FrHACK_01 Day Two

Just back to home from Besancon. Here we go for the second day review! Due to last minute planning changes, the conference started later today. Not critical, it was a good opportunity to do some social networking and BruCON promotion.

This second conference day started with a presentation named “How to build hacker spaces everywhere” by Philippe Langlois. He first explained what’s a hacker space and gave a more deeper overview of his own one located not far from Paris (/tmp/lab). He welcomed everybody to join them. The goal of hacker spaces is to change the way we think. They proposes: autonomous spaces, hacking praxis (code, hardware, culture). They are open, share and social. Other examples are in foreign countries: CCC (DE), C-Base(DE), HSB(BE), Metalab(AT), L0pth (US). France has a special historical view about “hackers”. The word still frighten people. In the ’90, the DST (French secret services) created a fake hackers club (called “CCCF”) to collect as much data as possible on real hackers. Today hacker spaces are still facing the challenge to appear “clean” to the public (nothing “underground”).

Then, Philippe explained several ongoing projets within the /tmp/lab: “Consumer B Gone” (how they successfully blocked and unblocked shopping kart wheels by playing specific sounds with a mobile phone) or “Church of security” (a philosophy of clear acceptance of security measures) or “ChaoSCAM” (embellishment of security cameras using X-mas ornaments, funny!).

Second talk was given by p3lo, owner of the website attackvector.lescigales.org: “All browsers MitM key logging on remote”. Using JavaScript, he demonstrated how to build a keylogger to record activity on a website.
Using multiples technologies (cURL, JavaScript packer, etc…), the demo successfully redirected a “clean” web site to an attacker servers and logged all the user activity. Collected information are saved into a MySQL database for later review. Of course, to redirect the user to the malicious server, another “classical” attack must still be successfully performed via phishing e-mails, social engineering or a XSS flow. Funny, using the GoogleEarth API, it’s also possible to “follow” the current attack on the Internet (how it spread across the world). The topic was interesting but it was a first try for p3lo and hardware problems made the presentation difficult to be followed (example: demo screenshots unreadable, …). Sad because the topic promised to be interesting.

After a small break, back to the conference program with a presentation of Abhijeet Hatekar about “Unified Communications Security” (based on Microsoft Office Communication Server R1/R2). Abhijeet briefly reviewed what’s “unified communications” and described the features of OCS (instant messaging, conference calls, voice, calendaring, webcast, …). They he reviewed what are the security threads and possible attacks. Vulnerabilities are: limited hardware, protocol stacks are poorly implemented, lack of authentication and encryption. Signaling attacks are flooding, fuzzing, DoS, signaling message injection, hijacking of registration, media, Caller-ID spoofing, enumeration. Overview of the M$ OCS. When Abhijeet started to work on UC audit, no tool was available. He performed some reverse engineering, used the OCS SKD and OAT was born! (“OCS Assessment Tool“) This tool provides the following features: dictionary attacks, presence and contacts stealing, IM flood, call walk, spam call and reporting. New in OAT 2.0: Call DoS, targeted IM, TLS support transport and much more.

In assessment mode, they are two types of typical deployment (architecture): internal vs external deployment modes. Abhijeet performed some live demos: cracking a user password (using classic directories), IM flood (funny remark: some phones are vulnerable and crash if too much IM messages are received). Interesting feature of IM flood: this attack can be used to conduct a phishing attack: just send ONE message but originating from a trusted partner with a malicious URL. “Call walk” is an attack to do audio spam by sending audio files 😉 The goal of the tool is not to discover new vulnerabilities in OCS but really to protect existing deployment. Recommendations made by Abhijeet: follow best practices recommended by Microsoft!

The last two sessions were really nice ones! “Auditing and securing PHP applications” by Philippe Gamache, author of the book “Sécurité PHP 5 & MySQL” (security of web applications) (Note from the speaker: other languages can fall under the same topic, nothing was restricted to PHP). Philippe did not only gave technical information about the audit process of PHP code, he also explained how to conduct a successful audit of a web application. There are two types of audits: black box (like a pentest) and white box (the real audit). Both are complementary. . Why do we need security audits in web application? Philippe insisted on the fact that students are not really aware of security threads during the development phases. An audit can also be used to validate a project before it is released. Developers working on a project do not stand back to detect potential issues in their code. Audit can help to “reveal” them. Of course, an audit must be done as soon as possible to avoid unwanted costs and time loss. The audit is based on the following steps: a clear scope must be defined, developers must be interviewed, blackbox testing, open code audit and finally reporting. Sometimes audit are quickly performed but corrective actions can take months to be fixed! Must be taken into account. Audit scope can focus on three points: security, performance, code quality BUT cannot be handled in the same time. Code quality can help developers team to better understand code and avoid future misunderstanding. During interviews with the developers, security experience can be analyzed, how to they design and approach problems. Audit must be done in confidence (respect the anonymity of people)

The black box test is easy to perform and helps to understand how the application works, can be “spectacular” but the auditor can miss some critical security holes. Methods used are Google (as usual), automated tools (scanners), fuzzers, scenarios (test the application logic) and attacks. Some actions must be performed manually to be able to extract the right value of the hole (value of the disclosed data). Warning, the black box audit can have destructive!
[Note: Philippe talked about the “.phps” extension. By using .phps, its possible to view and browse the source code directly in the browser! Was enabled by default in PHP3! (disabled in 4.x)] Another example is the famous “robots.txt” file: often it contains a readable list of all directories developers want to “hide”. Find the error? 😉

The white box test: code audit. The auditor looks directly the code to find hidden problems. Less spectacular but more powerful. Once problems are found, easy to explain to the develop and help him to write better code. How to approach this phase? There is not magic tool out of the box, use your eyes, your best editor or quick & powerful tools like grep. Reviewed all the possibilities of data input or output. Nothing can be trusted! Gotchas: don’t even trust HTTP headers! (Referer, User-Agent), $_SERVER.
The final report must have: a resume for the management (non technical) Classification of issues (critical, high, medium, low). That was a excellent presentation with a good balance between technical and project/management aspects.

And last but not least, I followed was the presentation of Guillaume Prigent: “OS fingerprinting defeating”. Working for Diateam, Guillaume developed a tool called IpMorph. The starting idea could be: “to live happy, let’s live hidden”. IpMorph is a tool able to defeat fingerprint scanners (giving them fake results – Example: reveal a Linux server as being a PS3 console). It’ a something like a “fingerprint fucker”, OS fingerprinting frustrating or packet scrubbing tool. The demo was based on a Linux virtual server running a Windows XP guest. IpMorph modified the IP packets to let the Linux act as a Windows. Two methods are possible: active or passive. The active method is signature based (pattern matching on responses like “Nmap”) and the passive one is “read-only”, sniffing traffic between two hosts. (IpMorph works up to layer 4).

The goal is to have a configurable TCP/IP stack that can be changed to match the other operating systems behavior (like TTL size, timeouts, replies to some ICMP packets, incrementation, …). The tool architecture is based on three elements: the exposed IP stack, a content queue which “rewrites” the packets on the fly and a protected IP stack. The following tools were tested:

• Xprobe2: active, based on signature files
• Nmap
• SinFP: active or passive
• p0f: active or passive (only on syn packets) very similar to SinFP
• Ring2: simulate a congestion to detect OS (does not send ACK -> replies depend on the OS)

Nmap caused lot of technical issues and Guillaume explained in details how Nmap works. That was really interesting.

One of the biggest issue was the usability (how to manage a lot of signatures db). They are busy to develop the “personality manager” using “meta-signature” to aggregate akk other signatures. The demo was really amazing: IpMorph protecting a VM in Virtualbox (Ubuntu) faked as an OpenBSD for each tools. And it worked! This project will be presented during hack.lu in October. Then followed a small session of questions and answers. The feeling was strange after the presentation: what’s the purpose of this tool? There is no real advantage. It looks like “security by obscurity” which is not the best method to protect a system. But on a pure technical point of view, it was brilliant!

That’s all for the first edition of FrHack! I met nice people and followed nice talks with intersting topics. Two remarks about the organization: once again, guys provide some network connectivity for the second edition and set up a bar with refreshments and seats! (The second day was really sunny and hot). See you in 2010!