This year, one member of the Portcullis team attended one of the biggest security events in France: SSTIC (Symposium sur la sécurité des technologies de l’information et des communications). This post highlights the presentations we found most interesting. Many of the slides, papers and videos are available on the SSTIC website, but most of them are in French.
SSTIC is, along with La Nuit du Hack, one of the oldest security events in France; this year was the 15th edition. It is held in Rennes (Brittany), a small city with plenty of students and bars. For the record, one street in the city is nicknamed “Thirsty Street” because most of the city’s bars are located there. The event ran over 3 days (7, 8 and 9 June) and welcomed around 600 security enthusiasts. There is a single track, with 29 presentations in different formats:
- 11 Short talks: 15 min
- 14 Regular talks: 30 min
- 5 Guest talks: between 45 min and 1 hour
In addition there are “rump sessions”, a kind of lightning talk with a maximum duration of 3 minutes. Why maximum? Because the audience is allowed to end a talk early by applauding the speaker.
Here are some of our favourite talks from the event:
Silo Administration (“Administration en Silo”)
This talk was presented by Aurélien Bordes of ANSSI, the French equivalent of the NCSC. It was a very interesting talk on how to harden a Windows domain so that it does not end in a full compromise during an internal penetration test or an APT intrusion. The idea is to stop attackers from moving laterally and from obtaining domain admin rights in the domain.
First, the speaker explained that a Windows domain can be divided into three tiers:
- RED: administration resources (Active Directory, administrator workstations, etc.)
- YELLOW: business data and the assets that handle it
- GREEN: end-user workstations
The YELLOW tier is usually the one the organisation cares most about, but it cannot be protected without also protecting the RED tier: whoever controls the administration resources controls everything below them. The approach is to raise the security of these tiers by hardening Windows authentication itself, through the following steps:
- Disable NTLM and rely on Kerberos
- Forbid Kerberos delegation for administrator accounts
- Protect the Kerberos AS exchanges
- Restrict the computers from which administrators are allowed to log on
The first two can be applied straightforwardly through Group Policy (and the “Account is sensitive and cannot be delegated” account flag). For the other two, the following Windows features can be used:
- The Protected Users security group
- Kerberos Armoring (FAST) to protect the AS and TGS exchanges
- Authentication Policies, and the Authentication Policy Silos that give the talk its name, to shorten TGT lifetimes and to allow an account to authenticate only from specific workstations
These features are not new, but they are not widely known. They do have version requirements: Kerberos armoring needs Windows 8 clients and Windows Server 2012 domain controllers, while Protected Users and Authentication Policies need the Windows Server 2012 R2 domain functional level and Windows 8.1 clients to be fully effective.
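The steps above put together as one administration silo, as an added example that is not code from the talk or from the original post. Every name in it (the silo and policy names, the tier0-admin accounts, the PAW01$/PAW02$ workstations) is a placeholder; it assumes the ActiveDirectory module, the Windows Server 2012 R2 domain functional level, and that the “KDC support for claims, compound authentication and Kerberos armoring” GPO is enabled on the domain controllers (with the matching Kerberos client policy on the admin workstations), because without armoring the AuthenticationSilo claim is never issued and the silo condition can never be satisfied.

```powershell
# Added example, not code from the SSTIC talk or the Portcullis post. Builds one
# administration silo from the features listed above. Account, silo and policy names
# are placeholders. Assumes: ActiveDirectory module, Windows Server 2012 R2 domain
# functional level, Windows 8.1+ admin workstations, and the "KDC support for claims,
# compound authentication and Kerberos armoring" GPO on the DCs (plus the matching
# Kerberos client policy on the PAWs) so that the AuthenticationSilo claim is issued.
Import-Module ActiveDirectory

$SiloName   = 'Tier0-Silo'                       # placeholder
$PolicyName = 'Tier0-AdminPolicy'                # placeholder
$Admins     = @('tier0-admin1', 'tier0-admin2')  # placeholder tier-0 admin accounts
$Paws       = @('PAW01$', 'PAW02$')              # placeholder admin workstations (computer accounts)

# 1. Protected Users: no NTLM, no DES/RC4 keys, no delegation, 4-hour TGT, no cached credentials
Add-ADGroupMember -Identity 'Protected Users' -Members $Admins

# 2. Also set the account flag so delegation stays off even if someone removes the group membership
foreach ($a in $Admins) { Set-ADAccountControl -Identity $a -AccountNotDelegated $true }

# 3. Authentication policy: 2-hour TGT, and logon only from a device that is a member of the
#    silo (SDDL in the form Microsoft documents for -UserAllowedToAuthenticateFrom).
$AllowedFrom = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $SiloName + '"))'
New-ADAuthenticationPolicy -Name $PolicyName `
    -UserTGTLifetimeMins 120 `
    -UserAllowedToAuthenticateFrom $AllowedFrom `
    -Enforce    # leave -Enforce out on a first pass: audit-only mode, failures are logged but allowed

# 4. Silo that binds the admins and their PAWs to that policy
New-ADAuthenticationPolicySilo -Name $SiloName -UserAuthenticationPolicy $PolicyName -Enforce

foreach ($acct in ($Admins + $Paws)) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $acct   # silo accepts the account
    Set-ADAccountAuthenticationPolicySilo -Identity $acct -AuthenticationPolicySilo $SiloName  # account joins it
}

# 5. Verify: each admin is assigned to the silo and sits in Protected Users
foreach ($a in $Admins) {
    Get-ADUser -Identity $a -Properties 'msDS-AssignedAuthNPolicySilo', MemberOf |
        Select-Object SamAccountName,
            @{ n = 'Silo';      e = { $_.'msDS-AssignedAuthNPolicySilo' } },
            @{ n = 'Protected'; e = { [bool]($_.MemberOf -match '^CN=Protected Users,') } }
}
```

Run it from a domain controller or a host with the RSAT AD module, as a member of Domain Admins. The order matters: the silo must exist and the workstations must be members before the enforced policy is applied to the admin accounts, otherwise the admins lock themselves out; running the policy without -Enforce first and reading the authentication policy failure events on the DCs is the safe way to find which logons would be blocked.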
WSUSpendu
This talk was presented by Romain Coltel (Alsid) and Yves Le Provost (ANSSI), and introduced a new tool called WSUSpendu (pendu means “hanged” in French). The work was inspired by the WSUSpect tool presented at Black Hat in 2015, which performed man-in-the-middle attacks on insecure WSUS connections to inject fake updates into a target. By default WSUS delivers updates over plain HTTP. An update consists of a signed binary plus XML metadata describing it, and only the binary is signed, so an attacker on the path can rewrite the metadata, for instance the command line handed to a legitimately Microsoft-signed tool such as PsExec. WSUSpendu takes the next step and injects fake updates directly on the WSUS server. The use case is simple: an attacker who compromises the WSUS server can insert malicious updates into the WSUS database to target a specific workstation or server, with no network position and no weak transport required.
This tool could be very useful during internal penetration tests and belongs in your toolkit.
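A quick client-side check for the precondition WSUSpect relied on, as an added example that is not code from the talk or the original post: it reads the documented Windows Update policy registry values on a host and flags a WSUS server reached over plaintext HTTP, plus the setting that lets the client accept non-Microsoft update signatures. It contacts no WSUS server. Note the caveat for the WSUSpendu scenario: once the WSUS server itself is compromised, HTTPS does not help, so the server belongs in the RED tier described in the previous talk.

```powershell
# Added example, not code from the talk or the Portcullis post. Audits the local
# Windows Update client policy and reports the exposure to WSUSpect-style MITM.
# Reads only the documented policy keys under HKLM\SOFTWARE\Policies\...\WindowsUpdate.
function Get-WsusClientExposure {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $pol = Get-ItemProperty -Path $policyKey      -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue

    $findings = New-Object System.Collections.Generic.List[string]

    # UseWUServer = 1 means the client is pointed at an intranet WSUS server
    if (-not ($au -and $au.UseWUServer -eq 1)) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; WUServer = $null; Exposed = $false
            Findings = @('Client does not use WSUS (UseWUServer is not 1)')
        }
    }

    # WUServer: where metadata and binaries are fetched; WUStatusServer: reporting endpoint
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $pol.$name
        if ([string]::IsNullOrEmpty($url)) { $findings.Add("$name is not set"); continue }
        $uri = $null
        if (-not [uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            $findings.Add("$name is not a valid URL: $url"); continue
        }
        if ($uri.Scheme -ne 'https') {
            $findings.Add("$name = $url : plaintext $($uri.Scheme), update metadata can be altered in transit")
        }
    }

    # A tampered update still needs a trusted signature. With this policy set, the client
    # also accepts updates signed by any certificate in its Trusted Publishers store.
    if ($pol.AcceptTrustedPublisherCerts -eq 1) {
        $findings.Add('AcceptTrustedPublisherCerts = 1: non-Microsoft signed updates are accepted')
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        WUServer = $pol.WUServer
        Exposed  = ($findings.Count -gt 0)
        Findings = $findings.ToArray()
    }
}

Get-WsusClientExposure | Format-List
```

Wrap the function in Invoke-Command to sweep a fleet; a single http:// WUServer value across the domain is exactly the finding the WSUSpect authors were exploiting.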
Binacle
Another presentation by a member of the ANSSI team, Guillaume Jeanne, covered another tool that is useful when hunting malicious binaries. Binacle performs full-text search over binaries: not only string searches, but also searches for an arbitrary sequence of bytes. In the first part the speaker explained why searching binaries is harder than searching text files. He then tried several designs that allow lookups in constant time, with a reasonable database size and fast insertion into the database. Finally he compared his tool’s execution time to a Yara scan, and Binacle came out far ahead. The idea is therefore to use Binacle to help write Yara rules and also to speed up scanning.
The tool is written in Rust and could be really useful for incident response work.
TV5 Monde post-incident review
For the closing conference, the ANSSI team (again!) gave feedback on the TV5 Monde hack. As a reminder, TV5 Monde is a French TV channel that was hacked in 2015 by the APT28 group. The attack disrupted programme broadcasting for several days and also took over the channel’s online accounts (Twitter, Facebook and YouTube). The first part of the presentation focused on how the attackers managed to compromise the internal network, and unsurprisingly it was, unfortunately, fairly easy. The attackers stole the VPN credentials of a contractor and used them to gain access to the TV5 Monde internal network. The lack of network segregation let them compromise several machines, and they quickly found a domain admin account. Their next step was to create a dedicated domain administrator account so they could easily reconnect. Finally, the attackers found an internal wiki containing clear-text passwords and documentation about the broadcast equipment used by TV5 Monde. The second part of the presentation focused on remediation, and especially on how the ANSSI team rebuilt the Active Directory. A complete transcription of the presentation was written up by Mathieu Suiche and can be found on his blog.
This presentation was really good, and it was very valuable to get first-hand feedback about a real security incident. Bravo to ANSSI and TV5 Monde for choosing to share this kind of information with the community.
Other interesting talks
- YaCo (Yet another Collaborative tool): this tool adds a “multi-user” layer to the IDA disassembler so that several people can work on the same binary at once
- Deploying TLS 1.3: presented by Filippo Valsorda (Cloudflare), this talk focused on the new features in TLS 1.3. If it sounds interesting, read the blog article and watch the video in English
- Breaking Samsung Galaxy Secure Boot through Download mode: Frédéric Basse presented a bootloader bug in Samsung Galaxy smartphones which, given physical access, allowed arbitrary code execution. Full article in English
- BinCAT: purrfecting binary static analysis: BinCAT is a tool for static analysis of x86 binaries with the following features: value analysis (registers and memory), taint analysis, type reconstruction and propagation, and backward and forward analysis. Full article in English
- Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone: P1Sec presented an issue in VoLTE (Voice over LTE) that leaks the location of the subscriber you are calling. Full article in English
A more detailed write-up in English can be found on the following links:
- Day 1: https://blog.rootshell.be/2017/06/08/sstic-2017-wrap-day-1/
- Day 2: https://blog.rootshell.be/2017/06/09/sstic-2017-wrap-day-2/
- Day 3: https://blog.rootshell.be/2017/06/09/sstic-2017-wrap-day-3/