{"id":1628,"date":"2014-11-24T11:11:11","date_gmt":"2014-11-24T10:11:11","guid":{"rendered":"http:\/\/securite.intrinsec.com\/?p=1628"},"modified":"2014-11-24T11:11:11","modified_gmt":"2014-11-24T10:11:11","slug":"conference-nosuchcon-2014-jour-2","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/conference-nosuchcon-2014-jour-2\/","title":{"rendered":"NoSuchCon 2014 Conference \u2013 Day 2"},"content":{"rendered":"

As part of its monitoring activities, Intrinsec attended the second edition of the NoSuchCon international conference, which took place from November 19 to 21, 2014, at the Niemeyer space at the headquarters of the French Communist Party (PCF) in Paris. The presentations were in English, technical, and straightforward. (bullshit-free)<\/em>.<\/p>\n

\"image15\"<\/a>(source : http:\/\/www.nosuchcon.org\/<\/a>)<\/p>\n

We offer summaries of the various presentations from the conference: Day 1<\/a>, day 2 (this article) and day 3<\/a>.<\/p>\n

We would also like to thank the organizers and student volunteers who managed this event very well, as well as the speakers who shared their knowledge and discoveries.<\/p>\n

Day 2<\/h1>\n

\u00abUnderstanding and defeating Windows 8.1 Patch Protections: it's all about gong fu! (part 2) \u00bb \u2013 Andrea Allievi (Cisco)<\/h2>\n

\"image23\"<\/a>Slides: http:\/\/www.nosuchcon.org\/talks\/2014\/D2_01_Andrea_Allievi_Win8.1_Patch_protections.pdf<\/a><\/p>\n

Andrea Allievi recalled the protection mechanisms added to the latest versions of Windows to make it more difficult to compromise the operating system.<\/p>\n

Especially : Patch Guard<\/em> protects the Windows kernel and the Driver Signing Enforcement<\/em> restricted to only drivers signed for execution within the kernel.<\/p>\n

The mechanism Patch Guard<\/em> It works by abruptly shutting down the operating system if it is compromised. Various vulnerabilities have been discovered and are being patched by Microsoft each time. Andrea therefore chose a different offensive approach: rather than trying to bypass\/block this mechanism, he sought to use it to protect his malicious code!<\/p>\n

After three months of hard work, he managed to install a hook<\/em> on the kernel API for file creation and to protect it by Patch Guard<\/em>. Thus, if anti-softwarerootkits<\/em> If you try to remove it, the protection will kick in and shut down the system!<\/p>\n

\u00abMimikatz\u00bb \u2013 Benjamin Delpy<\/h2>\n

\"image24\"<\/a>Slides: http:\/\/www.nosuchcon.org\/talks\/2014\/D2_02_Benjamin_Delpy_Mimikatz.pdf<\/a><\/p>\n

Benjamin Delpy, creator of the mimikatz tool, reviewed how authentication (LSA, NTLM, Kerberos) works in Windows and the design choices behind the SSO mechanism. (Single Sign-On)<\/em> which allows the attack Pass-The-Hash<\/em> and which has no countermeasures.<\/p>\n

Windows domains tend to move from NTLM authentication to the Kerberos protocol, and its research is now focused on this area.<\/p>\n

Benjamin presented the already known features of mimikatz: Overpass-The-Hash <\/em>(obtaining Kerberos tickets via password hashes alone), Pass-The-Ticket<\/em> (ticket theft and reuse), Golden\/Silver tickets<\/em> (generation of domain administrator tickets or service-specific tickets that are valid for a long period).<\/p>\n

Regarding the Golden Tickets<\/em> An attacker only needs the krbtgt account fingerprint, and this rarely changes (due to modifications in the domain's functional level). Two values are valid: the current one and the previous one! This fingerprint can be leaked at several levels: dump<\/em> domain (AD password audit or compromise), copying of a domain controller's file system (backup tape or share), compromise of a hypervisor hosting a domain control (and therefore access to the file system).<\/p>\n

It should also be noted that the password for the krbtgt account is not renewed automatically and this procedure is not recommended by Microsoft because it is not reliable (citing an example of a denial of service on a domain that lasted half a day).<\/p>\n

 <\/p>\n

The new attack presented is called Pass-The-Cache<\/em> This involves extracting the Kerberos ticket cache from Ubuntu or Mac OS X machines accessing the Windows domain, then converting it with mimikatz and injecting it for use. This makes it possible to attack users on these two systems and then impersonate them on a Windows domain.<\/p>\n

 <\/p>\n

\u00abPass the Cache\u00bb attack: Mimikatz tool is now able to import Linux and OS X cached Kerberos tickets and reuse them on Windows #NSC14<\/a><\/p>\n

\u2014 NoSuchCon (@NoSuchCon) November 20, 2014<\/a><\/p><\/blockquote>\n

 <\/p>\n

The mimikatz tool also allows, via driver injection, the removal of protection from protected processes (for example, lsass.exe) or the system to protect a program (for example, mimikatz). It is also possible to render antivirus software ineffective by disconnecting it from the OS notification system.<\/p>\n

Benjamin concluded by praising Microsoft's efforts to strengthen the security of Windows systems and domains in a challenging context (performance, backward compatibility, etc.).<\/p>\n

 <\/p>\n

\u00abGoogle Apps Engine security\u00bb \u2013 Nicolas Collignon (Synacktiv)<\/h2>\n

\"image31\"<\/a>Slides: http:\/\/www.nosuchcon.org\/talks\/2014\/D2_03_Nicolas_Collignon_Google_Apps_Engine_Security.pdf<\/a><\/p>\n

Google Apps Engine (GAE) is the offering cloud <\/em>from Google, which allows the design and hosting of web applications (PaaS: Platform as a Service)<\/em>. Nicolas Collignon presented the security flaws that can appear when using this platform, from three perspectives.<\/p>\n

First, there are the mistakes that developers can make. Nicolas reminds us that this platform isn't magic and doesn't protect against classic web vulnerabilities: SQLI, XSS, CSRF, XXE, etc., which remain the developers' responsibility. Some APIs, such as urlfetch<\/em> And socket<\/em> Furthermore, they are not secure by default: developers must explicitly request validation of certificates and the remote host for SSL\/TLS exchanges. Nicolas also reminded everyone that the elasticity property of the cloud<\/em> (increasing the number of instances with the load) poses a dilemma in the event of a denial-of-service attack: either the customer will be overcharged, or they implement a quota, but the service will be made unavailable more easily!<\/p>\n

At the infrastructure level, tests cannot be run locally by developers, who therefore have credentials that grant indiscriminate access to both test and production instances. Compromising a developer's workstation can thus allow access to production, which is less common in a traditional infrastructure. Furthermore, GAE allows the parallel execution of multiple versions with or without debugging features: it is therefore possible to compromise production version 2 from production version 1 or development version 3!<\/p>\n

Vulnerabilities have also been discovered in the sandbox used by Google to segment applications. The protection offered is weaker if the development mode is used.<\/p>\n

Google Apps Engine (GAE) security findings by @synacktiv<\/a> on stage at #NSC14<\/a> pic.twitter.com\/9kvp1JCT7P<\/a><\/p>\n

\u2014 Jeff Oudenard (@jeffman78) November 20, 2014<\/a><\/p><\/blockquote>\n

 <\/p>\n

\u00abBlended Web and Database Attacks on Real-time, In-Memory Platforms\u00bb \u2013 Ezequiel Gutesman (Onapsis)<\/h2>\n

\"image26\"<\/a>Slides: http:\/\/www.nosuchcon.org\/talks\/2014\/D2_04_Ezequiel_Gutesman_Blended_Web_and_database_Attacks_on_real_time.pdf<\/a><\/p>\n

Advances in computer hardware mean that it is now possible to have databases of several hundred gigabytes running entirely in memory for significant performance gains.<\/p>\n

SAP, the publisher of the eponymous ERP system, implemented such a database: HANA. Its design goes beyond a traditional database, as it includes a web server and allows for the direct hosting of applications!<\/p>\n

 <\/p>\n

This target is of interest to Ezequiel Gutesman because highly sensitive company data is intended to be stored there (risks of espionage, sabotage or fraud) and the attack surface is substantial.<\/p>\n

 <\/p>\n

The hosted web applications and the database are tightly linked: for example, application users are necessarily database users, and the application's source code is stored in the database. Therefore, SQL injection will be restricted to data accessible by the current user; however, if the user has privileged access, it will be possible to modify the pages (defacement or addition of malicious code).<\/p>\n

Restricting SQL injections to the current user leads to hybrid attacks: social engineering and SQLI.<\/p>\n

 <\/p>\n

The countermeasures are classic: fine-grained restriction of user privileges and use of prepared statements.<\/p>\n

 <\/p>\n

HANA can also use a statistical computing engine based on R. Ezequiel offers configuration recommendations to ensure that it is properly protected.<\/p>\n

 <\/p>\n

In conclusion, critical business processes and information are migrating to new technologies whose security must be assessed (research, penetration testing, auditing). HANA was designed with security in mind, but several factors still rely on human error (administrators, developers, and end users).<\/p>\n

 <\/p>\n

The presentation concludes with practical guides. (cheatsheets) <\/em>useful when a HANA database is discovered in a penetration test.<\/p>\n

 <\/p>\n

\u00abUSBArmory\u00bb \u2013 Andrea Barisani (Reverse Path)<\/h2>\n

\"image25\"<\/a>Slides: http:\/\/www.nosuchcon.org\/talks\/2014\/D2_05_Andrea_Barisani_forging_the_usb_armory.pdf<\/a><\/p>\n

The "USBArmory" product is a free and open system that aims to create a "smart" USB key that can provide security features.<\/p>\n

The features currently being considered are as follows:<\/p>\n