Tuesday, September 25, 2007

2 Factor Authentication Update

I don't believe this, i can't basically do a SQL injection, CSRF or XSS! Everything i wanted to do is basically either encrypted or if i injection a simple character like ", it says service unavailable. This application can be considered very secure it terms of encryption and of good standard if weighing it against the OWASP top ten. Even if i enter a value like 10, this value will be encrypted with this:

Name=eb56be300a5b19b600b5dac4f0e96834&EventName=Immediate&encryptedString=MDEyOABhBMQY7SY0WgxGKrWjOOjaB91Q%5ENy1-UynPGaVPNGwQU2bM2OR8S0f-n1SQ7Oi1IDEKHty-SGaT78SbOH-opKMolLmboo6xTgxtxth4AFbv2klQaA3ulkErBXn%5EMHuX661Ro%5EXou9P95OrVN8xYgUaY-AMZWCwuKy9cAvoiukPZWoTRxslHOjxM7JapJ9tsvyp1ifrWjrgZjxiQfgS33znbhy2IaOqGNXFaA9rR4PvbsUFcqW0hVySynpxkNKRRxvxXJBIiCDlA9h1IK93ajLouNKITFaOVTBQSuK0upPOkjEuTJnbXM3qqZyf-i8amEULAXd4AhEkBBlGgjY8a9wWXJD61NJ-aPT5cVZ0s0H1ZZpvTto8NMRI1QiJAnYPMl4WXik8LTdChQ86n1OkUeP7Hfe4Fz13-JSEq%5E%5EvpgRjznQ4ZuLQ%5EHtMQ5D6yWWTRCPXtJ6jAj1Q2ZmYfPr9Q0uQX1YXN8UlwMXcf7igpQRXtR5yRwo3pm%5E6LJlmf7Hf94B4P26-K2iIOO%5EnVUeQbyZBt3YC4tNCWt8N5IFThY53-spUvlfRBAkwkwsK0NdkCajHGVoGLiynlc1J3GCIfZ0trlITgC9WntZgIOKXVZjTwYWe5hEAuqfHSMixUSCExNu4ZC4ZUQE%5EyK%5ElvKIl3Fd8fxx-GJjVajpHikGTHgfJ8KoeNH2SpUzEWPNQy63l4BkzqaeuJ7ssxeF%5EWhwcwfKuBzRF9rV5sss%5EP3WYjD4YsJvSZx%5EqXP1j8KIf6zfyh1xSqRJREWFXG5kSWXzlj03cL7SQmNjQupwJ9L25Km7GYhEUYfZYSsbNTr44vdkrpepIyLFRIITE29CZXXyVLrlK0OAIU7V9RfzJieGW0oBylrDqKK4VvLrKVbCj2t2hUwcDQwedGQK5J0O0W6v7Oeao9i9Y0keFg006rxP0gINtf8I9U5l%5E0RMvL7SQmNjQupyj1BfoSNNPOmsVd5RBRyJUy7dmjY1z6SxKT74w1LFyX9b-Wup4Bpykv-Ojshp82HwvLmlVapYc-I5yIyi5ev-%5E6-MiaJ-eATlq7nsFDamHtLjB09kFUKPMQArFYZzeyC1wNkE6i95PP80TJ0lPfgNkMuVhq5cxP2AXB7Kum3IJKcGeIJlpRTvpqBkeQ23jFVdIK61FykzXdSO6rlPpDFI0%5EYxJ2aAUQkn3hJJwOJW50AqBr4MBG-tU&encryptedString2=MDEyOABhBMQY7SY0WgxGKrWjOOjaB91Q%5ENy1-UynPGaVPNGwQU2bM2OR8S0f-n1SQ7Oi1IDEKHty-SGaT78SbOH-opKMolLmboo6xTgxtxth4AFbv2klQaA3ulkErBXn%5EMHuX661Ro%5EXou9P95OrVN8xYgUaY-AMZWCwuKy9cAvoiukPZfQSGPJ8Sz00GIRu7AqyMI3jMa6-sb5ZQJmYfPr9Q0uQs4F2ns3wU759YZpN-TxN6gqBr4MBG-tU

I am running outta ideas, tell me what more can i do??

The Hacka Man

6 comments:

Mitmwatcher said...

For reversing 2 factor auth application the things to kept in mind (at least I will keep are )

First Link:
Start looking at the Algorithm level most of the implementation are Time synchronized or Counter Synchronized (rfc 4226)or use S/Key based implementations both need a shared key for authentication Get the method where the shared key stored or obtained

Second Link:

Next part is is the Connection between the AUTH server and the client SSL (I assume it is )
how is the certificate info is stored on client
If it is applet based how is the signing of applet taking place
can you change the rt.jar of JVM (this bug was fixed in new JVMs)to bypass this checking

How does the client react when certificate is replaced by self signed

Third Link :
what is ethereal spitting when the client is connected
Is connection made to any remote server other then the remote AUTH server, Is it HTTP/S
If the algo is home grown check for the crypt functions and Type of RAND functions used in decompiled Jar file do you see any buffer attacks

Hope these help you to start

MitmWathcer

Anonymous said...

Thanks mitmwatcher, i can say that the algorithm is based on time and session management. Also, when you say get the method where the shared key stored or obtained, what do you actually mean? HTTP GET or POST method or is there some other implication?

For the second link, i will have to verify again. How can i check the signing of applet?

For the third link, the connection is only made to the remote Auth Server and no where else and its HTTPS. I have yet to decompile any jar file. I am still verifying the logic and some other issues. Till i verify that i can't find anything more, i will then proceed to decompile the jar file.

hackathology

mitmwatcher said...

You cant get the shared secret Key from the headers or JS it might be a server side call or a method embedded in the client applet
check the HOTP rfc in the previous reply for more insights on shared key.
If the applet is running on the cell phone then mostly it is hardware token mostly IMEA number

You can find the certfile in the
JAVAPATH/lib/security/cacerts
use http://blogs.sun.com/andreas/resource/InstallCert.java
to install the new certificate and see how the applet reacts

Decompile the Jar lets see whats inside ;)

Mitmwatcher

Anonymous said...

Can you leave your email down or send me your personal email?

hackathology

Anonymous said...

myscreen name at gmail

Anonymous said...

send you an email.

hackathology