The JAR of Joy

SensePost - 2010

`whoami`
•  SensePost
•  ian@sensepost.com
  –  Break some stuff
  –  Write reports about breaking some stuff
  –  Abuse the staff

Why This Talk?
•  import disclaimer;
•  Not ground-breaking stuff – no 0-day
•  Java applications and applets appear to be popular again
•  Reversing Java applications can be difficult
•  Tips for reversing Java in less time (in my experience, in any case)…

The JAR File
•  Java ARchive
•  Used to distribute Java applications / applets etc.
•  ZIP file containing compiled classes, libraries, settings, certificates, *
•  Trivial to extract
•  Normally discloses a vast amount of information

Attacking Java is fun
•  Trivial to reverse engineer
•  Compiled applications are vulnerable to virtually all attacks traditional web apps are vulnerable to…
•  …but all wrapped up in an increased sense of developer smugness
•  Repurposed Java applications make *awesome* attack tools

Difficulties Attacking Java
•  Many classes and libraries in the JAR files of complex applications
•  Class files often do not decompile cleanly
•  Impossible to fix all Java sources in a large application
•  Applets and applications are frequently signed
•  Obfuscated code
•  Frequently have to rely on other tools too…

Defeating Signing
•  Certificate information stored in META-INF
•  MANIFEST.MF contains hashes for resources
•  These files can easily be deleted…

What this Means
•  Now possible to modify classes in the JAR file
•  Signing normally used specifically for Java applets
  –  Allow applets to access network resources
  –  Allow applets to read / write files
•  However, the applet runs on *my* machine
  –  Can specify own security model…

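Added example (not from the slides): the defender-side check for what the two signing slides describe. It reports whether a JAR still carries its META-INF signature files (a .SF plus an .RSA/.DSA/.EC signature block) and whether each entry still matches the digest recorded for it in MANIFEST.MF, so both a stripped signature and a swapped class show up. The demo JARs, the com/example class names and the DEMO.SF/DEMO.RSA placeholders are constructed; only the manifest-digest layer is verified here, not the signature block over the .SF file.

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest(text):
    """Return {entry_name: attrs} for the per-entry sections of a MANIFEST.MF."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # a leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = [], {}
    for line in lines + [""]:                 # sections are separated by blank lines
        if line.strip():
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
        elif current:
            sections.append(current)
            current = {}
    return {s["Name"]: s for s in sections if "Name" in s}

def audit_jar(jar_bytes):
    """Report whether signature files are present and whether each entry's bytes
    still match the digest recorded for it in MANIFEST.MF."""
    report = {"signed": False, "ok": [], "no_digest": [], "mismatch": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        entries = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        sigs = [n.upper() for n in names
                if n.startswith("META-INF/") and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC"))]
        # A signed JAR carries a .SF file plus a signature block (.RSA/.DSA/.EC);
        # delete either, as the slides describe, and the JAR is simply unsigned.
        report["signed"] = (any(s.endswith(".SF") for s in sigs)
                            and any(not s.endswith(".SF") for s in sigs))
        for name in names:
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            attrs = entries.get(name)
            if attrs is None:
                report["no_digest"].append(name)
                continue
            data, matched = zf.read(name), False
            for key, value in attrs.items():
                if key.endswith("-Digest"):
                    algo = key[:-len("-Digest")].replace("-", "").lower()   # SHA-256 -> sha256
                    actual = base64.b64encode(hashlib.new(algo, data).digest()).decode()
                    matched = matched or actual == value
            (report["ok"] if matched else report["mismatch"]).append(name)
    return report

def build_jar(manifest_files, signed=True, contents=None):
    """Construct a demo JAR: manifest digests come from manifest_files, stored bytes from
    contents (default: the same). DEMO.SF/DEMO.RSA are placeholders, not a real signature."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in manifest_files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/DEMO.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/DEMO.RSA", b"placeholder-signature-block")
        for name, data in (contents or manifest_files).items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed stand-ins for compiled classes (real class files begin with 0xCAFEBABE).
CLASSES = {"com/example/Main.class": b"\xca\xfe\xba\xbe main",
           "com/example/Sanitiser.class": b"\xca\xfe\xba\xbe sanitise"}
# Same manifest, but Sanitiser.class swapped for a recompiled copy.
PATCHED = {**CLASSES, "com/example/Sanitiser.class": b"\xca\xfe\xba\xbe patched"}
```

Running `audit_jar(build_jar(CLASSES, signed=False))` yields `signed: False` with every digest intact, while `audit_jar(build_jar(CLASSES, contents=PATCHED))` lists `com/example/Sanitiser.class` under `mismatch`.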
Obfuscation
•  Defeating Java obfuscation is difficult
•  Depends on the obfuscation mechanism used
•  In most cases, virtually impossible…
•  … however, the newer attack methodologies outlined later will help

…but wait – there is more…

Obfuscation
•  A bunch of classes depending on reflection methods and serialized objects cannot normally be obfuscated…
•  … in obfuscated applications this provides us with a nice area to attack

Java Quick Kills
•  Not necessary to fix all compiler errors
•  Only need to fix the specific classes with the functionality you need
  –  Sanitisation libraries
  –  Network stream libraries
•  Updated classes can be recompiled with the original JAR file on the classpath to satisfy dependencies

Demo and Walkthrough
•  Decompile the application and export sources
•  Identify key source files and include them in the project
•  Remove the compiled class files from the original JAR
•  Rebuild the JAR file
•  Link the modified JAR file to the compiler CLASSPATH
•  Modify source code and run…
•  Repurposing uses the same technique…
•  … but changes the functionality in order to turn the application into an attack tool

Newer Attack Methods
•  New research and toolsets make reversing and recompiling unnecessary…
•  Also make it easier to attack obfuscated applications
•  Cannot always be used for repurposing

BlackHat Europe – 2010
•  Manish Saindane
  –  Demonstrated attacks against serialized objects
  –  Provided a Burp plug-in to view and modify serialized objects

http://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html

Demo – Serialized Objects

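Added example, not from the slides or from the Burp plug-in mentioned above: a look-ahead inspector for the Java serialization stream format that names the classes a receiver would instantiate (and their declared fields) before anything is deserialized, which is the basis of a deserialization allowlist on the receiving side. The `com.example.Order` stream is constructed by hand from the protocol's type codes; class annotations and streams whose top-level item is not TC_OBJECT are deliberately rejected rather than guessed at.

```python
import struct

# Type codes and base wire handle from the Java Object Serialization Stream Protocol.
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x70, 0x71, 0x72, 0x73, 0x74, 0x78
BASE_WIRE_HANDLE = 0x7E0000

class StreamInspector:
    """Read only the class descriptors of a stream: enough to name what the
    receiver would instantiate, without deserializing anything."""
    def __init__(self, data):
        self.data, self.pos, self.handles = data, 0, []
    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated stream")
        self.pos += n
        return chunk
    def utf(self):                 # 2-byte big-endian length, then (modified) UTF-8 bytes
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")
    def ref(self):                 # TC_REFERENCE: 4-byte handle pointing at an earlier item
        return self.handles[struct.unpack(">I", self.take(4))[0] - BASE_WIRE_HANDLE]
    def type_name(self):           # className1 of an object field: TC_STRING or TC_REFERENCE
        tc = self.take(1)[0]
        if tc == TC_STRING:
            self.handles.append(self.utf())
            return self.handles[-1]
        if tc == TC_REFERENCE:
            return self.ref()
        raise ValueError(f"unexpected type code 0x{tc:02x} in field type")
    def class_desc(self):
        """Parse a classDesc and its superclass chain into a list of descriptors."""
        tc = self.take(1)[0]
        if tc == TC_NULL:
            return []
        if tc == TC_REFERENCE:
            return [self.ref()]
        if tc != TC_CLASSDESC:
            raise ValueError(f"unsupported class descriptor type code 0x{tc:02x}")
        desc = {"class": self.utf(), "suid": struct.unpack(">q", self.take(8))[0], "fields": []}
        self.handles.append(desc)  # newHandle is assigned here, before the field list
        desc["flags"] = self.take(1)[0]
        for _ in range(struct.unpack(">H", self.take(2))[0]):
            typecode, name = chr(self.take(1)[0]), self.utf()
            desc["fields"].append((name, self.type_name() if typecode in "L[" else typecode))
        if self.take(1)[0] != TC_ENDBLOCKDATA:
            raise ValueError("class annotations are not supported by this inspector")
        return [desc] + self.class_desc()
    def inspect(self):
        if self.take(4) != b"\xac\xed\x00\x05":
            raise ValueError("not a Java serialization stream (bad magic or version)")
        if self.take(1)[0] != TC_OBJECT:
            raise ValueError("stream does not begin with TC_OBJECT")
        return self.class_desc()

def classes_in(data):
    return [d["class"] for d in StreamInspector(data).inspect()]

def allowed(data, allowlist):
    """Look-ahead gate: accept only if the stream parses and every named class is allowlisted."""
    try:
        return all(c in allowlist for c in classes_in(data))
    except ValueError:
        return False

def jutf(s):                       # helper to build the constructed sample below
    return struct.pack(">H", len(s.encode())) + s.encode()

# Constructed sample: com.example.Order { int id = 42; String customer = "alice" }, SUID 1, SC_SERIALIZABLE
SAMPLE = (b"\xac\xed\x00\x05" + bytes([TC_OBJECT, TC_CLASSDESC]) + jutf("com.example.Order")
          + struct.pack(">q", 1) + b"\x02" + struct.pack(">H", 2)
          + b"I" + jutf("id")
          + b"L" + jutf("customer") + bytes([TC_STRING]) + jutf("Ljava/lang/String;")
          + bytes([TC_ENDBLOCKDATA, TC_NULL])
          + struct.pack(">i", 42) + bytes([TC_STRING]) + jutf("alice"))
```

`classes_in(SAMPLE)` returns `["com.example.Order"]`, and `allowed(SAMPLE, {"com.example.Order"})` is the check a receiver would run before handing the bytes to `ObjectInputStream`.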
BlackHat Las Vegas – 2010
•  Arshan Dabirsiaghi
  –  JavaSnoop: How to Hack Anything Written in Java
•  Stephen de Vries
  –  Hacking Java Clients
•  Both talks outlined new methods for attacking Java applications

http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html

Demo – JavaSnoop

In Summary
•  Java reversing is fun
•  Java reversing can be easy
•  Newer attack methodologies no longer require attackers to reverse the application
•  Traditional reversing techniques still normally apply for repurposing applications

Ta Muchly
•  ZaCon folkses

Questions?

ian@sensepost.com
