Hacknet 2015

KPMG Europe’s internal information security conference, Hacknet, was held in Berlin and lasted two days, the 29th and the 30th of April.

This year, it was Ionut, Daniel and me who had the privilege of representing KPMG Romania.

Our team arrived in Berlin on the 28th. After taking our luggage to the hotel, we went for dinner, followed by a short walk in the city.

First Day

The conference kicked off early on the 29th and the program for the day consisted of three presentations and the CTF competition.

The first presentation was on Relaying Contactless EMV, by a colleague from KPMG NL. After an introduction to smart cards and EMV, the speaker described the concept of relay attacks on contactless transactions. Afterwards, he showed a video illustrating his Android implementation of the attack, the novelty of his approach being the small time overhead incurred by the relay. Measurements showed that the duration of a relayed transaction was very close to the duration of a native transaction (sometimes, due to optimizations, even faster).

Scripting Metasploit for a Real-Life Pentest

During a recent internal penetration test, we got to the point where we had to search a lot of Windows machines for Domain Admin tokens. Of course, our objective was to impersonate such a (delegation) token with Metasploit and create our own Domain Admin user.

Since the search space was quite large, we had to automate this task by creating a custom Metasploit script. In this post we describe the process of creating and running such a script.

A bit of context

During our penetration test we managed to obtain the credentials of a privileged user. This user, let’s call him Robert, had local administrative rights on multiple workstations in the Windows domain.

Using Robert’s credentials, we managed to create a low privileged domain user, which we’ll further denote by OurUser, but we were not able to add it to the Domain Admins group.


When Cryptographic API Design Goes Wrong

Whether we like to admit it or not, failing to account for human factors and usability issues when designing secure systems can have unwanted consequences. And while Security Usability is a broad field, today I’d like to focus on what I like to call the [lack of] usability of [some] cryptographic APIs.

A paper on SSL Certificate Validation

To get my point across, I’d like to bring forth a paper written in 2012 by Martin Georgiev, Subodh Iyengar, Suman Jana, Rishita Anubhai, Dan Boneh, and Vitaly Shmatikov, called The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software.

In this paper, the authors claim and empirically confirm that SSL certificate validation is completely broken in many security-critical applications and libraries, meaning that any SSL connection initiated from any of these applications and libraries is insecure against a man-in-the-middle attack.

They credit these vulnerabilities to badly designed APIs of SSL implementations and data-transport libraries, which present developers with a confusing array of settings and options.
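As an added illustration (my own example, not code from the original post or from the paper), the same "confusing array of settings" shows up in Python's standard `ssl` module: chain verification (`verify_mode`) and hostname verification (`check_hostname`) are two independent knobs, so a context can verify the certificate chain and still accept any valid certificate for any name, which is exactly the hostname-check failure the paper describes. The helper names (`validates_peer`, `chain_only_context`, `audit_contexts`) are my own; the behaviour of `ssl.SSLContext` is the library's.

```python
import ssl


def validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context checks BOTH the chain and the hostname.

    A reviewer can run this over every context an application builds; a
    False here means a MITM with any CA-issued certificate is accepted.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def secure_context() -> ssl.SSLContext:
    """The correct default: chain verified against the system trust store and
    the hostname checked against the certificate."""
    return ssl.create_default_context()


def chain_only_context() -> ssl.SSLContext:
    """Constructed failure mode #1: the chain is verified, the hostname is not.

    Looks secure (CERT_REQUIRED is set) but accepts a certificate issued to
    any name, so it is broken against an active attacker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def no_validation_context() -> ssl.SSLContext:
    """Constructed failure mode #2: validation switched off entirely, the kind
    of 'make the error go away' change the paper found in shipped software."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: setting verify_mode = CERT_NONE while check_hostname is
    # still True raises ValueError, so the two lines are usually swapped by
    # trial and error, and the result is a context that verifies nothing.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def wrong_order_is_rejected() -> bool:
    """The library does guard against one mistake: disabling chain checks
    while hostname checks are still on is refused. Returns True if the
    guard fired."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


def audit_contexts() -> dict:
    """Audit the three constructed contexts; only the default one passes."""
    contexts = {
        "default": secure_context(),
        "chain_only": chain_only_context(),
        "no_validation": no_validation_context(),
    }
    return {name: validates_peer(ctx) for name, ctx in contexts.items()}


if __name__ == "__main__":
    for name, ok in audit_contexts().items():
        print(f"{name:14s} validates peer: {ok}")
    print("CERT_NONE with check_hostname=True refused:", wrong_order_is_rejected())
```

The useful defensive habit this shows is to audit on the pair of settings, not on the presence of `CERT_REQUIRED` alone: a grep for `CERT_NONE` would miss the `chain_only_context` case, which is the one the paper found most often in real code.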
