sábado, 3 de junho de 2023

Iranian Hackers Using New PowerShell Backdoor In Cyber Espionage Attacks

 


An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor, according to new research published by Cybereason.

The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten (aka Phosphorous, APT35, or TA453), while also calling out the backdoor's evasive PowerShell execution.

"The PowerShell code runs in the context of a .NET application, thus not launching 'powershell.exe' which enables it to evade security products," Daniel Frank, senior malware researcher at Cybereason, said. "The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy."

The threat actor, which is active since at least 2017, has been behind a series of campaigns in recent years, including those wherein the adversary posed as journalists and scholars to deceive targets into installing malware and stealing classified information.


Earlier this month, Check Point Research disclosed details of an espionage operation that involved the hacking group exploiting the Log4Shell vulnerabilities to deploy a modular backdoor dubbed CharmPower for follow-on attacks.

The latest refinements to its arsenal, as spotted by Cybereason, constitutes an entirely new toolset that encompasses the PowerLess Backdoor, which is capable of downloading and executing additional modules such as a browser info-stealer and a keylogger.

Also potentially linked to the same developer of the backdoor are a number of other malware artifacts, counting an audio recorder, an earlier variant of the information stealer, and what the researchers suspect to be an unfinished ransomware variant coded in .NET.

Furthermore, infrastructure overlaps have been identified between the Phosphorus group and a new ransomware strain called Memento, which first emerged in November 2021 and took the unusual step of locking files within password-protected archives, followed by encrypting the password and deleting the original files, after their attempts to encrypt the files directly were blocked by endpoint protection.

"The activity of Phosphorus with regard to ProxyShell took place in about the same time frame as Memento," Frank said. "Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor."

More articles


  1. Pentest Tools Nmap
  2. Hacker Tools For Ios
  3. Termux Hacking Tools 2019
  4. Pentest Tools Windows
  5. Pentest Tools Find Subdomains
  6. Hack Website Online Tool
  7. Tools Used For Hacking
  8. Pentest Tools Url Fuzzer
  9. Pentest Tools Android
  10. Hacker Tools For Ios
  11. Hack Tools For Games
  12. Pentest Tools Website
  13. Pentest Tools Url Fuzzer
  14. Hacking Tools Software
  15. Hacker Tools Linux
  16. Hacker Tools For Pc
  17. Hacking Tools Windows
  18. Hacker Tools Linux
  19. Hak5 Tools
  20. Hack And Tools
  21. Hacker Tools 2020
  22. Pentest Tools Review
  23. What Is Hacking Tools
  24. Pentest Tools Apk
  25. Pentest Tools Free
  26. Hacker Tool Kit
  27. Hacking Tools Name
  28. Pentest Tools Review
  29. Hacking Tools Software
  30. Hack Tools Download
  31. Hacking Tools Hardware
  32. Hacker Tools Free
  33. Best Hacking Tools 2020
  34. How To Install Pentest Tools In Ubuntu
  35. Hack Rom Tools
  36. Hacker Tools 2019
  37. Hack Tools For Pc
  38. Hack Tools Mac
  39. Hack Tools 2019
  40. Pentest Tools Open Source
  41. Hacking Tools Kit
  42. Hack Tool Apk
  43. How To Make Hacking Tools
  44. Pentest Automation Tools
  45. Hacking Tools And Software
  46. Hacking Tools For Pc
  47. How To Install Pentest Tools In Ubuntu
  48. Pentest Tools Port Scanner
  49. Hacks And Tools
  50. Hak5 Tools
  51. What Are Hacking Tools
  52. How To Make Hacking Tools
  53. Pentest Tools For Windows
  54. Hacking Tools For Mac
  55. Hacking Tools 2019
  56. Hacking Tools Online
  57. Pentest Tools
  58. Pentest Tools For Android
  59. Hack App
  60. Hacker Tools Free
  61. Hacking Tools And Software
  62. Pentest Tools Subdomain
  63. Hack Tools For Windows
  64. Hacking Tools Github
  65. Free Pentest Tools For Windows
  66. Hacking Tools Windows 10
  67. Bluetooth Hacking Tools Kali
  68. Hacking Tools And Software
  69. Hacking Tools For Mac
  70. Black Hat Hacker Tools
  71. What Is Hacking Tools
  72. Hack Tools Online
  73. Pentest Tools List
  74. Hacking Tools Kit
  75. Hacking Tools Online
  76. Hacking Tools
  77. Best Pentesting Tools 2018
  78. Hacking Apps
  79. Usb Pentest Tools
  80. Pentest Tools For Windows
  81. Pentest Tools For Ubuntu
  82. Hacker Tools Hardware
  83. Hacker Tools For Pc
  84. Hacker Techniques Tools And Incident Handling
  85. Hacking Tools For Beginners
  86. Pentest Tools Kali Linux
  87. Hack Tools For Windows
  88. Pentest Tools Framework
  89. Hacker Tools List
  90. Tools For Hacker
  91. Pentest Automation Tools
  92. Hacker Tools Hardware
  93. Pentest Tools Apk
  94. Pentest Tools Open Source
  95. Pentest Tools Online
  96. Hacking Tools Software
  97. Hack Rom Tools
  98. Hack Tools For Windows
  99. World No 1 Hacker Software
  100. Hacking Tools For Games
  101. Hacking Tools
  102. Pentest Tools Free
  103. Hacking Tools Software
  104. Hacking Tools For Windows 7
  105. Hak5 Tools
  106. Pentest Box Tools Download
  107. Hacker Tools Free Download
  108. World No 1 Hacker Software
  109. Hack Tools For Windows
  110. Hacker Tools Mac
  111. Hacker Tools Github
  112. Hack Tools Mac
  113. Blackhat Hacker Tools
  114. Free Pentest Tools For Windows
  115. Hacking Tools Name
  116. Hackrf Tools
  117. Hacking Tools For Windows 7
  118. Hack Tools For Windows
  119. Hacking Tools For Mac
  120. Hacker Tools Linux
  121. Hacking Tools Online
  122. Hacking Tools Download
  123. Hack Tool Apk No Root
  124. Install Pentest Tools Ubuntu
  125. Pentest Tools Bluekeep
  126. Wifi Hacker Tools For Windows
  127. Hacker Tools For Windows
  128. Tools 4 Hack
  129. Hacking Tools For Windows 7
  130. Pentest Tools Find Subdomains
  131. Pentest Tools Tcp Port Scanner
  132. Hacker Tools Apk Download

RECONNAISSANCE IN ETHICAL HACKING

What is reconnaissance in ethical hacking?
This is the primary phase of hacking where the hacker tries to collect as much information as possible about the target.It includes identifying the target ip address range,network,domain,mail server records etc.

They are of two types-
Active Reconnaissance 
Passive Reconnaissance 

1-Active Reconnaissance-It the process from which we directly interact with the computer system to gain information. This information can be relevant and accurate but there is a risk of getting detected if you are planning active reconnaissance without permission.if you are detected then the administration will take the severe action action against you it may be jail!

Passive Reconnaissance-In this process you will not be directly connected to a computer system.This process is used to gather essential information without ever interacting with the target system.
Related articles

eWPT - Web Application Penetration



 The eWPT - Web Application Penetration Testing Professional course from the popular eLearnSecurity Institute and INE is an advanced web penetration testing course. Prerequisites for this course Completion of the eJPT courseIs. The eWPT course is one of the most popular courses in the field of web penetration testing or web hacking. This course is usually compared to the AWAE course from Offensive-Security and the SEC542 course from SANS. This course starts from a complete beginner in the field of web penetration testing and its topics continue to an advanced level. In this course you will gain an in-depth understanding of OWASP, Burpsuite software, complete web application analysis, data collection, common bugs such as XSS and SQL Injection, Session-based vulnerabilities, as well as LFI / RFI, attacks On HTML, content management systems (CMS) penetration testing such as WordPress, penetration testing of SQL and non-SQL databases. 


Course pre requisites

Completion of the eJPT course
Course specifications
Course level: Intermediate
Time: 16 hours and 18 minutes
Includes: ‌ 30 videos | 18 labs | ‌ 15 slides
Professor: Dimitrios Bougioukas
EWPT Course Content - Web Application Penetration Testing Professional
Web Application Penetration Testing
Penetration Testing Process
Introduction
Information Gathering
Cross Site Scripting
SQL Injections
Authentication and Authorization
Session Security
Flash
HTML5
File and Resources Attacks
Other Attacks
Web Services
XPath
Penetration Testing Content Management Systems
Penetration Testing NoSQL Databases

Related posts
  1. Pentest Tools Port Scanner
  2. Kik Hack Tools
  3. Pentest Tools For Mac
  4. How To Hack
  5. Growth Hacker Tools
  6. Pentest Tools Linux
  7. Black Hat Hacker Tools
  8. Hacking Tools For Windows Free Download
  9. Hacking Tools Windows 10
  10. Pentest Tools Download
  11. Hacking Tools 2020
  12. Pentest Automation Tools
  13. Pentest Tools Port Scanner
  14. Pentest Tools Free
  15. Hacking Tools Github
  16. Termux Hacking Tools 2019
  17. Hacker Tools Hardware
  18. Best Hacking Tools 2019
  19. Pentest Tools Online
  20. Hacking Tools For Kali Linux
  21. Pentest Tools Open Source
  22. Pentest Tools Website Vulnerability
  23. Hacker Tools List
  24. Wifi Hacker Tools For Windows
  25. Hacker Tools Apk
  26. Best Hacking Tools 2020
  27. Hacker Tools Linux
  28. Hack Tools For Pc
  29. Underground Hacker Sites
  30. Hack Tools Online
  31. Hacking Tools For Games
  32. Hacking Tools For Beginners
  33. Best Hacking Tools 2020
  34. Hacking Tools Windows 10
  35. Hacker Tools For Mac
  36. New Hack Tools
  37. Hacking App
  38. Hackrf Tools
  39. Pentest Tools Github
  40. Wifi Hacker Tools For Windows
  41. Hacking Tools Free Download
  42. Hak5 Tools
  43. Hack Tools For Games
  44. Tools For Hacker
  45. Hack Tools Online
  46. New Hack Tools
  47. Hacking Tools Github
  48. Hacker Tools Free
  49. What Are Hacking Tools
  50. Hack And Tools
  51. Free Pentest Tools For Windows
  52. Github Hacking Tools
  53. Best Pentesting Tools 2018
  54. Pentest Tools Url Fuzzer
  55. Hackers Toolbox
  56. Pentest Reporting Tools
  57. Hack Tools
  58. Pentest Tools Android
  59. What Is Hacking Tools
  60. Hacking Tools 2020
  61. Hacker Security Tools
  62. Nsa Hack Tools Download
  63. Hack Tools Mac
  64. Hack App
  65. Hack And Tools
  66. Hack Tools Mac
  67. Hacking Tools Online
  68. Pentest Tools Website
  69. Hacking Tools Download
  70. Pentest Tools Framework
  71. New Hack Tools
  72. Hackers Toolbox
  73. Hacker Tools Mac
  74. Hack Apps
  75. Hack Tool Apk
  76. Pentest Tools For Mac
  77. Pentest Tools Alternative
  78. Hacker Hardware Tools
  79. Hacking App
  80. Free Pentest Tools For Windows
  81. Nsa Hacker Tools
  82. Best Hacking Tools 2019
  83. Hack Rom Tools
  84. Blackhat Hacker Tools
  85. Install Pentest Tools Ubuntu
  86. Hack Website Online Tool
  87. Hacking Tools Free Download
  88. Beginner Hacker Tools
  89. Hack Tools For Ubuntu
  90. Hacker Tools Mac
  91. Hacking Tools For Windows Free Download
  92. Beginner Hacker Tools
  93. Hacking Tools Free Download
  94. Hack Tools Pc
  95. Hack App
  96. Pentest Tools Linux
  97. Pentest Tools For Windows
  98. Hacking Tools For Games
  99. Pentest Tools Bluekeep
  100. Tools Used For Hacking
  101. Hacking Apps
  102. Hacking Tools Kit
  103. How To Install Pentest Tools In Ubuntu
  104. Pentest Tools Apk
  105. Pentest Tools Github
  106. Hack Tools Download
  107. Hacking App
  108. Underground Hacker Sites
  109. Free Pentest Tools For Windows
  110. Hacking Tools For Windows 7
  111. Pentest Tools For Mac
  112. Hack Tools For Mac
  113. Bluetooth Hacking Tools Kali
  114. Bluetooth Hacking Tools Kali
  115. Hack Tools Pc
  116. Hack Rom Tools
  117. Pentest Tools Subdomain
  118. Hacker Tools Hardware
  119. Hacker Tools Apk Download
  120. Hack Tools Mac
  121. Hacks And Tools
  122. Hack And Tools
  123. Hacker Tools Hardware
  124. Hacker Tools Online
  125. Pentest Tools Tcp Port Scanner
  126. Hack Rom Tools
  127. Computer Hacker
  128. Hacking Tools Github
  129. Hacker Tools Software
  130. Best Pentesting Tools 2018
  131. Physical Pentest Tools
  132. Tools 4 Hack
  133. Android Hack Tools Github
  134. Hacker Tool Kit
  135. Best Hacking Tools 2019
  136. How To Hack
  137. Hacker Tools Apk
  138. Underground Hacker Sites
  139. Pentest Tools For Windows
  140. Pentest Box Tools Download
  141. Pentest Tools Website
  142. Hacking Tools 2019
  143. Hack Tools Download
  144. Ethical Hacker Tools
  145. Hacker Hardware Tools
  146. Hacking Tools Usb
  147. Hacking Tools For Games
  148. Hack Tools Github
  149. Hack Rom Tools
  150. Install Pentest Tools Ubuntu
  151. Hacking Tools Free Download
  152. Hacker Tools Mac
  153. Pentest Tools
  154. Hackrf Tools
  155. Pentest Tools Framework
  156. Hacker Tool Kit
  157. Pentest Tools Linux
  158. Pentest Tools Free
  159. Pentest Tools Website Vulnerability
  160. Hacking Tools For Games
  161. Hacking Tools Mac
  162. Pentest Automation Tools
  163. Growth Hacker Tools
  164. Pentest Tools Nmap
  165. Pentest Automation Tools
  166. Hacker Tools For Windows
  167. Pentest Tools

sexta-feira, 2 de junho de 2023

Practical Bleichenbacher Attacks On IPsec IKE

We found out that reusing a key pair across different versions and modes of IPsec IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers. These vulnerabilities existed in implementations by Cisco, Huawei, and others.

This week at the USENIX Security conference, I will present our research paper on IPsec attacks: The Dangers of Key Reuse: Practical Attacks on IPsec IKE written by Martin Grothe, Jörg Schwenk, and me from Ruhr University Bochum as well as Adam Czubak and Marcin Szymanek from the University of Opole [alternative link to the paper]. This blog post is intended for people who like to get a comprehensive summary of our findings rather than to read a long research paper.

IPsec and Internet Key Exchange (IKE)

IPsec enables cryptographic protection of IP packets. It is commonly used to build VPNs (Virtual Private Networks). For key establishment, the IKE protocol is used. IKE exists in two versions, each with different modes, different phases, several authentication methods, and configuration options. Therefore, IKE is one of the most complex cryptographic protocols in use.

In version 1 of IKE (IKEv1), four authentication methods are available for Phase 1, in which initial authenticated keying material is established: Two public key encryption based methods, one signature based method, and a PSK (Pre-Shared Key) based method.

Attacks on IKE implementations

With our attacks we can impersonate an IKE device: If the attack is successful, we share a set of (falsely) authenticated symmetric keys with the victim device, and can successfully complete the handshake – this holds for both IKEv1 and IKEv2. The attacks are based on Bleichenbacher oracles in the IKEv1 implementations of four large network equipment manufacturers: Cisco, Huawei, Clavister, and ZyXEL. These Bleichenbacher oracles can also be used to forge digital signatures, which breaks the signature based IKEv1 and IKEv2 variants. Those who are unfamiliar with Bleichenbacher attacks may read this post by our colleague Juraj Somorovsky for an explanation.

The affected hardware test devices by Huawei, Cisco, and ZyXEL in our network lab.

We show that the strength of these oracles is sufficient to break all handshake variants in IKEv1 and IKEv2 (except those based on PSKs) when given access to powerful network equipment. We furthermore demonstrate that key reuse across protocols as implemented in certain network equipment carries high security risks.

We additionally show that both PSK based modes can be broken with an offline dictionary attack if the PSK has low entropy. Such an attack was previously only documented for one of those modes (edit: see this comment). We thus show attacks against all authentication modes in both IKEv1 and IKEv2 under reasonable assumptions.

The relationship between IKEv1 Phase 1, Phase 2, and IPsec ESP. Multiple simultaneous Phase 2 connections can be established from a single Phase 1 connection. Grey parts are encrypted, either with IKE derived keys (light grey) or with IPsec keys (dark grey). The numbers at the curly brackets denote the number of messages to be exchanged in the protocol.

Where's the bug?

The public key encryption (PKE) based authentication mode of IKE requires that both parties exchanged their public keys securely beforehand (e. g. with certificates during an earlier handshake with signature based authentication). RFC 2409 advertises this mode of authentication with a plausibly deniable exchange to raise the privacy level. In this mode, messages three and four of the handshake exchange encrypted nonces and identities. They are encrypted using the public key of the respective other party. The encoding format for the ciphertexts is PKCS #1 v1.5.

Bleichenbacher attacks are adaptive chosen ciphertext attacks against RSA-PKCS #1 v1.5. Though the attack has been known for two decades, it is a common pitfall for developers. The mandatory use of PKCS #1 v1.5 in the PKE authentication methods raised suspicion of whether implementations resist Bleichenbacher attacks.

PKE authentication is available and fully functional in Cisco's IOS operating system. In Clavister's cOS and ZyXEL's ZyWALL USG devices, PKE is not officially available. There is no documentation and no configuration option for it and it is therefore not fully functional. Nevertheless, these implementations processed messages using PKE authentication in our tests.

Huawei implements a revised mode of the PKE mode mentioned in the RFC that saves one private key operation per peer (we call it RPKE mode). It is available in certain Huawei devices including the Secospace USG2000 series.

We were able to confirm the existence of Bleichenbacher oracles in all these implementations. Here are the CVE entries and security advisories by the vendors (I will add links once they are available):
On an abstract level, these oracles work as follows: If we replace the ciphertext of the nonce in the third handshake message with a modified RSA ciphertext, the responder will either indicate an error (Cisco, Clavister, and ZyXEL) or silently abort (Huawei) if the ciphertext is not PKCS #1 v1.5 compliant. Otherwise, the responder continues with the fourth message (Cisco and Huawei) or return an error notification with a different message (Clavister and ZyXEL) if the ciphertext is in fact PKCS #1 v1.5 compliant. Each time we learn that the ciphertext was valid, we can advance the Bleichenbacher attack one more step.

A Bleichenbacher Attack Against PKE

If a Bleichenbacher oracle is discovered in a TLS implementation, then TLS-RSA is broken since one can compute the Premaster Secret and the TLS session keys without any time limit on the usage of the oracle. For IKEv1, the situation is more difficult: Even if there is a strong Bleichenbacher oracle in PKE and RPKE mode, our attack must succeed within the lifetime of the IKEv1 Phase 1 session, since a Diffie-Hellman key exchange during the handshake provides an additional layer of security that is not present in TLS-RSA. For example, for Cisco this time limit is currently fixed to 60 seconds for IKEv1 and 240 seconds for IKEv2.

To phrase it differently: In TLS-RSA, a Bleichenbacher oracle allows to perform an ex post attack to break the confidentiality of the TLS session later on, whereas in IKEv1 a Bleichenbacher oracle only can be used to perform an online attack to impersonate one of the two parties in real time.

Bleichenbacher attack against IKEv1 PKE based authentication.

The figure above depicts a direct attack on IKEv1 PKE:
  1. The attackers initiate an IKEv1 PKE based key exchange with Responder A and adhere to the protocol until receiving the fourth message. They extract the encrypted nonce from this message, and record the other public values of the handshake.
  2. The attackers keep the IKE handshake with Responder A alive as long as the responder allows. For Cisco and ZyXEL we know that handshakes are cancelled after 60 seconds, Clavister and Huawei do so after 30 seconds.
  3. The attackers initiate several parallel PKE based key exchanges to Responder B.
    • In each of these exchanges, they send and receive the first two messages according to the protocol specifications.
    • In the third message, they include a modified version of the encrypted nonce according to the the Bleichenbacher attack methodology.
    • They wait until they receive an answer or they can reliably determine that this message will not be sent (timeout or reception of a repeated second handshake message).
  4. After receiving enough answers from Responder B, the attackers can compute the plaintext of the nonce.
  5. The attackers now have all the information to complete the key derivation and the handshake. They thus can impersonate Responder B to Responder A.

Key Reuse

Maintaining individual keys and key pairs for each protocol version, mode, and authentication method of IKE is difficult to achieve in practice. It is oftentimes simply not supported by implementations. This is the case with the implementations by Clavister and ZyXEL, for example. Thus, it is common practice to have only one RSA key pair for the whole IKE protocol family. The actual security of the protocol family in this case crucially depends on its cross-ciphersuite and cross-version security. In fact, our Huawei test device reuses its RSA key pair even for SSH host identification, which further exposes this key pair.

A Cross-Protocol Version Attack with Digital Signature Based Authentication

Signature Forgery Using Bleichenbacher's Attack

It is well known that in the case of RSA, performing a decryption and creating a signature is mathematically the same operation. Bleichenbacher's original paper already mentioned that the attack could also be used to forge signatures over attacker-chosen data. In two papers that my colleagues at our chair have published, this has been exploited for attacks on XML-based Web Services, TLS 1.3, and Google's QUIC protocol. The ROBOT paper used this attack to forge a signature from Facebook's web servers as proof of exploitability.

IKEv2 With Digital Signatures

Digital signature based authentication is supported by both IKEv1 and IKEv2. We focus here on IKEv2 because on Cisco routers, an IKEv2 handshake may take up to four minutes. This more relaxed timer compared to IKEv1 makes it an interesting attack target.

I promised that this blogpost will only give a comprehensive summary, therefore I am skipping all the details about IKEv2 here. It is enough to know that the structure of IKEv2 is fundamentally different from IKEv1.

If you're familiar with IT-security, then you will believe me that if digital signatures are used for authentication, it is not particularly good if an attacker can get a signature over attacker chosen data. We managed to develop an attack that exploits an IKEv1 Bleichenbacher oracle at some peer A to get a signature that can be used to break the IKEv2 authentication at another peer B. This requires that peer A reuses its key pair for IKEv2 also for IKEv1. For the details, please read our paper [alternative link to the paper].

Evaluation and Results

For testing the attack, we used a Cisco ASR 1001-X router running IOS XE in version 03.16.02.S with IOS version 15.5(3)S2. Unfortunately, Cisco's implementation is not optimized for throughput. From our observations we assume that all cryptographic calculations for IKE are done by the device's CPU despite it having a hardware accelerator for cryptography. One can easily overload the device's CPU for several seconds with a standard PC bursting handshake messages, even with the default limit for concurrent handshakes. And even if the CPU load is kept below 100 %, we nevertheless observed packet loss.

For the decryption attack on Cisco's IKEv1 responder, we need to finish the Bleichenbacher attack in 60 seconds. If the public key of our ASR 1001-X router is 1024 bits long, we measured an average of 850 responses to Bleichenbacher requests per second. Therefore, an attack must succeed with at most 51,000 Bleichenbacher requests.

But another limit is the management of Security Associations (SAs). There is a global limit of 900 Phase 1 SAs under negotiation per Cisco device in the default configuration. If this number is exceeded, one is blocked. Thus, one cannot start individual handshakes for each Bleichenbacher request to issue. Instead, SAs have to be reused as long as their error counter allows. Furthermore, establishing SAs with Cisco IOS is really slow. During the attack, the negotiations in the first two messages of IKEv1 require more time than the actual Bleichenbacher attack.

We managed to perform a successful decryption attack against our ASR 1001-X router with approximately 19,000 Bleichenbacher requests. However, due to the necessary SA negotiations, the attack took 13 minutes.

For the statistics and for the attack evaluation of digital signature forgery, we used a simulator with an oracle that behaves exactly as the ones by Cisco, Clavister, and ZyXEL. We found that about 26% of attacks against IKEv1 could be successful based on the cryptographic performance of our Cisco device. For digital signature forgery, about 22% of attacks could be successful under the same assumptions.

Note that (without a patched IOS), only non-cryptographic performance issues prevented a succesful attack on our Cisco device. There might be faster devices that do not suffer from this. Also note that a too slow Bleichenbacher attack does not permanently lock out attackers. If a timeout occurs, they can just start over with a new attack using fresh values hoping to require fewer requests. If the victim has deployed multiple responders sharing one key pair (e. g. for load balancing), this could also be leveraged to speed up an attack.

Responsible Disclosure

We reported our findings to Cisco, Huawei, Clavister, and ZyXEL. Cisco published fixes with IOS XE versions 16.3.6, 16.6.3, and 16.7.1. They further informed us that the PKE mode will be removed with the next major release.

Huawei published firmware version V300R001C10SPH702 for the Secospace USG2000 series that removes the Bleichenbacher oracle and the crash bugs we identified. Customers who use other affected Huawei devices will be contacted directly by their support team as part of a need-to-know strategy.

Clavister removed the vulnerable authentication method with cOS version 12.00.09. ZyXEL responded that our ZyWALL USG 100 test device is from a legacy model series that is end-of-support. Therefore, these devices will not receive a fix. For the successor models, the patched firmware version ZLD 4.32 (Release Notes) is available.

FAQs

  • Why don't you have a cool name for this attack?
    The attack itself already has a name, it's Bleichenbacher's attack. We just show how Bleichenbacher attacks can be applied to IKE and how they can break the protocol's security. So, if you like, call it IPsec-Bleichenbacher or IKE-Bleichenbacher.
  • Do you have a logo for the attack?
    No.
  • My machine was running a vulnerable firmware. Have I been attacked?
    We have no indication that the attack was ever used in the wild. However, if you are still concerned, check your logs. The attack is not silent. If your machine was used for a Bleichenbacher attack, there should be many log entries about decryption errors. If your machine was the one that got tricked (Responder A in our figures), then you could probably find log entries about unfinished handshake attempts.
  • Where can I learn more?
    First of all, you can read the paper [alternative link to the paper]. Second, you can watch the presentation, either live at the conference or later on this page.
  • What else does the paper contain?
    The paper contains a lot more details than this blogpost. It explains all authentication methods including IKEv2 and it gives message flow diagrams of the protocols. There, we describe a variant of the attack that uses the Bleichenbacher oracles to forge signatures to target IKEv2. Furthermore, we describe the quirks of Huawei's implementation including crash bugs that could allow for Denial-of-Service attacks. Last but not least, it describes a dictionary attack against the PSK mode of authentication that is covered in a separate blogpost.

Media Coverage, Blogs, and more

English

German

Related articles

  1. Hacker Tools Free
  2. Pentest Tools Open Source
  3. Hacker Tools
  4. Pentest Tools Tcp Port Scanner
  5. Tools Used For Hacking
  6. Hacking Tools Download
  7. Hack Apps
  8. Underground Hacker Sites
  9. Hacking Tools For Mac
  10. Hacking Apps
  11. Tools For Hacker
  12. Pentest Tools Alternative
  13. Hacking Tools Download
  14. Pentest Automation Tools
  15. Hacking Tools Free Download
  16. Hacking Tools
  17. Hack Apps
  18. Pentest Reporting Tools
  19. Hacking Tools Software
  20. Hacking Tools Windows 10
  21. Blackhat Hacker Tools
  22. Hacker Tools Apk
  23. Hacker Tools Github
  24. Hacking Tools Usb
  25. Hacker Tools 2019
  26. Nsa Hacker Tools
  27. Hacker Tools For Mac
  28. Hack Website Online Tool
  29. Hacking App
  30. Hacking Tools For Mac
  31. Pentest Tools Apk
  32. Hacker Tools For Ios
  33. Pentest Tools List
  34. Usb Pentest Tools
  35. Pentest Tools Android
  36. Hacker
  37. Blackhat Hacker Tools
  38. Hacking Tools Download
  39. Nsa Hack Tools
  40. Hacker Tools Apk
  41. Growth Hacker Tools
  42. Tools Used For Hacking
  43. Hacking Tools For Pc
  44. Hacks And Tools
  45. Hacker Tools Free Download
  46. Hacking Tools Mac
  47. Hacking Tools Kit
  48. Hacker Tools Apk Download
  49. Hacker Tools Software
  50. Hacking App
  51. Physical Pentest Tools
  52. Top Pentest Tools
  53. Hacking Tools Windows 10