
DEF CON Training
Tom Tervoort, Michael Schouwenaar, Michel Lennard - Common cryptographic bugs in applications and how to exploit them $2,500
Common cryptographic bugs in applications and how to exploit them
Training description:
Hacking cryptographic systems is usually seen as the domain of either academics writing complicated attack papers on communication protocols, or CTF enthusiasts solving fun but unrealistic puzzles. When you encounter cryptography as a pentester, though, actually attempting to break it seems like a daunting task: you may be able to write up a theoretical finding about how cipher X is bad and that they should Y instead, but that is not going to get you a shell.
Meanwhile, application developers are putting crypto everywhere, using badly-designed low-level libraries that are almost impossible to use securely. This results in a number of extremely common crypto bugs that are quite often exploitable in practice. And with 'exploitable' we don't just mean that you might be able to extract some encrypted bits when analyzing intercepted network traffic: what we're interested in are the likes of unauthenticated RCE and full authentication bypasses, that you can trigger by sending a bunch of HTTP requests from a Burp extension or Python script.
This course will be about these kinds of bugs: real (web) application crypto vulnerabilities that you can exploit remotely and immediately achieve useful results with. We will cover the basics of modern cryptography most relevant to pentesters, and some of the fundamentals that many developers get wrong. We'll examine how to spot the interesting and exploitable crypto bugs and distinguish them from the boring ones.
Participants will learn about a variety of crypto attack techniques while solving a series of hacking challenges that are each based on real exploitable crypto bugs we discovered during vulnerability research and pentests, and will also develop a feel for how to work around some practical obstacles that complicate exploitation. Following this course should provide pentesters with a toolbox of new attack skills with which to test application-level crypto, as well as an understanding of how to identify and avoid common flaws.
This course is primarily aimed at pentesters experienced with web application pentests, although its contents will also be interesting for security-minded software developers interested in the common pitfalls surrounding application-level cryptography. Participants should be comfortable with (basic) scripting/automation and intercepting HTTP proxies. Cryptographic expertise is not required, but some affinity with the topic is recommended.
Trainer(s) bio:
Tom Tervoort is a Principal Security Specialist for Secura, a security company based in the Netherlands. Tom regularly performs network pentests, web/mobile application assessments, as well as code, configuration and design reviews for large Dutch companies and institutions. Tom's primary areas of interest include cryptographic protocols and cryptography engineering, advanced web attacks and Windows AD pentesting. Besides doing security assessments, Tom also develops and gives cryptography and secure programming courses to software developers. In December 2020, Tom won a Pwnie award for Best Cryptographic Attack, due to his discovery of the Zerologon vulnerability. Tom has spoken at various conferences, including ONE Conference 2021, Black Hat USA 2021 and Black Hat Europe 2022.
Michael Schouwenaar is an ethical hacker and team manager for Secura. He regularly performs application assessments, network penetration tests, and both leads and participates in red team assessments. Michael has a lot of experience on the code and development side of things, as he worked as a software developer for over ten years before switching full-time to offensive security. Michael enjoys participating in CTF events, where he likes to solve cryptographic challenges, and has played in two CTF finals, one of which his team won. Michael regularly hosts secure programming and threat modeling trainings, and has helped develop a cryptography-related training with Tom.
Michel Lennard de Boer is a working student for Secura with an avid interest in cryptography. He has participated in many CTF events, focusing mostly on solving cryptography challenges. He is part of the organization for the Radboud Institute of Pwning CTF group. As such, he has experience not only in playing CTFs, but also in the collaboration around them, as well as in creating CTF challenges. Furthermore, last year he was selected by the Dutch Challenge The Cyber team to participate in the European Cyber Security Challenge in Vienna. Other interests include reverse engineering, swimming, hiking, and running.
Trainer(s) social media links:
Michael: https://linkedin.com/in/mschouwenaar
Tom: no links to share
Michel: https://linkedin.com/in/michel-lennard-de-boer
Outline:
- Brief history of cryptography
- Common uses of application-level cryptography
- Common design problems
- Encryption oracles
- Unsafely combined cipher input
- Finding and exploiting leaked keys
- Block and stream ciphers
- Attack categories: known-plaintext vs chosen-plaintext vs chosen-ciphertext
- Hash functions, MACs and AEADs
- KDFs and password-based KDFs
- Chosen-ciphertext forgeries
- Decrypting secrets with a partial chosen-plaintext
- Passwords vs. keys
- Offline brute-force and dictionary attacks; copy+pasted defaults
- Password storage and password-based encryption; salting, stretching and cost trade-offs
- Padding oracle attacks
- Ciphertext malleability attacks
- Root cause; solutions; pitfalls
- Static IV != equality-preserving encryption
- Attacking static-IV CFB
- Key exchange
- Asymmetric (hybrid) encryption, KEMs
- Digital signatures
- Primitives: RSA, finite field DH, elliptic curves, PQC
- TLS and X.509 certificates
- WebPKI and domain validation
- Client certificate pitfalls
- Certificate spoofing attacks against reverse proxies
- Analysing and exploiting leaked key stores
- Hybrid encryption attacks
- RSA PKCS#1 padding oracles
- Sign/encrypt confusion
Technical difficulty:
Intermediate.
Web application pentesting skills are required, and participants should have sufficient scripting experience to automate sending HTTP requests and shift bits around (any programming language; Python will be used for demonstration). Prior cryptographic expertise is not required.
Suggested prerequisites:
There are no specific materials that we suggest students read before the class.
Students should bring:
Students need to bring a laptop with an intercepting proxy tool (e.g. Burp Suite, ZAP), and the ability to run scripts in whatever programming language (and HTTP client library) the student is comfortable with.
If the Community edition of Burp is used, please consider any possible limitations and prepare alternatives beforehand. For example, Burp Intruder is heavily limited in the Community edition, but Turbo Intruder is a very solid alternative if you know how it works.
The labs will be accessed online, but we will arrange an offline back-up solution (probably a VM on a thumb drive) in case of technical difficulties.
DATE: August 14th-15th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINERS: Tom Tervoort, Michael Schouwenaar, Michel Lennard
- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st; the processing fee is $250.
Trainings are non-refundable after July 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.
DEF CON Communications, Inc.
1100 Bellevue way NE
8A-85
Bellevue, WA 98004