AppSec USA 2014

Denver, Colorado

Jon McCoy

Hacking .NET Applications:

The Black ArtsAppSec – USA – 2014

2

DenHac - DenHac.ORG

Monday 8:00700 Kalamath St. Denver CO

3

NOT Microsoft

Cross Platform

Next Step From C++/JAVA

FUTURE COMPATIBLE

PLATFORM INDEPENDENT

WHAT IS .NET?

4

HACKER VS ATTACKER

5

6

NOT AMS LEVEL

7

WHY NOT IDA?

IDA PRO

8

IDA PRO

9

BACK WHEN

10

BACK WHEN

11

BUT….

12

NOT IDA PRO

13

14

15

NOT IDA PRO

16

IL – Intermediate LanguageCode of the Matrix |||| NEW ASM

17

C# - 15

IL - 34

ASM - 77

LINESC# - 13 LINESDECOMPILE

18

HOW MUCH CODE DO YOU NEED TO READ`

C# - 15IL - 34ASM - 77

19

Attacking/Cracking

IN MEM |||| ON DISK

20

ATTACKING .NET

ATTACKTHE CODE ON DISK

21

ATTACKING ON DISK

22

ASM Attacking

Basics of ASM in .NETDemo

23

24AMS

25

GRAYWOLF

ON DISK EDIT

26

ATTACKING .NET APPLICATIONS: AT RUNTIME

27

GRAYDRAGON

INJECTION

28

ATTACKING .NET

ATTACK WHILETHE APP IS RUNNING

29

Run and InjectSECURITY

SYSTEMS

30

31

BAD IDEASome Things Are Just A Bad Idea!!!

32

101 - ATTACK ON DISK

Decompile - Get code/tech

Infect - Change the target's code

Remold/Recompile - WIN

Exploit - Take advantage

Connect/Open - Access Code

33

THE WEAK SPOTS

Flip The Check

Set Value is “True”

Cut The Logic

Return True

Access Value

34

FLIP THE CHECKSET VALUE TO “TRUE”

  bool Registered = false;bool Registered = true;bool Registered = false;

If(a!=b)If(a==b)If(a==b)

35

RETURN TRUE

bool IsRegistered(){ Return TRUE; ........................}

36

CUT THE LOGIC

string sqlClean(string x){ Return x;}

37

CRACK THE KEY

Public/Private

3/B==Name*ID*7

Call Server

Demo = True;

Complex Math

==

==

==

==

==

Complex Math

Change Key

ASK what is /B?

Hack the Call

Set Value

1% of the time the KeyGen is given

38

PUBLIC/PRIVATE KEY

If you can beat themWhy join them

Key = “F5PA11JS32DA”

Key = “123456ABCDE”

39

SERVER CALL

1. Fake the Call2. Fake the Request3. Fake the Reply4. Win

“Send”SystemID = 123456789

*Registered = True*

Reg Code = f3V541

40

REG CODE REPLAY

Name:

Code: ==

JON DOE

98qf3uy!=

*C5G9P3

FAIL

41

Name:

Code:

*C

5G9P3

REG CODE REPLAY

42

Name:

Code: ==

JON DOE

5G9P3==

*C5G9P3

WIN

REG CODE REPLAY

43

COMPLEX MATH

1. Chop up the Math2. Attack the Weak

3. ??????????

4. Profit

44

WHAT STOPS THIS?

What is the security?

45

PROTECTION ON DISK

Protection - Security by 0b$cur17y Code Obfuscation

Shells / Packers / Encrypted(code)

Logic Obfuscation

Unmanaged calls…to C/C++/ASM

Try to SHUTDOWN Decompilation

46

 

47

48

PROTECTION ON DISK0bfu$ca7ed

DEMOFAIL

49

50

UNPROTECTED / PROTECTED

51

PROTECTION ON DISK

Shells

Pack/Encrypt the EXE

52

IT CAN BE THAT EZ

What is the security?What is the security?

’T‘T

53

54

VISUAL STUDIOExploit – Run arbitrary code

First noted in 2004

Get developer KeysAttack the SVN & DB

ATTACK VECTOR

www.pretentiousname.com/misc/win7_uac_whitelist2.html

55

LOOK INSIDE

56

DON’T LOOK

57

SECURITY

The Login security check is

Does A == B

Does MD5%5 == X

Is the Pass the Crypto Key

58

DATA LEAK

The Data sent home is

Application Info

User / Registartion Info

Security / System Info

59

KEY

The Crypto Key is

A Hard Coded Key

The Licence Number

A MD5 Hash of the Pass

6Salt 6MD5 Hash of the Pass

60

CRYPTO

The Crypto is DES 64

Tripple DES 192

Rijndael AES 256

Home MIX (secure/unsecure)

61

FIN

62

www.DigitalBodyGuard.comJonM@DigitalBodyGuard.com

MORE INFORMATION @:

Jon McCoy

63

 

HACK THE LOGIN

DEMOPASS THE KEYSHOW THE KEY

64

 

HACK THE KEY

DEMOAPPSEC-USA 2011

999ca10a050f4bdb31f7e1f39d9a0dda

65

Static Crypto Key

Vector init = 0

Clear TXT Password Storage

Encrypted Data