Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
0 likes324 views
This case study by Tal Melamed highlights challenges faced in Java client penetration testing, detailing various techniques and tools used to overcome SSL/TLS obstacles, such as SSL certificate pinning and TCP communication issues. The author shares real-life experiences and specific failures during testing, emphasizing the importance of persistence in overcoming application security hurdles. Tools discussed include javasnoop for runtime manipulation, proksy for SSL pinning circumvention, and various Java deserialization resources.
Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
- 1. Case Study Java Hurdling Obstacles and Techniques in Java Client Penetration-Testing Tal Melamed Application Security Expert [email protected]
- 2. Agenda Me AppSec Labs The problems Fail #1 Fail #2 Fail #3 }
- 3. about:me Tech Lead @ AppSec Labs [email protected] Application Security Expert Trainer, builder & breaker Follow me @ appsec.it https://github.com/nu11p0inter , but when I do: http://lnkdin.me/cyber
- 5. AppSec Labs Industry vectors: AppSec Labs provides its high end services to the following industry vectors: High Tech software development Banking and financing National security IoT Cloud Pharmaceuticals Commerce Travel and transport IT Security products Biometrics Education Gaming Government Telecommunications
- 6. We are hiring! [email protected] Experienced PT Exp. Code-Review* Training skills Willing to travel * English Independent work and self-learning ability
- 7. Disclaimer This is a true story. The events depicted in this talk took place in 2016. At the request of the survivors, names, characters, places and incidents were changed, and are either products of the author’s imagination or are used fictitiously. Any resemblance to actual events or locales or persons, living or dead, is entirely coincidental. The rest is told exactly as it occurred. Warning: this presentation might contain memes…
- 8. The Problems TCP rather than HTTP SSL/TLS Certificate Pinning Runtime manipulation Patching the application ProKSy – revealed for the first time…
- 9. Day 1: I Got This! Let’s use BURP! - set the HTTP Proxy (option in tool) Nothing happens… Looking at WireShark Port 1XXXX TLS - Not HTTP! Sure, let use AppSec Labs’ incredible TCP proxy tool (TBC)
- 10. Problem #1: No HTTP/S We all Burp (nothing to be ashamed about) But what if… the application is not communicating over HTTP(s)?
- 11. Echo Mirage – by Wildcroft Security Link: unknown (good luck with FileHippo)
- 13. APE Intercept & tamper with TCP-based comm
- 14. APE What‘s new
- 15. APE External Filter – python based
- 16. APE – Listen to Requests HTTP/S? – Why not integrating with Burp?
- 17. What Really Happened? Nothing! Probably SSL… (Also, doesn’t work on 64-bit)
- 18. What Else is There? Stcppipe http://aluigi.altervista.org/mytoolz/stcppipe.zip
- 19. A Fraction of Hope…
- 20. Side Note: De/Serialization What is Serialization Converting the state of data to a byte stream so that the byte stream can be reverted back into a copy of the object What is the problem? Deserialization of untrusted data What does that mean? De-serializing data coming from the client could abuse the application logic, deny service, or execute arbitrary code. What to look for? ObjectInput.readObject() Externalizable.readExternal() Serializable.readResolve() ObjectOutputStream.replaceObject() ObjectInputStream.readUnshared() Many more…
- 21. All You Need to Know… You can find everything here: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet https://github.com/njfox/Java-Deserialization-Exploit PayPal RCE (2016) http://artsploit.blogspot.co.il/2016/01/paypal-rce.html Burp Extension https://github.com/NetSPI/JavaSerialKiller https://github.com/federicodotta/BurpJDSer-ng-edited https://appsec-labs.com/belch/ Scanner https://github.com/federicodotta/Java-Deserialization-Scanner Code Analyzer https://github.com/mbechler/serianalyzer
- 22. Where Were We? I can see the traffic, but how do I tamper with it? Tunnel “stripped” traffic onto APE! We need to inject APE into stcppipe
- 23. And… Fail #1 APE got the encrypted data
- 24. How Do We Intercept TCP Over SSL? Download TcpCatcher http://www.tcpcatcher.org/ Download TcpCathcer’s root certificate Install it as a RootCA in the KeyStore Download KeyStore Explorer http://www.keystore-explorer.org/
- 25. How Do We Intercept TCP Over SSL? Configure TcpCatcher to communication with both, the client and the server TcpCatcherwill now serve as a MitM.
- 26. Woohoo!
- 27. What Really Happened? It didn’t work! Let’s say I got this……………. Let’s decode:
- 28. Now, That my friends…. Is SSL pinning! The application validates the info of the received (TcpCatcher’s) certificate, against the wanted info, hardcoded in the class. Since it’s a self-signed certificate – we could just replace it with our own. You passphrase is: “OpenSSL” Create you own self-signed certificate Fill in the required info (found in the class) Install the new certificate in the KS. Should do the trick!
- 29. Keytool keytool -keystore clientkeystore -genkey -alias client keytool -keystore clientkeystore -certreq -alias client -keyalg rsa -file client.csr
- 30. But, which seems to have happened a lot TcpCatcher does not support using your own certificate only on-the-fly ones with a single value.
- 31. Other Possible Scenarios Checking that its “actually” a Root CA. Create a Root CA, using OpenSSL Sign your certificate with theRootCA Import the new Root CA into the default KeyStore (default password: changeme) Pinning the Root CA You might need toactually sign your own certificate Pinning the intermediate You’ll probably have to patch the code and replace the int. public key with your own. Using self-created KeyStore Replace the KeyStore Might require some patching the bypass possible KS validations (e.g. checksum)
- 32. What do we do now? Let’s hook in runtime! Goodbye stcppipe. Hello… JavaSnoop!
- 33. Day 2: JavaSnoop Attaches into any app running over JVM Hook methods Tamper with parameters, print stacks, etc.
- 34. JavaSnoop
- 36. After 5 Hours (on the 2nd day!)
- 37. I Shall Call Him…
- 38. Fail #2 Server checked the value… What next? Let’s patch the JAR!
- 39. Day 3: Fail #3 // extract jar # jar -xf myapp.jar // pack jar # jar –cvf <desired.jar> <files> // update jar # jar -uf <file.jar> <my.class>
- 40. Let’s Modify Classes Directly! Now, how do you modify class files??
- 41. Introducing - JBE Java Bytecode Editor - http://set.ee/jbe/
- 42. Java Bytecode https://en.wikipedia.org/wiki/Java_bytecode_instruction_listings Java Bytecode Human ifeq / ifne if value is (not) 0, branch to offset if_icmpeq /if_icmpne if ints are equal / not equal iconst_0 / iconst_1 load int=0/ int=1 aload_0 load a reference into a local variable 0 astore_1 store a reference into local variable 1 dcmpg compare two doubles areturn return a reference form a method fneg negate a float ireturn return an integer from a method ldc push a constant from a constant pool to the stack
- 43. Java Bytecode Editor Demo time…
- 44. What REALLY Happened? 0. Load something… 1. If null jump to 14 (const_0) 4. Load something… 5. Get static “ADMIN” 8. Invoke equals(x,y) 11. If equals jump to 18 (const_1) 14. (no jump) const_0 15. Go to 19 (return) 18. const_1 19. return
- 45. Before…
- 46. I’ll Just….
- 47. Let Us Pray!
- 48. After 2 days and 6 hours
- 49. Imagine if… We needed to create a MitM, to serve as a proxy between the original MitM and the client, replacing its on-the-fly certificate with our own certificate So, now we have:
- 50. For the first time! Introducing…. ProKSy -- What with the “KS”? -- Stands for KeyStore :P https://github.com/nu11p0inter/ProKSy
- 51. Demo Time!
- 52. The Moral of the Story What did not work for me, might work for you Java – might not (fun) “writable”, but “readable” Never give up - there’s no such thing as “unbreakable” We love memes Download ProKSy!
- 53. One slide to dl them all APE - TCP (.net) Proxy for Hooking https://appsec-labs.com/advanced-packet-editor/ ProKSy - TCP/SSL Proxy for SSL Pinning https://github.com/nu11p0inter/ProKSy/ JavaSnoop - Java Runtime Manipulation http://www.aspectsecurity.com/tools/javasnoop JBE/reJ - Java ByteCode Editing http://set.ee/jbe/ https://sourceforge.net/projects/rejava
- 54. Thank you! see you @ OWASP IL 2017 QUESTIONS? [email protected] http://appsec.it https://github.com/nu11p0inter http://lnkdin.me/cyber