Java Hurdling Obstacles And Techniques In Java Client Penetration-Testing


Case Study
Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Tal Melamed, Application Security Expert
Tal@AppSec-Labs.com

Agenda
- Me
- AppSec Labs
- The problems
- Fail #1
- Fail #2
- Fail #3

about:me
- Tech Lead @ AppSec Labs
- Tal@AppSec-Labs.com
- Application Security Expert
- Trainer, builder & breaker
- Follow me @ appsec.it
- https://github.com/nu11p0inter
- …, but when I do: http://lnkdin.me/cyber

AppSec Labs
https://appsec-labs.com/

AppSec Labs
Industry vectors: AppSec Labs provides its high-end services to the following industry vectors:
- High Tech software development
- Banking and financing
- National security
- IoT
- Cloud
- Pharmaceuticals
- Commerce
- Travel and transport
- IT Security
- Communications

We are hiring!
- Experienced PT
- Exp. Code-Review*
- Training skills
- Willing to travel
- Independent work and self-learning ability
*English
jobs@appsec-labs.com

Disclaimer
This is a true story. The events depicted in this talk took place in 2016. At the request of the survivors, names, characters, places and incidents were changed, and are either products of the author's imagination or are used fictitiously. Any resemblance to actual events or locales or persons, living or dead, is entirely coincidental. The rest is told exactly as it occurred.
Warning: this presentation might contain memes

The Problems
- TCP rather than HTTP
- SSL/TLS
- Certificate Pinning
- Runtime manipulation
- Patching the application
- ProKSy – revealed for the first time

Day 1: I Got This!
- Let's use BURP! Set the HTTP Proxy (option in tool)
- Nothing happens
- Looking at Wireshark: port 1XXXX, TLS - not HTTP!
- Sure, let's use AppSec Labs' incredible TCP proxy tool (TBC)

Problem #1: No HTTP/S
We all Burp (nothing to be ashamed about).
But what if the application is not communicating over HTTP(S)?

Echo Mirage – by Wildcroft Security
Link: unknown (good luck with FileHippo)

Advanced Packet Editor
https://github.com/appsec-labs/Advanced-Packet-Editor
Based on:

APE
Intercept & tamper with TCP-based communication

APE
What's new

APE
External Filter – Python based

APE – Listen to Requests
HTTP/S? – Why not integrate with Burp?

What Really Happened?
Nothing! Probably SSL (also, doesn't work on 64-bit)

What Else is …
…/stcppipe.zip

A Fraction of Hope

Side Note: De/Serialization
What is serialization?
Converting the state of data to a byte stream so that the byte stream can be reverted back into a copy of the object.
What is the problem?
Deserialization of untrusted data.
What does that mean?
Deserializing data coming from the client could abuse the application logic, deny service, or execute arbitrary code.
What to look for?
- …ObjectOutputStream.replaceObject()
- ObjectInputStream.readUnshared()
- Many more

All You Need to Know
You can find everything …
- …alization-Exploit
- PayPal RCE (…l-rce.html)
- Burp …
- … Code Analyzer: https://github.com/mbechler/serianalyzer

Where Were We?
I can see the traffic, but how do I tamper with it?
Tunnel "stripped" traffic onto APE!
We need to inject APE into stcppipe.

And Fail #1
APE got the encrypted data

How Do We Intercept TCP Over SSL?
- Download TcpCatcher: http://www.tcpcatcher.org/
- Download TcpCatcher's root certificate
- Install it as a Root CA in the KeyStore
- Download KeyStore Explorer: http://www.keystore-explorer.org/

How Do We Intercept TCP Over SSL?
- Configure TcpCatcher to communicate with both the client and the server
TcpCatcher will now serve as a MitM.

Woohoo!

What Really Happened?
It didn't work!
Let's say I got this…
Let's decode:

Now, that my friends… is SSL pinning!
The application validates the info of the received (TcpCatcher's) certificate against the wanted info, hardcoded in the class.
Since it's a self-signed certificate, we could just replace it with our own.
Your passphrase is: "OpenSSL"
- Create your own self-signed certificate
- Fill in the required info (found in the class)
- Install the new certificate in the KS
Should do the trick!

Keytool
keytool -keystore clientkeystore -genkey -alias client
keytool -keystore clientkeystore -certreq -alias client -keyalg rsa -file client.csr

But, as seems to have happened a lot…
TcpCatcher does not support using your own certificate, only on-the-fly ones with a single value.

Other Possible Scenarios
Checking that it's "actually" a Root CA:
- Create a Root CA, using OpenSSL
- Sign your certificate with the Root CA
- Import the new Root CA into the default KeyStore (default password: changeme)
Pinning the Root CA:
- You might need to actually sign your own certificate
Pinning the intermediate:
- You'll probably have to patch the code and replace the intermediate public key with your own
Using a self-created KeyStore:
- Replace the KeyStore
- Might require some patching to bypass possible KS validations (e.g. checksum)
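The pinning slide and the scenario list above show why the client's check failed it: it compared subject-name fields hardcoded in the class, and anyone who can mint a certificate (self-signed or not) can fill in the same fields. What the check should bind to is the server's public key. As an added example (mine, not from the talk or from any of the tools it mentions), a trust manager that first runs the platform's normal chain validation and then requires that some certificate in the chain, leaf, intermediate or root, has a SHA-256 SubjectPublicKeyInfo hash on the pin list; that covers the "pin the Root CA" and "pin the intermediate" variants from the slide in one check. The class name SpkiPinningTrustManager is my own and the pin values you would embed are placeholders computed once against the real server key.

```java
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.net.ssl.*;

/** Added example: pin the SHA-256 of the SubjectPublicKeyInfo, not subject-name fields. */
public final class SpkiPinningTrustManager implements X509TrustManager {
    private final X509TrustManager platform; // does ordinary chain validation
    private final Set<String> pins;          // base64(SHA-256(SPKI)) values, embedded at build time

    public SpkiPinningTrustManager(Set<String> pins) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // platform default trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new GeneralSecurityException("no X509TrustManager available");
        this.platform = found;
        this.pins = pins;
    }

    /** base64(SHA-256(DER SubjectPublicKeyInfo)): the same pin format HPKP and OkHttp use. */
    public static String spkiPin(PublicKey key) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return Base64.getEncoder().encodeToString(digest);
    }

    /** True if any certificate in the presented chain carries a pinned key. */
    public static boolean chainMatchesPin(X509Certificate[] chain, Set<String> pins)
            throws NoSuchAlgorithmException {
        for (X509Certificate cert : chain) {
            if (pins.contains(spkiPin(cert.getPublicKey()))) return true;
        }
        return false;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Step 1: the chain must still validate to a trusted root (expiry, signatures, hostname
        // handled by the platform and the SSLParameters endpoint identification).
        platform.checkServerTrusted(chain, authType);
        // Step 2: and one of its keys must be the one we expect. A MitM certificate that
        // merely copies the subject fields fails here, because it cannot copy the key.
        try {
            if (!chainMatchesPin(chain, pins)) {
                throw new CertificateException("no certificate in the chain matches a pinned SPKI hash");
            }
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }

    /** Build an SSLContext whose sockets enforce the pins. */
    public static SSLContext pinnedContext(Set<String> pins) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new SpkiPinningTrustManager(pins) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: derive a pin from a freshly generated key. Operationally you run
        // spkiPin() once against the real server (and backup) key and embed the result.
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        String pin = spkiPin(kp.getPublic());
        System.out.println("pin = " + pin);
        System.out.println("matches itself: " + pins_demo(kp, pin));
    }

    private static boolean pins_demo(KeyPair kp, String pin) throws NoSuchAlgorithmException {
        return Set.of(pin).contains(spkiPin(kp.getPublic()));
    }
}
```

Two caveats the slide deck itself makes plain: pin at least one backup key so a key rotation does not brick the client, and remember that any check living in the client binary can be patched out (the deck's Day 3), so pinning raises the cost of interception but is never a substitute for the server authorizing every request.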

What do we do now?
Let's hook in runtime!
Goodbye stcppipe. Hello JavaSnoop!

Day 2: JavaSnoop
- Attaches to any app running on the JVM
- Hook methods
- Tamper with parameters, print stacks, etc.

JavaSnoop

What Really Happened?

After 5 Hours (on the 2nd day!)

I Shall Call Him

Fail #2
Server checked the value. What next?
Let's patch the JAR!

Day 3: Fail #3
// extract jar
# jar -xf myapp.jar
// pack jar
# jar -cvf desired.jar files
// update jar
# jar -uf file.jar my.class

Let's Modify Classes Directly!
Now, how do you modify class files?

Introducing - JBE
Java Bytecode Editor - http://set.ee/jbe/
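The three jar commands above and a bytecode editor are all it takes to swap a class inside myapp.jar. The defensive control that makes such a swap visible is JAR signing: once a JAR is signed, every entry's digest is recorded in the manifest and covered by the signature. As an added example (mine, not from the talk), a checker that opens a JAR with verification enabled, reads every entry to force the digest check, and reports entries that are unsigned (added or re-packed without signing) or whose digest no longer matches (patched in place). The class name JarIntegrityCheck is my own; myapp.jar is the file name used on the slide.

```java
import java.io.*;
import java.security.CodeSigner;
import java.util.*;
import java.util.jar.*;

/** Added example: report unsigned or modified entries in a signed JAR. */
public final class JarIntegrityCheck {

    public static final class Result {
        public final List<String> unsigned = new ArrayList<>();
        public final List<String> tampered = new ArrayList<>();
        public boolean clean() { return unsigned.isEmpty() && tampered.isEmpty(); }
    }

    public static Result check(File jarPath) throws IOException {
        Result r = new Result();
        // verify=true makes JarFile compare each entry's digest with the signed manifest
        // as the entry is read; a mismatch surfaces as a SecurityException from the stream.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) {
                        // reading to EOF is what triggers the digest comparison
                    }
                } catch (SecurityException ex) {
                    r.tampered.add(e.getName());
                    continue;
                }
                // Code signers are only available after the entry has been read completely.
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    r.unsigned.add(e.getName());
                }
            }
        }
        return r;
    }

    public static void main(String[] args) throws IOException {
        File f = new File(args.length > 0 ? args[0] : "myapp.jar");
        Result r = check(f);
        System.out.println("unsigned entries: " + r.unsigned);
        System.out.println("tampered entries: " + r.tampered);
        System.out.println(r.clean() ? "JAR is intact" : "JAR has been modified or re-packed");
    }
}
```

Note what this does and does not prove. A patched JAR that was simply re-signed with a different key passes the digest check, so a real deployment also compares `signers[0].getSignerCertPath()` against the expected signing certificate. And, as the deck's own Fail #2 shows, a check that runs inside the client can itself be patched out; the reliable place to enforce the outcome is the server.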

Java Bytecode
https://en.wikipedia.org/wiki/Java_bytecode_instruction_listings
Java Bytecode | Human
ifeq / ifne | if value is (not) 0, branch to offset
if_icmpeq / if_icmpne | if ints are equal / not equal
iconst_0 / iconst_1 | load int 0 / int 1
aload_0 | load a reference onto the stack from local variable 0
astore_1 | store a reference into local variable 1
dcmpg | compare two doubles
areturn | return a reference from a method
fneg | negate a float
ireturn | return an integer from a method
ldc | push a constant from the constant pool onto the stack

Java Bytecode Editor
Demo time

What REALLY Happened?
0. Load something
1. If null, jump to 14 (const 0)
4. Load something
5. Get static "ADMIN"
8. Invoke equals(x, y)
11. If equal, jump to 18 (const 1)
14. (no jump) const 0
15. Go to 19 (return)
18. const 1
19. return

Before

I'll Just…

Let Us Pray!

After 2 days and 6 hours

Imagine if…
We needed to create a MitM, to serve as a proxy between the original MitM and the client, replacing its on-the-fly certificate with our own certificate.
So, now we have:

For the first time!
Introducing… ProKSy
-- What's with the "KS"?
-- Stands for KeyStore :P
https://github.com/nu11p0inter/ProKSy

Demo Time!

The Moral of the Story
- What did not work for me might work for you
- Java – might not be (fun) "writable", but "readable"
- Never give up - there's no such thing as "unbreakable"
- We love memes
- Download ProKSy!

One slide to d\l them all
- APE - TCP (.NET) Proxy for … (…tor/)
- ProKSy - TCP/SSL Proxy for SSL …
- JavaSnoop - Java Runtime … (…vasnoop)
- JBE/reJ - Java ByteCode … (…rojects/rejava)

Thank you! See you @ OWASP IL …
