
Okay, hi, so welcome to my presentation. This is joint research by me and my colleague from Securing, but he could not attend this time. We are pentesters. Well, this is some corporate blurb I have to say: we do security assessments of applications, networks and all kinds of different systems, which also include some devices, and actually this talk will be about weird devices which connect to the internet or to networks through proprietary network protocols. I will show you a few case studies which we found during our penetration tests, so we are talking about home automation, pull printing solutions, some Forex trading software and remote desktops. I've got a few other examples if I have enough time, and I would also like to show you some cheat sheets on how to develop proprietary network protocols, how to do it properly and securely.

Okay, so probably some of you are pentesters. Have you encountered a proprietary network protocol during your penetration tests? Any? Okay, great. So it's obvious: you don't know how to create requests with this proprietary network protocol, you don't have documentation, and you cannot connect well-known local proxies like Burp or ZAP or whatever, which work with HTTP, right? So you have to do something: decompile the client, maybe search for some tools, maybe Google for the documentation of a closed protocol, maybe just watch the raw packets. So let's give it a try.

The first example is with a home automation device. It works just like that: you have to buy the appliance, the appliance is just a box which you connect to the internet, it has the output and it collects the input from your smart home. Additionally you get a mobile application, for example for Android, from which you can control your smart home. During this test we found some proprietary network protocol which is working from the mobile application to the server to this
box, and I would like to show you the Wireshark capture from this box. So the client is actually the box and the server is the cloud service which is provided by the appliance vendor. The authorization to this device is just a password, without any username or something. So obviously all of the requests from this box contained some similar fragments of the packet, right? Well, what we first tried to do was changing the password to this appliance, so we took three of these passwords, and actually only 10 bytes changed. Do you know any 10-byte hash function or something like that? Well, probably it was cut or something like that, so let's give it a try: let's disassemble this protocol and try. We actually tried to brute force, actually find all hashing algorithms of this password, trying to salt it and so on, and we found that it is MD5, but only the first 10 bytes of the MD5 of the password. So what was possible was sniffing the traffic and actually performing an active man-in-the-middle attack, collecting the information, and actually breaking the access control, because you don't need a password if you can just replay the packets. Okay, well, the vulnerability here was not very strong or not very complex, but I would like to show you what the process of getting the vendor to fix this was.

So these were the risks. As always we try to contact vendors, and we wrote him a report that he's got some vulnerabilities in his appliance. So he said okay, I will patch it; as you said, I will patch it by SSL. So in the mobile app, in the new version that was in the Play Store, there were four new lines. Does anybody see a vulnerability here in the SSL connection? Yeah, well, the trust manager is empty, so the server will actually accept all of the certificates, any certificate, so the man in the middle is still possible, right?

Okay, it's a funny thing: my friend, who is actually building his own smart home, didn't want to buy the big appliance, which was very expensive; actually this box cost about 1,000, and he emulated everything that was in this box with a simple Raspberry Pi connected to his sensors and everything in the smart home, writing one line of code which emulated the first version of the software, and after adding SSL it was actually still one line of code, but a little bit
longer. So this is how it works. Okay, now let's move to an example that is a little bit more complex. We often see that in proprietary network protocols the outer layer is very obscure, I mean it's hidden and you don't have documentation, but underneath there are a lot of vulnerabilities connected to access control, like function access control or data access control. I did big research on pull printing solutions, which you probably know how they work: you don't print directly to the printer, you print through the job server, and you collect these things at the printer by swiping your card or entering your username, and the printer requests the job files from the server. It's getting very popular right now, and actually the biggest risk in a pull printing solution is stealing confidential data, right, like getting the print queue of a CEO. So the biggest risks for a pull printing solution are sniffing the traffic from the server to the printer, also from the user's computer to the server; getting to the other print queues; tampering with the accountability, because in some companies you have the right to print, let's say, 100 pages a day and not more; and also stealing users' data and users' credentials. So let's see. Sniffing is done here, access to the other print queues here; you've got the attack vectors.

Okay, let's move to the vendor claims. Before the test we really like to open the vendor's website and see what he is claiming. This one is saying that he's in education, and he understands that college kids like to hack, so they're focusing on security and they ensure that it's completely secure and documents are printed only when the collecting user is present. We always like to verify vendor claims, so let's see the binary protocol in this pull printing solution. Here is a quality analysis of this protocol, of the raw packets on the cable: the print server sends a short hello message; after the user swipes his card at the printer, the printer sends his username; the server responds with some token; the printer sends a hash of this password and the token; the server verifies it; and the printer sends a message to release the print queue of this user and also, let's say, "charge me for printing 100 pages, take it from my balance", and the server responds. So I'd like to ask you: where is the point that we will attack here, which packet is the most interesting?
Yeah, okay, let's see how it looks on the cable. The blue communication is from the server: the server sends some permissions about the user to the printer, so for example that only he can print colour pages, because some of the users could not. So our first idea was to change the data about the permissions, and it actually worked. After changing this value, well, previously it was "can't" or there was no colour copy, so the user could not copy in colour; we changed it so that he can, and after this the printer sends the file, it is printed in colour, and the server does not verify if this user really can print in colour; it was only changed in the user interface on the printer.

So what about the attack that you mentioned? Here you've got "begin device transaction" of the guest XYZ. Actually the user was already authenticated in the previous request, in the previous communication, so what is the point of sending the username here? Well, the point is that we can change it now on the cable. We did it and it worked, so actually we were able to release the print queue of another user, and what is even funnier, the account that was charged for printing these pages was his account, because later there was another transaction for charging the user's account for printing these jobs. So actually attacking this protocol showed us that all the key risks were broken here: we could sniff, we could print the other print queues, tamper with the accountability, and actually get other users' data. And communication with this vendor was very nice; I mean this is not very common. He gave us access to his knowledge base and the other versions of his software, because on his website there was only an educational version of his software; he's got some enterprise pull printing solution for big companies and he also wanted to see if it's secure, so we also found some vulnerabilities there, and he really liked that we pentested him. I don't know if it happens to you, if you pentest a vendor completely black box, without the order or the request: vendors don't look happy to be pentested today.

Okay, now let's get to another example, which is quite a bit more complicated and very funny for us. We tested one of the remote desktop protocols. These protocols are optimized for latency, or for the amount of data that is sent through the cable. The vendor claims that his solution is very secure; it really is:
we've seen this in one of the banks, it is used for critical business operations, and they claim that they are validated with the FIPS norm, which is quite strict, and they provide end-to-end data encryption. So let's see if it's really end-to-end encryption. The communication at first look was very simple: the client sent four bytes to the server, the server responded with four bytes, and there was a big load of communication which was actually SSL. So if you would tamper with these requests, where would you change anything?

Okay, well, so the first idea was to change these values, but actually it didn't change anything; the communication was still this way. But when we tampered with this value, which is 0B, which stands for 11, right, we changed it to just 01. Do you have any idea what would happen? Yeah, well, when we read like 500 pages of documentation on implementing this solution in the corporation, we found that it is backwards compatibility, because some older versions of the software are still used in critical business infrastructure; it's unlikely to be updated, so to be backwards compatible they just provided an option to connect with an old version of the protocol, and this old version of the protocol didn't support SSL. So first of all the man-in-the-middle attack was possible. In the communication we found the username and the password, which was encoded. So we changed the password to a long one; this is the ASCII hex of this password, and on the cable we got this encoded password. The first thing you would say about this is: is it a hash of this password? Well, not really, because the length of this is the same as this, right. So any other encryption algorithms or ciphers that you know? Well, I've heard somewhere "XOR", right. So you know how XOR works, right: you XOR the password, the plaintext, with the key and you receive the ciphertext, but if you XOR the ciphertext with the plaintext you receive the key, which was actually, this is redacted, it was actually the name of the company, "... Communications Limited". And actually in the binary executable file of this solution you could find this data too. So all the communication, the password, was encoded with XOR and this key. Okay, so let's focus on the SSL version of this
solution. The default configuration was like that: the client connected with his cipher suites, the server responded with no certificates and the cipher suite. So what's specific about this cipher suite? It's anonymous, so whatever you do, a man in the middle, and you put any certificate, you don't have to do this actually, because the server does not send any certificate. Okay, it was the default configuration; there was an option in this software to switch to the certificate version of SSL. Yeah, well, this was the one thing: this time the server responded with some non-anonymous cipher suites, and there was certificate pinning implemented, so for the first connection the server stored the client certificate, and on the following connections, if you tried to do a man-in-the-middle attack with a wrong certificate, it alerted with an error. So what would you do? One time? Yeah, okay, well, what we did was trying to not do this like the server wanted it to be done, but be backward compatible with the first one. So even though the server sends non-anonymous suites, we tried to connect with no certificate. This time, if you connect with a wrong certificate, the server responded with an error, but if you change the communication from the server to the client, and the client thought that it should be an anonymous suite and the client responded with no certificate, the server responded "okay, let's connect". So, yeah, a lot of backwards compatibility vulnerabilities there.

Yeah, communication with this vendor was really hard. We tried to send them our report and we tried to encrypt it, but they didn't know PGP, and they asked us to use a zip file with the CEO's name as a password, but when we opened their website there were five CEOs in this company. Okay, so finally after like one month of doing phone calls, sending emails and so on, we achieved a proper encrypted channel, and they responded "sorry, we do not plan to solve these issues". They completely ignored our emails; they said that they've got so many clients that updating all this for their customers would be impossible. So we disclosed it publicly, completely, on the Full Disclosure list; it was about one or one and a half years ago, and a few weeks later Full Disclosure was closed. I hope it was not because of us.

Okay, another example is also an encryption vulnerability in a proprietary network protocol. The vendor claims that this printing solution safeguards document confidentiality, blah blah blah, and provides airtight security. When I see such a claim I take out my laptop and try
to hack. The vendor ensures that all the key risks of this solution, it's not possible to break them, because everything is confidential, it's safe any time and anywhere and it's kept secure. Okay, so the first look at the communication: all the communication was on two TCP ports, there was no SSL, like for example Wireshark did not recognize it as SSL, but it seemed to follow some scheme and I would like to show you this scheme. This is a quantitative analysis of the traffic from the print server to the printer: first a few short communications, then a lot of small communication, and a huge amount of data. So if the whole communication is 1.1 megabytes and this is 1.05 megabytes, what is it in a printing solution? Files. Okay, so more quantitative analysis: the first message was always constant, 263 bytes, and looked like that, there is some "crypt", so probably there is some encryption. The second one had some padding on the end, and this was X bytes; this X was 512, and in the administrative interface there was an option of RSA 512 bytes. So what is it? Probably a public key; well, actually not a public key but the exponent of the public key, right. Okay, always different: 64 bytes. So if they are trying to do something like SSL, probably, if this was a public key for asymmetric encryption outside, this is the session key for the symmetric encryption inside, encrypted with this public key, right. Now we've got this huge amount of data, and in the Wireshark capture we've seen that there are many, many identical 16-byte blocks, and I would like to ask you how these files must have been encrypted that there are so many identical blocks. Anybody? Yeah, well, so if you encrypt for example a bitmap with the ECB mode of encryption, electronic codebook, you still cannot get the right colours, but you probably will at least know the shapes. The print files are actually quite the same: these are PostScript files, which are text files, and actually you cannot get the exact words of the print file but you can get some scheme, so you can probably crack it. Okay, so this was some kind of hello message, then hello certificate, a session key for the symmetric encryption inside, and these were the PostScript print files encrypted in ECB mode of encryption. It was a very bad idea.

So we found in the embedded software that was installed on the printer hardcoded RSA certificates; on the server there was no trust store, so the man-in-the-middle attack was possible just by changing this 512 bytes, regardless of what the key size was, if it was 2,000 bytes or more. Yeah, and we found the same protocol in the admin interface, so we could also do the man in the middle for the administrator of this device. Of course the consequences of this attack are pretty much the same: all of the key risks for a pull printing solution were broken, we could do actually all of the attacks.

Okay, how much time have we got? So we tried to notify this vendor and he responded "sorry, many of the devices do not have the CPU power, and we like features, small latency and speed more than security". Does it happen to you? Well, they claimed that changing ECB to CBC mode of encryption would cause slower performance and their customers are very reluctant to see it implemented, right. Well, actually, on single-thread processors changing ECB to CBC mode of encryption does not cause slower performance, and actually they told us "no, sorry, we've got no vulnerabilities, you could not find vulnerabilities because the system has already passed some internal audits in big companies". So, yeah, a very, very hard vendor to communicate with and to achieve a proper patch for the report.

Okay, now I want to present you the most
interesting example of proprietary network protocols. We had the possibility to test a trading protocol for the Forex industry, so actually the software that clients log into and put some real money in, take big risks and win or lose, rather lose. It was an online application, but it communicated through a proprietary network protocol; it was binary, to minimize the delays, and it was actually TCP in an SSL tunnel, so we had to do a man-in-the-middle attack first. There was some pinning; it was not possible to do a man in the middle on the other customer, on the other client, but just in our lab we were able to do a man-in-the-middle attack and tamper with the communication inside. So we've been sitting a few days on what was inside these communications, sitting the next day, and the next day, and the next day, and we didn't find anything, until one day there were some HTML fragments, and on the next one we've seen something like this, which, looked at closer, is SOAP communication, right, a SOAP message, the response from the server. Now let's suppose that this is the path for the web service and the method is "cluster", right. So we tried to brute force other methods in this communication; we found some admin service, but there were some exceptions. After doing some brute forcing we found a method which was called "register user". Why it was in the client interface, and not only in the admin interface, we don't know. So the answer for an empty request with the method "register user" was "incorrect login". So what do you do? You just add another entity with the login, right, and it responds with "incorrect password", so you put a password in, and it responds with "incorrect first name". Actually all of the form inputs were responded to as an error, so we put a first name and it responded that "group with name null does not exist". If you would like to choose a group for your user in the Forex trading software, what would you choose? "admin"? "admin does not exist". Another? "administrator", you said? "does not exist". Anyone? "root". And the answer for changing this was... So this was an installation of Forex software for one of the banks. The banks in the Forex industry, there are some groups of banks, and if you can imagine the whole amount of money that is on the Forex software, this bank could do transactions of about one thousandth of the whole amount. Well, it's still enough, it's still enough.

Okay, so it was a very epic fail. The user of course had all the administrator rights, could put false money on the accounts and so on, completely tampering with the accountability of this system. When we contacted the vendor, actually the bank contacted the vendor, they could not get how we hacked this solution, because they've got the firewall and they thought that we physically went into their location, to their server, and put a cable here, I don't know, dropped a drone with a Wi-Fi hacking tool or something, and it was very hard to explain to them that we just tampered with the proprietary network protocol which
was coming through the firewall, because it was the accessible way of contacting this.

Okay, so, 10 minutes. I would like to show you some cheat sheets. If you are the owner of such a solution, if you are a buyer of a solution which uses a proprietary network protocol: first of all get it pentested; verify vendor claims and ask how this vendor addresses vulnerabilities which could be found by any hacker or somebody; see how previously found bugs were addressed and if they were patched, of course. And if you're a developer of such a solution: well, remember security by obscurity doesn't work, so use proper encryption and don't try to write your own encryption algorithms, because if you are not a specialist in that field you will probably fail; remember that the protocol is only the outer layer, maybe it's impossible to do a man-in-the-middle attack on the outer protocol, but in the lab you could do a man-in-the-middle attack on yourself and tamper with the communication inside; and of course beware of backwards compatibility, as in the remote desktop protocols.

The question is, because I think that most of you are pentesters or specialists in that field, how to test these protocols. There is actually, I found that there is another presentation about proprietary network protocols at Infosecurity Europe; I contacted the guy, I think it was Daniel M, who is creating some software which works somehow like Scapy. Do you use Scapy for protocols? Yeah, well, these are some ways; for example for me, if I was trying to hack these protocols with Scapy it would probably take me twice as much time as when I did it by myself, just with small Python or PHP scripts. So a funny thing is that you should really Google for it: we found some unofficial client just on the internet, but really funny was finding on Google, actually on the Russian internet, the documentation of the proprietary network protocol used in the Forex trading software, which is actually unacceptable if you handle such an amount of money, and software which handles such an amount of money. Okay, so of course you could decompile the client; well, if it's an Android application without obfuscation it's very easy, right, or a .NET application, but sometimes it can be really time consuming and the time consumed on that will not be really well used, right. So our approach to testing these protocols is actually watching the raw packets and trying to think what developers could write about this solution that it looks like this on the cable. Well, try to spot some scheme; we tried to use some machine learning to find a scheme in the communication, but actually it does not work, like we invented more with our brains than with the machine learning thing. Well, of course, for this research we mostly used Wireshark, tcpdump, ssldump and our own scripts in Python and PHP to intercept traffic on the TCP layer.

Yeah, well, I think I've got a few more minutes; I would like to show you some more examples of proprietary network protocols. So once we tested industrial systems for tracking RFID tags, so there was
some appliance with access to the internet and with Modbus TCP protocols. Well, this is some web interface of this solution; well, it's not very interesting. What is interesting: there was an RFID reader at the gate of the company and it read all the RFID tags which were on the trucks and automatically opened the gate. So this box had some open ports; in the documentation of this we found that sending a request to this box is also possible via telnet on port 407, and you have to put these raw values on the cable. So of course we connected with this and we could open the gate, just from the local network of this solution. But the proprietary network protocol is not very complicated here. Okay, and here in the hex dump of this communication we found the RFID tag identifiers. But actually should we worry about this, like what is the problem? Even though there was a physical security guy over there, so he could watch if we are entering with a wrong car or not, with a truck. But now there is a big hype on Bluetooth Smart, IoT things which use cloud computing and so on. So, well, there are slides about Bluetooth, but I want to show you this funny thing. Well, there are for example NFC tags, Bluetooth tags in the museum, so you can see what is on the image or on the picture that is in the museum; well, that's not very interesting, but there is a thing called cruise control for pedestrians. Anybody heard about this? This is a Bluetooth device which contains some electrodes, you put it on the legs, well, why does it not work, okay, and from the mobile application you can move somebody's leg, right. So if you hack this communication, this protocol on the wire, yeah, it works like automatically, that's what they're claiming. So our first idea: what would happen if you hack this solution, right? Well, okay, there are many different devices, like there is a smart cup which tests what is inside the drink and it communicates with the mobile application through Bluetooth, and actually Bluetooth is, well, it's not a proprietary network protocol, there is documentation; do you know how many pages the Bluetooth Low Energy documentation is? To actually create packets and understand what's going on there you have to read 3,000 pages, so we call it proprietary. And well, in my city there was a hacking competition by a startup which invented an appliance in the car which connects with a mobile device and you can open your car with a mobile application, and actually we hacked this competition, even though somebody told them that it's unbreakable because of the use of AES. And actually the topic of connected cars is very big now: BMWs, Audis and Volkswagens are implementing all their connected car devices with which you can open the car with the mobile device, you can control the air conditioning; well, I've got some funny stories about that, when I entered the Volkswagen dealer and tried to hack this connected car, but okay, maybe that's for the after party.

Okay, I would like to really thank you for attending my presentation. Well, my company invented some thing for a better world: we provide free security consultancy, we spend one hour per week for free consultancy; if you have any, not only business, if you have private concerns about security, you can ask this. Well, the link is in Polish, but if you send me an email I can actually send you the English version, sorry. And if you have got any questions you can ask me, and leave your business card if you want the presentation or my other presentations.
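The home automation case above (a static 10-byte truncated MD5 of the password in every packet, which made replay possible) as an added example that is not part of the talk and not the vendor's code. The Go program reproduces the observed token construction, shows that a captured copy passes again, and contrasts it with a nonce-based challenge-response that a sniffed value cannot satisfy a second time. All function names, the sample password and the SHA-256 stand-in for a password KDF are my own assumptions:

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// legacyToken reproduces what the talk found on the wire: the first 10 bytes of
// MD5(password). It depends on nothing but the password, so the same bytes sit in
// every packet and one capture is enough to authenticate again.
func legacyToken(password string) []byte {
	sum := md5.Sum([]byte(password))
	return sum[:10]
}

// legacyIsReplayable models the replay: a token captured from one session is
// compared against what the next session would carry. Always true here.
func legacyIsReplayable(password string) bool {
	captured := legacyToken(password) // sniffed from session 1
	return hmac.Equal(captured, legacyToken(password))
}

// newNonce is the server-side challenge: 16 fresh random bytes per session.
func newNonce() ([]byte, error) {
	n := make([]byte, 16)
	_, err := rand.Read(n)
	return n, err
}

// sessionSecret stands in for a key derived from the password. A real design
// would use a password KDF (scrypt, Argon2, PBKDF2); plain SHA-256 is only a
// placeholder (assumption) so the block stays within the standard library.
func sessionSecret(password string) []byte {
	s := sha256.Sum256([]byte(password))
	return s[:]
}

// challengeResponse is what the client sends instead of a static hash:
// HMAC-SHA256(secret, nonce), bound to this session's nonce.
func challengeResponse(secret, nonce []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonce)
	return m.Sum(nil)
}

// verifyResponse is the server-side check, using a constant-time compare.
func verifyResponse(secret, nonce, response []byte) bool {
	return hmac.Equal(challengeResponse(secret, nonce), response)
}

// challengeIsReplayable replays a response captured under nonce n1 against a
// new session with nonce n2; the server must reject it.
func challengeIsReplayable(password string) (bool, error) {
	secret := sessionSecret(password)
	n1, err := newNonce()
	if err != nil {
		return false, err
	}
	captured := challengeResponse(secret, n1) // sniffed from session 1
	n2, err := newNonce()
	if err != nil {
		return false, err
	}
	return verifyResponse(secret, n2, captured), nil
}

func main() {
	pw := "example-password" // constructed sample, not a real credential
	fmt.Printf("legacy token:         %s\n", hex.EncodeToString(legacyToken(pw)))
	fmt.Printf("legacy replayable:    %v\n", legacyIsReplayable(pw))
	r, err := challengeIsReplayable(pw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("challenge replayable: %v\n", r)
}
```

The challenge-response removes replay but not offline guessing: a passive observer who records a nonce and response can still test password candidates against them, so the transport still needs encryption and the password still needs a real KDF.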
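The empty trust manager in the vendor's "SSL patch" (the client accepts any certificate, so the man in the middle survives), expressed in Go as an added example that is not from the talk or the vendor. `acceptAll` is the Go equivalent of that empty trust manager (`InsecureSkipVerify`), `pinnedTo` trusts exactly one certificate, and `checkServerCert` runs the chain verification a TLS client performs so the two can be compared offline, without opening a socket. The host name, the in-memory certificates and all function names are constructed for this demonstration:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newServerCert makes a self-signed certificate for name: a constructed stand-in
// for whatever a cloud service (or a proxy interposed on the path) presents.
func newServerCert(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it must be allowed to anchor itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptAll mirrors the empty Android TrustManager from the talk: the server
// certificate is never checked, so any interposed party is accepted.
func acceptAll() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// pinnedTo trusts exactly one certificate; anything else fails verification.
func pinnedTo(pinned *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(pinned)
	return &tls.Config{RootCAs: pool}
}

// checkServerCert performs the verification a TLS client does with cfg when the
// peer presents `presented` for serverName. nil means the handshake would proceed.
func checkServerCert(cfg *tls.Config, presented *x509.Certificate, serverName string) error {
	if cfg.InsecureSkipVerify {
		return nil // no check at all: the empty-trust-manager behaviour
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     cfg.RootCAs,
		DNSName:   serverName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records which client accepted which certificate.
type Outcome struct {
	InsecureAcceptsImpostor bool
	PinnedRejectsImpostor   bool
	PinnedAcceptsGenuine    bool
}

// CompareClients runs both client configurations against the genuine server
// certificate and an impostor certificate issued for the same name.
func CompareClients() (Outcome, error) {
	const host = "cloud.example" // constructed hostname
	genuine, err := newServerCert(host)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := newServerCert(host) // same name, different key
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		InsecureAcceptsImpostor: checkServerCert(acceptAll(), impostor, host) == nil,
		PinnedRejectsImpostor:   checkServerCert(pinnedTo(genuine), impostor, host) != nil,
		PinnedAcceptsGenuine:    checkServerCert(pinnedTo(genuine), genuine, host) == nil,
	}, nil
}

func main() {
	o, err := CompareClients()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The same comparison applies to the pull printing appliance later in the talk, where the server had no trust store at all: whichever side omits the verification step is the side a man in the middle can impersonate.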
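The identical 16-byte blocks seen in the print traffic, as an added example that is not the vendor's or the speaker's code. The Go program encrypts a constructed, repetitive PostScript-like job with AES in ECB mode and in CBC mode with a random IV, then counts repeated ciphertext blocks, which is the check behind the Wireshark observation in the talk. The sample job, the key handling and the function names are my own assumptions:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pkcs7Pad pads to a whole number of blocks (always adds at least one byte).
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB encrypts block by block with no chaining, the mode the talk found in
// the print traffic. Equal plaintext blocks produce equal ciphertext blocks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	pt := pkcs7Pad(plaintext, bs)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// encryptCBC chains blocks under a random IV (prepended to the output), so
// repetition in the plaintext is not visible in the ciphertext.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	pt := pkcs7Pad(plaintext, bs)
	ct := make([]byte, bs+len(pt))
	if _, err := rand.Read(ct[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, ct[:bs]).CryptBlocks(ct[bs:], pt)
	return ct, nil
}

// repeatedBlocks counts ciphertext blocks that are exact copies of an earlier
// block: the structure a capture shows when ECB is used on structured data.
func repeatedBlocks(ct []byte, size int) int {
	seen := make(map[string]bool)
	dup := 0
	for i := 0; i+size <= len(ct); i += size {
		b := string(ct[i : i+size])
		if seen[b] {
			dup++
		}
		seen[b] = true
	}
	return dup
}

// samplePrintJob is a constructed stand-in for a PostScript job: one 32-byte
// drawing command repeated 64 times (2048 bytes), the kind of structure a page
// of table rules or a form would produce.
func samplePrintJob() []byte {
	return bytes.Repeat([]byte("newpath 0 0 moveto 10 10 lineto\n"), 64)
}

// CompareModes returns the repeated-block count for ECB and CBC over the sample.
func CompareModes(key []byte) (ecbDup, cbcDup int, err error) {
	job := samplePrintJob()
	ecb, err := encryptECB(key, job)
	if err != nil {
		return 0, 0, err
	}
	cbc, err := encryptCBC(key, job)
	if err != nil {
		return 0, 0, err
	}
	return repeatedBlocks(ecb, aes.BlockSize), repeatedBlocks(cbc, aes.BlockSize), nil
}

func main() {
	key := make([]byte, 16) // AES-128 session key, generated for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	e, c, err := CompareModes(key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ECB: %d repeated blocks, CBC: %d repeated blocks\n", e, c)
}
```

With the sample job the ECB output has only three distinct blocks out of 129 (the two alternating 16-byte halves of the command and the padding block), so 126 blocks are repeats; the CBC output has none. The CBC path here is an encryption-only demonstration; a deployed protocol would add authentication (an AEAD mode or a MAC) so tampered ciphertext is also detected.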