Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specification is Awesome!
Uploaded by: ec-council | Category: Technology
Transcript of Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specification is Awesome!
RDP Fuzzing, or Why the Microsoft Open Protocol Specification is Awesome!
And These Guys Are?
• Lane Thames, PhD – VERT Security Researcher @ Tripwire
– Decade+ experience
– Focused on tool development and data analytics
• Andrew Swoboda – VERT Security Researcher @ Tripwire
– Focused on Python and network protocol implementation
– Most recent research: RDP
Ok... And This Talk?
Microsoft Open Protocol Spec
• Open Specification Promise – September 2006
• Includes:
– Office file formats – binary & XML
– Multiple RFCs
– WMF image format
• Microsoft promises not to assert its patents against implementations of the covered specs, so anyone may build and sell products that use them.
Microsoft Open Protocol Spec
• Documentation on hundreds of MS Protocols
• Includes examples and capture data
• Multiple Uses
– Build your own protocol stack
– Exploit Research
– Protocol Troubleshooting
– Malware Research
– Fuzzer Development!
RDP Packet Dissection
• Dissected per direction (client → server, server → client)
– Order maintained
– Encrypted packets shown decrypted
– Fields and values explained
• Organized & structured
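As an added example of the kind of dissection the spec's annotated captures let you write (illustration code written for this page, not the talk's or Tripwire's), the parser below takes apart the first PDU of an RDP connection, the Client X.224 Connection Request (MS-RDPBCGR 2.2.1.1): TPKT header, X.224 CR TPDU, the optional mstshash cookie and the optional rdpNegReq. The sample packet is constructed, not captured, and the `protocol_names()` and `is_malformed()` helpers are assumptions added for readability. The field worth watching is requestedProtocols: a request with no rdpNegReq, or with requestedProtocols = 0, negotiates standard RDP security, the RC4 scheme the RDP Encryption slide covers, rather than TLS or CredSSP.

```python
"""Dissect a Client X.224 Connection Request PDU (MS-RDPBCGR 2.2.1.1).
Added example for this page; not code from the talk."""
import struct
from dataclasses import dataclass
from typing import Optional

# requestedProtocols bits (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # standard RDP security (RC4 + MAC, no TLS)
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP (NLA)
TYPE_RDP_NEG_REQ = 0x01
COOKIE_PREFIX = b"Cookie: mstshash="

# Constructed sample: cookie "fuzz", asking for TLS | CredSSP.
SAMPLE_CR = (b"\x03\x00\x00\x2a"                   # TPKT v3, length 42
             b"\x25\xe0\x00\x00\x00\x00\x00"       # X.224 CR, LI = 37
             b"Cookie: mstshash=fuzz\r\n"           # routing cookie
             b"\x01\x00\x08\x00\x03\x00\x00\x00")   # rdpNegReq, protocols = 3


@dataclass
class ConnectionRequest:
    cookie: Optional[str]
    requested_protocols: Optional[int]   # None: no rdpNegReq present
    neg_flags: int = 0

    def protocol_names(self):
        """Human-readable view of what the client is willing to negotiate."""
        if self.requested_protocols is None:
            return ["standard RDP security (no rdpNegReq)"]
        names = []
        if self.requested_protocols & PROTOCOL_SSL:
            names.append("TLS")
        if self.requested_protocols & PROTOCOL_HYBRID:
            names.append("CredSSP")
        return names or ["standard RDP security"]


def parse_connection_request(pdu: bytes) -> ConnectionRequest:
    # TPKT: version 3, reserved byte, big-endian total length (RFC 1006)
    if len(pdu) < 11 or pdu[0] != 0x03:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", pdu[2:4])
    if tpkt_len != len(pdu):
        raise ValueError("TPKT length %d != %d bytes" % (tpkt_len, len(pdu)))
    tpdu = pdu[4:]
    li = tpdu[0]                 # length indicator: bytes that follow LI
    if li + 1 != len(tpdu):
        raise ValueError("X.224 LI %d != %d" % (li, len(tpdu) - 1))
    if tpdu[1] & 0xF0 != 0xE0:   # CR TPDU code is 0xE, CDT in the low nibble
        raise ValueError("X.224 code 0x%02x is not a Connection Request" % tpdu[1])
    # DST-REF, SRC-REF and the class option are all zero in an RDP CR.
    var = tpdu[7:]
    cookie = None
    if var.startswith(COOKIE_PREFIX):
        end = var.index(b"\r\n")
        cookie = var[len(COOKIE_PREFIX):end].decode("ascii")
        var = var[end + 2:]
    protocols, flags = None, 0
    if var:
        if len(var) < 8:
            raise ValueError("truncated rdpNegReq")
        typ, flags, length, protocols = struct.unpack("<BBHI", var[:8])
        if typ != TYPE_RDP_NEG_REQ or length != 8:
            raise ValueError("malformed rdpNegReq")
        if var[8:]:
            raise ValueError("%d trailing bytes after rdpNegReq" % len(var[8:]))
    return ConnectionRequest(cookie, protocols, flags)


def build_connection_request(cookie=None, requested_protocols=None, flags=0):
    """Inverse of the parser; handy for regenerating a packet with mutated fields."""
    var = b""
    if cookie is not None:
        var += COOKIE_PREFIX + cookie.encode("ascii") + b"\r\n"
    if requested_protocols is not None:
        var += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, flags, 8, requested_protocols)
    tpdu = bytes([6 + len(var), 0xE0, 0, 0, 0, 0, 0]) + var
    return b"\x03\x00" + struct.pack(">H", 4 + len(tpdu)) + tpdu


def is_malformed(pdu: bytes) -> bool:
    """True when the parser rejects the PDU (lengths disagree, bad type, ...)."""
    try:
        parse_connection_request(pdu)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    cr = parse_connection_request(SAMPLE_CR)
    print("cookie:", cr.cookie, "| requested:", ", ".join(cr.protocol_names()))
```

Every length check in the parser is a place a fuzzed packet can disagree with itself (TPKT length versus bytes on the wire, LI versus the TPDU, the rdpNegReq length field versus its fixed size); those are exactly the fields a template would expose as variables.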
RDP Encryption
• Encryption
– FIPS (Federal Information Processing Standard)
– Non-FIPS
• 3 encryption key lengths: 40 bit, 56 bit, 128 bit
• Session key: used to encrypt/decrypt
• The Open Protocol Specification shows how to calculate:
» Decrypt key
» Encrypt key
» MAC key (not the MAC signature)
– http://msdn.microsoft.com/en-us/library/cc240785.aspx
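The key material the slide lists, worked as an added example (illustration code written for this page in Python 3, not the talk's or Tripwire's): the non-FIPS initial session key generation from MS-RDPBCGR 5.3.5.1, which is the MSDN page cited above, the MAC signature from 5.3.6.1, and a one-PDU RC4 round trip to show that the client's encrypt key is the server's decrypt key. The client and server randoms are constructed values, not a capture; `rc4()` is a plain textbook RC4 added so the block runs with the standard library only.

```python
"""Standard (non-FIPS) RDP security: initial session keys (MS-RDPBCGR
5.3.5.1), MAC signature (5.3.6.1) and an RC4 round trip.
Added example for this page; not code from the talk."""
import hashlib


def _salted_hash(secret, salt, client_random, server_random):
    # SaltedHash(S, I) = MD5(S + SHA1(I + S + ClientRandom + ServerRandom))
    inner = hashlib.sha1(salt + secret + client_random + server_random).digest()
    return hashlib.md5(secret + inner).digest()


def _final_hash(key, client_random, server_random):
    # FinalHash(K) = MD5(K + ClientRandom + ServerRandom)
    return hashlib.md5(key + client_random + server_random).digest()


def _reduce_key(key128, bits):
    # 128-bit keys are used whole.  40- and 56-bit keys are still 8 bytes:
    #   Key40 = 0xD1269E + Last40Bits(First64Bits(Key128))
    #   Key56 = 0xD1     + Last56Bits(First64Bits(Key128))
    if bits == 128:
        return key128
    head = key128[:8]
    if bits == 56:
        return b"\xd1" + head[1:]
    if bits == 40:
        return b"\xd1\x26\x9e" + head[3:]
    raise ValueError("unsupported key length %r" % bits)


def derive_session_keys(client_random, server_random, bits=128):
    """Initial MAC, encrypt and decrypt keys for both peers (5.3.5.1)."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("ClientRandom and ServerRandom are 32 bytes each")
    pre_master = client_random[:24] + server_random[:24]   # First192Bits of each
    master = b"".join(_salted_hash(pre_master, s, client_random, server_random)
                      for s in (b"A", b"BB", b"CCC"))
    blob = b"".join(_salted_hash(master, s, client_random, server_random)
                    for s in (b"X", b"YY", b"ZZZ"))
    mac128 = blob[:16]
    server_encrypt128 = _final_hash(blob[16:32], client_random, server_random)
    server_decrypt128 = _final_hash(blob[32:48], client_random, server_random)
    # The client's keys are the server's keys, swapped.
    return {
        "mac_key": _reduce_key(mac128, bits),
        "server_encrypt_key": _reduce_key(server_encrypt128, bits),
        "server_decrypt_key": _reduce_key(server_decrypt128, bits),
        "client_encrypt_key": _reduce_key(server_decrypt128, bits),
        "client_decrypt_key": _reduce_key(server_encrypt128, bits),
    }


def mac_signature(mac_key, data, encryption_count=None):
    """8-byte MAC signature (5.3.6.1).  Pass encryption_count for the salted
    variant, which also hashes the 32-bit little-endian packet counter."""
    pad1, pad2 = b"\x36" * 40, b"\x5c" * 48
    length = len(data).to_bytes(4, "little")
    tail = b"" if encryption_count is None else encryption_count.to_bytes(4, "little")
    sha = hashlib.sha1(mac_key + pad1 + length + data + tail).digest()
    return hashlib.md5(mac_key + pad2 + sha).digest()[:8]


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA).  Enough for one PDU; a real RDP session keeps
    the cipher state running across PDUs and re-keys after 4096 packets."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


if __name__ == "__main__":
    # Constructed randoms; the Server Security Data / Security Exchange PDUs
    # in a capture carry the real ones.
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    keys = derive_session_keys(client_random, server_random, bits=128)
    for name, key in keys.items():
        print("%-20s %s" % (name, key.hex()))
    pdu = b"constructed client PDU"
    ciphertext = rc4(keys["client_encrypt_key"], pdu)
    assert rc4(keys["server_decrypt_key"], ciphertext) == pdu
    print("MAC signature:", mac_signature(keys["mac_key"], pdu).hex())
```

With both randoms from a capture, this is all that separates a ciphertext-only pcap from decrypted PDUs, which is why the spec's worked examples could show the encrypted packets in the clear and why standard RDP security is treated as legacy; the MAC key is the first 128 bits of the session key blob, while the MAC signature is the per-packet 8-byte tag computed from it.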
Why Python
• Interpreted language.
– Quick development
– No need to recompile between changes
– Ease of Use
• It’s used by many security tools.
• We use it internally at Tripwire
Python 101: Hello World!
Basic Hello World!
```python
>>> print 'Hello World!'
Hello World!
```
Hello World! function
```python
>>> def hw():
...     print 'Hello World!'
...
>>> hw()
Hello World!
```
Hello World! class
```python
>>> class Hello:
...     def __init__(self):
...         self.hw = 'Hello World!'
...     def greet(self):
...         return self.hw
...
>>> world = Hello()
>>> world.greet()
'Hello World!'
>>> print world.greet()
Hello World!
```
Fuzzing 101
• What is Fuzzing?
• Why Fuzz?
• Examples of Fuzzing outside of IT?
Our Fuzzing Concept
• Stand-alone fuzzer; protocol independent
• Protocol library can be built any way
– Requires a protocol library and an error library
• Uses templates for fuzzing attempts
– Templates can be generated a number of ways
– Each template attempt is reported
• Allows for easy reproduction
Pluggable Protocols
• Protocols are independent.
• Requires a function named start()
• Raises error messages
• Dynamically generates protocol module names
– <protocol>.py
– <protocol>_error.py
Templates
• Define variables that can be manipulated.
• Generated:
– Manually
– Programmatically (with a script)
• Populated with packet data from:
– Packet captures
– Exploits
Why
• Minimal past experience with fuzzers
– It can be difficult to trace error generation
• Wanted it to work with many protocols
• Valid for our work at Tripwire
Fuzzer: find_templates()
Fuzzer: run()
Fuzzer: fuzz()
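The skeleton below is an added example written for this page to show the structure the Fuzzing Concept, Pluggable Protocols and Templates slides describe; it is not the Tripwire fuzzer's own find_templates(), run() and fuzz(). Assumptions: the protocol plug-in `<protocol>.py` exposes start() as the slides require, plus a pack() builder that turns template fields into a packet; `<protocol>_error.py` defines the exception classes that count as expected protocol rejections, so anything else raised by the target is a finding; and both modules are built in memory and registered in sys.modules here so the dynamic import by name works without files on disk. The `toy` protocol, its templates and its planted bug are all constructed.

```python
"""Template-driven, protocol-independent fuzzer skeleton.
Added example for this page; not Tripwire's fuzzer."""
import importlib
import sys
import types

# Constructed plug-in sources.  In the real layout these are <protocol>.py and
# <protocol>_error.py on disk; here they are exec'd into module objects and
# registered in sys.modules so importlib.import_module("<protocol>") resolves.
PLUGIN_SOURCES = {
    "toy_error": '''
class ToyError(Exception):
    """Expected, well-formed rejection by the toy target: not a finding."""
''',
    "toy": '''
import struct
from toy_error import ToyError

def pack(fields):
    """Serialize template fields: little-endian 16-bit length, then body."""
    return struct.pack("<H", fields["length"] & 0xFFFF) + fields["body"]

def start(packet):
    """Constructed target with a planted bug: it reads body[0] before
    checking that the body is non-empty."""
    if len(packet) < 2:
        raise ToyError("truncated header")
    (length,) = struct.unpack("<H", packet[:2])
    body = packet[2:]
    first = body[0]            # IndexError on an empty body: the bug
    if length != len(body):
        raise ToyError("length %d does not match body %d" % (length, len(body)))
    return first
''',
}


def load_plugin(protocol):
    """Resolve <protocol>.py and <protocol>_error.py by name and check the
    plug-in contract: start() must exist; the error module's exception
    classes are what the harness treats as expected rejections."""
    for name in (protocol + "_error", protocol):     # error module first
        if name not in sys.modules:
            mod = types.ModuleType(name)
            exec(PLUGIN_SOURCES[name], mod.__dict__)
            sys.modules[name] = mod
    proto = importlib.import_module(protocol)
    errors = importlib.import_module(protocol + "_error")
    if not callable(getattr(proto, "start", None)):
        raise TypeError("%s.py must define start()" % protocol)
    expected = tuple(e for e in vars(errors).values()
                     if isinstance(e, type) and issubclass(e, Exception))
    return proto, expected


def find_templates():
    """Each template is a baseline packet, as if lifted from a capture, whose
    fields are the variables the fuzzer may manipulate.  Constructed here."""
    return {"len_prefixed_hello": {"length": 5, "body": b"hello"}}


def mutations(value):
    """Boundary-value mutations chosen by field type."""
    if isinstance(value, int):
        return [0, 1, value - 1, value + 1, 0x7FFF, 0xFFFF, 0x10000]
    if isinstance(value, (bytes, bytearray)):
        return [b"", bytes(value) * 64, b"\x00" * len(value), bytes(value)[:-1]]
    return []


def fuzz(proto, expected_errors, name, template):
    """Mutate one field at a time and report every attempt, so any result
    can be replayed from the report alone."""
    reports = []
    for field, base in template.items():
        for value in mutations(base):
            fields = dict(template, **{field: value})
            packet = proto.pack(fields)
            try:
                proto.start(packet)
                outcome, detail = "accepted", ""
            except expected_errors as err:
                outcome, detail = "rejected", str(err)
            except Exception as err:          # anything unexpected is a finding
                outcome, detail = "FINDING", "%s: %s" % (type(err).__name__, err)
            reports.append({"template": name, "field": field, "value": value,
                            "packet": packet.hex(), "outcome": outcome,
                            "detail": detail})
    return reports


def run(protocol="toy"):
    proto, expected = load_plugin(protocol)
    reports = []
    for name, template in find_templates().items():
        reports.extend(fuzz(proto, expected, name, template))
    return reports


def findings(reports):
    return [r for r in reports if r["outcome"] == "FINDING"]


if __name__ == "__main__":
    for r in run():
        print("%-8s %-18s %-6s %-12r %s" % (r["outcome"], r["template"],
                                             r["field"], r["value"], r["detail"]))
```

The report line for the one finding (template, field, mutated value, packet bytes) is everything needed to reproduce it against the target, which is the point the Fuzzing Concept slide makes; swapping the `toy` plug-in for an RDP one that packs and sends real PDUs leaves the harness untouched.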
Finding a vulnerability
Disclosure Process - Why
• Tripwire has a responsible disclosure policy.
• We recommend everyone follow responsible disclosure guidelines.
• 0-day hurts everyone.
Disclosure Process - How
• Request a CVE from MITRE (unless the vendor of the product is a CNA)
• Contact the vendor and determine its security contact.
• Send the security contact the details of the vulnerability.
• Follow up until you know the issue is resolved.
Your Name in Lights
Thank You