Hack.lu 2016 – Day Two
Links to reports from other days:
- Hack.lu 2016 – first day
- Hack.lu 2016 – Day Two
- Hack.lu 2016 – Day Three
Day 2
The Metabrik Platform: Rapid Development of Reusable Security Tools
Patrice Auffret aka GomoR started this 2nd day of the conference by presenting his "Metabrik" tool developed in Perl.
Metabrik is not just a Pokémon but an interactive UNIX shell facilitating rapid program development via briks (more than 200 briks currently available), while relying on the Perl interpreter to perform automated tasks.
This tool was designed following the "Do it once" principle to avoid repetition and to overcome the limitations of UNIX shell pipes.
With Metabrik everything becomes a Perl variable and the last executed command is stored in the variable "$RUN" for later use.
Patrice finally demonstrated the power of his tool by presenting us with the solution to the "Find the cat" forensic challenge by Root Me:
The Fantastic 4 … forensic domains: net, disk, mem, mal
David Durvaux and Christophe Vandeplas presented forensic analysis procedures in this workshop, via a roadmap covering four essential areas of analysis, which they named the "fantastic 4": network, disk, memory and malicious code.
The "Locked Shields Cyber Exercise" challenge organized by the CCDCOE (Cooperative Cyber Defence Centre of Excellence) served as the basis for this workshop, the aim of which was to analyze all network and system traces in order to find the origin of a server compromise and thus avoid a world war.
Throughout this exercise we identified the malicious traffic and the chronology of events in order to retrieve all indicators of compromise (IOCs) and correlate these with other actions carried out by the attacker.
For those wishing to participate in the exercise, all the case studies can be downloaded from the following website:
The PowerPoint presentation is also available at the following address:
https://docs.google.com/presentation/d/1j1y97LUw9AHapfcFICVOZ3hGxaT6jYSwk_gm4iQjEnA/edit
Exploiting new default accounts in SAP systems
Joris van de Vis, consultant at ERP-SEC, presented us with the configuration flaws of the SAP solution.
Joris highlighted two of the most important attack vectors in particular: the presence of default accounts and the use of the SAP RFC gateway.
The list of default and publicly known SAP accounts is as follows:
Joris then presented us with a whole series of new accounts protected by trivial passwords and having high permissions:
These accounts are created by the SAP management solution (SOLMAN_SETUP) on all satellite systems according to the scenarios activated.
By using these accounts, it is then possible to access interesting features with elevated privileges, and to perform the following actions:
- Executing native SQL queries
- SMB Relay
- Executing system commands
- Creating new SAP accounts
- Retrieving the password hashes of other SAP accounts
Joris continued his presentation by performing several technical demonstrations enabling the compromise of SAP servers via different attack vectors.
The first method involved using the ABAP command execution "functionality" by calling the "RSSAA_CALLEXTERN" program:
Once this interface is launched, it is possible to bypass the whitelist of allowed programs by directly calling arbitrary programs from the "PARAM" field:
Note: This vulnerability has been fixed in the latest versions of the SAP product.
The second demonstration enabled the retrieval of password hashes via the SMDAGENT system user, capable of executing SQL queries to extract content from the database:
Once these hashes have been collected, they can easily be cracked by brute force with the Hashcat tool:
Joris then presented us with a Python script in his third demo, enabling the creation of an SAP account via the RFC protocol:
This is made possible via the "SXPG_STEP_XPG_START" function, by exploiting the implicit trust relationship with the database, in order to create an SAP account with SAP_ALL rights without this action being logged.
Finally, the Metasploit module "sap_soap_rfc_sxpg_command_exec" was presented in a fourth and final demonstration to retrieve a shell on the target server:
Joris concluded his presentation by recommending that we use the tool developed by his company to check for the existence of default accounts, or the Python library pysap, developed by Martin Gallo, to forge and send packets for the following network protocols:
- SAP Network Interface (NI)
- SAP Diag
- SAP Enqueue
- SAP Router
- SAP Message Server (MS)
- SAP SNC
Pysap can be downloaded from the following GitHub repository:
https://github.com/CoreSecurity/pysap
Finally, it is also advisable to apply the security patches and remove the "SMD_ADMIN" user for SAP Solution Manager installations higher than version 7.1 SP10.
badGPO – Using GPOs for Persistence and Lateral Movement
Yves Kraft and Immanuel Willi, two consultants from Oneconsult, presented us with a persistence technique using GPO.
This technique adds a new group policy via the use of WMI and remote execution of gpupdate.
Previous research on this topic has been conducted by Sean Metcalf and is available on his website.
For demonstration purposes, Yves and Immanuel used Empire, a post-exploitation framework often used during Red Team engagements, for which several modules such as "set_gpo" and "get_gpo" have been developed:
For those wishing to use these different modules, a pull request was initiated last September to have them added to the official Empire repository:
This persistence technique is interesting because it allows access to all servers in a Windows domain while using standard Microsoft procedures, thus avoiding the generation of alerts and detection by the SIEM.
Finally, the following recommendations have been proposed to protect against this type of attack:
- Review all implemented group policies
- Limit the number of domain administrators and their privileges
- Restrict the use of system applications via a whitelist
- Implement intrusion detection systems (IDS)
- Maintain a healthy information system
Credential Assessment: Mapping Privilege Escalation at Scale
Matt Weeks revisited several high-profile security breaches such as the attacks against Target, Home Depot, and JPMorgan Chase in order to study their origins.
A report on the attack against Target has been published and can be accessed at the following address:
https://aroundcyber.files.wordpress.com/2014/09/aorato-target-report.pdf
A study of this attack was also conducted by the United States Senate Committee on Commerce, Science, and Transportation, and it outlines the different phases generally followed by this chain of compromise:
Matt then lamented the lack of attention paid to the credential recovery phase, which he believes is in most cases the root cause of all these compromises.
He then presented the proprietary Orkos tool developed by root9B, which collects and analyzes reusable credentials across the different servers of a Windows environment in order to map possible paths of compromise:
Finally, Matt concluded his presentation by listing the following recommendations to apply in order to protect against this type of compromise:
- Lock down local administrator accounts
- Replace the use of passwords with smart cards using a certificate authority not connected to the company network
- Change your KRBTGT account password frequently
- Implement an authentication policy that allows for account segregation by limiting the target and source of logins.
When Crypto Fails
A brief report on the presentation by Yaniv Balmas and Ben Herzog, which focused on cryptography implementation errors in malware.
They revisited several failures in the implementation of cryptography in viruses and ransomware such as Zeus, Linux Encoder, CryptoWall, Petya, and the Nuclear exploit kit.
The first class of error encountered was dubbed "voodoo programming." A custom implementation of the RC4 encryption algorithm used by Zeus falls into this category. It adds a linear transformation routine to take each byte of the ciphertext and perform an XOR operation with the next byte:
Although this fragment of code does not increase the security of the encryption algorithm used, it reveals the lack of confidence of the authors of the Zeus virus in existing encryption algorithms.
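To make the point concrete, here is an added example (not the Zeus source or the speakers' code): standard RC4 followed by the "XOR each byte with the next byte" pass the talk describes, reconstructed as a hypothetical model to show that the extra pass is keyless and trivially invertible.

```python
# Added example, not Zeus code: RC4 plus a hypothetical model of the chained-XOR
# pass described in the talk (byte i ^= byte i+1), to show it adds no secrecy.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

def chain_xor_forward(buf: bytes) -> bytes:
    """The extra pass: byte i becomes buf[i] ^ buf[i+1]; the last byte is unchanged."""
    out = bytearray(buf)
    for i in range(len(buf) - 1):
        out[i] = buf[i] ^ buf[i + 1]
    return bytes(out)

def chain_xor_inverse(buf: bytes) -> bytes:
    """Undo the pass with no secret at all: walk backwards, since each original
    byte is its transformed byte XOR the already recovered next original byte."""
    out = bytearray(buf)
    for i in range(len(buf) - 2, -1, -1):
        out[i] = buf[i] ^ out[i + 1]
    return bytes(out)

def zeus_like_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return chain_xor_forward(rc4(key, plaintext))

def zeus_like_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # All the secrecy lives in the RC4 step; the chain pass peels off for free.
    return rc4(key, chain_xor_inverse(ciphertext))

# Constructed sample values for the demo.
SAMPLE_KEY = b"constructed-key"
SAMPLE_MSG = b"constructed bot config"
```

An analyst who has the RC4 key only needs `chain_xor_inverse`, which requires no key, to undo the "voodoo" layer before the normal RC4 decryption.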
Another example of implementation failure is the use of a bad seed for generating random numbers, based, in the case of the "Linux Encoder" virus, on timestamps. This makes it easy to regenerate the key to decrypt the files.
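The timestamp-seed flaw, as an added example that is not the Linux Encoder code: a simplified model in which each file's key is derived from a PRNG seeded with a timestamp, and the recovery that permits. Python's `random.Random` stands in for the C `srand()`/`rand()` pair; the key length, the XOR cipher and the sample file are constructed assumptions.

```python
# Added example, not Linux Encoder itself: a timestamp-seeded key and the
# defender-side recovery it allows. random.Random is a hypothetical stand-in
# for srand()/rand(); the cipher and sample values are constructed.
import random

KEY_LEN = 16  # constructed parameter

def key_from_timestamp(ts: int) -> bytes:
    """Derive the key from the seed only: knowing the seed means knowing the key."""
    rng = random.Random(ts)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encrypt_file(ts: int, plaintext: bytes) -> bytes:
    return xor_stream(key_from_timestamp(ts), plaintext)

def recover_key(ciphertext: bytes, known_prefix: bytes, mtime: int, window: int = 3600):
    """Search the seeds in the window before the file's mtime (the encrypting
    write is what set the mtime). A known file header such as b"%PDF" is enough
    to confirm a candidate. Returns (seed, key) or None if nothing matches."""
    head = ciphertext[:len(known_prefix)]
    for ts in range(mtime, mtime - window - 1, -1):
        key = key_from_timestamp(ts)
        if xor_stream(key, head) == known_prefix:
            return ts, key
    return None

# Constructed sample: a "PDF" encrypted at a fixed time, mtime a little later.
SAMPLE_SEED = 1_476_000_000          # arbitrary Unix time
SAMPLE_PLAINTEXT = b"%PDF-1.4\nconstructed document body"
SAMPLE_CIPHERTEXT = encrypt_file(SAMPLE_SEED, SAMPLE_PLAINTEXT)
SAMPLE_MTIME = SAMPLE_SEED + 90
```

The search space is the few thousand seconds around the file's timestamp rather than the 2^128 values a random 16-byte key would have.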
The CryptoWall ransomware also suffers from a flawed implementation which, although using the RSA encryption algorithm, generates the private/public key pair upon infection, encrypts files with the public key, and transmits the private key to the server. However, since the key pair is generated client-side, its confidentiality can be compromised. This is especially true because the example implementation available on the MSDN website, and used by this malware, forces the storage of this private key locally, thus making it persistent on the compromised system.
They also gave an exclusive presentation of their "SALSA-O-METER" barometer, which evaluates the in-house stream cipher, based on Salsa20, used by the Petya virus for Master Boot Record (MBR) encryption:
After analysis, the following errors were made in the implementation of the encryption routine:
- The variable used to store the 64-bit stream is declared as uint32_t, so only 32 bits are kept.
- One constant was not modified when adapting code originally designed to run on a 16-bit architecture.
- A constant in a shift that skips every 4 bytes was not modified, halving the complexity since 2 out of every 4 bytes are ignored.
- A "key_expand" function is ultimately used, which significantly reduces the key size from 16 to 8 bytes.
A brute-force attack on the remaining 8 printable characters can therefore be easily carried out.
The presentation concluded with an analysis of the Nuclear exploit kit, whose activity ceased after Check Point's publication.
The error made by this exploit kit occurs during the exchange of the deobfuscation key over the Diffie-Hellman protocol. Because the client variables are not base64 encoded, the "getGmp" function responsible for decoding this value fails and returns zero.
Since the rest of the calculation is based on this value, the entire encryption code returns zero.
Yaniv and Ben finally concluded the presentation by reminding everyone not to play the sorcerer's apprentice with the following quote:
If you consider cryptography to be a magic black box then either you don't understand cryptography or it doesn't understand you.
Hadoop safari: Hunting for vulnerabilities
Mahdi Braik and Thomas Debize presented an assessment of the security level of the Hadoop Big Data solution.
As a reminder, Hadoop is an open-source framework written in Java and used for creating distributed applications whose processing is based on a "MapReduce" type algorithm:
After a brief explanation of Hadoop's inner workings, Mahdi and Thomas detailed its various security models. Although used by major companies like Adobe, Yahoo!, and eBay, no authentication mechanism is enforced by default on a Hadoop cluster. In fact, if the Kerberos protocol is not enabled, Hadoop only performs authentication based on the username provided by the user and verifies its existence.
Next, permission management and auditing prove complex to implement, since each component of the Hadoop cluster has its own authorization model; the HDFS (Hadoop Distributed File System) file system, for example, has supported POSIX permissions and ACLs since version 2.5.
Finally, encryption is not enabled by default to protect data confidentiality during transmission (in-transit) and storage (at-rest). This option is available, however, for installations using the Kerberos protocol.
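The three weak defaults just described (username-only authentication, no enforced authorization, no in-transit encryption) can be checked mechanically. The following is an added example, not code from the talk or the Hadoop project: it reads a Hadoop site file (core-site.xml or hdfs-site.xml format) and reports which of these settings are still at their weak value. The property names are real Hadoop keys; the XML samples are constructed.

```python
# Added example, not from the talk or the Hadoop project: audit a Hadoop site file
# for the weak defaults the talk points out (no authentication, no authorization,
# no in-transit encryption). The property names are real Hadoop keys; the XML
# samples are constructed for the demo.
import xml.etree.ElementTree as ET

# key -> (value Hadoop assumes when the key is absent, value a hardened cluster needs)
CHECKS = {
    "hadoop.security.authentication": ("simple", "kerberos"),   # "simple" trusts the supplied username
    "hadoop.security.authorization": ("false", "true"),         # service-level ACLs
    "hadoop.rpc.protection": ("authentication", "privacy"),     # RPC integrity + encryption
    "dfs.encrypt.data.transfer": ("false", "true"),             # encrypt block transfers
    "dfs.permissions.enabled": ("true", "true"),                # HDFS POSIX permission checks
}

def parse_site_xml(text: str) -> dict:
    """Flatten <property><name/><value/></property> entries into a dict."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit(props: dict) -> list:
    """Return one finding per check that is weaker than the hardened value."""
    findings = []
    for key, (default, wanted) in CHECKS.items():
        actual = props.get(key, default).lower()   # absent key => Hadoop default
        if actual != wanted:
            findings.append(f"{key}={actual} (expected {wanted})")
    return findings

SAMPLE_WEAK = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode.example:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>dfs.permissions.enabled</name><value>false</value></property>
</configuration>"""

SAMPLE_HARDENED = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
  <property><name>dfs.encrypt.data.transfer</name><value>true</value></property>
</configuration>"""
```

Keys that are simply absent count as findings, because Hadoop then falls back to the weak default rather than failing closed.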
Thomas and Mahdi then explained to us the attack surface offered by this type of installation as well as the attack techniques against certain services such as the WebHDFS REST API or the Hadoop command interpreter.
A tool called HDFSBrowser was even developed to simplify the task of data retrieval and export to CSV format:
Furthermore, retrieving a Meterpreter shell is easily achievable since the purpose of Hadoop is to distribute tasks to be executed:
Thomas then pointed out that one of the disadvantages of distributed systems is that it is not possible a priori to precisely target the server on which we want to execute code.
Finally, several vulnerabilities on third-party modules were presented, such as account enumeration, XSS vulnerabilities, and access to log files.
To conclude their presentation, they reiterated some recommendations to be applied, such as the implementation of the Kerberos protocol, the reduction of the attack surface via exposed services, and the application of security patches.
Hacking Social Gathering
The day ended beautifully with the Social event.
The evening's menu included sandwiches, unlimited beer and wine, and presentations each more outlandish than the last. Several people took to the stage to present materials randomly selected from the internet.
This evening confirmed the excellent welcome from the entire staff and the approachability of the conference participants. We highly recommend that our readers attend the next edition!
Appendices
The various presentation materials will soon be available at the following address:
In the meantime, here are some links to watch the different conferences:
- Day 2
- The Metabrik Platform: Rapid Development of Reusable Security Tools by Patrice Auffret
- 2016: The Infosec Crossroads
- Exploit generation and JavaScript analysis automation with WinDBG
- A Network of Sorrows: Small Adversaries and Small Allies by Quinn Norton
- Lightning Talk: Start-up Pitch: securityscorecard.io by Chris Meidinger
- Lightning Talk: Sisyphus, All IP Data In One Place by GomoR
- Lightning Talk: Start-up Pitch: redowl.com by Peter Heim
- Exploiting new default accounts in SAP systems by Joris Van De Vis
- badGPO – Using GPOs for Persistence and Lateral Movement
- Machine Duping: Pwning Deep Learning Systems by Clarence Chio
- Credential Assessment: Mapping Privilege Escalation at Scale by Matt Weeks
- When Crypto Fails (Yaniv Balmas, Ben Herzog)
- Bootstrapping an Architectural Research Platform by Jacob I. Torrey
- Hadoop safari: Hunting for vulnerabilities by Mahdi Braik and Thomas Debize