Mobile ActiveSync Russian Roulette (Kiwicon 09)
Presented by Oliver “deathflu” Greiter



assurance

Assurance / Oliver Greiter
- Assurance = compliance { penetration testing/ethical “hacking”, review, audit }, wireless & mobility, UNIX/Windows/network and security consulting/support
- Oliver = professional bio author and breaker of stuff




Exchange ActiveSync
- Based on HTML and XML
- Platforms with Exchange ActiveSync compatible client
- Allows users to access their e-mail, calendar, contacts, and tasks stored on Exchange server
- Cheaper solution to implement (at first glance) when compared to other solutions such as BlackBerry
- “Good” way to encourage (enslave) users to check corporate email on their own time

Simple Diagram (figure)




Default security configuration
- SSL transport layer protection (HTTPS)
- Basic Auth
- Device ID
- “Enforced” Device Security Policy


Sample Sync Request
POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274
&DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1

Host: autodiscover.dept.gov.au
Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9
Accept-Language: en-us
Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ==
Expect: 100-continue
User-Agent: NokiaE61i/2.09(158)MailforExchange
Content-Type: application/vnd.ms-sync.wbxml
MS-ASProtocolVersion: 12.1
X-MS-PolicyKey: 1799664318
Content-Length: 68

jEOK1643522697R5U50WX2EF1G3072[1
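What a defender can pull out of a request like the one above, as an added example that is not from the talk: a small Python parser for the EAS request line and headers that reports the username carried in the URL, Basic credentials (and whether the capture came over TLS), commands outside the EAS 12.1 list given in the speaker notes, and a DeviceId presented by more than one account in a batch of log entries. The sample request and log targets are constructed from the slide, with the credential and the WBXML body replaced by placeholders.

```python
"""Review Exchange ActiveSync requests for the exposures the talk points at
(added example, not code from the talk; EAS 12.1 command list from the notes)."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

KNOWN_COMMANDS = {
    "Sync", "SendMail", "SmartForward", "SmartReply", "GetAttachment", "GetHierarchy",
    "CreateCollection", "DeleteCollection", "MoveCollection", "FolderSync", "FolderCreate",
    "FolderDelete", "FolderUpdate", "MoveItems", "GetItemEstimate", "MeetingResponse",
    "Search", "Settings", "Ping", "ItemOperations", "Provision", "ResolveRecipients",
    "ValidateCert",
}

# Constructed sample built from the slide's request: query string re-joined on
# one line, the Basic credential and the WBXML body replaced by placeholders.
SAMPLE_REQUEST = (
    "POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274"
    "&DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1\r\n"
    "Host: autodiscover.dept.gov.au\r\n"
    "Authorization: Basic PLACEHOLDER-NOT-A-REAL-CREDENTIAL\r\n"
    "User-Agent: NokiaE61i/2.09(158)MailforExchange\r\n"
    "Content-Type: application/vnd.ms-sync.wbxml\r\n"
    "MS-ASProtocolVersion: 12.1\r\n"
    "X-MS-PolicyKey: 1799664318\r\n"
    "Content-Length: 11\r\n"
    "\r\n"
    "WBXML-BODY."
)

# Constructed log sample: the slide's DeviceId also appears under a second account.
SAMPLE_TARGETS = [
    "/Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274"
    "&DeviceType=IMEI351878010074274&Cmd=Sync",
    "/Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274"
    "&DeviceType=IMEI351878010074274&Cmd=Ping",
    "/Microsoft-Server-ActiveSync?User=jsmith&DeviceId=IMEI351878010074274"
    "&DeviceType=IMEI351878010074274&Cmd=FolderSync",
    "/Microsoft-Server-ActiveSync?User=jsmith&DeviceId=Appl000000000"
    "&DeviceType=iPhone&Cmd=Sync",
]


def parse_eas_target(target):
    """Pull the EAS query parameters out of a request target (URL path + query)."""
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"path": parts.path, "user": params.get("User"), "cmd": params.get("Cmd"),
            "device_id": params.get("DeviceId"), "device_type": params.get("DeviceType")}


def parse_eas_request(raw, over_tls):
    """Parse a raw HTTP request. over_tls says whether the capture came from an
    HTTPS connection; the bytes alone cannot tell a parser that."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    info = parse_eas_target(target)
    info.update(method=method, http_version=version, headers=headers,
                protocol_version=headers.get("ms-asprotocolversion"),
                policy_key=headers.get("x-ms-policykey"))
    info["findings"] = review(info, over_tls)
    return info


def review(info, over_tls):
    """Findings a defender would want from a single request."""
    findings = []
    auth = info["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        findings.append("basic-auth: credential is only base64-encoded; "
                        "TLS is the sole protection")
        if not over_tls:
            findings.append("basic-auth-cleartext: credential readable on the path")
    if info["user"]:
        findings.append("username-in-url: account name visible in URL and logs")
    if info["cmd"] not in KNOWN_COMMANDS:
        findings.append(f"unknown-command: {info['cmd']!r} not in EAS 12.1 list")
    return findings


def shared_device_ids(targets):
    """Across request targets (as found in IIS logs), return DeviceIds presented
    by more than one account: DeviceId is a plain URL parameter, so reuse is a
    cheap signal that a device identity has been copied."""
    seen = defaultdict(set)
    for target in targets:
        p = parse_eas_target(target)
        if p["device_id"] and p["user"]:
            seen[p["device_id"]].add(p["user"])
    return {d: sorted(u) for d, u in seen.items() if len(u) > 1}
```

The same parser runs unchanged over IIS log request targets, so the DeviceId check can be applied to a day's worth of server logs without touching the client.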



autodiscover.{domain}.com
Approximately 30% of “Top 500 domains”* had an autodiscover hostname in DNS

*http://www.seomoz.org/top500

(Two further slides showing the list of autodiscover domains, as images)
MITM Attack
- ARP spoof?
- DNS poisoning?
- Fake WiFi Hotspot?
- Port re-direction?
MITM Fun
- Sniff Traffic - Emails, Contacts, Notes, User credentials (AD domain)
- Client Request Replay - Generate your own requests and replay them to the server
- Server Response Replay - Generate your own responses and replay them to the client




Kill Command Replay (figure)




Sample kill response
HTTP/1.1 449 Retry after sending a PROVISION command
Connection: Keep-Alive
Date: Fri, 20 Nov 2009 22:29:31 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
Cache-Control: private
X-AspNet-Version: 2.0.50727
MS-Server-ActiveSync: 8.1
X-Powered-By: ASP.NET
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 70

[70 bytes of gzip-compressed body, not printable]


Symbian OS
Nokia N95, Mail for Exchange v2.9.158




iPhone OS
iPhone 3G, iPhone OS v3.1.2




Windows Mobile 6.1
Dell AXIM X51v PDA, Windows Mobile 6.1




What just happened?




In an ideal world...
- Valid SSL Certificate on server
- Unique Client Certificate on each device
- Device (and storage card) encryption
- Access restricted to a private cell network Access Point Name (APN)
- HTTP Digest authentication
- Exchange ActiveSync domain segregation
- User education
Application Improvement
How about introducing session management as a default component of the application?
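One way to model the session management the slide asks for, as an added example that is not code from the talk or from Exchange (a hypothetical design, not the EAS wire format): each request carries a one-time nonce with a deadline, and the client only honours a response, including the 449 "retry after PROVISION" that the talk replays, whose nonce matches a request still outstanding. This stops replay of captured responses and of responses lifted from another device's session; it does not stop an in-line attacker who terminates TLS and can read the live nonce, so it complements certificate validation rather than replacing it.

```python
"""Model of per-request session binding for an ActiveSync-style client.

Added example, not the talk's or Microsoft's code; a hypothetical design.
LegacyClient acts on any 449 it receives, as the tested clients did.
SessionClient only acts on a response whose nonce matches an outstanding,
unexpired request, and each nonce is consumed on first use."""
import secrets
import time


class LegacyClient:
    """Stateless handling: every 449 triggers re-provisioning, whoever sent it."""

    def __init__(self):
        self.provision_requests = 0

    def handle_response(self, resp):
        if resp["status"] == 449:
            # In the talk this path is what a replayed server response drove.
            self.provision_requests += 1
        return "accepted"


class SessionClient:
    """Binds every outstanding request to a one-time nonce with a deadline."""

    def __init__(self, now=time.time, ttl=30.0):
        self.now = now            # injectable clock so expiry can be tested
        self.ttl = ttl            # seconds a request stays answerable
        self.outstanding = {}     # nonce -> deadline (epoch seconds)
        self.provision_requests = 0

    def build_request(self, cmd):
        nonce = secrets.token_hex(16)  # 128 bits; never reused
        self.outstanding[nonce] = self.now() + self.ttl
        return {"cmd": cmd, "nonce": nonce}

    def handle_response(self, resp):
        nonce = resp.get("nonce")
        deadline = self.outstanding.pop(nonce, None)  # consumed on first use
        if deadline is None:
            return "rejected: no outstanding request carries this nonce"
        if self.now() > deadline:
            return "rejected: matching request has expired"
        if resp["status"] == 449:
            self.provision_requests += 1  # a genuine, fresh provisioning demand
        return "accepted"


class ProvisioningServer:
    """Hypothetical server side: every response echoes the request's nonce."""

    def respond(self, req, status=200, body=b""):
        return {"status": status, "nonce": req["nonce"], "body": body}
```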


Where to from here?

3G MITM Attacks?




Thanks
- y011
- kiwicon crüe

Questions?

oliver.greiter@assurance.com.au

Mobile Activesync Russian Roulette - Kiwicon 09


Editor's notes

  1. How many of you have checked your email while sitting on the toilet? pause A report by Osterman Research focusing on mobile messaging in the North American Workplace found that 79% of respondence admitted to doing so. o 77% have done so while driving (when the car is moving) o 41% have done so on a commercial flight while in the air o 16% have done so during a funeral or memorial service o 11% have done so during a romantic moment pause I’m here to talk to you about the bad things that can happen while checking your email on the shitter.
  2. - austrian by nationality, don’t hold an australian passport - there’s no kangaroos in austria - risky biz movember team
  3. - it’s a basic web application - some organisations implement using the corporate owned devices and some organisations implement the solution using employee owned devices
  4. - The server is normally named autodiscover.domain.name - sync also via USB Cradle Sync - IIS accepts the connection and then passes it onto the exchange server - (HTTPS)
  5. - Basic Auth - Base64 easily decoded - Device ID - the administrative interface can be used to block or permit certain device IDs - All three platforms tested (WM, iPhone OS, Symbian OS) implemented the Microsoft API to different levels (device policy) - Nokia wipe interrupted - removed pin lock and emails were still in inbox Device policy consists of things such as: - enforcing a device password - min pass length - alphanumeric pass - max password age - pass history - account lockout threshold - idle session timeout
  6. - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  7. - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  8. - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  9. - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  10. - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  11. - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  12. - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  13. - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  14. - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
20. - Explain the setup process and the "automatically obtain settings" option: the client asks the Exchange server for its configuration (Autodiscover) rather than the user typing in a server name.
- Settings are sent to the device via an XML response from the server.
- Because the client looks for autodiscover.<domain>, the endpoints are easy to find; a query of public DNS turned up, among others:
AUSTRALIA: autodiscover.firevibe.com.au autodiscover.awm.gov.au autodiscover.brisbane.qld.gov.au autodiscover.childsafety.qld.gov.au autodiscover.bendigobank.com.au autodiscover.banks.com.au autodiscover.adelaidebank.com.au autodiscover.benbank.com.au autodiscover.msn.com autodiscover.three.com autodiscover.vodafone.com autodiscover.altmedia.net.au autodiscover.abc.net.au autodiscover.pblmedia.com.au autodiscover.yahoo.com.au
NEW ZEALAND: autodiscover.savethekiwi.org.nz autodiscover.policy.net.nz autodiscover.powergenerators.net.nz autodiscover.newzealandnow.govt.nz autodiscover.nzalpa.org.nz autodiscover.caa.govt.nz autodiscover.otago.ac.nz autodiscover.auckland.ac.nz autodiscover.massey.ac.nz autodiscover.lincoln.ac.nz
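An added example, not part of the original deck, of the two halves of that setup step: the URLs an EAS client tries for its Autodiscover lookup (which is why autodiscover.<domain> names show up in public DNS), and the parsing of the XML response that hands the device its ActiveSync server URL. The email address, hostnames and the sample response are constructed; the request and response schemas are the MobileSync Autodiscover ones. The check at the end flags a response that points the device at a host outside the user's own domain, which is what a rogue Autodiscover responder would do.

```python
import urllib.parse
import xml.etree.ElementTree as ET

REQ_NS = "http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006"
RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006"


def autodiscover_candidates(email: str) -> list[str]:
    """URLs an EAS client tries, in order, when told to obtain settings automatically.
    The last resort (not returned here) is a DNS SRV lookup of _autodiscover._tcp.<domain>."""
    domain = email.rpartition("@")[2].lower()
    return [
        f"https://{domain}/autodiscover/autodiscover.xml",
        f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
        f"http://autodiscover.{domain}/autodiscover/autodiscover.xml",  # expects only a redirect
    ]


def build_request(email: str) -> str:
    """Body of the POST the client sends to each candidate URL."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="{REQ_NS}">
  <Request>
    <EMailAddress>{email}</EMailAddress>
    <AcceptableResponseSchema>{RESP_NS}</AcceptableResponseSchema>
  </Request>
</Autodiscover>"""


# Constructed response, in the shape the server answers with. Names and host are invented.
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="{RESP_NS}">
    <Culture>en:en</Culture>
    <User>
      <DisplayName>Joe Bloggs</DisplayName>
      <EMailAddress>jbloggs@example.gov.au</EMailAddress>
    </User>
    <Action>
      <Settings>
        <Server>
          <Type>MobileSync</Type>
          <Url>https://mail.example.gov.au/Microsoft-Server-ActiveSync</Url>
          <Name>https://mail.example.gov.au/Microsoft-Server-ActiveSync</Name>
        </Server>
      </Settings>
    </Action>
  </Response>
</Autodiscover>"""


def parse_response(xml_text: str) -> list[tuple[str, str]]:
    """Every (Type, Url) pair the server handed back."""
    root = ET.fromstring(xml_text)
    servers = []
    for srv in root.iter(f"{{{RESP_NS}}}Server"):
        servers.append((srv.findtext(f"{{{RESP_NS}}}Type"), srv.findtext(f"{{{RESP_NS}}}Url")))
    return servers


def mobilesync_url(xml_text: str, email: str) -> tuple:
    """The ActiveSync URL the device will sync against, and whether its host sits under
    the user's own mail domain. A client that skips this check follows whatever it is told."""
    domain = email.rpartition("@")[2].lower()
    for stype, url in parse_response(xml_text):
        if stype == "MobileSync" and url:
            host = (urllib.parse.urlsplit(url).hostname or "").lower()
            return url, host == domain or host.endswith("." + domain)
    return None, False


if __name__ == "__main__":
    print(autodiscover_candidates("jbloggs@example.gov.au"))
    print(build_request("jbloggs@example.gov.au"))
    print(mobilesync_url(SAMPLE_RESPONSE, "jbloggs@example.gov.au"))
```

Nothing in the exchange itself authenticates the answer beyond the TLS certificate on the Autodiscover host, so the device's handling of a bad certificate (the subject of the rest of the talk) decides whether the returned URL can be trusted at all.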
  21. list of autodiscover domains
35. - Attack one endpoint or the other, or the traffic in between.
- SSL has taken a battering this year (Moxie's wildcard cert, the renegotiation flaw), but this talk isn't about that: in most cases the user still gets prompted about a dodgy SSL cert. This talk is about the sloppy implementation of security on the various clients.
- Port 443 is all we care about (maybe DNS too!).
- SSL cert: Moxie's wildcard SSL cert (Firefox 2 accepts the cert without warning; Firefox 3 won't prompt the user to accept the cert in the default config).
- A proxy to pass, capture and replay traffic.
36. Sniff traffic - Pass the traffic on while logging it. Use the captured credentials to gain access to any other application that is AD-integrated, such as Outlook Web Access, or to the internal domain through some other path (physical access, wireless, etc.).
Request replay - Send emails (spam), retrieve emails, retrieve attachments, search for contacts (mirror the address book).
Response replay - Kill response replay - explain: replaying the server's remote-wipe ("kill") response to the device (the central management function for dealing with lost or stolen devices).
37. Overview of what is going to take place when executing the kill command replay. As we know, the user can't be relied upon to decide whether a cert is valid or not, especially when very little information is provided, as on mobile devices. So how does each platform react when presented with a wildcard SSL cert?
  38. -in response to any request we reply with this...
40. - The user can view the cert details (CN etc.), but the default action is Continue.
42. The user is only prompted once. iPhone OS 2.1 doesn't prompt at all when presented with an invalid cert.
44. 0x80072F17 = "Unsupported Digital Certificate installed. If you installed a digital certificate that supports wildcards from a certifying digital certificate provider, this certificate will install however using the certificate is not supported."
- In reality this just means the device won't accept the dodgy cert.
- The user isn't given the option to accept the cert.
46. - The device is nuked: reset to factory state (everything is gone!!!), your high scores on your driving game included.
47. - Ensure devices are adequately secured (jailbroken iPhones: the first person to exploit this was a Dutch hacker charging 5 euros to fix it).
- Only Windows Mobile supports enforced encryption.
- Use a company APN: instead of vodafone.net.nz your APN would be some company name, for example.
Device policy at a minimum:
- Enforce device password is set to TRUE
- Minimum password length is 7 characters
- Alphanumeric passwords are enforced
- Maximum password age is set to 90 days
- Password history is set to 12 remembered
- Account lockout threshold is set to 3
- Idle session timeout is set to 20 minutes
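Added example, not the speaker's: an audit of what the server actually pushes in its Provision response against the minimum policy above. Exchange sends the policy as WBXML; this operates on the decoded XML form (the EASProvisionDoc element names are those of the EAS provisioning schema, with the expiration in days and the inactivity lock in seconds). The sample document and its policy key are constructed and deliberately weak. Treating a zero as "no limit" for every ceiling is an assumption noted in the code; it is what zero means for DevicePasswordExpiration.

```python
import xml.etree.ElementTree as ET

# Minimum policy from the note, keyed by EASProvisionDoc element name.
# Units in the provisioning document: DevicePasswordExpiration in days,
# MaxInactivityTimeDeviceLock in seconds.
BASELINE = {
    "DevicePasswordEnabled":              (">=", 1),
    "MinDevicePasswordLength":            (">=", 7),
    "AlphanumericDevicePasswordRequired": (">=", 1),
    "DevicePasswordExpiration":           ("<=", 90),
    "DevicePasswordHistory":              (">=", 12),
    "MaxDevicePasswordFailedAttempts":    ("<=", 3),
    "MaxInactivityTimeDeviceLock":        ("<=", 20 * 60),
}

# Constructed Provision response (decoded from WBXML; the code-page name stands in for a
# namespace). The policy key is invented and the settings are intentionally lax.
WEAK_PROVISION = """<?xml version="1.0" encoding="utf-8"?>
<Provision xmlns="Provision">
  <Status>1</Status>
  <Policies>
    <Policy>
      <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
      <Status>1</Status>
      <PolicyKey>3141592653</PolicyKey>
      <Data>
        <EASProvisionDoc>
          <DevicePasswordEnabled>1</DevicePasswordEnabled>
          <AlphanumericDevicePasswordRequired>0</AlphanumericDevicePasswordRequired>
          <MinDevicePasswordLength>4</MinDevicePasswordLength>
          <MaxInactivityTimeDeviceLock>3600</MaxInactivityTimeDeviceLock>
          <MaxDevicePasswordFailedAttempts>8</MaxDevicePasswordFailedAttempts>
          <DevicePasswordExpiration>0</DevicePasswordExpiration>
          <DevicePasswordHistory>0</DevicePasswordHistory>
        </EASProvisionDoc>
      </Data>
    </Policy>
  </Policies>
</Provision>
"""


def _local(tag: str) -> str:
    """Element name without any namespace prefix, so decoder output conventions don't matter."""
    return tag.rsplit("}", 1)[-1]


def extract_policy(provision_xml: str) -> dict:
    """Flatten the EASProvisionDoc into {element name: text}."""
    root = ET.fromstring(provision_xml)
    doc = next((el for el in root.iter() if _local(el.tag) == "EASProvisionDoc"), None)
    if doc is None:
        return {}
    return {_local(el.tag): (el.text or "").strip() for el in doc}


def audit_policy(policy: dict) -> list[str]:
    """Findings for every baseline setting the server failed to enforce."""
    findings = []
    for name, (op, want) in BASELINE.items():
        raw = policy.get(name)
        if raw is None:
            findings.append(f"{name}: not set by server (baseline {op} {want})")
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"{name}: unparseable value {raw!r}")
            continue
        # Assumption: 0 on a ceiling means "no limit" (true for DevicePasswordExpiration;
        # applied to the other ceilings as the conservative reading).
        if op == "<=" and value == 0:
            findings.append(f"{name}: 0 means no limit (baseline <= {want})")
        elif op == ">=" and value < want:
            findings.append(f"{name}: {value} below baseline {want}")
        elif op == "<=" and value > want:
            findings.append(f"{name}: {value} above baseline {want}")
    # Encryption is a separate element in EAS 12.1; per the note only Windows Mobile enforces it.
    if policy.get("RequireDeviceEncryption", "0") != "1":
        findings.append("RequireDeviceEncryption: not required")
    return findings


if __name__ == "__main__":
    for f in audit_policy(extract_policy(WEAK_PROVISION)):
        print(f)
```

Run this against the Provision response captured from your own server rather than the policy as configured in the console: what reaches the device is what the device enforces, and a client that ignores part of the document will not tell you.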
48. Pretty standard for web applications: this way the user's credentials don't need to be sent to the server with each request.
  49. 3G Micro Cells have recently become available to AT&T customers in the U.S. They cost US$149. How long before these are hacked and used to perform 3G MITM attacks? Kiwicon 2010 anyone? Are we going to have people sitting in airport lounges with micro cells, MITM 3G connections, exploiting SSL and sitting between cell phone users and their internet banking?