Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications: The Black Arts (v3)
DESCRIPTION
Speech by Jon McCoy, Hacking C#(.NET) Applications: The Black Arts (v3), @ AppSec-USA 2014
TRANSCRIPT
AppSec USA 2014
Denver, Colorado
Jon McCoy
Hacking .NET Applications:
The Black Arts
AppSec – USA – 2014
DenHac - DenHac.ORG
Monday 8:00
700 Kalamath St. Denver CO
NOT Microsoft
Cross Platform
Next Step From C++/JAVA
FUTURE COMPATIBLE
PLATFORM INDEPENDENT
WHAT IS .NET?
HACKER VS ATTACKER
NOT ASM LEVEL
WHY NOT IDA?
IDA PRO
IDA PRO
BACK WHEN
BACK WHEN
BUT….
NOT IDA PRO
NOT IDA PRO
IL – Intermediate Language
Code of the Matrix |||| NEW ASM
C# - 15
IL - 34
ASM - 77
LINES
C# - 13 LINES
DECOMPILE
HOW MUCH CODE DO YOU NEED TO READ?
C# - 15
IL - 34
ASM - 77
Attacking/Cracking
IN MEM |||| ON DISK
ATTACKING .NET
ATTACK THE CODE ON DISK
ATTACKING ON DISK
ASM Attacking
Basics of ASM in .NET
Demo
ASM
GRAYWOLF
ON DISK EDIT
ATTACKING .NET APPLICATIONS: AT RUNTIME
GRAYDRAGON
INJECTION
ATTACKING .NET
ATTACK WHILE THE APP IS RUNNING
Run and Inject
SECURITY SYSTEMS
BAD IDEA
Some Things Are Just A Bad Idea!!!
101 - ATTACK ON DISK
Decompile - Get code/tech
Infect - Change the target's code
Remold/Recompile - WIN
Exploit - Take advantage
Connect/Open - Access Code
THE WEAK SPOTS
Flip The Check
Set Value to “True”
Cut The Logic
Return True
Access Value
FLIP THE CHECK
SET VALUE TO “TRUE”
bool Registered = false;
bool Registered = true;
bool Registered = false;
if (a != b)
if (a == b)
if (a == b)
RETURN TRUE
bool IsRegistered()
{
    return true;
    // ........................
}
CUT THE LOGIC
string sqlClean(string x)
{
    return x;
}
CRACK THE KEY
Public/Private    ==  Change Key
3/B==Name*ID*7    ==  ASK what is /B?
Call Server       ==  Hack the Call
Demo = True;      ==  Set Value
Complex Math      ==  Complex Math
1% of the time the KeyGen is given
PUBLIC/PRIVATE KEY
If you can beat them
Why join them
Key = “F5PA11JS32DA”
Key = “123456ABCDE”
SERVER CALL
1. Fake the Call
2. Fake the Request
3. Fake the Reply
4. Win
“Send”
SystemID = 123456789
*Registered = True*
Reg Code = f3V541
REG CODE REPLAY
Name:
Code: ==
JON DOE
98qf3uy!=
*C5G9P3
FAIL
Name:
Code:
*C
5G9P3
REG CODE REPLAY
Name:
Code: ==
JON DOE
5G9P3==
*C5G9P3
WIN
REG CODE REPLAY
COMPLEX MATH
1. Chop up the Math
2. Attack the Weak
3. ??????????
4. Profit
WHAT STOPS THIS?
What is the security?
PROTECTION ON DISK
Protection - Security by 0b$cur17y
Code Obfuscation
Shells / Packers / Encrypted(code)
Logic Obfuscation
Unmanaged calls…to C/C++/ASM
Try to SHUTDOWN Decompilation
PROTECTION ON DISK
0bfu$ca7ed
DEMO
FAIL
UNPROTECTED / PROTECTED
PROTECTION ON DISK
Shells
Pack/Encrypt the EXE
IT CAN BE THAT EZ
What is the security?
’T‘T
VISUAL STUDIO
Exploit – Run arbitrary code
First noted in 2004
Get developer Keys
Attack the SVN & DB
ATTACK VECTOR
www.pretentiousname.com/misc/win7_uac_whitelist2.html
LOOK INSIDE
DON’T LOOK
SECURITY
The Login security check is
Does A == B
Does MD5%5 == X
Is the Pass the Crypto Key
DATA LEAK
The Data sent home is
Application Info
User / Registration Info
Security / System Info
KEY
The Crypto Key is
A Hard Coded Key
The Licence Number
A MD5 Hash of the Pass
Salt MD5 Hash of the Pass
CRYPTO
The Crypto is
DES 64
Triple DES 192
Rijndael AES 256
Home MIX (secure/unsecure)
FIN
HACK THE LOGIN
DEMO
PASS THE KEY
SHOW THE KEY
HACK THE KEY
DEMO
APPSEC-USA 2011
999ca10a050f4bdb31f7e1f39d9a0dda
Static Crypto Key
Vector init = 0
Clear TXT Password Storage
Encrypted Data
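
The weak pattern on the last slide (static crypto key, init vector of zero) beside a corrected form, as an added C# example that is not from the talk. The key, passphrase, class and method names are constructed for illustration, and PBKDF2 key derivation with a random per-message IV is this example's choice of fix, not something the slides prescribe.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class StaticKeyZeroIvDemo
{
    // Constructed demo key; any key compiled into the assembly is readable after decompilation.
    static readonly byte[] StaticKey = Encoding.ASCII.GetBytes("0123456789ABCDEF0123456789ABCDEF");

    // Weak pattern from the slide: hard-coded key plus an all-zero IV (AES-CBC).
    // Encryption becomes deterministic, so equal plaintexts give equal ciphertexts.
    static byte[] EncryptWeak(string text)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = StaticKey;
            aes.IV = new byte[16];
            using (var enc = aes.CreateEncryptor())
            {
                byte[] data = Encoding.UTF8.GetBytes(text);
                return enc.TransformFinalBlock(data, 0, data.Length);
            }
        }
    }

    // Corrected form: key derived from a secret that is not in the binary (PBKDF2),
    // fresh random IV per message, IV stored in front of the ciphertext.
    static byte[] EncryptBetter(string text, string passphrase, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(passphrase, salt, 100000, HashAlgorithmName.SHA256))
        using (var aes = Aes.Create())
        {
            aes.Key = kdf.GetBytes(32);
            aes.GenerateIV();
            using (var enc = aes.CreateEncryptor())
            {
                byte[] data = Encoding.UTF8.GetBytes(text);
                return aes.IV.Concat(enc.TransformFinalBlock(data, 0, data.Length)).ToArray();
            }
        }
    }

    static void Main()
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        string msg = "user=JON DOE;registered=false";   // constructed sample record
        Console.WriteLine("weak, same ciphertext twice:   " + EncryptWeak(msg).SequenceEqual(EncryptWeak(msg)));
        Console.WriteLine("better, same ciphertext twice: " + EncryptBetter(msg, "demo-pass", salt).SequenceEqual(EncryptBetter(msg, "demo-pass", salt)));
    }
}
```

CBC as used here gives confidentiality only; an authenticated mode or a MAC over the IV and ciphertext is still needed to detect tampering with the stored data.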