Hello everyone, my name is Ionut Cernica and I'm presenting "Hack the Hackers: Leaking Data over SSL/TLS". I'll have a short introduction about blind injections: what is a blind injection, then the problems that may appear with blind injections, the scenario and the challenges when we are exploiting a blind injection over SSL/TLS. Then demo time, where we test sqlmap, the most used penetration testing tool when it comes to SQL injections, and the conclusion.

Who am I? I'm a security researcher for the Future Networks 5G Lab. I'm also a PhD student in the Department of Computer Science at Politehnica University of Bucharest, a penetration tester and an entrepreneur. Actually, this research was done for my PhD, and I tried to innovate based on this research: I tried to introduce a new layer of security for web applications, and this was one component of that layer. We ran out of funds, so we are taking a break from the project. I'm also a former bug bounty hunter; I used to be involved in many bug bounty programs.

Special thanks to Pentest-Tools. They have the best online penetration testing platform; you should try it. They give you two-week trials, you just have to visit their website. I thank them because they are financially supporting me for being in Vegas and giving this presentation here.

Blind injection: it's about interrogating the server for trues and falses in order to take one byte at a time from the information you target. This technique is done Boolean-based or time-based, and in most cases where you encounter this technique it will be at a SQL injection vulnerability.
So you may have heard about blind injection: blind, as blind as you can get, injection. The problem: we can distinguish the trues and falses from the encrypted traffic just by looking at the length of the responses (this is for Boolean-based) and just by looking at the delays between the packets, between the responses (this is for time-based). Maybe it's not a problem, maybe it is. Let's see if this is the real problem. No, the real problem is something else; it's below. It's a new hacking technique, a passive one. It refers to blind injection leaks over SSL/TLS. It's a passive attack, as I already said: no interaction with the victim or with the hacker (or penetration tester) who is extracting data from the server. And this is because blind injection exploits are written in a predictable way.

So how's that? We have F, which is the method, the charset method, which you will see on the next slide. Then we have the two types of output that we are taking from the encrypted traffic: one is true and the other one should be false. And the result, N, which is the input to the method, to the function, is the leak. If you can suppose the method and the two types of output, you find it's a feasible brute force; then you can find the leak by reversing the steps. It's very easy to do that.

Known methods of exploiting with the blind technique: these are the methods which we should find when we are looking for blind injection over SSL/TLS. The charset method: you have the letters and the digits, and you start by taking the first letter, 'a' in this case, and interrogate the server: is the first letter of the information 'a'? And maybe it says false. Then you go to 'b', you go to 'c', till you have a true from the server and the server says yes, this is the letter 'd', the first letter of the information is 'd'. Good job.
Go to the second one, and so on. So we can reverse this if you suppose that the hacker did it with the charset and used "abcd... 0123..." or "0123... abcd...". You'll have this; it is challenging, you'll see in the next slides, but this is the way it works, because most hackers use this in their scripts. The binary search: we can also use it as a method for exploiting the blind technique. The binary search is an optimized way to extract data from the servers; sqlmap is doing this, and it's an improved way of the binary search, because it's not on the whole ASCII table: it's starting with the printable characters and it's starting with the letters, then it has some changes on its binary search. We have a demo with sqlmap and you'll see that it's very easy to reverse the steps. And bit shifting: again, it's not so common, but it's a method, an old method, and I encountered it in a tool which was doing SQL injection.

Challenges with the extraction methods. No challenges when we are dealing with optimization techniques like binary search or bit shifting, because we already know the code, how they are doing it, and it's easy to reverse the steps. But we are having some challenges when it comes to the charset method, because here was the biggest challenge. Okay, the biggest challenge? Yes, it was the biggest challenge, because we don't know where the letters are: whether the hacker started with the letters then the digits, or his charset starts with the digits then the letters. And you should brute force their position by rotating the output and looking at the output, doing a text recognition or something like this, to see the tool, to extract the database.

Exploitation: how we exploit this over SSL/TLS, over this protocol. It's an important one.
We have the length of the packets. We are using the length of the packets for Boolean-based, and we are using the time, the delays between the packets, to find the true from the server when it comes to time-based. In some ciphers there is padding involved. We can still exploit this problem, because it works if the block size is smaller than the difference between true and false; so true and false will be differentiated by a large length. And as a disclaimer, it is not a problem with the SSL/TLS protocol; the problem is in the way we are writing the exploits for this type of attack.

Scenarios of exploiting. We have the penetration testing company which is doing the penetration test, and our pen tester is extracting the database from a vulnerable web application with sqlmap. It can be a huge problem, because someone with the encrypted traffic from his company, or the internet service provider (because this is the second scenario), can look at his traffic, reverse the steps and take the same database as the penetration tester did. This scenario will be in our demo; you will see later. Our internet service provider, which has all the traffic, can start digging for information, start digging for databases where our script kiddies, or even professional hackers or penetration testers, are trying to exploit databases, and our internet service provider can take the same database. And the third one: maybe one more reason why large countries have a strategic interest to pass the traffic of another country through their infrastructure. Maybe it could be a reason.

Over Tor: future work.
I was thinking about Tor, but I don't have exit nodes. If you have exit nodes, maybe it is challenging to see what happened there, if a script kiddie, a penetration tester or a professional hacker dumps some database in the wild. You should be aware of the cell padding, and if you are lucky enough that the difference between your true and false is bigger than the cell size of the padding in Tor, the block size, then you are lucky and we can recover the information exactly like the hacker did.

Tools and Exploit Database. We tried to analyze some tools; we analyzed some tools and we analyzed some exploits from Exploit Database, and with no exception we found that all those tools and all those scripts that were supposed to exploit blind injections were written in a predictable, in an unsafe way. And there is a big impact when they are trying to exploit: there is a big problem, because someone can reverse the steps much more easily if they know what was used to make that extraction.

Now for the demo, we are using sqlmap. We tried to contact the two main contributors of sqlmap; we didn't have a reply as of two months ago. We're doing this demo because even if I would hide sqlmap from you and I wouldn't say a word about sqlmap, most of you guys would already think that sqlmap may have this problem, and you can check it very easily. So let's start the demo. We have a penetration tester who already started his sqlmap against a vulnerable web application; sqlmap will find the vulnerability, exploit it and confirm it. In the meantime (we have three parties), the man in the middle starts a tcpdump and he will get the encrypted traffic. sqlmap, as you can see, already found the vulnerability, confirmed it and is exploiting it, so it's dumping data from the vulnerable web app. The man in the middle:
he's listening on the traffic, he's taking the traffic, he's dumping all the traffic even if it's encrypted. We'll see in a few seconds that the traffic is all about Server Hello and then the encrypted packets, and from that encrypted traffic he will dump some data, like packet lengths. Now we are doing this. So I'll open it with Wireshark; you'll see that there is encrypted traffic. Okay, so here it is: look, encrypted traffic, server-client exchange, Hello and so on. Then we try to dump some data, the packet lengths, to a CSV file. With that file we are running the Python script to take the packet lengths from the vulnerable web app to the penetration tester; those are the packet lengths we are interested in, and from those packet lengths we'll see which packet lengths are for true and which are for false, and we will have a file with falses and trues. We'll feed our local sqlmap with the same falses and trues.

Right now I am creating a database on the man in the middle. It doesn't have any connection to the database that was exploited before in the vulnerable web app. You can create any database; it's a dummy one like the other one, but let's suppose that it is a real one. And now we are trying to start sqlmap: the man in the middle will start sqlmap on his local machine against his database, which is already vulnerable to SQL injection through a web application on the local machine. And right away, before sqlmap starts to exploit the database, the man in the middle will start feeding sqlmap with the same responses as the vulnerable web app fed the pen tester. And you will see that sqlmap will have the same results as the pen tester: the sqlmap of the man in the middle will have the same results as the sqlmap of the pen tester. So right now we have the application which responds with the same true/false as the vulnerable web app responded to the penetration tester, and now we save the file.
We have the responses, false and true, and as you can see sqlmap is extracting the same data as the sqlmap of the penetration tester. Let's see till the end. So the message from the database was extracted too.

So what happened, what we did in the demo: the pen tester from company A exploited the vulnerable web application with sqlmap; the man in the middle took the encrypted traffic through a tcpdump and he did a passive attack. How did he do this passive attack? There was no interaction between the man in the middle and the other two parties, the web application and the penetration tester. No interaction. So this can have a big impact, this problem I found. He extracted the trues and falses from the packet lengths in the encrypted traffic; so it doesn't matter if it's encrypted or not encrypted. He just took the packet lengths and fed his local sqlmap with the same trues and falses to leak the data. Or you can reverse these steps and create a tool that does the same, but much faster. I did it this way to see the impact, to understand the impact in an easy way. So the result was that the man in the middle, as you can see in this picture, took the same information as the pen tester did from the vulnerable web app.

So this can be very tricky, because when you are using sqlmap you should consider this: you are extracting data from vulnerable web applications, and that extracted data, those dumped databases, can be extracted by anyone with only your encrypted traffic. There are many cases where you can have problems like this.

The charset method: how can you fix this problem for the charset method? An easy way is to shuffle the order of the characters in the charset, so only your exploit knows the position of each character, and someone like the man in the middle will never know. And for the binary search, you should add some extra steps.
Of course, it will have an impact on the optimization, because binary search tries to optimize the process and you'll have extra steps, but it's safer for you to add those extra steps.

Conclusion. The way we are writing blind injection exploits should be such that no one can reverse the steps of the communication between the exploit and the vulnerable application. When we want to optimize blind injection attacks, we must consider inserting random steps into the optimization algorithms like binary search or bit shifting or any other type of optimization. And as a defensive technique you can consider this: as I said, for my PhD I tried to introduce a new layer of security for web applications. Okay, it's threat hunting; it's not a layer, because it's post-exploitation, it's like threat hunting. What I was trying to do was to find ways to confirm attacks without looking at the payload, so the payload complexity doesn't matter; we are looking for other things in the data, like in this case the packet lengths, and confirm a SQL injection and so on. Maybe some attackers want to take this into consideration; they will need full optimization, they want to take the data as fast as possible. So maybe it can be feasible as a defensive technique, even if those problems with blind injection will be known from today.

Thank you. If you have questions, please ask me.
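The following is an added example, not code from the talk, from sqlmap, or from the speaker's demo script. It models in Python what the talk describes end to end: a predictable charset-method exploit that stops at the first TRUE for each character, a passive observer who sees only response sizes and reverses the steps, the cipher-padding caveat from the SSL/TLS section (the leak only survives when the TRUE/FALSE size difference exceeds the block size), the shuffled-charset mitigation from the end of the talk, and a payload-agnostic detection heuristic in the spirit of the speaker's defensive idea. The charset order, the secret, all sizes, the simplified padding model and the detection thresholds are constructed assumptions for illustration.

```python
# Added example (not code from the talk or from sqlmap): a toy model of the
# passive "reverse the steps" attack on a predictable, charset-based blind
# SQL injection exploit, the cipher-padding caveat, the shuffled-charset
# mitigation, and a length-only detection heuristic. The secret, the charset
# and every size below are constructed values, not measurements.
from collections import Counter

STANDARD_CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed exploit order


def record_len(plaintext_len, block=1):
    """Size of one response as seen on the wire.
    block=1 models a stream cipher (length leaks exactly); block=16 approximates
    a CBC block cipher by rounding up to a whole block (simplified: real TLS
    also adds a MAC and 1..16 pad bytes, but the rounding effect is the same)."""
    return -(-plaintext_len // block) * block


def simulate_exploit(secret, charset, true_len, false_len, block=1):
    """What a predictable charset-method exploit does: for each position it asks
    'is the character X?' for every charset entry in order and moves on at the
    first TRUE. Only the response sizes a passive observer sees are returned."""
    observed = []
    for ch in secret:
        for candidate in charset:
            hit = candidate == ch
            observed.append(record_len(true_len if hit else false_len, block))
            if hit:
                break
    return observed


def classify(observed):
    """Map sizes to TRUE/FALSE without seeing any plaintext. The charset method
    stops each position at a TRUE, so the last response is always TRUE. Returns
    None when padding collapsed both answers onto one size (nothing to reverse)."""
    if len(set(observed)) != 2:
        return None
    true_size = observed[-1]
    return [size == true_size for size in observed]


def reverse_charset_method(truths, assumed_charset):
    """Observer's reconstruction: the number of FALSE answers before each TRUE is
    the index of the leaked character in the charset the observer assumes."""
    leaked, misses = [], 0
    for is_true in truths:
        if is_true:
            leaked.append(assumed_charset[misses])
            misses = 0
        else:
            misses += 1
    return "".join(leaked)


def passive_leak(observed, assumed_charset=STANDARD_CHARSET):
    """Full passive attack: sizes -> TRUE/FALSE -> leaked string (or None)."""
    truths = classify(observed)
    return None if truths is None else reverse_charset_method(truths, assumed_charset)


def looks_like_blind_extraction(observed, min_queries=20, max_true_share=0.2):
    """Payload-agnostic detection heuristic (constructed for this example): a long
    series of responses with exactly two sizes, dominated by one of them and ending
    with the rare one, is the signature of a charset/Boolean extraction loop."""
    if len(observed) < min_queries:
        return False
    counts = Counter(observed)
    if len(counts) != 2:
        return False
    rare_size = min(counts, key=counts.get)
    return counts[rare_size] / len(observed) <= max_true_share and observed[-1] == rare_size


if __name__ == "__main__":
    secret = "d3f"  # constructed value the exploit is extracting
    # 1. Predictable charset order: the observer recovers the secret exactly.
    wire = simulate_exploit(secret, STANDARD_CHARSET, true_len=1200, false_len=980)
    print("predictable order   ->", passive_leak(wire))                # d3f
    print("flagged by detector ->", looks_like_blind_extraction(wire))  # True
    # 2. Padding caveat: a TRUE/FALSE difference smaller than the block size can
    #    put both answers on the same record size, and the passive attack fails.
    wire = simulate_exploit(secret, STANDARD_CHARSET, 1000, 1005, block=16)
    print("padded, same size   ->", passive_leak(wire))                # None
    # 3. Mitigation: the exploit uses a charset order the observer cannot know,
    #    so reversing with the standard order yields garbage.
    wire = simulate_exploit(secret, STANDARD_CHARSET[::-1], 1200, 980)
    print("shuffled charset    ->", passive_leak(wire))                # 6g4
```

The observer never sees a payload: `classify` only needs the fact that a charset loop ends every character on a TRUE, and `reverse_charset_method` only needs the exploit's character order, which is exactly why shuffling that order (case 3) breaks the reversal while leaving the exploit itself working. The same two properties, two response sizes and a fixed stop condition, are what the detection heuristic keys on.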