Hack.lu 2018 Wrap-Up Day #2

The second day started early with an eye-opener talk: “IPC – the broken dream of inherent security” by Thanh Bui. IPC or “Inter-Process Communications” are everywhere. You can compare them as a network connection between a client and a server but inside the operating system. The idea of Thanh’s research was to see how to intercept communications occurring via IPC based on MitMA or “Man in the Machine” attacks. There are multiple attack vectors available. Usually, a server bind to a specific identifier (a network socket, a named pipe). Note that they are also secure methods via socket pairs or unnamed pipes. In the case of a network socket, the server binds to a specific port on<port> and waits for a client connection but, often, they have failover ports. A malicious process could bind to the official port and connect to the server via the failover port and receive connections from the client on the first port. Thanh reviewed also named pipes on Windows systems (accessible via \\.\pipe\). The second part of the talk focused on juicy targets that use IPC: password managers. Most of them use IPC for communications between the desktop client and the browser (to fill passwords automatically). Thanh demonstrated how it is possible to intercept juicy information! Another popular device using IPC is the Fido U2F security key. The attack scenario is the following:
  1. Attacker signs in using the 1st factor and receive a challenge
  2. Attacker keeps sending the challenge at the device at a high rate
  3. Victim signs in to ANY service using the same security key and touches the button
  4. Attacker receives the response with high probability

A nice talk to start the day! Then, I decided to attend a workshop about Sigma. I knew the tool for a while but I never had the opportunity to play with it. This workshop was the perfect opportunity to learn more.
Sigma is an open signature format that allows you to write rules in YAML and export them to many log management solution (Splunk, ES, QRadar, <name your preferred tool here>).  Here is a simple example of a Sigma rule to detect Mimikatz binaries launched on a Windows host:

title: Exercise 1
status: experimental
description: Detects the execution of Mimikatz binaries
references: - https://website
author: Xavier Mertens
data: 2018/10/17
tags: - attack.execution
logsource: product: windows service: sysmon
detection: selection: EventID: 1 filter: Hashes: - 97f93fe103c5a3618b505e82a1ce2e0e90a481aae102e52814742baddd9fed41 - 6bfc1ec16f3bd497613f57a278188ff7529e94eb48dcabf81587f7c275b3e86d - e46ba4bdd4168a399ee5bc2161a8c918095fa30eb20ac88cac6ab1d6dbea2b4a condition: selection and filter
level: high
After the lunch break, I attended a new set of presentation. It started with Ange Albertini who presented the third episode of his keynote trilogy: “Education & communication“. The idea was the same as the previous presentations: Can we imagine a world where everything is secure? Definitively not. And today, our life is bound to computers. It’s a fact that infosec is a life requirement for everybody, said Ange. We need to share our expertise because we are all on the same boat. But the problem is that not everybody is acting in the same way when facing a security issue or something suspicious. It’s so easy to blame people reacting in a bad way. But, according to Ange, education and communication are part of our daily job as infosec professionals. Keep in mind that “not knowing is not a crime” said Ange. Interesting keynote but unfortunately not easy to implement on a day to day basis.
The next talk was presented by Saumil Shad, the classic speaker at hack.lu. Saumil is an awesome speaker and has always very interesting topics. This year it was: “Make ARM Shellcode Great Again“. It was quite hard for me… Saumil’s talk was about ARM shellcode. But as usual, demos well prepared and just working!
Then Alicia Hickey and Dror-John Roecher came on stage to present “Finding the best threat intelligence provider for a specific purpose: trials and tribulations“. IOCs are a hot topic for a while and many organizations are looking into implementing security controls based on IOCs to detect suspicious activities. Speaking about IOCs, there are the classic two approaches: free sources and a commercial feed. What’s the best one? It depends on you but Alicia & Dror make a research about commercial feeds and tried to compare them, which was not so easy! They started with a huge list of potential partners but the study focused on a pool of four (They did not disclose the names). They used MISP to store received IOCs but they had many issues like a lack of standard format between the tested partners. About the delivery of IOCs, there were also differences in terms of time but what do you prefer? Common IOCs quickly released or a set of valuable IOCs within a fixed context? IMHO, both are required and must be used for different purposes. This was an interesting research.
The next talk was presented by Sva: “Pretty Easy Privacy“. The idea behind this talk was to present the PEP project. I already saw this talk last year at FSEC.
My best choice for today was the talk presented by Stephan Gerling: “How to hack a Yacht – swimming IoT“. Last year, Stephan presented an awesome talk about smart locks. This year, he came back with something again smart but way bigger: Yacht! Modern Yachts are big floating IoT devices. They have a complete infrastructure based on a router, WiFi access-points, radars, cameras, AIS (“Automatic Identification System”) and also entertainment systems. There is also a CANbus like cars that carry data from multiple sensors to pilot the boat. If it’s easy to jam a GPS signal (to make the boat blind), Stephan tried to find ways to pwn the boat from the Internet connection. The router (brand: Locomarine) i, in fact,t a Mikrotik router that is managed by a crappy management tool that uses FTP to retrieve/push XML configuration files. In the file, the WiFi password can be found in clear text, amongst other useful information. The funniest demo was when Stephan used Shodan to find live boats. The router interface is publicly available and the administrative page can be accessed without authentication thanks to this piece of (pseudo) code:
if (user == "Dealer") { display_admin_page(); }
Awesome and scary talk at the same time!
The last regular talk was presented by Irena Damsky: “Simple analysis using pDNS“. Passive DNS is not new but many people do not realize the power of these databases. After a quick recap about how DNS works, Irena performed several live demonstrations by querying a passive DNS instance to collect juicy information. What you can find? (short list)
  • List of domains hosted on a name server
  • Malicious domains
  • Suspicious domains (typosquatting & co))

This is a very useful tool for incident responders but don’t forget that there is only ONE condition: the domain must have been queried at least once!

And the second day ended with a set of lightning talks (always interesting ideas and tools promoted in a few minutes) followed by the famous PowerPoint karaoké! Stay tuned tomorrow for the next wrap-up!