology

Insider Threat

  • Physical attacks
  • Exploiting memory related vulnerabilities

Defense mechanisms

Several layers of protection, including implementation of IDS techniques to detect attacks.

Supported Wireless Attacks

  • Confidentiality attacks:
    • Intercept private info sent over the wireless medium
    • Eavesdropping, Data Replay, Selective Forwarding
  • Integrity attacks:
    • Send forged data frames
    • Program Image Dissemination, Data Injection, Malicious Code Injection
  • Availability attacks:
    • Impede delivery of wireless messages
    • Sinkhole, HELLO Flood attack



  • Network Sniffer – For passive monitoring and logging of radio packets
  • Network Attack Tool – Provides functionalities for compromising a sensor network’s security profile
  • Network Visualization – Displays overheard neighborhood topology, network traffic, node states and status of any performed attack

Network Sniffer

Gathers audit data to be forwarded over the serial port. Listens in promiscuous mode to discover neighboring nodes.

Can decode overheard messages.

Network Attack Tool

Core component of the tool. Contains a number of attacks.

Data Stream Framework

  • Configured by network information (hardware platform, underlying routing protocol, message rate)
  • Upon request constructs and transmits specially crafted packets

Attack Launcher

  • Totally controlled by the user
  • Depending on the kind of attack provides DSF with suitable requests


  • Data Replay Attack
    • Transparent data access and alteration (replay original/modified)
  • Sinkhole Attack
    • Draw traffic to your system by making your system appear attractive to other nodes (routing metrics)
  • Routing Layer Module
    • Attack routing calculations (RCM) of routing protocols (MintRoute/MultihopLQI)
    • The attack tool calculates the correct values for such an attack
  • Selective Forwarding
    • Refuse to forward specific traffic (Denial of Service)
    • Nodes may move to a new parent if you fail to forward packets
  • Program Image Dissemination
    • Code updates
    • Patches
    • Over the Air Programming (OAP) – Deluge Protocol
      • Pinging (request information from a node)
      • Reboot
      • Erase
      • Inject

If it’s possible to become a parent of another node using the Sinkhole attack, the child will send the encryption key to ensure the parent can route the traffic correctly.

When performing sinkhole attacks it is important to avoid routing loops. If another node detects a loop, it will move to another parent in an attempt to correct the issue.

Malicious Code Injection:

Possibly take advantage of memory related vulnerabilities, such as buffer or stack overflows. Send crafted packets and execute malicious code on the node.

Malware within sensor networks is rare, and not often looked for. Simple malware could go unnoticed. Possibility to create a self propagating worm.

By infecting a single node, it is possible to compromise an entire sensor network.

PoC  targeting devices following the Von Neumann architecture. Malware stored in the heap as it remains empty for the lifetime of the device.

Required Steps

  • Understand the memory map of the sensor device
  • Transmission of a series of mal-packets containing the code to be copied onto the heap
  • Send a specially crafted packet for setting the PC to the starting memory address of the malware

Network Data Injection

  • Construction and injection of fake messages
    • High powered transmission
  • HELLO Flood Attack
    • Insert Ghost nodes
    • Create the illusion of being a neighbor

Goals of SENSYS Attack Tool:

  • Reveal vulnerabilities of sensor networks
  • Study the effects of severe attacks
  • Motivate a better design of security protocols and put them to
  • the test against adversaries

Tool will be released open-source within the next few weeks

Additional Links

For more information please see the Blackhat Europe website

Blackhat Europe: Universal XSS via IE8’s XSS Filters

Universal XSS via IE8’s XSS Filters (David Lindsay & Eduardo Vela Nava)

Abstract (source: Blackhat.com)

Internet Explorer 8 has built in cross-site scripting (XSS) detection and prevention filters. We will explore the details of how the filters detect attacks, the neutering method, and discuss the filters’ general strengths and weaknesses. We will demonstrate several ways in which the filters can be abused (not just bypassed) in order to enable XSS on sites that would not otherwise be vulnerable. We will then show how this vulnerability makes most every major website vulnerable to XSS in affected versions of Internet Explorer 8.

Talk Abstract –> Universal XSS via IE8s XSS Filters

Speaker Bio –> David Lindsay, Eduardo Vela Nava

The sordid tale of a wayward hash sign

Client-side XSS Filtering

  • XSS is extremely common.
  • Reflective XSS is detectable in the browser

Microsoft decided to implement an XSS filter in Internet Explorer 8 in an attempt to help users protect against this threat. Firefox has the NoScript plugin that performs the same kind of functionality. Chrome is also working on a similar feature.

Microsoft XSS design goals

…intended to mitigate reflected / “Type-1” XSS vulnerabilities in a way that does not “break the web.

— David Ross

  • compatible
  • secure
  • performance

Detection process (3 step process)

  • Examine all outbound requests for XSS patterns using heuristic filters
  • If heuristic matches outgoing HTTP request then create a dynamic signature
  • If signature matches HTTP response then neuter the response


Matches again GET/POST requests

23 Regular expressions (see http://p42.us/ie8xss/filters02.txt)

Dynamic Signatures

  • One created for each matching heuristic
  • Matches against inbound responses
  • Blacklisting regular expressions
  • Account for server side modifications

Neutering Process

  • No user interaction, just notify the user
  • Replace the flagged character(s) with the hash symbol: #
  • Render the altered response

Heuristic Breakdown

Check of fixed strings such as javascript: vbscript, as well as HTML tags/attributes and JavaScript strings.

Filter Abuse – Attacks made possible because of the filters


When an attack is detected, altering the response before rendering can have unintended consequences.

Example – An attacker supplies a bogus GET parameter of &foo=

This will trigger the XSS protection and disable any <script> tag on the target will be disabled

How useful is this ?

  • Disable client side security features
    • Block Framebusters
    • Escape Facebook’s CSS Sandbox
    • Any other JS based security controls

Simple 2:

An attacker inserts a string such as // <![CDATA[
var foo='<img src=x:x onerror=alert(0)>’;
// ]]>. When the filter neuters the //

unfiltered: // <![CDATA[
var foo='<img src=x:x onerror=alert(0)>’;
// ]]>

filtered: var foo='<img src=x:x onerror=alert(0)>’

Universal XSS Intro

Equals signs are neutered by the filter (using a RegEx).

Almost any equals sign could be neutered if a suitable trigger string was inserted

Example: &fake=’>anything.anything=

<img alt=”x onload=alert(0) y” src=”mars.png”> could then become

The browser would then interpret the previously inactive onload condition and create an XSS condition.

Crafting an attack

  • Identify a persistent injection
    • confirm and insert a suitable XSS string
  • View source to identify a trigger string
    • work backwards from target = sign
  • Create vulnerable URL to target page
    • append trigger string using a fake GET parameter

Moving Forward

The Fix from Microsoft –> Stop neutering equals signs, and start neutering other characters instead

These new filters don’t seem to open up another attack vector… but this isn’t 100%

Other mitigations:

  • Use another browser
  • Disable XSS protection in IE (not recommended)
  • Only earlier versions of IE8 are affected… so patch

Should you disable filters ?

No… benefits outweigh the risks.


  • Filter user input
  • Site-Wide anti-CSRF tokens
  • Make use of the response header opt-out


  • 0 – turns off the filter completely
  • 1; mode=block – turns on the filter in block mode
    • Not fully supported in all browsers
    • Doesn’t filter, prevents page from loading

Other browsers:


  • Only add-ons for XSS protection
  • NoScript
  • NoXSS (not recommended)

Webkit is developing XSSAuditor

  • Filter based
  • Sits between HTML parser and JS engine
  • Respects same control headers as IE
  • –enable-xss-auditor to enable

Additional Links

For more information please see the Blackhat Europe website

Blackhat Europe: Oracle, Interrupted: Stealing Sessions and Credentials

Oracle, Interrupted: Stealing Sessions and Credentials (Steve Ocepak & Wendel G. Henrique)

Abstract (source: Blackhat.com)

In a world of free, ever-present encryption libraries, many penetration testers still find a lot of great stuff on the wire. Database traffic is a common favorite, and with good reason: when the data includes PAN, Track, and CVV, it makes you stop and wonder why this stuff isn’t encrypted by default. However, despite this weakness, we still need someone to issue queries before we see the data. Or maybe not… after all, it’s just plaintext.

Wendel G. Henrique and Steve Ocepek of Trustwave’s SpiderLabs division offer a closer look at the world’s most popular relational database: Oracle. Through a combination of downgrade attacks and session take-over exploits, this talk introduces a unique approach to database account hijacking. Using a new tool, thicknet, released at Black Hat Europe, the team will demonstrate how deadly injection attacks can be to database security.

Talk Abstract –> Oracle, Interrupted: Stealing Sessions and Credentials

Speaker Bio –> Steve Ocepek, Wendel G. Henrique

Thicknet demo

40,000 foot view of what the talk is about.

What is vamp ?

  • arpspoof is getting a bit old, hard to compile with new version of libdnet
  • Need something to use with thicknet
  • Stateful – i.e. new hosts can join the fun
  • Cross-platform: libdnet, libpcap / winpcap, libev

What is Ticknet ?

An injection tool that listens for database queries, and then alters it to perform actions as designated by an attacker.

Password not required, as the session is already authenticated.

Vamp, Arp Poisoning and you

  • Most reliable way to get data about local network
  • Injection opens up a whole category of attacks
  • Good way to find important services
  • It was very cool in the 80’s

The ARP protocol is old.

Arpspoof is also old, hard to compile with new version of libdnet

Vamp improves on this by being stateful and cross-platform (based on the updated libraries)

Don’t worry though…. ARP will disappear when we start using IPv6 (next week right?)

Hot Session Injection

Ettercap can do this, to a certain degree

  • In connections view (curses or GTK), select TCP connection
  • Can inject file or ASCII characters
  • I had limited success, not a commonly-used feature
  • Etterfilter also an option, but is not session aware

This allows modification of sessions / or to take-over the whole session. This session can be kept open as long as needed.


  • Two types: packet modification and takeover
  • Packet modification
    • UNC Injection attack works this way
    • Also downgrade attacks
  • Takeover
    • Allows sending of arbitrary packets into the session
    • Issue asynchronous SQL queries, etc..


  • Monitor for pattern
  • Modify according to logic (replace string, change bytes, …)


  • Inject data asynchronously
  • Requires taking over the session completely (original client is disconnected)
  • Gathering a sled helps to ensure we get this right
  • This is all reliant on data layer as well…

Understanding Oracle Queries

TNS – Net8

  • TNS – Transparent Network Substrate
    • Fairly simple, well-known
    • Wireshark decoder exists
    • Purpose is to encapsulate a variety of higher-layer protocols
  • Net8 – Used by Oracle to issue queries, sits on top of TNS
    • Not well known or documented
    • Specification is available, requires contract and $$$
    • No Wireshark decoder

TNS protocol has a lot of fields…. a lot are just 0x000 (at least that’s what was see in testing)

Net8 – 3 types of messages seen frequently

  • User-to-Server, Net8 Bundle call 0x03 0x5E
  • Piggyback call 0x11E
  • User-to-Server, Fetch 0x03 0x5E

Why wait for a SELECT request from the host and change it…. we want to send data now.

This is where SLED packets come into play.

A SLED packet is something that contains predictable data and does something similar to what we want to do. SELECT queries are great examples. Once identified, a thicknet sled consists of IP Layer, TCP Layer, DATA

Injection time!

The attacker now owns the session, so he needs to maintain it accordingly (ACK packets, etc…)

The client currently gets kicked out of the session

Thicknet tool

  • Proof of concept sled based injection, downgrade
  • Modular, can be expanded to use other protocols
  • Oracle protocol implementation
    • Extensions can be made in the future – MySQL, SMB, MSSQL

If this attack can work for Oracle, why can’t it work for other protocols and services (Samba for example)

Downgrading for credentials

Demo –> MitM attack to grab the password hash in transit between the client and server (after downgrading the authentication)

By performing this kind of downgrading attack it is possible to brute-force crack the password hash using tools like woraauthbf.

Sometimes Oracle isn’t listening on the standard 1521/TCP. This can cause issues with the downgrading attack. This can be overcome by perform pattern matching on packet content to discover the required packets regardless of the port being used.

Using this kind of matching it’s also possible to intercept disconnection requests from the client to the server, and silently drop then (replying with a spoofed response to the client). This will fool the client into closing the session but leave it open for an attacker to continue to use.

Goal: To downgrade the Oracle authentication to the weakest algorithm and password hash. In this case the goal is to downgrade to the hash format used in Oracle 8i, DES (Data Encryption Standard).

The first downgrade attack was released by László Tóth. However the attack was aimed at JDBC connections and doesn’t appear to work on newer Oracle instances with upgrade JDBC (i.e.

The JDBC downgrade attack is still valid with older versions of the client. By altering 1 bit, the old 8i authentication takes place. To prevent this from failing, checks are made in the thicknet tool to check the JDBC version in use to ensure it’s vulnerable before performing the downgrade.

InstantClient appears not to be vulnerable to this downgrading attack. When attempting, the connection between the client and server fails. One possible attack is to reply to the user as an Oracle 8i server and harvest the information required. The user will then need to retry connection, at which point the MitM will not attempt y downgrade and the user can then connect.

FullClient doesn’t always respond to this previous method.

  • It works against the Oracle full client
  • Crashes and consequently fails with Oracle full client (possible heap overflow).
  • An exception happens with Oracle full client which causes the connection to terminate.

The Thicknet program can detect the version of full client in use, and if a method is supported, it is automatically selected. However, neither of these methods is supported in Windows….

So is Windows immune?

  • During negotiation there are a few bytes used to define the acceptable protocol version.
  • The client offers different options and the server answers with the highest supported value (0x06).
  • During all our tests, all servers always responded with 0x06, as all clients tested always offer the same six options: 0x06, 0x05, 0x04, 0x03, 0x02 and 0x01.
  • Downgrading at this stage is very easy, we will just replace these values with 0x05, 0x05, 0x04, 0x03, 0x02 and 0x01.
  • Note we are not sending 0x06 as an option anymore;
  • consequently we are sending 0x05 two times.

This means that the server will respond with a 0x05 and the downgrade will happen automatically.

NTLM Downgrade

Similar to the previous downgrade, by changing a bit in the connection request it is possible to downgrade the connection to older LANMAN hashes. These passwords can be recovered using HALF-LM rainbow tables freely available.

Due to lack of time this area was only covered in brief –> please see the whitepaper for full information (link below)

Additional Links

For more information please see the Blackhat Europe website