Security Art Work

It has long been known that the NSA and some similar organizations have suirvellance systems deployed to ensure the safety and protection of us all from evil. However, the NSA always preferred to keep secret to avoid being forced to reject the Nobel Peace Prize. However, after the case of Snowden, Manning, Assange and other rebels, it is clear that the situation has become has become unsustainable.

Luckily, the certainty that the NSA listens to our conversations, reads our emails, spies our activity on social networks and basically knows everything we do has not generated any notable movement at the political or social level, because they do it for our own good (now that I write down it, I clearly remember hearing that in more than one time in my childhood). It would not be desirable that the lust of justice and freedom of a few (literally) we are doomed to hell and existential chaos.

Probably in short they will awarded with the Nobel Peace Prize.

A few good men. (Vía wikiquote).

(Opinion article published by Manuel Benet in Valencia’s local newspaper on 2nd July 2013)

The documents leaked by Edward Snowden to The Guardian on a sophisticated global intelligence are, in essence, nothing new. For years has been known that the U.S. and some partners share the ECHELON spy network, involved in the past in several trade scandals. However, we should not underestimated Snowden contribution. While so far the details of the spy system of the National Security Agency (NSA, for short) were based on experts research, we know now not only that this program (PRISM) is larger, intelligent and more ambitious than anything we thought in the past, but that many countries have their own surveillance systems.

Perhaps due to films or literature we have always been accustomed to the fact that espionage is made between States, with objectives and specific actors under certain rules. However, it has now taken a step forward, with the monitoring and recording of any information that could be virtually recorded of millions of individuals around the planet: a system without control or limit that breaks with total impunity and the cooperation of the Internet corporations any idea of freedom, privacy and justice we might have. States have come to spy on its citizens in a move more typical of dictatorships than democracies.

However, despite the seriousness of the matter, no one seems very concerned; do not expect a massive desertion from social network and if we look at the press, Snowden is famous for not having disclosed a large number of documents classified about a global and massive surveillance program, but by the geopolitical tensions that his flight and persecution have created between the U.S. and China and Russia mostly.

Says one of the quotes attributed to Benjamin Franklin that those willing to sacrifice some of their essential liberty for some security deserve neither one nor the other. This seems to be our case. It’s been a long time ago since —despite the great efforts (maybe not always so great, ok) of the data protection agencies both national and transnational— we decided that our privacy had not, at last and after all, the importance they wanted us to think. Made that decision, the transition of our information to a digital world controlled by multinational corporations outside national and European requirements posed no trauma at all.

At first glance there is a big difference between your messages being scrutinized by a nest of spies like the NSA, an opaque entity key in the American intelligence, and knowing that Google scans your emails to position relevant ads. However, there is no such difference: (almost) no one cares about we being spied upon; that is a simple inconvenience that we have taken as inherent of the digital age and something makes me think that we do not even needed the Damocles Sword of terrorism. The saying that goes that if you have nothing to hide, you have nothing to fear, has been assumed almost by obligation with few complains.

We can draw one last thought. Edward Snowden was not 007; he had no license to kill and it was not (that we know) a double agent. It was ‘only’ a system administrator working for a NSA provider, one of the world’s safest organizations. From there he had access to a huge volume of classified documents that James Bond would not even have heard of. In light of this, do we really know who access our information?

(Please note this post was published last 6th may 2013 in the Spanish version of this blog)

In the latest weekly Metasploit update, the outstanding feature has been the incorporation of a new extension dedicated to Mimikatz.

Mimikatz is a tool developed by @gentilkiwi that allows dumping passwords in plain text through lsass as well as obtaining hashes from SAM among other features, and about which we have already spoken in our previous post about Metasploit module, sdel.

Mimikatz is detected as a malicious tool by the major anti-virus. According to Virustotal, today, at least 21 out of 46 anti-virus detect it, therefore, its use complicates the task of the pentester.

Nevertheless, thanks to the extension made by Meatballs1 to Metasploit, it is possible  to use Mimikatz through a meterpreter without having the antivirus alerting us, by leaving the disk untouched and running it completely in memory (a more comfortable alternative to execute flag -m). An example of its use would be as follows. After having obtained a shell in a target host, we load the Mimikatz extension:

Once loaded the extension in our meterpreter session, let´s have a look at the options that it offers us:

By executing, for example the “Kerberos” command, we obtain the credentials of this kind in plain text in our owned host:

Another example of execution would be using the “mimikatz_command” as we can see below:

With the “logonPasswords” parameter we get it to show us the concurrent sessions of users who are logged in on the compromised machine.

For the reader who wishes to delve deeply into the issue of how Windows stores your credentials, weaknesses in this regard, and how Mimikatz is able to exploit those weaknesses, I recommend this article as well as presentations on the  Gentilkiwi blog.

There is no doubt that in the last years we have made great progress in Information Security. Gradually, business begin to perceive the idea that security is an area that requires special attention, beyond what many consider “the IT crowd”. However, if it is not good to fall into the doom and gloom, we should not be too lenient: there’s still a long way to go and progress does not always occur at the speed at which, fortunately for criminals, would be advisable or desirable. Every day we see security breaches in organizations with a strong investment in technological infrastructure and security controls, which should give us an idea of ​​the imbalance of forces.

In this line, there are still many errors and beliefs that we can identify as the ten usual errors of SMEs (Small and Medium Enterprises) in Information Security and that mark the way to go these next years.

1. To think that their information or systems do not interest anyone. This is, without a doubt, the main obstacle to the improvement of the information security in an organization: “who may want to attack us?“. There are several powerful arguments against this. First, any equipment is useful for “botnets” or networks of zombie PCs controlled remotely, either a corporate PC or a teenager laptop; if it can be controlled remotely then it can be used with to report spam or attack systems. Secondly, perhaps no one is really interested in those systems, but a worm doing a massive scan could detect by chance a vulnerable system. Finally, many organizations underestimate the value of their information, both for foreign and internal competition: accounting balances, rates of prices, margins, processes of production, innovations, etc.

2. To believe that security is just technical and therefore responsibility of the IT Dept.. To limit the security to its technical side, obviously necessary, leads to neglect controls such as the legal and organizational ones. To manage security incidents and events, perform education on security issues, define responsibilities or address legal requirements are vital aspects to prevent threats such as phishing or social engineering.

3. An antivirus and a firewall are just enough. This is primarily the progress that we talked about in the first paragraph. Few organizations do not have currently an antivirus or a firewall. However, this leads to a false sense of security that makes them to forget that there are many threats, both technical and non-technical, that require more specific measures.

4. To think that security is a product and not a process. This error comes from past times when security was just one thing more of the many tasks within the IT dept. staff. However, things have changed significantly and security has acquired a status of its own. Anyone working in an HR department, production, logistics or accounting performs a daily maintenance, either updating their knowledge, keeping the industrial systems running, implementing new processes or adapting its operation to new legal requirements. The departments adapt to changes constantly. However, security is still considered an area that does not require any maintenance. Nothing is further from reality.

5. Confidentiality is just something of spies and large corporations.. It is true that large corporations and spies sign confidentiality (non-disclosure) agreements. But although many companies still think of them in terms of science fiction, that does not make them unnecessary in the field of the small and medium companies. Suppliers, customers, employees, stakeholders and any natural or legal person with access to the company information must sign confidentiality agreements whose purpose is to protect the information of the organization. Very few times such a small effort brings such huge profits.

6. To forget the security in corporate contracts. Today a simple order form is still in many cases the procedure to contract services. No formal service contract, no confidentiality clauses, no legal requirements nor information about the security measures the provider must apply on the information we provide. Ultimately, security, in all its areas, is still absent in the contracts that many SMEs sign with suppliers and/or customers.

7. Privacy, the great unknown. Although privacy has been a critical issue for the last decade and there are legal requirements in many countries, many companies still ignore their duties in this area and some of those who know choose not to carry out any action. Whether to avoid economic sanctions or “just” social responsibility to the people who gives us their personal data, any company should take the necessary measures to ensure the security of the personal data of their customers, employees, suppliers … (please note this point was adapted from the Spanish Personal Data Protection Act to a more general view).

8. Just to look outside threats. Without the desire to criminalize and despite the mass media news , it is well known in the field of security that most of the security problems come from within the organizations. In some cases, malicious users. But in many other cases it is sheer ignorance: an employee who uses an infected USB, opens an attachment or clicks on a link in an email or simply throws confidential information to the recycle bin. It is essential to adopt a permanent strategy of awareness in information security, including managerial staff that handles sensitive information, to prevent and mitigate risky behaviors for both the organization and the employee.

9. To provide Internet services regardless of their safety. A service offered to the Internet is accessible virtually by billions of people, some of which will have not certainly good intentions. Without losing sight of the necessary legal requirements (in many cases very easy to fulfill) that we have seen, the story repeats again and again: services that contain web forms vulnerable to attacks that existed a decade ago, webservers misconfigured or directly not configured, etc.

10. To forget systems and network management. Last but not least, many companies still neglect the required security maintenance of their servers and networks, leading to vulnerable network devices, WiFi access points that allow a person on the street to access the corporate network, internal databases accessible from the Internet, or servers not updated in years. Without mentioning that this leads to the most absolute ignorance about what happens in the infrastructure of the organization, where an intruder can do whatever he wants. The rest is left to the imagination.

This decalogue of errors, more common than one would think, could certainly be completed with many other specific problems that SMEs commit daily. However, if in a few years we could cross off at least half of these errors, we would have made great strides in securing our companies.

Some time ago we wrote about HoneySpider 2.0 and we made a quick look at its functionalities. Now let’s see one of the key pieces of this new version: workflows. We assume you have already installed HoneySpider 2.0 or that you are using the virtual machine provided by the project.

Given that we already have the application installed, first of all we have at hand the necessary documentation to define a workflow, which can be found here and here.

A workflow in HoneySpider 2.0 is composed of a series of processes, where each process is composed of services. These services contain input parameters and the ability to redirect its output to other processes. Let’s see a conceptual scheme of what is a workflow:

These workflows are defined in XML format. The following example will provide you with a very simple example workflow that performs a file analysis with rb-officecat (Nugget razorback) of the Office documents located in a set of web links:

<?xml version="1.0"?> 
<workflow> 
  <description> 
    Analyze files office files with officecat 
  </description> 
  <process id="main"> 
    <service name="feeder-list" id="feeder"> 
      <parameter name="uri">/tmp/file.txt</parameter> 
      <parameter name="domain_info">true</parameter> 
      <output process="process_url"/> 
    </service> 
  </process> 
  <process id="process_url"> 
    <service name="webclient" id="webclient0" ignore_errors="DEFUNCT"> 
      <parameter name="link_click_policy">0</parameter> 
      <parameter name="redirect_limit">20</parameter> 
      <parameter name="save_html">false</parameter> 
      <parameter name="save_images">false</parameter> 
      <parameter name="save_objects">true</parameter> 
      <parameter name="save_multimedia">false</parameter> 
      <parameter name="save_others">false</parameter> 
      <output process="report"/> 
    </service> 
    <service name="reporter" id="reporter0"> 
      <parameter name="serviceName">webclient</parameter> 
      <parameter name="template">webclient.jsont</parameter> 
    </service> 
    <!-- determine classification, taking into account propagation from child objects --> 
    <script>!findByValue("parent", #current). 
      {? #this.origin != "link" and #this.classification == "malicious"}.isEmpty 
       or rb_officecat_classification == "malicious" 
       ? (classification = "malicious") : 
         (classification = "benign")</script> 
    <service name="reporter" id="reporter1"> 
      <parameter name="serviceName"/> 
      <parameter name="template">url.jsont</parameter> 
    </service> 
  </process> 
  <process id="report"> 
    <service name="reporter" id="reporter4"> 
      <parameter name="serviceName">webclient</parameter> 
      <parameter name="template">webclient.jsont</parameter> 
    </service> 
    <service name="reporter" id="reporter5"> 
      <parameter name="serviceName">file</parameter> 
      <parameter name="template">file.jsont</parameter> 
    </service> 
    <conditional expr="content != null and (mime_type == 'application/msword' or 
         mime_type == 'application/vnd.ms-excel' or mime_type == 
		 'application/vnd.ms-powerpoint')"> 
      <true> 
        <service name="rb-officecat" id="office1"/> 
        <service name="reporter" id="reporter6" ignore_errors="INPUT"> 
          <parameter name="serviceName">rb-officecat</parameter> 
          <parameter name="template">rb-officecat.jsont</parameter> 
        </service> 
      </true> 
    </conditional> 
    <!-- determine classification, taking into account propagation from child objects --> 
    <script>!findByValue("parent", #current). 
    {? #this.origin != "link" and #this.classification == "malicious"}.isEmpty 
       or rb_officecat_classification == "malicious" 
? (classification = "malicious") : 
         (classification = "benign")</script> 
    <service name="reporter" id="reporter7"> 
      <parameter name="serviceName"/> 
      <parameter name="template">url.jsont</parameter> 
    </service> 
  </process> 
</workflow>

This workflow example should be interpreted as follows: we define a main process that uses the service “feeder-list“. It reads the links to be analyzed from a file located in /tmp/file.txt. The links are passed to the process_url process. This process uses the service “webclient” to visit those links, getting as a parameter some actions it should do or not to do, such as saving multimedia objects, and so on. The links collected for this service will be passed to the report process.

Besides webclient, the process process_url has several services that generate output information for the web interface. Finally, the report process is where the service that scans the Office files with the razorback nugget, “rb-officecat” is located, besides printing information using the service report. We want to emphasize the importance to set which content must activate the service. In this case it has been limited to start running only with contents that apply.

After loading the workflow in our tool, we input it with a file with links. In our scenario we have included a link to a malicious office document, resulting in:

If we click on the detected document we will see the vulnerability detected by rb-officecat:

This is just one example of the detection abilities of this tool. As seen, the definition is simple and as we discussed in the previous post (ES) it has great possibilities. At this moment it is in an early stage and certain aspects will require fighting to get them to work as we want, but you can also report the problems in the Google group of the tool.

It is often admitted that ignorance is bliss. Conversely, another universal truth states that knowledge is power. I guess that we all have to find our place somewhere between both end members to keep our mental stability. However, when it comes to ICS cybersecurity knowledge is a must. The dark side lack of industrial processes know-how is the finger that plugs the hole in the dike, preventing the flood. But, as in the Dutch tale, this won’t last forever.

Security by obscurity paradigm is still firmly attached to many ICS managers’ views. This approach is absolutely unacceptable once you get even the slightest notion of the threat’s nature. Still, it is widely believed that the child will indefinitely keep on plugging the dike with his little finger.

Industrial processes knowledge and Stuxnet

Much has been said and written on Stuxnet, mainly because of its astounding refinement. However (please keep in mind that I’m an electrical engineer), what really shocks me is not its being the first malware specifically designed to attack an ICS, but the high degree of target’s physical processes knowledge involved.

Stuxnet was probably aimed to disrupt Iran’s uranium enrichment program. This material is used as fuel for nuclear power plants and in nuclear weapons construction. Uranium occurs in Nature as a mixture of two isotopes, ²³⁵U (lighter) and ²³⁸U (heavier). Natural concentration of ²³⁵U is under 1% whereas a concentration above 90% is required for military purposes (well over the 20% required for nuclear power plants). Enrichment process is usually performed inside centrifuges, machines that spin uranium gas at high speed. The heavier isotope experiences higher centrifugal acceleration and moves towards the spinning cylinder periphery while the lighter fraction (the useful one) remains by the rotation axis, where it is collected to be sequentially processed over and over again to reach the desired concentration. This is a very slow process because of the isotopes small atomic weight difference (3 atomic weight units to 238). In order to get enough material for the construction of a single device lots of time (or lots of money to provide a larger number of centrifuges) is required. To adjust the centrifuges speed frequency converters are used to drive the electric motors.

From this starting line, Stuxnet designers move on to tailor their strategy to the selected target: Iranian enrichment facilities. They tuned Stuxnet to pray on ICS with Siemens control systems (Simatic PLC and WinCC SCADA software) monitoring frequency inverters manufactured by Vacon (a finnish maker) and Fararo Paya (an iranian one). In addition, a number greater than 33 of this devices should be in place for the facility to qualify as a target. What is more, frequency settings should range from 807 Hz to 1,210 Hz (typical enrichment process settings).

Now comes my favorite part: choosing the attack mechanism. Once Stuxnet gains command and control of the system, it disrupts normal operation by forcing centrifuges spinning frequency (ie speed) to increase up to 1,410 Hz (above the maximum normal operation), then drop sharply to a value as low as 2 Hz (almost a complete halt, although machines rotating speed could depend on other factors), and then accelerate again to 1,064 Hz before returning to the normal operating sequence. This disruption repeats in predetermined cycles that involve, say, running at 1,410 Hz during 27 days, then a good dive down to 2 Hz and then 1,064 Hz again (resulting in good uranium shake) for another 27 days, and so on and on. This behavior does not affect all the devices in the same group, at least not simultaneously, but only a certain subset (to make malfunction detection harder, I guess). The goal is not only to disrupt the process. The goal is not to destroy the computer, or delete the program running on the PLC or any other action apparently definitive but, in practice, easily detected and fixed. These kind of actions would have warned the operator and the outcome would have been much restricted. It is obviously much more effective to cause the facility to produce uranium out of specifications for months for no apparent reason, something much more difficult to fix and therefore more harmful. The malware was intended to hide itself and its effects, so alarms logs and historians didn’t keep record of abnormal operation. Also, Stuxnet was able to reinfect a device in the event of original code being reloaded by the operators.

Lessons learned?

Beyond the initial shock (think of we poor ICS designers and operators and our broken safety feeling), there are some valuable lessons to be learned.

Much of the skepticism (real or fake) put up by ICS managers lays on their lack of understanding of the attack vectors and attacker’s goals. As far as they can see, a cyberattack is the digital equivalent of a carpet bombing, a blind and useless act of destruction. However, life ain’t that simple. As we can see from the Stuxnet case is that it is possible, given enough knowledge of an industrial process, to perform very sophisticated attacks aimed to cause much more damage in ways very difficult to fix: wastewater treatment plant discharges out of legal limits. An increase of non-compliant product resulting in economic cost and loss of reputation as it can be associated with missed deadlines or, worse, out-of-specs product reaching customers unnoticed (after all, statistical quality control samplings are designed to fit the ‘natural’ variability of our non disrupted process, so our standard sample size or sampling frequency may be inadequate to detect the situation). Or erroneous billing owing to altered data from meters (obviously up to destroy our reputation). What is worse, when we turn to our ICS it keeps telling that everything’s OK. And, let’s face it, how long will it take until you realize that maybe our control system has been hit by a cyberattack? After all, it is a risk that you have always dismissed…

You might regard yourself as a ‘good guy’.  You have lots of friends, a good reputation and no enemies. But, even if that’s true, in a global market where processes and machinery are increasingly standardized, who can tell for sure that you will not be victim of malware designed to hit a third party who just happens to share equipment or methods with you? Just one example: centrifugal machines originally used in olive oil production are now used to dewater sludges from (waste or fresh) water treatment plants.

Too often I hear arguments like ‘our system is not connected to the Internet’. Aside from the healthy skepticism that such an statement shall raise, we must remember that Stuxnet was designed to copy itself, whenever possible, by means of portable devices such as USB memory sticks or those PC used to load projects to PLC.

What every engineer knows

A short time ago the information used in industrial process engineering was paper-based and access to it was very limited: technical books purchase, suppliers technical data provided by salesmen, documentation gathered in specific technical courses, and so on: photocopies, photocopies, photocopies. The Internet has changed it all. Today we have almost unrestricted access to highly detailed and specific documentation from our very desktop PC. I remember the time when every engineer kept large amounts of information in various media. This personal treasure contained much of our knowledge and ability to design and its loss was a risk we could not afford. Today that is no longer necessary. The Internet is the ultimate file: pdf, pdf, pdf.

It’s amazing how much stuff about the processes and equipment in use in any given company lies out there, waiting to be discovered when appropriately searched. There is much more than technical documentation in the form of catalogs and data sheets. Providers often describe their references and success stories, sometimes in great detail, in multiple places: their websites, technical magazines, at conferences and fairs…The companies themselves sometimes release papers on their own state-of-the-art developments (or anything they are proud of). Constructors companies do just the same. When it comes to public infrastructures, Administrations grant tenders access to lots of detailed stuff. At least in Spain, some public projects are made available to every citizen to allow people to made allegations against the future infrastructure. You can find even undergraduate and post-doc academic works sponsored by companies regarded as critical operators: I have found academic papers describing the protocols and communication networks and control systems in real power grid substations of named companies. Sooner or later all this information makes it to the Internet.

Keeping this in mind, the next question is: do you really want to build your cybersecurity any longer on the idea that no one knows your industrial process?

Final note: specific data on Stuxnet and its performance is taken from the report published by Symantec (authors Nicolas Falliere, Liam O’Murchu, and Eric Chien) available here.

I’m sure we all have sketched a smile when seeing photographs or videos of strange artifacts powered by steam or internal combustion engines. Most of these inventions failed because the technology used didn’t fit the purpose they were meant for. Seen with modern eyes it’s just so naïve to try to fly a plane fitted with a steam engine. However, those inventors were not as dumb as their failure suggests. They were intelligent people (or, let’s say, not less intelligent than average) trying to solve the problems of their time with the technology available.

Steam powered the beginning of industrialization, granting people access to energy at a scale never seen before. This brand new technology lead to an engineering and cultural revolution that paved the way to our modern society. The Industrial Revolution beginnings were times of faith in progress, of unleashed collective optimism. Steam-powered machines were regarded as the key to all kind of engineering problems that remained unsolved so far.

[Read more…]

A few days ago, following the well-known Mandiant Report “APT1”, we published a small post where we made some assessments about the alleged Chinese attacks on various public and private organizations. We made public a set of Snort rules that could be used to detect —provided that the information from the report Mandiant is true— if an organization had been infected. Obviously, if you receive an alert that should raise some suspicions, but the opposite should not make you assume you are not infected. The resources used for infection are certainly very dynamic and after the report many of them may have been replaced or eliminated.

But this is not what I wanted to talk about. The truth is that I wrote the post with some urgency because we wanted to publish the rules the same day, and I didn’t had the time to think about the complexity of the Chinese attack, its implications, origins and specificities. So I was surprised that none of our readers (you) pointed to some obvious errors in the post that I thought after a while, but I resisted to correct. The entry stated:

The question here is, as pointed accurately by Securosis in their blog, that the difference is not that China has a cyber espionage program, but that its objectives and beneficiaries are both the public and private sectors. From an economic standpoint it makes sense. In an economy largely state-operated and conducted as China, it seems normal that such government “initiatives” benefit economic areas that are in many cases and at least partially, also state. At the end everything remains at home.

The fact is that this is not cyber espionage is not in the sense in which we are accustomed to think about it. This is “something else” and the reason why many people should start to be concerned. Not “classic” or industrial espionage. There is no one to prosecute or to send to the WTO. This is not a criminal action as we understand it. Because it’s more than “simple” military information or technology what is at stake. Is the entire Western economic and social model. It is said that China is a giant that is waking up, but in the light of such reports, may be the Western powers who are sleeping.

One last note. It is true that there is something called Echelon and occasionally this or that power get into suspicious activity (industrial espionage, bribery, etc.) through which they try to favor their national companies in contracts worth millions (see eg , vs. Boeing case. Airbus), but it is conceivable that the volume and size of these bad practices is not even remotely the same as the Chinese (although that is something that we really do not know). There isn’t, to our knowledge, anything like a program of intellectual property stealing coordinated and led by the states (in the political sense, not the U.S.). Such practices belong, in any case, to the private sector, which is subject to the laws and legislations of such states.

This is an approach somewhat underdeveloped and certainly simplistic, but the actions contained in the Mandiant report are not actions of espionage or data theft. These are actions of a political nature that are part of a much broader geopolitical strategy. Carl Von Clausewitz said that war is the continuation of politics by other means. The updated version of the XXI century is clear: cyberwar is nothing more than a tool of politics, with the difference that while the war is legally illegal, there is no such consideration for cyberwar.

Summarizing. This is not about computers anymore. It’s politics. We can “play” hackers meanwhile.

Recently a blog user asked why in in the Snort malware detection rules, when you want to detect the DNS query to certain suspicious domains, certain characters such as “byte_test:1, !&, 0xF8, 2;” are used as testing conditions. To explain let’s take as an example the following VRT rule for Gauss malware detection:

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 
bestcomputeradvisor.com - Gauss"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|13|bestcomputeradvisor|03|com|00|"; fast_pattern:only; metadata:impact_flag 
red, policy balanced-ips drop, policy security-ips drop, service dns; 
reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767

[Read more…]

(Please note this post was published last 12th sept. 2012 in the Spanish version of this blog)

Recently we used a very interesting tool to analyze Java applets: JavaSnoop, developed for BlackHat USA 2010 by Arshan Dabirsiaghi. Broadly speaking, the tool allows us to adhere (attach) to a Java process or start it and intercept the calls made. In addition to intercept these calls and view its contents, we can change the arguments of the methods we are intercepting and modify the return value of the function.

Let’s see how to intercept a Java applet method:

1. Download the latest version of the application: http://code.google.com/p/javasnoop/downloads/list

Note: It is recommended to install the application in a directory that does not contain spaces on Windows (eg C:\JavaSnoop).

2. Download the latest version of Java SDK (requires restart after installation).

3. Set the location of the JAD binary in ““Settings > Manage JAD > Set jad path””. Download from the author website. This will allow us to decompile the classes.

4. We make sure that the JAVA_HOME environment variable for our user is set.

5. To avoid problems with permissions when injecting, JavaSnoop contains in the Resources folder the file unsafe.policy. We copy this file to %USERPROFILE%\.java.policy. This directory should contain a file .java.policy. After our analysis is recommended to restore the initial configuration.

6. It is advisable to activate the Debug Console in Java and keep it active for messages.

7. It is very important the order in which JavaSnoop and the java application are started. With some applets is strictly necessary that JavaSnoop is running before launching the browser.

8. Once started JavaSnoop we use the feature “An existing process“. In this case we see the PID 184 which is an applet that we started in Internet Explorer. Then hit the Attach button to adhere to process 184:

9. Once we have adhered to the process, we will set a “New hook“. To do so, click on the “Add new hook“. If you still do not know what class and method you want to hook, go to Browse, what will open a new window where you can select the class you want.

Now we select the method we are interested in:

Once selected the class and the method, we go back to the main window:

In this window, if we have selected the method (point 1) we will be able to set the actions to be undertaken by JavaSnoop: print the parameters when the method is invoked, print the contents of the stack, modify the parameters that are passed to the function and the return values​​. (points 2 and 3).

10. We can also see features of the process that we have attached to in the Actions menu.

With these steps, you are ready to intercept any Java application in a simple and fast way.