
Runtime Security Lab

Michael Schwarz Friday 31st August, 2018

Graz Security Week 2018


https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html


Large IoT Incidents

www.tugraz.at

  • September 21, 2016: > 600 Gbps on Brian Krebs' (security researcher) website (Mirai botnet)
  • September 30, 2016: Mirai source code published
  • October 21, 2016: ~1 Tbps on DNS provider Dyn
  • November 26, 2016: > 900 000 routers of Deutsche Telekom attacked and offline
  • February, 2018: > 1.35 Tbps attack on GitHub

2 Michael Schwarz — Graz Security Week 2018

Top 10 IoT Bugs

  • 1. Insecure Web Interface: default usernames and passwords
  • 2. Insufficient Authentication: weak passwords
  • 3. Insecure Network Services: unnecessary ports open
  • 4. Lack of Transport Encryption: SSL/TLS not available
  • 5. Privacy Concerns: collected information not properly protected
  • 6. Insecure Cloud Interface: interfaces with security vulnerabilities
  • 7. Insecure Mobile Interface: no account lockout mechanisms
  • 8. Insufficient Security Configurability: encryption is not available
  • 9. Insecure Software/Firmware: updates are not signed
  • 10. Poor Physical Security: unnecessary external ports like USB

Summary

The 90s called... ...they want their bugs back!

Infrastructure

  • There are 15 challenges
  • Different difficulties (the more points, the harder)
  • 4 different categories
  • Play on your own or as a team


https://ctf.attacking.systems

Infrastructure

  • Capture-the-flag (CTF) style
  • Every challenge has a hidden flag
  • Flags are usually in a text file flag.txt on the device
  • A flag looks like {A_S4MPL3_FL4G!}
  • Goal is to get the flag and submit it to the CTF system

Timeline

  • CTF runs until Friday, 3:00pm
  • Last-minute questions from 2:00pm to 3:00pm
  • Best player/team gets a prize

How to Start

  • Use your own computer or our provided Linux VM (on USB or from https://ctf.attacking.systems/res)
  • Create or join a team in the CTF system: https://ctf.attacking.systems
  • Choose a hacklet, read the description, and download it
  • Solve the hacklet by connecting to the hacklet

How to Connect

  • Hacklets are accessible over the network
  • Every hacklet has a text interface on a specific port
  • You can connect using any telnet-like program: PuTTY, Terminal, netcat, telnet
  • For example on Linux/Mac in the shell: netcat hacklets2.attacking.systems 8000

The Categories

There are 4 categories:

  • pwn: vulnerable binaries which you have to exploit
  • forensics: basically finding/reconstructing hidden/deleted stuff
  • crypto: (bad) cryptography you have to break
  • misc: random and fun hacklets which do not fit into any category (often no programming required)

How to Start

  • Download the hacklet
  • Identify the type of file: Executable? For which platform? Data? Which program can open it? Unknown?
  • Useful Linux tool: file – determines the file type

Unknown Files

  • Maybe the file is some archive...
  • ...or contains multiple files
  • Binwalk Firmware Analysis Tool: https://github.com/ReFirmLabs/binwalk
  • Can also extract files

Readable Information

  • Run strings on the file to extract all texts
  • For binaries: see all functions/variables (i.e., symbols)
  • x86: objdump -x <hacklet>
  • ARM: arm-linux-gnueabi-objdump -x <hacklet>
  • Watch out for function names containing flag

Binaries

  • Try to run the binary
  • x86: no requirements
  • ARM: requires libc6-dev-armhf-cross qemu-system-arm qemu-user
  • Then simply execute: qemu-arm -L /usr/arm-linux-gnueabihf ./hacklet
  • ...or for ARMv8: qemu-aarch64 -L /usr/aarch64-linux-gnu ./hacklet
  • More details: https://ctf.attacking.systems/res
  • Use a port scanner to check for alternative interfaces (SSH is not exploitable!)

Reverse Engineering

  • Command-line disassembler
  • x86: objdump -d <hacklet>
  • ARM: arm-linux-gnueabi-objdump -d <hacklet>
  • All platforms: radare2
  • Watch out for dangerous functions (e.g. strcpy, gets)
  • GUI disassembler: cutter, https://github.com/radareorg/cutter
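The following POSIX shell script is an added worked example, not material from the slides or from the CTF organisers. It ties the last few slides together: instead of calling file(1) it reads the ELF header itself to decide whether a downloaded hacklet is x86, x86_64, ARM or ARMv8, prints the objdump/qemu commands the slides give for that architecture, and emulates strings(1) to list symbol names worth a closer look (anything mentioning flag, plus the unsafe C functions such as strcpy and gets). The function names (hexat, elf_arch, toolchain_hint, printable_strings, interesting_strings, write_sample_elf) and the sample file it builds are my own; the e_machine codes are the standard ELF constants EM_386, EM_X86_64, EM_ARM and EM_AARCH64. The slides name no objdump for ARMv8, so none is printed for it.

```shell
#!/bin/sh
# Added example: triage an unknown hacklet using only POSIX tools (od, tr, awk,
# grep, sort). No network and no binutils needed; the sample input is constructed
# below so the script runs offline.

# Read N bytes at OFFSET of FILE as lowercase hex without separators.
# Usage: hexat FILE OFFSET N
hexat() {
    od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# Print the architecture of an ELF file (x86, x86_64, arm, aarch64 or
# unknown-XXXX), or "not-elf" (exit status 1) if the ELF magic is missing.
elf_arch() {
    [ "$(hexat "$1" 0 4)" = "7f454c46" ] || { echo "not-elf"; return 1; }
    # EI_DATA (byte 5): 1 = little endian, 2 = big endian. e_machine is a
    # two-byte field at offset 18, stored in the file's own byte order.
    data=$(hexat "$1" 5 1)
    lo=$(hexat "$1" 18 1)
    hi=$(hexat "$1" 19 1)
    if [ "$data" = "02" ]; then machine="$lo$hi"; else machine="$hi$lo"; fi
    case "$machine" in
        0003) echo "x86" ;;        # EM_386
        003e) echo "x86_64" ;;     # EM_X86_64
        0028) echo "arm" ;;        # EM_ARM
        00b7) echo "aarch64" ;;    # EM_AARCH64
        *)    echo "unknown-$machine" ;;
    esac
}

# Map the architecture to the inspection/emulation commands from the slides.
toolchain_hint() {
    # A bare file name in the current directory is run as ./name, as on the slides.
    case "$1" in */*) run="$1" ;; *) run="./$1" ;; esac
    case "$(elf_arch "$1")" in
        x86|x86_64) printf 'objdump -x %s; objdump -d %s; %s\n' "$1" "$1" "$run" ;;
        arm)        printf 'arm-linux-gnueabi-objdump -x %s; qemu-arm -L /usr/arm-linux-gnueabihf %s\n' "$1" "$run" ;;
        aarch64)    printf 'qemu-aarch64 -L /usr/aarch64-linux-gnu %s\n' "$run" ;;
        *)          printf 'not an ELF binary: try file(1) and binwalk\n' ;;
    esac
}

# Poor man's strings(1): runs of 4 or more printable characters, one per line.
printable_strings() {
    tr -cs '[:print:]' '\n' < "$1" | awk 'length($0) >= 4'
}

# Names the slides tell you to look for: anything containing "flag" and the
# classic unsafe C functions. One match per line, sorted and de-duplicated.
interesting_strings() {
    printable_strings "$1" | grep -i -E 'flag|strcpy|gets|sprintf|system' | sort -u
}

# Constructed sample (not a real hacklet): a 20-byte little-endian ELF header
# whose e_machine low byte is given in octal, followed by a few fake symbol names.
# Usage: write_sample_elf FILE 050   (050 octal = 0x28 = EM_ARM)
write_sample_elf() {
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000' > "$1"
    printf "\\$2\\000" >> "$1"
    printf 'main\000gets\000print_flag\000strcpy\000' >> "$1"
}

# Stand-alone demo on the constructed ARM sample.
sample=$(mktemp)
write_sample_elf "$sample" 050
echo "architecture: $(elf_arch "$sample")"
echo "next step:    $(toolchain_hint "$sample")"
echo "look at:"
interesting_strings "$sample"
rm -f "$sample"
```

On a real download, replace the constructed sample with the hacklet path: elf_arch tells you which objdump and qemu to reach for, and interesting_strings gives a first list of symbols to inspect in the disassembler. Both only read the file; nothing is executed.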

Rubberduck Debugging

  • It helps to explain what you see
  • Talking about the problem can be the first step
  • Usually we talk to humans
  • If none available/interested: use a rubber duck!

What next?

  • Let’s start with the challenges!
  • https://ctf.attacking.systems
  • If you are unsure, there is a walkthrough of one hacklet: https://ctf.attacking.systems/res

A Challenge a Day Keeps the Boredom Away

Questions?