
The 14th of November 2017, Oak Park, Illinois. Mike Anderson's life is about to change. It was pouring outside, so I was catching up with my dad on Skype. I remember my girlfriend was running late that night, so I was all by myself in the apartment. I decided to buy a movie and a couple of albums to listen to. A pop-up appeared on my screen. They were saying I had to install the software so I could see the movie I wanted to see, and it looked like the many other pop-ups I've seen, so anyway, I clicked it. All those work emails that I saved on my home computer for safety reasons, that one document with all of my passwords, two years' worth of pictures [Music]. I could fix it. I called my friend from my team. Yeah, I did that. You sure? The pictures... they became this.

I really wish I had an antivirus on my Mac.
Now you see... all right guys, thanks for coming, thanks for taking the effort of going up the stairs after that heavy lunch. I hope this is worth your time. So my name is Marcin VK, and I'm going to talk about cookies, Apple cookies actually. So let's get into the most important part of the presentation now: me. I don't want to spend too much time actually telling you about what certifications I have, how much I enjoy long walks on the beach, or how much I like ping pong. If there's one thing I want you guys to remember about me, it's where I come from. So that's the flag for my country.

Anybody knows what that is? That's correct, that's the way you can read it, that's awesome. So yeah, I come from far away, from South America. When I talk to Portuguese people about Paraguay, the first thing they think about is like, oh, isn't that the place where these guys are from? If I remember, that's Cardozo, I'd say the highest foreign scorer for Benfica, I think, and [inaudible]. So we got some good stuff out of there. But if we're going to relate it to the hacker community, do you know what's the best contribution of Paraguay to the hacker community? Anyone take a guess? Apart from me, it's this guy over here: that's Ilex paraguariensis, or mate, which is the main component of Club-Mate. So you're welcome, guys.

But anyway, let's go back to the plot. So there's actually a very interesting fact about the Paraguayan flag: it is the only country flag in the world that has two different sides. You know this side, and that's the other side. Amazing, huh? Now I want you to focus on this little guy over here. What do you think that is? That's a lion, right? When we think of lions, what do you think of? Oh right, that's what I answered too. So what the hell is there a lion on our country flag for? No clue. The only lion that we actually had in the zoo actually died last year. So yeah, anyway, the reason I want to talk about my flag is because I feel it represents a little bit what I've been going through the last year.

So I've been in the IT security business for about six years now, and I started out as a security consultant doing work on the offensive side of things: pen testing, social engineering, you name it. So you could say that I started out on the red spectrum of IT security. But this year I took a turn, and I felt like I wanted to feel what the other side of the IT security people feel like, where the pains are. So I went from the red side to the blue side, and now I'm actually an IT security manager for a company here in Lisbon. Let me tell you a little bit about that jump, what it was like. So I went from traveling all over the world, bringing carnage everywhere I went, countries all over the place, and now I'm doing more fancy, more interesting, more exciting things like risk management and PCI compliance. Yeah, you know what, you might laugh, that's okay, it's understandable. But you know what, it's actually very good, because you actually start to understand what it is that people go through every day, the
people who deal with that IT security title based on the business needs, and what that feels like. But yeah, it's been quite an interesting year for me in that regard.

Now let's go back to the PCI thing, just to tell a little story. What I've been working on this year is the PCI Data Security Standard, for all the companies that deal with credit card transactions. So there's a bunch of security requirements that you, as a security officer, if you're in charge of compliance, have to go through and see what you are already complying with, or whether you need to do some sort of remediation actions in order to bring your company to compliance. Now there's this one item that really caught my attention, which is requirement 5.1.2, which says: for systems considered to be not commonly affected by malicious software, you need to perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require antivirus software. So pretty straightforward. Horrible, I know, but pretty straightforward: if you have systems that need antivirus, install antivirus. So this is actually quite easy to do when you have a Windows environment. Now when you have an Apple Mac environment there's a lot of conflict, let's say: people who think that they require antivirus, and there's people who don't really think that they require one.

Now before I tell you what I think, I want to know what you guys think. So can you all grab your phones? If you have internet access, if you wouldn't mind, go to this site, www.menti.com, insert that code and tell me what you think. I'll give you a few minutes. Yes, who's going to answer? There's more than one person in this room, I'm sure. Anybody else who wants to vote and hasn't been able to yet? Tell me what you think, I want to hear it, tell me what you actually think.
I still see some guys trying to click in there, I want to give them the chance, unless they're chatting, then I don't know. I see more votes coming in, we have time. Okay, anybody else? I think we got them all. All right, let's stop it here. So you can see there is a disagreement here. Let's go back to the presentation. Yeah, here we go. So that's the situation that I was caught in: some people arguing that yes, we need to install an antivirus on Macs, and some people saying no. And there are certain common beliefs that make us have this argument. One of them is: Macs don't really get viruses. There are not that many Mac viruses out there. Macs are inherently more secure than Windows. Macs don't really need security software. Etc. So those are the common beliefs that people hold very dear, some of them actually. And then I wondered to myself: I know that the first one cannot be true, I mean there are Mac viruses out there, so why is it that most people think this way? And I'm not talking only about IT security people, I'm talking about the general population out there, right? So I started doing a little bit of research, trying to figure it out, and among the many, many reasons that I found, one that I found really interesting was how much marketing has been put into this.

And before I go into that digression, here are some brief statistics that show that 50% of Macs don't have antivirus and 50% of Macs do have antivirus. How accurate that is I don't know, but it kind of reflects the view that we had in this room, so I would say that it's pretty accurate. On the other hand, only 24% of Windows machines don't have any antivirus solution installed. So going back to the marketing part: Apple really put a lot of effort into spreading this belief that Macs are not susceptible to viruses. So anybody remember this ad campaign from, it was the late 2000s, around that time?
Let me just play it for you now. "Hello, I'm a Mac." "And I'm a PC." "You alright?" "No, I'm not okay, I have that virus that's going around." "Oh, you better stay back." "This one's a doozy." "That's okay, I'll be fine." "No no, do not be a hero." "Last year there were 114,000 known viruses. It's true." "PCs. PCs, not Macs." "So I think I'm gonna crash." "Hey, if you feel like that'll help." "Good." So it's a great ad actually. They ran a lot of them, not only on security but on everything. There are videos on YouTube that have all the ads, so I would suggest it, it's really fun to watch.

Anyway, back to this. They pushed really hard on this marketing campaign and spread the belief that Macs were way more secure than Windows, not susceptible to viruses. They even did versions of this same ad: you have one in the US, one in the UK, and even a Japanese version. Now if you're wondering what the Japanese version of Justin Long looks like, well, I have it right here for you. [Japanese ad plays] Yeah, really strong. But of course it's not only marketing. I mean, there is a very good reason why there are more viruses for Windows out there than for Macs. Obviously the economics play a big role here: if I'm a malware creator, there's a higher likelihood I'll encounter a Windows machine out in the world, so why would I spend time creating malware for Macs? As you can see, at the moment around 81 percent of the global population of desktops are running Windows, whereas Macs are not even 15 percent. However, there is a lot of Mac malware
out there, and it's increasing actually. You can see here in this graph that there's been quite a bit of a hike in the amount of malware for Mac detected last year, and a big amount of those are actually Trojans, not only spyware or adware.

Now let's get to XProtect. Some of you might say, okay Marcin, come on, Macs already have an antivirus built in, so why do I need to install a third-party one, what's the point? So that built-in antivirus or anti-malware solution that you might be thinking about is what's called XProtect. The problem with XProtect is that it is strictly reactive: it doesn't have any sort of heuristic or generic detection, and it's designed to find a very small handful of existing threats. There's also a very big window between malware discovery and when they actually ship it to the Macs out there in the database. And this is very important: it only scans for malware in files downloaded with certain applications, so Safari and Mail and such. It does not scan for malware when files are copied in the Finder from CDs, network volumes, anything. So I don't know if you would want to rely on that. Of course it's a very good first line of defense, but what I want to say is, it's not enough.

And then we get to the usual line, and I know some of you are already thinking this: skilled hackers and cybercriminals can bypass most anti-malware solutions, so why bother, right? So are antiviruses really useless then? Well, I would say it depends, and I want to quote some of the IT security pros in the industry from the Twittersphere to back my point. "I think one of the big points with infosec is a lot of people are quick to discount a solution that is not perfect. So many conversations will go around: I can get around that, so it's useless, or it doesn't defend against X, so why bother." And that's what I was talking about. But I really want to quote a line that's been used by Troy Hunt.
He usually talks about password managers in this case, but I think it applies very well to antivirus here: "Password managers," and in this case antiviruses, "don't need to be perfect, they just need to be better than not using them." Which they usually are, right? There's still another line that I usually get, that when you install an antivirus in your system you actually bring in an extra component that could be vulnerable, that could be exploited by adversaries, so doesn't that defeat the purpose of having antivirus? Well, I would say no. So let me quote Jake Williams here: "I can't stand when so-called security pros recommend not installing antivirus because of its vulnerabilities. This is like telling police officers not to wear bulletproof vests because they restrict range of motion, increasing the risk of stabbing. Both of these represent risk models." And that's the key, the key word there: risk models. So if you think that in your company, or for the people who you handle security for, there's a higher likelihood that a skilled hacker would design specific malware for the specific version of antivirus that you're running at the specific moment that they get infected, as opposed to them just going to a website, downloading a file, a regular virus, malware, and then clicking and executing it, that's your threat; if your threat model, your risk assessment, tells you that, then okay, don't install an antivirus. But otherwise I think most of us will be safer in a world where every computer has some sort of anti-malware software installed.

Okay, now: "Okay Marcin, you've been talking a lot, but show me something, make your point with something real." And that's usually the case when you're trying to make a point in any company: they don't want to just look at graphs and data, they want to see some real proof. So at this moment I thought my talk was a good way to show the potential impact of a compromise of a Mac in real life, and then I thought,
what could I use to showcase this in a good way? And then I remembered: oh, how about cookies? Some of you have no idea what I'm talking about here, but I'm talking about Cookie Monster, which is a tool that I actually developed and presented last year at a couple of infosec conferences as well, and I thought that using this tool in an Apple environment would be a good way to show how susceptible Macs actually are to malware and what can happen if they get to that point.

So before we move on with the demo part of the presentation, let's do a little bit of a recap about what cookies are. Surely most of you are familiar, but it is always nice to refresh, so this is the cookies 101. You have a browser, you have a server. In the first request you will be sending your username and your password, and then the server will create a session in the local server database and will attach a cookie to the response, which will be returned to your browser. From there on, the cookie will in essence be replacing your credentials in order to keep track of the session that the browser establishes with the server, the cookie in this case being just a long string of random, hopefully random, characters. So the main point to get from this is that the cookie becomes your username and your password at that point.

Now the problem that I've seen with IT security papers, articles and so on, when they talk about how to protect cookie security, is that they tend to focus too much on the network side of things, but they tend to forget that the cookies actually reside in your local database: there's actually a cookie jar in your computer. So if we take a look here, that is the location of the cookie files for Chrome on a Windows environment, which is basically a SQLite database, and the same here for Mac. So okay, in this folder we have the cookie file, which again is a SQLite database for Chrome. Now if we take a closer look at this for Firefox, it's the same situation: you have an SQLite database where you store all the cookie values, and this is how it looks. You have this column, which is the domain that the cookie belongs to, and then you have some other attributes like the name, and also of course the actual value of the cookie. That's for Firefox. Now for Chrome it's very similar, the structure is quite similar: you also have here the domain or the host the cookie belongs to, and the name of the cookie. However, if we try to look for the value, you will not see it; there's this column here which is called encrypted_value, and you see a blob of binary. So Chrome actually encrypts the value of the cookie in your local storage, unlike Firefox, which just exposes it in clear text.

So what is this Cookie Monster, why did I write it, and what did I present last year? Well, it's basically a post-exploitation script, so it means that you should already have access to the file system of your victim, and it should help you as an attacker to dump the local cookie storage, decrypt it if necessary, and identify active sessions.
Now let me show you a little demo. I hope it's visible enough, these projectors are really bad. So on this side we have a Windows computer with a Chrome browser, and our friend here will log in, with two-factor authentication of course, and now we have established a session with Facebook. One important thing I want you to notice is that this is the IP that we're coming from in that particular case. Now this particular Windows machine has already been infected; there is already malware running there. So in this case we have an instance of, it's not very visual there, but that's an Empire agent, and we're going to run the Cookie Monster script from the Empire agent. What it's going to do is dump the values of the cookies, in this case for Facebook. So we're going to copy that, and then we're going to write that in our attacker computer. So this is the attacker computer, and it's a Mac computer running Firefox. Now what we're going to do is connect to a VPN so that we change our IP address, so you see we're coming from a completely different IP address, from a completely different country. And now we're going to import the values of those cookies, and as you expect, that will help us achieve the session hijacking, right? So I think the important thing to notice here is that this is a very great way to bypass two-factor authentication, in one way, and also, even though we're coming from a completely different computer, operating system, a completely different browser and a completely different country and IP, the system, so Facebook, still allows us to reuse that same cookie to gain access to the session, right?
Now, if you remember, I have just told you a while ago, in the previous slide, that the cookies for Chrome in Windows are actually encrypted, so how was I able to just run a script and dump them? Well, yeah, they are indeed encrypted; however, this encryption on Windows is done at the user level by leveraging the Data Protection API provided by Windows. So that means that any process running in the same user context can access the data. So in this case, as the user was infected and we were able to run malicious code within the same user context, then by calling this API it will provide us the keys to access the Chrome cookies.

Now on the other hand we have Mac, and it's a little bit different. Chrome also encrypts the cookies; however, they use the Keychain for this, and the encryption is at the application level. That means that even if you're running in the same context as the user that you're trying to compromise, you will not be able to access the value in the data stored in the Keychain. If you want to decrypt the Chrome cookies, it's only the Chrome process that is able to access these keys. So that obviously creates an extra hurdle that we need to bypass as attackers. So here is, on the Mac, on the Keychain, we have here the Chrome Safe Storage entry, and we have here the Chrome storage password, which is used to encrypt the cookies for Chrome.

All right, so now we're going to do some actual live hacking, hopefully. So guys, this is actually my first time doing a live demo, and my first time also speaking at BSides Lisbon, so I want to celebrate that, and I also want to make an offering to the demo gods, and I also really like to drink a lot, so if anybody wants to join me for a shot... Thank you very much. Sorry, yeah. Cheers to the demo gods, thank you. Oh,
you earned it. All right, I wasn't planning for that kick. All right, let's get rid of this presentation for now. Let me clear all the browsing data first. So this is Bob's machine, our Bob. So Bob has a Facebook account, sorry, here, and I don't remember the password, I hope I remember. Of course. Yeah. Oh, good question, what was the password? Oh no, I'm sorry, I was not going to do Facebook, I'm going to do Gmail actually, that one was not working. Never drink before doing a live demo. All right, hopefully this one works. Hey, awesome. Of course Bob really cares about security, so he has two-factor authentication enabled, and I just find it quickly, here we have it. All right, cool. Now let's log into another account that Bob has.

Yeah, never mind that. And a third one, and of course I don't remember my password. I guess that's what they talked about, frictionless security. All right, cool. Right now, Bob really cares about security, he has two-factor authentication enabled everywhere, so he's a safe guy. However, Bob tends to forget to lock his screen when he is not in front of his computer. So then somebody comes along with a nifty little guy; have you seen this one before? This is a keyboard, and this is what happens. And now Bob's computer is compromised. By the way, fully updated Mac, no antivirus running, so there you go. Over here we have our attacker machine; hopefully we got an agent. There we go, we have the agent here, it just connected from Bob's computer. So we want to access Bob's cookies here. So what we're going to do first, we're going to download the cookies from his local storage, but as I told you those cookies are encrypted, so they're not of any use to us unless we're able to decrypt them first, and in order for us to do that we need to get the key to his Keychain, so we're also going to download his Keychain. Now it's running, just hold on there with me. Looks fine. Okay, so if everything went right we should have his files here. Are they visible? Yeah, it's not really working. Hold on, I can maybe make it bigger.
Ah, that's better. Awesome. So as you can see we have the two files that we're looking for: the cookie database and the Keychain database. Now the Keychain obviously is protected by a password, so this is where your creativity comes in as a hacker in order to get that from Bob. So Empire is actually quite cool, there are a lot of modules that you can use to try to get this, but there's one I really like, it's called collection/osx/prompt, because of course, what's the easiest way to get a password? Just ask for it, right? Now this prompt module is pretty cool, it allows you to impersonate an application that is running on the Mac and, with a prompt, ask for a password basically. So in order to look at the list of applications that you can target, there's an option called ListApps. We're going to set that one, we're going to run it on our current agent, and this should tell us the list of applications installed on the Mac. Now it's up to you to choose something that will trigger your victim and actually make them give you what you want. I like to choose applications that are usually security focused, so there's a little bit of trust. In this case I'm going to use this one: Viscosity is a VPN client, it usually asks you for passwords every now and then, so it's not too uncommon to see this. So what we're going to do now is unset ListApps, and for the AppName we're going to set it as Viscosity, right, and we're going to run this, and hopefully that will trigger something. There you go: "Viscosity requires your password to continue." How many of you would put your password in there? I know I would. That's very annoying, believe me, even if they ignore it the first time, you just keep sending that, and at some point, they're too busy, they're going to put the password in, and I've seen that work. So now I'm Bob, I just want to continue my work, I want to get rid of this prompt, so I'm going to put my password, which I hope I remember. There you go. So this is what we get as the attacker.

Okay, now we got everything we wanted: we got the cookie database, the Keychain database and the password to the Keychain. So now we have to decrypt the Keychain, and for that we're going to use a tool called chainbreaker, which requires the file, which is the login keychain that we have here, and the password, which we just got from our victim, and that should give you the contents inside the Keychain. I'm going to save that to a file. All right, now what we want is to find the key that is
used to encrypt the Chrome cookies. So we're going to open that Keychain file and we're going to look for the Chrome Safe Storage here, you can see it here, and this right here is the password, or the key, used to encrypt the cookies on Chrome. Now this is where our tool comes in: we need to use that key in order to decrypt those. So now let's go to Cookie Monster. Oh, oh. We're going to run this, and it requires the password, which we just got from the Keychain, and the file, which was Cookies. So when I run that, now we have the cookies.txt, which is the output of Cookie Monster, which contains all the cookies in Netscape format. So now we continue this. We're going to use this new tool called Cookie Manager, you can look for it in the Firefox add-ons, and we're going to import the cookies that we just had access to, which was in here, you have the cookies that we just created, and we're going to put that in the default cookie jar, we're going to import them. Now what I want to do is, so our victim, he is technically placed in Portugal, right? So let's change the location we're coming from. Anybody wants to choose a country? We don't have VPN servers in Paraguay unfortunately. How about Denmark? Those guys are, you know, a contrast. All right, so now we're coming from Denmark, we already have all the cookies, and now, if my offering to the gods was worthy enough, we should have access to the session. Perfect, yes, great. And hopefully also for Outlook, and hopefully also for PayPal.
There we go. Oh, so that's how you get a session hijacking, pretty standard once you've got over all the encryption and Keychain things. Now how do we take this to another level? One of the things I talked about in my previous, last year's talk is the importance of securing the access to your Google, Facebook, Twitter accounts, not only for the data that is stored on those, but also because we usually rely on these as means of logging in to other systems. So in this case we can go to Bob's account and we can see where this is actually being used, and for example here you're going to see that this is also used for Dropbox. So that means that if you go to Dropbox, then technically you should be able to get to Bob's account as well. Oh, of course, this is live hacking, so this didn't work. Okay, usually it works, try it yourself at home.

Another problem that we may encounter is: now I have access to the session, but what if I want to take over the account? Well, then we can try to change the password here. So let's go back to the Google account, let's go to "Sign in to Google". Fair warning, this might not work; it was actually working quite well before, forever lucky, yeah. Anyway, this time it might have to do with our cookies, let me see if I can import them back. My word, that's okay, that's why I have several applications, because one of them is going to work today.

So you can get back to the... so last year it actually worked all the time. I think they've got a little bit better at it; I've seen them doing more things now in Google but also Facebook and the others, so let's see if it does more this time. Yeah, holy... but if it allows you to go in, what happens is that it asks you: usually what you have is your email account, you have a recovery account, and in this case for this particular account it's the Outlook account, and then if you trigger a "forgot password" you get the code on the other one, and then you can use that, and you've compromised the Gmail account. That was the case, and it worked all the time last year; this year they started asking you also for two-factor on different occasions. So if you have two-factor authentication enabled, it's not enough to only provide the code that you get on the email, but also the two-factor authentication code, and then it allows you to reset your password. Of course this is on the major players; however, it doesn't operate like that on all of them, so let's try it for instance on PayPal. In this case, funny thing, you can actually send money with just a session. It's also not... I'm going to put my email here in this case, send one euro.
You can actually send money; it doesn't require you to re-authenticate or provide any sort of thing. And if we're going to try to do an account compromise, let's see if it works. I can see here what is the email that is associated with it. So what I'm going to do now is open a new private window so I don't lose my session, go back to PayPal, now I'm getting it in Danish because we're in Denmark. "Forgot my password", and we already know this. So it only gives you some options, right? You can either get an SMS to the mobile number that is registered with it; obviously you don't have access to that, so that's not an option. On this one they ask you if you want them to call you, same thing, you need access to the mobile phone. But here there are two other options: one is you receive an email, or you answer some security questions. So let's go with email, and we have access to that. Oh no, that's my... that's the money that I sent.

And now, because you have other means of authentication, it doesn't just allow you to reset your password, as I was telling you, with just that code, and we don't have access today to the mobile phone or the security questions. However, you will notice that we have an active session, and if you go to security you have the security questions here, which I can just easily update to whatever I want: what's the name of your first school, or whatever, or the nickname of your oldest child, whatever. Oh yeah, "no one" and "whatever", I would say that, right? So now we go back to [inaudible]... oh, this one is still with the old one, interesting. Okay, you probably have to do this: you have to change the other question first and then you go into forgot password. "My word", I remember, cool, yes, and yes for the other one... or I didn't, that's okay. Well, another option is actually to receive an SMS. Well, let's go, but let's restart this, this is slow, let's see. And now we are back in Denmark.

So, receive an email, and hopefully now the security questions: yes, "whatever", and "no one", right? And now you can set your own password. Oh, I don't like "whatever", please don't hack me. Or this... oh, are you... oh my god, okay, we go again, which was... here it is, "whatever", indeed, "no one" again, yeah, and also you've compromised PayPal via session hijacking. All right, let's go back to our
presentation. Right on time, cool, that was fun. So, conclusions. For PCI: I don't really have a good argument against installing antivirus on Macs, and I hope you don't have any good arguments anymore either, at least when it comes to a compliance environment. Secondly, for pentesters: cookies can sometimes be more valuable than passwords, so if you've got access to the file system of your victim, don't try to just go for passwords and stored secrets like that, right? Try the cookies as well, you might get lucky there and you might get far with that. For devs: strong session management is really important. If the web application that you develop allows you to implement this, don't allow concurrent sessions. Also, this is very important, and I didn't talk about what would happen: imagine you're a developer of a web application which also uses session tokens that can be used like this and hijacked like this. If I go into your local cookie database and I steal your cookie, and then I delete that cookie from your system, that means that you can no longer sign that cookie out of your system, and I'm the only one who has access to that one. So if that happens, how do you kick me out of the system? Thankfully Google and the big ones provide you with manual checks of the active sessions, so you can kick them out, anybody else, but many of the others don't have this functionality. So what do you do in those cases? It's very important to give the user the functionality to terminate the sessions themselves. Also, whenever you trigger a password reset, if available, you should require two-factor; don't just trust that the token that is provided via email is not going to be compromised. And that's it, the end of my presentation. That's the link to the proof of concept, the original Cookie Monster for Windows, and the Python script for Apple that I just used in the demo. I also recommend you take a look, if you have the time, at
my presentations at BSides Munich and BSides Vienna 2017. And credits for the intro video: actually it's a video that Bitdefender put up for marketing purposes, I just took it, I thought it was pretty cool. So anyway, that's it for me, thank you very much guys.

Thank you, Marcin. Any questions? No questions? Yes.

"Do you still have the Gmail session open, sorry, do you still have the Gmail session open on the attacker's computer? Because I'm curious about the details of the Google account, they usually..."

Right, right. I didn't show it, because I cover all of that in the previous presentation actually, last year. I don't want to go too much into that. That check is only done on authentication, so usually they're not double-checking every time. What you will see is on Google, on Gmail, you will see that it's coming from a different country, different IP, you will see it there, but it will not trigger any alerts, because it will just assume that maybe you yourself connected to a VPN or something, you changed IP, so it will not think that it's coming from a different place; it doesn't trigger an alert. Okay, if I'm changing your passwords, things like that, it will trigger alerts obviously. So my recommendation, if you're going to do this, you might do it at a time when the victim cannot react, like when he's sleeping maybe, or something like that. So like I said, if you want to know more about it, I'd recommend looking at last year's presentation, I go more into detail about those little things and some other situations that might happen; this was more focused on what can be done on Apple. But yeah... okay, anyone else? Okay, thank you very much, thank you guys.
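As an added example, not part of the talk or of the Cookie Monster project: a minimal server-side session registry in Python that implements the three developer recommendations from the conclusion (no concurrent sessions, a user-driven "sign out everywhere" that also evicts a thief who deleted the local cookie, and refusing to silently accept a token replayed from a different browser and country, the pattern of the Facebook demo) and forces re-authentication instead. The `SessionStore` class, the `demo()` scenario and all client values are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    token: str
    user: str
    client_ip: str
    user_agent: str
    country: str
    created: float
    last_seen: float


class SessionStore:
    """Hypothetical in-memory registry; stands in for the server-side session table."""

    def __init__(self, allow_concurrent=False, idle_timeout=3600):
        self.allow_concurrent = allow_concurrent
        self.idle_timeout = idle_timeout
        self._sessions = {}  # token -> Session

    def login(self, user, client_ip, user_agent, country, now=None):
        """Issue a fresh random token after password + 2FA succeeded (checked elsewhere)."""
        now = time.time() if now is None else now
        if not self.allow_concurrent:
            # "Don't allow concurrent sessions": a new login retires every older
            # session, so a token stolen earlier stops working at that moment.
            self.revoke_all(user)
        token = secrets.token_urlsafe(32)  # 256 bits: the "hopefully random" string
        self._sessions[token] = Session(token, user, client_ip, user_agent, country, now, now)
        return token

    def validate(self, token, client_ip, user_agent, country, now=None):
        """Return (status, user); status is 'ok', 'invalid', 'expired' or 'reauth'."""
        s = self._sessions.get(token)
        if s is None:
            return "invalid", None
        now = time.time() if now is None else now
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[token]
            return "expired", None
        # The demo replayed the same cookie from another OS, browser and country.
        # Treat that as a step-up trigger: demand credentials and 2FA again
        # rather than accepting the cookie as "username and password".
        if s.user_agent != user_agent or s.country != country:
            return "reauth", s.user
        s.last_seen = now
        s.client_ip = client_ip
        return "ok", s.user

    def active_sessions(self, user):
        """What a 'manage your active sessions' page would list for the user."""
        return [s for s in self._sessions.values() if s.user == user]

    def revoke(self, token):
        return self._sessions.pop(token, None) is not None

    def revoke_all(self, user):
        """User-initiated 'sign out everywhere'; returns how many sessions were killed."""
        tokens = [t for t, s in self._sessions.items() if s.user == user]
        for t in tokens:
            del self._sessions[t]
        return len(tokens)


def demo():
    """Replays the talk's scenario with constructed clients and returns the outcomes."""
    store = SessionStore(allow_concurrent=False)
    bob_chrome = ("10.0.0.5", "Chrome/62 Windows", "PT")  # constructed: victim in Portugal
    thief_ff = ("203.0.113.9", "Firefox/57 macOS", "DK")  # constructed: attacker via Denmark VPN
    t0 = 1_510_000_000.0
    token = store.login("bob", *bob_chrome, now=t0)
    results = {}
    results["bob_ok"] = store.validate(token, *bob_chrome, now=t0 + 10)[0]
    # The stolen cookie is presented from a different browser and country
    results["attacker_first"] = store.validate(token, *thief_ff, now=t0 + 20)[0]
    # Bob signs out everywhere from the active-sessions page
    results["revoked"] = store.revoke_all("bob")
    results["after_revoke"] = store.validate(token, *thief_ff, now=t0 + 30)[0]
    # With concurrent sessions disabled, a second login retires the first token
    old = store.login("bob", *bob_chrome, now=t0 + 40)
    new = store.login("bob", *bob_chrome, now=t0 + 50)
    results["old_after_relogin"] = store.validate(old, *bob_chrome, now=t0 + 60)[0]
    results["new_after_relogin"] = store.validate(new, *bob_chrome, now=t0 + 60)[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In production the user-agent comparison should use a coarse browser family (exact strings change on every browser update), and the country check is a signal for step-up authentication, not an outright block.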