CypherCon 2024 Reverse Engineering Protocols

Presentation Slides: Cyphercon 2024 "Reverse Engineering Protocols for Fun and Profit" Presented by Luciano Moretti, Verve Industrial Protection.

Reverse Engineering Protocols for Fun and Profit


Who am I?
Luciano Moretti
Senior Research Engineer

Verve Industrial Protection


Verve helps industrial companies inventory their devices,
assess and mitigate vulnerabilities, and harden networks.
Agenda
• Why reverse engineer protocols?
• Basics of protocols
• Reverse engineering a protocol
o Data capturing & matching
o Simulation
o Encryption
o RE Tools

• Common protocol issues

Agenda icons by nawicon - Flaticon


Disclaimers

Reverse Engineering can be a legal gray area; consult with your lawyer.

All Logos, Protocol Names, and Programs mentioned are trademark/copyright of their respective owners and are used purely in a nominative manner.
Why Reverse Engineer Protocols?
Interoperability
• Make our software talk to devices
• Extract data our users want
Vulnerability Identification
• Responsible disclosure to vendors
• Makes devices more secure

FUN!
Vulnerability icon by Dewi Sari – Flaticon
Interoperability icon by phatplus - Flaticon
5
What is a Protocol?
A set of rules governing the exchange or
transmission of data.
In the real world:
Semaphore flag positions

6
What is a Protocol?
Our protocols are bits on a wire
Data commonly either text based or mixed binary types
Protocols can be updated to run over newer transports

7
Why do people make custom protocols?
“We didn’t know about the standard protocol”
“The standard doesn’t exactly cover our use case”

Credit: XKCD
https://xkcd.com/927/
8
Why do people make custom protocols?
Efficiency: Say only what we need to say to accomplish the goal
Data is specific to a device
• Configuration
• Program Downloads

“Making our own will be more secure”

“We don’t want others to know how to mess with it”

Tools icon by Prosymbols - Flaticon


Download icon by Secret Studio – Flaticon
Security icon created by Freepik - Flaticon 9
What’s in a protocol?

• Commands
• Addresses
• Lengths
• Start of frame/end of frame
• Sequence numbers
• Checksum/CRCs
• Data

10
Typical Data

Static Data:        Model, Versions, MAC Addresses, Serial Numbers
Dynamic Data:       Device Status, Program Status, Logs, Timestamps
Configuration Data: IP Addresses, Usernames/Passwords, Host Names, Settings, Program Downloads

11
Protocols
Are:
The rules of communication
Sometimes defined in a standard, sometimes custom

Contain:
Data of interest: Device Info, Settings, Status
Metadata: Lengths, Checksums, Sequence Numbers

12
Reverse Engineering Basic Process

Get the hardware

Get the software

Get and read the manual

Protocol capture

Result data capture (Screenshots, logs, copy & paste)

SW icon by Marz Gallery - Flaticon


Manual icon by srip - Flaticon
Computer, Hardware & Protocol icons by Freepik - Flaticon 13
Wireshark Capture
Commonly Used Capture Filters:
• host 10.1.128.2
• port 80
Commonly Used Display Filters
• ip.addr == 10.1.128.2
• tcp.len > 0

Capture several similar communication sequences (the same action repeated with different values) so the captures can be compared against each other

14
Matching Data

• Make a list of target data


• Convert to possible representations

Quick Hexadecimal Tutorial


• Base 16 numbers using characters 0-9 & A-F to represent 0-15
• Hexadecimal numbers are usually preceded by “0x” (but not always)
• Each digit represents 4 bits. A byte is made of 2 digits.

15
Matching Data - Integers
Field size: 8, 16 or 32 bits?

Size     Hex Range                 Unsigned Range       Signed Range
8 bits   0x00 - 0xFF               0 to 255             -128 to 127
16 bits  0x0000 - 0xFFFF           0 to 65,535          -32,768 to 32,767
32 bits  0x00000000 - 0xFFFFFFFF   0 to 4,294,967,295   -2,147,483,648 to 2,147,483,647

Big Endian or Little Endian?

Integer   Hexadecimal   Endianness   Wire Bytes
43,981    0xABCD        Big          AB CD
43,981    0xABCD        Little       CD AB

16
Matching Data - Strings
Null Terminated ASCII (C-String)
43 79 70 68 65 72 43 6F 6E 32 30 32 34 00 ➔ “CypherCon2024\0”

Length + String (Pascal String)
0D 43 79 70 68 65 72 43 6F 6E 32 30 32 34 ➔ 13, “CypherCon2024”

Fixed Allotment (padded with zeros to a fixed field size)
43 79 70 68 65 72 43 6F 6E 32 30 32 34 00 00 00 ➔ “CypherCon2024\0\0\0”

Look-up Table (an index that the software maps to a string)
0x2D ➔ “CypherCon2024”
17
IP & MAC Addresses
IP Addresses
• Usually just 4 bytes: 10.1.128.34 ➔ 0A 01 80 22
• Rarely a string representation: “10.1.128.34”

MAC Addresses
• Almost always a series of 6 bytes

Adapter icon by Freepik - Flaticon


IP icon by Yogi Aprelliyanto - Flaticon

18
Matching Data - Timestamps

As a string: “Apr 05 2024 12:27:39”

POSIX Timestamp: 0x660F EE3B (32-bit count of seconds since 1970-01-01 UTC; this value is the time above taken as UTC)

DOS Date/Time: 0x5885 6373 (16-bit date word then 16-bit time word; seconds are stored at 2-second resolution, so this decodes to 12:27:38)

Win32 FILETIME: 0x01DA 8754 A5D4 2F80 (64-bit count of 100 ns intervals since 1601-01-01 UTC)

Calendar icon by Freepik - Flaticon


19
Matching Data – Version Numbers

As string: “1.2.4r23”

As separate bytes: 0x01 02 04 17 (0x17 = 23)

As separate bytes with the decimal digits kept as hex digits (BCD style): 0x01 02 04 23 (0x23 reads as “23”)

As one integer with each part multiplied into place: 1*1000000 + 2*10000 + 4*100 + 23 = 1020423 ➔ 0x0F 92 07

20
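The matching-data slides above (integers and endianness, C/Pascal/fixed strings, IPv4 bytes, POSIX/DOS/FILETIME timestamps and version encodings) boil down to one routine: take each value you expect to find, generate every representation it could have on the wire, and search the packet for all of them. The following script is an added example, not tooling from the presentation; the sample packet, its layout and the helper names are constructed here, and the timestamp values match the slides when the time is taken as UTC.

```python
"""Turn a list of values you expect to see (integers, strings, IPv4 addresses,
timestamps, version numbers) into their candidate byte representations and
search a packet for each. Added example, not the presenter's tooling; the
sample packet is constructed to contain the values used on the slides."""
import struct
from datetime import datetime, timezone

FILETIME_UNIX_EPOCH = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01


def int_candidates(value):
    """Every 8/16/32-bit width and endianness that can hold value."""
    out = {}
    for bits, code in ((8, "B"), (16, "H"), (32, "I")):
        for order, name in ((">", "be"), ("<", "le")):
            for sign, fmt in (("u", code), ("i", code.lower())):
                try:
                    out[f"{sign}{bits}-{name}"] = struct.pack(order + fmt, value)
                except struct.error:
                    pass  # value does not fit this width/signedness
    return out


def string_candidates(text, fixed_width=16):
    raw = text.encode("ascii")
    return {"cstring": raw + b"\x00",                      # NUL terminated
            "pascal": bytes([len(raw)]) + raw,              # length prefix
            f"fixed{fixed_width}": raw.ljust(fixed_width, b"\x00")}


def ipv4_candidates(addr):
    return {"ipv4-bytes": bytes(int(o) for o in addr.split(".")),
            "ipv4-string": addr.encode("ascii")}


def timestamp_candidates(dt):
    """dt must be timezone-aware; the slide values correspond to UTC."""
    posix = int(dt.timestamp())
    dos_date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    dos_time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)  # 2 s resolution
    filetime = posix * 10_000_000 + FILETIME_UNIX_EPOCH
    return {"posix-be": struct.pack(">I", posix), "posix-le": struct.pack("<I", posix),
            "dos-be": struct.pack(">HH", dos_date, dos_time),     # as written on the slide
            "dos-le": struct.pack("<HH", dos_time, dos_date),     # FAT/ZIP order: time word first
            "filetime-be": struct.pack(">Q", filetime), "filetime-le": struct.pack("<Q", filetime),
            "string": dt.strftime("%b %d %Y %H:%M:%S").encode("ascii")}


def version_candidates(major, minor, patch, rev):
    packed = major * 1_000_000 + minor * 10_000 + patch * 100 + rev  # 1.2.4r23 -> 1020423
    return {"ver-string": f"{major}.{minor}.{patch}r{rev}".encode("ascii"),
            "ver-bytes": bytes([major, minor, patch, rev]),
            "ver-bcd": bytes(int(str(x), 16) for x in (major, minor, patch, rev)),  # 23 -> 0x23
            "ver-packed-be": packed.to_bytes((packed.bit_length() + 7) // 8, "big")}


def find_all(packet, candidates):
    """{name: [offsets]} for every candidate that occurs in packet. Single-byte
    needles hit by chance, so trust long matches first."""
    hits = {}
    for name, needle in candidates.items():
        offs, start = [], 0
        while (i := packet.find(needle, start)) != -1:
            offs.append(i)
            start = i + 1
        if offs:
            hits[name] = offs
    return hits


# Constructed packet: 2-byte header, 0xABCD big-endian, a Pascal string,
# 10.1.128.34, a big-endian POSIX timestamp and a 4-byte version.
WHEN = datetime(2024, 4, 5, 12, 27, 39, tzinfo=timezone.utc)
SAMPLE_PACKET = (b"\x01\x00" + struct.pack(">H", 43981) + b"\x0dCypherCon2024"
                 + b"\x0a\x01\x80\x22" + struct.pack(">I", 1712320059) + b"\x01\x02\x04\x17")


def scan_sample():
    targets = {}
    for c in (int_candidates(43981), string_candidates("CypherCon2024"),
              ipv4_candidates("10.1.128.34"), timestamp_candidates(WHEN),
              version_candidates(1, 2, 4, 23)):
        targets.update(c)
    return find_all(SAMPLE_PACKET, targets)


if __name__ == "__main__":
    for name, offs in sorted(scan_sample().items(), key=lambda kv: kv[1]):
        print(f"{name:14s} at offset(s) {offs}")
```

Run it against a real payload by replacing SAMPLE_PACKET with the UDP/TCP data bytes copied out of Wireshark and the target values with what the vendor software displays; when a value matches in more than one representation, the change-and-recapture step on the next slide is what disambiguates them.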
Change and Recapture
In the packet: What changes? What stays the same?
• Look for matching data changes
• For strings, is there a length field that changes?
• Are there packet length changes?
• Watch for Checksums/CRCs

Iteration icon by Flat Icons – Flaticon


Examine icon created by juicy_fish - Flaticon
21
Simulation

Write a simulator for the device

Start with basic “replay”

Extract known data as discovered

Use to send new data & monitor changes

Simulation & Cut icon created by Freepik - Flaticon


Replay icon by Ehtisham Abid - Flaticon 22
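A "replay first, decode as you go" simulator of the kind the slide describes, as an added example (not the presenter's simulator): it answers each request with the response captured for it, and once a field has been identified (here a 16-bit sequence number at a known offset) it patches that field into the canned response so the vendor software keeps talking while you vary one thing at a time. The capture, the field offset and the UDP port are constructed for illustration.

```python
"""Replay-first device simulator for a UDP protocol: answer each request with
the response captured for it, then patch in the fields already identified
(here a big-endian u16 sequence number at a known offset) so the vendor
software keeps talking while you change one thing at a time. Added example,
not the presenter's simulator; the capture, offsets and port are constructed."""
import socket
import struct


class ReplaySimulator:
    def __init__(self, capture, seq_offset=None):
        # capture: (request, response) byte pairs pulled out of Wireshark
        # seq_offset: offset of a u16 sequence number present in both directions,
        #             or None for pure replay while nothing has been decoded yet
        self.seq_offset = seq_offset
        self.table = {self._key(req): resp for req, resp in capture}

    def _key(self, request):
        """Mask the sequence number so requests differing only there still match."""
        if self.seq_offset is None:
            return request
        o = self.seq_offset
        return request[:o] + b"\x00\x00" + request[o + 2:]

    def handle(self, request):
        response = self.table.get(self._key(request))
        if response is None:
            return None                       # unseen request: capture more, extend the table
        if self.seq_offset is not None:       # echo the caller's sequence number
            o = self.seq_offset
            response = response[:o] + request[o:o + 2] + response[o + 2:]
        return response

    def serve(self, bind=("127.0.0.1", 5020)):
        """Blocking UDP loop; point the vendor software at this address."""
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.bind(bind)
            while True:
                data, peer = sock.recvfrom(65535)
                response = self.handle(data)
                if response is None:
                    print(f"no replay for {data.hex()} from {peer}")
                else:
                    sock.sendto(response, peer)


# Constructed capture: seq (u16 BE) + opcode; opcode 1 = get name, 2 = get status.
CAPTURE = [
    (bytes.fromhex("000101"), bytes.fromhex("000101") + b"\x0dCypherCon2024"),
    (bytes.fromhex("000202"), bytes.fromhex("000202") + b"\x00\x01"),
]


def replay(seq, opcode):
    """What the simulator sends back for a fresh request carrying this seq."""
    sim = ReplaySimulator(CAPTURE, seq_offset=0)
    return sim.handle(struct.pack(">H", seq) + bytes([opcode]))


if __name__ == "__main__":
    ReplaySimulator(CAPTURE, seq_offset=0).serve()
```

Each request the simulator cannot answer is printed rather than guessed at; that list is the worklist for the next capture session. As more fields are decoded (lengths, checksums), they get the same treatment as the sequence number: recompute them in handle() instead of replaying them verbatim.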
Putting it together – Modbus TCP
(Slides 23 to 28: annotated Wireshark captures of a Modbus TCP exchange; the screenshots are not reproduced here. The one surviving annotation, 0x28 * 2 = 0x50, is the cross-check that a register read carries two bytes per 16-bit register: 0x28 registers requested, 0x50 data bytes returned.)

28
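The Modbus TCP slides walk through exactly this kind of cross-check, so here is the exchange in code as an added example (not the presenter's code, and the frames are constructed rather than taken from the slides' capture): build and parse a Read Holding Registers (function 3) request and response, and verify the MBAP length against the bytes that follow, the transaction id against the request, and the response byte count against 2 * quantity, which is where the slide's 0x28 * 2 = 0x50 comes from.

```python
"""Modbus TCP, function 3 (Read Holding Registers): build and parse a
request/response pair and cross-check the fields that show up on the wire:
the MBAP length, the transaction id that ties a response to its request, and
the response byte count, which is 2 * quantity (the slide's 0x28 * 2 = 0x50).
Added example, not the presenter's code; the frames are constructed here."""
import struct

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id (0), length, unit id
FC_READ_HOLDING = 3


def parse_frame(frame):
    """Split the MBAP header from the PDU and check the header's own consistency."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    pdu = frame[MBAP.size:]
    if proto != 0:
        raise ValueError(f"protocol id {proto:#x}, expected 0 for Modbus")
    if length != len(pdu) + 1:           # length counts the unit id plus the PDU
        raise ValueError(f"MBAP length {length} but {len(pdu) + 1} bytes follow")
    return {"tid": tid, "unit": unit, "fc": pdu[0], "pdu": pdu}


def parse_read_holding_request(frame):
    f = parse_frame(frame)
    if f["fc"] != FC_READ_HOLDING or len(f["pdu"]) != 5:
        raise ValueError("not a Read Holding Registers request")
    f["start"], f["quantity"] = struct.unpack(">HH", f["pdu"][1:])
    return f


def parse_read_holding_response(frame, request):
    f = parse_frame(frame)
    if f["tid"] != request["tid"]:
        raise ValueError("transaction id does not match the request")
    if f["fc"] & 0x80:                   # exception: FC | 0x80, then a 1-byte code
        raise ValueError(f"exception response, code {f['pdu'][1]}")
    quantity = request["quantity"]
    f["byte_count"] = f["pdu"][1]
    if f["byte_count"] != 2 * quantity or len(f["pdu"]) != 2 + f["byte_count"]:
        raise ValueError(f"byte count {f['byte_count']:#x} != 2 * {quantity:#x}")
    f["registers"] = list(struct.unpack(f">{quantity}H", f["pdu"][2:]))
    return f


def build_request(tid, unit, start, quantity):
    pdu = struct.pack(">BHH", FC_READ_HOLDING, start, quantity)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def build_response(tid, unit, registers):
    pdu = struct.pack(">BB", FC_READ_HOLDING, 2 * len(registers))
    pdu += struct.pack(f">{len(registers)}H", *registers)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def demo(quantity=0x28):
    """Constructed exchange: change the quantity and watch the byte count follow."""
    req = build_request(tid=1, unit=1, start=0, quantity=quantity)
    resp = build_response(tid=1, unit=1, registers=list(range(quantity)))
    request = parse_read_holding_request(req)
    return parse_read_holding_response(resp, request)


if __name__ == "__main__":
    r = demo()
    print(f"quantity 0x28 -> byte count {r['byte_count']:#x}, registers {r['registers'][:4]}...")
```

The three checks in the parser are the same relationships you would confirm by hand on the slides (length field versus bytes present, request id versus response id, byte count versus quantity); a response that fails them is either a misparse on your side or a device bug worth a closer look.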
Putting it together – Custom Protocol
The following slides are examples from a real custom protocol
• Left: data in the vendor software
• Upper Right: the packet transmitted by the software
• Lower Right: the packet returned by the device

The IP and UDP headers have been stripped; the displayed packets are JUST the UDP payload.
29
Putting it together
(Slides 30 to 38: “Sent Data” / “Response Data” packet pairs from the custom protocol, annotated against the values shown in the vendor software; the packet images are not reproduced here. Two annotations survive: the bytes 0A 01 80 1B are the IP address 10.1.128.27, and the /24 subnet mask appears on the wire as the single byte 0x18 = 24.)

38
Encryption
Makes life much harder
Becoming more common
Two basic types:
• Signing: a hash or MAC appended for integrity; the data itself is still readable
• Full Packet Encryption: all data obfuscated
Many algorithms & levels of sophistication

Encryption icon by juicy_fish - Flaticon


39
Dealing with Encryption
• Check the negotiation (how keys are exchanged and ciphers chosen)
• Does a replay attack work?
• Look on the host side for keys
• Make minor changes to the input and watch what changes on the wire
• Brute force
If the software can display a value, it had the keys; you run the software, so you have the keys too.
Encryption icon by juicy_fish - Flaticon
40
Reverse Engineering Software
Debuggers
• Dump memory to look for strings/tables.
Decompilers
• .NET is generally easy (dotPeek) while C is harder.
• C++/Go/Rust are difficult.
Look for socket API calls: send(), sendto(), recv()
• The code that formats the packet is usually nearby.
41
Don’t Reinvent the Wheel.
Resources to use:

• Vulnerability White Papers

• Wireshark Dissectors

• Vendor software libraries

42
Reverse Engineering Summary
• Search for documentation
• Get the device & software
• Identify what data could be on the wire
• Search the captures
• Make changes and watch the packets change
• Use simulation, debuggers & decompilers as needed

43
Common Protocol Issues: Authentication

No Authentication
Bad Password handling
• XOR obfuscation or a simple hash instead of real encryption
• No rate limiting
• Password stored on one end and checked on the other, so it crosses the wire
• Password readable through an unauthenticated part of the protocol

Hardcoded “Support” accounts


Customer service icon by Freepik - Flaticon
Authentication icon by Eucalyp - Flaticon

44
Common Protocol Issues: Data Protection
Clear text sensitive data in Protocol
• Passwords, Usernames, Wireless Network Keys
Ability to read/change anything without authentication:
• Read or set passwords and keys
• Download configurations/User Programs
• “Update” firmware

Hacker icon by Freepik - Flaticon

45
Common Protocol Issues: Implementation

Overflow/Underflow issues

Data verification issues

Injection attacks

Replay attacks (esp. Login)


Flow icon by Vectors Tank - Flaticon
Verification icon by Eucalyp – Flaticon
Injection icon by Dewi Sari - Flaticon
Replay icon by bearicons - Flaticon

46
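The XOR/simple-hash item on the Authentication slide and the login replay item on the Implementation slide are two sides of the same design mistake, so one added example covers both (it is not from the presentation; the vendor key, passwords and frame layout are constructed). The weak side shows that a single known plaintext, your own password, recovers a repeating XOR key and with it every other captured login; the stronger side is a nonce-based HMAC challenge-response in which the password never crosses the wire and a captured login cannot be replayed.

```python
"""Two of the authentication weaknesses above side by side: a password sent
under a repeating-key XOR (recoverable from one known plaintext) in a fixed
login frame (replayable), versus a nonce-based HMAC challenge-response.
Added example, not from the presentation; the key, passwords and frame
layout are constructed for illustration."""
import hashlib
import hmac
import os

VENDOR_KEY = b"\x5a\xa5\x3c"  # constructed; in practice it sits in the firmware and the client


def xor_obfuscate(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def weak_login_frame(password):
    """Weak design: opcode 1 followed by the XOR-'encrypted' password."""
    return b"\x01" + xor_obfuscate(password.encode("ascii"), VENDOR_KEY)


def find_period(stream):
    """Smallest p such that the stream repeats every p bytes."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)


def attack_weak_login(my_password, captured_frames):
    """Known-plaintext attack: my own login frame reveals the keystream, its
    period reveals the key, and the key decrypts everyone else's frames."""
    keystream = xor_obfuscate(weak_login_frame(my_password)[1:], my_password.encode("ascii"))
    key = keystream[:find_period(keystream)]
    return [xor_obfuscate(frame[1:], key).decode("ascii") for frame in captured_frames]


class ChallengeResponseDevice:
    """Device side of the stronger design: the password never crosses the
    wire, and each nonce is accepted once, so a captured login cannot be
    replayed. The stored verifier is simplified to sha256(password); a leaked
    verifier is password-equivalent here, so a real device stores a proper
    password hash and must still keep it off the wire and out of reach."""

    def __init__(self, password):
        self.verifier = hashlib.sha256(password.encode("ascii")).digest()
        self.outstanding = set()

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, tag):
        if nonce not in self.outstanding:   # never issued, or already consumed: replay
            return False
        self.outstanding.discard(nonce)
        expected = hmac.new(self.verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def client_response(password, nonce):
    verifier = hashlib.sha256(password.encode("ascii")).digest()
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


def demo():
    # Weak side: two other users' captured logins fall to one known plaintext.
    captured = [weak_login_frame("hunter2"), weak_login_frame("admin123")]
    recovered = attack_weak_login("CypherCon2024", captured)
    # Strong side: the same tag is accepted once and rejected on replay.
    dev = ChallengeResponseDevice("hunter2")
    nonce = dev.challenge()
    tag = client_response("hunter2", nonce)
    first, replay = dev.verify(nonce, tag), dev.verify(nonce, tag)
    return recovered, first, replay


if __name__ == "__main__":
    print(demo())
```

In a real assessment the "known plaintext" is simply the account you were given; capture your own login, XOR it against the password you typed, and the keystream's period tells you whether the vendor used a fixed key, a per-session key, or something that actually needs cryptanalysis.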
Summary
(Robot image caption: “I am fluent in over six million protocols”)
Protocols are how devices talk to each other

Understanding protocols lets us:


• Get information
• Find Vulnerabilities

Protocols are a practical puzzle waiting to be solved


Robot icon by Good Ware - Flaticon

47
Thank You
Luciano Moretti
[email protected]

www.verveindustrial.com
