SSTIC 2014 – Day One
As every year, Intrinsec is present at the most anticipated security conference in France: SSTIC.
Here is a report of the first day of SSTIC by Nicolas Roux and Erwan Péton.
«"Control Paths in an Active Directory Environment" – Emmanuel Gras & Lucas Bouillot
Emmanuel Gras and Lucas Bouillot have developed a method and a tool for analyzing permissions within a Windows domain. Using data retrieved from Active Directory and domain-owned machines, their tool generates a graph showing the relationships between different elements (users, groups, GPOs, etc.). This visually highlights complex and sometimes unexpected relationships. For example, during an audit, they identified that a regular user had the right to modify GPOs that were themselves applied to a domain administrator's workstation. This user therefore indirectly possessed domain administrator privileges.
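The kind of reasoning the tool automates, as an added example that is not the authors' code: control relations (group membership, GPO write rights, GPO links, admin sessions) are modelled as directed edges, and a path search reveals indirect control such as the helpdesk-to-GPO-to-admin-workstation chain described above. The relation names and the sample domain are constructed for this illustration.

```python
"""Toy control-path analysis over a Windows domain modelled as a directed graph.

Added example, not the tool presented at SSTIC. Every relation below is
constructed sample data; an edge (src, rel, dst) means src can exercise the
control relation rel over dst.
"""

# Constructed sample relations, deliberately including an indirect path:
# bob -> HelpDesk -> (can write) GPO -> (applies to) admin workstation -> alice.
SAMPLE_RELATIONS = [
    ("alice", "member_of", "Domain Admins"),
    ("Domain Admins", "admin_of", "WS-ADMIN01"),
    ("alice", "logs_on", "WS-ADMIN01"),
    ("bob", "member_of", "HelpDesk"),
    ("HelpDesk", "write_gpo", "GPO-Workstations"),
    ("GPO-Workstations", "applies_to", "WS-ADMIN01"),
    # Whoever controls the host controls the admin session on it.
    ("WS-ADMIN01", "has_session", "alice"),
    ("carol", "member_of", "Marketing"),
]


def build_graph(relations):
    """Adjacency map: node -> list of (relation, controlled node)."""
    graph = {}
    for src, rel, dst in relations:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def control_paths(graph, start, target):
    """All simple paths from start to target, each as a list of (node, relation, node)."""
    paths = []
    stack = [(start, {start}, [])]
    while stack:
        node, visited, edges = stack.pop()
        if node == target:
            paths.append(edges)
            continue
        for rel, nxt in graph.get(node, []):
            if nxt in visited:          # avoid cycles such as alice <-> WS-ADMIN01
                continue
            stack.append((nxt, visited | {nxt}, edges + [(node, rel, nxt)]))
    return paths


def principals_controlling(graph, target, principals):
    """Which of the given principals have at least one control path to target?"""
    return sorted(p for p in principals if control_paths(graph, p, target))


def describe(path):
    """Render a path as 'bob -member_of-> HelpDesk -write_gpo-> ...' for a report."""
    if not path:
        return ""
    out = path[0][0]
    for src, rel, dst in path:
        out += f" -{rel}-> {dst}"
    return out


if __name__ == "__main__":
    g = build_graph(SAMPLE_RELATIONS)
    for p in control_paths(g, "bob", "Domain Admins"):
        print(describe(p))
```

In an audit the graph would be populated from ACLs on AD objects, GPO links and session data rather than from a hand-written list; the search itself does not change.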
«"Analyzing the security of an Active Directory with the BTA tool" – Joffrey Czarny & Philippe Biondi
Joffrey Czarny and Philippe Biondi presented their BTA tool, which had first been shown at a SSTIC 2013 session. The tool is published under the GPLv2 license.
As a reminder, the tool is developed in Python and relies on a MongoDB database into which the contents of the "ntds.dit" file from an Active Directory environment (AD) that you wish to audit can be imported. After the file is imported, "miners" are launched to perform defined audit tasks. These miners can be grouped into "miner groups," and multiple groups can thus form a sophisticated audit program.
The tool's purpose is to help businesses, large and small, using Microsoft Active Directory to maintain good system hygiene. It is used to identify bad practices within the Active Directory, forgotten entries (accounts unused for several months or never used at all), signs of compromise, and more. The tool can compare two snapshots of the same Active Directory to detect potentially illegitimate changes and offer the possibility of cleaning up the information system without having to rebuild it.
Unlike the control-paths tool, which "explores" Active Directory, BTA executes fixed procedures and produces deterministic results. As it is open-source software, users are also encouraged to contribute new audit procedures, in other words new "miners", to the project.
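To make the miner model concrete, here is an added example (not BTA's own code or API) of a miniature miner framework: each miner is one audit check over account records, miner groups bundle them, and a snapshot diff flags changes between two exports. It keeps the records in memory instead of MongoDB, and the accounts, dates and attribute names are constructed for the illustration.

```python
"""Toy miner framework in the style described for BTA.

Added example with constructed records; it does not use BTA's code, its MongoDB
backend or the real ntds.dit schema. Record keys mirror common AD attribute names.
"""
from datetime import datetime, timedelta

# Constructed "now" and two constructed snapshots of the same directory.
NOW = datetime(2014, 6, 4)
SNAPSHOT_OLD = [
    {"sAMAccountName": "alice", "lastLogon": NOW - timedelta(days=2),
     "adminCount": 1, "pwdLastSet": NOW - timedelta(days=30)},
    {"sAMAccountName": "bob", "lastLogon": NOW - timedelta(days=200),
     "adminCount": 0, "pwdLastSet": NOW - timedelta(days=400)},
    {"sAMAccountName": "svc_backup", "lastLogon": None,
     "adminCount": 0, "pwdLastSet": NOW - timedelta(days=900)},
]
SNAPSHOT_NEW = [
    dict(SNAPSHOT_OLD[0]),
    dict(SNAPSHOT_OLD[1], adminCount=1),        # bob quietly became privileged
    dict(SNAPSHOT_OLD[2]),
    {"sAMAccountName": "zz_temp", "lastLogon": None,   # new privileged account
     "adminCount": 1, "pwdLastSet": NOW},
]

MINERS = {}


def miner(name):
    """Register a function as a named miner so groups can refer to it by name."""
    def register(fn):
        MINERS[name] = fn
        return fn
    return register


@miner("stale_accounts")
def stale_accounts(records, max_age_days=180):
    """Accounts never used, or unused for longer than max_age_days."""
    cutoff = NOW - timedelta(days=max_age_days)
    return sorted(r["sAMAccountName"] for r in records
                  if r["lastLogon"] is None or r["lastLogon"] < cutoff)


@miner("old_passwords")
def old_passwords(records, max_age_days=365):
    """Accounts whose password has not been changed for longer than max_age_days."""
    cutoff = NOW - timedelta(days=max_age_days)
    return sorted(r["sAMAccountName"] for r in records if r["pwdLastSet"] < cutoff)


@miner("privileged_accounts")
def privileged_accounts(records):
    """Accounts flagged by adminCount, the usual sign of membership in a protected group."""
    return sorted(r["sAMAccountName"] for r in records if r["adminCount"] == 1)


def run_group(group, records):
    """A miner group is just an ordered list of miner names run over the same records."""
    return {name: MINERS[name](records) for name in group}


def diff_snapshots(old, new):
    """Accounts added, removed, or whose adminCount changed between two snapshots."""
    old_by = {r["sAMAccountName"]: r for r in old}
    new_by = {r["sAMAccountName"]: r for r in new}
    common = old_by.keys() & new_by.keys()
    return {
        "added": sorted(new_by.keys() - old_by.keys()),
        "removed": sorted(old_by.keys() - new_by.keys()),
        "privilege_changes": sorted(n for n in common
                                    if old_by[n]["adminCount"] != new_by[n]["adminCount"]),
    }


if __name__ == "__main__":
    print(run_group(["stale_accounts", "old_passwords", "privileged_accounts"], SNAPSHOT_NEW))
    print(diff_snapshots(SNAPSHOT_OLD, SNAPSHOT_NEW))
```

The diff is what turns a one-off audit into hygiene: a new or newly privileged account that nobody requested is exactly the "potentially illegitimate change" worth a ticket.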
«"Authentication Secrets Episode II: Kerberos Strikes Back" – Aurélien Bordes
Microsoft's implementation of Kerberos uses a Privilege Attribute Certificate (PAC) that contains, among other things, the groups to which a user belongs. This PAC is present in TGT tickets, which are encrypted with the NTLM hash of the krbtgt account, and in service tickets, which are encrypted with the NTLM hash of the machine account. Therefore, if an attacker has dumped the NTLM hashes of all "users" in the domain, they can create valid TGT or service tickets containing any PAC (for example, a PAC indicating that user X is a domain administrator). The purpose of this presentation was to demonstrate that in the event of a domain compromise (NTLM hash dump), simply changing the passwords of all users is not sufficient.
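Why user password resets alone do not close this hole, shown with an added toy model that is not Microsoft's Kerberos: a ticket's authority rests on the key it was sealed with, so a ticket minted from the leaked krbtgt secret remains acceptable until that secret itself is rotated. The model uses an HMAC over a JSON-encoded PAC as a stand-in for ticket encryption, and the account names and keys are constructed.

```python
"""Toy model of ticket validity versus key rotation after a hash dump.

Added example; not Microsoft's Kerberos and not the presenter's code. Ticket
"encryption" is modelled as an HMAC-SHA256 over a JSON-encoded PAC, keyed with
the secret of the account that owns the ticket type (krbtgt for TGTs).
"""
import hashlib
import hmac
import json
import os


class ToyKDC:
    """Holds the constructed per-account secrets and validates TGTs."""

    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32), "alice": os.urandom(32), "bob": os.urandom(32)}

    def issue_tgt(self, user, groups):
        pac = {"user": user, "groups": sorted(groups)}
        return seal(pac, self.keys["krbtgt"])

    def validate_tgt(self, ticket):
        """Return the PAC if the ticket verifies under the current krbtgt key, else None."""
        return unseal(ticket, self.keys["krbtgt"])

    def rotate(self, account):
        """Models a password change: a fresh secret for one account."""
        self.keys[account] = os.urandom(32)


def seal(pac, key):
    body = json.dumps(pac, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()  # hex: no '.' inside
    return body + b"." + tag


def unseal(ticket, key):
    body, _, tag = ticket.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def rotation_experiment():
    """Which remediation actually invalidates a ticket sealed with a leaked krbtgt secret?"""
    kdc = ToyKDC()
    leaked_krbtgt_key = kdc.keys["krbtgt"]      # models the dumped hash
    # A PAC the KDC never issued, sealed with the leaked secret.
    rogue = seal({"user": "bob", "groups": ["Domain Admins"]}, leaked_krbtgt_key)

    outcome = {"before": kdc.validate_tgt(rogue) is not None}
    for user in ("alice", "bob"):           # reset every user password
        kdc.rotate(user)
    outcome["after_user_rotation"] = kdc.validate_tgt(rogue) is not None
    kdc.rotate("krbtgt")                    # reset the secret the ticket actually depends on
    outcome["after_krbtgt_rotation"] = kdc.validate_tgt(rogue) is not None
    return outcome


if __name__ == "__main__":
    print(rotation_experiment())
```

The same dependency holds for service tickets and the machine account key, which is why a remediation plan has to enumerate every secret a ticket can be sealed with, not just user passwords.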
"Security analysis of mobile terminal modems" – Benoit Michau
By using 2G, 3G, and 4G front-ends and developing a lightweight core network, Benoit Michau was able to offer a limited operator service to commercial terminals, all within a restricted environment (Faraday cage). From this environment, a scan of supported protocols and fuzzing of these protocols were performed.
Numerous vulnerabilities exist in devices from many manufacturers, allowing encrypted communication to be switched to a mode with neither encryption nor integrity protection.
Several vulnerabilities have been identified and fixed by manufacturers. However, devices older than two years (the market's product lifecycle) often never receive the update, which is regrettable.
«"How to Play Hooker: An Automated Android Market Analysis Solution" – Dimitri Kirchner & Georges Bossert
Dimitri Kirchner and Georges Bossert have developed an open-source tool that performs static (via Androguard) and dynamic (via Substrate) analysis of a large number of Android applications in order to extract macroscopic statistics, such as the most used TCP/UDP ports or the permissions actually exercised, and thus detect possible anomalies.
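The statistics step, as an added example that is not Hooker's code and uses none of its formats: given per-application results (manifest permissions from the static pass, permissions and ports observed at runtime from the dynamic pass), aggregate across the corpus and flag apps that declare permissions they never exercise or that talk on ports rarely seen elsewhere. The application records are constructed.

```python
"""Toy corpus-level aggregation over per-app analysis results.

Added example; it does not use Androguard, Substrate or Hooker. Each record
below is constructed: 'declared' comes from a manifest, 'used' and 'ports'
from runtime observation.
"""
from collections import Counter

SAMPLE_APPS = [
    {"name": "com.example.news", "declared": {"INTERNET"},
     "used": {"INTERNET"}, "ports": [443, 443, 80, 80]},
    {"name": "com.example.torch", "declared": {"CAMERA", "READ_CONTACTS", "INTERNET"},
     "used": {"CAMERA", "READ_CONTACTS", "INTERNET"}, "ports": [443, 6667]},
    {"name": "com.example.notes", "declared": {"INTERNET", "READ_SMS"},
     "used": {"INTERNET"}, "ports": [443]},
]


def port_histogram(apps):
    """How many observed connections went to each destination port, corpus-wide."""
    hist = Counter()
    for app in apps:
        hist.update(app["ports"])
    return hist


def permission_usage(apps):
    """For each permission: (apps declaring it, apps observed exercising it)."""
    declared, used = Counter(), Counter()
    for app in apps:
        declared.update(app["declared"])
        used.update(app["used"])
    return {p: (declared[p], used[p]) for p in declared}


def over_declared(apps):
    """Permissions declared but never exercised: candidates for an over-privileged manifest."""
    return {app["name"]: sorted(app["declared"] - app["used"])
            for app in apps if app["declared"] - app["used"]}


def rare_ports(apps, min_share=0.2):
    """Apps using ports that account for less than min_share of all observed connections."""
    hist = port_histogram(apps)
    total = sum(hist.values())
    rare = {p for p, n in hist.items() if n / total < min_share}
    return {app["name"]: sorted(set(app["ports"]) & rare)
            for app in apps if set(app["ports"]) & rare}


if __name__ == "__main__":
    print(port_histogram(SAMPLE_APPS).most_common())
    print(over_declared(SAMPLE_APPS))
    print(rare_ports(SAMPLE_APPS))
```

Thresholds like `min_share` are a judgement call on the real corpus; the point is that a port or permission only stands out against the population, which is why the tool works on many applications at once.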
"Digital Investigation & Apple iOS Devices – Acquisition of Data Stored on a Closed System" – Mathieu Renard
Mathieu Renard investigated methods for accessing the file system of an iOS device. While public tools exist for versions prior to iOS 4, the task is more complex for recent versions. For iOS 6, it is necessary to exploit a vulnerability to access the file system, and for iOS 7, several are required. Furthermore, the device must be unlocked.
"Catch Me If You Can – A Compilation Of Recent Anti-Analysis In Malware" – Marion Marschalek
Marion Marschalek discussed the different types of malware available on the market and the numerous anti-debugging and anti-anti-debugging techniques used, respectively, to hinder analysts and to analyze malware successfully. She also discussed a specific case of malware that was doubly packed, using both a C++ packer and a Visual Basic 6 packer, even though that language is no longer supported, which made analysis quite difficult.
Short presentation: "ADSL modem security analysis" – Eric Alata, Jean-Christophe Courrege, Mohammed Kaaniche, Vincent Nicomette, Yann Bachy, and Yves Deswarte
Benoit Michau investigated six ADSL boxes. For two of them, the HTTP protocol is used to retrieve configuration and updates. By inserting his own DSLAM and modem between the box and the legitimate DSLAM, he is able to modify the box's configuration: making premium-rate calls, taking control of the box, etc.
Short presentation: "Computer Security" – Frédéric Basse
Frédéric Basse set out to analyze the black boxes that are the Philips computer divisions (a term apparently still being validated). During his analysis, he was able to take control of the equipment, notably by exploiting a vulnerability in libupnp that had been reported in 2012 but not patched in the 2014 firmware. Other vulnerabilities were also detected, and the update system, whose packages are encrypted and signed, was also analyzed.
Short presentation: "The radio that came from the cold" – Alain Schneider
Alain Schneider traced the history of the tools available for intercepting the wireless links of our keyboards and mice. An off-the-shelf component widely used in these peripherals, combined with other equipment, allows their messages to be intercepted at low cost. Through a demonstration, he showed that in 2014 Microsoft was still encrypting communications from these devices with a simple XOR against the device ID…
The first day ended with a friendly cocktail party held in memory of Cédric Blancher («Sid») who unfortunately passed away.
